Employing attack graphs for intrusion detection

Frank Capobianco, Rahul George, Kaiming Huang, Trent Jaeger, Srikanth Krishnamurthy, Zhiyun Qian, Mathias Payer, Paul Yu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Scopus citations


Intrusion detection systems are a commonly deployed defense that examines network traffic, host operations, or both to detect attacks. However, more attacks bypass IDS defenses each year, and with the sophistication of attacks increasing as well, we must examine new perspectives for intrusion detection. Current intrusion detection systems focus on known attacks and/or vulnerabilities, limiting their ability to identify new attacks, and lack the visibility into all system components necessary to confirm attacks accurately, particularly programs. To change the landscape of intrusion detection, we propose that future IDSs track how attacks evolve across system layers by adapting the concept of attack graphs. Attack graphs were proposed to study how multi-stage attacks could be launched by exploiting known vulnerabilities. Instead of constructing attacks reactively, we propose to apply attack graphs proactively to detect sequences of events that fulfill the requirements for vulnerability exploitation. Using this insight, we examine how to generate modular attack graphs automatically that relate adversary accessibility for each component, called its attack surface, to flaws that provide adversaries with permissions that create threats, called attack states, and exploit operations from those threats, called attack actions. We evaluate the proposed approach by applying it to two case studies: (1) attacks on file retrieval, such as TOCTTOU attacks, and (2) attacks propagated among processes, such as attacks on Shellshock vulnerabilities. In these case studies, we demonstrate how to leverage existing tools to compute attack graphs automatically and assess the effectiveness of these tools for building complete attack graphs. While we identify some research areas, we also find several reasons why attack graphs can provide a valuable foundation for improving future intrusion detection systems.

Original languageEnglish (US)
Title of host publicationNew Security Paradigms Workshop, NSPW 2019 - Proceedings
PublisherAssociation for Computing Machinery
Number of pages15
ISBN (Electronic)9781450376471
StatePublished - Sep 23 2019
Event2019 New Security Paradigms Workshop, NSPW 2019 - San Carlos, Costa Rica
Duration: Sep 23 2019Sep 26 2019

Publication series

NameACM International Conference Proceeding Series


Conference2019 New Security Paradigms Workshop, NSPW 2019
Country/TerritoryCosta Rica
CitySan Carlos

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications


Dive into the research topics of 'Employing attack graphs for intrusion detection'. Together they form a unique fingerprint.

Cite this