Validating and Restoring Defense in Depth Using Attack Graphs

Authors: Richard Lippmann, Kyle Ingols, Chris Scott, Keith Piwowarski, Kendra Kratkiewicz

DOI: 10.1109/MILCOM.2006.302434

Keywords:

Abstract: Defense in depth is a common strategy that uses layers of firewalls to protect Supervisory Control and Data Acquisition (SCADA) subnets and other critical resources on enterprise networks. A tool named NetSPA is presented that analyzes firewall rules and vulnerabilities to construct attack graphs. These show how inside and outside attackers can progress by successively compromising exposed vulnerable hosts with the goal of reaching internal targets. NetSPA generates attack graphs automatically and analyzes them to produce a small set of prioritized recommendations to restore defense in depth. Field trials on networks with up to 3,400 hosts demonstrate that firewalls often do not provide defense in depth due to misconfigurations and unpatched hosts. In all cases, a small number of prioritized recommendations was provided to restore defense in depth. Simulations on networks with up to 50,000 hosts demonstrate that this approach scales well to enterprise-size networks.
