Table of Contents Author Guidelines Submit a Manuscript
Mathematical Problems in Engineering
Volume 2018, Article ID 4278632, 13 pages
Research Article

New Insights into Approaches to Evaluating Intention and Path for Network Multistep Attacks

1Information Science and Technology Institute, Zhengzhou 450001, China
2Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
3Henan Key Laboratory of Information Security, Zhengzhou 450001, China
4National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450001, China

Correspondence should be addressed to Yuling Liu;

Received 16 November 2017; Revised 22 April 2018; Accepted 26 April 2018; Published 10 July 2018

Academic Editor: Ivan Giorgio

Copyright © 2018 Hao Hu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


The attack graph (AG) is an abstraction technique that reveals the ways an attacker can use to leverage vulnerabilities in a given network to violate security policies. The analyses developed to extract security-relevant properties are referred to as AG-based security evaluations. In recent years, many evaluation approaches have been explored. However, they are generally limited to the attacker’s “monotonicity” assumption, which needs further improvements to overcome the limitation. To address this issue, the stochastic mathematical model called absorbing Markov chain (AMC) is applied over the AG to give some new insights, namely, the expected success probability of attack intention (EAIP) and the expected attack path length (EAPL). Our evaluations provide the preferred mitigating target hosts and the vulnerabilities patching prioritization of middle hosts. Tests on the public datasets DARPA2000 and Defcon’s CTF23 both verify that our evaluations are available and reliable.

1. Introduction

Today’s information systems face sophisticated hackers who combine multiple vulnerabilities to penetrate networks with devastating impact. Most network attacks are not single attack actions. They are multistage, multihost attacks, which are composed of a series of attack actions, leading to the network security facing huge threats and challenges. Attack intention and path evaluations aim to model and measure the security-related properties of hacker breaching the enterprise network from the attacker’s perspective, which allows the administrator to quantitatively estimate the overall resilience of network systems against attacks

As a nice tool for modeling multistep attacks, attack graph (AG) [1] represents possible ways in which a potential attacker can break into the target network by exploiting a series of vulnerabilities on various network hosts. When using AG-based metrics, one can analyze security-relevant properties of a network. In particular, evaluations of attack intention and path aim to analyze the vulnerability exploiting relationship among the network nodes in the AG. From the attacker’s perspective, we analyze possible attack paths, identify potential attack intention, and provide an indication of critical attack paths as well as the associated weakest vulnerability links. The estimations offer constructive guidance on security reinforcement and proactive defense.

The present AG-based security metrics commonly developed based on the “monotonicity” assumption of attackers, which is firstly proposed in the 2002 ACM Conference on Computer and Communications Security (CCS) [2]. They assumed that the attackers never have to backtrack during the network penetration and each node appears exactly once in any attack path. However, the ideal attack scenario may not be the real scenario launched by the attacker. We recognize that networks commonly have many host interconnections and network privileges obtained in many ways, leading to cycles in an AG. While it is possible to “unfold” the attack graph into an acyclic representation, the approach is impractical because the dramatic increasing in the size of graph structure will likely make the path computing inefficient. To address this issue, we model the complete AG as the absorbing Markov chain (AMC) for expressing the multistep attacks so that we can handle the cycles, and give new insights into measuring intention and path based on this model. It improves the scientificity of metric. More specifically, we give new insights into evaluations towards cyclic attack graph releasing “monotonicity” assumption with two major highlights as follows:(i)The expected success probabilities of attack intentions (EAIPs) for the attacker to compromise different attack intention nodes are estimated.(ii)The expected attack path lengths (EAPLs) that the attacker needs to breach different attack intention nodes from different initial state node are calculated.

The former enables a manager to determine the prioritization of vulnerability patching regarding different attack intention hosts. The latter can be devoted to giving a better understanding concerning the counter steps the attacker needs to breach the goal and can further optimize the necessary steps to harden the enterprise network from external threats as well.

The rest of this paper is organized as follows. Section 2 describes related works, which include analysis of attack intention and path evaluations, respectively. Section 3 contains a detailed presentation of the preliminaries about this paper. In addition, the model of AMC-based AG is developed in Section 4. Section 5 performs deep analyses on metrics of attack intention and path using the probability inference over AMC, and two evaluation algorithms are proposed. Section 6 describes the experiments and analyses of the proposed algorithms on two public datasets. Finally, we conclude this paper in Section 7.

2. Related Works

Network security evaluation may provide quantifiable evidence to assist security practitioners in securing computer networks, which have received significant attention in recent years. For instance, Pendleton et al. [3] designed a security metrics framework. Behi et al. [4] provided a structure for quantitation of network security and prioritization of significant security metrics. In addition, Ramos et al. [5] presented a deep survey of the state-ofthe-art of existing model-based security metric from the aspects of classifications, advantages/disadvantages, characteristics, and open research issues.

Recent works mostly focus on the usage of AG for security metrics and monitoring, which makes it easier for administrators to directly understand the attacking process. In the AG, attack paths are described by using nodes and edges to represent vulnerabilities and exploits, respectively. For attack graph-based security metric, Kantar et al. [1] made a systematical study of potential challenges and open issues of AG. One of the important works related to AG focus on modeling and core building issues. They focus on solving the scalability problem for AG generation. A large number of commercially automatic builders were designed and commonly used in large-scale attacks. These automatic builders extended the limited capability for manual construction, which was tedious, error-prone, and impractical for attack graphs when the enterprise network has a large number of nodes. With the gradual development of construction technology of AG, the application of AG in the aspect of measurement of attack intentions and paths has attracted scholars’ extensive attention.

For attack intention evaluation, intention recognition is the process of deducing an invader’s ultimate goal from observed actions. The rapid development of network technologies has helped network attackers to hide their malicious intentions. The conventional Intrusion Prevention System (IPS) is capable of analyzing the actions of an attacker. However, IPS cannot infer intentions and predict a series of exploits. To improve the intelligence level of IPS, Cai et al. [6] constructed an intrusion prevention method based on Weighed Planning Knowledge Graph (WPKG), which is an acyclic graph essentially. Based on alert observations, Zhu et al. [7] identified the attacker’s intention using alert correlation technology. However, it fails to reduce false positive alerts. Noel et al. [8] built a predictive model of possible attack paths and critical vulnerabilities, correlating alerts to known vulnerability paths. The model suggested best courses of action for responding to attacks. Ahmed et al. [9] analyzed attack types and classified them according to their malicious intentions, further used similarity metrics to recognize attacker plans, and predicted their intentions. Concerning that attack likelihoods are propagated through the attack graph, the probabilistic AG is proposed by Ou et al. [10] to calculate the cumulative probability of attack steps in the acyclic graph. Due to the drawback of static analysis in the above methods, Nayot et al. [11] used the dynamic Bayesian Attack Graph (BAG) to represent the causal relationships between preconditions, vulnerability exploits, and postconditions. The superiority is that the proposed approach can dynamically revise the likelihood of compromising intention via encoding the attack events into BAG. Besides, Ghasemigol et al. [12] introduced a comprehensive approach that can predict future attacks with higher precision and dynamically adapt to changes in the environment.

Through the above analysis, many works have been investigated from various aspects such as alert correlation, cumulative probability, evidence theory, and Bayesian inference. Although the above reports made significant progress in security metric using attack graph, the major limitation is that they do not allow cycles in attack graphs. Moreover, existing researches focus on analyzing attackers with just one attack intention. Few investigations have been provided on sophisticated scenarios with multiple attack intentions. How to quantify the reachable probabilities of different attack intentions and further rank all intentions to find out the preferred attack intention is still essential.

For attack path evaluation, nodes and edges in the AG describe vulnerabilities and their exploits, respectively. Path evaluation aims to analyze the vulnerability exploit relationship among the network nodes. Ritchey et al. [13] developed a mathematics model to determine if an intention state is reachable from the initial state. To identify the path of one-day attack, Sun et al. [14] described a prototype system called ZePro to generate the path by taking a probabilistic approach using the Bayesian network. Wang et al. [15] described a novel security metric for zero-day attacks by counting how many such vulnerabilities are required for compromising network assets. A modified version of Floyd–Warshall and Dijkstra algorithm is proposed by Sarraute et al. [16] to compute the shortest attack path. To explore the fast and accurate solution of finding a potential vulnerable path in the network, Wang et al. [17] used the augmented road algorithm to find optimal attack path within the global paths. To integrate the above security metrics, Idika et al. [18] presented a suite of AG-based security metrics. For instance, the normalized mean of path lengths, the median of path lengths, mode of path lengths, and standard deviation of path lengths. The advantages are that multidimensional measurements of attack paths are achieved. Overall, the above investigations mainly focused on the path metrics upon the ideal attack scenario.

While the above achievements on evaluations of intention and path are abundant and useful, most of them miss out one major issue. Major existing metrics rely on the “monotonicity” assumption, which means that an attacker never needs to relinquish any obtained capability. The assumption of “monotonicity” means that an attacker never has to backtrack, which improves the scalability of the AG, but only reflects the ideal attack scenario. Bopche et al. [19] had reported that the ideal security metrics such as the shortest path and the number of paths cannot reflect the security strength of the network accurately. Ammann et al. [2] also explained that “there are certain attacks where monotonicity does not strictly hold”.

Within this assumption, all the attack scenarios can be modeled as the ideal acyclic graphs. However, the real-world attackers may not be familiar with the given network topology. We recognize that networks have many host interconnections and network privileges obtained in many ways generally, leading to cycles in AG. When calculating the path length, existing reports omit the appearances of repeated nodes in the path. On the contrary, the action of vulnerability exploitation truly happens even if the attempt fails in the realistic attack scenario. Hence, the estimate of path length in the realistic scenario may be greater.

To accurately estimate the attacker’s intention and measure the path length, we borrow a stochastic mathematical model AMC [20] from the attacker’s perspective in this paper. AMC has been widely used in economics, which is capable of analyzing the potential rules of state transition behaviors. Inspired by this, we recognize that multistep and multihost attacks can also be modeled and analyzed using AMC. We analyze the propagation of probabilities along attack paths in the AMC and obtain a suit of metric. In detail, we use automatic tool Multihost Multistage Vulnerability Analysis (MulVAL) [21] to generate logical AG firstly. Then, we design a normalization algorithm with respect to state transition probability and prove that any complete AG can be converted to an AMC. In addition, with the inference process of AMC, we design the relevant matrices B and T for calculating EAIP and EAPL respectively. Additionally, we present two evaluation algorithms, which provide new insights into security metrics of EAIP and EAPL. Finally, we test our algorithms on the CTF and DARPA datasets.

3. Preliminaries

Table 1 summarizes the primary symbols in this paper.

Table 1: Symbols and their descriptions in this paper.
3.1. Motivation

In the above section, we explained that the circles in the AG are the key issue in our study. It is possible to unfold any cyclic graph into an equivalent acyclic graph such that each node appears exactly once in any path. However, this procedure is not necessary if we apply a stochastic model to the cyclic nodes so that we can evaluate the same probabilities as on the unfolded graph but without actually unfolding it. The key idea is to model the complete AG as the AMC, which plays an important role in our approach. On the one hand, the Markov property of AMC is in line with the randomness of attack states transition. On the other hand, any network attacks have at least one ultimate state, which corresponds to the absorbing state in the AMC. Hence, we describe, analyze, and estimate the underlying rules of attack behaviors in the framework of AMC in this paper.

3.2. Attack Graph

As an effective method for modeling multistep attack behaviors, any real-world attack scenario can be abstracted as a logical AG such as Figure 1.

Figure 1: An example attack graph.

Definition 1. Atomic attack is a single step that cannot be broken anymore. It may be a host service scanning or an exploit of the vulnerability. Each atomic attack carries the attacker to a new attack state S.

Definition 2. Attack graph is a tuple , where S is the set of state nodes, A is the set of atomic attack nodes, E is the set of directed edges, and is the set of probabilities of state transitions.(1) is the set of all state nodes in the AG, in which is the set of intention state nodes, and is the set of residual state nodes.(2), where the element in E is the inner product of S. , is the edge connecting nodes and , where is the former node of and is the latter node of .(3)An atomic attack allows an attacker to compromise the from with a nonzero probability of success. The attacker can reach certain privilege state by exploiting the relevant vulnerability.(4) denotes the attack likelihoods propagated through the edge . It measures the success probability associated with the atomic attack . If the state transition is unreachable, assign .

The logical attack graph is generated using a network model builder (e.g., MulVAL, TVA, and NETSPA) by taking the network topology, services running logs, and the firewall policy as input. In this paper, we adopt MulVAL to generate the logical AG. The MulVAL is an efficient polynomial-time builder [21]. Given an attack graph, the edge probability can be computed by diverse technologies (e.g., prior domain knowledge, alert sequence, CVSS metric, and data mining). For the specific surveys, the reader can refer to [1].

Definition 3. Attack intention is a certain ultimate state that attacker wants to achieve.

Definition 4. Attack path is the transition sequence of the attacker starting from an initial state to an intention state. The number of edges equals the length of the attack path.

Definition 5. Expected success probability of attack intention (EAIP) is the mathematical expected value of the probability that the attacker can reach his intention. ProbRank denotes the ranking of intentions according to EAIPs.

Definition 6. Expected attack path length (EAPL) is the mathematical expected value of the number of attack steps the attacker needs to take from his initial state to his intention state. LengRank denotes the ranking of state nodes according to their EAPLs.

Remarks(1)Assume that an attacker can exploit a total of two independent attack paths with length 1 and 4 to reach his intention with probability 1/6 and 1/3, respectively; then . In other words, the attacker will reach the intention node with a sum of probability of 1/2. Meanwhile, the mean number of steps of reaching the intention is 3.(2)The path in ideal attack scenario does not consider the repeated appearing nodes, so there is no circle in the acyclic scenario graph. The EAPL and EAIP equal the arithmetic mean of statistics.(3)In a real-world attack scenario, the number of possible paths is uncertain due to the cyclic path. Hence, the calculation of EAPL is difficult. To the best of our knowledge, so far little researches have been devoted to this issue.

3.3. Absorbing Markov Chain

Definition 7. Markov chain (MC) [20] is a discrete sequence satisfying the following condition: MC contains a finite number of random states, and each state is only related to the predecessor state. Formally

Definition 8. State transition matrix P [20] is an adjacency matrix of MC; the entry is the probability of state transition . If is unreachable, assign . The matrix P satisfies

Definition 9. Absorbing state is the state where the security intention is violated. This state node only has in-going edges but does not have out-going edges.

Definition 10. Transient state is the nonabsorbing state, which has at least one out-going edge.

Definition 11. Absorbing Markov chain (AMC) [20] is a special Markov chain containing at least one absorbing state. For the AMC including r absorbing states and t transient states, the standard form of the state transition matrix iswhere Q is a matrix representing transition probabilities of the transient states, 0 is a zero matrix, R is a matrix representing the transition probabilities between transient states and absorbing states, and I is an identity matrix. The total number of states is .

4. Model of AMC-Based AG

In this section, we first present a normalized algorithm for state transition probabilities in the AG and then construct the state transition matrix P of AMC. On this basis, we prove that the complete AC can be converted to the AMC.

The pseudocode describing the normalization approach for edge probabilities in AG is presented in Algorithm 1. The variables i and j label the ith row and jth column of the matrix P, respectively, where . The variable k labels the kth out-going edge of the node . The set is the set of total out-going edges of the node .

Algorithm 1: Pseudocode for state transition probability normalization algorithm.

We initialize the variables firstly as depicted in line , and then each row vector of matrix P is generated orderly. For the ith row vector of P, as shown in lines , it is generated according to the node . More specifically, we first select all the out-going edges of and add them into the set , then we calculate the normalized probability of state transition in the AMC, and assign the entry of P as , . The residual entries in the ith row vector are assigned with 0. We perform the above recursive process until the matrix P is fully constructed.

According to the number of layers of the recursive algorithm, the time complexity is . Our algorithm needs to store matrix P and vector ; thus the space complexity is also . Therefore, the proposed Algorithm 1 is reachable in polynomial time.

A complete attack graph contains at least one absorbing state node. The absorbing state is the attack intention node where the security goal is violated. It is possible to go to an absorbing state starting from any transient state in a finite number of steps in a complete AC. Once the attacker reaches the intention node, then the system is considered to be in a breached state and the attacker realizes his goal. Therefore, the attacker will continue to remain in this state until preventive measures are taken by the security team to remove the attacker’s presence from the system. Hence, the absorbing state corresponds to the attack intention, and any complete AC contains at least one absorbing state.

A complete AG satisfies the following two conditions and is therefore an absorbing Markov chain: (i) The sum of probabilities of all out-going edges from the node is equal to 1. (ii) The AG contains at least one absorbing state node. The above conditions hold as follows.

Using Algorithm 1, for any node , we can obtain , which indicates that Definition 8 holds. Consequently, condition (i) holds. Since any complete AC contains at least one absorbing state, we can derive that condition (ii) holds. Accordingly, we can get that the proposed proposition holds by and .

The following is the state transition matrix of AMC associated with Figure 1 calculated by Algorithm 1.

5. New Insights into Evaluations of Attack Intention and Path

In the previous section, we model the AG as the AMC and construct the state transition matrix of AG-based AMC. In this section, some lemmas and theorems for state transition are deduced based on this model. In addition, we present new insight into evaluations to quantify EAIP and EAPL.

5.1. Evaluation of EAIP

Lemma 12. Let P be the transition matrix of AMC meeting Definition 11. The entry denotes the probability of and denotes the probability of after launching m steps of atomic attack. is the mth power of matrix P. Then one has

Proof. Using mathematical induction, we have the following:(1)When , (5) holds as follows:(2)Assume (5) holds if ; thus , and then we can deriveTherefore, the assumption follows. From and , we can obtain that Lemma 12 holds.

Lemma 13. The attacker will reach an ultimate absorbing state from any initial transient state if the number of attack actions is not limited. In other words, the transition probabilities between transient states are 0. Mathematically,

Proof. By (3) and (5), if the above formula holds, then we only need to prove . The ijth element of the matrix gives the probability that the Markov chain, starting in the state , will be in the state after m steps. Then we need to prove . It gives us an idea about the convergence of the AMC. Suppose the probability of reaching an absorbing state is nonzero; let it be u, where . Then, initially, the probability that the process will not be absorbed is . After m steps, this probability is equal to . Note that as , we can derive . Thus, for every transient state , the probability that the attacker remains in the state is 0. Hence, Lemma 13 holds.

Lemma 14. Given a fundamental matrix N, the entry denotes the expected number of visits to the transient node from the initial transient node before absorption. Then we can derive .

Proof. If we want to compute the expected number of steps until the chain enters a recurrent class, assuming starting at state , we only need to sum over all transient states . Thus, the sum of number of visits the chain is in the state , given that the chain, starting in the state , through m steps of atomic attack is .
As , by (5) and (8), we can derive ; it implies that all the eigenvalues of Q have absolute values strictly less than 1. Hence, is an invertible matrix. Thus, . Furthermore, we can obtain .
According to and , Lemma 14 holds.

Theorem 15. Given a matrix B, the entry denotes the EAIP of the attacker absorbing in , given that the chain started in , where , . Then one can derive .

Proof. By Lemmas 13 and 14, we can obtain . The ith row of gives the probabilities of ending up in each of the absorbing states, given that the chain started in the ith transient states. Hence, we can derive , and the theorem holds.

To simplify the presentation, we use the attack graph in Figure 1 as an example. We manually assign , and then we can obtain the corresponding state transition matrix P using Algorithm 1. Additionally, combined with (3), we can construct Q and R and further calculate the matrix B as follows:

From the first row of B, if the attacker started at , the EAIPs of and are 3/4 and 1/4 respectively. Since the EAIP of is higher, the most likely attack intention is and the rank of intentions is . By the second row of B, if the initial attack state is , it is observed that the reachable probabilities of and are equal to 1/2. Moreover, for the above two examples, we can see that the attacker will finally reach the absorbing state nodes with the definite probability 1 regardless of its initial state.

5.2. Evaluation of EAPL

Theorem 16. Given a matrix T, where the entry denotes the EAPL the attacker needs to take from the initial state node to the intention state, , let C be a unit vector, and then one has .

Proof. According to Lemma 14, for attacker starting from the initial node , the visits to before absorption are , respectively. As a result, the EAPL of is (equals to the sum of visits to the appearing nodes in the path). Hence, we can derive and that Theorem 16 holds.

Going on with the example in Section 5.1, we can derive that

Obviously, EAPLs of S1 and S2 are 9/4 and 5/2, respectively. Assume that the time-cost for each step attack is equal; then the penetration starting from is quicker than that from . Therefore, the crucial degree of S1 is higher, and the mitigation priorities of the nodes are .

5.3. Algorithm Complexity Analysis

For the above-mentioned two algorithms, the space and time complexity are as follows:(1)The algorithms need to maintain matrix P, matrix Q, matrix N, matrix B, matrix C, and matrix T. Since , the space complexity is .(2)The operations of the algorithm include matrix inversion, matrix addition, and matrix multiplication. Among them, the time complexity of matrix multiplication is the highest. When two matrices are multiplied, there are fundamental operations, so the time complexity is .

To sum up, the proposed algorithms achieve polynomial complexity.

6. Experiments and Analyses

The Defcon’s Capture the Flag (CTF) contest is the largest open computer security hacking game in the world. The game is adversarial, with multiple potentially competing intentions. As demonstrated in [22], since all players are skilled in attack and defense, the attacking process is of great significance for intrusion analysis. The CTF23 dataset [23] released recently, in 2015, contains a large number of attack scenarios. The classical DARPA2000 dataset [24] by the MIT Lincoln laboratory is the standard test set for DDoS attack scenarios.

In this section, deep performances are presented based on the above two datasets by using our metrics.

6.1. CTF 23

Defcon is the largest Internet security community in the world. Defcon provides a “Capture the Flag” (CTF) contest, which is a contest of computer security attack and defense skills, as shown in Figure 2. CTF attracts several expert intruders with a legal opportunity to deliver their skills in a public forum. Each team has to defend its own flag, while trying to corrupt as many of the other teams’ flags as possible. A flag is a data file on the team’s server.

Figure 2: Defcon’s Capture the Flag contest network.

During the game, intruders seek to replace the flag on someone else’s server with their own flag, while defenders try to preserve their flags on their own server. Defcon has recently published the archive of CTF23, which includes all the traffic generation during the game. The size of CTF23 is more than hundreds of GB. There are many attackers starting from different initial states with different attack intentions in attack scenarios.

Firstly, we use TCPReplay tool [25] to replay the CTF23 dataset and detect the alert data by Snort. By extracting the alert sequences using the analyzer ArcSight [26], we reconstruct more than 80 different attack scenarios. Among them, the minimum attack scenario only has 3 nodes, and the maximum attack scenario has no more than 20 nodes. Then we select a familiar attack scenario depicted in Figure 3 as our test scenario. Although the attack process is simple, it helps to analyze the impact of single attack step over the whole network.

Figure 3: A simple attack scenarios extracted from CTF23.

The set of transient states is and the set of the intention states is . Assume that the attacker’s initial state is S1, and his intention is S4; one possible attack path is . The description of this path is as follows: The intruder (IP: breaks into the server with IP address using remote code execution vulnerability and gets its user privilege. After launching a brute-force attack to log in the MySQL server, the attacker can obtain the root privilege finally.

To simplify the discussion, we give some enumerations and summarize the relationships between attack path and edge probabilities. Suppose that the success probabilities of “remote code execution” and “Rothenburg-based attack” are the same and equal to , the success probabilities of “SQL Injection” and “brute-force” are equal to , where . We first construct the state transition matrix P using Algorithm 1. Afterwards, the EAIP matrix B and EAPL matrix T can be calculated using Algorithms 2 and 3, respectively, as follows:

Algorithm 2: Pseudocode for EAIP evaluation algorithm.
Algorithm 3: Pseudocode for EAPL evaluation algorithm.
6.1.1. Evaluation of EAIP

From the first row vector of matrix B, we can obtain that if the initial states is , the EAIPs of and are and , respectively. Some enumerations of EAIP calculation are organized in Table 2. The corresponding 3D figure of V1, V2, and EAIP is illustrated in Figure 4. The EAIP of S3 is higher than 0.5, and the EAIP of S4 is lower than 0.5. Hence, the attacker is more likely to compromise the node S3. We can identify that the possible attack intention is S3. Meantime, the intentions rank is . It means that the first suggested vulnerability to patch is SQL Injection Vulnerability on the server Moreover, we can observe that the value of increases as the parameter increases.

Table 2: Enumerations of EAIPs in Figure 3.
Figure 4: Distribution of EAIPs in Figure 3.

Affected by the attacker’s own characteristics (e.g., knowledge level, professional skills, and attack experience), a different attacker has a different success probability on the vulnerability. In practical application, the probability can be estimated by the attacker’s historical security events. Afterwards, the EAIPs of different intentions can be calculated using Algorithm 1. The security engineer can take precautions for the preferred attack intention nodes.

6.1.2. Evaluation of EAPL

From the matrix T, we observe that the EAPLs of S1 and S2 are both . Therefore, the security rank of the transient nodes is .

Some enumerations of EAPL are listed in Table 3. The 3D figure of EAPL is illustrated in Figure 5. There is a relatively big difference of EAPL with different V1 and V2. For example, from Table 3, when , . On the contrary, when , . Therefore, the probabilities of V1 and V2 have significant impact on the number of steps the attacker needs to reach his intention. Meanwhile, from the formula of , the value of EAPL increases as increases. And the minimum when . In particular, we can obtain when , indicating that the attacker should perform an average of two atomic attacks to achieve his intention.

Table 3: Enumerations of EAPLs in Figure 3.
Figure 5: Distribution of EAPLs in Figure 3.

One can make use of EAPL to quantify the average number of atomic attacks for the attacker to achieve his intention. During the application, by analyzing the ongoing attack events, the security manager can locate the current state of the attacker. Through calculating the EAIPs of the attacker’s different intentions, one can also identify the attacker’s preferred target. This information is valuable for a security engineer to prioritize which intention node needs to be patched first and how it will affect the strength of the network against attacks.

6.2. DARPA 2000

The DARPA 2000 is a classical dataset for DDoS attack analysis, which is a commonly acknowledged. Similarly, we first use the TCPReplay tool to replay DARPA2000 dataset. Then with the automatic AG generation tool, we constructed the attack scenario graph of LLDOS1.0 in Figure 6. For the edge probabilities, we borrow the results in [7], where

Figure 6: LLDOS1.0 attack scenario.

Firstly, we use Algorithm 1 to generate the state transition matrix P of AMC and then perform Algorithms 2 and 3 to calculate the matrices B and T as follows:

In this above scenario, the transient state set is and the absorbing state set is .

According to the matrix B, the attacker will definitively reach the intention node S5 with the probability 1 regardless of initial state. By the matrix T, we can derive that, for different initial state nodes S1, S2, S3, and S4, the calculated EAPLs to S5 are 8.198, 7.200, 7.692, and 7.197, respectively. Hence, the security rank of the middle nodes in the attack path is .

The security metrics under ideal and realistic scenarios in Figure 6 are presented in Table 4. Some conclusions can be summarized as follows:(i)For the ideal scenario, each node appears exactly once in any attack path, and the attacker never has to backtrack during the network penetration, Therefore, there is no circles in ideal path, and the number of total paths is 8. Among them, the shortest paths are and with length 2. The mode of path lengths is 3, and the median of path lengths is 3. The mean path length is 3. The ideal success probability of S5 is 0.14, which is the cumulative probabilities of all the paths under the “monotonicity” assumption, which indicates that each step of the attack launched in the path is indeed successful.(ii)For the realistic scenario, even a failed action of state transition is still handled as an occurrence of the atomic attack. Since the number of atomic attacks is not limited in actual practice, the occurrence probability of S5 is 1, which is bigger than that of 0.14 in the ideal attack scenario. Moreover, the maximum EAPL is 8.2 when the attacker’s initial state is , and the minimum EAPL is 7.197 when the attacker’s initial state is . The maximum 8.2 indicates that the attacker needs to launch an average of 8.2 atomic attacks to breach his intention. However, in the ideal attack scenario, the result is 3 since the repeated nodes appearing in the path are excluded.

Table 4: Structural measurements of LLDOS1.0 attack scenario in Figure 6.
6.3. Comparisons and Discussions

The detailed comparisons of security metrics among ours and other related methods are summarized in Table 5. The security parameters under the ideal and realistic attack scenarios are fully analyzed. As explained in paragraph 3 of Section 1, the metrics under the ideal attack scenario is limited by the “monotonicity” assumption of attackers. Therefore, new insights into EAIP and EAPL in the cyclic graph under realistic attack scenario are provided for the first time in this paper. The major merits are as follows:(i)For the ideal attack scenario, the common metrics involve the most likely attack path [1719], success probability of intention [10, 16, 18, 19], and the number of attack paths [1619], which are investigated in the acyclic graph. Furthermore, [18, 19] further analyzed the mean, median, and mode of path lengths. All these metrics do not take into account the circles and instead assume that each node appears exactly once in any attack path.(ii)For the realistic attack scenario, two new insights into security metrics are given by using AMC to handle the circles in the cyclic graph. First, we investigate the EAIPs of different intentions, which helps to identify the most possible attack target and determine the priorities of critical destination hosts. Second, by locating the current state of the attacker, we can calculate EAPL. The measurement of EAPL enables the administrator to comprehend a reliability number of attack steps that the attacker needs to complete his goal and make the appropriate protection decisions.

Table 5: Comparisons of security metrics among our method and others.

To conclude, our new insights provide more accurate and reliable quantification into the security metrics of multistep attacks.

7. Conclusion and Future Work

Quantifying security with metrics is important since we want to have a scoring system to evaluate the strength of the security. Although many investigations have been made, they are more or less subjected to the attacker’s “monotonicity” assumption. To overcome the limitations, we employ a mathematical model AMC to handle the circles in AG and present the realistic metrics for calculating EAIP and EAPL. In addition, we aggregate existing approaches and give a suite of evaluation methods for both ideal and realistic attack scenario towards multistep attacks. Experiments verify the validity and accuracy of the proposed model and algorithms.

Large-scale networks are mostly generated by integrating multiple small-scale local networks. Due to the scalability of security attacks, our metrics can be extended to the large-scale network systems. Trying to capture the large dataset of the enterprise to test the scalability of the proposed methodology is the future work. Meanwhile, the emphasis is on measuring the state transition probability based on the observed alerts from IDS, firewall, system logs, etc. so that we can improve the flexibility and applicability in a further step.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.


This work was partially supported by the National Key Research and Development Program of China (Grants nos. 2016YFF0204002 and 2016YFF0204003), the Equipment Pre-Research Foundation during the 13th Five-Year Plan period (Grant no. 6140002020115), the CCF-Venus “Hongyan” Scientific Research Plan Foundation (Grant no. 2017003), and the Science and Technology Leading Talent Project of Zhengzhou (Grant no. 131PLJRC644).


  1. K. Kaynar, “A taxonomy for attack graph generation and usage in network security,” Journal of Information Security and Applications, vol. 29, pp. 27–56, 2016. View at Publisher · View at Google Scholar · View at Scopus
  2. P. Ammann, D. Wijesekera, and S. Kaushik, “Scalable, graph-based network vulnerability analysis,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 217–224, ACM, Washington, DC, USA, November 2002. View at Scopus
  3. M. Pendleton, R. Garcia-Lebron, J.-H. Cho, and S. Xu, “A survey on systems security metrics,” ACM Computing Surveys, vol. 49, no. 4, article no. 62, 2016. View at Publisher · View at Google Scholar · View at Scopus
  4. M. Behi, M. GhasemiGol, and H. Vahdat-Nejad, “A new approach to quantify network security by ranking of security metrics and considering their relationships,” International Journal of Network Security, vol. 20, no. 1, pp. 141–148, 2018. View at Google Scholar · View at Scopus
  5. A. Ramos, M. Lazar, and R. H. Filho, “Model-based quantitative network security metrics: a survey,” IEEE Communications Surveys Tutorials, vol. 19, no. 4, pp. 2704–2734, 2017. View at Publisher · View at Google Scholar
  6. Z. Cai, Q. Zhang, and Y. Gan, “Intrusion intention recognition and response based on weighed plan knowledge graph,” Computer Modeling New Technologies, vol. 18, no. 12B, pp. 151–157, 2014. View at Google Scholar
  7. B. Zhu and A. A. Ghorbani, “Alert correlation for extracting attack strategies,” International Journal of Network Security, vol. 3, no. 3, pp. 244–258, 2006. View at Google Scholar · View at Scopus
  8. S. Noel, E. Harley, K. H. Tam, M. Limiero, and M. Share, “Cygraph: graph-based analytics and visualization for cybersecurity,” Handbook of Statistics, vol. 35, pp. 117–167, 2016. View at Publisher · View at Google Scholar · View at Scopus
  9. A. A. Ahmed, “Investigation approach for network attack intention recognition,” International Journal of Digital Crime and Forensics, vol. 9, no. 1, pp. 17–38, 2017. View at Publisher · View at Google Scholar · View at Scopus
  10. X. Ou and A. Singhal, “Security risk analysis of enterprise networks using probabilistic attack graphs,” National Institute of Standards and Technology, pp. 13–23, 2012. View at Publisher · View at Google Scholar
  11. N. Poolsappasit, R. Dewri, and I. Ray, “Dynamic security risk management using Bayesian attack graphs,” IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 1, pp. 61–74, 2012. View at Publisher · View at Google Scholar · View at Scopus
  12. M. Ghasemigol, A. Ghaemi-Bafghi, and H. Takabi, “A comprehensive approach for network attack forecasting,” Computers & Security, vol. 58, pp. 83–105, 2016. View at Publisher · View at Google Scholar · View at Scopus
  13. R. W. Ritchey and P. Ammann, “Using model checking to analyze network vulnerabilities,” 2000 IEEE Symposium on Security and Privacy, pp. 156–165, 2000. View at Google Scholar · View at Scopus
  14. L. Wang, S. Jajodia, and A. Singhal, Using Bayesian Networks to Fuse Intrusion Evidences And Detect Zero-Day Attack Paths, Network Security Metrics, Springer International Publishing, Cham, Switzerland, 2017. View at Publisher · View at Google Scholar
  15. L. Wang, S. Jajodia, and A. Singhal, K-Zero Day Safety: Evaluating The Resilience of Networks against Unknown Attacks, Network Security Metrics, Springer International Publishing, Cham, Switzerland, 2017. View at Publisher · View at Google Scholar
  16. C. Sarraute, G. Richarte, and J. Lucángeli Obes, “An algorithm to find optimal attack paths in nondeterministic scenarios,” in Proceedings of the ACM workshop on security and artificial intelligence, (AISec '11), pp. 71–80, Chicago, Ill, USA, October 2011. View at Publisher · View at Google Scholar
  17. H. Wang, Z. Chen, J. Zhao, X. Di, and D. Liu, “A vulnerability assessment method in industrial internet of things based on attack graph and maximum flow,” IEEE Access, vol. 6, pp. 8599–8609, 2018. View at Publisher · View at Google Scholar
  18. N. Idika and B. Bhargava, “Extending attack graph-based security metrics and aggregating their application,” IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 1, pp. 75–85, 2012. View at Publisher · View at Google Scholar · View at Scopus
  19. G. S. Bopche and B. M. Mehtre, “Graph similarity metrics for assessing temporal changes in attack surface of dynamic networks,” Computers & Security, vol. 64, pp. 16–43, 2017. View at Publisher · View at Google Scholar · View at Scopus
  20. G. F. Lawler, Introduction to Stochastic Processes, Chapman and Hall/CRC, Taylor and Francis Group, London, UK, New York, NY, USA, 2nd edition, 2006. View at MathSciNet
  21. X. Ou, S. Govindavajhala, and A. W. Appel, “MulVAL: a logic-based network security analyzer,” in Proceeding of the 14th conference on USENIX Security Symposium, vol. 14, p. 8, 2005.
  22. H. Huang, J. Ding, and W. Zhang, “A differential game approach to planning in adversarial scenarios: A case study on capture-the-flag,” in Proceedings of the 2011 IEEE International Conference on Robotics and Automation, ICRA 2011, pp. 1451–1456, China, May 2011. View at Scopus
  23. DEFCON, “Capture the flag traffic dump,”
  24. MIT Lincoln Lab, “2000 DARPA intrusion detection scenario specific datasets,”
  25. MIT Lincoln Lab, “TCPdump file replay utility,” index.html.
  26. ArcSight, “ESM enterprise security manager,”