A test of attack graph-based evaluation of IT-security

Abstract: To assess the accuracy and correctness of attack graphs I have studied several different attack graphs and their attributes. The purpose of this study is to find out if attack graphs can successfully predict real attacks on modern systems. Test design was built to test MulVALs performance when Nexpose is used to provide system information. Based on the ROC measurement method the results shows that MulVALs accuracy is only 0.02 percent when determining attack paths used to compromise the system. The main reason for low accuracy was due to the high trade o in precision, where MulVAL suggested thousands of paths to the decision maker which no attacker tried.