## Understanding Complex Network Attack Graphs through Clustered Adjacency (2005)

Venue: | Matrices”, Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC |

Citations: | 8 - 1 self |

### BibTeX

@INPROCEEDINGS{Noel05understandingcomplex,

author = {Steven Noel and Sushil Jajodia},

title = {Understanding Complex Network Attack Graphs through Clustered Adjacency},

booktitle = {Matrices”, Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC},

year = {2005},

pages = {160--169}

}

### OpenURL

### Abstract

We apply adjacency matrix clustering to network attack graphs for attack correlation, prediction, and hypothesizing. We self-multiply the clustered adjacency matrices to show attacker reachability across the network for a given number of attack steps, culminating in transitive closure for attack prediction over all possible number of steps. This reachability analysis provides a concise summary of the impact of network configuration changes on the attack graph. Using our framework, we also place intrusion alarms in the context of vulnerabilitybased attack graphs, so that false alarms become apparent and missed detections can be inferred. We introduce a graphical technique that shows multiple-step attacks by matching rows and columns of the clustered adjacency matrix. This allows attack impact/responses to be identified and prioritized according to the number of attack steps to victim machines, and allows attack origins to be determined. Our techniques have quadratic complexity in the size of the attack graph. 1.

### Citations

175 |
Alert Correlation In A Cooperative Intrusion Detection Framework
- Cuppens, Miege
- 2002
(Show Context)
Citation Context ...network attack protection, detection, and response. In Section 5, we summarize our work and draw conclusions. 2. Related Work Recent advances in automatic attack graph generation [2][3][4][5][6][7][8]=-=[9]-=- have made it possible to efficiently compute attack graphs for realistic networks. These approaches avoid the state explosion problem by representing dependencies among state transitions (i.e., attac... |

87 | Scalable, graph-based network vulnerability analysis
- Ammann, Wijesekera, et al.
- 2002
(Show Context)
Citation Context ...or network attack protection, detection, and response. In Section 5, we summarize our work and draw conclusions. 2. Related Work Recent advances in automatic attack graph generation [2][3][4][5][6][7]=-=[8]-=-[9] have made it possible to efficiently compute attack graphs for realistic networks. These approaches avoid the state explosion problem by representing dependencies among state transitions (i.e., at... |

80 | Multilevel visualization of clustered graphs
- Eades, Feng
- 1996
(Show Context)
Citation Context ...nnected attack graph has (4x200) 2 = 640,000 edges. An approach has been proposed for managing attack graph complexity through hierarchical aggregation [4], based on the formalism of clustered graphs =-=[11]-=-. The idea is to collapse subsets of the attack graph into single aggregate vertices, and allow interactive de-aggregation. A disadvantage of this approach is that lower-level details of the attack gr... |

65 | Fully automatic cross-associations
- Chakrabarti, Papadimitriou, et al.
- 2004
(Show Context)
Citation Context ...t. That is, without the proper ordering of matrix rows and columns, the underlying attack graph structure is not necessarily apparent. We therefore apply an information-theoretic clustering technique =-=[1]-=- that reorders the adjacency matrix so that blocks of similarly-connected attack graph elements emerge. The clustering technique is fully automatic, parameter-free, and scales linearly with graph size... |

63 | NVisionIP: NetFlow Visualizations of System State for Security
- Lakkaraju, Yurcik, et al.
- 2004
(Show Context)
Citation Context ...as single units. This clustering technique is fully automatic, is free of parameters, and scales linearly with graph size. There have been approaches that view network traffic in the form of a matrix =-=[12]-=-[13], where rows and columnssmight be subnets, IP addresses, ports, etc. But these approaches do not employ clustering to find homogeneous groups within the visualized matrices as we do. Also, they ge... |

61 |
PortVis: a tool for port-based detection of security events
- McPherson, Ma, et al.
- 2004
(Show Context)
Citation Context ...ingle units. This clustering technique is fully automatic, is free of parameters, and scales linearly with graph size. There have been approaches that view network traffic in the form of a matrix [12]=-=[13]-=-, where rows and columnssmight be subnets, IP addresses, ports, etc. But these approaches do not employ clustering to find homogeneous groups within the visualized matrices as we do. Also, they genera... |

59 | A tutorial introduction to the minimum description length principle,” In: Advances in Minimum Description Length: Theory and Applications, (edited by
- Grünwald
- 2005
(Show Context)
Citation Context ...rs of clusters and cluster assignments provide an information-theoretic measure of cluster optimality. This is based on ideas from data compression, including the Minimum Description Length principle =-=[14]-=-, in which regularity in the data can be used to compress it (describe it in fewer symbols). Intuitively, one can say that the more we compress the data, the better we understand it, in the sense that... |

55 |
Topological analysis of network attack vulnerability
- Jajodia, Noel, et al.
- 2003
(Show Context)
Citation Context ...a number of ways for network attack protection, detection, and response. In Section 5, we summarize our work and draw conclusions. 2. Related Work Recent advances in automatic attack graph generation =-=[2]-=-[3][4][5][6][7][8][9] have made it possible to efficiently compute attack graphs for realistic networks. These approaches avoid the state explosion problem by representing dependencies among state tra... |

47 |
Efficient minimum-cost network hardening via exploit dependency grpahs
- Noel, Jajodia, et al.
- 2003
(Show Context)
Citation Context ...ways for network attack protection, detection, and response. In Section 5, we summarize our work and draw conclusions. 2. Related Work Recent advances in automatic attack graph generation [2][3][4][5]=-=[6]-=-[7][8][9] have made it possible to efficiently compute attack graphs for realistic networks. These approaches avoid the state explosion problem by representing dependencies among state transitions (i.... |

40 | Managing attack graph complexity through visual hierarchical aggregation
- Noel, Jajodia
- 2004
(Show Context)
Citation Context ...er of ways for network attack protection, detection, and response. In Section 5, we summarize our work and draw conclusions. 2. Related Work Recent advances in automatic attack graph generation [2][3]=-=[4]-=-[5][6][7][8][9] have made it possible to efficiently compute attack graphs for realistic networks. These approaches avoid the state explosion problem by representing dependencies among state transitio... |

30 | Correlating Intrusion Events and Building Attack Scenarios through Attack Graph Distances
- Noel, Jajodia
(Show Context)
Citation Context ...umber of ways for network attack protection, detection, and response. In Section 5, we summarize our work and draw conclusions. 2. Related Work Recent advances in automatic attack graph generation [2]=-=[3]-=-[4][5][6][7][8][9] have made it possible to efficiently compute attack graphs for realistic networks. These approaches avoid the state explosion problem by representing dependencies among state transi... |

22 |
Tollis, Graph Drawing: Algorithms for the Visualization of Graphs
- Battista, Eades, et al.
- 1999
(Show Context)
Citation Context ... are generated for realistic networks, using comprehensive sets of modeled attacker exploits, the resulting attack graphs can be very large. Previous approaches generally use graph drawing algorithms =-=[10]-=-, in which vertices and edges between them are drawn according to particular aesthetic criteria. While large graphs have been successfully drawn, these have generally been relatively sparsely connecte... |

21 | Representing TCP/IP connectivity for topological analysis of network security
- Ritchey, O’Berry, et al.
- 2002
(Show Context)
Citation Context ...s for network attack protection, detection, and response. In Section 5, we summarize our work and draw conclusions. 2. Related Work Recent advances in automatic attack graph generation [2][3][4][5][6]=-=[7]-=-[8][9] have made it possible to efficiently compute attack graphs for realistic networks. These approaches avoid the state explosion problem by representing dependencies among state transitions (i.e.,... |

10 |
Amant, “Building Attack Scenarios through Integration of Complementary Alert Correlation Methods
- Ning, Xu, et al.
- 2004
(Show Context)
Citation Context ...of ways for network attack protection, detection, and response. In Section 5, we summarize our work and draw conclusions. 2. Related Work Recent advances in automatic attack graph generation [2][3][4]=-=[5]-=-[6][7][8][9] have made it possible to efficiently compute attack graphs for realistic networks. These approaches avoid the state explosion problem by representing dependencies among state transitions ... |

6 | Efficient Transitive Closure Computation
- Nuutila
- 1995
(Show Context)
Citation Context ...umbers of steps. This Boolean sum is known as the transitive closure of A. The classical Floyd-Warshall algorithm computes transitive closure in O(n 3 ), although there are improved algorithms, e.g., =-=[15]-=-, that come closer to O(n 2 ). Frequently in practice, elements of A p monotonically increase as p increases. In such cases, we can distinguish the minimum number of steps required to reach each pair ... |