2019
DOI: 10.1155/2019/2031063

Survey of Attack Graph Analysis Methods from the Perspective of Data and Knowledge Processing

Abstract: Attack graph can simulate the possible paths used by attackers to invade the network. By using the attack graph, the administrator can evaluate the security of the network and analyze and predict the behavior of the attacker. Although there are many research studies on attack graph, there is no systematic survey for the related analysis methods. This paper firstly introduces the basic concepts, generation methods, and computing tasks of the attack graph, and then, several kinds of analysis methods of attack gr…

Cited by 40 publications (27 citation statements)
References 42 publications (48 reference statements)
“…In this part, the proposed automatic planning-based attack path discovery approach is evaluated. At first, an

Input: device reachability graph Gr, subgraph size subg_size
Output: all subgraphs
(1) function GENERATE SUBGRAPHS (Gr, subg_size)
(2) if nodes_num of Gr more than subg_size then
(3) push Gr to Qp
(4) while Qp is not empty do
(5) pop a subgraph G from Qp
(6) find branch nodes Ns from G
(7) get edges from Ns and push them into Qe
(8) while Qe is not empty do
(9) pop an edge qe from Qe
(10) find successor subgraph Gs from edge qe in G
(11) if nodes in Gs less than subg_size then
(12) push Gs into Qp
(13) else
(14) push Gs into Qo
(15) output all subgraphs from Qo
(16) else
(17) output Gr
(18) end function
ALGORITHM 1: Device reachability graph partitioning.…”
Section: Case Study (mentioning)
confidence: 99%
“…Input: pddl file template domain_temp and problem_temp connection object to a graph database hg; planning goals
Output: constructed pddl domain and problem files
(1) function GENERATE PDDL FILE (domain_temp, problem_temp, hg)
(2) query device nodes, device reachability, vulnerability and component via hg
(3) generate domain file:
(4) generate predicates of vulnerability, reachability, pre and postconditions
(5) generate actions of vulnerability from pre- and postconditions of vulnerability
(6) end
(7) generate problem file:
(8) generate objects from device nodes
(9) generate initially satisfied conditions
(10) generate goals based on your input
(11) end
(12) return generated domain and problem files
(13) end function
ALGORITHM 2: Automatic construction of PDDL domain and problem files.

experimental setup is introduced by a hypothetical network topology from IT to OT networks in Section 6.1. Then, attack paths are illustrated, and the corresponding data is stored in the form of graph data in Section 6.2.…”
Section: Case Study (mentioning)
confidence: 99%
“…However, there are still several problems with the attack graph-based approach. Attack graph generation can involve up to polynomial complexity, and the evaluation and analysis of attack graphs to determine all possible attack paths suffer from scalability issues [7]. Meanwhile, a large-scale attack graph is complicated, making it difficult for humans to digest all the dependency relations and specify the key problems in a limited amount of time.…”
Section: Introduction (mentioning)
confidence: 99%