Performance Impact of Connectivity Restrictions and Increased Vulnerability Presence on Automated Attack Graph Generation
Download
Author
Cullum, James
Irvine, Cynthia E.
Levin, Tim
Date
2007-03-00Metadata
Show full item recordAbstract
The current generation of network vulnerability detection software uses databases of known vulnerabilities and scans target networks for these weaknesses. The results can be voluminous and difficult to assess. Thus, the success of this technology has created a need for software to aid in network vulnerability analysis. Although research has shown the effectiveness of automated attack graph generation tools in displaying potential attack paths in a network, research involving the performance of these tools has been limited. The performance impact of connectivity restrictions and the number of vulnerabilities present on a network for these tools is not well understood. Using empirical testing, we have collected quantitative data using CAULDRON, an attack graph generation tool developed at George Mason University, on a collection of simulated networks defined to modulate connectivity at certain points in our networks and represent the number of vulnerabilities present per node. By defining our model to include sets of nodes, which allow connectivity from all nodes to all vulnerable nodes in the set; the number of nodes present in each set, the number of connections between sets; and the number of vulnerabilities per node as our variables, we are able to observe the performance impact on CAULDRON of both connectivity restrictions and the increased presence of vulnerabilities in our networks. The effect of these variables on processing time and memory usage is presented and can be used as a metric to assess the scalability of this tool within various customer environments.
Description
ICIW 2007 2nd International Conference on Warfare and Security Naval Postgraduate School, Monterey, California, USA 8-9 March 2007 pp.33-46
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.Related items
Showing items related by title, author, creator and subject.
-
Performance analysis of automated attack graph generation software
Cullum, James J. (Monterey, California. Naval Postgraduate School, 2006-12);The current generation of network vulnerability detection software uses databases of known vulnerabilities and scans target networks for these weaknesses. The results can be voluminous and difficult to assess. Thus, the ... -
Network defense-in-depth: evaluating host-based intrusion detection systems
Yun, Ronald E. (2001-06);As networks grow, their vulnerability to attack increases. DoD networks represent a rich target for a variety of attackers. The number and sophistication of attacks continue to increase as more vulnerabilities and the tools ... -
In Search of the Real Network Science, An Interview with David Alderson
Alderson, David; Ubiquity Staff (Association for Computing Machinery (ACM), 2009-08);Since Duncan Watts and Steve Strogatz published “Collective Dynamics of Small-World Networks” in Nature in 1998, there has been an explosion of interest in mathematical models of large networks, leading to numerous research ...