Discovering and Mitigating New Attack Paths Using Graphical Security Models

Jin Bum Hong, Dong Seong Kim

Research output: Chapter in Book/Conference paper, Conference paper

Abstract

To provide a comprehensive security analysis of modern networked systems, we need to take into account the combined effects of existing vulnerabilities and zero-day vulnerabilities. In addition to them, it is important to incorporate new vulnerabilities emerging from threats such as BYOD and USB file sharing. Consequently, there may be new dependencies between system components that could also create new attack paths, but previous work did not take into account those new attack paths in their security analysis (i.e., not all attack paths are taken into account). Thus, countermeasures may not be effective, especially against attacks exploiting the new attack paths. In this paper, we propose a Unified Vulnerability Risk Analysis Module (UV-RAM) to address the aforementioned problems by taking into account the combined effects of those vulnerabilities and capturing the new attack paths. The three main functionalities of UV-RAM are: (i) to discover new dependencies and new attack paths, (ii) to incorporate new vulnerabilities introduced and zero-day vulnerabilities into security analysis, and (iii) to formulate mitigation strategies for hardening the networked system. Our experimental results demonstrate and validate the effectiveness of UV-RAM.

Original language: English
Title of host publication: Proceedings: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops, DSN-W 2017
Place of Publication: USA
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 45-52
Number of pages: 8
ISBN (Electronic): 9781538622728
DOIs: https://doi.org/10.1109/DSN-W.2017.18
Publication status: Published - 30 Aug 2017
Externally published: Yes
Event: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops, DSN-W 2017 - Denver, United States
Duration: 26 Jun 2017 to 29 Jun 2017

Conference

Conference: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops, DSN-W 2017
Country: United States
City: Denver
Period: 26/06/17 to 29/06/17

Fingerprint

Risk analysis
Hardening

Cite this

Hong, J. B., & Kim, D. S. (2017). Discovering and Mitigating New Attack Paths Using Graphical Security Models. In Proceedings: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops, DSN-W 2017 (pp. 45-52). [8023697] USA: IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/DSN-W.2017.18
@inproceedings{38f3547fe7cd4d11b85b352d5bc5300a,
title = "Discovering and Mitigating New Attack Paths Using Graphical Security Models",
keywords = "Attack Graphs, Mitigation Strategies, Network Hardening, Security Analysis, Zero-day Vulnerabilities",
author = "Hong, {Jin Bum} and Kim, {Dong Seong}",
year = "2017",
month = "8",
day = "30",
doi = "10.1109/DSN-W.2017.18",
language = "English",
pages = "45--52",
booktitle = "Proceedings: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops, DSN-W 2017",
publisher = "IEEE, Institute of Electrical and Electronics Engineers",
address = "United States",

}

TY - GEN
T1 - Discovering and Mitigating New Attack Paths Using Graphical Security Models
AU - Hong, Jin Bum
AU - Kim, Dong Seong
PY - 2017/8/30
Y1 - 2017/8/30
KW - Attack Graphs
KW - Mitigation Strategies
KW - Network Hardening
KW - Security Analysis
KW - Zero-day Vulnerabilities
UR - http://www.scopus.com/inward/record.url?scp=85031760923&partnerID=8YFLogxK
U2 - 10.1109/DSN-W.2017.18
DO - 10.1109/DSN-W.2017.18
M3 - Conference paper
SP - 45
EP - 52
BT - Proceedings: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops, DSN-W 2017
PB - IEEE, Institute of Electrical and Electronics Engineers
CY - USA
ER -