As computer networks are emerging in everyday life, network security has become an important issue. At the same time, attacks turned more sophisticated, making the defense of computer networks increasingly difficult. In order to model and assess the security of complex networks, attack graphs are used. These graphs provide a formal model to describe network security and allow to identify paths which lead an attacker to the attack goal. By means of attack graphs, unsuspicious system properties can be correlated into imminent threats, intrusion detection systems can be deployed more efficiently, and new network configurations can be tested conveniently. To construct attack graphs system information as well as vulnerability information are required. System information contains gathered data of the network to be analyzed, whereas vulnerability information describes what is required for a vulnerability to be exploited and what are the effects of such an exploitation. The automatic extraction of vulnerability information to make them usable for attack graphs remains an open issue.
This Master's Thesis addresses the challenge to automatically extract vulnerability information from existing vulnerability databases and transform them into a formal and unified format, thus making them available to attack graph modeling. At first, the technical foundations are described, highlighting fundamental aspects of vulnerabilities and the workflow of attack graph construction. Then, related work on vulnerability representation and extraction as well as attack graph construction, analysis, and tools is presented. Next, a data structure is proposed which is able to represent vulnerability information and important properties of systems under attack. Based on previous works, an unrestrictive, predicate-based structure is recommended, which will address the requirements of attack graph modeling. Afterwards, the current state of vulnerability databases is examined, with an emphasis on information extraction of data significant for attack graph construction. A special focus is put on the information extraction from textual vulnerability descriptions which have been neglected as a valuable source in previous research. Finally, a proof of concept implementation is presented which utilizes an attack graph tool as well as transformed vulnerability information to build attack graphs.
The contribution is fourfold. First of all, information stored in vulnerability databases is analyzed and its usefulness for attack graph generation is evaluated. Second of all, a data structure is proposed which allows to unify vulnerability information in an integrated model. Third of all, transformations are realized that extract vulnerability information from existing databases and transform them to the proposed model, hence making them available to attack graph applications. Finally, a prototype is implemented which uses both, the data structure and vulnerability information transformations, to construct attack graphs with an existing attack graph tool.