We use proprietary and third party´s cookies to improve your experience and our services, identifying your Internet Browsing preferences on our website; develop analytic activities and display advertising based on your preferences. If you keep browsing, you accept its use. You can get more information on our Cookie Policy
Cookies Policy
Ask Your Question

Inconsistencies in logical/topological attack graphs/paths

asked 2016-03-08 12:17:02 +0200

blu3 gravatar image

I'm facing a problem with understanding attack graphs, attack paths in both: logical and topological view - I conisder generated graphs are inconsistent.

Example 1

Firstly I tried to analyze this input file from examples: https://github.com/fiware-cybercaptor...

I uploaded the xml and generated graph with no errors or warnings. Graph has only one attack path.

Example 1a: Logical Attack Graph + Attack Path

As far as I understand Attack Path differs from Attack graph in that way the directed arcs/arrows are aimed at opposite direction. In a Graph theory a Path is a subgraph of a Graph. The problem is that both generated logical graphs (attack path and attack graph) are structurally different: Major differences are marked on the picture above. A subpath containing most important vertex (the attack indicator - rule execCode()) is marked green. Marked vertices (green and purple) are directly connected to that subpath on the Attack Graph, but not on the Attack Path. Why?

Example 1b: Topological Attack Graph + Attack Path

The structure of topological attack graph and attack path have different direction of edges. Why?

Example 2

Second example is from this appendix: https://github.com/fiware-cybercaptor... [end of the page]

There are generated 2 attack paths - only first is considered. Example 2 (three screenshots): Logical and topological view of attack path and topological attack graph

Logical attack path shows that the consequence of an attack is code execution on linux-user-2 execCode('linux-user-2', user) - which is show and marked with a rectangle. Topological attack path shows that the target is linux-user-1. This looks like contradiction of targets! Isn't it?

Bottom screenshot show topological view of attack graph where one of the targets is linux-user-2.

For me these observed differences are crucial and discredit whole attack graph analysis. Please correct me if I'm wrong, maybe I understand these graphs in wrong way, so please explain me the process of reading the results - how and why these graphs are so different. I'm desirious to involve myself into this project, it's great and after 2 weeks of fiddling with it I've got with many ideas how to improve it. If these issues are real please guide me how to fix them.

edit retag flag offensive close merge delete

1 answer

Sort by » oldest newest most voted

answered 2016-06-03 10:47:25 +0200

efelix gravatar image

Hi ! Here is an explanation of the cybercaptor output, and why you have these "contradictions" :

Attack graph : exhaustive representation of the possible attacks, with their conditions. There may not only be one target. you start from the target, and you search conditions to attack it. So arrows goes from the target, to the conditions.

Attack path : Different ways to attack a specific target. Arrows goes from the conditions to the target.

Logical : It's the main output of the graph engine used by Cybercaptor, Mulval. It shows every conditions & requirements for each attack step.

Topological : It's a more user friendly view, where you see only the machines that can be exploited, and not the specific ways to exploit them.

Your example :

It happens, on your specific example, that the attack graph and the attack path are isomorphic. Indeed, you only have one target, so the attack graph explains how to attack your target, and the attack path explains …. how to attack it. So all the attacks steps in the attack graph are used in the attack path. Your results are indeed very similar, you may notice that even if the nodes are placed the same way, their content is not exactly the same. On a more complex example, you'll see a more obvious difference.

I hope your now better understand the cybercaptor output !

edit flag offensive delete link more
Login/Signup to Answer

Question Tools

1 follower


Asked: 2016-03-08 12:17:02 +0200

Seen: 1,315 times

Last updated: Mar 08 '16