It Is Time To Steer: A Scalable Framework for Analysis-driven Attack Graph Generation

Alessandro Palma, Marco Angelini

TL;DR

The paper tackles the combinatorial scalability of Attack Graph (AG) generation for cyber risk analysis and proposes a progressive, analysis-driven workflow that enables querying during generation to yield real-time insights. It introduces StatAG, which uses random-walk sampling to produce statistically significant partial AGs with KS-distance-based convergence metrics and a stability measure, and SteerAG, which learns steering rules from early results to guide generation toward query-relevant attack paths. The approach is validated through extensive synthetic experiments and a large real-network case study, showing that mature partial results can be obtained quickly and that common attack-path analyses can be performed without enumerating the full AG. This framework enables timely, quantitative risk assessment in dynamic networks, potentially transforming how analysts interact with AGs and enabling real-time decision support, even as networks evolve.

Abstract

Attack Graphs (AGs) represent the best-suited solution to support cyber risk assessment for multi-step attacks on computer networks, although their generation suffers from poor scalability due to its combinatorial complexity. Current solutions address the generation problem from the algorithmic perspective and defer the analysis until after the generation is complete, thus implying too long a waiting time before analysis capabilities become available. Additionally, they poorly capture dynamic changes in the networks because of the long generation times. To mitigate these problems, this paper rethinks classic AG analysis through a novel workflow in which the analyst can query the system at any time, thus enabling real-time analysis, with quantifiable statistical significance, before the AG generation is complete. Further, we introduce a mechanism to accelerate the generation by steering it with the analysis query. To show the capabilities of the proposed framework, we perform an extensive quantitative validation and present a realistic case study on networks of unprecedented size. It demonstrates the advantages of our approach in terms of scalability and fit to common attack path analyses.
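As an added illustration (not the paper's code or data), the toy simulation below mimics the StatAG idea on a constructed five-host network: attack paths to the database host are sampled by random walk, and the path-length distribution of the growing partial AG is compared with the fully enumerated ground truth using the KS distance, and also with the previous partial AG as one possible way to operationalise the stability measure without a ground truth. The uniform-over-unvisited-neighbours walk policy and the path-length feature are assumptions for this example, not the paper's definitions.

```python
import random

# Constructed toy network: host -> [(reachable host, CVSS-like score of the exploited vuln)].
EDGES = {"attacker": [("web", 7.5), ("mail", 5.0)], "web": [("app", 9.8), ("mail", 6.1)],
         "mail": [("app", 4.3), ("db", 8.8)], "app": [("db", 9.1)], "db": []}
SRC, DST = "attacker", "db"

def enumerate_paths():
    """Ground truth (GT): every simple SRC->DST path; the combinatorial step the paper avoids."""
    paths = []
    def dfs(node, seen, scores):
        if node == DST:
            paths.append(tuple(scores)); return
        for nxt, s in EDGES[node]:
            if nxt not in seen:
                dfs(nxt, seen | {nxt}, scores + [s])
    dfs(SRC, {SRC}, [])
    return paths

def random_walk_path(rng):
    """One sampled path: uniformly pick an unvisited neighbour (assumed policy) until DST or dead end."""
    node, seen, scores = SRC, {SRC}, []
    while node != DST:
        choices = [(n, s) for n, s in EDGES[node] if n not in seen]
        if not choices:
            return None  # dead end: discard this walk
        node, s = rng.choice(choices)
        seen.add(node); scores.append(s)
    return tuple(scores)

def ks_distance(a, b):
    """Two-sample Kolmogorov-Smirnov distance: largest gap between the empirical CDFs."""
    cdf = lambda xs, x: sum(1 for v in xs if v <= x) / len(xs)
    return max(abs(cdf(a, x) - cdf(b, x)) for x in set(a) | set(b))

def convergence_and_stability(sizes, feature=len, seed=1):
    """Per partial-AG size: (KS to GT, needs GT so validation only; KS to previous partial AG, computable during generation)."""
    rng = random.Random(seed)
    gt = [feature(p) for p in enumerate_paths()]
    sampled, prev, out = [], None, []
    for n in sizes:
        while len(sampled) < n:
            p = random_walk_path(rng)
            if p is not None:
                sampled.append(feature(p))
        cur = list(sampled)
        out.append((ks_distance(cur, gt), None if prev is None else ks_distance(cur, prev)))
        prev = cur
    return out
```

Note that the random walk does not sample paths uniformly, so the KS distance to the GT settles at a small non-zero bias rather than at zero, while the distance to the previous partial AG keeps shrinking as the sample grows.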

Paper Structure

This paper contains 13 sections, 2 equations, 11 figures, and 1 table.

Figures (11)

  • Figure 1: (a) Classic attack graph generation and analysis process and (b) the progressive one. Dashed lines indicate periods in which the analysis is stalled.
  • Figure 2: StatAG workflow.
  • Figure 3: KS distance of partial AGs from the GT (vulnerability features).
  • Figure 4: KS distance of partial AGs from GT (attack path features).
  • Figure 5: Stability for the path features.

Theorems & Definitions (7)

  • Definition: Attack Graph
  • Definition: Attack Path
  • Definition: Vulnerability and Attack Path Features
  • Definition: Attack Path Query
  • Definition: Partial Attack Graph
  • Definition: Statistical Significance for partial AG
  • Definition: Attack Path Feature Stability