Abstract
The extensive use of information and communication technology in government and private organizations brings new security vulnerabilities. These vulnerabilities provide multiple opportunities for adversaries to compromise organizations' business-critical resources. A newer class of sophisticated cyberattacks, the "multistage attack", keeps increasing in both sophistication and number. Essentially, the adversary chains together multiple vulnerabilities and exploits them to obtain incremental access to network resources. In practice, mitigating every identified vulnerability, even for a moderate-sized network, is impractical for the security administrator. Existing vulnerability scanners do not consider the causal dependencies between the vulnerabilities they identify. Moreover, many vulnerabilities reported by scanners are not exploitable because their enabling condition(s) are absent. The administrator's absolute reliance on vulnerability scanners therefore makes the vulnerability patching process ineffective. The attack graph, a popular graphical network security model, depicts the potential multistage, multi-host attacks for a vulnerable network configuration and thereby helps the administrator harden the network effectively. We propose a framework based on a recursive composition algebra to explore the additional advantages of using an attack graph for proactive network hardening. The algebra generates an attack graph, free from attack cycles, for a vulnerable network configuration. Moreover, the proposed framework classifies the identified vulnerabilities, and the resulting vulnerability classes help the administrator prioritize network hardening activities. We have validated the effectiveness and applicability of our framework through a case study.
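As an added illustration (not the paper's algebra or code), the following Python sketch shows the two points the abstract makes about scanner output: exploits are forward-chained from the attacker's initial access so that only vulnerabilities whose enabling conditions are actually met enter the graph, and only newly derived conditions are recorded, which keeps the graph free of attack cycles; the resulting vulnerabilities are then classified for patch prioritisation. The class names, the sample hosts, the condition strings and the V1..V5 labels are this example's own assumptions.

```python
from collections import deque, namedtuple
# vuln: scanner label (constructed, not a real CVE); pre: enabling conditions the
# attacker must already hold; post: conditions gained on success.
Exploit = namedtuple("Exploit", "vuln pre post")

def build_attack_graph(initial, exploits):
    # Forward-chain from the attacker's initial conditions. Conditions are never lost,
    # so an exploit joins the graph only if it derives a new condition; re-deriving a
    # known one would only add a back-edge (attack cycle), so it is left out.
    known, reachable, in_graph, producer = set(initial), set(), set(), {}
    changed = True
    while changed:
        changed = False
        for e in exploits:
            if e.vuln in reachable or not e.pre <= known:
                continue                # done already, or enabling condition absent
            reachable.add(e.vuln)
            new = e.post - known
            if new:
                in_graph.add(e.vuln)
                known |= new
                for c in new:
                    producer[c] = e     # exploit that first derived condition c
                changed = True
    return known, reachable, in_graph, producer

def classify(initial, exploits, goal):
    # Classes are this example's own: unreachable (no enabling condition, low
    # priority), redundant (gains nothing new), exploitable (in the graph but on
    # no goal path), critical (on an attack path to the goal: patch first).
    known, reachable, in_graph, producer = build_attack_graph(initial, exploits)
    critical, queue = set(), deque([goal] if goal in known else [])
    while queue:                        # walk backward from the goal to its enablers
        c = queue.popleft()
        if c in producer and producer[c].vuln not in critical:
            critical.add(producer[c].vuln)
            queue.extend(producer[c].pre)
    return {e.vuln: "critical" if e.vuln in critical else "exploitable"
            if e.vuln in in_graph else "redundant" if e.vuln in reachable
            else "unreachable" for e in exploits}

# Constructed sample: attacker reaches the web server; goal is root on the DB host.
INITIAL, GOAL = {"net:attacker->web:80"}, "root@db"
EXPLOITS = [
    Exploit("V1 web RCE", {"net:attacker->web:80"}, {"user@web"}),
    Exploit("V2 web privesc", {"user@web"}, {"root@web"}),
    Exploit("V3 db auth bypass", {"user@web"}, {"root@db"}),
    Exploit("V4 app privesc", {"user@app"}, {"root@app"}),      # user@app never granted
    Exploit("V5 db-to-web pivot", {"root@db"}, {"user@web"}),   # only re-derives user@web
]
```

Running `classify(INITIAL, EXPLOITS, GOAL)` marks V1 and V3 critical, V2 exploitable, V4 unreachable and V5 redundant, so a scanner listing all five as equally urgent would have the administrator patch two of them needlessly first.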