Identifying Critical Attack Assets inDependency Attack Graphs

摘要

Attack graphs have been proposed as useful tools for analyz-ing security vulnerabilities in network systems. Even when they are pro-duced efficiently, the size and complexity of attack graphs often preventa human from fully comprehending the information conveyed. A distil-lation of this overwhelming amount of information is crucial to aid net-work administrators in efficiently allocating scarce human and financialresources. This paper introduces AssetRank, a generalization of GooglesPageRank algorithm which ranks web pages in web graphs. AssetRankaddresses the unique semantics of dependency attack graphs and incor-porates vulnerability data from public databases to compute metrics forthe graph vertices (representing attacker privileges and vulnerabilities)which reveal their importance in attacks against the system. The resultsof applying the algorithm on a number of network scenarios show thatthe numeric ranks computed are consistent with the intuitive importancethat the privileges and vulnerabilities have to an attacker. The vertexranks can be used to prioritize countermeasures, help a human readerto better comprehend security problems, and provide input to furthersecurity analysis tools.