Automatic generation algorithm of penetration graph in penetration testing

Xue Qiu; Qiong Jia; Shuguang Wang; Chunhe Xia; Liang Shuang Lv

doi:10.1109/3PGCIC.2014.104

Automatic generation algorithm of penetration graph in penetration testing

Xue Qiu
, Qiong Jia
, Shuguang Wang
, Chunhe Xia
, Liang Shuang Lv

School of Computer Science and Engineering

Beihang University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

18 Scopus citations

Abstract

Penetration graph is a kind of attack graph which is widely used in penetration testing. It is an import tool to analyze security vulnerabilities in the network. However, the previous research on the generation methods of penetration graph have met a lot of challenges. Some methods are out of date and not applicable for practical scenarios, some may possibly leave out the import attack paths, some do not consider the probability of exploitation of each attack path and some failed to solve the problem of circle path and combination exploitation. We propose an automatic generation algorithm of penetration graph that optimizes the network topology before generating the penetration graph, which can reduce the redundant information effectively. We combine the penetration graph generation method with the CVSS (Common Vulnerability Scoring System) information together, increase the reliability of each attack path. Experiment result shows that the method can generates multi-path correctly and effectively, which can clearly show the structure of network, facilitates the testers' analysis of the target network, and provides reference for executing penetration testing.

Original language	English
Title of host publication	Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014
Editors	Leonard Barolli, Jin Li, Marek R. Ogiela, Fatos Xhafa, Tomoki Yoshihisa
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	531-537
Number of pages	7
ISBN (Electronic)	9781479941711
DOIs	https://doi.org/10.1109/3PGCIC.2014.104
State	Published - 27 Jan 2014
Event	9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014 - Guangzhou, Guangdong, China Duration: 8 Nov 2014 → 10 Nov 2014

Publication series

Name	Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014

Conference

Conference	9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014
Country/Territory	China
City	Guangzhou, Guangdong
Period	8/11/14 → 10/11/14

Keywords

Automatic generation
Penetration graph
Penetration testing
matrix
vulnerability

Access to Document

10.1109/3PGCIC.2014.104

Cite this

Qiu, X., Jia, Q., Wang, S., Xia, C., & Lv, L. S. (2014). Automatic generation algorithm of penetration graph in penetration testing. In L. Barolli, J. Li, M. R. Ogiela, F. Xhafa, & T. Yoshihisa (Eds.), Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014 (pp. 531-537). Article 7024641 (Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/3PGCIC.2014.104

Qiu, Xue ; Jia, Qiong ; Wang, Shuguang et al. / Automatic generation algorithm of penetration graph in penetration testing. Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014. editor / Leonard Barolli ; Jin Li ; Marek R. Ogiela ; Fatos Xhafa ; Tomoki Yoshihisa. Institute of Electrical and Electronics Engineers Inc., 2014. pp. 531-537 (Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014).

@inproceedings{70d76c22808f44c389a29b4d2dd0d447,

title = "Automatic generation algorithm of penetration graph in penetration testing",

abstract = "Penetration graph is a kind of attack graph which is widely used in penetration testing. It is an import tool to analyze security vulnerabilities in the network. However, the previous research on the generation methods of penetration graph have met a lot of challenges. Some methods are out of date and not applicable for practical scenarios, some may possibly leave out the import attack paths, some do not consider the probability of exploitation of each attack path and some failed to solve the problem of circle path and combination exploitation. We propose an automatic generation algorithm of penetration graph that optimizes the network topology before generating the penetration graph, which can reduce the redundant information effectively. We combine the penetration graph generation method with the CVSS (Common Vulnerability Scoring System) information together, increase the reliability of each attack path. Experiment result shows that the method can generates multi-path correctly and effectively, which can clearly show the structure of network, facilitates the testers' analysis of the target network, and provides reference for executing penetration testing.",

keywords = "Automatic generation, Penetration graph, Penetration testing, matrix, vulnerability",

author = "Xue Qiu and Qiong Jia and Shuguang Wang and Chunhe Xia and Lv, \{Liang Shuang\}",

note = "Publisher Copyright: {\textcopyright} 2014 IEEE.; 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014 ; Conference date: 08-11-2014 Through 10-11-2014",

year = "2014",

month = jan,

day = "27",

doi = "10.1109/3PGCIC.2014.104",

language = "英语",

series = "Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "531--537",

editor = "Leonard Barolli and Jin Li and Ogiela, \{Marek R.\} and Fatos Xhafa and Tomoki Yoshihisa",

booktitle = "Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014",

address = "美国",

}

Qiu, X, Jia, Q, Wang, S, Xia, C & Lv, LS 2014, Automatic generation algorithm of penetration graph in penetration testing. in L Barolli, J Li, MR Ogiela, F Xhafa & T Yoshihisa (eds), Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014., 7024641, Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014, Institute of Electrical and Electronics Engineers Inc., pp. 531-537, 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014, Guangzhou, Guangdong, China, 8/11/14. https://doi.org/10.1109/3PGCIC.2014.104

Automatic generation algorithm of penetration graph in penetration testing. / Qiu, Xue; Jia, Qiong; Wang, Shuguang et al.
Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014. ed. / Leonard Barolli; Jin Li; Marek R. Ogiela; Fatos Xhafa; Tomoki Yoshihisa. Institute of Electrical and Electronics Engineers Inc., 2014. p. 531-537 7024641 (Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Automatic generation algorithm of penetration graph in penetration testing

AU - Qiu, Xue

AU - Jia, Qiong

AU - Wang, Shuguang

AU - Xia, Chunhe

AU - Lv, Liang Shuang

PY - 2014/1/27

Y1 - 2014/1/27

N2 - Penetration graph is a kind of attack graph which is widely used in penetration testing. It is an import tool to analyze security vulnerabilities in the network. However, the previous research on the generation methods of penetration graph have met a lot of challenges. Some methods are out of date and not applicable for practical scenarios, some may possibly leave out the import attack paths, some do not consider the probability of exploitation of each attack path and some failed to solve the problem of circle path and combination exploitation. We propose an automatic generation algorithm of penetration graph that optimizes the network topology before generating the penetration graph, which can reduce the redundant information effectively. We combine the penetration graph generation method with the CVSS (Common Vulnerability Scoring System) information together, increase the reliability of each attack path. Experiment result shows that the method can generates multi-path correctly and effectively, which can clearly show the structure of network, facilitates the testers' analysis of the target network, and provides reference for executing penetration testing.

AB - Penetration graph is a kind of attack graph which is widely used in penetration testing. It is an import tool to analyze security vulnerabilities in the network. However, the previous research on the generation methods of penetration graph have met a lot of challenges. Some methods are out of date and not applicable for practical scenarios, some may possibly leave out the import attack paths, some do not consider the probability of exploitation of each attack path and some failed to solve the problem of circle path and combination exploitation. We propose an automatic generation algorithm of penetration graph that optimizes the network topology before generating the penetration graph, which can reduce the redundant information effectively. We combine the penetration graph generation method with the CVSS (Common Vulnerability Scoring System) information together, increase the reliability of each attack path. Experiment result shows that the method can generates multi-path correctly and effectively, which can clearly show the structure of network, facilitates the testers' analysis of the target network, and provides reference for executing penetration testing.

KW - Automatic generation

KW - Penetration graph

KW - Penetration testing

KW - matrix

KW - vulnerability

UR - https://www.scopus.com/pages/publications/84946685146

U2 - 10.1109/3PGCIC.2014.104

DO - 10.1109/3PGCIC.2014.104

M3 - 会议稿件

AN - SCOPUS:84946685146

T3 - Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014

SP - 531

EP - 537

BT - Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014

A2 - Barolli, Leonard

A2 - Li, Jin

A2 - Ogiela, Marek R.

A2 - Xhafa, Fatos

A2 - Yoshihisa, Tomoki

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014

Y2 - 8 November 2014 through 10 November 2014

ER -

Qiu X, Jia Q, Wang S, Xia C , Lv LS. Automatic generation algorithm of penetration graph in penetration testing. In Barolli L, Li J, Ogiela MR, Xhafa F, Yoshihisa T, editors, Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014. Institute of Electrical and Electronics Engineers Inc. 2014. p. 531-537. 7024641. (Proceedings - 2014 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2014). doi: 10.1109/3PGCIC.2014.104

Automatic generation algorithm of penetration graph in penetration testing

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this