Scalable Intrusion Prevention Framework based on Attack Graphs

One of the most important challenges in network security is doing intrusion prevention to protect critical assets from serious attacks. But today there is the lack of a widely accepted intrusion prevention system being able of doing network hardening in large real networks. Because of limitation in cost, administrator must be able of doing minimum cost network hardening and the most important problem with existing hardening systems is their inability for enabling the administrator to do cost-benefit tradeoff in selecting the countermeasures. In this paper an intrusion prevention system is proposed that produce countermeasures for network hardening by measuring our defined security metrics. Also our framework can measure the security level improvement of each countermeasure without the need for reconstructing the security model of the network. This feature is the biggest innovation of this paper in comparison with existent solutions that makes the cost-benefit tradeoff applicable in large real networks.