On this page you will find the results of my Master's thesis. I've worked on this project for about six months. In the beginning I felt like this was a sufficient amount of time, but the deeper I dived into the topic, the more interesting and unexplored aspects I discovered. After restricting myself to information extraction and transformation, it again seemed like a sufficient amount of time, but again, many cool aspects came up which I did not anticipate. Due to the limited time I had for the thesis, I feel the results presented here are incomplete and deserve much more work than what can be put into it in six months. But life goes on and I decided not to pursue a PhD degree. I hope somebody will pick up my work and, based on the results of the thesis presented here, continue the research in this field.

Nevertheless, I release my work into the public domain and leave it to somebody else to decide whether one or the other aspect of my work is of some value to future work. I would be happy to hear about your thoughts and the resulting discussions. Feel free to contact me at robert.schuppenies@gmail.com
Master of Science Thesis
Automatic Extraction of Vulnerability Information for Attack Graphs
by
Robert Schuppenies
Potsdam, Germany; March 2009
As computer networks have become part of everyday life, network security has become an important issue. At the same time, attacks have grown more sophisticated, making the defense of computer networks increasingly difficult. Attack graphs are used to model and assess the security of complex networks. They provide a formal model of network security and make it possible to identify the paths that lead an attacker to the attack goal. By means of attack graphs, inconspicuous system properties can be correlated into imminent threats, intrusion detection systems can be deployed more efficiently, and new network configurations can be tested conveniently. Constructing attack graphs requires both system information and vulnerability information. System information is the data gathered about the network to be analyzed, whereas vulnerability information describes what is required for a vulnerability to be exploited and what the effects of such an exploitation are. Automatically extracting vulnerability information and making it usable for attack graphs remains an open issue.
This Master's thesis addresses the challenge of automatically extracting vulnerability information from existing vulnerability databases and transforming it into a formal and unified format, thus making it available to attack graph modeling. First, the technical foundations are described, highlighting fundamental aspects of vulnerabilities and the workflow of attack graph construction. Then, related work on vulnerability representation and extraction as well as on attack graph construction, analysis, and tools is presented. Next, a data structure is proposed which is able to represent vulnerability information and the relevant properties of systems under attack. Based on previous work, an unrestrictive, predicate-based structure is recommended which addresses the requirements of attack graph modeling. Afterwards, the current state of vulnerability databases is examined, with an emphasis on extracting the data significant for attack graph construction. A special focus is put on information extraction from textual vulnerability descriptions, which previous research has neglected as a valuable source. Finally, a proof-of-concept implementation is presented which uses an attack graph tool together with the transformed vulnerability information to build attack graphs.
The contribution is fourfold. First, the information stored in vulnerability databases is analyzed and its usefulness for attack graph generation is evaluated. Second, a data structure is proposed which unifies vulnerability information in an integrated model. Third, transformations are realized that extract vulnerability information from existing databases and convert it to the proposed model, hence making it available to attack graph applications. Finally, a prototype is implemented which uses both the data structure and the vulnerability information transformations to construct attack graphs with an existing attack graph tool.
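To make the predicate-based idea concrete, here is an added example (it is not code from the thesis, and its hosts, services, predicate names and vulnerability ids are all invented): vulnerability information is written as preconditions and postconditions over predicates with variables, system information is a set of ground facts, and a forward-chaining pass derives the attack graph edges, after which the derivation of a goal fact is walked back to obtain an attack path. The last call shows the failure mode, a goal no exploit chain reaches.

```python
"""Added illustration (not code or data from the thesis): a predicate-based
vulnerability model and forward-chaining attack graph construction.
Every host, service, predicate and vulnerability id below is constructed
for this example; none refers to a real system or a real database entry."""


# A fact is a tuple (predicate, arg, ...). In a vulnerability template, a
# string starting with '?' is a variable that gets bound against facts.
def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(pattern, fact, bindings):
    """Match one template against one ground fact under existing bindings.
    Returns the extended bindings, or None on mismatch."""
    if len(pattern) != len(fact):
        return None
    b = dict(bindings)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if b.get(p, f) != f:      # variable already bound to something else
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def match_all(preconds, facts, bindings=None):
    """Yield every variable binding under which all preconditions hold."""
    bindings = {} if bindings is None else bindings
    if not preconds:
        yield bindings
        return
    for fact in facts:
        b = unify(preconds[0], fact, bindings)
        if b is not None:
            yield from match_all(preconds[1:], facts, b)


def ground(pattern, bindings):
    return tuple(bindings.get(t, t) for t in pattern)


def build_attack_graph(initial_facts, vulns):
    """Forward chaining: apply every exploit whose preconditions are satisfied
    until no new fact appears. Returns (facts, edges); each edge records the
    exploit instance that derived a fact from its ground preconditions."""
    facts = set(initial_facts)
    edges = []      # (vuln_id, bindings, ground preconditions, ground postcondition)
    applied = set()
    changed = True
    while changed:
        changed = False
        for v in vulns:
            # materialise matches first so adding facts does not disturb iteration
            for b in list(match_all(v["pre"], sorted(facts))):
                key = (v["id"], tuple(sorted(b.items())))
                if key in applied:
                    continue
                applied.add(key)
                pre = [ground(p, b) for p in v["pre"]]
                for post in v["post"]:
                    post_g = ground(post, b)
                    edges.append((v["id"], b, pre, post_g))
                    if post_g not in facts:
                        facts.add(post_g)
                        changed = True
    return facts, edges


def attack_path(goal, initial_facts, edges):
    """Walk the derivation of `goal` back to the initial facts and return the
    exploit instances in the order an attacker would use them, or None if the
    goal is unreachable. The first edge deriving a fact is used; its
    preconditions were already established when it was applied, so the
    recursion cannot cycle."""
    derived_by = {}
    for vid, b, pre, post in edges:
        derived_by.setdefault(post, (vid, b, pre))
    initial = set(initial_facts)
    steps = []

    def explain(fact):
        if fact in initial:
            return True
        if fact not in derived_by:
            return False
        vid, b, pre = derived_by[fact]
        if not all(explain(p) for p in pre):
            return False
        if (vid, b) not in steps:
            steps.append((vid, b))
        return True

    return steps if explain(goal) else None


# Constructed system information: the attacker starts with a user account on
# "internet"; "web" exposes port 80 and can reach "db" on 3306.
INITIAL_FACTS = [
    ("access", "attacker", "internet", "user"),
    ("reachable", "internet", "web", "80"),
    ("reachable", "web", "db", "3306"),
    ("runs", "web", "webapp"),
    ("runs", "web", "suid-tool"),
    ("runs", "db", "dbms"),
]

# Constructed vulnerability information in pre/postcondition form (ids are hypothetical).
VULNS = [
    {"id": "VULN-WEBAPP-RCE",
     "pre": [("access", "attacker", "?src", "?lvl"),
             ("reachable", "?src", "?dst", "80"),
             ("runs", "?dst", "webapp")],
     "post": [("access", "attacker", "?dst", "user")]},
    {"id": "VULN-SUID-LPE",
     "pre": [("access", "attacker", "?h", "user"),
             ("runs", "?h", "suid-tool")],
     "post": [("access", "attacker", "?h", "root")]},
    {"id": "VULN-DBMS-REMOTE",
     "pre": [("access", "attacker", "?src", "root"),
             ("reachable", "?src", "?dst", "3306"),
             ("runs", "?dst", "dbms")],
     "post": [("access", "attacker", "?dst", "root")]},
]
GOAL = ("access", "attacker", "db", "root")

if __name__ == "__main__":
    facts, edges = build_attack_graph(INITIAL_FACTS, VULNS)
    for vid, b, pre, post in edges:
        print(f"{vid} {b}: {pre} -> {post}")
    print("path to goal:", attack_path(GOAL, INITIAL_FACTS, edges))
    print("unreachable goal:", attack_path(("access", "attacker", "internet", "root"),
                                           INITIAL_FACTS, edges))
```

The point of the variables (`?src`, `?dst`, `?h`) is that one vulnerability record applies to every host on which its preconditions hold, so the same extracted entry yields one attack graph edge per matching binding; the `applied` set keeps the chaining from re-deriving an instance, and a goal that no chain reaches simply returns `None` rather than a partial path.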
Downloads
Source Code
The source code of my thesis is now maintained by the Chair for Internet Technologies and Systems at the Hasso-Plattner-Institute in Potsdam, Germany. If you are interested in it, please contact Feng Cheng or Sebastian Roschke for further details.