Risk Assessment using Network Hardening Attack Graphs

Student Name
Student ID #1234567
INSE 6320 Course Project

ABSTRACT

Attack graphs provide analytical support to prevent multistep network attacks by showing all possible sequences of vulnerabilities and their interactions. Since attack graphs generally consist of a very large number of nodes, it is difficult to analyze them and find solution(s) to harden a network against such attacks. That is why a solution to harden a network must make use of a critical set of attacks that can be analyzed by the network administrator and in turn disabled to accomplish the task of hardening the network. In this paper, we present a risk assessment using this technique. First, we describe attack graphs and define the network hardening problem, how it can be approached using a minimum-cost network hardening algorithm, and how all of this applies to our risk assessment analysis.

Keywords
Attack Graphs, Network Hardening, Risk Assessment.

1. INTRODUCTION
Among the different goals of establishing a network security protocol, the foremost is to protect critical computer systems of utmost importance. Information Technology (IT) has become a cornerstone of our current society, mainly because our IT systems manage many of our day-to-day systems as well as critical resources. It is because of this reliance on IT systems to manage our critical resources and data that a rising need to secure them has motivated research in the IT security field. While many real-world options to secure our IT resources exist, like intrusion detection systems (IDS) and vulnerability scanners, they usually are not enough; these need to be constantly revised, since the attackers are experienced opponents, always one step ahead of the efforts of the people that deal with security. Many of the approaches being pursued to achieve a secure network are focused on providing a network hardening model by using attack graphs. There is currently a rising need to come up with a solution that could generate a feasible hardening solution and rank it based on costs. The reason for this is mainly that our current methods, even though they are very good at detecting threats, are not good enough to detect the attacks that experienced opponents can perform. These attacks normally take the form of concatenated independent attacks that achieve the attacker's goals and are not always evident from the alert systems.

In this paper, we present an overview of how we can apply risk assessment tools to the network hardening solution with a minimum cost requirement by using attack graphs. Attack graphs help us gather information to understand what attack steps an opponent may take, since they show the possible scenarios where we can find vulnerabilities and their conditions [1]. In other words, attack graphs reveal all potential threats against networks by showing all possible attack paths. Attack graphs can be useful tools to extract recommendations in order to harden network nodes against inherent vulnerabilities [2-3]. Section 2 introduces essential background for attack graphs and network hardening. An example of how to implement risk analysis in our attack graph model is discussed in Section 3. Section 4 discusses comparisons between our analysis and what has been implemented in previous papers, and finally Section 5 concludes the paper.

2. BACKGROUND: ATTACK GRAPHS AND NETWORK HARDENING
The attempts of an attacker to intrude into the network are normally represented in these attack graphs. These attempts are depicted through a directed graph between exploits and security conditions [3]. The exploits are a relationship between a source host, a destination host, and sometimes an intermediate host. The conditions are another relationship between a source host and a destination host, or just a relationship where only the source host is considered. This relationship is elaborated in Figure 1, where V represents exploits and C represents conditions.

Figure 1. Relationship between conditions and vulnerabilities

Attack graphs also perform the function of assessing the probable damage incurred in a given system by finding probable attacks and correlating intrusion alerts to attack scenarios. There are two types of attack graphs that are generally used in network protection: state-based attack graphs and compact or exploit-based attack graphs. In this paper we will focus on the former. In this type of attack graph, the nodes represent a state of the network and show each step of an attack explicitly [14]. In a compact attack graph, nodes correspond to exploits or security conditions, which are preconditions or postconditions of vulnerabilities. This type of representation of an attack path has polynomial complexity in terms of the total number of vulnerabilities and security conditions [4].

Attack graphs have also been used to estimate how conditional probabilities can be used to calculate the likelihood of attacks [7-9]. By using this approximation, the authors in [8, 9] were able to assign probabilities to the vulnerabilities by using standardization efforts on security metrics like the Common Vulnerability Scoring System (CVSS) or the Common Weakness Scoring System (CWSS). While Wang uses Bayesian networks to model static attack graphs, Frigault [9] goes a bit further in the research by proposing the same approximation that Wang uses in [8] while considering the changes in the probabilities of vulnerabilities based on the changes in the conditions.
As mentioned before, one of the advantages of using attack graphs over other methods is that they allow us to express the preconditions and postconditions of an attack path in a graphical way. They take as inputs known vulnerabilities, the initial capabilities of the attacker, and the connectivity between hosts, to be used as states in the graph. The vulnerabilities that are used as inputs usually come from knowledge of the domain, normally from experts that already have some experience with these vulnerabilities; in other cases, they can also be obtained from a public database. The same idea applies to the initial capabilities of the attacker. The connectivity between hosts is usually taken from the vulnerability information between hosts that is normally obtained from network scanning tools. These states, by means of different exploits, will lead to other states following the same idea of conditions.

Another advantage of using attack graphs is that the states we defined in the previous paragraph can be used as inputs to a model checker that will generate different attack paths. The model checker provides a counterexample for a particular selected attack path, which gives the information on how an attacker can achieve a particular goal state based on the input given. This sequence of exploits provides some knowledge of the potential attacks that must be avoided to secure the network.

One important consideration to take into account when analyzing attack graphs is the monotonicity assumption that was proposed by [3]. This assumption states that once an attacker has obtained a privilege, he will not let go of this privilege, or any other previously obtained privilege, no matter what exploits he may perform. Using this assumption, the complexity of the attack graph goes from being exponential to polynomial in the number of hosts.

Before we proceed any further, we must also take a look at what risk management is. Risk management is the total process of identifying, measuring, and minimizing the uncertain events that can affect resources. This definition also implies the process of bringing management (remedial action) and control into the risk analysis. A basic ingredient of risk assessment and analysis is the concept of vulnerability. A vulnerability is a weakness in any information system, system security procedure, internal controls, or implementation that an attacker could exploit. It can also be a weakness in a system, such as a coding bug or design flaw. An attack occurs when an attacker with a reason to strike takes advantage of a vulnerability to threaten an asset. The second most important ingredient in risk assessment is the concept of a threat, which is any circumstance or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, or denial of service. Similarly, a threat to a system is a potential event that will have an unwelcome consequence if it becomes an attack on an asset.

3. RISK ANALYSIS USING ATTACK GRAPHS
3.1 Fault trees and Block Diagrams
In this section, a well-known network example in the study of attack graphs [4] is used to illustrate the risk analysis approximation using attack graphs and the minimum network hardening algorithm described by Wang et al. There are 3 machines on this network: one attacker, host 0, and two victims (a file server, host 1, and a database server, host 2). The file server offers the file transfer protocol (ftp) service, the secure shell (ssh) service, and the remote shell (rsh) service. The database server offers the ftp and rsh services. There is a firewall that allows ftp, ssh, and rsh traffic from a user workstation to both servers, and blocks all other traffic. The attack graph used for this example is shown in Figure 2; the square text items represent security conditions while rounded boxes represent exploits. The two numbers inside parentheses denote the source and destination host, respectively.

Figure 2. Attack Graph used in this paper

In the attack graph we can observe these attack paths, the meaning of which is self-explanatory:

1. sshd_bof(0,1) ftp_rhosts(1,2) rsh(1,2) local_bof(2)
2. ftp_rhosts(0,1) rsh(0,1) ftp_rhosts(1,2) rsh(1,2) local_bof(2)
3. ftp_rhosts(0,2) rsh(0,2) local_bof(2)

More details can be found in [6].

There are four exploits and seven initial conditions in the attack graph. Table 1 shows the success probability of each exploit. Following the operation of the procedure Network_Hardening that is explained in [5], we will determine the fault tree of this network. This procedure is a backward algorithm that starts at the goal node of the attack tree and works its way up to the initial conditions of the network, establishing the relationship between them in Disjunctive Normal Form (DNF). In this particular case, the algorithm gives us the following solution: Goal = ftp(0,2) ∨ (ftp(1,2) ∧ (ftp(0,1) ∨ sshd(0,1))). This can easily be put in terms of fault trees; Figure 3 represents this, while Figure 4 represents the block diagram. From this analysis we can determine the reliability of this particular system.

Table 1. Exploits in the sample network.

Exploit      Probability
ftp_rhosts   0.8
rsh          0.8
local_bof    0.5
sshd_bof     0.7
Since we have, in Table 1, the success probabilities that an attack can be executed, we can correlate these to the failure probabilities of our system. Since the backward algorithm shows us how to reach a goal state based on initial conditions, and our exploits show us how likely each exploit is to occur, it is easy to see the correlation between the probability of an exploit and its corresponding initial condition.

Figure 3. Fault tree of the System

Therefore, the reliability of this particular system is given by the following formula: Rs(t) = 1 − Fs(t), where Rs(t) is the reliability of the system and Fs(t) is its failure probability. Fs(t) is given by the relationship Fs(t) = 1 − (1 − P(ftp(0,2)))·(1 − FE1). FE1 is given by the relationship FE1 = P(ftp(1,2))·FE2, where FE2 = P(ftp(0,1))·P(sshd(0,1)). Thus, the complete reliability of the system is given by Rs(t) = 1 − [1 − (1 − P(ftp(0,2)))·(1 − P(ftp(1,2))·P(ftp(0,1))·P(sshd(0,1)))] = 0.5584. That is, this system has a 55.84% reliability that it will survive a malicious attack using the identified vulnerabilities.

Figure 4. Block diagram of the System

3.2 Bayesian Network
In this model, the estimated cost of recovering from a database breach (Incident) is $20,000 (standard deviation $2,000). Each network configuration has an associated likelihood of a breach occurring, with a corresponding multiplicative reduction (from the full $20,000) in expected loss. The estimated cost for implementing firewall changes is $1,000 (standard deviation $100). So the question is whether the firewall implementation costs are justified in terms of reduced risk (expected loss), versus simply making no change to the network.

As mentioned in the previous section, the attack graph approximation helps us figure out the paths that an attacker can take in order to compromise a system. From the example provided we were able to notice that there are three different paths that a potential adversary might take. Hardening against these 3 paths comes down to disabling either both ftp(0,2) and ftp(1,2) (effectively blocking the RSH service on the network), or the three conditions ftp(0,2), ftp(0,1), and sshd(0,1) (effectively blocking the SSH service on the network).

In Figure 5, we have the Bayesian net of the associated vulnerabilities that are on this network. The model input probabilities represent the inherent chance of each exploit occurring, independent of other exploits. For example, these could be relative frequencies of events observed on a network over a period of time. Or, they could be taken from a product such as Symantec DeepSight. In this particular case, we are taking the values that were previously mentioned in Table 1.

In Figure 5 we can also see the attack graphs resulting from not blocking ssh (left side) or rsh traffic (right side) from the workstation to the file server. In other words, for each network hardening choice, a particular set of attack paths still remains. The cumulative likelihood of each blocking option is given by the conjunctive or disjunctive combination of the probabilities of each of the vulnerabilities. Since local_bof(2) yields the overall goal for this attack scenario (compromise of the database server), the likelihood of local_bof(2) occurring is the overall attack graph metric. That being said, we can calculate the probabilities of blocking ssh, blocking rsh, and making no changes to the network. The probability of a successful attack when blocking ssh is given by P(block_ssh) = [P(ftp_rhosts)·P(rsh)·P(ftp_rhosts)·P(rsh) + P(ftp_rhosts)·P(rsh) − P(ftp_rhosts)·P(rsh)·P(ftp_rhosts)·P(rsh)·P(ftp_rhosts)·P(rsh)]·P(local_bof) = 0.3937. The probability of a successful attack when blocking rsh is given by P(block_rsh) = [P(sshd_bof)·P(ftp_rhosts)·P(rsh) + P(ftp_rhosts)·P(rsh) − P(sshd_bof)·P(ftp_rhosts)·P(rsh)·P(ftp_rhosts)·P(rsh)]·P(local_bof) = 0.4006. In a similar way, using Figure 5, we can determine that the success probability that an attacker can reach the goal node when no changes have been made to the network is 0.4484.

Figure 5. Bayesian Network of the vulnerabilities found on the system

Figure 6. Influence diagram for our network
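The following is an added example, not code from the paper or from the Network_Hardening procedure of [5]. It encodes the Figure 2 graph as data (the figure itself is not reproduced on this page, so the pre- and postconditions listed for each exploit are an assumption), runs the backward pass of Section 3.1 to obtain the attack paths and the DNF hardening solution, and then performs, for all three hardening options, the inclusion-exclusion over the surviving paths that the P(block_ssh) and P(block_rsh) formulas of Section 3.2 carry out by hand. The two blocking values reproduce the page's 0.3937 and 0.4006; for the no-change case the same computation gives 0.4228 rather than the 0.4484 the text reads from Figure 5, because the exploits ftp_rhosts(1,2) and rsh(1,2) shared by paths 1 and 2 are counted once.

```python
"""Attack graph of Sections 3.1/3.2: backward DNF hardening analysis and
success probability per hardening option (added example, not the paper's)."""
from itertools import combinations, product

# Constructed encoding of the Figure 2 graph (an assumption; the figure is
# not on the page). Each exploit maps to
# (preconditions, postcondition, success probability from Table 1).
EXPLOITS = {
    "sshd_bof(0,1)":   ({"user(0)", "sshd(0,1)"},  "user(1)",    0.7),
    "ftp_rhosts(0,1)": ({"user(0)", "ftp(0,1)"},   "trust(1,0)", 0.8),
    "rsh(0,1)":        ({"user(0)", "trust(1,0)"}, "user(1)",    0.8),
    "ftp_rhosts(0,2)": ({"user(0)", "ftp(0,2)"},   "trust(2,0)", 0.8),
    "rsh(0,2)":        ({"user(0)", "trust(2,0)"}, "user(2)",    0.8),
    "ftp_rhosts(1,2)": ({"user(1)", "ftp(1,2)"},   "trust(2,1)", 0.8),
    "rsh(1,2)":        ({"user(1)", "trust(2,1)"}, "user(2)",    0.8),
    "local_bof(2)":    ({"user(2)"},               "root(2)",    0.5),
}
INITIAL = {"user(0)", "sshd(0,1)", "ftp(0,1)", "ftp(0,2)", "ftp(1,2)"}
HARDENABLE = INITIAL - {"user(0)"}   # the attacker's own foothold stays
GOAL = "root(2)"


def _minimal(terms):
    """Absorption: drop any term that is a strict superset of another."""
    return {t for t in terms if not any(o < t for o in terms)}


def _producers(cond, exploits):
    return [e for e, (_, post, _) in exploits.items() if post == cond]


def attack_terms(goal=GOAL, exploits=EXPLOITS, initial=INITIAL, _path=frozenset()):
    """Backward pass: every minimal way to reach `goal`, each as a frozenset of
    the exploits fired plus the initial conditions used. A condition already on
    the current path is skipped: under the monotonicity assumption a cycle adds
    no new way to reach it."""
    if goal in initial:
        return {frozenset([goal])}
    if goal in _path:
        return set()
    terms = set()
    for e in _producers(goal, exploits):
        subs = [attack_terms(c, exploits, initial, _path | {goal})
                for c in exploits[e][0]]
        if all(subs):                        # every precondition reachable
            for combo in product(*subs):     # AND across the preconditions
                terms.add(frozenset([e]).union(*combo))
    return _minimal(terms)


def hardening_dnf(terms, hardenable=HARDENABLE):
    """Project the attack terms onto hardenable initial conditions: the DNF
    the paper writes as ftp(0,2) v (ftp(1,2) ^ (ftp(0,1) v sshd(0,1)))."""
    return _minimal({t & hardenable for t in terms})


def hardening_options(terms, hardenable=HARDENABLE):
    """Minimal sets of conditions to disable so that no term survives
    (minimal hitting sets of the hardening DNF)."""
    dnf = hardening_dnf(terms, hardenable)
    if any(not t for t in dnf):
        return set()                         # a path needs nothing hardenable
    hits = {frozenset()}
    for t in dnf:
        hits = {h | {c} for h in hits for c in t}
    return _minimal(hits)


def attack_probability(terms, disabled=frozenset(), exploits=EXPLOITS):
    """P(goal reached) with independent exploit successes: inclusion-exclusion
    over the surviving terms, so an exploit shared by two paths is counted
    once. `disabled` names exploits or conditions a hardening choice removes."""
    live = [frozenset(x for x in t if x in exploits)
            for t in terms if not (t & frozenset(disabled))]
    total = 0.0
    for k in range(1, len(live) + 1):
        for combo in combinations(live, k):
            p = 1.0
            for e in frozenset().union(*combo):
                p *= exploits[e][2]
            total += (-1) ** (k + 1) * p
    return total


def scenario_probabilities():
    """The three options of Section 3.2: blocking ssh removes sshd_bof(0,1);
    blocking rsh from the workstation to the file server removes rsh(0,1)."""
    terms = attack_terms()
    return {
        "no change": attack_probability(terms),
        "block ssh": attack_probability(terms, {"sshd_bof(0,1)"}),
        "block rsh": attack_probability(terms, {"rsh(0,1)"}),
    }


if __name__ == "__main__":
    terms = attack_terms()
    for option in hardening_options(terms):
        print("disable:", sorted(option))
    for name, p in scenario_probabilities().items():
        print(f"{name}: P(root(2)) = {p:.4f}")
```

Disabling a whole hardening option, for instance {ftp(0,2), ftp(1,2)}, drives the probability to zero, which is the check worth running before paying for a firewall change; disabling only one of the two partial options leaves a residual probability that feeds the payoff table of Section 3.3.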

3.3 Decision Analysis
Table 2 shows the payoff table of the projected investment, with its corresponding probabilities (value written in parentheses), that the network administrator must take into consideration when analyzing the hardening problem of his network. The best selection of vulnerability remedial action depends on the investment (in this case, it could also be considered as a cost) that the network administrator must make in order to better solve the network hardening problem. Figure 6 presents this idea in the form of an influence diagram. Once we have this information, we proceed to the construction of the decision tree to perform the analysis.

Table 2. Payoff Table

Figure 7. Decision Tree

Table 3. Payoff table used to find the value for the optimistic and conservative approach in the decision analysis

3.3.1 Optimal, Conservative and Minimax approach
We start by defining the influence diagram for this particular network hardening problem. This is represented in Figure 7. We then define what the decision alternatives are. There are 3 in this particular example, and they represent the vulnerability remedial options for the network as analyzed in the previous section. These are basically to block the ssh service (d1), to block the rsh service (d2), and to perform no change at all on the system (d3). By the same token, we have two states of nature based on the assumptions that we specified at the beginning of this section. They basically deal with the associated cost of implementing firewall rules that can counter the attacks (s1 on Figure 6, "firewall") and of fixing the database server if an attack has successfully been performed (s2 on Figure 6, "database").

From the information gathered thus far we can begin a decision analysis for this problem. The Optimistic approach searches for the investment with the least cost among the minimum costs; that is, it would recommend going for the decision where no vulnerability remedial action is taken (the one where we invest $0). Based on the Conservative approach, we would pick the option that, among the worst investment options, gives us the least cost. In this case, this option would yield a different decision, as it would make us choose to block the ssh service from the network (given by the $17,000). Table 3 summarizes how these decisions were taken.

Finally, using the minimax approach, the vulnerability remedial measure would be to block the rsh service from the network.

Table 4. Payoff table and regret table for the minimax decision analysis

Table 4 shows us the payoff table as well as the regret table that comes from it. From there we can see that by taking the minimum of the maximum regrets, this value yields $2,000, which corresponds to the second decision.

3.4 Expected Value Analysis
As we can see, the 3 different methods yield three different recommendations. Because of this, using the expected value analysis we can narrow down our selection even further. Figure 8 is a representation of our decision tree from Figure 7, but considering the expected values for each one of the decisions from the tree.

Figure 8. Decision tree after computing the expected values at chance nodes 2 to 4

Using the expected value approach, we can see that our last recommendation using the minimax approach also holds true. From here we can see that it is by blocking the rsh service that we get the best expected return for hardening the network from the 3. Since it provides us with the expected investment of all three, we can see that EV(d1) (block the rsh service) = 8409.6 is the best one (lowest cost of investment); followed by blocking the ssh service (EV(d2) = 8511.8), and finally (as is to be expected), the one that provides the worst expected value would be to perform no changes on the network at all (EV = 8968), since it would imply taking head-on an attack from an attacker. Figure 9 shows the risk profile for our recommended decision to choose decision 2 (disable the rsh service) over the other 2.

Figure 9. Risk profile for decision 2 (disable the rsh service)

Frequently, information is available which can improve the probability estimates for the states of nature. That is why we use the expected value of perfect information (EVPI). This is basically the increase in the expected profit that could result if we knew with certainty which state of nature would occur. With this, we can calculate EVPI as the absolute value of the difference between the expected value with perfect information (EVwPI) and the expected value without perfect information (EVwoPI).

Calculating the EVwPI is just the sum of the best values multiplied by their respective probabilities, which in this case would be given by EVwPI = $6,692.9. The EVwoPI is given by the best expected value of our choices, in this case decision 2: EV(d2) = $8,409.6. From these two values, we can calculate the EVPI. The result would give us EVPI = $1,716.7. This value provides us with an upper bound on the expected value of any survey information.

3.5 Sensitivity Analysis
Having done the decision tree analysis, we have to conclude that the best decision for this particular network would be to block the rsh service in order to avoid any unwanted attack. However, in order to see how sensitive this recommendation is to changing probability values, we will let p equal the probability that an attacker can get hold of our database server. In that way, Figure 10 provides us with an overview of how our investment, for each of the decision alternatives, would fluctuate based on the probability that an attacker will reach the goal.

Figure 10. Investment as a function of the probability of an attack for the 3 decision alternatives.

Since we are not interested in leaving the network unattended, our sensitivity analysis will be done between blocking the ssh service and blocking the rsh service. The equations that come out of this are: d1 = 3000(1 − p) + 17000p (for blocking rsh) and d2 = 2000(1 − p) + 18000p (for blocking ssh). From here, using sensitivity analysis, we can determine what the probability of blocking the rsh service would have to be in order to change our recommended decision alternative. Using these two equations, it is easy to see that the probability of blocking rsh should be 50% or more in order to change the recommended decision alternative. Figure 11 provides us with a graphical representation of how our investment would change based on these assumptions.
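The following is an added example, not the paper's own code, for the decision analysis of Sections 3.3 to 3.5. Table 2 is not reproduced on the page, so the payoff table below is reconstructed from the figures the text quotes: $3,000/$17,000 for blocking ssh, $2,000/$18,000 for blocking rsh, $0/$20,000 for no change, each paired with that decision's breach probability from Section 3.2 (an assumption about how Table 2 was laid out). With those inputs the functions return the page's recommendations (optimistic: no change; conservative: block ssh; minimax regret: block rsh with a $2,000 regret), the expected costs 8409.6, 8511.8 and 8968, EVwPI = 6692.9, EVPI = 1716.7, and the 50% break-even between the two firewall options.

```python
"""Decision analysis of Sections 3.3-3.5 (added example, not the paper's):
optimistic, conservative and minimax-regret choices, expected cost, EVPI and
the sensitivity break-even point."""

# Payoff table reconstructed from the figures quoted in the text (assumption:
# Table 2 itself is not on the page). Costs in dollars; for each decision:
# (cost if no breach, cost if breach, P(breach) under that decision).
DECISIONS = {
    "block ssh": (3000, 17000, 0.3937),
    "block rsh": (2000, 18000, 0.4006),
    "no change": (0, 20000, 0.4484),
}


def optimistic(table=DECISIONS):
    """Best of the best: the decision whose lowest possible cost is lowest."""
    return min(table, key=lambda d: min(table[d][:2]))


def conservative(table=DECISIONS):
    """Best of the worst: the decision whose highest possible cost is lowest."""
    return min(table, key=lambda d: max(table[d][:2]))


def regret_table(table=DECISIONS):
    """Regret = cost paid minus the best cost achievable in that state."""
    best = [min(t[i] for t in table.values()) for i in range(2)]
    return {d: (t[0] - best[0], t[1] - best[1]) for d, t in table.items()}


def minimax_regret(table=DECISIONS):
    """The decision whose worst-case regret is smallest."""
    reg = regret_table(table)
    return min(reg, key=lambda d: max(reg[d]))


def expected_cost(table=DECISIONS):
    """EV of each decision: its two costs weighted by its own breach probability."""
    return {d: c0 * (1 - p) + c1 * p for d, (c0, c1, p) in table.items()}


def evpi(table=DECISIONS):
    """EVwPI: the best cost in each state of nature, weighted by the probability
    of that state under the decision that achieves it (the page's reading);
    EVPI is the gap between EVwPI and the best expected cost without information."""
    ev = expected_cost(table)
    best_if_safe = min(table, key=lambda d: table[d][0])
    best_if_breach = min(table, key=lambda d: table[d][1])
    evwpi = (table[best_if_safe][0] * (1 - table[best_if_safe][2])
             + table[best_if_breach][1] * table[best_if_breach][2])
    return evwpi, abs(min(ev.values()) - evwpi)


def break_even(a, b):
    """Probability p at which two cost lines c0(1-p) + c1 p cross."""
    (a0, a1), (b0, b1) = a, b
    return (a0 - b0) / ((a0 - b0) - (a1 - b1))


def cheaper_at(p, table=DECISIONS, options=("block ssh", "block rsh")):
    """Which of two hardening options has the lower cost if P(breach) = p."""
    return min(options, key=lambda d: table[d][0] * (1 - p) + table[d][1] * p)


if __name__ == "__main__":
    print("optimistic:", optimistic(), "| conservative:", conservative(),
          "| minimax regret:", minimax_regret())
    for d, ev in expected_cost().items():
        print(f"EV({d}) = {ev:.1f}")
    print("EVwPI, EVPI =", evpi())
    print("break-even p =", break_even(DECISIONS["block ssh"][:2],
                                       DECISIONS["block rsh"][:2]))
```

The per-decision breach probability is what ties the decision analysis back to the attack graph: replacing the three probabilities with values from a different graph or a different Table 1 re-runs the whole recommendation, and cheaper_at shows on which side of the break-even the recommendation flips.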
Figure 11. Sensitivity analysis for our network

4. Comparison with attack graph analysis
From the attack graph analysis, we could see that the condition ftp(0,2) must be disabled in either case, and hence it can be ignored in considering relative costs. Since the condition sshd(0,1) can be disabled by patching the buffer overflow vulnerability in the sshd service, the cost may be relatively low. On the other hand, the conditions involving the ftp service incur more costs, because the ftp service is functioning properly and is simply used by the attacker in a clever way. Moreover, disabling ftp(0,2) may mean stopping the ftp service on host 2 to all external hosts, which may incur a higher cost than stopping the ftp service between the two internal hosts 1 and 2 (they may still exchange files via other services). Based on those assumptions, the first option has a lower cost than the second and thus should be chosen as the solution. That being said, since the ftp services should not be touched, we fall into the following question: block ssh or block rsh. Between the ssh service and the rsh service, the authors in [6] do provide enough evidence that the service whose blocking will minimize the network administrator's investment in securing his network is the rsh service.

5. Conclusions
From our analysis we could see that we can fully integrate risk assessment analysis into the ongoing research on network hardening attack graphs. From the risk analysis done in this paper we could see that the best recommended choice is to disable the rsh service. This falls in line with what the authors in [6], and to some extent the authors in [5], stated. We were able to verify that our assumptions and deductions were correct and fell in line with what the aforementioned works had stated, further showing that through decision tree and expected value analysis we can fully integrate risk analysis methods into network hardening attack graphs.

6. REFERENCES
[1] Ritchey, R.W. et al., Using model checking to analyze network vulnerabilities, Security and Privacy, 2000. Proceedings. 2000 IEEE Symposium on, pp. 156-165, 2000.
[2] Sheyner, O. et al., Automated generation and analysis of attack graphs, Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on, pp. 273-284, 2002.
[3] Ammann, P. et al., Scalable, graph-based network vulnerability analysis, Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 217-224, 2002.
[4] Noel, S. et al., Efficient minimum-cost network hardening via exploit dependency graphs, Computer Security Applications Conference, 2003. Proceedings. 19th Annual, pp. 86-95, 2003.
[5] Lingyu Wang et al., Minimum-cost network hardening using attack graphs, Computer Communications, Vol. 29, Issue 18, pp. 3812-3824, 2006.
[6] Noel, S. et al., Measuring Security Risk of Networks Using Attack Graphs, International Journal of Next-Generation Computing, Vol. 1, Issue 1, pp. 113-123, 2010.
[7] Frigault, M. and Lingyu Wang, Measuring Network Security Using Bayesian Network-Based Attack Graphs, Computer Software and Applications, 2008. COMPSAC '08. 32nd Annual IEEE International, pp. 698-703, 2008.
[8] Wang Lingyu et al., An Attack Graph-Based Probabilistic Security Metric, Data and Applications Security XXII, Lecture Notes in Computer Science, Vol. 5094, pp. 283-296, 2008.
[9] Frigault, M. et al., Measuring Network Security Using Dynamic Bayesian Network, Proceedings of the 4th ACM Workshop on Quality of Protection, pp. 23-30, 2008.
[10] Wang Lingyu et al., k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks, Computer Security ESORICS 2010, Lecture Notes in Computer Science, Vol. 6345, pp. 573-587, 2007.
[11] Verendel, Vilhelm, Quantified Security is a Weak Hypothesis, NSPW '09, Proceedings of the 2009 Workshop on New Security Paradigms, pp. 37-50, 2009.
[12] Cheng, P., Wang, L. et al., Aggregating CVSS Base Scores for Semantics-Rich Network Security Metrics, Reliable Distributed Systems (SRDS), 2012 IEEE 31st Symposium on, pp. 31-40, 2012.
[13] L. Wang, S. Jajodia, A. Singhal, P. Cheng, and S. Noel, k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities, IEEE Transactions on Dependable and Secure Computing, 2013.
[14] S. Jha, O. Sheyner, and J.M. Wing, Two Formal Analyses of Attack Graphs, in Proc. of the 15th Computer Security Foundations Workshop (CSFW'02), 2002, pp. 49-63.
[15] Bowman, M., Debray, S. K., and Peterson, L. L. 1993. Reasoning about naming systems. ACM Trans. Program. Lang. Syst. 15, 5 (Nov. 1993), 795-825. DOI= http://doi.acm.org/10.1145/161468.16147.
