Network
and many aspects of the society. The
Security
Analysis
Based on
Secur
ity Status
Space
Abstract
As an important method to analyze the
security status of computer network,
generating of network attack graph is a
hot topic in this domain. After analyzing
network security attributes including the
host, user privilege, connection relation,
etc., the model of computer network
security status space is built. The node of
attack graph expresses the network
security status, and the directed-line
expresses the attack rule. We use a
forward-search, breadth-first and depth-
limited algorithm to produce attack
route, and utilize the tools Graphviz to
generate the attack graph. The
experiment validates the prototype of
network attack graph automatic
generating tools based on security status
space.
Introduction
The rapid growth of the network
influences the economy, politics, culture
1
deeper and wider the network
applications is, the more obvious and
more complex the computer and
network’s security problems are.
Hackers and virus can find more ways to
launch attack with the development of
the network technology. The security
problem of computer network is more
complex.
As an important aspect of network
security, evaluating the computer
security through the analysis to the
computer network is very important and
could protect us form being hacked.
Vulnerability scanning is a traditional
way to conduct network security
analysis. This method can check whether
or not there are any known
vulnerabilities, for example COPS [1],
Nmap [2], Nessus [3], ISS [4], and etc.
This technique is just suitable to check
system security qualitatively partially
but cannot check a whole system. We
can’t conclude describe about the whole
target network’s security status without
thinking of the correlation of the
vulnerabilities, host, and network
topology etc.
The ways to find the complex attack
paths or list which can lead to changes of
the system status are presented by
analyzing the security model. For
example, Phillips and Swiler presented
the earliest concept of attack graph [5],
[6]. The France Scholar Dacier and
Rodolphe Ortalo developed a method
named Privilege Graph [7]. Templeton
and Levitt proposed a requires/provides
model for modeling chains of network
exploits [8]. Ramakrishnan analyzed
these Unix-based systems security using
model-checking technique [9].
In this paper, we use attack graph to
provide a view of network security
status. This article presents a method to
generate attack graph for network
security analysis based on security status
space.

Computer Network Security Status

Space

Since security analysis mainly aims

at the current computer network, it needs
a simple, flexible and complete model to
reduce complexity of system status
space. In this paper we build a model for
the network security analysis.

Computer Network Security Status

User Privilege

In actual implementation
environment of the host computer, the
system visitors can be classified
according to the capability to access the
system resource. A lot of researchers
have described on this direction [15].
This article proposes to rearrange the
visitors and so the possible privilege can
be classified according to user's roles, as
described in Table1. Assume the
possible privilege set is P={Access,
Guest, User, Supuser, Root}, pi(i=1, 2,
…5) which presents a visitor privilege.
Connection Relation between Devices
The Internet is structured based on
TCP/IP protocol family, and the current
computer networks are generally based
on this protocol. TCP/IP protocol family
includes a lot of protocols which are in
different layers. According to this
technology principle, the connections of
network devices are distributed on
different layers. Ritchery has analyzed
the host connectivity for network
security [16]. In the paper these
connection relations can be expressed as
a set, and then the connection relation
between two devices is a sub-set of this
set.
Assume the connection relations set
between host and devices is

2
Protocol= {pro1, pro2, … pron}, proi
(i=1, 2, … n ) which presents a
connection relation.
The connection relations between
hosts are represented by a triad (HSRC,
HDST, Protocols). HSRC represents the
source host. HDST represents the
destination host. Protocols are sub-sets
of connection relations sets exist
between the source host and the
destination host. When there is no
relation between the source host and the
destination host, Protocols is an empty
set. When the source host is the same as
the destination host, the connection
relation is local connection, at this time,
Protocols = {localhost}.
Vulnerability
Vulnerability is a fault caused by an
error in the design, development,
configuration, or using of software,
malicious attacker may utilize this fault
to access unauthorized system resource
and misuse, violate the security policy,
and may be produce security incident.
We use a set V={vul1, vul2, …
vulm}, vuli (i=1, 2, …,n) to represent
vulnerability, and every vulnerability is
represented by a tuple
（BID，NAME，OS，DATE）.
We use BID to represent the unique
identifier, NAME to represent the name
of the vulnerability, OS to represent the
type and version of operation system
which is affected by the vulnerability,
and DATE to represent the publish data
of the vulnerability.
System Devices
The devices in the network are the
basic elements of an information system,
for example, computers, routers,
switches and the like. We use a set
3
H={h1, h2, … hm} to represent these
devices, and hi(i=1, 2, … m) to represent
a single network device.
A host on the network is represented
by a tuple (HOSTID, OS, SVCS,
VULS). HOSTID is the unique identifier
of host on the network, it can be the IP
address or host name. OS is the type and
version of operation system. SVCS is the
list of network service types with
respective network port numbers which
describe the services on the host and the
information on service monitor ports.
VULS is the host computer vulnerability
list which may include the security bug
information of installed software.
In summary, to a system user, the
computer network should be a set which
consists of the above parts, and the SS
（ Security Status ） can be described
as：
SS= {(pl, hi), (hj, hk, protocols)}, l=0, 1
…4; i, j, k=1, 2,….m。
(pl, hi) represents the privilege pl of the
user to the host hi.
(hj, hk, protocols) represents the
connection relation between hj and hk
witch is known to the user.
Attack Process
To the attacker who attempts to
exploit the target it is a process, which
needs to be performed step by step. The
harvest of each step may be a singular
discrete event, and it presents the
escalation of user privilege or addition of
connection relation, so the above
computer network security status
change.
Basically, using a vulnerability to
attack can be seen as a map from a set of
preconditions to a set of results. So an
attack can be represented by a two-tuples
Attack_rule=(Preconditions,Postconditio
ns ), in which Preconditions is the
preconditions set, Postconditions is
corresponded results set.
The preconditions set include four
elements which is represented as
Preconditions= {Src_privilege,
Dst_privilege, Vuls, Protocols}.
Src_privilege represents the lowest
privilege class which attacker should
have on the host where the attacks are
launched. Dst_privilege represents the
highest privilege class which attacker
should have on the object host. Vuls
represents the vulnerability which the
attack rule depend on. Protocols describe
the needed connection relation between
the attack host and the object host.
The results set include three elements
which is represented as
Preconditions={Rslt_privilege,
Rslt_protocols, Rslt_vuls}.
Rslt_privilege describes the privilege
which attacker can get on object host
after an attack is successfully completed.
Rslt_protocols is the network protocols
set which is added by attacks. If the
attacked host can use the network
protocols in this set to access a host on
the network, the current attacking host
can get the ability to access this host. If
the attack rule doesn't influence the
current network connection relation,
Rslt_protocols will be an empty set.
When Rslt_ protocols={all}, this
represents that the current attacking host
can get the attacked host's total ability to
access the object network. Rslt_vuls is
the newly added vulnerability set on
attacked host after attack is successfully
implemented, and it describes the
dependent relation between
vulnerabilities.
According to the analysis above, the
attack rule can be represented as:
4
Attack_rule= ({Src_privilege,
Dst_privilege, Vuls, Protocols},
{Rslt_privilege, Rslt_protocols,
Rslt_vuls}).
After analyzing the computer network
security status and attack process, the
computer network security status space
SSP（Security Status Space） should be
represented by the following tuple:
SSP= (SS, AR)
SS=Security Space.
It represents all the available sets of
attack process.
AR=Attack Rules=(attack_rule1,
attack_rule2, …attack_rulen ).
It represents the reason of the change
security status.
Generation of Attack Graph
The Node and Edge of Attack Graph
Synthesizing the attacker's
starting point and object, host
information and network topology
information, the graph-based description
represents the threat to security of
information system, and it is called an
attack graph. According the definition of
SSP, the SSP may be used to describe
the attack graph. In this paper, we use
nodes of attack graphs to represent the
SS. When the node transfers, the SS of
attacker is changed. The directed edges
of attack graphs present the mapping
relations which change with SS.
When attack_rule=({Src_consumer,
Dst_consumer, Vul,Conn_proto},
{Rslt_consummer, Rslt_conn,
Rslt_vuls}),
the directed edge is represented as:
(Hsrc, Hdst, attack_rule).
Algorithm to Generate Attack route
 To analyze the network Experiments
security, based on the analysis of
network security incidents and attacker’s We carried out our method in the
actions, we make assumptions as sample networkthat is the same as
follows: Sheyner’s [13].

Assumption 1: The attacker has the Network Environment

powerful attack ability, namely attacker
who knows the vulnerability well in The example network is shown
system has the ability to attack these as Fig. 1. There are two hosts in the
vulnerabilities. internal network, IP1 and IP2, and the
firewall islated the internal network from
Assumption 2: The attacker is external network. The attacker’s host is
sophisticated so that he doesn’t launch IP0 in the external network. The host
an attack to get the privilege that he has information in the internal network is
possessed. shown as Table 3.
In this paper we use a forward-
search, breadth-first and depth-limited
(attack steps limited) attack route
producing algorithm to find the attack
routes, then utilize the tools Graphviz
[17] to generate attack graph. The attack
route producing algorithm is described
as following:
(1) From the initial network state, it
finds all network states the attacker
could get directly, and add these network
states into State queue.
(2) It chooses a state from State
queue as Cur state, and finds all network
states which could be got directly from
Cur state as New states. If a state is new,
then it would be added into State queue.
(3) When the State queue is not
empty, it would return to (2). If the State
queue is empty, the algorithm finishes.
When each attack depends on the
previous attack on attack route, the
attack route is called minimal attack
route. Contrast to the method that has
been previous used [13], our method can
directly find all minimal attack route. At
the same time, in attacker's point of The firewall allows the ftp and the ssh
view, breadth-search guarantees to find packets to communicate with the host
all of the attack routes. IP1 to enter the internal network, and
allows ftp packets to communicate with

5
the host IP2 to enter the internal
network, but interdicts other packets. In
the internal network, connection relation
won't be controlled by firewall, so it can
be assumed that the internal host can
make connection with any remote server.
The connection relation with each other
is described as the following Table 4.

Experiments Results Contrast

In this experiment, the attacker

will attack the internal network using
host IP0, and the attacker has the highest
privilege of ROOT on IP0, However, on
the other host he just has the lowest
privilege of ACCESS. The attack object
is that obtaining the privilege of ROOT
on IP2 according to the Sheyner’s [13].
After implementing the attack graph
generate tools, the attack graphs we got
are shown as Fig. 2 and Fig. 3. Fig. 2 is
the result of Sheyner’s and Fig. 3 is our
result.
Contrasting the result of Sheyner [13],
our attack graph with attack object is
simpler. There are three reasons:
Sheyner takes the IDS as a network
element, so the space of his model is
lager than ours.
Sheyner doesn’t consider that the
attacker is sophisticated and the attacker
doesn’t launch an attack to get the
privilege that he have possessed, so the
model checking tool used by Sheyner
also can’t resolve this condition, so that
the attack graph generated have much
redundancy.
The execution efficiency of the tools
modified NuSMV is lower, so the speed
of attack graph generating is slower.

The attack graph with limited attack

steps

6
 To investigate the size of the
attack graph with different attack steps
limited, in this paper, we conduct an
experiment in a network environment
that includes ten hosts, and sixteen
vulnerabilities on the different host. We
assume that the attacker could only
access two network services in the
network. At last, we get the relationship
between the number of the nodes and the
attack steps as shown in Fig. 4, the
relationship between the number of the
edges and the attack steps as shown in
Fig. 5, and the relationship between the
number of the new capability to access
network and the attack steps as shown in
Fig. 6.

7
In the Fig. 4 and the Fig. 5, the number
of the nodes and the number of the edges
increase when the attack step increases.
In the Fig. 6, we can see that the number
of the new capability to access network
increase rapidly in the beginning, but
keeps steady subsequently as the attack
steps increase. At present the size of the
attack graph will be tremendous when
the network is lager [12]. From the Fig.
4, the Fig.5, and Fig. 6, when we limit
the attack steps in an acceptable scale,
although the generated attack graph will
not be complete, we could assure to get
all of the new capability to access the
network. And when the size of the attack
graph is larger, the probability of the
attack arrives at the last nodes becomes
less. So the acceptable attack steps could
[1] Computer Oracle and
Password System
(COPS).ftp.cert.org/pub/tools/co
ps.
[2] NMAP.
http://www.insecure.org/nmap/in
dex.html,
2005.
[3] Nessus.
http://www.nessus.org/, 2005.
[4] ISS. http://www.iss.com/,
2005.
limit the size of the attack graph, and we
could use the attack graph to analyze
larger network.
Conclusion
The tools to generate attack
graph based on security status space for
network security analysis are designed
and implemented, and the experiment
indicates the method is usable and
effective. Many related research should
be done in the future, the results from
network scan tools should be used in the
tools. The generating algorithm should
be optimized and the method to analyze
attack graph should be further studied.
References
[5] C.A.Phillips and L.P.Swiler,
“A graph-based system for
Network vulnerability analysis”,
In New Security Paradigms
Workshop, 1998, pp. 71-79.
[6] R.Ritchey and P.Ammann,
“Using model checking to
analyze network vulnerabilities”,
In Proceedings of the IEEE
Symposium on Security and
Privacy, MAY 2001, pp 156-165.