
arxiv: 1906.09786 · v1 · pith:UNTFCLOJnew · submitted 2019-06-24 · 💻 cs.CR

Extending Attack Graphs to Represent Cyber-Attacks in Communication Protocols and Modern IT Networks

Pith reviewed 2026-05-25 17:32 UTC · model grok-4.3

classification 💻 cs.CR
keywords: attack graphs · MulVAL · network protocol vulnerabilities · physical network topology · industrial communication · IoT security · spoofing attacks · denial of service

The pith

MulVAL attack graphs now incorporate physical topologies and protocol design flaws to model spoofing and denial-of-service on wireless and industrial networks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes an extended MulVAL model that adds support for physical network topology, short-range protocols such as Bluetooth, vulnerabilities in protocol designs, and industrial communication architectures. MulVAL's default model cannot represent protocol-level attacks such as ARP poisoning, DNS spoofing, or SYN flooding, nor the wireless and bus communication found in IoT and factory networks. The extensions enable automatic generation of attack paths across these elements, demonstrated on a testbed that mixes IT and industrial components.

Core claim

We present an extended network security model for MulVAL that considers the physical network topology, supports short-range communication protocols, models vulnerabilities in the design of network protocols, and models specific industrial communication architectures. Using the proposed extensions, we were able to model multiple attack techniques including spoofing, man-in-the-middle, and denial of service, as well as attacks on advanced types of communication. We demonstrate the proposed model on a testbed implementing a simplified network architecture comprised of both IT and industrial components.

What carries the argument

The extended MulVAL network security model, which adds rules for physical topology, short-range protocols, protocol design vulnerabilities, and industrial architectures to generate attack graphs.

If this is right

  • Attack graphs can now enumerate paths that use ARP poisoning, DNS spoofing, and SYN flooding.
  • Networks containing Bluetooth or similar short-range links become subject to automatic attack-path analysis.
  • Industrial control architectures can be analyzed for combined cyber-attack sequences within the same MulVAL framework.
  • Mixed IT and industrial testbeds can have their full set of reachable attack states generated automatically.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same rule additions could be ported to other attack-graph generators that currently lack protocol-layer modeling.
  • Running the extended model on larger factory-floor networks might surface attack routes that cross from office IT into process control.
  • Periodic re-validation of the new rules against fresh penetration-test data on similar hardware would keep the model aligned with evolving protocol implementations.

Load-bearing premise

The added modeling rules for protocol vulnerabilities and communication architectures accurately reflect real attack behaviors without introducing modeling errors.

What would settle it

Applying the extended model to the testbed and checking both directions: that it generates a path for every attack actually demonstrated there (a missing path for a demonstrated man-in-the-middle attack would falsify the model), and that it generates no path for attacks that are infeasible in practice (a spurious path would show the rules are too permissive).
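The rule machinery described under "What carries the argument" and the two-directional check under "What would settle it", as an added illustration that is not the paper's rule set and not MulVAL's own code: a toy bottom-up Datalog evaluator with a physical-topology layer (onSegment, routed), a protocol-design vulnerability that needs no CVE (protocolVuln for ARP and TCP), and a validate() function that compares derived attack facts with a constructed pen-test outcome. Every predicate, host name and fact below is a hypothetical assumption made for this example.

```python
"""Toy forward-chaining evaluator for MulVAL-style Datalog attack rules.
Added illustration only: the predicates, host names and "testbed" facts are
constructed for this example and are not the paper's rule set or MulVAL code.
Facts and rule atoms are tuples; variables are strings starting with '?'."""

def unify(pattern, fact, env):
    """Return env extended so that pattern matches fact, or None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if isinstance(p, str) and p.startswith("?"):
            if env.get(p, f) != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env

def subst(atom, env):
    return tuple(env.get(t, t) for t in atom)

def match_body(body, known, env):
    """Yield every binding under which all body atoms hold in known."""
    if not body:
        yield env
        return
    atom, rest = body[0], body[1:]
    if atom[0] == "neq":  # built-in; place it after its variables are bound
        if subst(atom, env)[1] != subst(atom, env)[2]:
            yield from match_body(rest, known, env)
        return
    for fact in list(known):
        new_env = unify(atom, fact, env)
        if new_env is not None:
            yield from match_body(rest, known, new_env)

def derive(facts, rules):
    """Naive bottom-up evaluation to a fixpoint; premises are the attack-graph edges."""
    known = {f: ("fact", ()) for f in facts}
    changed = True
    while changed:
        changed = False
        for idx, (head, body) in enumerate(rules):
            for env in list(match_body(body, known, {})):
                h = subst(head, env)
                if h not in known:
                    known[h] = (idx, tuple(subst(b, env) for b in body if b[0] != "neq"))
                    changed = True
    return known

def attack_tree(goal, known, depth=0):
    """Flatten the derivation of goal into indented lines (the graph rooted at it)."""
    rule, premises = known[goal]
    line = "  " * depth + "%s(%s)  [%s]" % (goal[0], ", ".join(goal[1:]), rule)
    return [line] + [l for p in premises for l in attack_tree(p, known, depth + 1)]

def validate(known, observed, goal_preds=("mitm", "dos")):
    """missed: demonstrated attacks the rules cannot derive (model too weak);
    spurious: derived attacks shown infeasible in practice (rules too permissive)."""
    derived = {f for f in known if f[0] in goal_preds}
    observed = {f for f in observed if f[0] in goal_preds}
    return observed - derived, derived - observed

RULES = [
    # Physical topology layer: hosts on one L2 segment can exchange frames.
    (("l2Adjacent", "?a", "?b"),
     [("onSegment", "?a", "?s"), ("onSegment", "?b", "?s"), ("neq", "?a", "?b")]),
    (("ipReachable", "?a", "?b"), [("l2Adjacent", "?a", "?b")]),
    (("ipReachable", "?a", "?b"),
     [("onSegment", "?a", "?s1"), ("onSegment", "?b", "?s2"), ("routed", "?s1", "?s2")]),
    (("execCode", "?h"), [("attackerLocated", "?h")]),
    # Protocol design flaw, no CVE involved: ARP accepts unsolicited replies from
    # anyone on the segment, so both endpoints' caches can be poisoned.
    (("arpPoison", "?atk", "?v"), [("execCode", "?atk"), ("l2Adjacent", "?atk", "?v"),
                                   ("protocolVuln", "arp", "noAuthentication")]),
    (("mitm", "?atk", "?src", "?dst"), [("dataFlow", "?src", "?dst", "?p"),
                                        ("arpPoison", "?atk", "?src"), ("arpPoison", "?atk", "?dst")]),
    (("accessDataFlow", "?atk", "?src", "?dst"), [("mitm", "?atk", "?src", "?dst"),
                                                  ("dataFlow", "?src", "?dst", "?p"), ("unencrypted", "?p")]),
    # TCP keeps half-open connections, so any reachable listener can be SYN-flooded.
    (("dos", "?atk", "?v"), [("execCode", "?atk"), ("ipReachable", "?atk", "?v"),
                             ("listens", "?v", "tcp"), ("protocolVuln", "tcp", "synFloodable")]),
]

# Constructed testbed: IT segment (attacker, HMI, historian) routed to an OT
# segment holding one PLC. All host names are hypothetical.
TESTBED = {
    ("onSegment", "atk", "itLan"), ("onSegment", "hmi", "itLan"),
    ("onSegment", "historian", "itLan"), ("onSegment", "plc1", "otLan"),
    ("routed", "itLan", "otLan"), ("attackerLocated", "atk"),
    ("dataFlow", "hmi", "historian", "http"), ("unencrypted", "http"),
    ("listens", "hmi", "tcp"), ("listens", "historian", "tcp"), ("listens", "plc1", "tcp"),
    ("protocolVuln", "arp", "noAuthentication"), ("protocolVuln", "tcp", "synFloodable"),
}
# Constructed pen-test outcome: the historian resisted SYN flooding (e.g. SYN
# cookies), a per-host detail the per-protocol vulnerability fact cannot express.
OBSERVED = {("mitm", "atk", "hmi", "historian"), ("dos", "atk", "hmi"), ("dos", "atk", "plc1")}
```

Run `known = derive(TESTBED, RULES)` and print `attack_tree(("accessDataFlow", "atk", "hmi", "historian"), known)` to see the MITM path grounded in the two onSegment facts and the ARP design flaw; `validate(known, OBSERVED)` returns an empty missed set and one spurious fact, dos(atk, historian), which is exactly the kind of disagreement the referee's first major comment asks the evaluation to surface: a protocol-level vulnerability fact applied uniformly to every host over-approximates when a single host has a mitigation.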

Figures

Figures reproduced from arXiv: 1906.09786 by Asaf Shabtai, Masaki Inokuchi, Michal Ezrets, Moran Dadon, Orly Stan, Ron Bitton, Tomohiko Yagyu, Yoshinobu Ohta, Yoshiyuki Yamada, Yuval Elovici.

Figure 1: MulVAL example: code execution scenario.

Figure 3: Illustration of the three-layer network structure and …

Figure 4: Inference structure of accessDataFlow with read access.

Figure 5: Testbed network topology.
Text adjoining the figure (Section VII, Evaluation): "In order to evaluate the application of our proposed modeling in a real environment, we established an operational testbed simulating a simple thermal power plant process (see …"

Figure 7: DNS spoofing attack graph.
Text adjoining the figure (subsection C, SYN Flooding Attack): "SYN flooding is a network-based DoS attack in which an attacker starts multiple TCP connections with the target host but doesn't complete them. In the vulnerable TCP implementation, the target host saves all of the half-open connections, which eventually exhausts the host's resources and makes it unresponsive to other connections. Within the testbed, the H…"

Figure 8: SYN flooding attack graph.
Text adjoining the figure (subsection D, WEP Cracking Attack): "In this scenario, the attacker physically places his/her host in the range of the access point (i.e., in IT Wifi Zone), which is connected to IT Network. Based on the assumption that the attacker's host is adequately equipped to execute this attack, we infer that the attacker can capture the wireless signals transmitted in IT Wifi Zone. The access point use…"

Figure 10: Bluetooth PIN cracking attack graph.
Text adjoining the figure (subsection F, Bus Denial of Service Attack): "To demonstrate attacks on the serial bus, we introduce the Serial Bus component, which connects PLC#2, two more generators (Generator#4 and Generator#5), and a third PLC (PLC#3). The serial Modbus is the communication protocol in this bus, and the master is PLC#2. The attack graph generated for this attack scenario is presented in …"

Figure 12: Bus spoofing attack graphs.
Original abstract

An attack graph is a method used to enumerate the possible paths that an attacker can execute in the organization network. MulVAL is a known open-source framework used to automatically generate attack graphs. MulVAL's default modeling has two main shortcomings. First, it lacks the representation of network protocol vulnerabilities, and thus it cannot be used to model common network attacks such as ARP poisoning, DNS spoofing, and SYN flooding. Second, it does not support advanced types of communication such as wireless and bus communication, and thus it cannot be used to model cyber-attacks on networks that include IoT devices or industrial components. In this paper, we present an extended network security model for MulVAL that: (1) considers the physical network topology, (2) supports short-range communication protocols (e.g., Bluetooth), (3) models vulnerabilities in the design of network protocols, and (4) models specific industrial communication architectures. Using the proposed extensions, we were able to model multiple attack techniques including: spoofing, man-in-the-middle, and denial of service, as well as attacks on advanced types of communication. We demonstrate the proposed model on a testbed implementing a simplified network architecture comprised of both IT and industrial components.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper extends the MulVAL attack-graph framework to address two limitations: inability to model network-protocol vulnerabilities (preventing representation of attacks such as ARP poisoning, DNS spoofing, and SYN flooding) and lack of support for wireless/bus communication (preventing modeling of IoT and industrial-control attacks). The four proposed extensions are (1) explicit physical network topology, (2) short-range protocols such as Bluetooth, (3) protocol-design vulnerabilities, and (4) industrial communication architectures. The authors supply the corresponding modeling rules and demonstrate that the extended model can generate attack graphs containing spoofing, man-in-the-middle, and denial-of-service paths on a simplified mixed IT/industrial testbed.

Significance. If the added modeling rules are shown to be faithful, the work would materially increase the practical reach of an existing open-source attack-graph tool to contemporary networks that include wireless links and industrial buses. The explicit provision of new Datalog rules and the testbed demonstration constitute reproducible artifacts that future researchers can build upon.

major comments (2)
  1. [Evaluation] Evaluation section: the testbed demonstration shows that attack graphs can be generated but supplies neither quantitative metrics (graph size, generation time) nor any validation against documented real-world attack traces or penetration-test results; this gap directly affects the central claim that the extensions correctly capture the listed attack techniques.
  2. [Section 3] Modeling extensions (Section 3): the new predicates and rules for protocol vulnerabilities and industrial architectures are introduced at a level that does not include an explicit statement of their interaction with MulVAL’s existing host and network facts, leaving open the possibility of incomplete or inconsistent attack paths.
minor comments (2)
  1. [Abstract] The abstract lists four numbered contributions but the body does not map each contribution to a specific subsection or rule set, reducing readability.
  2. [Figures] Figure captions for the testbed topology and generated graphs should explicitly label which new modeling elements are exercised in each example.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments and for recognizing the potential of the proposed extensions. We address each major comment below and indicate the corresponding revisions.

  1. Referee: [Evaluation] Evaluation section: the testbed demonstration shows that attack graphs can be generated but supplies neither quantitative metrics (graph size, generation time) nor any validation against documented real-world attack traces or penetration-test results; this gap directly affects the central claim that the extensions correctly capture the listed attack techniques.

    Authors: We agree that quantitative metrics would improve the evaluation. In the revised manuscript we will add measurements of attack-graph size and generation time for the testbed example. Regarding validation against real-world traces or penetration-test results, the current demonstration uses a controlled testbed to show that the extended rules can produce the expected attack paths for known techniques; a systematic empirical validation lies outside the scope of this modeling-focused paper and will be noted as future work. (revision: partial)

  2. Referee: [Section 3] Modeling extensions (Section 3): the new predicates and rules for protocol vulnerabilities and industrial architectures are introduced at a level that does not include an explicit statement of their interaction with MulVAL’s existing host and network facts, leaving open the possibility of incomplete or inconsistent attack paths.

    Authors: We will revise Section 3 to add an explicit subsection describing the integration of the new predicates with MulVAL's existing host and network facts. The revision will include examples of combined rules and a brief argument for why the resulting attack paths remain consistent. (revision: yes)

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper presents additive modeling extensions to the existing open-source MulVAL attack-graph framework, introducing rules for physical topology, short-range protocols, protocol design vulnerabilities, and industrial architectures. These extensions are demonstrated via explicit modeling rules and testbed examples that generate attack paths for spoofing, MITM, and DoS; no equations, predictions, or uniqueness claims are offered that reduce by construction to the paper's own inputs, fitted parameters, or self-citations. The central contribution is self-contained against the external MulVAL baseline and standard attack-graph literature.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The paper extends an existing logical attack graph framework with new domain rules; no new free parameters, mathematical axioms, or invented entities are introduced beyond standard network security modeling assumptions.

axioms (1)
  • domain assumption Attack graphs can be automatically generated from logical rules representing hosts, vulnerabilities, and network reachability.
    Core assumption inherited from the MulVAL framework referenced in the abstract.

pith-pipeline@v0.9.0 · 5786 in / 1152 out tokens · 29701 ms · 2026-05-25T17:32:49.960108+00:00 · methodology



Reference graph

Works this paper leans on

27 references extracted from the paper

[1] C. Phillips and L. P. Swiler, "A graph-based system for network-vulnerability analysis," in Proceedings of the 1998 Workshop on New Security Paradigms. ACM, 1998, pp. 71–79.

[2] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, "Automated generation and analysis of attack graphs," in Proceedings of the 2002 IEEE Symposium on Security and Privacy. IEEE, 2002, pp. 273–284.

[3] S. Jajodia, S. Noel, and B. O'Berry, Topological Analysis of Network Attack Vulnerability. Springer US, 2005, pp. 247–266.

[4] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in 22nd Annual Computer Security Applications Conference (ACSAC '06). IEEE, 2006, pp. 121–130.

[5] X. Ou, W. F. Boyer, and M. A. McQueen, "A scalable approach to attack graph generation," in Proceedings of the 13th ACM Conference on Computer and Communications Security. ACM, 2006, pp. 336–345.

[6] X. Ou, S. Govindavajhala, and A. W. Appel, "MulVAL: A logic-based network security analyzer," in USENIX Security Symposium, Baltimore, MD, 2005, pp. 8–8.

[7] "NVD National Vulnerability Database," http://www.nvd.nist.gov, [Online].

[8] "Nessus security scanner," http://www.nessus.org, [Online].

[9] J. C. Acosta, E. Padilla, and J. Homer, "Augmenting attack graphs to represent data link and network layer vulnerabilities," in MILCOM 2016-2016 IEEE Military Communications Conference. IEEE, 2016, pp. 1010–1015.

[10] L. P. Swiler, C. Phillips, D. Ellis, and S. Chakerian, "Computer-attack graph generation tool," in DISCEX. IEEE, 2001, p. 1307.

[11] R. W. Ritchey and P. Ammann, "Using model checking to analyze network vulnerabilities," in Proceedings of the 2000 IEEE Symposium on Security and Privacy (S&P 2000). IEEE, 2000, pp. 156–165.

[12] R. Ritchey, B. O'Berry, and S. Noel, "Representing TCP/IP connectivity for topological analysis of network security," in 18th Annual Computer Security Applications Conference. IEEE, 2002, pp. 25–31.

[13] S. Jha, O. Sheyner, and J. Wing, "Two formal analyses of attack graphs," in Proceedings of the 15th IEEE Computer Security Foundations Workshop (CSFW-15), June 2002, pp. 49–63.

[14] P. Ammann, D. Wijesekera, and S. Kaushik, "Scalable, graph-based network vulnerability analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02). ACM, 2002, pp. 217–224. [Online]. Available: http://doi.acm.org/10.1145/586110.586140

[15] "Common Vulnerabilities and Exposures dictionary," http://www.cve.mitre.com, [Online].

[16] S. Yi, Y. Peng, Q. Xiong, T. Wang, Z. Dai, H. Gao, J. Xu, J. Wang, and L. Xu, "Overview on attack graph generation and visualization technology," in 2013 IEEE International Conference on Anti-counterfeiting, Security and Identification (ASID). IEEE, 2013, pp. 1–6.

[17] S. Jajodia, S. Noel, P. Kalapa, M. Albanese, and J. Williams, "Cauldron: mission-centric cyber situational awareness with defense in depth," in MILCOM 2011 Military Communications Conference, Nov. 2011, pp. 1339–1344.

[18] "Cauldron, a cost-effective, nimble, adaptable and automated network visualization and modeling tool," https://cyvision.net/cauldron/, [Online].

[19] "FireMon," http://firemon.com, [Online].

[20] "Skybox Security," http://www.skyboxsecurity.com, [Online].

[21] E. Bacic, M. Froh, and G. Henderson, "MulVAL extensions for dynamic asset protection," Cinnabar Networks Inc., Ottawa, Ontario, Tech. Rep., 2006.

[22] M. J. Froh and G. Henderson, MulVAL Extensions II. Defence R&D Canada-Ottawa, 2009.

[23] X. Ou and A. W. Appel, A Logic-Programming Approach to Network Security Analysis. Princeton University, Princeton, 2005.

[24] S. Fluhrer, I. Mantin, and A. Shamir, "Weaknesses in the key scheduling algorithm of RC4," in Selected Areas in Cryptography, S. Vaudenay and A. M. Youssef, Eds. Berlin, Heidelberg: Springer, 2001, pp. 1–24.

[25] M. Vanhoef and F. Piessens, "Key reinstallation attacks: Forcing nonce reuse in WPA2," in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2017, pp. 1313–1328.

[26] M. Vanhoef and F. Piessens, "Advanced Wi-Fi attacks using commodity hardware," in Proceedings of the 30th Annual Computer Security Applications Conference. ACM, 2014, pp. 256–265.

[27] Y. Shaked and A. Wool, "Cracking the Bluetooth PIN," in Proceedings of the 3rd International Conference on Mobile Systems, Applications, and Services (MobiSys '05). New York, NY, USA: ACM, 2005, pp. 39–. [Online]. Available: http://doi.acm.org/10.1145/1067170.1067176

Appendix A of the paper (Comparison Between MulVAL Extensions): a table comparing vulnerability, host, network, data, user and safeguard modeling across Ou et al. [6] (baseline), Acosta et al. and the other MulVAL extensions; not reproduced here.