Computer scientists at George Mason University (GMU) have developed new software to identify complex cyber network attacks. The software is named CAULDRON (short for 'Combinatorial Analysis Utilizing Logical Dependencies Residing on Networks'). The developers claim that CAULDRON 'can reduce the impact of cyber attacks by identifying the possible vulnerability paths through an organization's networks.' Their research was funded by grants from the defense, homeland security and intelligence communities and the Federal Aviation Administration (FAA). The FAA has already installed CAULDRON in its Cyber Security Incident Response Center to prioritize security problems. According to the developers, this software can be used 'in almost any industry or organization with a network and resources they want to keep protected.' But read more...
This project was led by Sushil Jajodia, university professor and director of the Center for Secure Information Systems (CSIS), and Steven Noel, the associate director of CSIS, with the help of Pramod Kalapa, senior research scientist.
The GMU news release explains the problem that system administrators are facing. "By their very nature networks are highly interdependent and each machine’s overall susceptibility to attack depends on the vulnerabilities of the other machines in the network. Attackers can take advantage of multiple vulnerabilities in unexpected ways, allowing them to incrementally penetrate a network and compromise critical systems. In order to protect an organization’s networks, it is necessary to understand not only individual system vulnerabilities, but also their interdependencies."
Here is how Jajodia describes the problem and his approach to solving it. "Currently, network administrators must rely on labor-intensive processes for tracking network configurations and vulnerabilities, which requires a great deal of expertise and is error prone because of the complexity, volume and frequent changes in security data and network configurations. This new software is an automated tool that can analyze and visualize vulnerabilities and attack paths, encouraging 'what-if analysis'."
And here are some more details about the software. "CAULDRON’s intelligent analysis engine reasons through attack dependencies, producing a map of all vulnerability paths that are then organized as an attack graph that conveys the impact of combined vulnerabilities on overall security. To manage attack graph complexity, CAULDRON includes hierarchical graph visualizations with high-level overviews and detail drilldown, allowing users to navigate into a selected part of the big picture to get more information."
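To make the dependency reasoning described above concrete, here is a small attack-graph generator I have added to illustrate the idea; it is not CAULDRON's code, and the network, the vulnerability identifiers V1 to V5 and the exploit rules are all constructed for the example. It forward-chains exploits from the attacker's foothold until no new privilege can be derived, enumerates the resulting vulnerability paths to a critical asset, and then performs the kind of 'what-if analysis' Jajodia mentions: which single patch (or firewall change) cuts every path to the database.

```python
"""Toy attack-graph generation with what-if analysis, in the spirit of the
dependency reasoning the post describes. Added example; the network, the
vulnerability identifiers and the rules are all constructed, not CAULDRON's."""
from itertools import combinations

RANK = {"user": 1, "root": 2}   # privilege levels, higher dominates lower

# Constructed sample network: (source, destination) pairs the firewall allows.
# "internet" is the attacker's starting point.
REACHABLE = {
    ("internet", "web"),
    ("web", "app"),
    ("app", "db"),
    ("web", "db"),   # overlooked rule that bypasses the app tier (constructed)
}

# Constructed vulnerability inventory: (id, host, kind, level granted).
#   "remote": exploitable from any already-compromised host that can reach `host`
#   "local":  privilege escalation, needs a lower level on `host` itself
VULNS = [
    ("V1", "web", "remote", "user"),
    ("V2", "web", "local", "root"),
    ("V3", "app", "remote", "user"),
    ("V4", "db", "remote", "user"),
    ("V5", "db", "local", "root"),
]


def host_of(fact):
    return fact.split("@")[1]


def level_of(fact):
    return fact.split("@")[0]


def generate_attack_graph(reachable, vulns, start="root@internet"):
    """Forward-chain exploits from the attacker's foothold until nothing new
    can be derived (monotonic: facts are never retracted). Returns the set of
    attainable 'level@host' facts and the set of (pre, vuln, post) edges."""
    facts, edges = {start}, set()
    changed = True
    while changed:
        changed = False
        for vid, host, kind, grants in vulns:
            post = f"{grants}@{host}"
            for pre in list(facts):
                if kind == "remote":
                    ok = host_of(pre) != host and (host_of(pre), host) in reachable
                else:
                    ok = host_of(pre) == host and RANK[level_of(pre)] < RANK[grants]
                if ok and (pre, vid, post) not in edges:
                    edges.add((pre, vid, post))
                    facts.add(post)
                    changed = True
    return facts, edges


def attack_paths(edges, start, goal):
    """Enumerate simple paths (tuples of vulnerability ids) from start to goal,
    shortest first."""
    adj = {}
    for pre, vid, post in edges:
        adj.setdefault(pre, []).append((vid, post))
    paths = []

    def dfs(fact, seen, steps):
        if fact == goal:
            paths.append(tuple(steps))
            return
        for vid, post in sorted(adj.get(fact, [])):
            if post not in seen:
                dfs(post, seen | {post}, steps + [vid])

    dfs(start, {start}, [])
    return sorted(paths, key=len)


def minimal_patch_sets(reachable, vulns, goal, start="root@internet", max_size=3):
    """What-if analysis: the smallest sets of vulnerabilities whose removal
    leaves the goal unreachable. Exhaustive search, fine for small inventories."""
    ids = [v[0] for v in vulns]
    for size in range(1, max_size + 1):
        found = []
        for combo in combinations(ids, size):
            remaining = [v for v in vulns if v[0] not in combo]
            facts, _ = generate_attack_graph(reachable, remaining, start)
            if goal not in facts:
                found.append(frozenset(combo))
        if found:
            return found
    return []


if __name__ == "__main__":
    facts, edges = generate_attack_graph(REACHABLE, VULNS)
    for path in attack_paths(edges, "root@internet", "root@db"):
        print(" -> ".join(path))
    print("single patches that cut every path:",
          minimal_patch_sets(REACHABLE, VULNS, "root@db"))
    # What-if on the firewall instead: drop the overlooked web->db rule
    _, edges2 = generate_attack_graph(REACHABLE - {("web", "db")}, VULNS)
    print("paths without web->db rule:",
          len(attack_paths(edges2, "root@internet", "root@db")))
```

On this constructed network the attacker has four paths to root on the database, the shortest being V1, V4, V5 through the overlooked web-to-db rule; patching V1, V4 or V5 alone breaks all of them, whereas patching V2 or V3 alone does not, and removing the firewall rule cuts the path count to two. That ranking of fixes by how many paths they sever is what the prioritization in the FAA's incident response center amounts to, on a scale where it can no longer be done by hand.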
As I wrote above, this software has been funded by various defense and government organizations. It has also been extensively tested. For example, James Cullum, from the Naval Postgraduate School, Monterey, CA, wrote his Master's thesis about it, "Performance Analysis of Automated Attack Graph Generation Software" (December 2006).
Here is a part of the abstract. "Using empirical testing, we have collected quantitative data using CAULDRON, an attack graph generation tool developed at George Mason University, on a collection of simulated networks. By defining our model to include sets of nodes, which allow connectivity from all nodes to all nodes in the set; the number of nodes present in each set, the number of connections between sets; and the number of vulnerabilities per node as our variables, we are able to observe the performance impact on CAULDRON of connectivity and the increased presence of vulnerabilities in our networks."
For those of you who are interested in this subject, here is a link to the full thesis (PDF format, 159 pages, 704 KB).
Finally, here are three other documents you might want to read about this software.
- Attack Graphs for Sensor Placement, Alert Prioritization, and Attack Response, presented at the Cyberspace Research Workshop (part of Air Force Cyberspace Symposium), Shreveport, Louisiana, November 2007 (PDF format, 8 pages, 1.13 MB)
- Understanding Complex Network Attack Graphs through Clustered Adjacency Matrices, in the Proceedings of the 21st Annual Computer Security Applications Conference, Tucson, Arizona, December 2005 (PDF format, 10 pages, 1.02 MB)
- Multiple Coordinated Views for Network Attack Graphs, in the Proceedings of the Workshop on Visualization for Computer Security, Minneapolis, Minnesota, October 2005 (PDF format, 8 pages, 1.53 MB)
Sources: George Mason University news release, March 17, 2008; and various websites