Augmenting NVD-based Attack Path Generation with New Factors for Cloud Environments

To quantitatively assess the security level of a cloud environment, a common method is to construct an attack graph which tracks a potential attacker’s moves through interconnected computing systems by exploiting vulnerabilities of each system, one after another. The state-of-the-art automatic attack graph generation suffers from two limitations: 1) low quality or inconsistency of vulnerability descriptions (as the generation relies on the description text in an automated manner for scalability), leading to inaccurate attack paths, and 2) the vertical layer of VMs/containers not reflected in the attack paths (as traditional approaches only consider horizontal network links between nodes, not exploits from a hosted environment to a hosting environment). Our project will address the two limitations by 1) using machine learning and specifically large language models to process multiple sources of vulnerability information/description (e.g., the IBM and Redhat reports) so that more accurate attack paths can be generated, and 2) reclassifying vulnerabilities into horizontal exploits and vertical exploits to take into account the hosted and hosting relationship, and constructing 2-dimensional attack graphs.
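To make the second idea concrete, here is an added example (not code from the project) of a minimal two-dimensional attack-path enumerator: vulnerabilities are tagged as horizontal (reachable over a network link) or vertical (a hosted container escaping to its hosting VM), and paths are enumerated over both edge kinds. The topology, node names and vulnerability identifiers are constructed placeholders, not real records.

```python
# Constructed sample topology: each node is a VM or container, and
# "hosted_on" records the vertical (hosted -> hosting) relationship.
NODES = {
    "web-ctr": {"hosted_on": "vm-1"},   # container running on vm-1
    "vm-1":    {"hosted_on": None},
    "db-vm":   {"hosted_on": None},
}
# Horizontal reachability: network links between nodes (constructed).
NETWORK = [("web-ctr", "db-vm"), ("vm-1", "db-vm")]
# Constructed vulnerability records with placeholder ids. "horizontal"
# means exploitable by a neighbour over the network; "vertical" means
# the hosted node can reach its host.
VULNS = [
    {"id": "VULN-H-1", "node": "db-vm",   "class": "horizontal"},
    {"id": "VULN-V-1", "node": "web-ctr", "class": "vertical"},
]


def build_edges(include_vertical=True):
    """Return attack edges (src, dst, vuln_id) for the 2-D attack graph."""
    edges = []
    for v in VULNS:
        if v["class"] == "horizontal":
            # A horizontal vuln on dst is reachable from every network neighbour.
            for src, dst in NETWORK:
                if dst == v["node"]:
                    edges.append((src, dst, v["id"]))
        elif v["class"] == "vertical" and include_vertical:
            # A vertical vuln lets the hosted node reach its hosting node.
            host = NODES[v["node"]]["hosted_on"]
            if host is not None:
                edges.append((v["node"], host, v["id"]))
    return edges


def attack_paths(start, target, include_vertical=True):
    """Enumerate simple attack paths as lists of exploited vuln ids."""
    edges = build_edges(include_vertical)
    results = []

    def dfs(node, visited, used):
        if node == target:
            results.append(list(used))
            return
        for src, dst, vid in edges:
            if src == node and dst not in visited:
                dfs(dst, visited | {dst}, used + [vid])

    dfs(start, {start}, [])
    return results
```

Dropping the vertical class (the traditional, purely horizontal model) hides the container-to-host step, which is exactly the path the two-dimensional graph is meant to expose.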

Faculty Supervisor:

Lianying Zhao

Student:

Partner:

Ericsson Canada Inc (Quebec)

Discipline:

Computer science

Sector:

Professional, scientific and technical services

University:

Carleton University

Program:

Accelerate
