International Conference on Information Science and Computer Applications (ISCA 2013). © 2013. The authors. Published by Atlantis Press.

Abstract

Facing hackers’ intelligent attacks and multi-source information from various security equipment, evaluating the real-time risk of a network is becoming more and more complicated. This paper proposes an analysis method based on a new attack graphs model (NAG) to assess the impact that multiple vulnerabilities have on the network system. To simplify the attack graphs, we combine attack graphs with Bayesian theory and put forward an optimized algorithm to remove the cycles in attack graphs. By importing the Common Vulnerability Scoring System (CVSS) and attack evidence, the assessment method in this paper can dynamically evaluate partial or entire network security. Experimental results show that the method can reflect the changing situation of the network security.

Introduction

In the face of sophisticated, multi-step network attacks, vulnerabilities bring a lot of risk to network systems. Though scanners such as Nessus [1] can find individual vulnerabilities, attackers usually combine multiple vulnerabilities to penetrate networks with devastating impact [2], which we should take into account when evaluating the security of the network. As a model of risk assessment, attack graphs can find all possible actions of an attacker who may use the relationships between the vulnerabilities, and then analyze the threats the network faces.

There exist many approaches for evaluating network security based on attack graphs. Marcel et al. [3] propose a Dynamic Bayesian Networks-based model which provides a theoretical foundation and a practical framework for continuously measuring network security. But as time goes on, there will be an enormous space to maintain, which works against real-time assessment. Nayot et al. [4] combined Bayesian theory and attack graphs in risk assessment; however, they ignored the cycles that exist in attack graphs. Yun Ye et al. [5] evaluated network security based on the probability of nodes in attack graphs, but they did not give a measure for evaluating the impact that attacks have on the network system. Xi Zhang et al. [6] computed the risk score using the CVSS [7] in attack graphs; however, they did not consider the dynamic changes of the network.

In this paper, by combining Bayesian theory, we propose a new attack graphs model (NAG), based on which we design an effective assessment method by importing CVSS and attack evidence. The rest of this paper is organized as follows. We first define the new model of attack graphs, second give the method of risk assessment based on attack graphs, then present the experimental evaluation, and in the end conclude the paper.

Attack Graphs model

The new attack graphs model is a structure that uses a five-element group to describe information. Its structure: NAG= . In the model: S is the set of attributes; A is the set of atomic attacks and also the edges in NAG; E is the set of relationships; P is the set of probabilities. The model should abide by the following rules:

(1). $A \in S \times S$. $\forall a_m \in A$, $a_m = \mathrm{pre}(a_m) \rightarrow \mathrm{post}(a_m)$, where $\mathrm{pre}(a_m)$ is the source attribute of $a_m$ and $\mathrm{post}(a_m)$ is the destination attribute of $a_m$.

(2). $S = S_o \cup S_{in} \cup S_f$. $\forall S_i \in S$, $S_i$ has two property values: $S_i = 0$ or $S_i = 1$. $\forall S_i \in S_o$, $\nexists a_m$ where $a_m \in A$ and $S_i = \mathrm{post}(a_m)$; $\forall S_i \in S_{in}$, $\exists a_j, a_k \in A$ where $S_i = \mathrm{post}(a_j) = \mathrm{pre}(a_k)$; $\forall S_i \in S_f$, $\nexists a_m$ where $a_m \in A$ and $S_i = \mathrm{pre}(a_m)$.

(3). $\forall S_i \in S$, $P(S_i)$ denotes the probability of $S_i = 1$; $\forall a_m \in A$, $P(a_m)$ denotes the probability of $\mathrm{pre}(a_m) \rightarrow \mathrm{post}(a_m)$.

(4). $\forall S_i \in S_{in} \cup S_f$, $\exists e_i \in E$ corresponding to $S_i$, and $e_i \in \{\mathrm{AND}, \mathrm{OR}, \mathrm{MIX}\}$.

In traditional attack graphs, the parents of atomic attacks have the relationship AND. Similarly, the parents of attributes have the relationship OR. Since this paper combines the edges with the atomic attacks, there are three relationships in NAG: AND, OR and MIX, as shown in Fig. 1, and the relationship is denoted by the set E.
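The following Python sketch is an added example, not code from the paper: it partitions the attributes per rule (2), rejects graphs that still contain cycles, and propagates P(S_i) through AND and OR nodes. The sample network and its probabilities are constructed, and the combination formulas (product for AND, noisy-OR for OR, independent parents) are an assumption, since this excerpt gives neither the paper's formulas nor the MIX semantics.

```python
from math import prod

# Constructed sample network (not from the paper). A maps (pre, post) -> P(a_m).
S = {"net_access", "user_web", "user_db", "root_db"}
A = {("net_access", "user_web"): 0.8, ("net_access", "user_db"): 0.5,
     ("user_web", "user_db"): 0.6, ("user_db", "root_db"): 0.5}
E = {"user_web": "OR", "user_db": "OR", "root_db": "AND"}
PRIOR = {"net_access": 1.0}  # P(S_i) for initial attributes (S_o)

def partition(S, A):
    """Rule (2): S_o has no incoming atomic attack, S_f has no outgoing one."""
    has_in = {post for _, post in A}
    has_out = {pre for pre, _ in A}
    S_o = {s for s in S if s not in has_in}
    S_f = {s for s in S if s in has_in and s not in has_out}
    return S_o, S - S_o - S_f, S_f

def topo_order(S, A):
    """Kahn's algorithm; raises if the graph still contains a cycle."""
    indeg = {s: sum(post == s for _, post in A) for s in S}
    ready, order = [s for s in S if indeg[s] == 0], []
    while ready:
        s = ready.pop()
        order.append(s)
        for pre, post in A:
            if pre == s:
                indeg[post] -= 1
                if indeg[post] == 0:
                    ready.append(post)
    if len(order) != len(S):
        raise ValueError("cycle present: remove cycles before assessment")
    return order

def propagate(S, A, E, prior):
    """P(S_i = 1) per attribute. ASSUMPTION: AND = product, OR = noisy-OR."""
    P = {}
    for s in topo_order(S, A):
        c = [P[pre] * p for (pre, post), p in A.items() if post == s]
        if not c:
            P[s] = prior[s]          # initial attribute: use the given prior
        elif E.get(s) == "AND":
            P[s] = prod(c)           # every incoming attack must succeed
        elif E.get(s) == "OR":
            P[s] = 1 - prod(1 - x for x in c)  # at least one succeeds
        else:
            raise NotImplementedError("MIX semantics are not given on this page")
    return P
```

Processing attributes in topological order guarantees every parent probability is known before a child is evaluated, which is why a remaining cycle is treated as an error here.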
