A real-time automated attack-defense graph generation approach

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2025-10-15 DOI:10.1016/j.jisa.2025.104266

Kéren A. Saint-Hilaire , Christopher Neal , Frédéric Cuppens , Nora Boulahia-Cuppens , Francesca Bassi , Makhlouf Hadji

{"title":"A real-time automated attack-defense graph generation approach","authors":"Kéren A. Saint-Hilaire , Christopher Neal , Frédéric Cuppens , Nora Boulahia-Cuppens , Francesca Bassi , Makhlouf Hadji","doi":"10.1016/j.jisa.2025.104266","DOIUrl":null,"url":null,"abstract":"<div><div>With the increase in cyberattacks, developing appropriate strategies to mitigate and prevent them is essential. In the literature, tools exist that either help prevent or mitigate them. Attack graphs help define mitigation strategies because they help represent and visualize the attacker’s position on a system. However, the mitigation actions are not instantiated on the attack graph. This paper proposes an approach to generate an automated attack-defense graph based on real-time monitored system alerts and an extensive and comprehensive state-of-the-art review. We propose to enrich logical attack graphs generated by a logical reasoner. The enrichment process is possible thanks to a vulnerability ontology that infers additional impacts for an exploited vulnerability. We propose a countermeasure selection approach based on graph matching to generate an optimal Incident Response (IR) playbook. We propose instantiating the generated playbook’s IR actions to get an attack-defense graph in real-time. This instantiation is done thanks to anti-correlation. The anti-correlation ensures that the countermeasures are instantiated on the appropriate attack graph nodes. Only the IR actions whose execution can be launched automatically are applied. We validate our approach using two use-case scenarios that target critical industrial infrastructures. We analyze the countermeasures instantiated on the attack graphs for the scenarios that can achieve the attack goal. We evaluated the approach concerning the security relevance of instantiated countermeasures in attack graphs for several attack paths. The countermeasures instantiated on a node are always relevant to the attacker’s action represented by this node. We also evaluate the approach regarding time performance, considering several situations for the use-case scenarios. The generation time depends on the number of vulnerabilities involved in the scenario. The generation time is on average 0.161 s when the playbook has been generated before the attack defense graph generation process.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"94 ","pages":"Article 104266"},"PeriodicalIF":3.7000,"publicationDate":"2025-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625003035","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

With the increase in cyberattacks, developing appropriate strategies to mitigate and prevent them is essential. In the literature, tools exist that either help prevent or mitigate them. Attack graphs help define mitigation strategies because they help represent and visualize the attacker’s position on a system. However, the mitigation actions are not instantiated on the attack graph. This paper proposes an approach to generate an automated attack-defense graph based on real-time monitored system alerts and an extensive and comprehensive state-of-the-art review. We propose to enrich logical attack graphs generated by a logical reasoner. The enrichment process is possible thanks to a vulnerability ontology that infers additional impacts for an exploited vulnerability. We propose a countermeasure selection approach based on graph matching to generate an optimal Incident Response (IR) playbook. We propose instantiating the generated playbook’s IR actions to get an attack-defense graph in real-time. This instantiation is done thanks to anti-correlation. The anti-correlation ensures that the countermeasures are instantiated on the appropriate attack graph nodes. Only the IR actions whose execution can be launched automatically are applied. We validate our approach using two use-case scenarios that target critical industrial infrastructures. We analyze the countermeasures instantiated on the attack graphs for the scenarios that can achieve the attack goal. We evaluated the approach concerning the security relevance of instantiated countermeasures in attack graphs for several attack paths. The countermeasures instantiated on a node are always relevant to the attacker’s action represented by this node. We also evaluate the approach regarding time performance, considering several situations for the use-case scenarios. The generation time depends on the number of vulnerabilities involved in the scenario. The generation time is on average 0.161 s when the playbook has been generated before the attack defense graph generation process.

查看原文本刊更多论文

一种实时自动攻击防御图生成方法

随着网络攻击的增加，制定适当的策略来减轻和预防它们至关重要。在文献中，存在帮助预防或减轻它们的工具。攻击图有助于定义缓解策略，因为它们有助于表示和可视化攻击者在系统中的位置。但是，缓解操作没有在攻击图上实例化。本文提出了一种基于实时监控系统警报和广泛而全面的最新技术审查来生成自动攻击防御图的方法。我们提出丰富由逻辑推理器生成的逻辑攻击图。由于漏洞本体可以推断出被利用漏洞的额外影响，因此丰富过程成为可能。我们提出了一种基于图匹配的对策选择方法来生成最优事件响应（IR）剧本。我们建议实例化生成的剧本的IR动作，以实时获得攻击防御图。这个实例化是通过反相关实现的。反相关性确保在适当的攻击图节点上实例化对策。只有可以自动启动的IR操作才会被应用。我们使用两个针对关键工业基础设施的用例场景来验证我们的方法。我们分析了在攻击图上实例化的能够达到攻击目标的对策。我们评估了几种攻击路径的攻击图中实例化对策的安全相关性方法。在节点上实例化的对策总是与该节点所表示的攻击者的行为相关。我们还评估了关于时间性能的方法，考虑了用例场景的几种情况。生成时间取决于场景中涉及的漏洞数量。在攻击防御图生成之前，剧本已经生成，生成时间平均为0.161 s。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.