TY - GEN
T1 - Design procedure of knowledge base for practical attack graph generation
AU - Inokuchi, Masaki
AU - Ohta, Yoshinobu
AU - Kinoshita, Shunichi
AU - Yagyu, Tomohiko
AU - Stan, Orly
AU - Bitton, Ron
AU - Elovici, Yuval
AU - Shabtai, Asaf
N1 - Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/7/2
Y1 - 2019/7/2
N2 - Cyber security assessment is an essential activity for understanding the security risks in an enterprise environment. While many tools have been developed in order to evaluate the security risks for individual hosts, it is still a challenge to identify multi-hop cyber security risks in a large-scale environment. An attack graph, which provides a comprehensive view of attacks, assists in identifying high-risk attack paths and efficiently deploying countermeasures. Several frameworks which generate an attack graph from system information and knowledge base have also been developed in the past. Although these tools are widely adopted, their expression capabilities are insufficient. The expansion of knowledge base is needed to handle comprehensive attack scenario. In this research, we developed an attack graph generation system by extending the MulVAL framework which is widely adopted due to its high extensibility. We designed and implemented knowledge base (also known as "interaction rules" in the MulVAL framework) for practical attack graph generation. A structured design procedure is necessary to construct a knowledge base that enables comprehensive analysis, which is highly important for actual risk assessment. We describe the design procedure, design considerations and implementation of our rule set. Additionally, we demonstrate the improvement to the generated attack graph by the implemented rules in a case study.
AB - Cyber security assessment is an essential activity for understanding the security risks in an enterprise environment. While many tools have been developed in order to evaluate the security risks for individual hosts, it is still a challenge to identify multi-hop cyber security risks in a large-scale environment. An attack graph, which provides a comprehensive view of attacks, assists in identifying high-risk attack paths and efficiently deploying countermeasures. Several frameworks which generate an attack graph from system information and knowledge base have also been developed in the past. Although these tools are widely adopted, their expression capabilities are insufficient. The expansion of knowledge base is needed to handle comprehensive attack scenario. In this research, we developed an attack graph generation system by extending the MulVAL framework which is widely adopted due to its high extensibility. We designed and implemented knowledge base (also known as "interaction rules" in the MulVAL framework) for practical attack graph generation. A structured design procedure is necessary to construct a knowledge base that enables comprehensive analysis, which is highly important for actual risk assessment. We describe the design procedure, design considerations and implementation of our rule set. Additionally, we demonstrate the improvement to the generated attack graph by the implemented rules in a case study.
KW - Attack graph
KW - Design procedure
KW - Knowledge base
KW - Risk assessment
UR - http://www.scopus.com/inward/record.url?scp=85069958447&partnerID=8YFLogxK
U2 - 10.1145/3321705.3329853
DO - 10.1145/3321705.3329853
M3 - Conference contribution
AN - SCOPUS:85069958447
T3 - AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
SP - 594
EP - 601
BT - AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
T2 - 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019
Y2 - 9 July 2019 through 12 July 2019
ER -