Study of Attack Graph Construction Based on Distributed Parallel Processing

doi:10.3969/j.issn.1000-1093.2012.01.018

Acta Armamentarii ›› 2012, Vol. 33 ›› Issue (1): 109-115.doi: 10.3969/j.issn.1000-1093.2012.01.018

• Research Notes • Previous Articles Next Articles

Study of Attack Graph Construction Based on Distributed Parallel Processing

MA Jun-chun^1,2， SUN Ji-yin²， WANG Yong-jun¹， ZHAO Bao-kang¹, CHEN Shan³

(1.School of Computer Science, National University of Defense Technology, Changsha 410073, Hunan, China;2.The Second Artillery Engineering Institute, Xi’an 710025, Shaanxi, China；3.The PLA 96617 Troops, Luzhou 646000, Sichuan, China)

Received:2010-10-10 Revised:2010-10-10 Online:2014-03-04
Contact: MA Jun-chun E-mail:chenshan1223@126.com

Abstract

Abstract: In order to resolve the existed problems when analyzing large and complex network systems, a novel attack graph construction method is proposed which is based on distributed parallel processing technology. Firstly, from the defender's point of view, all the vulnerable hosts are considered as attack targets, using positive, breadth-first search strategy to construct attack graph, which resolves the problem of which the attack target is defined and single in the existed methods. Secondly, the optimization technology is researched, and the total network is divided into different areas, through multi-engine parallel processing technology, to meet the distribution scalability requirements, the problem of existed methods with high complexity and low scalability is resolved, and which is difficult for large-scale complex network. Finally, the optimization strategy, limited number of attack steps is used, which resolves the existing state explosion problem when constructing the attack graph. Experimental results show that this method can improve the efficiency of attack graph’s generation, and reduce the system resource consumption greatly, and it has value for assessing the security of large-scale complex network.

Key words: computer system architecture, large-scale network, network security, attack graph, distributed parallel processing

CLC Number:

TP393

MA Jun-chun， SUN Ji-yin， WANG Yong-jun， ZHAO Bao-kang, CHEN Shan. Study of Attack Graph Construction Based on Distributed Parallel Processing[J]. Acta Armamentarii, 2012, 33(1): 109-115.

References

［1］ Ortalo R, Dewarte Y, Kaaniche M. Experimenting with quantitative evaluation tools for monitoring operation security[J]. IEEE Transactions on Software Engineering, 1999, 25(9-10): 633-650.
［2］陆余良, 夏阳. 主机安全量化融合模型研究[J]. 计算机学报,2005,5(28): 914-920.
LU Yu-liang, XIA Yang. Research on target-computer secure quantitative fusion model[J]. Chinese Journal of Computers, 2005, 5(28): 914-920. (in Chinese)
［3］冯萍慧, 连一峰, 戴英侠, 等. 面向网络系统的脆弱性利用成本估算模型[J]. 计算机学报, 2006, 8(29): 1375-382.
FENG Ping-hui, LIAN Yi-feng, DAI Ying-jie, et al. An evaluation model of vulnerability exploitation cost for network system[J]. Chinese Journal of Computers, 2006, 8(29): 1375-382. (in Chinese)
［4］ Cuppens F. Alert correlation in a cooperative intrusion detection framework[C]∥Proceedings of the 2002 IEEE Symposium on Security and Privacy, Washington, DC: IEEE Computer Society, 2002.
［5］ Ning P, Xu D. Learning attack strategies from intrusion alerts[C]∥Proceedings of the 10 ACM Conference on Computer and Communications Security. New York: ACM Press, 2003: 200-209.
［6］ Swiler L P, Phillips C, Ellis D, et al. Computer-attack graph generation tool[C]∥Proceedings DARPA Information Survivability Conference and Exposition (DISCEX II’01), Vol 2. Anaheim: IEEE Computer Society, 2001: 1307- 1321.
［7］ Swiler L P, Phillips C, Gaylor T. A graph-based network-vulnerability analysis system, SAND97-3010/1[R]. Sandia National Laboratories, Albuquerque, New Mexico and Livermore: 1998.
［8］ Ritchey R, Ammann P. Using model checking analyze network vulnerability[C]∥Proceedings of IEEE Symposium on Security and Privacy. 2001:156-165.
［9］ Sheyner O, Haines Jha S. Automated generation and analysis of attack graph[C]∥Proceedings of IEEE Symposium on Security and Privacy. 2002:273-284.
［10］王永杰, 鲜明, 刘进, 等. 基于攻击图模型的网络安全评估研究[J]. 通信学报, 2007,28(3):29-34.
WANG Yong-jie, XIAN Ming, LIU Jin, et al. Study of network security evaluation based on attack graph model[J]. Journal of Communications, 2007,28(3):29-34. (in Chinese)
［11］ Michener J. System insecurity in the internet age [J]. IEEE Software, 1999, 16(4): 62-69.
［12］ CAPEC. Common attack pattern enumeration and classification[EB/OL]. (2009-04-15)[2010-09-26]. http:∥www.capec.mitre.org.

[1]	LI Xu， QIU Song-qing， PENG Jin-lin， WANG Cong. An Improved Multi-path Routing Protocol in Mobile Ad Hoc Network [J]. Acta Armamentarii, 2016, 37(11): 2022-2028.
[2]	QIAN Yu-wen, SONG Hua-jü, KONG Jian-shou, ZHU Xiao-mei. Study on the Module of Network Thumb Printer Based on Network Covert Time Channel [J]. Acta Armamentarii, 2012, 33(1): 19-25.

Study of Attack Graph Construction Based on Distributed Parallel Processing

PDF (PC)

Knowledge

Cited

Abstract

Cite this article

share this article

References

Related Articles 2

Recommended Articles

Metrics

Comments