{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:47:31Z","timestamp":1772041651824,"version":"3.50.1"},"reference-count":26,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2015,11,9]],"date-time":"2015-11-09T00:00:00Z","timestamp":1447027200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015,11,9]]},"abstract":"\n Purpose<\/jats:title>\n \u2013 The purpose of this paper is to test the practical utility of attack graph analysis. Attack graphs have been proposed as a viable solution to many problems in computer network security management. After individual vulnerabilities are identified with a vulnerability scanner, an attack graph can relate the individual vulnerabilities to the possibility of an attack and subsequently analyze and predict which privileges attackers could obtain through multi-step attacks (in which multiple vulnerabilities are exploited in sequence). <\/jats:p>\n <\/jats:sec>\n \n Design\/methodology\/approach<\/jats:title>\n \u2013 The attack graph tool, MulVAL, was fed information from the vulnerability scanner Nexpose and network topology information from 8 fictitious organizations containing 199 machines. Two teams of attackers attempted to infiltrate these networks over the course of two days and reported which machines they compromised and which attack paths they attempted to use. Their reports are compared to the predictions of the attack graph analysis. <\/jats:p>\n <\/jats:sec>\n \n Findings<\/jats:title>\n \u2013 The prediction accuracy of the attack graph analysis was poor. Attackers were more than three times likely to compromise a host predicted as impossible to compromise compared to a host that was predicted as possible to compromise. Furthermore, 29 per cent of the hosts predicted as impossible to compromise were compromised during the two days. The inaccuracy of the vulnerability scanner and MulVAL\u2019s interpretation of vulnerability information are primary reasons for the poor prediction accuracy. <\/jats:p>\n <\/jats:sec>\n \n Originality\/value<\/jats:title>\n \u2013 Although considerable research contributions have been made to the development of attack graphs, and several analysis methods have been proposed using attack graphs, the extant literature does not describe any tests of their accuracy under realistic conditions.<\/jats:p>\n <\/jats:sec>","DOI":"10.1108\/ics-06-2014-0036","type":"journal-article","created":{"date-parts":[[2015,11,3]],"date-time":"2015-11-03T03:30:17Z","timestamp":1446521417000},"page":"516-531","source":"Crossref","is-referenced-by-count":20,"title":["An empirical test of the accuracy of an attack graph analysis tool"],"prefix":"10.1108","volume":"23","author":[{"given":"Teodor","family":"Sommestad","sequence":"first","affiliation":[]},{"given":"Fredrik","family":"Sandstr\u00f6m","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020122001392512800_b1","doi-asserted-by":"crossref","unstructured":"Alhomidi, M.A.\n and \n Reed, M.J.\n (2012), \u201cAttack graphs representations\u201d, 2012 4th Computer Science and Electronic Engineering Conference (CEEC), IEEE, pp. 83-88.","DOI":"10.1109\/CEEC.2012.6375383"},{"key":"key2020122001392512800_b2","unstructured":"Artz, M.L.\n (2002), \n Netspa: A Network Security Planning Architecture\n , MA Institute of Technology, available at: http:\/\/scholar.google.com\/scholar?hl=en\n\t\t\t\t\t&\n\t\t\t\tbtnG=Search\n\t\t\t\t\t&\n\t\t\t\tq=intitle:NetSPA+:+A+Network+Security+Planning+Architecture+by#0"},{"key":"key2020122001392512800_b3","doi-asserted-by":"crossref","unstructured":"Chu, M.\n , \n Ingols, K.\n , \n Lippmann, R.\n , \n Webster, S.\n and \n Boyer, S.\n (2010), \u201cVisualizing attack graphs, reachability, and trust relationships with NAVIGATOR\u201d, Proceedings of the Seventh International Symposium on Visualization for Cyber Security, ACM, pp. 22-33.","DOI":"10.1145\/1850795.1850798"},{"key":"key2020122001392512800_b4","unstructured":"Heberlein, T.\n , \n Bishop, M.\n , \n Ceesay, E.\n , \n Danforth, M.\n , \n Senthilkumar, C.\n and \n Stallard, T.\n (2004), \u201cA taxonomy for comparing attack-graph approaches\u201d, available at: netsq.com"},{"key":"key2020122001392512800_b5","doi-asserted-by":"crossref","unstructured":"Holm, H.\n , \n Sommestad, T.\n , \n Almroth, J.\n and \n Persson, M.\n (2011), \u201cA quantitative evaluation of vulnerability scanning\u201d, \n Information Management & Computer Security\n , Vol. 19 No. 4, pp. 231-247.","DOI":"10.1108\/09685221111173058"},{"key":"key2020122001392512800_b7","unstructured":"Homer, J.\n , \n Manhattan, K.\n , \n Ou, X.\n and \n Schmidt, D.\n (2010), \u201cA sound and practical approach to quantifying security risk in enterprise networks, people.cis.ksu.edu, KS\u201d, available at: http:\/\/people.cis.ksu.edu\/\u223cxou\/publications\/tr_homer_0809.pdf (accessed 24 June 2010)."},{"key":"key2020122001392512800_b6","doi-asserted-by":"crossref","unstructured":"Homer, J.\n and \n Ou, X.\n (2009), \u201cSAT-solving approaches to context-aware enterprise network security management\u201d, \n IEEE Journal on Selected Areas in Communications\n , Vol. 27 No. 3, pp. 315-322.","DOI":"10.1109\/JSAC.2009.090407"},{"key":"key2020122001392512800_b8","doi-asserted-by":"crossref","unstructured":"Ingols, K.\n , \n Chu, M.\n , \n Lippmann, R.\n , \n Webster, S.\n and \n Boyer, S.\n (2009), \u201cModeling modern network attacks and countermeasures using attack graphs\u201d, Annual Computer Security Applications Conference, IEEE, pp. 117-126.","DOI":"10.1109\/ACSAC.2009.21"},{"key":"key2020122001392512800_b9","doi-asserted-by":"crossref","unstructured":"Jajodia, S.\n (2007), \u201cTopological analysis of network attack vulnerability\u201d, \n Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security \u2013 ASIACCS \u201907\n , ACM Press, New York, NY, p. 2.","DOI":"10.1145\/1229285.1229288"},{"key":"key2020122001392512800_b10","unstructured":"Jajodia, S.\n and \n Noel, S.\n (2010), \n Advanced Cyber Attack Modeling Analysis and Visualization\n , Rome, NY, available at: http:\/\/oai.dtic.mil\/oai\/oai?verb=getRecord\n\t\t\t\t\t&\n\t\t\t\tmetadataPrefix=html\n\t\t\t\t\t&\n\t\t\t\tidentifier=ADA516716 (accessed 1 April 2014)."},{"key":"key2020122001392512800_b11","unstructured":"Jonathan Bennett AutoIt Consulting Ltd\n (2013), \u201cAutoIt script editor\u201d, available at: www.autoitscript.com\/site\/autoit\/ (accessed 13 January 2014)."},{"key":"key2020122001392512800_b12","unstructured":"Lippmann, R.\n (2002), \n Netspa: A Network Security Planning Architecture, Network Security\n , MA Institute of Technology."},{"key":"key2020122001392512800_b13","doi-asserted-by":"crossref","unstructured":"Lippmann, R.\n and \n Ingols, K.\n (2005), \n An Annotated Review of Past Papers on Attack Graphs\n , Lexington, MA, available at: www.dtic.mil\/cgi-bin\/GetTRDoc?AD=ADA431826\n\t\t\t\t\t&\n\t\t\t\tLocation=U2\n\t\t\t\t\t&\n\t\t\t\tdoc=GetTRDoc.pdf (accessed 14 September 2010).","DOI":"10.21236\/ADA431826"},{"key":"key2020122001392512800_b14","doi-asserted-by":"crossref","unstructured":"Liu, C.\n , \n Singhal, A.\n and \n Wijesekera, D.\n (2012), \u201cUsing attack graphs in forensic examinations\u201d, 2012 Seventh International Conference on Availability, Reliability and Security, IEEE, pp. 596-603.","DOI":"10.1109\/ARES.2012.58"},{"key":"key2020122001392512800_b15","unstructured":"Mell, P.\n , \n Scarfone, K.\n and \n Romanosky, S.\n (2007), \n A Complete Guide to the Common Vulnerability Scoring System (CVSS), Version 2.0\n ."},{"key":"key2020122001392512800_b16","unstructured":"Noel, S.\n , \n Elder, M.\n , \n Jajodia, S.\n , \n Kalapa, P.\n , \n O\u2019Hare, S.\n and \n Prole, K.\n (2009), \n Advances in Topological Vulnerability Analysis\n , 2009 Cybersecurity Applications \n\t\t\t\t\t&\n\t\t\t\t Technology Conference for Homeland Security, IEEE, Washington, DC, pp. 124-129."},{"key":"key2020122001392512800_b18","unstructured":"Ou, X.\n , \n Boyer, W.F.\n and \n Zhang, S.\n (2013), \u201cMulVAL: a logic-based enterprise network security analyzer\u201d, available at: www.arguslab.org\/mulval.html (accessed 4 March 2014)."},{"key":"key2020122001392512800_b17","doi-asserted-by":"crossref","unstructured":"Ou, X.\n , \n Boyer, W.W.F.\n and \n McQueen, M.A.\n (2006), \u201cA scalable approach to attack graph generation\u201d, Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM, Alexandria, VA, pp. 336-345.","DOI":"10.1145\/1180405.1180446"},{"key":"key2020122001392512800_b19","unstructured":"Ou, X.\n , \n Govindavajhala, S.\n and \n Appel, A.W.\n (2005), \u201cMulVAL: a logic-based network security analyzer\u201d, Proceedings of the 14th Conference on USENIX Security Symposium-Volume 14, USENIX Association, p. 8."},{"key":"key2020122001392512800_b21","doi-asserted-by":"crossref","unstructured":"Roschke, S.\n , \n Cheng, F.\n and \n Meinel, C.\n (2010), \u201cUsing vulnerability information and attack graphs for intrusion detection\u201d, 2010 Sixth International Conference on Information Assurance and Security, IEEE, pp. 68-73.","DOI":"10.1109\/ISIAS.2010.5604041"},{"key":"key2020122001392512800_b20","doi-asserted-by":"crossref","unstructured":"Roschke, S.\n , \n Cheng, F.\n , \n Schuppenies, R.\n and \n Meinel, C.\n (2009), \u201cTowards unifying vulnerability information for attack graph construction\u201d, \n Information Security\n , pp. 218-233.","DOI":"10.1007\/978-3-642-04474-8_18"},{"key":"key2020122001392512800_b22","doi-asserted-by":"crossref","unstructured":"Sawilla, R.\n and \n Ou, X.\n (2008), \u201cIdentifying critical attack assets in dependency attack graphs\u201d, 13th European Symposium on Research in Computer Security (ESORICS), Springer, pp. 18-34.","DOI":"10.1007\/978-3-540-88313-5_2"},{"key":"key2020122001392512800_b23","unstructured":"Singhal, A.\n and \n Ou, X.\n (2009), \u201cTechniques for enterprise network security metrics\u201d, Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, ACM, p. 25."},{"key":"key2020122001392512800_b24","doi-asserted-by":"crossref","unstructured":"Sommestad, T.\n , \n Holm, H.\n and \n Ekstedt, M.\n (2012), \u201cEstimates of success rates of remote arbitrary code execution attacks\u201d, \n Information Management & Computer Security\n , Vol. 20 No. 2, pp. 107-122.","DOI":"10.1108\/09685221211235625"},{"key":"key2020122001392512800_b25","unstructured":"Williams, L.\n (2008), \u201cGARNET: a graphical attack graph and reachability network evaluation tool\u201d, in \n Goodall, J.R.\n , \n Conti, G.\n and \n MA, K.L.\n (Eds), \n 5th International Workshop, VizSec 2008\n , Springer Berlin Heidelberg, Cambridge, MA."},{"key":"key2020122001392512800_b26","unstructured":"Zhang, S.\n , \n Ou, X.\n , \n Singhal, A.\n and \n Homer, J.\n (2011), \u201cAn empirical study of a vulnerability metric aggregation method, csrc.nist.gov\u201d, available at: http:\/\/csrc.nist.gov\/staff\/Singhal\/xou-anoop-workshop2011-paper.pdf (accessed 27 July 2011)."}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-06-2014-0036","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-06-2014-0036\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-06-2014-0036\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:58Z","timestamp":1753406578000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/23\/5\/516-531\/110951"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,11,9]]},"references-count":26,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2015,11,9]]}},"alternative-id":["10.1108\/ICS-06-2014-0036"],"URL":"https:\/\/doi.org\/10.1108\/ics-06-2014-0036","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2015,11,9]]}}}