Home   >   CSC-OpenAccess Library   >    Manuscript Information
Full Text Available

This is an Open Access publication published under CSC-OpenAccess Policy.
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
Ahmad Fadlallah, Hassan Sbeity, Mohammad Malli, Patrick Lteif
Pages - 1 - 12     |    Revised - 31-03-2016     |    Published - 30-04-2016
Volume - 8   Issue - 1    |    Publication Date - April 2016  Table of Contents
Attack Graphs, IDS, Vulnerability Analysis, Network Security.
Internet attacks are continuously increasing in the last years, in terms of scale and complexity, challenging the existing defense solutions with new complications and making them almost ineffective against multi-stage attacks, in particular the intrusion detection systems which fail to identify such complex attacks. Attack graph is a modeling technique used to visualize the different steps an attacker might select to achieve his end game, based on existing vulnerabilities and weaknesses in the system. This paper studies the application of attack graphs in intrusion detection and prevention systems (IDS/IPS) in order to better identify complex attacks based on predefined models, configurations, and alerts. As a “proof of concept”, a tool is developed which interfaces with the well-known SNORT [1] intrusion detection system and matches the alerts with an attack graph generated using the NESSUS [2] vulnerability scanner (maintained up-to-date using the National Vulnerability Database (NVD) [3]) and the MULVAL [4] attack graph generation library. The tool allows to keep track with the attacker activities along the different stages of the attack graph.
CITED BY (0)  
1 Google Scholar
2 CiteSeerX
3 refSeek
4 Scribd
5 SlideShare
6 PdfSR
1 Snort-Project. “Snort network intrusion detection system”, Internet: http://www.snort.org.2016. [February 16, 2016].
2 Tenable Network Security Inc. “Nessus vulnerability scanner”. Internet: http://www.tenable.com/products/nessus. 2016. [February 16, 2016].
3 National Institute of Standards and Technologies (NIST). “National Vulnerability Database”, Internet: http://nvd.nist.gov. 2016. [February 16, 2016].
4 X. Ou, S. Govindavajhala, A.W. Appel. “MULVAL: A logic-based network security analyzer”. In Proceedings of the 14th USENIX Security Symposium (SSYM’05). 2005.
5 ArborNetworks. “Worldwide infrastructure security report - volume XI”. Internet: https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf. January 26, 2016. [February 16, 2016].
6 Cisco Inc. “Cisco 2016 annual security report”. Internet: www.cisco.com/go/asr2016. January 2016. [February 16, 2016].
7 S. Jha, O. Sheyner and J. Wing. “Two formal analyses of attack graphs”. In Proceedings of the 15th IEEE Computer Security Foundations Workshop, 2002, pp 49–63.
8 R. Lippmann, K. Ingols. “An annotated review of past papers on attack graphs”. MIT Lincoln laboratory Project Report, 31 March 2005.
9 O. Sheyner, J. Haines, S. Jha, R. Lippmann, J. Wing. “Automated generation and analysis of attack graphs”. In proceedings of the IEEE Symposium on Security and Privacy, 2002. pp 273–284.
10 S. Noel, M. Jacobs, P. Kalapa, S. Jajodia. “Multiple coordinated views for network attack graphs”. In Proceedings of the IEEE Workshops on Visualization for Computer Security,2005. pp12-14.
11 L. Huiying. “Research on network risk assessment based on attack probability”. Second International Workshop on Computer Science and Engineering (WCSE ‘09). 2009. vol. 2, pp. 376–381.
12 K. Ingols, R. Lippmann, K. Piwowarski. “Practical attack graph generation for network defense”. 22nd Annual Computer Security Applications Conference (ACSAC ’06), 2006. pp 121-130.
13 J. Lee, H. Lee, In HP. “Scalable attack graph for risk assessment”. In Proceedings of the 23rd International Conference on Information Networking (ICOIN’09). 2009. pp 78–82.
14 X. Ou, W.F. Boyer, M.A. McQueen. “A scalable approach to attack graph generation”. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS). pp 336–345.
15 C. Phillips, L.P. Swiler. “A graph-based system for network-vulnerability analysis”. In Proceedings of the ACM Workshop on New Security Paradigms (NSPW ’98). 1998. pp71–79.
16 S.S. Huang, T.J. Green, B.T. Loo. “Datalog and emerging applications: An interactive tutorial”. In Proceedings of the ACM International Conference on Management of Data (SIGMOD’11). 2011. pp1213–1216.
17 L. Surhone, M. Timpledon, S. Marseken. “Sguil”. VDM Publishing, 2010.
18 A. Baker. “Barnyard: Output spool reader for snort”, Internet: http://barnyard.sourceforge.net. 2016. [February 16, 2016].
19 MITRE Corporation. “Open vulnerability and assessment language (OVAL)” Internet: http://oval.mitre.org/. 2016. [February 16, 2016].
20 MITRE Corporation. “Common vulnerabilities and exposures (CVE): The standard for information security vulnerability names”. Internet: http://cve.mitre.org. 2016. [February 16, 2016].
21 S. Radack, R. Kuhn. “Managing security: The security content automation protocol”. in IT Professional, vol.13, no.1, pp.9-11, Jan.-Feb. 2011.
22 O. Sheyner and J.M. Wing. “Tools for generating and analyzing attack graphs”. In Proceedings of Workshop on Formal Methods for Components and Objects, 2004,344-371.
23 A.Singhal and X.Ou. “Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs”. National Institute of Science and Technology Interagency Report 7788. August 2011.
24 J. Ellson, E. Gansner, L. Koutsofios, S.C. North, G. Woodhull. “GraphViz-Open source graph drawing tools”. Graph Drawing, Lecture Notes in Computer Science, vol. 2265, Springer Berlin Heidelberg, 2002; pp 483–484.
Dr. Ahmad Fadlallah
Faculty of Computer Studies Arab Open University Beirut - Lebanon
Mr. Hassan Sbeity
Faculty of Computer Studies Arab Open University Beirut - Lebanon
Mr. Mohammad Malli
Faculty of Computer Studies Arab Open University Beirut - Lebanon
Dr. Patrick Lteif
Sodetel, Beirut - Lebanon