Design Procedure of Knowledge Base for Practical Attack Graph Generation

Inokuchi, Masaki; Ohta, Yoshinobu; Kinoshita, Shunichi; Yagyu, Tomohiko; Stan, Orly; Bitton, Ron; Elovici, Yuval; Shabtai, Asaf

doi:10.1145/3321705.3329853

Cited by 14 publications

(8 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A threat modeling language that utilized ATT&CK was proposed in [10]. ATT&CK and CVE (Common Vulnerabilities and Exposures [11]) were utilized in [12]. Aksu et al used CVE vulnerabilities from the NVD (National Vulnerability Database) [13].…”

Section: B Attack Graphsmentioning

confidence: 99%

Identification of Attack Paths Using Kill Chain and Attack Graphs

Sadlek

Čeleda

Tovarňák

2022

NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chain and attack graphs. Kill chain and attack graphs are threat modeling concepts that enable determining weak security defense points. We propose a novel kill chain attack graph that merges kill chain and attack graphs together. This approach determines possible chains of attacker's actions and their materialization within the protected network. The graph generation uses a categorization of threats according to violated security properties. The graph allows determining the kill chain phase the administrator should focus on and applicable countermeasures to mitigate possible cyber threats. We implemented the proposed approach for a predefined range of cyber threats, especially vulnerability exploitation and network threats. The approach was validated on a real-world use case. Publicly available implementation contains a proof-of-concept kill chain attack graph generator.

show abstract

Section: B Attack Graphsmentioning

confidence: 99%

Identification of Attack Paths Using Kill Chain and Attack Graphs

Sadlek

Čeleda

Tovarňák

2022

NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

show abstract

“…By finding counterexamples on attack sequences, paths that breach security attributes are represented in a state attack graph [12]; however, it also confronts exponential state-space problems even used in middle-scale networks. Different from the state attack graph, logical attack graphs are built by deductive reasoning to demonstrate attack steps and their prerequisites for each action [13][14][15][16]. A wellknown and open-source reasoning framework, called MulVAL (Multihost, Multistage Vulnerability Analysis), is utilized to infer attack paths among attack goals and configuration information [15,16], which is fit for risk assessment in the large-scale enterprise environment.…”

Section: Related Workmentioning

confidence: 99%

“…Different from the state attack graph, logical attack graphs are built by deductive reasoning to demonstrate attack steps and their prerequisites for each action [13][14][15][16]. A wellknown and open-source reasoning framework, called MulVAL (Multihost, Multistage Vulnerability Analysis), is utilized to infer attack paths among attack goals and configuration information [15,16], which is fit for risk assessment in the large-scale enterprise environment.…”

Section: Related Workmentioning

confidence: 99%

“…In this part, the proposed automatic planning-based attack path discovery approach is evaluated. At first, an Input: device reachability graph Gr, subgraph size subg_size Output: all subgraphs (1) function GENERATE SUBGRAPHS (Gr, subg_size) (2) if nodes_num of Gr more than subg_size then (3) push Gr to Qp (4) while Qp is not empty do (5) pop a subgraph G from Qp (6) find branch nodes Ns from G (7) get edges from Ns and push them into Qe (8) while Qe is not empty do (9) pop an edge qe from Qe (10) find successor subgraph Gs from edge qe in G (11) if nodes in Gs less than subg_size then (12) push Gs into Qp (13) else (14) push Gs into Qo (15) output all subgraphs from Qo (16) else (17) output Gr (18) end function ALGORITHM 1: Device reachability graph partitioning.…”

Section: Case Studymentioning

confidence: 99%

See 1 more Smart Citation

An Automatic Planning-Based Attack Path Discovery Approach from IT to OT Networks

Wang

Zhang

Liu

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

With the convergence of IT and OT networks, more opportunities can be found to destroy physical processes by cyberattacks. Discovering attack paths plays a vital role in describing possible sequences of exploitation. Automated planning that is an important branch of artificial intelligence (AI) is introduced into the attack graph modeling. However, while adopting the modeling method for large-scale IT and OT networks, it is difficult to meet urgent demands, such as scattered data management, scalability, and automation. To that end, an automatic planning-based attack path discovery approach is proposed in this paper. At first, information of the attacking knowledge and network topology is formally represented in a standardized planning domain definition language (PDDL), integrated into a graph data model. Subsequently, device reachability graph partitioning algorithm is introduced to obtain subgraphs that are small enough and of limited size, which facilitates the discovery of attack paths through the AI planner as soon as possible. In order to further cope with scalability problems, a multithreading manner is used to execute the attack path enumeration for each subgraph. Finally, an automatic workflow with the assistance of a graph database is provided for constructing the PDDL problem file for each subgraph and traversal query in an interactive way. A case study is presented to demonstrate effectiveness of attack path discovery and efficiency with the increase in number of devices.

show abstract

“…Attack graphs are one of the main techniques used to perform the assessment process [17]. MulVAL [35], [34] was the first attack graph tool providing automatic end-to-end attack graph generation and analysis.…”

Section: Introductionmentioning

confidence: 99%

An Automated, End-to-End Framework for Modeling Attacks From Vulnerability Descriptions

Binyamini,

Bitton,

Inokuchi

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

Attack graphs are one of the main techniques used to automate the risk assessment process. In order to derive a relevant attack graph, up-to-date information on known attack techniques should be represented as interaction rules. Designing and creating new interaction rules is not a trivial task and currently performed manually by security experts. However, since the number of new security vulnerabilities and attack techniques continuously and rapidly grows, there is a need to frequently update the rule set of attack graph tools with new attack techniques to ensure that the set of interaction rules is always upto-date. We present a novel, end-to-end, automated framework for modeling new attack techniques from textual description of a security vulnerability. Given a description of a security vulnerability, the proposed framework first extracts the relevant attack entities required to model the attack, completes missing information on the vulnerability, and derives a new interaction rule that models the attack; this new rule is integrated within MulVAL attack graph tool. The proposed framework implements a novel pipeline that includes a dedicated cybersecurity linguistic model trained on the the NVD repository, a recurrent neural network model used for attack entity extraction, a logistic regression model used for completing the missing information, and a novel machine learning-based approach for automatically modeling the attacks as MulVAL's interaction rule. We evaluated the performance of each of the individual algorithms, as well as the complete framework and demonstrated its effectiveness.

show abstract

Design Procedure of Knowledge Base for Practical Attack Graph Generation

Cited by 14 publications

References 12 publications

Identification of Attack Paths Using Kill Chain and Attack Graphs

Identification of Attack Paths Using Kill Chain and Attack Graphs

An Automatic Planning-Based Attack Path Discovery Approach from IT to OT Networks

An Automated, End-to-End Framework for Modeling Attacks From Vulnerability Descriptions

Contact Info

Product

Resources

About