# Extending Attack Graphs to Represent Cyber-Attacks in Communication   Protocols and Modern IT Networks

**Authors:** Orly Stan, Ron Bitton, Michal Ezrets, Moran Dadon, Masaki Inokuchi,, Yoshinobu Ohta, Yoshiyuki Yamada, Tomohiko Yagyu, Yuval Elovici, Asaf Shabtai

arXiv: 1906.09786 · 2019-06-25

## TL;DR

This paper enhances attack graph modeling by extending MulVAL to include network protocol vulnerabilities, wireless communication, and industrial architectures, enabling comprehensive cyber-attack analysis on modern networks.

## Contribution

It introduces an extended MulVAL model supporting protocol vulnerabilities, wireless, and industrial communication, improving attack representation in diverse network environments.

## Key findings

- Successfully modeled attacks like spoofing, MITM, and DoS.
- Demonstrated the extended model on a mixed IT and industrial testbed.
- Enhanced attack graph coverage for modern communication protocols.

## Abstract

An attack graph is a method used to enumerate the possible paths that an attacker can execute in the organization network. MulVAL is a known open-source framework used to automatically generate attack graphs. MulVAL's default modeling has two main shortcomings. First, it lacks the representation of network protocol vulnerabilities, and thus it cannot be used to model common network attacks such as ARP poisoning, DNS spoofing, and SYN flooding. Second, it does not support advanced types of communication such as wireless and bus communication, and thus it cannot be used to model cyber-attacks on networks that include IoT devices or industrial components. In this paper, we present an extended network security model for MulVAL that: (1) considers the physical network topology, (2) supports short-range communication protocols (e.g., Bluetooth), (3) models vulnerabilities in the design of network protocols, and (4) models specific industrial communication architectures. Using the proposed extensions, we were able to model multiple attack techniques including: spoofing, man-in-the-middle, and denial of service, as well as attacks on advanced types of communication. We demonstrate the proposed model on a testbed implementing a simplified network architecture comprised of both IT and industrial components.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1906.09786/full.md

## Figures

32 figures with captions in the complete paper: https://tomesphere.com/paper/1906.09786/full.md

## References

27 references — full list in the complete paper: https://tomesphere.com/paper/1906.09786/full.md

---
Source: https://tomesphere.com/paper/1906.09786