Speaker: Massimiliano Albanese, University of Maryland, College Park
When: April 7, 2011, 11:00 am - 12:00 pm
Where: Nguyen Engineering Building, Room 5117
Attack graphs have been widely used for attack modeling, alert correlation, and prediction, but traditional approaches have some limitations with respect to scalability, impact analysis, and attacker's behavior. In this talk, I will present a novel framework to analyze massive amounts of security alerts in real time, and estimate the impact of current and future attacks, based on a better knowledge of the attacker's behavior. First, I will introduce the notion of generalized dependency graph, which captures how network components depend on one another, and how the services offered by an enterprise depend on the underlying infrastructure. Second, I will present an extension of the classical definition of attack graph, encoding probabilistic knowledge of the attacker's temporal behavior. Third, I will introduce attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services that could be ultimately affected by the corresponding exploits. Finally, I will present a data structure to index large volumes of security alerts, and an efficient algorithm to update the index in real time, as well as an algorithm to predict and rank future scenarios, based on the current situation. In conclusion, I will show that the proposed approach scales well for large graphs and large volumes of alerts. In practice, the proposed framework can provide security analysts with actionable intelligence about the current cyber situation, enabling them to make more informed decisions.
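The following is an added toy example, not the speaker's code or the framework presented in the talk, meant only to make the abstract's ingredients concrete: a dependency graph (services depend on components), an attack graph whose steps carry assumed success probabilities, an alert index updated one alert at a time, and a ranking of feasible future scenarios by probability times the value of the services they would newly affect. Every host name, service value, signature-to-step mapping and alert record is constructed for illustration; the scoring rule (probability multiplied by marginal impact) is an assumption chosen here, not the talk's algorithm.

```python
"""Added illustrative example: a toy attack scenario graph that joins a
dependency graph with a probabilistic attack graph, indexes alerts as they
arrive, and ranks feasible next attack scenarios by probability x impact.
All graphs, weights, signatures and alerts below are constructed."""
from dataclasses import dataclass

# --- Dependency graph (constructed): components each service needs ---
SERVICE_DEPS = {
    "customer-portal": {"web01", "db01"},
    "payroll": {"db01", "ldap01"},
    "vpn": {"ldap01"},
}
# Assumed business value of each service, used as the impact weight.
SERVICE_VALUE = {"customer-portal": 5.0, "payroll": 8.0, "vpn": 3.0}


@dataclass(frozen=True)
class Step:
    """One exploit step in the attack graph."""
    name: str
    compromises: str        # component the attacker gains on success
    requires: frozenset     # steps that must all have succeeded first
    prob: float             # assumed success probability given prerequisites


# --- Attack graph (constructed): two routes to the database ---
ATTACK_STEPS = {
    s.name: s for s in [
        Step("phish-vpn-user", "ws07", frozenset(), 0.6),
        Step("exploit-web01", "web01", frozenset(), 0.4),
        Step("pivot-to-ldap01", "ldap01", frozenset({"phish-vpn-user"}), 0.5),
        Step("dump-db01-via-web", "db01", frozenset({"exploit-web01"}), 0.7),
        Step("dump-db01-via-ldap", "db01", frozenset({"pivot-to-ldap01"}), 0.8),
    ]
}

# Constructed mapping from IDS signature names to attack steps.
SIGNATURE_TO_STEP = {
    "ET PHISHING credential page": "phish-vpn-user",
    "WEB_SERVER rce attempt": "exploit-web01",
    "LDAP anomalous bind": "pivot-to-ldap01",
    "SQL bulk export": "dump-db01-via-web",
}


class AlertIndex:
    """Indexes alerts by the attack step they evidence; each ingest is O(1)."""

    def __init__(self):
        self.by_step = {}           # step name -> list of alert dicts

    def ingest(self, alert):
        step = SIGNATURE_TO_STEP.get(alert["signature"])
        if step is not None:        # unmapped alerts are not evidence of a step
            self.by_step.setdefault(step, []).append(alert)
        return step

    def observed_steps(self):
        return frozenset(self.by_step)


def impacted_services(compromised):
    """Services that depend on at least one compromised component."""
    return {svc for svc, deps in SERVICE_DEPS.items() if deps & compromised}


def impact_value(compromised):
    return sum(SERVICE_VALUE[s] for s in impacted_services(compromised))


@dataclass(frozen=True)
class Scenario:
    steps: tuple            # future steps, in order
    prob: float             # product of the steps' success probabilities
    marginal_impact: float  # value of services newly affected by the scenario
    score: float            # prob * marginal_impact, used for ranking


def rank_scenarios(observed, max_depth=2):
    """Enumerate feasible future step sequences up to max_depth, ranked by score."""
    already = {ATTACK_STEPS[s].compromises for s in observed}
    baseline = impact_value(already)
    results = []

    def extend(done, seq, prob):
        if len(seq) == max_depth:
            return
        for step in ATTACK_STEPS.values():
            # A step is feasible only if not yet taken and all prerequisites hold.
            if step.name in done or not step.requires <= done:
                continue
            new_seq, new_prob = seq + (step.name,), prob * step.prob
            gained = already | {ATTACK_STEPS[s].compromises for s in new_seq}
            marginal = impact_value(gained) - baseline
            results.append(Scenario(new_seq, new_prob, marginal, new_prob * marginal))
            extend(done | {step.name}, new_seq, new_prob)

    extend(set(observed), (), 1.0)
    return sorted(results, key=lambda sc: sc.score, reverse=True)


if __name__ == "__main__":
    # Constructed alert stream: a phished user and an exploit attempt on web01.
    index = AlertIndex()
    for alert in [
        {"ts": "2011-04-07T10:01:00", "signature": "ET PHISHING credential page", "src": "203.0.113.9"},
        {"ts": "2011-04-07T10:15:00", "signature": "WEB_SERVER rce attempt", "src": "203.0.113.9"},
        {"ts": "2011-04-07T10:16:00", "signature": "ICMP ping sweep", "src": "198.51.100.4"},
    ]:
        index.ingest(alert)
    for sc in rank_scenarios(index.observed_steps()):
        print(f"{sc.score:5.2f}  p={sc.prob:.2f}  impact={sc.marginal_impact:4.1f}  {' -> '.join(sc.steps)}")
```

With the two constructed alerts ingested, the single step dump-db01-via-web ranks first (probability 0.7, newly exposing payroll) just ahead of pivot-to-ldap01 (probability 0.5, but exposing both payroll and vpn); the dependency graph is what lets a less likely step compete on impact rather than on probability alone.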