Empirical analysis of attack graphs for mitigating critical paths and vulnerabilities

The proliferated complexity of network size together with the expeditious development of software applications and their numerous vulnerabilities, security hardening is becoming a considerable challenge for security experts. Although various techniques were already present till date for security analysis, the majority of works focused on individual vulnerability analysis. Attackers do not necessarily compromise a single vulnerability on only one machine, but they can continue exploiting other vulnerabilities by using the resources of the compromised machine. Individual vulnerability analysis may not work well in such situations. This paper bridges the gap between chained vulnerabilities and their analysis. In this work, we have developed a methodology to prioritize individual vulnerability as well as attack paths. The existing CVSS score based scheme has been modified to calculate risk score of individual vulnerability considering all three metrics i.e. base metrics, temporal metrics and environmental metrics of CVSS in conjunction. Finally, Page rank model was used to prioritize attack paths. The results were verified by applying Markov model also. The results also show that the proposed methodology outperforms existing techniques in terms of risk analysis.