A graph-based system for network-vulnerability analysis

PDF Version Also Available for Download.

Description

This paper presents a graph-based approach to network vulnerability analysis. The method is flexible, allowing analysis of attacks from both outside and inside the network. It can analyze risks to a specific network asset, or examine the universe of possible consequences following a successful attack. The graph-based tool can identify the set of attack paths that have a high probability of success (or a low effort cost) for the attacker. The system could be used to test the effectiveness of making configuration changes, implementing an intrusion detection system, etc. The analysis system requires as input a database of common attacks, ... continued below

Physical Description

25 p.

Creation Information

Swiler, L.P. & Phillips, C. June 1, 1998.

Context

This article is part of the collection entitled: Office of Scientific & Technical Information Technical Reports and was provided by UNT Libraries Government Documents Department to Digital Library, a digital repository hosted by the UNT Libraries. It has been viewed 47 times , with 10 in the last month . More information about this article can be viewed below.

Who

People and organizations associated with either the creation of this article or its content.

Sponsor

Publisher

  • Sandia National Laboratories
    Publisher Info: Sandia National Labs., Albuquerque, NM (United States)
    Place of Publication: Albuquerque, New Mexico

Provided By

UNT Libraries Government Documents Department

Serving as both a federal and a state depository library, the UNT Libraries Government Documents Department maintains millions of items in a variety of formats. The department is a member of the FDLP Content Partnerships Program and an Affiliated Archive of the National Archives.

Contact Us

What

Descriptive information to help identify this article. Follow the links below to find similar items on the Digital Library.

Description

This paper presents a graph-based approach to network vulnerability analysis. The method is flexible, allowing analysis of attacks from both outside and inside the network. It can analyze risks to a specific network asset, or examine the universe of possible consequences following a successful attack. The graph-based tool can identify the set of attack paths that have a high probability of success (or a low effort cost) for the attacker. The system could be used to test the effectiveness of making configuration changes, implementing an intrusion detection system, etc. The analysis system requires as input a database of common attacks, broken into atomic steps, specific network configuration and topology information, and an attacker profile. The attack information is matched with the network configuration information and an attacker profile to create a superset attack graph. Nodes identify a stage of attack, for example the class of machines the attacker has accessed and the user privilege level he or she has compromised. The arcs in the attack graph represent attacks or stages of attacks. By assigning probabilities of success on the arcs or costs representing level-of-effort for the attacker, various graph algorithms such as shortest-path algorithms can identify the attack paths with the highest probability of success.

Physical Description

25 p.

Notes

OSTI as DE98005758

Source

  • New security paradigms workshop `98, Charlottesville, VA (United States), 22-25 Sep 1998

Language

Item Type

Identifier

Unique identifying numbers for this article in the Digital Library or other systems.

  • Other: DE98005758
  • Report No.: SAND--98-1127C
  • Report No.: CONF-980914--
  • Grant Number: AC04-94AL85000
  • DOI: 10.2172/573291 | External Link
  • Office of Scientific & Technical Information Report Number: 672082
  • Archival Resource Key: ark:/67531/metadc711473

Collections

This article is part of the following collection of related materials.

Office of Scientific & Technical Information Technical Reports

Reports, articles and other documents harvested from the Office of Scientific and Technical Information.

Office of Scientific and Technical Information (OSTI) is the Department of Energy (DOE) office that collects, preserves, and disseminates DOE-sponsored research and development (R&D) results that are the outcomes of R&D projects or other funded activities at DOE labs and facilities nationwide and grantees at universities and other institutions.

What responsibilities do I have when using this article?

When

Dates and time periods associated with this article.

Creation Date

  • June 1, 1998

Added to The UNT Digital Library

  • Sept. 12, 2015, 6:31 a.m.

Description Last Updated

  • May 5, 2016, 8:30 p.m.

Usage Statistics

When was this article last used?

Yesterday: 1
Past 30 days: 10
Total Uses: 47

Interact With This Article

Here are some suggestions for what to do next.

Start Reading

PDF Version Also Available for Download.

Citations, Rights, Re-Use

Swiler, L.P. & Phillips, C. A graph-based system for network-vulnerability analysis, article, June 1, 1998; Albuquerque, New Mexico. (digital.library.unt.edu/ark:/67531/metadc711473/: accessed November 22, 2017), University of North Texas Libraries, Digital Library, digital.library.unt.edu; crediting UNT Libraries Government Documents Department.