Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Case Study A. Experiment Network
References
All Topics
Mathematics
Probability

Mapping evidence graphs to attack graphs

Profile image of Changwei LiuChangwei Liu

2012, 2012 IEEE International Workshop on Information Forensics and Security (WIFS)

Abstract

Attack graphs compute potential attack paths from a system configuration and known vulnerabilities of a system. Evidence graphs model intrusion evidence and dependencies among them for forensic analysis. In this paper, we show how to map evidence graphs to attack graphs. This mapping is useful for application of attack graphs and evidence graphs for forensic analysis. In addition to helping to refine attack graphs by comparing attack paths in both attack graphs and evidence graphs, important probabilistic information contained in evidence graphs can be used to compute or refine potential attack success probabilities contained in repositories like C VSS. Conversely, attack graphs can be used to add missing evidence or remove irrelevant evidence to build a complete evidence graph. In particular, when attackers use anti-forensics tools to destroy or distort evidence, attack graphs can help investigators recover the attack scenarios and explain the lack of evidence for missing steps. We illustrated the mapping using a database attack as a case study.

Related papers

Use of Attack Graphs in Security Systems
Sajjan Shiva

Journal of Computer Networks and Communications, 2014

Attack graphs have been used to model the vulnerabilities of the systems and their potential exploits. The successful exploits leading to the partial/total failure of the systems are subject of keen security interest. Considerable effort has been expended in exhaustive modeling, analyses, detection, and mitigation of attacks. One prominent methodology involves constructing attack graphs of the pertinent system for analysis and response strategies. This not only gives the simplified representation of the system, but also allows prioritizing the security properties whose violations are of greater concern, for both detection and repair. We present a survey and critical study of state-of-the-art technologies in attack graph generation and use in security system. Based on our research, we identify the potential, challenges, and direction of the current research in using attack graphs.

View PDFchevron_right
Tracking the Bad Guys: An Efficient Forensic Methodology To Trace Multi-step Attacks Using Core Attack Graphs
Martín Barrère, Emil Lupu, Rabih Mohsen

In Proceedings of the 13th IEEE International Conference on Network and Service Management (CNSM’17), November 26-30, 2017, Tokyo, Japan., 2017

In this paper, we describe an efficient methodology to guide investigators during network forensic analysis. To this end, we introduce the concept of core attack graph, a compact representation of the main routes an attacker can take towards specific network targets. Such compactness allows forensic investigators to focus their efforts on critical nodes that are more likely to be part of attack paths, thus reducing the overall number of nodes (devices, network privileges) that need to be examined. Nevertheless, core graphs also allow investigators to hierarchically explore the graph in order to retrieve different levels of summarised information. We have evaluated our approach over different network topologies varying parameters such as network size, density, and forensic evaluation threshold. Our results demonstrate that we can achieve the same level of accuracy provided by standard logical attack graphs while significantly reducing the exploration rate of the network.

View PDFchevron_right
Reasoning About Complementary Intrusion Evidence
Douglas Reeves

20th Annual Computer Security Applications Conference, 2004

To facilitate the modeling of intrusion evidence, this paper classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, this paper develops techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The experimental results in this paper demonstrate the potential of the proposed techniques. In particular, additional observations by system monitoring or vulnerability scanning tools can potentially reduce the false alert rate and increase the confidence in alerts corresponding to successful attacks.

View PDFchevron_right
A novel approach for analysis of attack graph
Nhamo Mtetwa

2017 IEEE International Conference on Intelligence and Security Informatics (ISI), 2017

Attack graph technique is a common tool for the evaluation of network security. However, attack graphs are generally too large and complex to be understood and interpreted by security administrators. This paper proposes an analysis framework for security attack graphs for a given IT infrastructure system. First, in order to facilitate the discovery of interconnectivities among vulnerabilities in a network, multi-host multi-stage vulnerability analysis (MulVAL) is employed to generate an attack graph for a given network topology. Then a novel algorithm is applied to refine the attack graph and generate a simplified graph called a transition graph. Next, a Markov model is used to project the future security posture of the system. Finally, the framework is evaluated by applying it on a typical IT network scenario with specific services, network configurations, and vulnerabilities.

View PDFchevron_right
A layered graphical model for mission attack impact analysis
Changwei Liu

2017 IEEE Conference on Communications and Network Security (CNS)

In this paper, we describe a layered graphical model to analyze the mission impacts of attacks for forensic investigation. Our model has three layers: the upper layer models operational tasks and their dependencies; the middle layer reconstructs attack scenarios by using a forensic tool to find the causality between items of evidence; the lower level reconstructs potentially missing attack steps due to missing evidence from the middle layer. Based on the graphs produced from the three layers, our model computes mission impacts by using NIST National Vulnerability Database(NVD) scores or forensic investigators' estimates. The case study shows our layered graphical model can be used for both forensic analysis and hardening an enterprise infrastructure.

View PDFchevron_right
Comparative Analysis of Attack Graphs
Daryoush Alipour

It is well-known that nowadays computers and networks that are unique in their computational and service provision power have also major weaknesses and vulnerabilities that can be exploited by outsiders in compromising the valuable data and knowledge. Network administrators and network security analysts must be aware of different properties of current software solutions and diversity of problems regarding the possible protection of network assets. This means that they must know and use the latest and newest types of vulnerabilities, techniques and tools. “Attack Graphs” present formalized network maps and help with analysis of possible vulnerabilities that may exist in the network. Hence, in this paper we will describe some basic concepts that can be used to understand and generate the attack graphs.

View PDFchevron_right
Automatic Discovery of Attack Messages and Pre-and Post-Conditions for Attack Graph Generation
Marco Carvalho

Abstract: Network attack graphs are directed graph-representations of possible attack paths and vulnerabilities in a computer network. Each attack path is a sequence of steps taken by an attacker to achieve one or more goals in the target system. While there are some variations in the representations of the graph proposed by different researchers, typically the edges represent possible actions (or exploits) available to an attacker, and vertices represent the possible states for the system and applications.

View PDFchevron_right
Relating Admissibility Standards for Digital Evidence to Attack Scenario Reconstruction
Changwei Liu

Journal of Digital Forensics, Security and Law, 2014

Attackers tend to use complex techniques such as combining multi-step, multi-stage attack with anti-forensic tools to make it difficult to find incriminating evidence and reconstruct attack scenarios that can stand up to the expected level of evidence admissibility in a court of law. As a solution, we propose to integrate the legal aspects of evidence correlation into a Prolog based reasoner to address the admissibility requirements by creating most probable attack scenarios that satisfy admissibility standards for substantiating evidence. Using a prototype implementation, we show how evidence extracted by using forensic tools can be integrated with legal reasoning to reconstruct network attack scenarios. Our experiment shows this implemented reasoner can provide pre-estimate of admissibility on a digital crime towards an attacked network.

View PDFchevron_right
An Attack Simulation and Evidence Chains Generation Model for Critical Information Infrastructures
Eleni-Maria Kalogeraki

Electronics, 2022

Recently, the rapid growth of technology and the increased teleworking due to the COVID-19 outbreak have motivated cyber attackers to advance their skills and develop new sophisticated methods, e.g., Advanced Persistent Threat (APT) attacks, to leverage their cybercriminal capabilities. They compromise interconnected Critical Information Infrastructures (CIIs) (e.g., Supervisory Control and Data Acquisition (SCADA) systems) by exploiting a series of vulnerabilities and launching multiple attacks. In this context, industry players need to increase their knowledge on the security of the CIs they operate and further explore the technical aspects of cyber-attacks, e.g., attack’s course, vulnerabilities exploitability, attacker’s behavior, and location. Several research papers address vulnerability chain discovery techniques. Nevertheless, most of them do not focus on developing attack graphs based on incident analysis. This paper proposes an attack simulation and evidence chains generat...

View PDFchevron_right
Asas: agile similarity attack strategy model based on evidence classification for network forensic attack analysis
Science Park Research Organization & Counselling

Attack strategies have increasingly become more sophisticated in cyber crime, which makes it extremely difficult to identify an accurate attack strategy. Most attack strategy techniques depend on alert correlation that has a number of limitations such as requiring a larger number of predefined attributes, hard implementation, and at the same time having inadequacy to discover the casual relationships between the related attributes. Determining the attack strategy makes it easier for network forensic investigators to draw a possible comprehensive frame of the criminal case. In addition, it will hopefully make the investigation process even more accurate as to help apprehend the real crime perpetrator. This paper proposes an Agile Similarity Attack Strategy (ASAS) model that estimates the similar evidence between a new criminal case and others. The model uses the classification method based on a relation between attack evidence priorities with evidence group values, presented as a vector. Furthermore, the model uses a cosine similarity as a distance-based similarity measure (Metric Axioms) to improve the quality of decision making. Experiments were performed on real network data traffic from our university research labs where data traffic holds a Teredo attack to evaluate the proposed model. From the similarity metric output observation, ASAS will hopefully help an investigator to predict an attack strategy as an estimation value in order to decrease, time, effort and processing cost. some computer hackers calling themselves "Anonymous". In most of these cases it takes a lot of time to discover a real crime maker, and until this moment, some are still registered as unknown. Unfortunat ely, such crimes were repeated times and again as in what happened this year with Sony group when a group of hackers calling themselves "LulzSec" permeated a number of Sony sites. This indicates that the network forensics investigation process still uses manual ad-hoc methods, and it is time consuming, costly and an error-prone process to apprehend the real perpetrator [1]. This calls for the need for more effective analysis methods.

View PDFchevron_right

References (14)

  1. TightVNC Software, http://www.tightvnc.com/.
  2. L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia. An attack graph- based probabilistic security metric. In Proceedings of The 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security '%6(& ¶
  3. C. Liu, A. Singhal ' :LMHVHNHUD ³8VLQJ $WWDFN *UDSKV LQ )RUHQVLF ([DPLQDWLRQV´ 6HYHQWK ,QWHUQDWLRQDO &RQIHUHQFH RQ $YDLODELOLW\ Reliability and Security, August 2012
  4. MulVAL V1.1, Jan 30, 2012, http://people.cis.ksu.edu/~xou/mulval/.
  5. T.H. Cormen, C.E. Leiserson, R.L. Rivest, C. Stein, Introduction to Algorithms, MIT University Press, Cambridge, 2001.
  6. A PP E N D I X 1. A ttack graph in F igure 1
  7. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M.Wing. Automated generation and analysis of attack graphs. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 254±265, 2002.
  8. >@ . ,QJROV 0 &KX 5 /LSSPDQQ 6 :HEVWHU DQG 6 %R\HU ³0RGHOLQJ 0RGHUQ 1HWZRUN $WWDFNV DQG &RXQWHUPHDVXUHV 8VLQJ $WWDFN *UDSKV´ Proceedings of ACSAC Conference 2009.
  9. >@ 6$16 ,QVWLWXWH ,QIR6HF 5HDGLQJ 5RRP ³DQ 2YHUYLHZ RI 'LVN ,PDJLQJ 7RROLQ&RPSXWHU)RUHQVLFV´
  10. >@ % &DUULHU ³)LOH 6\VWHP )RUHQVLF $QDO\VLV´ $GGLVRQ-Wesley Professional, March 2005.
  11. H. Debar, M. Becker, D. Siboni, A neural network component for an intrusion detection system, Proceedings of IEEE Symposium on Research in Computer Security and Privacy, 1992.
  12. >@ 6 -DMRGLD 6 1RHO %2 ¶%HUU\ ³7RSRORJLFDO $QDO\VLV RI 1HWZRUN
  13. $WWDFN 9XOQHUDELOLW\´ ,Q 0DQDJLQJ &\EHU 7KUHDWV ,ssues, Approaches and Challenges, V. Kumar, J. Srivastava, A. Lazarevic (eds.), Springer, 2005.
  14. W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. In Proc. Of the Intern. Symposium on Secure Software Engineering (ISSSE 2006), Mar. 2006.

Related papers

Creating Integrated Evidence Graphs for Network Forensics
Coco Liu

IFIP advances in information and communication technology, 2013

Probabilistic evidence graphs can be used to model network intrusion evidence and the underlying dependencies to support network forensic analysis. The graphs provide a means for linking the probabilities associated with different attack paths with the available evidence. However, current work focused on evidence graphs assumes that all the available evidence can be expressed using a single, small evidence graph. This paper presents an algorithm for merging evidence graphs with or without a corresponding attack graph. The application of the algorithm to a file server and database server attack scenario yields an integrated evidence graph that shows the global scope of the attack. The global graph provides a broader context and better understandability than multiple local evidence graphs.

View PDFchevron_right
Creating an integrated evidence graph
Changwei Liu

Evidence graphs model network intrusion evidence and their dependencies to help with network forensics analysis. With quantitative metrics, probabilistic evidence graphs provide a way to link probabilities associated with different attack paths with available evidence. Existing work in evidence graphs assumes that all available evidence forms a single evidence graph. We show how to merge different evidence graphs with or without the help of a corresponding attack graph. We show this by providing algorithms and a possible attack scenario towards a file server and a database server in an example network environment. An integrated evidence graph, showing all attacks using global reasoning, is more useful to forensics analysts and network administrators than multiple evidence graphs that use local reasoning.

View PDFchevron_right
A Model Towards Using Evidence From Security Events For Network Attack Analysis
Changwei Liu

Constructing an efficient and accurate model from security events to determine an attack scenario for an enterprise network is challenging. In this paper, we discuss how to use evidence obtained from security events to construct an attack scenario and build an evidence graph. To achieve the accuracy and completeness of the evidence graph, we use Prolog inductive and abductive reasoning to correlate evidence by reasoning the causality, and use an anti-forensics database and a corresponding attack graph to find the missing evidence. In addition, because the constructed scenario and supplied evidence might need to stand up in the court of law, the federal rules of evidence are also taken into account to predetermine the admissibility of the evidence.

View PDFchevron_right
A Probabilistic Network Forensic Model for Evidence Analysis
Changwei Liu

IFIP Advances in Information and Communication Technology, 2016

Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection systems (IDS) and forensic analysis tools, the evidence can be a false positive or missing. Besides, the number of security events is so large that finding an attack pattern is like finding a needle in a haystack. Under this situation, reconstructing the attack scenario that can hold the attacker accountable for their crime is very challenging. This paper describes a probabilistic model that applies Bayesian Network to constructed evidence graphs, systematically addressing how to resolve some of the above problems by detecting false positives, analyzing the reasons of the missing evidence and computing the probability for an entire attack scenario. We have also developed a software tool based on this model for network forensics analysis. Our system is based on a Prolog system using known vulnerability databases and an anti-forensics database that is similar to the NIST National Vulnerability Database (NVD). Our experimental results and case study show that such a system can be useful for constructing the most likely attack scenario and managing errors for network forensics analysis.

View PDFchevron_right
A Layered Graphical Model for Cloud Forensic Mission Attack Impact Analysis
Changwei Liu

Advances in Digital Forensics XIV

Cyber attacks on the systems that support an enterprise's mission can significantly impact its objectives. This chapter describes a layered graphical model designed to support forensic investigations by quantifying the mission impacts of cyber attacks. The model has three layers: (i) an upper layer that models operational tasks and their interdependencies that fulfill mission objectives; (ii) a middle layer that reconstructs attack scenarios based on the interrelationships of the available evidence; and (iii) a lower level that uses system calls executed in upper layer tasks in order to reconstruct missing attack steps when evidence is missing. The graphs constructed from the three layers are employed to compute the impacts of attacks on enterprise missions. The National Vulnerability Database-Common Vulnerability Scoring System scores and forensic investigator estimates are used to compute the mission impacts. A case study is presented to demonstrate the utility of the graphical model.

View PDFchevron_right

Related topics

  • Computer Science
  • Probability
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved