
Attack Graph Generation Design And Implementation In Network Security Assessment System

Posted on: 2012-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: F F Chen
GTID: 2178330335960735
Subject: Computer Science and Technology

Abstract/Summary:
Attack graphs are an integral part of a network security assessment system. System administrators use attack graphs to determine how vulnerable their systems are and which security measures to deploy to defend them.

At present, attack graph generation follows a mature network information processing cycle, in which each module has a clear data-processing goal. The key and difficult points of attack graph generation are reducing the complexity of generating the graph and establishing the associated vulnerability database.

To address the complexity problem, we propose a new approach to attack graph generation, called the atomic-domains-based approach, which is simple and scalable. The approach is driven by the goal of network security assessment and follows a breadth-first strategy. The algorithm achieves scalable, quadratic complexity. In addition, our attack graphs cover the global network and therefore provide more complete data support for network security assessment.

To address the problem of the associated vulnerability database, we build the database through information collection and data mining. The vulnerability database provides data support for attack graph generation.

We have completed the development of our system, in which the atomic-domain-based attack graph generation subsystem is the core process. The subsystem is built on the Struts application framework and the layered, modular MVC (Model-View-Controller) design. The subsystem is distributed using a B/S (browser/server) structure, which simplifies client design and reduces the cost of system maintenance and upgrades. In addition, the associated vulnerability database collects quantified pre- and post-condition information by data mining from current vulnerability databases.

Testing of the attack graph generation subsystem shows that the associated vulnerability database provides data support for attack graph generation. The system generates a network attack graph that shows the elevation of the attacker's privilege, and the attack graph generation time increases with the square of the number of hosts.
Keywords/Search Tags: attack graph, atomic domain, network security assessment, vulnerabilities database, attack graph generation