Mathematical Problems in Engineering

Volume 2018, Article ID 4278632, 13 pages

https://doi.org/10.1155/2018/4278632

## New Insights into Approaches to Evaluating Intention and Path for Network Multistep Attacks

^{1}Information Science and Technology Institute, Zhengzhou 450001, China

^{2}Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China

^{3}Henan Key Laboratory of Information Security, Zhengzhou 450001, China

^{4}National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450001, China

Correspondence should be addressed to Yuling Liu; nc.ca.sacsi.act@uilly

Received 16 November 2017; Revised 22 April 2018; Accepted 26 April 2018; Published 10 July 2018

Academic Editor: Ivan Giorgio

Copyright © 2018 Hao Hu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The attack graph (AG) is an abstraction technique that reveals the ways an attacker can use to leverage vulnerabilities in a given network to violate security policies. The analyses developed to extract security-relevant properties are referred to as AG-based security evaluations. In recent years, many evaluation approaches have been explored. However, they are generally limited to the attacker’s “monotonicity” assumption, which needs further improvements to overcome the limitation. To address this issue, the stochastic mathematical model called absorbing Markov chain (AMC) is applied over the AG to give some new insights, namely, the expected success probability of attack intention (EAIP) and the expected attack path length (EAPL). Our evaluations provide the preferred mitigating target hosts and the vulnerabilities patching prioritization of middle hosts. Tests on the public datasets DARPA2000 and Defcon’s CTF23 both verify that our evaluations are available and reliable.

#### 1. Introduction

Today’s information systems face sophisticated hackers who combine multiple vulnerabilities to penetrate networks with devastating impact. Most network attacks are not single attack actions. They are multistage, multihost attacks composed of a series of attack actions, which expose the network to huge threats and challenges. Attack intention and path evaluations aim to model and measure the security-related properties of a hacker breaching the enterprise network from the attacker’s perspective, which allows the administrator to quantitatively estimate the overall resilience of network systems against attacks.

As a nice tool for modeling multistep attacks, attack graph (AG) [1] represents possible ways in which a potential attacker can break into the target network by exploiting a series of vulnerabilities on various network hosts. When using AG-based metrics, one can analyze security-relevant properties of a network. In particular, evaluations of attack intention and path aim to analyze the vulnerability exploiting relationship among the network nodes in the AG. From the attacker’s perspective, we analyze possible attack paths, identify potential attack intention, and provide an indication of critical attack paths as well as the associated weakest vulnerability links. The estimations offer constructive guidance on security reinforcement and proactive defense.

The present AG-based security metrics are commonly developed on the basis of the “monotonicity” assumption about attackers, which was first proposed at the 2002 ACM Conference on Computer and Communications Security (CCS) [2]. They assume that the attacker never has to backtrack during the network penetration and that each node appears exactly once in any attack path. However, this ideal attack scenario may not be the real scenario launched by the attacker. We recognize that networks commonly have many host interconnections, and network privileges can be obtained in many ways, which leads to cycles in an AG. While it is possible to “unfold” the attack graph into an acyclic representation, the approach is impractical because the dramatic increase in the size of the graph structure will likely make path computation inefficient. To address this issue, we model the complete AG as an absorbing Markov chain (AMC) for expressing multistep attacks, so that we can handle the cycles, and give new insights into measuring intention and path based on this model. This puts the metrics on a sounder scientific footing. More specifically, we give new insights into evaluations over cyclic attack graphs that release the “monotonicity” assumption, with two major highlights as follows:

(i) The expected success probabilities of attack intentions (EAIPs) for the attacker to compromise different attack intention nodes are estimated.

(ii) The expected attack path lengths (EAPLs) that the attacker needs to breach different attack intention nodes from different initial state nodes are calculated.

The former enables a manager to determine the prioritization of vulnerability patching regarding different attack intention hosts. The latter can be devoted to giving a better understanding concerning the counter steps the attacker needs to breach the goal and can further optimize the necessary steps to harden the enterprise network from external threats as well.

The rest of this paper is organized as follows. Section 2 describes related works, which include analysis of attack intention and path evaluations, respectively. Section 3 contains a detailed presentation of the preliminaries about this paper. In addition, the model of AMC-based AG is developed in Section 4. Section 5 performs deep analyses on metrics of attack intention and path using the probability inference over AMC, and two evaluation algorithms are proposed. Section 6 describes the experiments and analyses of the proposed algorithms on two public datasets. Finally, we conclude this paper in Section 7.

#### 2. Related Works

Network security evaluation may provide quantifiable evidence to assist security practitioners in securing computer networks, and it has received significant attention in recent years. For instance, Pendleton et al. [3] designed a security metrics framework. Behi et al. [4] provided a structure for the quantitation of network security and the prioritization of significant security metrics. In addition, Ramos et al. [5] presented a deep survey of the state-of-the-art of existing model-based security metrics from the aspects of classifications, advantages/disadvantages, characteristics, and open research issues.

Recent works mostly focus on the usage of AG for security metrics and monitoring, which makes it easier for administrators to directly understand the attacking process. In the AG, attack paths are described by using nodes and edges to represent vulnerabilities and exploits, respectively. For attack graph-based security metrics, Kantar et al. [1] made a systematic study of potential challenges and open issues of AG. One important line of work related to AG focuses on modeling and core building issues, in particular solving the scalability problem of AG generation. A large number of commercial automatic builders have been designed and are commonly used in large-scale attacks. These automatic builders extended the limited capability of manual construction, which is tedious, error-prone, and impractical for attack graphs when the enterprise network has a large number of nodes. With the gradual development of AG construction technology, the application of AG to the measurement of attack intentions and paths has attracted scholars’ extensive attention.

For attack intention evaluation, intention recognition is the process of deducing an invader’s ultimate goal from observed actions. The rapid development of network technologies has helped network attackers to hide their malicious intentions. The conventional Intrusion Prevention System (IPS) is capable of analyzing the actions of an attacker. However, an IPS cannot infer intentions and predict a series of exploits. To improve the intelligence level of IPS, Cai et al. [6] constructed an intrusion prevention method based on the Weighed Planning Knowledge Graph (WPKG), which is essentially an acyclic graph. Based on alert observations, Zhu et al. [7] identified the attacker’s intention using alert correlation technology. However, it fails to reduce false positive alerts. Noel et al. [8] built a predictive model of possible attack paths and critical vulnerabilities, correlating alerts to known vulnerability paths. The model suggested the best courses of action for responding to attacks. Ahmed et al. [9] analyzed attack types and classified them according to their malicious intentions, further used similarity metrics to recognize attacker plans, and predicted their intentions. Considering that attack likelihoods are propagated through the attack graph, the probabilistic AG was proposed by Ou et al. [10] to calculate the cumulative probability of attack steps in the acyclic graph. Due to the drawback of static analysis in the above methods, Nayot et al. [11] used the dynamic Bayesian Attack Graph (BAG) to represent the causal relationships between preconditions, vulnerability exploits, and postconditions. Its superiority is that the proposed approach can dynamically revise the likelihood of compromising an intention by encoding the attack events into the BAG. Besides, Ghasemigol et al. [12] introduced a comprehensive approach that can predict future attacks with higher precision and dynamically adapt to changes in the environment.

Through the above analysis, many works have investigated various aspects such as alert correlation, cumulative probability, evidence theory, and Bayesian inference. Although the above reports made significant progress in security metrics using attack graphs, the major limitation is that they do not allow cycles in attack graphs. Moreover, existing research focuses on analyzing attackers with just one attack intention. Few investigations have addressed sophisticated scenarios with multiple attack intentions. How to quantify the reachable probabilities of different attack intentions, and further rank all intentions to find the preferred attack intention, remains an essential question.

For attack path evaluation, nodes and edges in the AG describe vulnerabilities and their exploits, respectively. Path evaluation aims to analyze the vulnerability exploit relationship among the network nodes. Ritchey et al. [13] developed a mathematical model to determine whether an intention state is reachable from the initial state. To identify the path of a one-day attack, Sun et al. [14] described a prototype system called ZePro that generates the path by taking a probabilistic approach using a Bayesian network. Wang et al. [15] described a novel security metric for zero-day attacks by counting how many such vulnerabilities are required for compromising network assets. A modified version of the Floyd–Warshall and Dijkstra algorithms was proposed by Sarraute et al. [16] to compute the shortest attack path. To explore a fast and accurate solution for finding a potentially vulnerable path in the network, Wang et al. [17] used the augmented road algorithm to find the optimal attack path among the global paths. To integrate the above security metrics, Idika et al. [18] presented a suite of AG-based security metrics, for instance the normalized mean of path lengths, the median of path lengths, the mode of path lengths, and the standard deviation of path lengths. The advantage is that multidimensional measurements of attack paths are achieved. Overall, the above investigations mainly focused on path metrics under the ideal attack scenario.

While the above achievements on evaluations of intention and path are abundant and useful, most of them overlook one major issue. Major existing metrics rely on the “monotonicity” assumption, which means that an attacker never needs to relinquish any obtained capability. The assumption of “monotonicity” means that an attacker never has to backtrack, which improves the scalability of the AG but only reflects the ideal attack scenario. Bopche et al. [19] reported that ideal security metrics such as the shortest path and the number of paths cannot accurately reflect the security strength of the network. Ammann et al. [2] also explained that “there are certain attacks where monotonicity does not strictly hold”.

Under this assumption, all attack scenarios can be modeled as ideal acyclic graphs. However, real-world attackers may not be familiar with the given network topology. We recognize that networks generally have many host interconnections, and network privileges can be obtained in many ways, leading to cycles in the AG. When calculating the path length, existing reports omit the repeated appearances of nodes in the path. In contrast, in a realistic attack scenario the action of vulnerability exploitation truly happens even if the attempt fails. Hence, the estimate of path length in the realistic scenario may be greater.

To accurately estimate the attacker’s intention and measure the path length, in this paper we borrow the stochastic mathematical model AMC [20] and apply it from the attacker’s perspective. AMC has been widely used in economics and is capable of analyzing the underlying rules of state transition behaviors. Inspired by this, we recognize that multistep and multihost attacks can also be modeled and analyzed using AMC. We analyze the propagation of probabilities along attack paths in the AMC and obtain a suite of metrics. In detail, we first use the automatic tool Multihost Multistage Vulnerability Analysis (MulVAL) [21] to generate the logical AG. Then, we design a normalization algorithm for the state transition probabilities and prove that any complete AG can be converted to an AMC. In addition, following the inference process of AMC, we design the relevant matrices *B* and *T* for calculating EAIP and EAPL, respectively. Additionally, we present two evaluation algorithms, which provide new insights into the security metrics EAIP and EAPL. Finally, we test our algorithms on the CTF and DARPA datasets.
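As an added illustration (not the paper’s own code), the following runs the standard absorbing-Markov-chain inference that the matrices *B* and *T* above rely on over a small constructed cyclic attack graph. It assumes the textbook fundamental-matrix formulas N = (I − Q)^{-1}, B = N·R and t = N·1, and uses constructed transition probabilities rather than the paper’s normalization algorithm.

```python
# Added example (not from the paper): AMC inference over a cyclic attack graph.
# Assumes the standard fundamental-matrix formulation N = (I - Q)^-1, B = N R,
# t = N 1; the paper's own probability normalization is not reproduced here.
from fractions import Fraction as F

# Constructed cyclic attack graph. Transient states: attacker's initial host (s0),
# web server (s1), database server (s2); the s1 <-> s2 edges form a cycle, which a
# "monotonic" acyclic AG could not represent. Absorbing states are the attack
# intentions: g1 (data theft via s2) and g2 (a second intention reachable from s1).
TRANSIENT = ["s0", "s1", "s2"]
INTENTIONS = ["g1", "g2"]
# Q: transient -> transient transition probabilities (constructed values).
Q = [[F(0), F(1), F(0)],
     [F(0), F(0), F(1, 2)],
     [F(0), F(2, 5), F(0)]]
# R: transient -> intention transition probabilities; each row of [Q | R] sums to 1.
R = [[F(0), F(0)],
     [F(0), F(1, 2)],
     [F(3, 5), F(0)]]

def invert(m):
    """Gauss-Jordan inversion over exact fractions (m square and non-singular)."""
    n = len(m)
    a = [row[:] + [F(int(i == j)) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next(r for r in range(c, n) if a[r][c] != 0)   # pivot row
        a[c], a[p] = a[p], a[c]
        piv = a[c][c]
        a[c] = [x / piv for x in a[c]]
        for r in range(n):
            if r != c and a[r][c] != 0:
                f = a[r][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def fundamental_matrix(q):
    """N = (I - Q)^-1: expected visits to each transient state before absorption."""
    n = len(q)
    return invert([[F(int(i == j)) - q[i][j] for j in range(n)] for i in range(n)])

def eaip(q, r):
    """B = N R: probability that a walk from each start state ends in each intention."""
    n = fundamental_matrix(q)
    return [[sum(n[i][k] * r[k][j] for k in range(len(q))) for j in range(len(r[0]))]
            for i in range(len(q))]

def eapl(q):
    """t = N 1: expected number of exploit steps before reaching any intention."""
    return [sum(row) for row in fundamental_matrix(q)]

if __name__ == "__main__":
    for s, probs, steps in zip(TRANSIENT, eaip(Q, R), eapl(Q)):
        print(s, {g: float(p) for g, p in zip(INTENTIONS, probs)}, "EAPL =", float(steps))
```

Because revisits around the s1/s2 cycle are counted, the EAPL from s0 (2.875 steps) exceeds the shortest acyclic path length of 2, which is the effect the paper argues monotonic metrics miss.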

#### 3. Preliminaries

Table 1 summarizes the primary symbols in this paper.