Browse > Article
http://dx.doi.org/10.13089/JKIISC.2012.22.5.1079

Automated Attack Path Enumeration Method based on System Vulnerabilities Analysis  

Kim, Ji Hong (Graduate School of Information Security, Korea University)
Kim, Huy Kang (Graduate School of Information Security, Korea University)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.22, no.5, 2012 , pp. 1079-1090 More about this Journal
Abstract
As the number of information asset and their vulnerabilities are increasing, it becomes more difficult for network security administrators to assess security vulnerability of their system and network. There are several researches for vulnerability analysis based on quantitative approach. However, most of them are based on experts' subjective evaluation or they require a lot of manual input for deriving quantitative assessment results. In this paper, we propose HRMS(Hacking and Response Measurement System) for enumerating attack path using automated vulnerability measurement automatically. HRMS can estimate exploitability of systems or applications based on their known vulnerability assessment metric, and enumerate attack path even though system, network and application's information are not fully given for vulnerability assessment. With this proposed method, system administrators can do proactive security vulnerability assessment.
Keywords
Network Security; Attack Graph; System Vulnerability Evaluation;
Citations & Related Records
연도 인용수 순위
  • Reference
1 K. Ingols, C. Scoot, K. Oiwowarski, K. Kratkiewicz, M. Artz, and R. Lippmann, "Validating and restoring defense in depth using attack graphs," Military Communications Conference (MILCOM 2006), pp. 1-10, Oct. 2006.
2 M. Jun-chun, W. Yong-jun, S. Ji-yin, and C. Shan, "A minimum cost of network hardening model based on attack graphs," Procedia Engineering, vol. 15, pp. 3277-3233, Dec. 2011.   DOI
3 B. Martin, C. Sullo, and J. Kouns, "OSVDB: open source vulnerability database," http://www.osvdb.org/
4 P. Mell, K. Scarfone, and S. Romanosky, "CVSS: a common vulnerability scoring system," http://www.first.org/cvss/cvss-guide.html/
5 S.H. Houmb and V.N.L. Franqueira, "Estimating toe risk level using CVSS," International Conference on Reliability and Security, pp. 718-725, Mar. 2009.
6 김동진, 조성제, "국가 DB 기반의 국내외 보안취약 점 관리체계 분석," Internet and Information Security, 1(2), pp. 130-147, 2010
7 S. Quinn, D. Waltermire, C. Johnson, K. Scarfone, and J. Banghart, "The technical specification for the security content automation protocol(SCAP)," National Institute of Standards and Technology(NIST), sp. 800-126, 2010.
8 R. Wang, L. Gao, Q. Sun, and D. Sun, "An improved CVSS-based vulnerability scoring mechanism," Third International Conference on Multimedia Information Networking and Security(MINES), pp. 352-355, Nov. 2011.
9 C. Fruhwirth and T. Mannisto, "Improving CVSS-based vulnerability prioritization and response with context information," Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement, pp. 535-544, 2009.
10 S. Jajodia, S. Noel, and B. O'Berry, "Topological analysis of network attack vulnerability," Managing Cyber Threats, vol. 5, pp. 247-266, 2005.
11 S. Noel and S. Jajodia, "Managing attack graph complexity through visual hierarchical aggregation," Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pp. 109-118, 2004.
12 L. wang, T. Islam, A. Singhal, and S. jajodia, "An attack graph-based probabilistic security metric," Lecture Notes in Computer Science, vol. 5094, pp. 283-296, 2008.
13 B. Wu and A.J.A. Wang, "EVMAT : an OVAL and NVD based enterprise vulnerability modeling and assessment tool," Proceedings of the 49th Annual Southeast Regional Conference, pp. 115-120, 2011.
14 김윤호, 이승, 강희조, "사용자 인증 방법의 분류방법에 대한 연구," 보안공학연구논문지(Journal of Security Engineering), 4(1), Feb. 2007.
15 L. Wiliams, R. Lippmann, and K. Ingols, "An interactive attack graph cascade and reachability display," VizSEC 2007 Mathematics and Visualization, pp. 221-236, 2008.