Design Procedure of Knowledge Base for Practical Attack Graph Generation

Cyber security assessment is an essential activity for understanding the security risks in an enterprise environment. While many tools have been developed in order to evaluate the security risks for individual hosts, it is still a challenge to identify multi-hop cyber security risks in a large-scale environment. An attack graph, which provides a comprehensive view of attacks, assists in identifying high-risk attack paths and efficiently deploying countermeasures. Several frameworks which generate an attack graph from system information and knowledge base have also been developed in the past. Although these tools are widely adopted, their expression capabilities are insufficient. The expansion of knowledge base is needed to handle comprehensive attack scenario. In this research, we developed an attack graph generation system by extending the MulVAL framework which is widely adopted due to its high extensibility. We designed and implemented knowledge base (also known as "interaction rules" in the MulVAL framework) for practical attack graph generation. A structured design procedure is necessary to construct a knowledge base that enables comprehensive analysis, which is highly important for actual risk assessment. We describe the design procedure, design considerations and implementation of our rule set. Additionally, we demonstrate the improvement to the generated attack graph by the implemented rules in a case study.