Attack graph approach to dynamic network vulnerability analysis and countermeasures
AuthorsHamid, Thaier K.A.
Dynamic Vulnerability Scoring System
G490 Computing Science not elsewhere classified
MetadataShow full item record
AbstractIt is widely accepted that modern computer networks (often presented as a heterogeneous collection of functioning organisations, applications, software, and hardware) contain vulnerabilities. This research proposes a new methodology to compute a dynamic severity cost for each state. Here a state refers to the behaviour of a system during an attack; an example of a state is where an attacker could influence the information on an application to alter the credentials. This is performed by utilising a modified variant of the Common Vulnerability Scoring System (CVSS), referred to as a Dynamic Vulnerability Scoring System (DVSS). This calculates scores of intrinsic, time-based, and ecological metrics by combining related sub-scores and modelling the problem’s parameters into a mathematical framework to develop a unique severity cost. The individual static nature of CVSS affects the scoring value, so the author has adapted a novel model to produce a DVSS metric that is more precise and efficient. In this approach, different parameters are used to compute the final scores determined from a number of parameters including network architecture, device setting, and the impact of vulnerability interactions. An attack graph (AG) is a security model representing the chains of vulnerability exploits in a network. A number of researchers have acknowledged the attack graph visual complexity and a lack of in-depth understanding. Current attack graph tools are constrained to only limited attributes or even rely on hand-generated input. The automatic formation of vulnerability information has been troublesome and vulnerability descriptions are frequently created by hand, or based on limited data. The network architectures and configurations along with the interactions between the individual vulnerabilities are considered in the method of computing the Cost using the DVSS and a dynamic cost-centric framework. A new methodology was built up to present an attack graph with a dynamic cost metric based on DVSS and also a novel methodology to estimate and represent the cost-centric approach for each host’ states was followed out. A framework is carried out on a test network, using the Nessus scanner to detect known vulnerabilities, implement these results and to build and represent the dynamic cost centric attack graph using ranking algorithms (in a standardised fashion to Mehta et al. 2006 and Kijsanayothin, 2010). However, instead of using vulnerabilities for each host, a CostRank Markov Model has developed utilising a novel cost-centric approach, thereby reducing the complexity in the attack graph and reducing the problem of visibility. An analogous parallel algorithm is developed to implement CostRank. The reason for developing a parallel CostRank Algorithm is to expedite the states ranking calculations for the increasing number of hosts and/or vulnerabilities. In the same way, the author intends to secure large scale networks that require fast and reliable computing to calculate the ranking of enormous graphs with thousands of vertices (states) and millions of arcs (representing an action to move from one state to another). In this proposed approach, the focus on a parallel CostRank computational architecture to appraise the enhancement in CostRank calculations and scalability of of the algorithm. In particular, a partitioning of input data, graph files and ranking vectors with a load balancing technique can enhance the performance and scalability of CostRank computations in parallel. A practical model of analogous CostRank parallel calculation is undertaken, resulting in a substantial decrease in calculations communication levels and in iteration time. The results are presented in an analytical approach in terms of scalability, efficiency, memory usage, speed up and input/output rates. Finally, a countermeasures model is developed to protect against network attacks by using a Dynamic Countermeasures Attack Tree (DCAT). The following scheme is used to build DCAT tree (i) using scalable parallel CostRank Algorithm to determine the critical asset, that system administrators need to protect; (ii) Track the Nessus scanner to determine the vulnerabilities associated with the asset using the dynamic cost centric framework and DVSS; (iii) Check out all published mitigations for all vulnerabilities. (iv) Assess how well the security solution mitigates those risks; (v) Assess DCAT algorithm in terms of effective security cost, probability and cost/benefit analysis to reduce the total impact of a specific vulnerability.
CitationHamid, T. (2014) 'Attack graph approach to dynamic network vulnerability analysis and countermeasures'. PhD thesis. University of Bedfordshire.
PublisherUniversity of Bedfordshire
TypeThesis or dissertation
DescriptionA thesis submitted to the University of Bedfordshire, in partial fulfilment of the requirements for the degree of Doctor of Philosophy
The following license files are associated with this item:
Showing items related by title, author, creator and subject.
Spatial diversity for wireless LANsBrito, Rodrigo; Allen, Ben; Dohler, Mischa; Aghvami, A.Hamid; University of Bristol (IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC, 2004-05)Wireless local area networks (W-LAN) are widely used as a means of providing broadband access for high-speed wireless data services. The maximization of the system performance independent of the transceiver technology and the operating environment is of utmost importance to the hotspot system designer. This paper reports on the performance of single input and multiple output (SIMO) W-LAN systems and shows that a circular array topology located at the access point provides the best performance improvement compared to other candidate technologies when operating in an indoor office environment.
Performance analysis of routing protocols in ManetKaur, Pardeep (University of Bedfordshire, 2012)The history of wireless network is around 20 year old, when in 1997 IEEE start working on it and define the wireless standards in 1999. As Mobile Adhoc Network (MANET) is self managing and governing network, so it is the challenging task to handle the network in most effective and better way due to dynamic changes In the network as the nodes can join and leave the network without getting any authorization and these nodes are independent in nature. This research is based on the performance measurement of proactive and reactive protocols with respect to quality of service.
Cross-validation based man-in-the-middle attack protectionCui, Xiaofei (University of Bedfordshire, 2017-03)In recent years, computer network has widely used in almost all areas of our social life. It has been profoundly changing the way of our living. However, various network attacks have become an increasingly problem at the same time. In local area networks, Man-in-the-Middle attack, as one kind of ARP attack, is the most common attack. This research implemented a cross-validation based Man-in-the-Middle attack protection method (CVP). This approach enables a host to check whether another host that responds the initialising host with an ARP reply packet is genuine. It then allows the ARP cache table of the initialising hosts to be updated with the MAC address and IP address pairs of the genuine host and to place the MAC address of inauthentic hosts into a blacklist. This research introduced ARP and ICMP firstly, including the structure of ARP and ICMP packets, and their workflows. Secondly, this research discussed the types of ARP attacks and the existing ARP attacks protection methods, including their principles, applicable environment, advantages and disadvantages. Then, this research proposed and implemented a cross-validation based Man-in-the-Middle attack protection method. Simulations and experiments were performed to examine the effect of CVP method. The results show the effectiveness of the proposed cross-validation based method in protecting network from Man-in-the-Middle attack. Compared with the existing Man-in-the-Middle attack protection methods, CVP requires no extra devices and administration, leading to more secure local area networks and low cost. It also has made a “tabu” to attackers. That is, it places the MAC address of attackers into a blacklist. So they will be identified immediately if they try to attack the network again.