A Hierarchical Network Security Risk Evaluation Approach Based On Multi-goal Attack Graph

The network technology accelerates the progress of information society. At the same time, with the network attacks techniques being more secret, efficient, and intelligent, the network security becomes more and more serious. An attacker can often infiltrate a seemingly well-guarded network system to promulgate threats using multi-step attacks by exploiting sequences of related vulnerabilities. In the research on evaluating the security risk arising from these potential threats, the main challenge is how to accurately identify the potential threats, compute the network security risk, guide to the architecture construction of network security techniques, and reach to the Proportional Security of the network system.Through the in-depth analysis of network security characteristics and the practice of the network security risk evaluation, the multi-goal attack graphs are introduced to reveal such potential threats by enumerating all possible sequences of atomic attacks that an attacker can follow to compromise critical information resources in the given network system. Furthermore, a hierarchical network security risk evaluation framework based on multi-goal attack graphs MAG-SRE is developed, which involves three evaluation contents (i.e. identifying the potential threats, computing the network security risk, and hardening network security), five evaluation stages (i.e. modeling the network and attackers, multi-goal attack graphs automated generation, managing the multi-goal attack graphs complexity, computing the network security risk, hardening network security with minimum-cost), and thirteen evaluation steps. In addition, the study goes further in the key technologies corresponding to the evaluation stages.In the stage of modeling the network and attackers, the attribute-oriented hierarchical network model is firstly present in terms of the characteristic of the network hierarchy. Secondly, the knowledge base for attack patterns is put forward to model the attacker's ability on the basis of the study of the open vulnerability database. Thirdly, the modeling language AGML is designed to formally describe the models of the given network system and attackers. Finally, two techniques are proposed to automatically acquire the network model parameters from the given network system in order to model the actual large-scale network system automatically.In the stage of the multi-goal attack graphs automated generation, the crucial issue is the generation algorithm's scalability. First, three optimization techniques (filtering attack patterns, compressing attributes, instancing & looking back) is proposed to sustain the novel attack graphs generation algorithm, through the in-depth analysis of the models'features of the network system and attackers and the limitation of previous algorithms. Moreover, the algorithm's scalability is explored by analyzing the time complexity and evaluating simulated networks. The experimental result shows the algorithm could be applied to the large network system.In the stage of managing the multi-goal attack graphs complexity, the crucial issue is to reduce the large-scale attack graphs complexity. Firstly, the analysis technique for valid attack paths is present from perspective of the actual attack scenario. Secondly, the hierarchical aggregation technique is proposed from perspective of the dependency among components in the network. Thirdly, the discovery technique for the dependency among vulnerabilities is put forward. At the same time, the algorithms corresponding to the above three techniques are bring forward to actualize the automated complexity management of large-scale attack graphs. The practice shows these techniques are helpful to security analysts for accuracy comprehension and application of attack graphs.In the stage of computing the network security risk, a multi-goal attack graphs- oriented hierarchical network security risk computation approach is proposed, which utilizes multi-goal attack graphs to identify the potential threats, and make use of the model of threats occurrence probability computation, the model of threats impact analysis, and the model of network security risk index computation to evaluate the security risk index of objects (i.e. services, hosts and the system ) in the network. Compared with the previous work, the novel computation approach has three advantages of objectivity, repeatability and comparability.In the stage of hardening network security with minimum-cost, the problem of the minimum-cost network security hardening solutions is proved to be the NP-complete problem. Thus two algorithms are put forward to solve the problem. One is to compute accurate solution, which can be applied to the small attack graphs, and can not be applied to the large-scale attack graphs due to its exponential time complexity. The other is to compute approximate solution, which can not be applied to the large-scale attack graphs owing to its polynomial time complexity and the worst performance ratio. In the application, between the above two algorithms, what it is first depends on circumstances.In a word, the above study of the key technologies not only supports the development of the hierarchical network security risk evaluation approach based on multi-goal attack graphs MAG-SRE, but also plays a crucial role in promoting the improvement and development of the attack graphs technology.