Validating and restoring defense in depth using attack graphs
We implemented our methods using one of the existing attack-graph toolkits.
Initial experimentation shows that the proposed approaches can 1) significantly reduce the complexity of attack graphs by trimming a large portion of the graph that is not needed for a user to understand the security problem, and 2) automatically provide reasonable suggestions for resolving the security problem.
Net SPA generates attack graphs and automatically analyzes them to produce a small set of prioritized recommendations to restore defense in depth.
Field trials on networks with up to 3,400 hosts demonstrate that firewalls often do not provide defense in depth due to misconfigurations and critical unpatched vulnerabilities on hosts. degree in Electrical Engineering from the Polytechnic Institute of Brooklyn, in 1970 and a Ph. degree in Electrical Engineering from the Massachusetts Institute of Technology, in 1978.
In this paper, we present a graph data model for representing input information for attack graph generation.
Also, we show how graph queries can be used to generate attack graph and facilitate its analysis.
Graph databases enable storage of graph data and efficient querying of such data.
An integral part of modeling the global view of network security is constructing attack graphs.
Construction by hand, however, is tedious, error prone, and impractical for attack graphs larger than a hundred nodes.
Defense in depth is often depicted as a two-dimensional representation (drawing) of a three dimensional object (e.g.
security) that rarely reflects the multi-dimensional issues of an information sphere.