Behind the scenes of attack graphs: Vulnerable network generator for in-depth experimental evaluation of attack graph scalability

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-06-28 DOI:10.1016/j.cose.2025.104576

Alessandro Palma, Silvia Bonomi

{"title":"Behind the scenes of attack graphs: Vulnerable network generator for in-depth experimental evaluation of attack graph scalability","authors":"Alessandro Palma, Silvia Bonomi","doi":"10.1016/j.cose.2025.104576","DOIUrl":null,"url":null,"abstract":"<div><div>An Attack Graph represents potential paths for attackers to compromise a computer network and security analysts use it to pinpoint vulnerable areas for cyber risk assessment. Due to their combinatorial complexity, designing scalable algorithms for generating these graphs without sacrificing their accuracy remains a challenge. Previous research focused on improving scalability, but evaluations often overlooked key parameters beyond network size, thus raising the natural question of their application in real-world settings. One of the main causes is the lack of data that the cybersecurity community faces in different areas, and cyber risk assessment in particular. To address this problem and support the comprehensive evaluation of attack graph algorithms, we introduce a dataset generator of vulnerable networks, which includes realistic reachability graphs and vulnerability inventories. This enables the design of an analytical framework to assess attack graph scalability comprehensively, considering diverse network and vulnerability dimensions. According to the proposed framework, we perform an in-depth experimental evaluation of the time and space complexities of attack graphs, offering novel insights into the critical parameters affecting them, and we extensively discuss how they inform and benefit future approaches.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104576"},"PeriodicalIF":5.4000,"publicationDate":"2025-06-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002652","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

An Attack Graph represents potential paths for attackers to compromise a computer network and security analysts use it to pinpoint vulnerable areas for cyber risk assessment. Due to their combinatorial complexity, designing scalable algorithms for generating these graphs without sacrificing their accuracy remains a challenge. Previous research focused on improving scalability, but evaluations often overlooked key parameters beyond network size, thus raising the natural question of their application in real-world settings. One of the main causes is the lack of data that the cybersecurity community faces in different areas, and cyber risk assessment in particular. To address this problem and support the comprehensive evaluation of attack graph algorithms, we introduce a dataset generator of vulnerable networks, which includes realistic reachability graphs and vulnerability inventories. This enables the design of an analytical framework to assess attack graph scalability comprehensively, considering diverse network and vulnerability dimensions. According to the proposed framework, we perform an in-depth experimental evaluation of the time and space complexities of attack graphs, offering novel insights into the critical parameters affecting them, and we extensively discuss how they inform and benefit future approaches.

查看原文本刊更多论文

攻击图的幕后：脆弱网络生成器，用于深入实验评估攻击图的可扩展性

攻击图表示攻击者破坏计算机网络的潜在路径，安全分析师使用它来确定易受攻击的区域，以进行网络风险评估。由于它们的组合复杂性，设计可扩展的算法来生成这些图而不牺牲它们的准确性仍然是一个挑战。以前的研究集中在提高可伸缩性上，但是评估往往忽略了网络大小以外的关键参数，从而提出了它们在现实环境中的应用的自然问题。其中一个主要原因是网络安全社区在不同领域面临的数据缺乏，特别是网络风险评估。为了解决这一问题并支持攻击图算法的综合评估，我们引入了一个脆弱网络的数据集生成器，其中包括现实的可达性图和漏洞清单。这使得分析框架的设计能够全面评估攻击图的可扩展性，考虑不同的网络和漏洞维度。根据提出的框架，我们对攻击图的时间和空间复杂性进行了深入的实验评估，对影响它们的关键参数提供了新的见解，并广泛讨论了它们如何通知和促进未来的方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.