Efficient Attack Graph Analysis through Approximate Inference
Luis Muñoz-González, Daniele Sgandurra, Andrea Paudice, Emil C. Lupu

TL;DR
This paper demonstrates that Loopy Belief Propagation, an approximate inference method, can efficiently analyze large attack graphs for cybersecurity risk assessment, providing scalable and accurate static and dynamic analysis.
Contribution
It introduces the application of Loopy Belief Propagation to attack graphs, enabling linear scaling for static and dynamic security risk analysis.
Findings
Loopy Belief Propagation scales linearly with network size.
Approximate inference achieves acceptable accuracy.
Parallel and sequential algorithms outperform exact inference in large graphs.
Abstract
Attack graphs provide compact representations of the attack paths that an attacker can follow to compromise network resources by analysing network vulnerabilities and topology. These representations are a powerful tool for security risk assessment. Bayesian inference on attack graphs enables the estimation of the risk of compromise to the system's components given their vulnerabilities and interconnections, and accounts for multi-step attacks spreading through the system. Whilst static analysis considers the risk posture at rest, dynamic analysis also accounts for evidence of compromise, e.g. from SIEM software or forensic investigation. However, in this context, exact Bayesian inference techniques do not scale well. In this paper we show how Loopy Belief Propagation - an approximate inference technique - can be applied to attack graphs, and that it scales linearly in the number of…
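The static and dynamic analysis described in the abstract, as an added example that is not code from the paper: Loopy Belief Propagation on a four-node attack graph, next to brute-force exact inference for comparison. The graph, its probabilities, the noisy-OR conditional probability model and all function names are assumptions made for illustration.

```python
import itertools
import numpy as np

# Constructed attack graph (assumption): node -> {parent: exploit success probability}
GRAPH = {"web": {}, "app": {"web": 0.8}, "vpn": {"web": 0.5}, "db": {"app": 0.6, "vpn": 0.7}}
PRIOR = {"web": 0.7}  # entry point's prior probability of compromise (assumption)

def factors(evidence):
    """One noisy-OR CPT per node over (parents..., node), plus evidence indicators."""
    fs = []
    for n, par in GRAPH.items():
        t = np.zeros((2,) * (len(par) + 1))
        for st in itertools.product((0, 1), repeat=len(par)):
            p = 1 - np.prod([1 - q for s, q in zip(st, par.values()) if s])
            t[st] = [1 - p, p] if par else [1 - PRIOR[n], PRIOR[n]]
        fs.append((list(par) + [n], t))
    return fs + [([n], np.eye(2)[v]) for n, v in evidence.items()]

def loopy_bp(evidence=None, iters=50):
    """Sum-product on the cyclic factor graph; returns approximate P(compromised)."""
    fs = factors(evidence or {})
    edges = [(v, i) for i, (sc, _) in enumerate(fs) for v in sc]
    v2f, f2v = ({e: np.ones(2) for e in edges} for _ in range(2))  # var->factor, factor->var
    for _ in range(iters):
        for i, (sc, t) in enumerate(fs):
            for k, v in enumerate(sc):
                m = t
                for j, u in enumerate(sc):  # fold in messages from the other variables
                    if j != k:
                        m = m * v2f[(u, i)].reshape([2 if a == j else 1 for a in range(t.ndim)])
                m = m.sum(axis=tuple(a for a in range(t.ndim) if a != k))
                f2v[(v, i)] = m / m.sum()
        for v, i in edges:
            m = np.prod([f2v[e] for e in edges if e[0] == v and e[1] != i] + [np.ones(2)], axis=0)
            v2f[(v, i)] = m / m.sum()
    b = {n: np.prod([f2v[e] for e in edges if e[0] == n], axis=0) for n in GRAPH}
    return {n: float(x[1] / x.sum()) for n, x in b.items()}

def exact(evidence=None):
    """Brute-force enumeration of the joint: exponential in the number of nodes."""
    fs, names = factors(evidence or {}), list(GRAPH)
    tot, z = dict.fromkeys(names, 0.0), 0.0
    for st in itertools.product((0, 1), repeat=len(names)):
        a = dict(zip(names, st))
        w = np.prod([t[tuple(a[v] for v in sc)] for sc, t in fs])
        z += w
        tot = {n: tot[n] + w * a[n] for n in names}
    return {n: float(tot[n] / z) for n in names}
if __name__ == "__main__":  # static analysis, then dynamic analysis with db observed compromised
    print(loopy_bp(), exact(), loopy_bp({"db": 1}), exact({"db": 1}), sep="\n")
```

On this constructed graph the static estimate for `db` differs from the exact marginal because message passing treats `app` and `vpn` as independent, although both depend on `web`.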
