Cost-Aware Network Immunization Framework for Intrusion Prevention

Marjan Keramati, Computer Engineering Department, Iran University of Science and Technology, Tehran, Iran, Marjan_keramati@comp.iust.ac.ir
Hassan Asgharian, Computer Engineering Department, Iran University of Science and Technology, Tehran, Iran, asgharian@iust.ac.ir
Ahmad Akbari, Computer Engineering Department, Iran University of Science and Technology, Tehran, Iran, Akbari@iust.ac.ir

Abstract— In this paper, a cost-aware framework for intrusion prevention is presented. The inputs of this framework are the attack graph of the specified network and its important assets (the targets of the attacker). We define some graph-based security metrics and aggregate their effects to prioritize attack scenarios. The scenarios are ordered based on the attacker's knowledge, the attacker's endurance, the scenario's ease of exploitability and the impact of the attack scenario. The impact and exploitability of each attack scenario are computed from the extracted CVSS values. Based on the output of the prioritizing algorithm, some of the most important scenarios are selected for elimination. A subset of the initial conditions and vulnerabilities of the selected scenarios is carefully chosen to harden the network at the lowest possible cost in terms of time and removal costs. For evaluating our framework, we also present a risk factor: the likelihood of the attack path multiplied by its impact on the security factors (confidentiality, integrity and availability). The result of applying our framework to one well-known network example is presented to show its performance.

Keywords— attack graph, network hardening, network immunization, vulnerability, attack scenario, security metrics

I. INTRODUCTION

With the growth of computer networks in all topics related to information technology (e.g. commercial systems) in recent years, security has become one of the vital subjects for computer networks and one of the crucial requirements of any reliable network. A well-known approach to securing a computer network is based on its known vulnerabilities. Therefore, identifying the possible attacks and using acceptable countermeasures to remove them or reduce their likelihood is important. In order to identify a possible attack, its causes need to be recognized. The main factor behind network attacks is the existence of vulnerabilities in systems, services and configurations. In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. A vulnerability is the intersection of three elements: (1) a system susceptibility, weakness or flaw, (2) attacker access to the flaw, and (3) attacker capability to exploit the flaw [1]. By exploiting the vulnerability, the attacker improves his access level on the desired asset in the network. There are many vulnerability scanners, like Nessus [13] and NMAP [12], which have the capability of identifying the separate vulnerabilities of the existing elements of the network, but these tools do not present any information about the relationships between these vulnerabilities [1, 5, 6]. For this reason they cannot identify multi-stage attacks, and attackers can infiltrate a seemingly well-guarded network using multi-stage attacks that exploit sequences of related vulnerabilities [1]. Therefore, in addition to identifying the existing vulnerabilities in the computer network, it is necessary to extract the relationships between the vulnerabilities, and for this a security model is needed that captures the relationships between the known vulnerabilities. Attack graphs, in all their different forms, are one such kind of tool, with the capability to specify the interaction and relation of vulnerabilities [1-6].
In other words, an attack graph specifies the attack paths (multi-stage attacks) and the causes of exploiting each single vulnerability in each attack path. Therefore, attack graphs can reveal all possible potential threats and measure the security risk of crucial resources in the vulnerable network, and for this reason we use them as the security model in this paper. By analyzing the attack graph as a security model of the network, it is possible to extract the sequence of vulnerabilities that results in an attack. In other words, we can identify the causes of multi-stage attacks in the specified network by attack graph analysis and perform some prevention tasks for complete attack removal or for reducing their likelihood. Resolving the vulnerabilities related to each attack path is one of the solutions that can be used for this problem. However, there is a direct mapping between vulnerabilities and the associated costs of their removal that should be considered, because some of these costs can be unacceptable in some systems. For instance, the solution for removing an attack (e.g. an attack on a file server via ftp vulnerabilities) can be stopping its related service (e.g. the ftp service), which is completely unacceptable because this solution directly affects the availability of the system. On the other hand, removing all vulnerabilities is impossible because security patches do not exist for all known vulnerabilities [1, 8].

2011 International Conference on Computer Applications and Industrial Electronics (ICCAIE 2011) 978-1-4577-2059-8/11/$26.00 ©2011 IEEE 639
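The workflow that the abstract and introduction describe (attack paths extracted from an attack graph, a risk factor of likelihood multiplied by impact, and a cost-aware choice of which initial conditions or vulnerabilities to remove so that the highest-risk paths are broken), shown as an added Python example. It is not the paper's own code or its exact algorithm: the hosts, vulnerability names, CVSS-like exploitability and impact scores and removal costs are all constructed for illustration, each exploit is simplified to a single precondition, the attacker-knowledge and endurance metrics are left out, and path likelihood is taken as the product of the scaled exploitability scores along the path.

```python
"""Added worked example (not code from the paper): a toy attack graph, attack-path
enumeration, a likelihood-times-impact risk factor per path, and a lowest-cost
choice of initial conditions / vulnerabilities to remove so that the highest-risk
paths are broken. All hosts, vulnerabilities, scores and costs are constructed."""
from itertools import combinations

# Constructed exploits: name -> (precondition, postcondition, exploitability,
# impact, removal cost). Exploitability/impact are CVSS-like 0..10 scores that
# we invented; removal cost is an assumed relative effort (patch, reconfigure).
EXPLOITS = {
    "ftp_rhost": ("net_access_ftp", "user_fileserver", 8.0, 6.0, 2),
    "local_bof": ("user_fileserver", "root_fileserver", 4.0, 10.0, 1),
    "sshd_bof": ("net_access_ssh", "root_fileserver", 10.0, 10.0, 3),
    # no patch for a trust relationship: its "removal" is re-architecting, hence costly
    "trust_rsh": ("root_fileserver", "root_db", 8.0, 10.0, 7),
    "web_rce": ("net_access_web", "user_webserver", 8.0, 6.0, 5),
    "web_to_db": ("user_webserver", "root_db", 5.0, 9.0, 4),
}

# Initial conditions the attacker starts with, and the assumed cost of removing
# each (e.g. blocking the service at the firewall, which also hurts availability).
INITIAL = {"net_access_ftp": 4, "net_access_ssh": 4, "net_access_web": 6}
TARGET = "root_db"  # the important asset (attacker's target)


def attack_paths(exploits=EXPLOITS, initial=INITIAL, target=TARGET):
    """Enumerate simple attack paths (tuples of exploit names) from any initial
    condition to the target. Each exploit has a single precondition, so the
    enumeration is a plain depth-first search over conditions."""
    by_pre = {}
    for name, (pre, _post, *_rest) in exploits.items():
        by_pre.setdefault(pre, []).append(name)
    paths = []

    def dfs(cond, path, seen):
        if cond == target:
            paths.append(tuple(path))
            return
        for name in sorted(by_pre.get(cond, [])):
            post = exploits[name][1]
            if post not in seen:  # avoid cycles
                dfs(post, path + [name], seen | {post})

    for cond in sorted(initial):
        dfs(cond, [], {cond})
    return paths


def path_risk(path, exploits=EXPLOITS):
    """Risk factor = likelihood x impact. Likelihood is the product of the
    per-exploit exploitability scores scaled to 0..1; impact is the impact
    score of the final exploit, the one that compromises the target asset.
    This is our reading of the paper's factor, not its exact formula."""
    likelihood = 1.0
    for name in path:
        likelihood *= exploits[name][2] / 10.0
    impact = exploits[path[-1]][3]
    return likelihood * impact


def ranked_paths(exploits=EXPLOITS, initial=INITIAL, target=TARGET):
    """Attack paths ordered from highest to lowest risk factor."""
    paths = attack_paths(exploits, initial, target)
    return sorted(paths, key=lambda p: path_risk(p, exploits), reverse=True)


def min_cost_hardening(paths, exploits=EXPLOITS, initial=INITIAL):
    """Cheapest set of removable items (initial conditions or vulnerabilities)
    that breaks every given path, with its total cost. Exhaustive search over
    subsets is fine for a toy graph; a real graph needs a hitting-set heuristic."""
    costs = dict(initial)
    costs.update({name: e[4] for name, e in exploits.items()})
    items = sorted(costs)

    def breaks(chosen, path):
        first_condition = exploits[path[0]][0]
        return first_condition in chosen or any(n in chosen for n in path)

    best, best_cost = None, float("inf")
    for size in range(1, len(items) + 1):
        for chosen in combinations(items, size):
            cost = sum(costs[i] for i in chosen)
            if cost < best_cost and all(breaks(chosen, p) for p in paths):
                best, best_cost = set(chosen), cost
    return best, best_cost


if __name__ == "__main__":
    ranked = ranked_paths()
    for p in ranked:
        print(f"{path_risk(p):5.2f}  {' -> '.join(p)}")
    print("cut top 2 paths:", min_cost_hardening(ranked[:2]))
    print("cut all paths:  ", min_cost_hardening(ranked))
```

On the constructed data the ranking places the direct sshd path first; breaking the two highest-risk paths costs less by patching two vulnerabilities than by blocking the services they need, which is the trade-off the introduction makes against simply stopping the ftp service.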