
Hindawi

Security and Communication Networks


Volume 2019, Article ID 2031063, 16 pages
https://doi.org/10.1155/2019/2031063

Review Article
Survey of Attack Graph Analysis Methods from the Perspective of Data and Knowledge Processing

Jianping Zeng,1,2 Shuang Wu,1,2 Yanyu Chen,1,2 Rui Zeng,3 and Chengrong Wu1,2

1 School of Computer Science, Fudan University, Shanghai 200433, China
2 Engineering Research Center of Cyber Security Auditing and Monitoring, Ministry of Education, Shanghai 200433, China
3 School of Computer Engineering and Science, Shanghai University, Shanghai 200444, China

Correspondence should be addressed to Jianping Zeng; [email protected]

Received 1 October 2019; Revised 10 November 2019; Accepted 4 December 2019; Published 26 December 2019

Academic Editor: Pino Caballero-Gil

Copyright © 2019 Jianping Zeng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

An attack graph can simulate the possible paths used by attackers to invade the network. By using the attack graph, the administrator can evaluate the security of the network and analyze and predict the behavior of the attacker. Although there are many research studies on attack graphs, there is no systematic survey of the related analysis methods. This paper firstly introduces the basic concepts, generation methods, and computing tasks of the attack graph, and then several kinds of analysis methods of attack graphs, namely, the graph-based method, Bayesian network-based method, Markov model-based method, cost optimization method, and uncertainty analysis method, are described in detail. Finally, a comparative study of the methods and future work are provided. We believe that this work would help the research community to understand attack graph analysis methods systematically.

1. Introduction

Network security breach has become a potential danger that limits the further development of network applications. According to the “China Cyber security Report for the First Half of 2017,” the number of port scans on MySQL and SQL Server in China was ranked first in the world [1]. Usually, network scanning is the first step to implement a network attack; hence, we can be aware of the severe network security situation in China. Cyber attacks are also fatal for global enterprise networks; for example, the new ransomware virus Petya attacked several known organizations, such as the Ukrainian capital airport, Russian oil and gas giant Rosneft, American pharmaceutical company Merck, and so on. Because the virus can prevent the machine from booting properly to make the computer unusable, network security issues greatly affect the normal operations of enterprise network systems. To solve such problems, it is important to analyze the networks and find out the weak nodes for security hardening.

There are many kinds of models for cyber attack evaluation, such as attack tree, Petri net, and attack graph. The attack graph model proposed by Swiler et al. [2] in 1997 has stronger ability in the description of the network attack process. Hence, it has become one of the most widely used tools for solving network security problems. When attackers launch network penetration, they usually start from gaining privilege on a node by exploiting vulnerabilities in the network, then gradually infiltrate into other nodes, and eventually reach the target node and obtain the required information. Therefore, an attack path from the initial node to the target node can be used to describe the attacker’s specific attack behaviors. Since the network topology itself is of graph-based structure, nodes and attack paths can be represented by means of graphs. The attack graph model is designed to describe the abstracted network topology with a directed acyclic graph and to show the nodes, paths, and consequences of network attack. Each node in the attack graph can stand for a host, vulnerability, or network device, according to different attack graph representation methods. The edge from node A to B indicates that from A, the attacker can reach node B. Thus, the attack graph is similar to the network structure and can simulate the attacker’s attack steps. At the same time, there are many mathematical models that can
formally represent and analyze the simulation. Thus, complex connections, vulnerabilities, and attack paths can be integrated together by modeling an enterprise-level network as an attack graph. With the help of various attack graph formal analysis methods, discovery of potential security problems becomes easy; hence, the attack graph plays a crucial role in network security analysis.

Since the proposal of the attack graph model, it has received extensive attention from the academic community. The methods in node representation, graph generation, and formal mathematical analysis have made great progress. In the previous review work, Kaynar [3] conducted a comprehensive analysis and comparison of attack graph generation, vulnerability classification, and application; Ye et al. and Shandilya et al. summarized the application scenarios [4, 5]; and Chen et al. surveyed the attack graph generation methods [6]. The review work of the attack graph model is a summary of the outstanding research work at that time. Compared with these studies, the main contributions of this paper are as follows:

Firstly, the paper focuses on the analysis methods of the attack graph. Previous review work mainly concentrated on the generation method and applications of the attack graph, which involves little about the analysis methods. The attack graph is a representation of network topology, and how to convert it into formal models is important for the actual applications. Although there exist many analysis methods, they are ignored by current survey work.

Secondly, this paper classifies the attack graph analysis methods according to the differences of research ideas, so it can provide a valuable reference for selecting appropriate analysis methods. Previous reviews mainly classified attack graphs based on the node presentation methods, and they emphasized the representation of attack graphs more than the differences between analysis methods.

Finally, this paper summarizes the uncertainty analysis methods of attack graphs. The uncertainty in network attack stems from network structure, behavior of attack, and so on. For example, mobile devices frequently connect and disconnect with the network and thus lead to the connections varying a lot in the graph. This kind of uncertainty leads to great difficulty in dealing with network security, and thus the uncertainty analysis of the attack graph is an unavoidable problem. However, there is no systematic approach for this problem, and it is usually ignored in the existing review work.

This paper is organized as follows. The basic concepts, generation methods, and tasks of attack graphs are described in the next section. The attack graph analysis models and algorithms, including the graph algorithms, Bayesian and Markov models, cost-optimized analysis method, and uncertainty analysis method, are described in detail in the following sections. In the final section, the various analysis methods are compared in terms of advantages and disadvantages, and future research directions are pointed out.

2. Research Framework of Attack Graphs

The research framework of attack graphs is shown in Figure 1.

As can be seen from Figure 1, information about network topology, vulnerability, network configuration, and network connectivity should be firstly collected. Then, the information is used to generate the attack graph, which can be visualized. According to the graph definition and requirements on security analysis, the graph should be described in mathematical formulation so that quantitative analysis can be performed on nodes, edges, and attack paths. Finally, the analysis results can provide a basis for various attack graph applications. The attack graph analysis method is the key to attack graph research and applications. Hence, we concentrate on the module of the “analysis method” in the framework.

2.1. Example of Attack Graph. Attack graphs are designed to represent the abstracted network topology with a directed acyclic graph. One of the main application scenarios is network vulnerability analysis. The vertices of attack graphs can be related elements such as host, authority, vulnerability, service, and even some network security status, depending on the attack behavior analysis requirements. Unlike the diversity of vertices, the edges in attack graphs generally indicate the perpetration of attacks. As an example, shown in Figure 2, we use the topology of a web Internet network presented in [7]. The network consists of three subnetworks, that is, the Internet, the DMZ (demilitarized zone), and the trust zone. The DMZ contains a DNS server and a web server. There are three servers in the trust zone, that is, the FTP server, database server, and administrative server.

The vulnerabilities on each server are listed in Table 1, and the communication rules between servers are presented in Table 2. Note that “CVE ID” is the vulnerability’s identification in the “Common Vulnerabilities and Exposures” library. Figure 3 shows the corresponding attack graph based on the network topology, vulnerabilities, and connections between the servers.

2.2. Attack Graph Generation Method. Attack graph generation generally contains three steps, that is, reachability analysis, attack template establishment, and attack graph construction [3]. For large-scale attack graphs, reducing the complexity of the attack graph is necessary, and corresponding methods include path pruning, network property compression, and property matching time reduction. Several tools are able to generate the graph automatically.

Sheyner et al. developed an attack graph generation tool [8], which is the first-generation product based on the model checking technique. It takes the host state, state transition probability, and security attributes as inputs. The output is an attack graph containing paths that violate the security attributes.

MulVAL (http://people.cs.ksu.edu/~xou/argus/software/mulval/readme.html) is a Linux-based attack graph
autogeneration tool introduced by Ou et al. [9]. It uses the Prolog logic language to formally describe the configuration and vulnerabilities of nodes, then infers the entire attack process to generate attack paths, and uses Graphviz to draw the attack graph.

Figure 1: Attack graph research framework. Stages: acquire network information, attack graph generation, attack graph mathematical model, calculation and analysis, application. The analysis method is the module this paper concentrates on.

Figure 2: Example of network topology. The attacker (202.120.234.6) is on the Internet, behind a firewall; the DMZ holds the DNS server (DS, 10.10.90.1) and the web server (WS, 10.10.90.3); the trusted zone holds the FTP server (FS, 10.11.90.4), the database server (DBS, 10.11.90.2), and the administrative server (AS, 10.11.90.5).

Table 1: Vulnerabilities on each server.

Server   Vulnerabilities                    CVE ID
WS       Allow remote execution of code     CVE-2015-1635
DBS      Remote execution of SQL command    CVE-2014-1466
FS       Allow remote execution of code     CVE-2013-4465
FS       Allow remote execution of code     CVE-2012-2526
AS       Allow remote execution of code     CVE-2009-0241

Table 2: Communication rules between servers.

Source server    Destination server    Protocol and port
202.120.234.6    WS                    HTTP (80)
WS               DBS                   SQL (1433)
AS               DBS                   SQL (1433)
AS               FS                    FTP (21)
AS               WS                    HTTP (80)
AS               DS                    DNS (1024)

Figure 3: The corresponding attack graph. From the attacker, CVE-2015-1635 in the web server (malicious HTTP request, HTTP-Sys analysis error) leads to the privilege to execute arbitrary code in the web server; from there, CVE-2012-2526 in the FTP server (send malicious message, access and delete objects), CVE-2013-4465 in the FTP server (upload extendable file), or CVE-2014-1466 in the SQL server (SQL injection) leads to the privilege to execute arbitrary code in the FTP server or arbitrary SQL code in the SQL server, either of which accomplishes the attack.
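As an added example (not code from the paper or from any of the tools it lists), the three generation steps of Section 2.2 applied to the network of Figure 2: Table 2 supplies the reachability rules, Table 1 supplies the attack templates, and forward chaining builds the graph of privilege and exploit nodes. The service each exploit is delivered over, the privilege it grants, and the two goal privileges that feed the “Accomplish attack” node are assumptions read off the Figure 3 labels; the enumerated paths also give the path count and shortest-path length discussed in Section 3.1.

```python
"""Attack graph generation for the Figure 2 network (added example).

Reachability rules come from Table 2, attack templates from Table 1. The
service/privilege columns of the templates and the goal privileges are
assumptions taken from the labels drawn in Figure 3.
"""
from collections import deque

ATTACKER = "202.120.234.6"      # attacker address in Figure 2
GOAL = "Accomplish attack"      # terminal node of Figure 3

# Table 2: (source, destination, service).  Step 1: reachability analysis.
RULES = [
    (ATTACKER, "WS", "HTTP"),
    ("WS", "DBS", "SQL"),
    ("AS", "DBS", "SQL"),
    ("AS", "FS", "FTP"),
    ("AS", "WS", "HTTP"),
    ("AS", "DS", "DNS"),
]

# Table 1 as attack templates: (host, CVE, service the exploit needs,
# privilege gained).  Step 2: attack template establishment.  A service of
# None means "any service" (assumption: the paper does not say which
# service CVE-2009-0241 on AS is reached over).
TEMPLATES = [
    ("WS", "CVE-2015-1635", "HTTP", "exec"),   # malicious HTTP request
    ("DBS", "CVE-2014-1466", "SQL", "sql"),    # SQL injection
    ("FS", "CVE-2013-4465", "FTP", "exec"),    # upload file
    ("FS", "CVE-2012-2526", "FTP", "exec"),    # malicious message
    ("AS", "CVE-2009-0241", None, "exec"),
]

# Privileges that complete the attack in Figure 3 (assumption).
GOALS = {"sql@DBS", "exec@FS"}


def generate(rules, templates, attacker, goals):
    """Step 3: attack graph construction by forward chaining.

    A foothold (the attacker, or 'exec@host') that can reach a host over a
    service for which that host has a vulnerability yields two edges:
    foothold -> 'CVE@host' -> 'privilege@host'.  Only 'exec' privileges
    become new footholds; 'sql' is a data-level privilege and is not
    pivoted from.  Returns {node: set(successor nodes)}.
    """
    succ = {attacker: set()}

    def link(a, b):
        succ.setdefault(a, set()).add(b)
        succ.setdefault(b, set())

    queue, visited = deque([attacker]), {attacker}
    while queue:
        node = queue.popleft()
        host = node if node == attacker else node.split("@", 1)[1]
        for src, dst, service in rules:
            if src != host:
                continue
            for vhost, cve, needed, priv in templates:
                if vhost != dst or needed not in (None, service):
                    continue
                exploit, gained = f"{cve}@{dst}", f"{priv}@{dst}"
                link(node, exploit)
                link(exploit, gained)
                if gained in goals:
                    link(gained, GOAL)
                if priv == "exec" and gained not in visited:
                    visited.add(gained)
                    queue.append(gained)
    return succ


def attack_paths(succ, start, goal):
    """All simple paths start -> goal (DFS; the on-path check guards against
    cycles that mutual reachability between hosts could create)."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in sorted(succ.get(node, ())):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return sorted(paths)


def path_metrics(paths):
    """Section 3.1 path metrics, measuring length as exploits per path."""
    if not paths:
        return {"paths": 0, "shortest": None, "mean": None}
    lengths = [sum(n.startswith("CVE-") for n in p) for p in paths]
    return {"paths": len(paths), "shortest": min(lengths),
            "mean": sum(lengths) / len(lengths)}


if __name__ == "__main__":
    graph = generate(RULES, TEMPLATES, ATTACKER, GOALS)
    found = attack_paths(graph, ATTACKER, GOAL)
    for path in found:
        print(" -> ".join(path))
    print(path_metrics(found))
```

Run on Table 2 exactly as printed, the chain reaches the web server and then the database server only; the FTP server branch drawn in Figure 3 appears once a WS-to-FS FTP rule (hypothetical, not in Table 2) is added, which is the kind of gap in the input data that generating the graph exposes.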
NetSPA (https://dspace.mit.edu/handle/1721.1/29899) is an attack graph generation tool designed by Lippmann et al. from MIT. It builds a network model by analyzing firewall rules and vulnerability information and performs reachability analysis [10]. Due to the lack of learning ability in attack mode, NetSPA needs to create a vulnerability rule set manually.

TVA uses the Nessus vulnerability scanner to automatically map the scanned vulnerabilities to the description of the network device [11]. In the generated attack graph, attack paths from the initial state to the target state are provided. Like NetSPA, TVA needs to manually create a rule set.

2.3. Attack Graph Calculation Task. The purpose of attack graphs is to quantify the network security situation and find the weakness. Therefore, several important calculation tasks to be done on the attack graph include network vulnerability analysis, node security hardening selection, attack path prediction, and uncertainty analysis.

Vulnerability analysis includes two aspects. One is the analysis of possible attack paths before an attack and the defense of high-risk nodes on the path. The other is analyzing attack behavior, predicting the subsequent target, and taking countermeasures for the attack [4].

In network reinforcement, important steps include the selection of nodes that need to be strengthened, the balance between costs and benefits, and targeted network defense methods. All these tasks need rigorous modeling analysis.

For attack path prediction, since the network attack is usually systemic, the exploited vulnerability and the attack path can be traceable. While there are many attack paths in a particular attack, how to identify the paths that are the most likely used requires complete considerations. In addition, the dynamics of network configuration require that the network attack defense mechanism be updated according to the development of network security technology and enterprise services. As a result, it is necessary for attack graphs to provide uncertainty analysis on the security problems caused by the network configuration.

2.4. Attack Graph Analysis Method. There is no single analysis method that can fulfill all of the above calculation tasks. Hence, the corresponding analysis method should be carefully selected according to the specific tasks. This paper systematically surveys the analysis methods, which can be generally categorized into logic-based methods and probability-based methods. Probability-based analysis methods include Bayesian networks and Markov models, and the rest are based on logic. Among these methods, graph-based algorithms and Markov model-based analysis methods can be used to predict attack behavior and analyze the most likely attack path. Bayesian network-based analysis methods tend to identify high-risk nodes and the key nodes that should be reinforced. Cost-optimized algorithms have a huge advantage in balancing costs and benefits. The analysis method based on uncertainty is used to study the influence of vulnerabilities, links, attack behaviors, and other factors on network attacks.

3. Attack Graph Analysis Methods Based on Graph Algorithm

Usually, an attack is launched at the initial node, and then the neighbor nodes which have weaknesses in security can serve as the next hop to finally reach the target node. Hence, by analyzing the characteristics of the attack graph, the effectiveness of each path and node in security assurance can be examined. Accordingly, the current research studies on attack graph algorithms can be summarized in two categories: one is based on graph paths and the other is based on the nodes.

3.1. Graph Path Algorithm. The general research methods of attack graphs are based on various graph path algorithms of directed acyclic graphs. Several metrics, such as the shortest path, the average path length, and the extended security metric, have been devised to measure the network security in the algorithms.

The shortest path in the attack graph is the one that covers the least number of vulnerabilities in the process of reaching the attack target [12]. The idea is to utilize various graph algorithms, such as the Dijkstra algorithm, the Floyd algorithm, and so on [13]. This is a relatively straightforward method of attack graph analysis, but there are some problems. For example, it is suggested that this method does not consider the number of shortest paths in the attack graph [12]. Suppose two alternative topologies have the same shortest length; this method can lead to wrong results. Figures 4 and 5 represent two different networks. The topology, configuration, and version of applications in the two networks are different, and so are the labels. Suppose the starting state is S and the target state is G. The shortest path length in both figures is 1, which means that the shortest path does not provide any reasonable reference. However, there is more than one path with length 1 in Figure 5. Hence, in order to increase the shortest path length of the attack graph, only one path needs reinforcement in Figure 4. For this reason, the network of Figure 4 is stronger than that of Figure 5. But the shortest path method cannot draw this conclusion. In addition, the shortest path is a coarse-grained metric that is not sensitive to small changes in network nodes. For example, in Figure 5, as long as one of the five paths from S to G is maintained, any changes in the other paths will not affect the shortest path.

Another path algorithm attempts to find the number of attack paths, which represents how many different methods an attacker can choose to reach the target [14]. The number of attack paths reflects the exposure degree of the network to attackers. The more attack paths there are, the lower the security of the network. Compared to the shortest path method, the attack graph path number is more sensitive and performs better in the prediction of attack behavior. However, the shortcomings of this method are also very obvious. For example, the number of attack paths does not
reflect the cost of the attack spent, nor does it reflect the difficulty of each path to the target.

Figure 4: Optional attack graph A (start state S, target state G, vulnerability nodes V1 to V13).

Figure 5: Optional attack graph B (start state S, target state G, vulnerability nodes V14 to V18).

An average path length metric that averages the length of all attack paths to measure the cost of attacks on the target network is proposed [15]. This approach is slightly different from the assumptions on which the shortest path method is based. The shortest path method assumes that the attacker will choose the shortest path, which is subject to many other factors in reality, such as the skills the attacker has and the utilization of the vulnerability on the shortest path. Therefore, the average path length metric uses the average length instead of the smallest one. This method has a good performance in network security reinforcement. However, this method is not sensitive to path changes in the attack graph.

Based on the above three metrics, the improved security metric was proposed by Idika and Bhargava [14]. Firstly, the average of all attack path lengths in the graph is normalized. The normalization compensates for the lack of path number in the average path length metric. At the same time, the normalization makes the comparison between different attack graphs more reasonable and comprehensive. The attack graph with a smaller normalized average path length is more likely to be risky. Secondly, the mean of the path lengths is not able to describe the variance of path lengths. Therefore, the authors introduce three criteria, that is, the standard deviation of path lengths, the distribution of path lengths, and the median of path lengths. Through the distribution of path lengths, the most typical path length in the attack graph can be revealed, and it suggests a likely amount of effort for attackers. As for the median of path length, it suggests an average effort for attackers. For the standard deviation and the median, administrators should focus on those paths whose length is less than the average during network hardening.

The above methods only consider paths and ignore the role of nodes in path selection. To overcome this problem, some researchers recently proposed a path analysis method for large-scale networks [16]. This method combines path lengths and the danger coefficient of nodes represented by CVSS (https://www.first.org/cvss/) (Common Vulnerability Scoring System) scores. The danger coefficient of the whole path can be expressed by the product of all node scores on the path. The higher the danger coefficient is, the higher the probability that the path will be utilized by attackers. Based on the results, administrators can select the paths with a danger coefficient greater than the predefined threshold for optimization.

3.2. Importance Sorting Algorithm for Graph Nodes. In order to capture the uniqueness of different nodes for security reinforcement, other studies focus on the node sorting method.

Inspired by the PageRank algorithm, which measures the importance of webpages in a search engine [17], Mehta et al. [18] improved the PR algorithm to solve the problem of analyzing large-scale attack graphs. This algorithm first analyzes the paths by which a particular network may be attacked to generate an attack model, which is then transformed into an attack graph. The nodes represent a particular state, for example, whether a database server port is open or not. The edges represent a transition between states; for example, an open port state might cause the invasion of the database server. The leaf nodes represent an error state, which is a kind of privilege the attacker finally gets. The sorting of attack graph nodes is essentially a prediction of state transitions, similar to the Markov model introduced in Section 5. The sorting algorithm obtains the leaf node with the highest PR value in the graph, and the error state represented by that node is the most likely privilege gained by the attackers. Sorting the other nonleaf nodes will reveal the attack path that is the most likely to be exploited by the attacker. For example, if the node that represents the open state of a port on the database server has a high PR value, it means that the attacker is more likely to use this port to launch an attack.

The PageRank algorithm will find out the way most likely to be attacked through and provide advice for reinforcing
vulnerable nodes. However, the network usually changes dynamically. As a result, the corresponding attack graph should be reconstructed frequently, and the large amount of computation for the algorithm should not be ignored.

To solve the problem, Lu et al. [19] employed a GNN (Graph Neural Network) [20] to sort the attack graph nodes. The GNN learns the topological dependence of objects, such as the ranking of a node relative to its adjacent nodes. The reason why the authors used a GNN is that, compared to other machine learning algorithms, a GNN does not need normalized vector data. Secondly, a GNN guarantees convergence. Although this method has the same basic idea as PageRank, it provides a better solution for dynamic network changes. The experimental results show that the accuracy of training with the GNN is similar to the PageRank algorithm. The GNN takes a long time to train, but after that, the attack graph can be tested quickly, so it is more suitable for dealing with frequent dynamic changes.

3.3. Comparisons between the Two Methods. The path analysis methods do not need to investigate and assign the probability of node states. Therefore, the variables in the methods are more explicit and can be solved by algebraic methods. However, the sensitivity of path analysis algorithms is generally low, and the difficulty of exploiting is also ignored. The analysis method for sorting node importance takes the general states of the nodes into consideration, and thus it can be utilized to overcome the problems in path analysis methods.

4. Attack Graph Analysis Method Based on Bayesian Network

A Bayesian network (BN) is a kind of probabilistic graph network. It is commonly used in the field of uncertainty analysis and reasoning. The Bayesian network uses causal relationships to estimate the probability of an unknown event based on events that have occurred. The attack graph based on the Bayesian network is represented by a triple (Node, Edge, PTable). The nodes in the attack graph denote the vulnerabilities, privileges, etc. The edges are the dependencies between the nodes. PTable is the conditional probability distribution, which is used to record the conditional probability of nodes being attacked. The value of the probability is usually determined by experts in the professional field.

An example of an attack graph in Bayes-based attack graph analysis is shown in Figure 6. Five nodes from A to E indicate the vulnerabilities of the system or the privileges obtained through vulnerabilities. PTable is presented in the figure. For example, when node C is successfully attacked by an attacker, the probability that node E is attacked is 0.5. When a node is identified as an evidence node, which means that the attack event has happened, then the probability of the other node statuses can be obtained by using the Bayesian formula.

Liu and Man applied the Bayesian network to the attack graph for the first time [21]. The authors incorporated CVSS-based scores and the causal relationships to update the posterior probabilities of nodes, and then the attack path can be exploited. Later, the huge advantages in solving uncertainty made BN widely used in attack graphs.

Researchers have found that the impact of vulnerabilities would change over time. For example, if the vendor releases a patch to fix a vulnerability, the exploitability of the vulnerability will be greatly reduced. Therefore, it is insufficient to use the CVSS-based score to evaluate vulnerabilities without considering the time evolution. Thus, Frigault et al. [22] employed the factor of time, such as the availability of an exploit or patch, to establish a dynamic Bayesian attack model (DBN). In this model, the attack graph is composed of multiple Bayesian attack graphs. Each BN corresponds to a specific time, and nodes are connected by edges in consecutive time slices. The DBN model satisfies the Markov property, that is, the system state only depends on the previous state. According to the probability distribution of the initial and the adjacent time, a joint probability distribution can be obtained.

In addition, only using CVSS scores to estimate the probability in the attack graph does not make full use of other information of the network. For this reason, Wu et al. [23] added three environmental factors to the Bayesian attack graph to improve the inference ability. These factors are the value of assets in the network, the usage of the network, and the attack history of the network. The authors believed that a network which has higher asset values and is used more frequently is more likely to be attacked again. The experiments support this conclusion, so considering environmental factors will make the analysis results more accurate.

Although the introduction of the Bayesian network to analyze attack graphs is more comprehensive compared to the graph algorithm, all of the above works did not propose a reasonable and effective model that can be applied to the process of reasoning. To overcome the problem, Liu and Man [21] put forward a variable elimination (VE) algorithm, but the complexity of the VE algorithm highly depends on the order of variable elimination, which is random and has low computational efficiency. Therefore, it can only be used in a small-scale network. In addition, the VE algorithm can only calculate the unconditional probability of one node at a time. Therefore, Munoz-Gonzalez et al. [24] used the joint tree algorithm (JT) as an improvement on the VE algorithm. The JT algorithm can achieve the convergence state through the message passing mechanism. Once the model achieves the convergence state, all the probabilities no longer change. At the same time, the introduction of the prior probability value of one node would only affect several probability values rather than the total graph. The experiment results show that the JT algorithm is superior to the VE algorithm in terms of time complexity and space complexity and is more suitable for actual situations.

Although there are a lot of research studies on attack graph analysis based on Bayesian networks, little work pays attention to the attack time consumed, which is important for administrators to predict when the next attack will happen. Hu et al. [25] presented a method to calculate the time
Figure 6: An example of an attack graph in Bayes-based attack graph analysis. Nodes A and B have no parents; C depends on A and B; D depends on B; E depends on C. The PTable entries drawn in the figure are as follows.

P(A)  P(¬A)
0.7   0.3

P(B)  P(¬B)
0.7   0.3

A  B  P(C)  P(¬C)
1  1  0.8   0.2
1  0  0.6   0.4
0  1  0.4   0.6
0  0  0     1

B  P(D)  P(¬D)
1  0.7   0.3
0  0     1

C  P(E)  P(¬E)
1  0.5   0.5
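As an added example (not from the paper), exact inference over the PTable of Figure 6: the joint distribution is enumerated directly, which is feasible for five binary nodes, and the posterior of each node is computed with and without an evidence node, as the text describes. The row for C = 0 in E’s table is not printed in the figure; it is assumed to be 0 here, following the pattern of the C and D tables.

```python
"""Exact inference on the Bayesian attack graph of Figure 6 (added example)."""
from itertools import product

# Figure 6: parents of each node and P(node = 1 | parent values), i.e. the
# probability that the node is attacked given which parents were attacked.
# Assumption: P(E=1 | C=0) = 0 (the figure lists only the C=1 row for E).
PARENTS = {"A": (), "B": (), "C": ("A", "B"), "D": ("B",), "E": ("C",)}
PTABLE = {
    "A": {(): 0.7},
    "B": {(): 0.7},
    "C": {(1, 1): 0.8, (1, 0): 0.6, (0, 1): 0.4, (0, 0): 0.0},
    "D": {(1,): 0.7, (0,): 0.0},
    "E": {(1,): 0.5, (0,): 0.0},
}


def joint(assignment):
    """P(A, B, C, D, E) for one full assignment, by the chain rule over the DAG."""
    p = 1.0
    for node, parents in PARENTS.items():
        p_true = PTABLE[node][tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence=None):
    """P(target = 1 | evidence) by enumerating the 2^5 joint assignments.

    `evidence` maps nodes to observed values; {node: 1} marks an evidence
    node in the sense of the text (an attack known to have happened).
    """
    evidence = evidence or {}
    numerator = denominator = 0.0
    for values in product((0, 1), repeat=len(PARENTS)):
        assignment = dict(zip(PARENTS, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue            # inconsistent with the observed evidence
        p = joint(assignment)
        denominator += p
        if assignment[target]:
            numerator += p
    return numerator / denominator


def risk_ranking(evidence=None):
    """Non-evidence nodes ordered by posterior compromise probability; the
    top entries are the high-risk nodes a defender would harden first."""
    evidence = evidence or {}
    scores = [(node, query(node, evidence))
              for node in PARENTS if node not in evidence]
    return sorted(scores, key=lambda item: -item[1])


if __name__ == "__main__":
    print("prior P(E)        =", round(query("E"), 4))            # 0.301
    print("P(E | D attacked) =", round(query("E", {"D": 1}), 4))  # 0.34
    for node, p in risk_ranking({"D": 1}):
        print(f"{node}: {p:.3f}")
```

Marking D as an evidence node raises P(E) from 0.301 to 0.34: D can only be attacked through B, so B becomes certain, which makes C and therefore E more likely.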

consumed. They calculated the average time consumption by weighting on historical attacks and took the expected time based on the probability of future attack.

5. Attack Graph Analysis Method Based on Markov Model

Markov models are widely used in attack graph analysis. They can be divided into four categories, that is, Markov chain (MC), Markov decision process (MDP), hidden Markov model (HMM), and partially observable Markov decision process (POMDP). Their relationship is shown in Table 3.

All of the above models have no aftereffects. Given the known information, the past state is irrelevant for predicting future states, and the future state is only relevant to the present one. In this section, the attack graph studies are, respectively, reviewed based on these four models.

5.1. Markov Model. By means of a Markov chain, a triple (S, P, Q) is used to represent the attack graph, where S denotes all possible states in the system, including absorbing states and transient states. States consist of network assets, user privilege, etc. P denotes the state transition probability matrices and Q denotes the initial probability of states. The absorbing Markov chain has two properties. First, an attack graph has at least one absorbing state. Second, in an attack graph, it is possible to go from every state to an absorbing state. As shown in Figure 7, node 4 is absorbing because it is impossible to leave it once entered.

In the attack graph, the absorbing state is regarded as the attack target. Once the node is reached, the attack is done successfully. For any network, the attack path is from the initial node to the target node through the transient states, and thus state transitions can be used to indicate the change of the network security. The network state, state transition relationship, initial state, and target state can be abstracted from the network to construct a state transition system of the network. By analyzing the attack path, it is possible to conduct the network security assessment.

Abraham and Nair [26] modeled the attack graph as an absorbing Markov chain. The transition probabilities of the

probability P(i, j) from i to j is defined as the score of j divided by the sum of the scores of all of the next nodes of i. Through the model, the authors can perform a security assessment on the network, such as calculating the expected path length and probabilistic path metric.

Abraham and Nair later introduced time factors into the Markov chain and presented a network security metric model [27]. The time factors can capture the probability that the vulnerability exploited by the attacker changes with time. The authors used the results of Frei’s vulnerability lifecycle model [28] to calculate the likelihood of an exploit or patch being available a certain number of days after its disclosure. Actually, the impact of the vulnerability will gradually decrease over time. Then, the probability of the state transition from this vulnerability should be reduced. Thus, it is useful to combine time weights and the CVSS score into the transition matrix of the Markov model.

5.2. Markov Decision Process. The analysis method based on the Markov decision process (MDP) uses a five-tuple (S, A, P, R, c) to describe the attack graph. S denotes the set of states that may appear in the system, A denotes the action set, P denotes the state transition matrix, R is the benefit of state transfer by performing the action, and c is a discount factor indicating the uncertainty about the future. MDP can be utilized to represent the attacker’s decision. The benefit is the attacker’s cost or the reward if the attack is successful. In the attack graph, the attacker tends to choose a path that minimizes the cost of the attack or gets the highest reward. The Markov decision process can select the most profitable set of actions in a series of random action sequences based on Markov properties.

Sheyner et al. [8] calculated the likelihood of a successful attack based on the MDP modeling of the attack graph. The method of value iteration is used to select the optimal action strategy based on MDP. However, as the scale of the network increases, the great challenges in the calculation are obvious. Therefore, simplifying the calculation has become one of the issues when using MDP to solve optimization problems.

Durkota et al. [29] adopted a p
runing strategy for MDP in response to the above problem. The authors considered the MDP problem from the attacker’s point of view and used
Markov chain are calculated by CVSS scores, and the Sibling-Class Pruning and the Branch-and-Bound methods
8 Security and Communication Networks

Table 3: Four categories of Markov models.


No consideration of decision action With consideration of decision action
Visible state Markov chain (MC) Markov decision process (MDP)
Partially observable Markov decision process
Invisible state Hidden Markov model (HMM)
(POMDP)

1 X1 X2 X3

2
Y1 Y2 Y3 Y4

3 Figure 8: Hidden Markov model.

4
observation sequence is attained by Viterbi algorithm which
takes both vulnerability scores and defense cost into con-
Figure 7: Absorption Markov chain.
sideration. In this way, it is possible to select the most
necessary path for network hardening.
to speed up the search process. With the pruning techniques,
the amount of calculation is greatly reduced, and the model
can be applied to large-scale network analysis. 5.4. Partially Observable Markov Decision Process. The
partial observable Markov decision process (POMDP) is
represented the model by using a seven-tuple (S, A, P, R, Ω,
5.3. Hidden Markov Model. Hidden Markov model (HMM) O, c). Ω is the set of observations. O is the conditional
adds a hidden state to the Markov chain and can be rep- observation probability, indicating how likely it is in a
resented by a five-tuple (S, O, A, B, PI). S is the set of hidden particular state after observing Ω. Because the administrator
states, expressed as the state of the system, i.e., the attack is unsure about the current state, he needs to perceive the
state. O is the set of observation states, expressed as physical environment to determine which state he is in. Then, the
components (such as hosts and servers), network assets, concept of a belief state space is introduced, which is to
privileges, or vulnerabilities. A is the state transition estimate the current state and then the POMDP problem can
probability matrix. B is the observation symbol probability be converted into an MDP problem.
matrix and PI is the initial state distribution. Taking Figure 8 Miehling et al. used POMDP to develop optimization
as an example, the upper layers X1 , X2 , and X3 are hidden strategies for attack graph analysis [31]. It is assumed that the
states, and the bottom layers Y1 , Y2 , Y3 , and Y4 are ob- defender can only partially observe the attacker’s action at
servation states. There is a certain relationship between any given time and needs to make decisions when the in-
hidden states. For example, if X1 represents state of port formation is incomplete, and thus POMDP problem can be
scanning, then the next state is more likely to be “sending formulated. In the attack graph, the nodes represent system
error packets.” The relationship between hidden states is attributes, such as, attacker permission levels on a given
described by the transition probability matrix A. At the same machine, vulnerabilities of a service or system, information
time, each hidden state corresponds to several observation leakage, and so on. Exploits which are represented by the
states. For instance, at the state of X1 (port scan), we can edges in the graph are events that allow the attacker to use
observe both Y1 (warning from snort and other detection their current set of capabilities to obtain further capabilities.
tool) and Y2 (honeypot capture) states with a certain The probability of the observed events can be used to es-
probabilities which are represented by the observation timate the attacker’s ability. The authors used POMDP
symbol probability matrix B. solver developed by Cassandra to obtain the optimal defense
Wang et al. [30] first proposed a method for quantitative policy [32].
analysis of the attack graph under the framework of the In addition to the incomplete observations, the utility
hidden Markov model. In the research, nodes such as function might be unknown. For example, for the zero-day
network assets, system vulnerabilities, and user rights are vulnerability in the attack graph, the information about the
taken as observations, and the system state of attack and vulnerability is unknown so that the cost or reward cannot
nonattack is set as hidden states. The observations are as- be estimated. However, defenders can get some feedback
sociated with the hidden system state by a certain proba- after taking defensive measures. Therefore, Hu et al. [33]
bility. Based on the proposed HMM model, the next system used a POMDP algorithm for solving unknown utility. The
state can be predicted by capturing a series of observable authors divided the time equally and calculated the benefit as
values. The most probable attack sequence for a specific the average of the benefit for each time period. Finally,
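Section 5.1 above describes the absorbing chain and its CVSS-derived transition matrix in prose only. The following is an added example, not code from the surveyed papers, that builds the transition matrix for a small constructed attack graph, puts it in canonical form, and reads the expected attack path length and the most-visited intermediate node off the fundamental matrix N = (I - Q)^-1. The graph, the CVSS base scores, the numbering of states as 0..n-1, and the rule p = score/10 for turning a score into an exploit weight (normalised per state) are all assumptions made here.

```python
"""Absorbing Markov chain analysis of an attack graph (Section 5.1).

Added example: this is not code from the surveyed papers. The attack
graph, the CVSS base scores and the rule p = score / 10 for turning a
score into an exploit weight are constructed assumptions; per-state
weights are normalised so that every row of P sums to 1. States are
assumed to be numbered 0..n-1.
"""
from typing import Dict, List, Tuple

# Constructed attack graph: state -> [(next_state, CVSS base score of the exploit)]
# 0 = attacker foothold, 1 = web server shell, 2 = database credentials,
# 3 = target (domain admin). The target has no outgoing exploits: absorbing.
ATTACK_GRAPH: Dict[int, List[Tuple[int, float]]] = {
    0: [(1, 9.8), (2, 5.3)],
    1: [(2, 7.5), (3, 8.8)],
    2: [(3, 6.5)],
    3: [],
}


def transition_matrix(graph: Dict[int, List[Tuple[int, float]]]) -> List[List[float]]:
    """Build P: transient rows are CVSS-weighted, absorbing rows are identity rows."""
    n = len(graph)
    P = [[0.0] * n for _ in range(n)]
    for s, exploits in graph.items():
        if not exploits:
            P[s][s] = 1.0                      # absorbing state (the attack target)
            continue
        weights = [score / 10.0 for _, score in exploits]
        total = sum(weights)
        for (t, _), w in zip(exploits, weights):
            P[s][t] += w / total               # relative attacker preference
    return P


def invert(M: List[List[float]]) -> List[List[float]]:
    """Gauss-Jordan inverse of a small dense matrix (stdlib only, no numpy)."""
    n = len(M)
    A = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[pivot] = A[pivot], A[col]
        pv = A[col][col]
        if abs(pv) < 1e-12:
            raise ValueError("matrix is singular; the chain is not absorbing")
        A[col] = [x / pv for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0.0:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def absorbing_analysis(graph):
    """Return (transient states, fundamental matrix N, expected steps to absorption)."""
    P = transition_matrix(graph)
    states = sorted(graph)
    absorbing = [s for s in states if P[s][s] == 1.0]
    transient = [s for s in states if s not in absorbing]
    # Canonical form P = [[Q, R], [0, I]]; N = (I - Q)^-1 is the fundamental matrix.
    Q = [[P[i][j] for j in transient] for i in transient]
    I_minus_Q = [[(1.0 if i == j else 0.0) - Q[i][j] for j in range(len(transient))]
                 for i in range(len(transient))]
    N = invert(I_minus_Q)
    # N[i][j] = expected number of visits to transient state j when starting in i;
    # the row sum is the expected number of transitions before absorption, i.e.
    # the expected attack path length from state i to the target.
    expected_steps = {s: sum(N[i]) for i, s in enumerate(transient)}
    return transient, N, expected_steps


def highest_risk_node(graph, start: int) -> int:
    """Intermediate node the attacker is expected to visit most often from `start`."""
    transient, N, _ = absorbing_analysis(graph)
    i = transient.index(start)
    candidates = [(N[i][j], s) for j, s in enumerate(transient) if s != start]
    return max(candidates)[1]


if __name__ == "__main__":
    transient, N, steps = absorbing_analysis(ATTACK_GRAPH)
    for s in transient:
        print(f"state {s}: expected steps to target = {steps[s]:.3f}")
    print("most visited intermediate node from 0:", highest_risk_node(ATTACK_GRAPH, 0))
```

With a single absorbing state every transient state is absorbed with probability 1, so the informative outputs are the expected path length per state and the visit counts in N, which is how the most likely path and the high-risk node are read off a Markov model; the time weights of [27] would enter by scaling the per-exploit weights before normalisation.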
Dynamic programming is then used to estimate the optimal utility function. The simulation results show that when the utility function is unknown, the algorithm can still help the defender identify an effective defense strategy.

Recently, Miehling et al. developed a new POMDP model [34] which is more general than the previous one [31]. The authors considered more complex dependencies between vulnerabilities, such as the successful exploitation of a vulnerability creating multiple attack conditions. At the same time, more realistic situations such as false positives of alerts are also discussed. In this method, only the state related to the current defense decision, rather than the entire state space, is considered, and the experiments show that the computational efficiency is improved.

5.5. Comparisons of the Methods. The four methods MC, MDP, HMM, and POMDP are employed to model attack behavior. These models can be distinguished by whether the state is visible and whether decision actions are considered. MC only makes use of state transition probabilities, while MDP introduces a utility function; however, both the utility function and the state transition probabilities are assumed known over all time periods. MDP adds the attacker's decision-making behavior to the Markov chain. From the practical point of view, the defender has to make decisions using the existing partial information, the historical state sequence, and the reward function, so POMDP is potentially the most effective.

6. Attack Graph Analysis Method Based on Cost Optimization Algorithm

Apart from finding the security condition of a specific network, another important task of the attack graph is to determine how to implement targeted reinforcement. When it comes to network hardening, it is necessary to consider cost. Any measure adopted has a cost: for example, deploying a new packet filtering firewall costs money, and filtering out legitimate packets by mistake also costs. If the impact of a network attack is not severe or the damage is easy to repair, then the cost of network hardening can be higher than repairing the damage after the attack. From the perspective of attackers, if the gain from attacking is far less than the time and other costs of attacking, the attackers may give up attacking the network. Therefore, it is important to decide whether reinforcement is needed and which nodes should be reinforced.

In this section, cost optimization algorithms are introduced. The general idea is to obtain the attack paths and the probability of each node being exploited, and then to calculate the cost of hardening each node.

6.1. Attack Graph Analysis Method Based on Cost Minimization Algorithm. For a particular network, finding the least-cost hardening is an NP-complete problem.

In the early stage of attack graph research, the general idea for solving this problem was to find the smallest set of vulnerabilities [35]. The smallest set means that the target attack state becomes unreachable if all the vulnerabilities in the set are fixed or removed. However, the parent nodes of each node in the set are ignored in this method. Hence, the conditions that enable the vulnerability still exist and remain a potential security risk.

Approaches based on cost distribution along paths are another attempt at the problem. The motivation is that removing the starting nodes with serious vulnerabilities can effectively improve network security. Islam and Wang [36] proposed a heuristic algorithm for searching for such initial nodes. Each initial node in the attack graph has an effective cost, defined as the ratio of the node cost to the number of vulnerabilities in it. The cost is then distributed to the successor nodes according to several rules, and finally the distribution reaches the target node that needs to be defended. As a result, the initial node with the greatest impact on the target node and the minimal initial cost is selected for hardening. Wang et al. proposed a disjunctive normal form (DNF) representation method for attack graphs [37]. In this approach, the target node is transformed into the DNF of its predecessor nodes. The decomposition of the target node contains only the initial conditions, and each disjunct in the DNF provides a different option for network hardening. The options with minimum cost are chosen under the given assumptions on the cost of the initial conditions.

Reduced ordered binary decision diagrams (ROBDD) [38] are a newer idea for tackling the cost minimization problem. An ROBDD provides an efficient graphical way of representing and manipulating Boolean functions; it has one source and two sinks labeled 0 and 1. There are two types of relation between exploit nodes and condition nodes in an attack graph, namely, the AND relation and the OR relation. Each internal node N_i in the ROBDD has a high edge pointing to node N_{h_i} and a low edge pointing to node N_{l_i}. By performing iterative Shannon decomposition on each node of the function, we get

\mathrm{MinCost}(N_j) = \min\{\mathrm{MinCost}(N_{h_j}),\ \mathrm{MinCost}(N_{l_j}) + C(N_j)\}. \quad (1)

For example, in the attack graph shown in Figure 9(a), c_i indicates an initial condition, A and B are intermediate nodes, G is the target node, and two paths lead to the target node. Figure 9(b) shows the corresponding ROBDD of Figure 9(a), where the sink reached when the attack is still available is labeled 1 and the sink reached when the attack is unavailable is labeled 0. Assume the hardening costs of the c_i are C(c_1) = 10, C(c_2) = 1, and C(c_3) = 15. The cost of network hardening is min{C(c_2), C(c_3), C(c_2) + C(c_1), C(c_3) + C(c_2)}, so the minimum cost is 1 and c_2 should be reinforced. The ROBDD method does not need to traverse the graph to reach the target state, and thus the complexity is O(n), where n is the number of nodes in the ROBDD.
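The recursion (1) and the Figure 9 numbers, as an added example that is not code from the surveyed paper: it builds a reduced OBDD from a Boolean reachability function by Shannon expansion, applies MinCost to it, and cross-checks the answer by brute force over every hardening subset. Because the figure itself is not recoverable from the extracted text, the structure of the graph (A requires c1 and c2, B requires c2 and c3, G is reached through A or B) is an assumption chosen so that the text's result, cost 1 by hardening c2, comes out; the costs are the ones given in the text, and the variable order c1, c2, c3 is assumed.

```python
"""Minimum-cost hardening via an ROBDD and the MinCost recursion (1) of Section 6.1.

Added example: not code from the surveyed papers. The attack graph below is an
assumption (the figure is not recoverable from the text): A needs c1 AND c2,
B needs c2 AND c3, and the target G is reached if A OR B is exploitable.
Hardening costs C(c1)=10, C(c2)=1, C(c3)=15 are the ones given in the text.
"""
from functools import lru_cache
from itertools import product
from typing import Callable, Dict, FrozenSet, Tuple, Union

INF = float("inf")
Node = Union[int, Tuple[str, "Node", "Node"]]   # sinks 0/1 or (var, low, high)


def goal_reachable(c1: bool, c2: bool, c3: bool) -> bool:
    """Assumed structure of Figure 9(a); True means the attacker reaches G."""
    a = c1 and c2
    b = c2 and c3
    return a or b


def build_robdd(f: Callable[..., bool], order: Tuple[str, ...]) -> Node:
    """Shannon-expand f along `order`, merging identical sub-diagrams (reduced OBDD)."""
    unique: Dict[Tuple, Node] = {}

    def mk(var: str, low: Node, high: Node) -> Node:
        if low == high:                      # test is redundant: drop the node
            return low
        key = (var, low, high)
        return unique.setdefault(key, key)   # one shared node per distinct sub-diagram

    def expand(i: int, assignment: Dict[str, bool]) -> Node:
        if i == len(order):
            return int(bool(f(**assignment)))
        var = order[i]
        low = expand(i + 1, {**assignment, var: False})   # condition hardened
        high = expand(i + 1, {**assignment, var: True})   # condition left available
        return mk(var, low, high)

    return expand(0, {})


def min_cost_hardening(root: Node, cost: Dict[str, float]) -> Tuple[float, FrozenSet[str]]:
    """Equation (1): MinCost(N) = min{MinCost(N_high), MinCost(N_low) + C(N)}.

    Sink 1 means the attack is still available (unacceptable, cost INF); sink 0
    means the target is unreachable (cost 0). Following the low edge of a node
    corresponds to hardening that condition, which is what costs C(N).
    """
    @lru_cache(maxsize=None)
    def rec(n: Node) -> Tuple[float, FrozenSet[str]]:
        if n == 1:
            return INF, frozenset()
        if n == 0:
            return 0.0, frozenset()
        var, low, high = n
        keep_cost, keep_set = rec(high)
        harden_cost, harden_set = rec(low)
        harden_cost += cost[var]
        if harden_cost < keep_cost:
            return harden_cost, harden_set | {var}
        return keep_cost, keep_set

    return rec(root)


def brute_force(f, order, cost):
    """Check all 2^n hardening subsets; only feasible for tiny graphs."""
    best = (INF, frozenset())
    for bits in product((False, True), repeat=len(order)):
        hardened = frozenset(v for v, b in zip(order, bits) if b)
        available = {v: v not in hardened for v in order}
        if not f(**available):
            c = sum(cost[v] for v in hardened)
            if c < best[0]:
                best = (c, hardened)
    return best


ORDER = ("c1", "c2", "c3")
COST = {"c1": 10, "c2": 1, "c3": 15}

if __name__ == "__main__":
    root = build_robdd(goal_reachable, ORDER)
    print(min_cost_hardening(root, COST))          # (1.0, frozenset({'c2'}))
    print(brute_force(goal_reachable, ORDER, COST))
```

The recursion visits each ROBDD node once, which is the O(n) claim above; the brute-force check is 2^n and exists only to validate the diagram. Changing C(c2) to 30 makes hardening c1 and c3 (cost 25) the cheapest cut, which both routines report.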
Cost minimization algorithms simultaneously take the vulnerability exploitation, the time spent, and the economic cost into account. In addition, intelligent algorithms can also be employed for the cost minimization problem. A genetic algorithm can be used to solve the minimum-cost network hardening of attack
graphs [39]. Firstly, the attack graph is binary coded: 0 means the node does not need to be changed, while 1 means it needs to be changed. The second step is to initialize the population, define the fitness function and the objective function, and iterate according to the preset parameters. The fitness function is the cost of the hardened state represented by each chromosome, and the objective function represents the expected minimum cost. The final result of multiple iterations is an approximately optimal solution. Sequential linear programming is another approach to obtain the cost minimization solution [40]. The theoretical complexity of this algorithm is high, but with appropriate parameters the running time in practice is acceptable.

Figure 9: Example of ROBDD attack graph. (a) Attack graph with initial conditions c1, c2, c3, intermediate nodes A and B, and target G; (b) the corresponding ROBDD with sinks 0 and 1.

6.2. Attack Graph Analysis Method Based on Game Theory. The essence of cyber security analysis is the game between individuals, that is, attackers and defenders. Game theory provides a reasonable mathematical framework for analyzing network security, and it can help choose the best strategies while considering defense cost and profit.

In the process of network reinforcement, the honeypot is a common facility for defenders to reduce the risk of network attacks. Legitimate users do not interact with the honeypot, so the honeypot can act as bait to draw the attackers' attention. At the same time, it can send intrusion alerts to the defender. However, the construction and maintenance costs of honeypots are very high, so it is very important for defenders to consider how to deploy honeypots properly. On the other hand, attackers need to predict and avoid honeypots. Therefore, game theory is used to simulate the offensive and defensive interaction, and the best way to deal with the attackers can be determined by calculating the gains attained by the offense and the defense.

Durkota et al. extended Stackelberg models, which are leader-follower games [29]. In the game, the defender is the leader and the attacker is the follower. The authors suppose that the attacker knows the number of honeypots and their types, but not where the honeypots are. The defender strengthens the security defense by placing honeypots, and the attacker selects the optimal attack path by analyzing the defender's behavior. There are two kinds of nodes in the attack graph, that is, fact nodes and action nodes. Fact nodes are used to represent the logical structure of the entire network, and the action nodes represent the attack behavior, which is accompanied by the probability and cost of a successful attack. The attacker chooses the attack path with the highest profit. Once the attacker enters a honeypot, the attack ends. Therefore, the authors transform the attack graph with the game theory model into an MDP problem to solve this complex problem, and introduce pruning techniques to reduce the amount of computation effectively. However, the assumptions of this method have limitations; for example, the attacker needs to know most of the information and just cannot distinguish whether a host is real.

A new game theory model for attack graph analysis is proposed based on a more reasonable assumption [41]. In this model, the attacker only knows the total number of honeypots but does not know their types. However, the optimal strategy for finding the defender's honeypots is NP-hard and cannot be directly calculated in larger networks. The problem can be converted into an approximate model of a perfect-information game where the attacker is supposed to know the defense strategy of the defender. Experiments show that the resulting strategy is very close to that of the original model.

6.3. Comparisons of the Methods. The goals of the two methods are the same, that is, to find the proper security reinforcement under a cost restriction. The cost minimization algorithms take the vulnerability exploitation, the time spent, and the economic cost into account. The game theory-based method further considers the interaction between the offensive and defensive sides, and therefore it can attain more useful results for reinforcement. However, both methods face the same questions, such as the setting of costs, the computational complexity, and so on.

7. Uncertainty Analysis Based on the Attack Graph

Dealing with uncertainty in the attack process is important for network security. New methods should be introduced into the attack graph to process the uncertainties. The
uncertainties come from several sources, such as the network structure, attack actions, device configurations, and so on [42]. Therefore, according to the types of uncertainty that can be analyzed, three analysis methods, addressing uncertain paths, uncertain nodes, and zero-day attacks, are summarized in this section.

7.1. Analysis of Attack Graph with Uncertain Paths. The uncertain graph plays an important role in graph structure uncertainty analysis and is widely applied in many areas of uncertainty analysis [43, 44]. Nguyen et al. [45] attempted to model uncertainties in the existence of vulnerabilities and network connections by uncertain graphs. In the uncertain graph model, the existence of each edge is unknown and is described by a probability. The original uncertain graph model uses a triple (V, E, p) to represent the existence probabilities: V for the nodes, E for the edges, and p for the existence probability of each edge. Whether an attack path can be utilized is based on the reachability from the initial node to the target node in the corresponding uncertain graph [46], which can be calculated by summing the path existence probability over all possible worlds of the uncertain graph.

The original uncertain graph assumes that the probabilities of the edges are independent of each other. However, this is not always true in an attack graph. Therefore, Nguyen et al. extended the form of the uncertain graph and described the relationship between edge existences by a quintuple (V, E, p, X, q). X is a Boolean variable indicating whether an edge exists or not, the edge existence probability is p = P[X], and q is a Boolean function indicating the relationship between edges. At the same time, the article demonstrates that when the Boolean function is monotone, uncertainty analysis of the attack graph transforms from an NP-complete problem into the calculation of a confidence interval of the path's initial probability distribution. The reachability from the initial node to the target node is positively correlated with the uncertainty of the path; hence, the impact of possible vulnerabilities and configuration changes in the network on the reachability of the target node can be analyzed.

7.2. Analysis of Attack Graph with Uncertain Nodes. Mobile terminals which can freely connect to the network provide a new way for attackers to invade the network. Attackers can even attack other network nodes through vulnerabilities on mobile devices instead of merely attacking the device itself. It is therefore imperative to introduce mobile device nodes into the attack graph.

The analysis of attack graphs with mobile devices is a great challenge. Firstly, whether the mobile device exists in the network, when and for how long it exists, and which network services are open on it are all unknown. Secondly, many questions are still difficult to resolve, for example, how to determine whether the mobile device has exploitable vulnerabilities and how to measure the vulnerabilities on the mobile devices.

A scalable probabilistic graph model that incorporates dynamic network features into the modeling has been proposed [40]. The model uses probabilities to represent the possible usage of mobile devices and their properties, such as connection duration and connection frequency. The scalable probabilistic attack graph adds a node Online(H, P), in which H stands for a mobile device and P stands for the operating system of H. The node is assigned a Bernoulli variable as the probability of its connection to the network. In the analysis phase, it is assumed that the mobile device connects to the network according to the defined probability, and the analysis then determines how the connection impacts the security of the whole network. The experimental results show that after the introduction of mobile devices, great changes occur in the distribution of security threats across the network. The experiments also find that the mobile phone's attack expectation is far beyond that of other nodes. The results confirm that mobile devices have a great impact on traditional network defense strategies.

7.3. Analysis of Attack Graph with Zero-Day Attack. A zero-day vulnerability refers to a vulnerability that has been discovered but is possibly not known to the public, and for which the vendor has not released a related patch. For this reason, it is a severe threat to network security. By borrowing the idea of the attack surface [47–49] and of k-anonymity in privacy protection [50], Wang et al. proposed the k-zero-day method to model zero-day attacks in network defense [51]. Following the basic idea of k-anonymity, the analysis supposes the existence of a zero-day vulnerability on each node and then counts the number of distinct zero-day vulnerabilities required on each attack path. If every attack path requires at least k zero-day vulnerabilities, then the attack graph is k-zero-day safe. The greater the value of k, the more unknown vulnerabilities an attacker needs to exploit to invade the network, and the more secure the network is. Therefore, the defender can arrange the devices on the network so that the requirement of k-safety is satisfied. This strategy for defending against zero-day attacks not only preserves the possibility of zero-day attacks in attack graphs but also provides a more feasible way to handle the uncertainty brought by zero-day attacks.

Sun et al. [52] introduced zero-day vulnerabilities into Bayesian networks, attempting to combine zero-day vulnerabilities with Bayesian-based attack graph analysis methods. This approach is remarkable, but how a zero-day vulnerability impacts other vulnerabilities needs further evaluation.

7.4. Comparisons of the Methods. The uncertainty analysis provides an effective remedy for dealing with special scenarios. The analysis method for attack graphs with uncertain paths focuses on the uncertainties in the existence of vulnerabilities and network connections, the analysis of attack graphs with uncertain nodes pays attention to the uncertainties raised by mobile devices, and the analysis method for attack graphs with zero-day attacks deals with those vulnerabilities that have been discovered but are possibly not known to the public.
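The possible-worlds reachability computation of Section 7.1, as an added example that is not code from the surveyed papers: it enumerates every world of an uncertain graph (V, E, p), weights each by the product of edge existence probabilities, and sums the mass of the worlds in which the target is reachable. The optional constraint argument is this example's own reading of the Boolean function q in the extended quintuple (V, E, p, X, q): worlds that violate q are discarded and the remaining mass is renormalised. The sample graph, its probabilities, and the sample constraint are constructed.

```python
"""Reachability probability in an uncertain attack graph (Section 7.1).

Added example: not code from the surveyed papers. An uncertain graph is the
triple (V, E, p) of the text under possible-worlds semantics (each edge is
present independently with probability p). The `constraint` argument is this
example's reading of the Boolean function q of the extended quintuple
(V, E, p, X, q): worlds violating q get zero mass and the rest is renormalised.
The sample graph and probabilities are constructed.
"""
from collections import deque
from itertools import product
from typing import Callable, FrozenSet, Iterator, List, Optional, Tuple

Edge = Tuple[str, str, float]            # (source, target, existence probability p)
World = FrozenSet[Tuple[str, str]]       # the edges present in one possible world

# Constructed uncertain attack graph: an edge exists when the exploit or
# connection it stands for is actually usable, with probability p.
SAMPLE_EDGES: List[Edge] = [
    ("attacker", "web", 0.9),
    ("web", "db", 0.6),
    ("web", "target", 0.4),
    ("attacker", "db", 0.5),
    ("db", "target", 0.7),
]


def possible_worlds(edges: List[Edge]) -> Iterator[Tuple[World, float]]:
    """Enumerate all 2^|E| worlds with their probability under edge independence."""
    for bits in product((False, True), repeat=len(edges)):
        prob = 1.0
        present = []
        for (u, v, p), b in zip(edges, bits):
            prob *= p if b else 1.0 - p
            if b:
                present.append((u, v))
        yield frozenset(present), prob


def reachable(world: World, src: str, dst: str) -> bool:
    """BFS over the edges present in one world."""
    adj = {}
    for u, v in world:
        adj.setdefault(u, []).append(v)
    seen, queue = {src}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return True
        for v in adj.get(u, []):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return False


def reach_probability(edges: List[Edge], src: str, dst: str,
                      constraint: Optional[Callable[[World], bool]] = None) -> float:
    """P(target reachable) = sum of P(world) over the worlds containing a path.

    With `constraint`, worlds failing it get zero mass (the edges are then no
    longer independent) and the result is conditioned on the surviving worlds.
    """
    hit = 0.0
    mass = 0.0
    for world, prob in possible_worlds(edges):
        if constraint is not None and not constraint(world):
            continue
        mass += prob
        if reachable(world, src, dst):
            hit += prob
    return hit / mass if mass > 0 else 0.0


def same_db_vulnerability(world: World) -> bool:
    """Constructed q: both exploits into 'db' rely on one vulnerability, so they
    exist together or not at all."""
    return (("web", "db") in world) == (("attacker", "db") in world)


if __name__ == "__main__":
    print(reach_probability(SAMPLE_EDGES, "attacker", "target"))
    print(reach_probability(SAMPLE_EDGES, "attacker", "target", same_db_vulnerability))
```

The enumeration is exact but exponential in |E|, which is the NP-completeness the text mentions; the monotonicity result of [45] is what makes the problem tractable for real graphs, and this brute-force form is only for checking small cases.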
12 Security and Communication Networks

8. Applications of Attack Graph 8.4. Uncertainty Analysis Based on Attack Graph. The net-
Analysis Method work structure and configurations are usually changing
dynamically and frequently. Software update, application, or
Currently, applications of attack graph can be categorized configuration changes may cause minor changes on network
into four types, that is, network risk assessment, network topology, but the changes on attack graph are enormous.
security hardening, prediction of attack behavior, and the Therefore, the attack graph of the network is more sensitive
uncertainty analysis of network security. to uncertainty. The uncertainties usually are caused by
several factors. The vulnerabilities in the new version of
software are unknown and probably not the same as the old
8.1. Network Risk Assessment. The administrator can analyze version. As another example, the mobile device connections
the network security by assigning probabilities or damage are usually not kept and difficult to predict, which lead to the
values to the edges and nodes in the attack graph and great uncertainty on network security. The task of uncer-
calculating the security indicators. These metrics can be used tainty analysis based on attack graphs is thus to analyze the
to determine whether a host or network is under attack, such uncertain phenomena mentioned above, evaluate the in-
as risk analysis and reliability analysis [53]. In the graph fluence of these uncertain factors, and attempt to conduct
algorithm, the corresponding metric, such as the number of quantitative analysis. These uncertainties can be solved by
attack paths in the graph, can be used as the criterion for uncertain attack graphs. The scalable attack graph analyzes
whether the network is secure. Otherwise, the attack graph the connection probability of mobile devices in the network,
analysis methods based on Bayesian network, Markov evaluating security status of whole network. The zero-day
models, and other probability-based methods infer the attack graph can deal with the unknown vulnerabilities that
possibility of attacks through probability distributions. may exist in the network.

9. Conclusion and Future Work


8.2. Security Hardening. Network security hardening aims to
adopt an optimal security policy to improve network se- 9.1. Conclusion. This paper focuses on the analysis method
curity. Repairing all vulnerabilities is meaningless and in- of attack graphs. The main research work can be grouped
feasible. A more suitable choice is to find some high-risk into five types, namely, graph-based attack graph analysis
vulnerabilities and measure the cost of attack and defense, method, Bayes-based attack graph analysis method, Markov
respectively, and then remove some appropriate vulnera- model-based attack graph analysis method, cost optimiza-
bilities according to the cost. When selecting the node to tion methods, and uncertainty analysis methods. To sum-
harden, a heuristic optimization algorithm can be used to marize the survey, the comparison among these methods is
compare the optimal strategy. For example, Wang et al. provided in Table 4.
integrated attack graph and the hidden Markov model to Compared with Bayesian and Markov models, the graph
explore the probabilistic relation between system vulnera- algorithm is more simple and intuitive. Meanwhile, the
bilities and attack states, and then a heuristic searching graph algorithm does not need to carry out model training,
algorithm is employed to automatically infer the optimal and the influence of node changes is limited, so the graph
security hardening through cost-benefit analysis [30]. Based algorithm performs better in terms of scalability. Bayesian
on the Bayesian network analysis method, Poolsappasit et al. network has great advantages in solving uncertainties and
proposed to multiply three key factors, that is, the proba- correlation problems. Markov-based models need enough
bility of exploiting the vulnerability, the expected return of training data. When using HMM to infer the distribution
vulnerability elimination, and hardening cost [54]. Then, the over hidden states, it is necessary to enumerate all the ob-
result is considered as the hardening return to find out the servation sequences. It is difficult to obtain an accurate result
best hardening strategies by using genetic algorithm. by using MDP and POMDP since the problem is NP-hard,
so some approximation algorithms are used instead. The
complexity of the optimization algorithm is generally higher
8.3. Prediction of Attack Behavior. In some occasions, the than the graph algorithm.
administrator needs to predict the next targets once a host
has been found compromised. By applying attack graph 9.2. Future Work. The attack graph analysis method is still
analysis methods to the scenario, it is able to get the pre- developing continuously, and the future development will
diction results. For graph algorithms, the prediction can be focus on the following aspects:
inferred from the kinds of path, such as the shortest path. For
Bayesian network-based method, the next behavior can be (1) Integrate different attack graph analysis methods to
predicted by calculating the posterior probability for improve the ability of attack representation and
neighbor nodes. Moreover, the method provides a good way modeling analysis.
to update the prediction model by adding the new attack The existing analysis methods have respective ad-
instances into training set and then updating the model. In vantages and disadvantages. Therefore, in the future,
applications, the alarm message provided by security in- the researchers can try to integrate logic-based path
frastructures, such as intrusion detection system, system log, analysis and probability-based node analysis. An
and so on, can be taken as the current attack situation [4]. effective integration framework can be designed to
Security and Communication Networks

Table 4: Comparison of attack graph analysis methods.


Analysis method Advantage Disadvantage Calculation tasks Complexity Scalability
Insufficient combination with exploit Identify the most likely path and high-risk
Graph algorithm Intuitive, portable O(n2) Strong
utilization node, predict attack behavior
Analyze vulnerability, identify high-risk
Bayesian network Flexible, easy to train Complicated analytical calculations nodes, network hardening, and predict O(n2) General
attack behavior
Identify the most likely paths, identify high-
Markov model Easy to train, better prediction More restrictions risk nodes, network hardening, and predict O(n2) General
attack behavior
Cost optimization
algorithm
Game theory Strong portability Slight discrepancy with actual results Network hardening, predict attack behavior O(n2) General
Cost minimization Limited application, difficult model
Strong portability Network hardening, predict attack behavior O(n) Strong
algorithm selection
Solved problems that other algorithms Analyze vulnerability, identify high-risk
Uncertainty algorithm Limited application areas — Strong
cannot solve nodes
13
14 Security and Communication Networks

take full advantage of the two analysis methods. For example, the complexity of Bayesian and Markov algorithms can be reduced by pruning the attack graph based on the probability of vulnerability exploitation.

(2) Combine the attack graph analysis method with big data technology to improve the accuracy of model training and parameter setting.

Probability-based analysis methods, such as Bayesian, Markov, and game theory methods, need accurate estimates of parameters that are difficult to set by hand. In future research, these parameters can be obtained through big data analysis to avoid the errors caused by subjective assignment. The general idea is to first collect a large amount of network attack data, then clean it, extract features, and explore the relations between different vulnerabilities with big data technology, providing a basis for determining the transition probabilities.
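Items (1) and (2) carried through as an added example, not code from the survey or from any tool it cites: exploit probabilities are estimated from attack traces (item 2), low-probability exploits are pruned before inference (item 1), and a noisy-OR pass, the usual Bayesian attack graph approximation, is compared on the full and pruned graphs. The network, the traces, the threshold and the per-visit estimator are all constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed attack graph (not from the paper): edge = one exploit step, "goal" = target.
EDGES = [("internet", "web"), ("internet", "vpn"), ("web", "db"), ("web", "goal"),
         ("vpn", "db"), ("vpn", "fileserver"), ("db", "goal"), ("fileserver", "goal")]
# Constructed attack traces (nodes compromised in order), a stand-in for a mined attack corpus.
TRACES = [["internet", "web", "db", "goal"], ["internet", "web", "db", "goal"],
          ["internet", "web", "goal"], ["internet", "web", "db"],
          ["internet", "web", "db", "goal"], ["internet", "vpn", "db", "goal"],
          ["internet", "vpn"], ["internet", "vpn", "fileserver", "goal"],
          ["internet", "vpn", "fileserver"], ["internet", "vpn"]]

def estimate_probs(traces, edges):
    """P(exploit) = share of observed compromises of src that went on to dst (unseen edges: 0)."""
    visits, moves = Counter(), Counter()
    for trace in traces:
        visits.update(trace)
        moves.update(zip(trace, trace[1:]))
    return {(a, b): moves[(a, b)] / visits[a] if visits[a] else 0.0 for a, b in edges}

def prune(probs, threshold, entry="internet"):
    """Drop exploits below threshold, then edges no longer reachable from the entry point."""
    kept = {e: p for e, p in probs.items() if p >= threshold}
    reachable, frontier = {entry}, [entry]
    while frontier:
        node = frontier.pop()
        new = [b for a, b in kept if a == node and b not in reachable]
        reachable.update(new)
        frontier.extend(new)
    return {e: p for e, p in kept.items() if e[0] in reachable}

def goal_probability(probs, entry="internet", goal="goal"):
    """Noisy-OR over the DAG (the usual Bayesian attack graph approximation): a node falls if any
    predecessor fell and its exploit worked. Pruning removes terms only, so the result is a lower bound."""
    preds = defaultdict(list)
    for (a, b), p in probs.items():
        preds[b].append((a, p))
    memo = {entry: 1.0}
    def p_of(node):
        if node not in memo:
            survive = 1.0  # probability that no predecessor's exploit reached this node
            for a, p in preds[node]:
                survive *= 1.0 - p_of(a) * p
            memo[node] = 1.0 - survive
        return memo[node]
    return p_of(goal)

full = estimate_probs(TRACES, EDGES)
small = prune(full, threshold=0.3)  # drops web->goal and vpn->db (both estimated at 0.2)
print(len(full), len(small), round(goal_probability(full), 3), round(goal_probability(small), 3))
```

Because the pruned graph can only lower the computed compromise probability, the gap between the two values is the price paid for the smaller graph and should be checked before the pruned model is used for hardening decisions.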
(3) Introduce more uncertainty theory into attack graph analysis and enhance the ability to analyze uncertainty in attack behavior.

In addition to system uncertainty, there are also attacker uncertainty and system environment uncertainty. Because of their complex characteristics and dynamics, existing methods have difficulty handling all kinds of uncertainty exactly. Therefore, it is necessary to introduce more uncertainty theories and techniques, such as fuzzy cognitive maps, rough sets, D-S theory, and rule-based systems, to enhance the ability to analyze uncertainty in attack behavior.

(4) Combine attack graph technology with other security technologies to solve difficult problems in network security.

Typical examples are APT attacks and zero-day vulnerability detection. APT attacks pose difficulties for vulnerability identification and network defense because of their long duration and because they are hard to detect from the abnormality of a single node. Attack graph technology can infer changes of the network state and discover abnormal system operations in the graph. Therefore, combining state analysis in attack graphs with network intrusion detection technology can improve the detection of APT attacks. Meanwhile, it is possible to combine code detection and attack graph technology to discover suspicious parts of the network and improve the ability to identify zero-day vulnerabilities.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Key R&D Program of China (grant nos. 2017YFB0803203 and 2016YFB0800101) and Shanghai Municipal Natural Science Foundation (grant no. 15ZR1403700).