TY - JOUR
T1 - Extending Attack Graphs to Represent Cyber-Attacks in Communication Protocols and Modern IT Networks
AU - Stan, Orly
AU - Bitton, Ron
AU - Ezrets, Michal
AU - Dadon, Moran
AU - Inokuchi, Masaki
AU - Ohta, Yoshinobu
AU - Yagyu, Tomohiko
AU - Elovici, Yuval
AU - Shabtai, Asaf
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2022/1/1
Y1 - 2022/1/1
N2 - An attack graph is a method used to enumerate the possible paths that an attacker can take in the organizational network. MulVAL is a known open-source framework used to automatically generate attack graphs. MulVAL's default modeling has two main shortcomings. First, it lacks the ability to represent network protocol vulnerabilities, and thus it cannot be used to model common network attacks, such as ARP poisoning. Second, it does not support advanced types of communication, such as wireless and bus communication, and thus it cannot be used to model cyber-attacks on networks that include IoT devices or industrial components. In this article, we present an extended network security model for MulVAL that: (1) considers the physical network topology, (2) supports short-range communication protocols, (3) models vulnerabilities in the design of network protocols, and (4) models specific industrial communication architectures. Using the proposed extensions, we were able to model multiple attack techniques including: spoofing, man-in-the-middle, and denial of service attacks, as well as attacks on advanced types of communication. We demonstrate the proposed model in a testbed which implements a simplified network architecture comprised of both IT and industrial components.
AB - An attack graph is a method used to enumerate the possible paths that an attacker can take in the organizational network. MulVAL is a known open-source framework used to automatically generate attack graphs. MulVAL's default modeling has two main shortcomings. First, it lacks the ability to represent network protocol vulnerabilities, and thus it cannot be used to model common network attacks, such as ARP poisoning. Second, it does not support advanced types of communication, such as wireless and bus communication, and thus it cannot be used to model cyber-attacks on networks that include IoT devices or industrial components. In this article, we present an extended network security model for MulVAL that: (1) considers the physical network topology, (2) supports short-range communication protocols, (3) models vulnerabilities in the design of network protocols, and (4) models specific industrial communication architectures. Using the proposed extensions, we were able to model multiple attack techniques including: spoofing, man-in-the-middle, and denial of service attacks, as well as attacks on advanced types of communication. We demonstrate the proposed model in a testbed which implements a simplified network architecture comprised of both IT and industrial components.
KW - Attack graph
KW - MulVAL
KW - Network attacks
KW - Network protocols
UR - http://www.scopus.com/inward/record.url?scp=85097387474&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2020.3041999
DO - 10.1109/TDSC.2020.3041999
M3 - Article
AN - SCOPUS:85097387474
SN - 1545-5971
VL - 19
SP - 1936
EP - 1954
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 3
ER -