
Improving Attack Graph Scalability for the Cloud Through SDN-Based Decomposition and Parallel Processing

  • Conference paper
  • Ubiquitous Networking (UNet 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10542)

Abstract

Cloud computing is a rapidly evolving research area, and security, one of its most demanded properties, is hard to assess for large networked systems. Automated security assessment relies on an Attack Representation Model (ARM), such as an Attack Graph (AG) or Attack Tree, to represent and analyze multi-host, multi-stage attacks. To make AG analysis tractable for large-scale networked systems, our framework uses Software-Defined Networking (SDN) to build a detailed and dynamic picture of the network configuration and of each host's access control list. Combined with machine configuration information, this lets the framework partition the virtual machines into loosely connected sub-groups and analyze them in parallel. Experimental validation on a real networked system shows the performance improvement over the MulVAL network security analyzer.
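As an added example (not the paper's code), the following Python sketches the decomposition-and-parallel-analysis idea the abstract describes. It assumes a table of permitted flows of the kind an SDN controller's ACLs would yield and a per-VM exploitability map of the kind a vulnerability scanner would produce; both are constructed here, and every identifier (ALLOWED_FLOWS, VM_CONFIG, connected_subgroups, analyse_subgroup, and so on) is hypothetical. A toy per-group reachability analysis stands in for MulVAL. It also checks the caveat a practitioner would want: the union of per-group results equals the whole-network result only when no permitted flow crosses a group boundary, which cross_group_flows reports.

```python
from collections import defaultdict, deque
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for the permitted flows an SDN controller's ACLs would
# yield: (src_vm, dst_vm, dst_port). "internet" is the attacker's vantage point.
ALLOWED_FLOWS = [
    ("internet", "web1", 80),
    ("web1", "app1", 8080),
    ("app1", "db1", 3306),
    ("internet", "web2", 443),
    ("web2", "app2", 8080),
    ("app2", "db2", 5432),
    ("mgmt", "db2", 22),
]

# Constructed per-VM configuration: listening port -> True if the service
# version is remotely exploitable (in practice this comes from a scanner).
VM_CONFIG = {
    "web1": {80: True},
    "app1": {8080: True},
    "db1": {3306: False},
    "web2": {443: False},
    "app2": {8080: True},
    "db2": {5432: True, 22: False},
    "mgmt": {},
}

ATTACKER = "internet"


def build_graph(flows):
    """Return (directed, undirected) adjacency: directed src -> {(dst, port)}
    drives the attack analysis; the undirected view drives the decomposition."""
    directed, undirected = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        directed[src].add((dst, port))
        undirected[src].add(dst)
        undirected[dst].add(src)
    return directed, undirected


def connected_subgroups(undirected, ignore=(ATTACKER,)):
    """Weakly connected components of the VM graph. The shared attacker node is
    ignored so tenants reachable only via the Internet stay in separate groups."""
    seen, groups = set(ignore), []
    for start in sorted(undirected):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            v = stack.pop()
            if v in seen:
                continue
            seen.add(v)
            comp.add(v)
            stack.extend(n for n in undirected[v] if n not in seen)
        groups.append(frozenset(comp))
    return groups


def cross_group_flows(groups, flows, ignore=(ATTACKER,)):
    """Flows whose endpoints fall in different groups. Empty for a pure
    component decomposition; non-empty for a k-way partition, in which case
    these boundary flows must be exchanged between the per-group analyses."""
    owner = {vm: i for i, g in enumerate(groups) for vm in g}
    return [f for f in flows
            if f[0] not in ignore and owner.get(f[0]) != owner.get(f[1])]


def analyse_subgroup(group, directed, config, entry=ATTACKER):
    """Stand-in for running the analyzer (e.g. MulVAL) on one sub-group: BFS
    from the entry point over permitted flows, advancing only through hosts
    whose targeted service is exploitable. Returns the compromisable VMs."""
    compromised, queue = set(), deque([entry])
    while queue:
        v = queue.popleft()
        for dst, port in directed.get(v, ()):
            if dst in group and dst not in compromised \
                    and config[dst].get(port, False):
                compromised.add(dst)
                queue.append(dst)
    return compromised


def parallel_analysis(flows, config, workers=4):
    """Decompose, then analyse every sub-group concurrently."""
    directed, undirected = build_graph(flows)
    groups = connected_subgroups(undirected)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda g: analyse_subgroup(g, directed, config), groups)
        return dict(zip(groups, results))


def monolithic_analysis(flows, config):
    """Whole-network analysis used to check the decomposition loses nothing."""
    directed, _ = build_graph(flows)
    return analyse_subgroup(frozenset(config), directed, config)


if __name__ == "__main__":
    per_group = parallel_analysis(ALLOWED_FLOWS, VM_CONFIG)
    for group, hit in per_group.items():
        print(sorted(group), "->", sorted(hit))
    assert set().union(*per_group.values()) == monolithic_analysis(ALLOWED_FLOWS, VM_CONFIG)
```

With the constructed input the two tenant sub-groups have no flow between them, so each can be analysed independently; the second group contains an exploitable database but no exploitable path from the Internet, which the per-group run correctly reports as empty. Swapping components for a k-way partition (to bound group size) makes cross_group_flows non-empty, and then per-group results are only sound if the facts derived for boundary hosts are fed across the cut.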



Author information

Corresponding author: Oussama Mjihil


Copyright information

© 2017 Springer International Publishing AG

About this paper


Cite this paper

Mjihil, O., Huang, D., Haqiq, A. (2017). Improving Attack Graph Scalability for the Cloud Through SDN-Based Decomposition and Parallel Processing. In: Sabir, E., García Armada, A., Ghogho, M., Debbah, M. (eds) Ubiquitous Networking. UNet 2017. Lecture Notes in Computer Science, vol 10542. Springer, Cham. https://doi.org/10.1007/978-3-319-68179-5_17


  • DOI: https://doi.org/10.1007/978-3-319-68179-5_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68178-8

  • Online ISBN: 978-3-319-68179-5
