Title :
A Heuristic Method of Attack Graph Analysis for Network Security Hardening
Author :
Zhao Chao ; Wang Huiqiang ; Guo Fangfang ; Zhou Mo ; Zhang Yushu
Author_Institution :
Coll. of Comput. Sci. & Technol, Harbin Eng. Univ., Harbin, China
Abstract :
Traditional vulnerability scan tools cannot show the associations among vulnerabilities, and thus security administrators have difficulty comprehensively understanding the risks in networks according to the vulnerability sources. With the number of vulnerabilities growing rapidly, repairing all vulnerabilities is costly. In order to mitigate this problem, we propose a method using attack graph analysis, which provides network security hardening strategies in a cost-effective way. For this purpose, we construct attack graphs by software, and analyze the potential risks in networks by preprocessing them. Further, we calculate low-cost network security hardening strategies via modified ant-colony optimization. In case the algorithm falls into local optima, a node-hidden mechanism with the highest selected probability is introduced. We have evaluated the performance of the proposed algorithm by simulations. The experimental results show that this method achieves scalability and significantly reduces the cost of network security hardening strategies in an acceptable running time.
Keywords :
ant colony optimisation; graph theory; security of data; attack graph analysis; heuristic method; modified ant colony optimization; network security hardening strategy; node-hidden mechanism; risk analysis; vulnerabilities source; vulnerability scan tools; Algorithm design and analysis; Communication networks; Computers; Educational institutions; Maintenance engineering; Optimization; Security; ant colony optimization; attack graph; network security hardening; vulnerability;
Conference_Title :
Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2014 International Conference on
Conference_Location :
Shanghai
Print_ISBN :
978-1-4799-6235-8
DOI :
10.1109/CyberC.2014.18