A new approach for network vulnerability analysis

Hai L. Vu, Kenneth K. Khaw, Tsong Yueh Chen

Research output: Contribution to journal › Article › Research › peer-review

2 Citations (Scopus)

Abstract

Despite a significant increase in the security of modern information systems, cyber attacks have become more sophisticated as attackers combine multiple vulnerabilities to penetrate networks, with devastating consequences. Attack graphs have long been important tools for analyzing and understanding how various vulnerabilities could be combined, through the many potential interactions and connections between network components, to compromise security. Full attack graphs for a realistic network, however, can be very large and complex, making it difficult to analyze them and to decide what changes should be made to the network to make it sufficiently secure. We propose in this paper a novel approach to analyze network vulnerability and to identify all the combinations of exploits that are critical to the overall security of a network. Unlike previous graph-based algorithms that generate attack trees (or graphs) to cover all possible sequences of vulnerabilities, our method directly analyzes and eliminates less critical vulnerabilities without building the actual attack graph. The proposed approach relies on a unique evaluation of a vulnerability metric defined in this paper, and its effectiveness is demonstrated through an example of a network that provides voice over IP services.
Original language: English
Pages (from-to): 878-891
Number of pages: 14
Journal: The Computer Journal
Volume: 58
Issue number: 4
DOIs
Publication status: Published - 16 Sept 2015
Externally published: Yes

Keywords

  • Computer networks
  • Network security
  • Vulnerability analysis