
[IEEE 2012 IEEE 2nd International Conference on Cloud Computing and Intelligence Systems (CCIS) - Hangzhou, China (2012.10.30-2012.11.1)]

Proceedings of IEEE CCIS2012

RESEARCH ON SECURITY EVALUATION OF CLOUD COMPUTING BASED ON ATTACK GRAPH

Yexia Cheng (1), Yuejin Du (2), Junfeng Xu (2), Chunyang Yuan (2), Zhi Xue (1)

(1) School of Information Security Engineering, Shanghai Jiaotong University, Shanghai 200240, China
(2) National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China

[email protected], [email protected], [email protected], [email protected], [email protected]

Abstract: Cloud computing is becoming more and more popular, and its security problems are growing with it. In order to address these security issues and evaluate the security of cloud computing, a corresponding hierarchical security design model is introduced and an approach to security evaluation based on attack graphs is proposed for the cloud computing environment. First, a network threat model and automatic methods are presented to collect the information needed to generate the attack graph automatically. Using a symbolic model checking algorithm, the attack graph is generated and visualized. Then, by combining the characteristics of Markov Chains with the attack graph, two security evaluation metrics are proposed for cloud computing. They can be used for security evaluation and security hardening, and to give security suggestions for cloud computing.

Keywords: cloud security; attack graph; security evaluation; Markov Chain; cloud computing

1 Introduction

In recent years, cloud computing has developed fast and become a hot topic for researchers. Cloud computing, which leads to a new information technology paradigm for the next generation, can provide users with cloud services over the network. The advantages of cloud services include extremely strong computation capability, abundant resources and huge memory space, all at low cost. At present, according to the different levels of the services provided, cloud computing can be divided into three service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). For example, the CRM of the Salesforce corporation is a SaaS model; Google's App Engine is a PaaS model; Amazon Elastic Compute Cloud (EC2) is an IaaS model [1][2]. With the development and differing demands of companies, these service models are becoming integrated with each other in order to provide much more convenient services.

However, due to the flexibility, scalability and low upfront investment of cloud computing, it is more prone to security threats and vulnerabilities. Security problems are arising and are of great importance not only to the cloud user but also to the cloud-end center, including the cloud service providers who host the services. Security has now become the biggest issue constraining the large-scale deployment and usage of cloud computing. Apart from traditional security issues, cloud computing faces new security problems due to the cloud environment and its characteristics. Specifically, these security problems are: the insider attack, the possibility of access by other users who share the resources, and the security risks resulting from the multi-tier service models. So, in most cases, cloud computing must guarantee that the infrastructure is secure and that clients' data and applications are safe, by implementing security policies and mechanisms. Meanwhile the cloud user must ensure that the provider has taken proper security measures to protect their information. In order to take proper measures to solve these problems, we need to carry out security evaluation of the cloud computing environment; only then can we proceed to security management and control, security risk assessment, etc. Thus, security evaluation has become the most significant problem for cloud computing.

Ever since the cloud concept was put forward, security evaluation has gone along with it. Experts have researched it from many aspects. Sasko and Marjan et al. [3] have proposed a new methodology for security evaluation in cloud computing. They give an overview of international and industrial standards, evaluate their completeness, and propose a new extension to the ISO 27001:2005 standard including a new control objective about virtualization applicable to cloud systems. But obtaining the ISO 27001:2005 certificate is not enough for cloud computing information security systems, especially given the business continuity detriment that cloud computing produces, so they propose new solutions that mitigate the risks. In paper [4], Bleikertz and Schunter et al. have proposed algorithms to audit the correctness of network security configurations and policies of a complex multi-tier cloud infrastructure using Amazon's EC2 public infrastructure. They validate the security assessment of security groups by reachability and vulnerability. With the help of attack graphs, they use Dijkstra's shortest path algorithm to analyze the attack graphs and perform the security audit. However, the authors have not given an automated approach for the construction and analysis of attack graphs, which is badly needed for security evaluation of cloud computing. In order to solve this problem and carry out effective security assessment of cloud computing, this paper proposes a new methodology for security evaluation of cloud computing based on attack graphs, which are automatically constructed and analyzed.

978-1-4673-1857-0/12/$31.00 ©2012 IEEE

In this paper, we focus on security evaluation of cloud computing using attack graphs. First, we design the cloud center architecture with security attributes at different layers, with particular attention to security evaluation. After that, we study the attack graph of cloud computing. We propose a method for automatically constructing the cloud-end network threat model. Then we use symbolic model checking to generate the attack graph. Finally, we analyze the Markov characteristics of the attack graph and, based on them, propose two evaluation metrics for security evaluation of the cloud computing environment. This new model can help cloud-end administrators to suggest and take appropriate measures to strengthen security. More importantly, the cloud security evaluation model can prepare the ground for security risk control and classified security protection of cloud computing.

The rest of this paper is organized as follows: Section 2 introduces the architecture of cloud computing and its hierarchical security design model. Section 3 presents automatic attack graph modeling in the cloud computing environment. Section 4 proposes the method to generate the attack graph automatically. Section 5 presents security evaluation of cloud computing based on the attack graph. Section 6 gives the conclusion of this paper.

2 Cloud computing security

2.1 Architecture of cloud computing center

Unlike a traditional system, cloud computing is a new and large service network, which is comprised of parallel grids. Cloud computing adopts virtualization technology to improve and extend computing capacity, so that each device can be used to the fullest. The architecture of the cloud computing environment, mainly called the cloud-end or cloud center, is shown in figure 1. It interacts with the user-end, and users can request services according to their needs. The communication between the user-end and the cloud-end is network communication.

Figure 1 Architecture of cloud computing center

For the cloud-end, there are layers of infrastructure, platform and software, which correspond to the physical, link, network, transport and application layers. Furthermore, there is another important component in the cloud-end, called the management module, which includes business management, maintenance management, security management, etc. What we propose about security evaluation based on attack graphs in cloud computing will be deployed in this module of the cloud-end.

2.2 Hierarchical security design of cloud computing

As for cloud computing, there are many security issues that need to be solved, including the issues of being trusted, controllable, manageable, etc. Based on that, we give the hierarchical security [5] design model in figure 2. The security evaluation module is one component of the model.

Figure 2 Hierarchical security design model

We can see from figure 2 that the hierarchical model contains 5 layers. From bottom to top, these are the physical security layer, system security layer, security evaluation layer, security application layer and security management layer.

3 Automatic attack graph modeling in cloud computing environment

In the security design of cloud computing, we know that the most significant part of cloud computing lies in the cloud center, which is the cloud-end in the architecture. So in this section, we consider cloud center security as well as its security evaluation, and we propose using an attack graph model to solve security issues in cloud computing. In the following, we introduce the cloud computing attack graph model and its automatic modeling method.

3.1 Attack graph model and network threat model in cloud computing

An attack graph is a method which gives a graphical view of all attack paths starting from the attack point to the attack target. It analyzes the configuration and vulnerability information of the network. By obtaining the overall dependency relations of this information, the attack graph can search all the possible attack paths.

Before constructing the attack graph and obtaining the attack graph model, we first need to carry out mathematical network threat modeling. That is to say, in the cloud computing environment, we should first carry out network threat modeling in the cloud center.


In order to describe the network threat model proposed in this paper exactly, we make several assumptions as follows.

Hypothesis 1 Once the network topology is confirmed, it will not change dynamically for a period of time.

Hypothesis 2 For each vulnerability, there is only one vulnerability exploit.

Hypothesis 3 The attacker is able to start his attack from any position in the external network.

Hypothesis 4 The attacker has enough patience and time, and he can take advantage of social engineering to carry out the attack.

Hypothesis 5 The attacker has highly proficient attack abilities and technology, and the latest, most advanced database of vulnerabilities. He can effectively make use of all known vulnerabilities.

Under these assumptions, we proceed with our network threat model. The network threat model comprises four parts: the host, topology, vulnerability and attacker components. They are defined respectively in the following.

Definition 1 (host) A host is an entity which has some vulnerabilities and connects to the network. It is defined as a 3-tuple $host = (host\_id, port\_set, vul\_set)$, where $host\_id$ is the host identification that can be used as the unique identity of a host in the destination network, $port\_set$ is the set of open ports on the host, and $vul\_set$ is the set of vulnerabilities on the host, including all the exploitable vulnerabilities, local and remote.

Definition 2 (topology) A topology is also called a connectivity relation. It refers to the connectivity relation between any network computers or devices. It is defined as a 3-tuple $conn = (src\_host, dest\_host, port)$, where $src\_host$ denotes the source host, $dest\_host$ denotes the target host, and $port$ denotes an accessible open port on the target host.

When it comes to the definition of vulnerability, we do not use the traditional direct definition of precondition and effect. In order to apply and compare vulnerability exploitation more effectively, we bring in a new, extended definition to describe precondition and effect, which is named object. That is to say, vulnerability is defined with an object-oriented methodology in our network threat model. Both precondition and effect are treated as objects, and with them we give the definition of vulnerability. The purpose of defining it this way is that chaining of vulnerability dependency relations becomes much easier by making full use of the object, with its advantages of easy comparison and chaining operations. Below we give the definitions of object, object comparison and vulnerability.

Definition 3 (object) An object is a special data structure storing the attacker's capability and privilege as well as vulnerability preconditions and effects. It is defined as a multidimensional vector $obj = (d_1, d_2, d_3, \ldots, d_i, \ldots)$, where $d_i$ is the $i$-th dimension of the object and the total vector dimension is determined by the practical application. Besides, in order to facilitate object comparison, the dimensions of the object should be deliberately ordered according to their degree of importance.

Definition 4 (comparison of objects) Comparison of objects is defined as follows: if $d_{1k} \ge d_{2k}$ holds for some $k$ and $d_{1i} = d_{2i}$ holds for all $i < k$, then we say $obj_1 = (d_{11}, d_{12}, \ldots, d_{1i}, \ldots) \ge obj_2 = (d_{21}, d_{22}, \ldots, d_{2i}, \ldots)$, or $obj_1$ contains $obj_2$.

Definition 5 (vulnerability) A vulnerability is a defect or weakness existing in the process of system design, implementation, operation and control, which results in vulnerability exploitation, network threat and harm to system security. Vulnerabilities include configuration weaknesses, software vulnerabilities, trust weaknesses, etc. A vulnerability is defined as a 4-tuple $vul = (vul\_id, obj\_pre, obj\_effect, locality)$, where $vul\_id$ is the identification of the vulnerability, $obj\_pre$ is the precondition object of the vulnerability, $obj\_effect$ is the effect object of the vulnerability, and $locality$ denotes where the vulnerability can be exploited, which can be remotely or locally.

As with the definition of vulnerability, the attacker is also defined with objects.

Definition 6 (attacker) An attacker is the one who starts an attack or intrusion. It is defined as a 5-tuple $attacker = (attacker\_id, start\_host, target\_host\_set, obj\_status, obj\_privandknowl)$, where $attacker\_id$ is the identification of the attacker, $start\_host$ is the identity of the start host, $target\_host\_set$ denotes the identification set of target hosts, which can contain more than one host (which is why a set form is used), $obj\_status$ is the object of the attacker's privilege, capability and knowledge status on the target host, and $obj\_privandknowl$ is the object of the attacker's privilege, capability and knowledge status on each host.
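The following is an added example, not code from the paper, that encodes Definitions 1 to 6 as Python data types and implements the object comparison of Definition 4 as a lexicographic comparison over importance-ordered dimensions. The three-dimension layout (privilege, knowledge, capability), the sample hosts, connections and vulnerability ids, and the extra connectivity check for remote vulnerabilities in `preconditions_met` are assumptions made here, not statements from the paper:

```python
from dataclasses import dataclass

# Added example (not from the paper): the network threat model of Definitions 1-6
# as Python data types. Object comparison (Definition 4) is implemented as a
# lexicographic comparison over the importance-ordered dimensions. All hosts,
# ports, vulnerability ids and object values below are constructed placeholders.


@dataclass(frozen=True)
class Obj:
    """Definition 3: a vector whose most important dimension comes first."""
    dims: tuple

    def contains(self, other: "Obj") -> bool:
        """Definition 4: obj1 contains obj2 if, at the first dimension where they
        differ, obj1 is larger; all earlier dimensions must be equal. Two equal
        objects are taken to contain each other."""
        if len(self.dims) != len(other.dims):
            raise ValueError("objects must have the same number of dimensions")
        for d1, d2 in zip(self.dims, other.dims):
            if d1 != d2:
                return d1 > d2
        return True


@dataclass(frozen=True)
class Host:             # Definition 1
    host_id: str
    port_set: frozenset
    vul_set: frozenset  # vul_ids present on this host


@dataclass(frozen=True)
class Conn:             # Definition 2
    src_host: str
    dest_host: str
    port: int


@dataclass(frozen=True)
class Vul:              # Definition 5
    vul_id: str
    obj_pre: Obj
    obj_effect: Obj
    locality: str       # "remote" or "local"


@dataclass(frozen=True)
class Attacker:         # Definition 6
    attacker_id: str
    start_host: str
    target_host_set: frozenset
    obj_status: Obj
    obj_privandknowl: dict  # host_id -> Obj (status on each host)


# Assumed dimension order: (privilege, knowledge, capability).
# Constructed sample model: two hosts, three vulnerabilities, two connections.
NO_STATUS = Obj((0, 0, 0))
VULS = {
    "VUL-1": Vul("VUL-1", Obj((0, 1, 0)), Obj((1, 1, 0)), "remote"),  # needs knowledge of the host
    "VUL-2": Vul("VUL-2", Obj((1, 0, 0)), Obj((2, 1, 0)), "local"),   # needs a user-level foothold
    "VUL-3": Vul("VUL-3", Obj((2, 0, 0)), Obj((2, 2, 0)), "local"),   # needs admin privilege already
}
HOSTS = {
    "web": Host("web", frozenset({22, 80}), frozenset({"VUL-1", "VUL-2"})),
    "db": Host("db", frozenset({3306}), frozenset({"VUL-3"})),
}
CONNS = {Conn("internet", "web", 80), Conn("web", "db", 3306)}
ATTACKER = Attacker("att-1", "internet", frozenset({"db"}), NO_STATUS,
                    {"web": Obj((0, 1, 0))})


def preconditions_met(attacker: Attacker, host: Host) -> list:
    """Vulnerabilities of `host` whose precondition object is contained in the
    attacker's status object for that host. Assumption added here (not stated
    in the paper): a remote vulnerability additionally needs a conn tuple to the
    host on an open port from a host the attacker already has status on."""
    status = attacker.obj_privandknowl.get(host.host_id, NO_STATUS)
    held = set(attacker.obj_privandknowl) | {attacker.start_host}
    met = []
    for vul_id in sorted(host.vul_set):
        vul = VULS[vul_id]
        if not status.contains(vul.obj_pre):
            continue
        if vul.locality == "remote" and not any(
            c.dest_host == host.host_id and c.src_host in held and c.port in host.port_set
            for c in CONNS
        ):
            continue
        met.append(vul_id)
    return met


if __name__ == "__main__":
    for h in HOSTS.values():
        print(h.host_id, preconditions_met(ATTACKER, h))
```

With the constructed data, only VUL-1 on the web host has its precondition satisfied; the database vulnerability is not applicable because the attacker has no status object on that host yet, which is exactly the dependency chaining the object representation is meant to make cheap to evaluate.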

3.2 Automatic modeling of attack graph in cloud computing

Above, the network threat model and the attack graph model have been introduced into cloud computing. But the most important problem at present is how to automatically construct the attack graph model and generate the attack graph. So in this part, we focus on automatic modeling of the attack graph in cloud computing.


In the cloud center, much preparation must be finished before generating the attack graph, including the collection of cloud center information and its preprocessing. An automatic method of collecting and processing this information is convenient for users and experts. Meanwhile, it can adapt to the trend of increasing network scale in the cloud center, for which automatic analysis of the network threat model is of great significance. It also improves the efficiency of security analysis.

Since the precondition of automatically generating the attack graph lies in collecting and processing the network threat modeling information automatically, we give a practical automatic modeling method in this paper. Its specific flow is shown in figure 3.

Figure 3 Network threat automatic modeling flow

As seen from figure 3, there are three main automatic parts: automatic collecting and integrating of host information, automatic collecting and integrating of vulnerability information, and automatic collecting and integrating of topology information.

3.2.1 Automatic collecting and integrating of host information

Many host security analysis tools can be used for automatic collection of host information. Commonly used tools include the Nessus scanner, the OVAL scanner, etc. In this paper, we use the Nessus scanner, by which the CVE identity can be automatically associated with other vulnerability databases.

The specific method is as follows. Using the Nessus scanner, we output the scan result of the host set, which can be in txt, html, xml or other formats. Then, from these results, we automatically analyze the output contents so as to extract key information such as the vulnerability description, port, CVE identity, etc., and at the same time associate them automatically with our vulnerability database and integrate them.

3.2.2 Automatic collecting and integrating of vulnerability information

The key step in automatic modeling of vulnerabilities lies in automatic extraction and integration. Since different vulnerability databases have text descriptions at different levels of detail, we devote ourselves to distinguishing these text descriptions and integrating the distinguished results. Consequently, we propose an algorithm for automatic collecting and integrating of vulnerability information based on several databases such as CVE, NVD, Secunia, etc., which is indexed by CVE ID and associated with the Nessus scanner plug-in database. The specific pseudo-code is shown in figure 4.

for each plugin in Nessus do
    extract plugin Family information
    if CVE ID exists
        extract CVE ID
        for each CVE ID associated with the underlying plugin
            extract CVE description from CVE dictionary
            extract locality from NVD (remote/local)
            extract impact from NVD (admin/user/other/avail/int/conf)
            extract CVSS vector from NVD
            if Secunia url exists
                extract vulnerability name from Secunia
                extract locality from Secunia (local/remote/local network)
                extract impact from Secunia (12 classes)
    else
        extract plugin Description
        extract Risk factor
        extract CVSS Vector

Figure 4 Algorithm pseudo-code for automatic modeling of topology information
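As an added illustration, not the paper's implementation, the following Python carries out the integration step of figure 4 over constructed in-memory stand-ins for the Nessus plug-in records, the CVE dictionary, NVD and Secunia. The field names, CVE ids, URLs and descriptions are placeholders chosen here and do not refer to real advisories:

```python
# Added example (not from the paper): the integration step of Figure 4 over
# constructed, in-memory stand-ins for the Nessus plug-in output, the CVE
# dictionary, NVD and Secunia. Every id, URL and description is a placeholder.

PLUGINS = [
    {"plugin_id": 10001, "family": "Web Servers", "cve_ids": ["CVE-0000-0001"],
     "description": "Example service accepts crafted requests.",
     "risk_factor": "High", "cvss_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"plugin_id": 10002, "family": "Databases", "cve_ids": ["CVE-0000-0002"],
     "description": "Example database flaw.",
     "risk_factor": "Medium", "cvss_vector": "AV:L/AC:L/Au:S/C:P/I:N/A:N"},
    {"plugin_id": 10003, "family": "General", "cve_ids": [],
     "description": "Service banner discloses the product version.",
     "risk_factor": "Low", "cvss_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:N"},
]
CVE_DICT = {"CVE-0000-0001": "Constructed description of a remote flaw.",
            "CVE-0000-0002": "Constructed description of a local flaw."}
NVD = {  # locality and impact classes as named in Figure 4
    "CVE-0000-0001": {"locality": "remote", "impact": "admin",
                      "cvss_vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                      "secunia_url": "https://secunia.example/SA-00001"},
    "CVE-0000-0002": {"locality": "local", "impact": "conf",
                      "cvss_vector": "AV:L/AC:L/Au:S/C:P/I:N/A:N",
                      "secunia_url": None},
}
SECUNIA = {"https://secunia.example/SA-00001": {
    "name": "Example Product Remote Flaw", "locality": "remote",
    "impact": "System access"}}


def integrate(plugins, cve_dict, nvd, secunia):
    """One record per (plugin, CVE) when the plugin carries CVE ids, otherwise one
    record built from the plugin's own fields (the else branch of Figure 4).
    Missing NVD fields stay None rather than being guessed."""
    records = []
    for plugin in plugins:
        base = {"plugin_id": plugin["plugin_id"], "family": plugin["family"]}
        if plugin["cve_ids"]:
            for cve_id in plugin["cve_ids"]:
                entry = nvd.get(cve_id, {})
                rec = dict(base, source="nvd", cve_id=cve_id,
                           description=cve_dict.get(cve_id),
                           locality=entry.get("locality"),
                           impact=entry.get("impact"),
                           cvss_vector=entry.get("cvss_vector"))
                url = entry.get("secunia_url")
                if url and url in secunia:
                    rec["secunia_name"] = secunia[url]["name"]
                    rec["secunia_locality"] = secunia[url]["locality"]
                    rec["secunia_impact"] = secunia[url]["impact"]
                records.append(rec)
        else:
            records.append(dict(base, source="plugin", cve_id=None,
                                description=plugin["description"],
                                risk_factor=plugin["risk_factor"],
                                cvss_vector=plugin["cvss_vector"]))
    return records


def by_cve(records):
    """Index integrated records by CVE ID; records without one are keyed by plugin."""
    return {r["cve_id"] or f"plugin:{r['plugin_id']}": r for r in records}


if __name__ == "__main__":
    for rec in integrate(PLUGINS, CVE_DICT, NVD, SECUNIA):
        print(rec)
```

The point of keeping the CVE ID as the join key is visible in `by_cve`: the vulnerability record produced here is what later fills the `vul_set` of a host and the `locality` field of Definition 5, and a plugin with no CVE id still yields a record from the scanner's own description rather than being dropped.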

3.2.3 Automatic collecting and integrating of topology information

Topology information automatic processing mainly lies in getting the reachability relationship by using the reachability matrix. The method of automatic modeling is as follows: first, use a Binary Decision Diagram (BDD) to denote the configuration and filtering information. Second, decrease the matrix scale by grouping hosts according to some rules [6] and reduce the complexity of computing reachability with the BDD.

4 Generating attack graph

After all this work, we begin to generate the attack graph of cloud computing. The procedure proposed in this paper comprises four steps, which are shown in the following part.

The first step is using the network threat model for modeling the attack graph in cloud computing. Starting from the network threat model described above, and according to reference paper [10], we transform and abstract the threat model into a Büchi model, abstracting the various factors that lead to attack status transitions into states of the Büchi automaton. The factors include the state of hosts, the state of attackers and the transition relation. As a consequence, we define the attack graph as a 5-tuple $G = (S, \tau, S_0, S_s, D)$, where $S$ is the set of states, $\tau \subseteq S \times S$ is the transition relation, $S_0 \subseteq S$ is the set of initial states, $S_s \subseteq S$ is the set of successful states, and $D: S \to 2^{AP}$ labels each state with the set of atomic propositions that are true in it.

The second step is designating the security attributes of the cloud computing network. Usually, the CTL (Computation Tree Logic) description method is used for this. The normal expression is $AG(\neg unsafe)$, in which "unsafe" is defined according to the network under study. For example, if the security attribute of a network is that attackers cannot obtain privileges on some host, then the CTL description of its security attribute is $AG(\neg(host.access = root \mid host.access = user))$.

The third step is constructing and generating attack graph. The algorithm for generating attack graph is shown in figure 5, in which symbolic model checking algorithm is used.

Input: $M = (S, \tau, S_0, S_s, D)$ -- Büchi model of network attack; $p = AG(\neg unsafe)$ -- security property

Output: attack graph $G_p = (S_p, \tau_p, S_0^p, S_s^p, D)$

Algorithm: $GenerateAttackGraph(S, \tau, S_0, S_s, D, p)$

1 $(S_{bdd}, \tau_{bdd}, S_0^{bdd}) = ConstructBDD(S, \tau, S_0)$

2 $S_{reach} = ComputeReachable(S_{bdd}, \tau_{bdd}, S_0^{bdd})$

3 $S_{unsafe} = SymModelCheck(S_{reach}, \tau_{bdd}, S_0^{bdd}, D, p)$

4 $\tau_p = \tau \cap (S_{unsafe} \times S_{unsafe})$

5 $S_0^p = S_0^{bdd} \cap S_{unsafe}$

6 $S_s^p = \{\, s \mid s \in S_{unsafe} \wedge unsafe \in D(s) \,\}$

7 $S_p = S_{unsafe}$; Return $(S_p, \tau_p, S_0^p, S_s^p, D)$

Figure 5 Algorithm for generating attack graph

In the final, fourth step, the attack graph is visualized and displayed by some visualization tools. Then the attack graph of cloud computing has been generated and displayed. Based on the cloud computing attack graph, we can then perform security evaluation of cloud computing using the attack graph and its mathematical characteristics.
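To make the four steps concrete, here is an added example, not the paper's algorithm or code, that runs them on a small constructed model in Python. It replaces the BDD-based symbolic steps of figure 5 with explicit-state set computations (forward reachability, then a backward fixpoint for the states violating $AG(\neg unsafe)$), which yield the same sets on a model of this size; the state names and labels are invented for the example, and the text listing of paths stands in for the visualization of step 4:

```python
from collections import deque

# Added example (not from the paper): the four steps of Section 4 over a small
# constructed model. The BDD-based steps of Figure 5 are replaced by explicit
# set computations. "unsafe" is the atomic proposition of AG(not unsafe).

STATES = {"s0", "s1", "s2", "s3", "s4", "s5"}
TAU = {("s0", "s1"), ("s0", "s2"), ("s1", "s3"), ("s2", "s2"),
       ("s3", "s4"), ("s5", "s4")}          # s5 is never reachable from s0
S_INIT = {"s0"}
D = {"s0": set(), "s1": {"scanned"}, "s2": {"scanned"},
     "s3": {"foothold"}, "s4": {"unsafe"}, "s5": set()}


def compute_reachable(tau, s_init):
    """Step 2 of Figure 5: forward closure of the initial states under tau."""
    seen, queue = set(s_init), deque(s_init)
    while queue:
        s = queue.popleft()
        for a, b in tau:
            if a == s and b not in seen:
                seen.add(b)
                queue.append(b)
    return seen


def sym_model_check(s_reach, tau, d, bad="unsafe"):
    """Step 3: the reachable states violating AG(not unsafe), i.e. those from
    which a state labelled `bad` can be reached (backward least fixpoint)."""
    unsafe = {s for s in s_reach if bad in d[s]}
    changed = True
    while changed:
        changed = False
        for a, b in tau:
            if a in s_reach and b in unsafe and a not in unsafe:
                unsafe.add(a)
                changed = True
    return unsafe


def generate_attack_graph(tau, s_init, d):
    """Lines 1-7 of Figure 5 without BDDs: returns (S_p, tau_p, S0_p, Ss_p)."""
    s_reach = compute_reachable(tau, s_init)
    s_unsafe = sym_model_check(s_reach, tau, d)
    tau_p = {(a, b) for a, b in tau if a in s_unsafe and b in s_unsafe}
    s0_p = set(s_init) & s_unsafe
    ss_p = {s for s in s_unsafe if "unsafe" in d[s]}
    return s_unsafe, tau_p, s0_p, ss_p


def attack_paths(tau_p, s0_p, ss_p):
    """Step 4 in text form: every simple path from an initial to a successful
    state of the attack graph, sorted for a stable listing."""
    paths = []

    def walk(s, path):
        if s in ss_p:
            paths.append(path)
            return
        for a, b in sorted(tau_p):
            if a == s and b not in path:
                walk(b, path + [b])

    for s in sorted(s0_p):
        walk(s, [s])
    return sorted(paths)


if __name__ == "__main__":
    s_p, tau_p, s0_p, ss_p = generate_attack_graph(TAU, S_INIT, D)
    print("S_p =", sorted(s_p), "tau_p =", sorted(tau_p))
    for p in attack_paths(tau_p, s0_p, ss_p):
        print(" -> ".join(p))
```

Two things the sample model is built to show: the unreachable state s5 is excluded even though it has an edge into the unsafe state, and the reachable but harmless state s2 (a self-loop with no route to "unsafe") is pruned from $S_p$, so the resulting attack graph contains only the states that actually matter for the property.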

5 Security evaluation of cloud computing based on attack graph

5.1 Markov Chain characteristics of cloud computing attack graph

In nature, many phenomena comply with the Markov (memoryless) characteristic of stochastic processes. That is to say, if the state of the process (or system) at the present moment is already known, then the conditional distribution of the process state after that moment does not depend on the former states. Generally speaking, given that the "present" state of the process is known, its "future" state does not depend on its "past" state [7]. Such a process is called a Markov Process. When the time and states of a Markov Process are both discrete, it is called a Markov Chain.

An attack graph comprises the attack states and attack actions of the attacker. Attack actions make the attacker transit from one state to another. In a given state, which action the attacker will take depends only on the current state of the attacker. When there is more than one action that can transit the state, the attacker can select one of these actions as his next attack action. Described formally, the state of the attack graph at time $t$ determines the state at time $t + t_0$, which does not depend on the states before time $t$. As a result, if the "now" state of the attack graph is known, its "future" state does not depend on its "past" state, i.e. the attack graph has the Markov Chain characteristic. Thus, we can combine Markov Chain theory [8][9] from probability theory with the attack graph in cloud computing. At the same time, we take into consideration the state transitions caused by atomic attack methods; therefore we extend the Markov Chain and give the definition of the Extended Markov Chain.

Definition 7 (Extended Markov Chain) An Extended Markov Chain is used to denote the corresponding relation between state transitions and atomic attack actions, in a form similar to a Markov Chain. It is defined as a 3-tuple $Ext\_MC = (I, P, A)$, where $I$ indicates the system state space, $P$ is the transition probability matrix, and $A$ is the set of all possible attack methods that can be used.

Definition 8 (Characteristics of Extended Markov Chain) The characteristics of the Extended Markov Chain are that the Extended Markov Chain $Ext\_MC$ corresponds to the attack graph: its nodes stand for states of the cloud computing network, and its directed edges stand for the atomic attack method together with the weight of the state transition probability. Therefore, the sum of the weights of all edges starting from every node is 1, i.e. $\sum_{j=1}^{\infty} P(m_i, m_j) = 1$ for all $i = 1, 2, \ldots$.

Definition 9 (attack realization) Attack realization is defined as the realization level of carrying out an attack successfully. It is determined by the attack method, the attack steps for the vulnerability, the attack tools that have been developed, etc. So different vulnerabilities have different attack realization levels and values. Table 1 shows how we define the rank and weight of attack realization. We can see from Table 1 that the greater the weight of attack realization, the more probable it is to attack successfully.

Table 1 Realization Level of Vulnerability

Realization Level   Realization Level Description                                          Weight
L6                  Attack tools and specific attack steps are both available.             0.9
L5                  Attack tools and specific attack steps can be made.                    0.8
L4                  Attack tools are not available, but with detailed attack steps.        0.6
L3                  There are public reports and simple description of attack methods.     0.5
L2                  There are public reports and probable attack methods.                  0.2
L1                  There are only public reports, yet without given attack methods.       0.1
L0                  There are only public reports or attacks can be possible in theory.    0.05

5.2 Security evaluation based on Markov Chain characteristics of attack graph in cloud computing

Based on the Markov Chain characteristics of the attack graph in cloud computing, we propose two security evaluation metrics and the methods to compute them: the attack probability metric and the attack realization metric.

5.2.1 Attack probability metrics and its algorithm

First, we give the definition of the attack probability metric. Then we introduce the method to compute it.

Definition 10 (attack probability metric) The attack probability metric denotes the probability that an attacker reaches, from the initial state $S_0$, a target state in $I_S$ under the corresponding Extended Markov Chain $AG\_Ext\_MC = (I, P, A)$ of the attack graph in cloud computing.

For the attack probability metric, the greater the value, the more probable it is that the attacker reaches the target host. Consequently, we need to strengthen the security measures of that host, for example by changing the topology or repairing vulnerabilities.

When there is more than one attack action from which an attacker can select his next move, he makes the choice according to the attack realization level: the greater the weight, the more probable it is that the action is chosen.

Definition 11 (chosen probability) Suppose an attacker can reach the next states $S_i$ by the attack actions $A_i$, where $i = 1, 2, \ldots, n$, and for each $A_i$ the weight of its attack realization level is $w_i$. Then we define the chosen probability of selecting $A_i$ to transit from state $S_0$ to $S_i$ as

$$P_{A_i}(S_0 \to S_i) = \frac{w_i}{\sum_{j=1}^{n} w_j}.$$

Suppose $S_i$ represents a node in the Extended Markov Chain and $V(S_i)$ denotes the probability of reaching a target state starting from state $S_i$, where $\forall S_i \in I,\ V(S_i) \in [0, 1]$. In the Extended Markov Chain, the target-state nodes of the cloud computing attack graph form the set $I_S$ and the non-target-state nodes form the set $I_M$, so $I = I_S \cup I_M$. For a state in $I_S$ the attacker has already reached his target, so $V_0(S_i) = 1$ holds for $\forall S_i \in I_S$. For a state in $I_M$ the attacker cannot reach his target if no transition takes place, so at the initial step of the Markov Chain $V_0(S_i) = 0$ holds for $\forall S_i \in I_M$.

For a node $S_m$, its next states are recorded as $SUBSEQ(S_m)$, and for $S_t \in SUBSEQ(S_m)$ the set of attack rules from $S_m$ to $S_t$ is designated $RULES(S_m \to S_t)$. The algorithm to compute the attack probability metric from the initial state to the target states is the following iteration over $S_m \in I \setminus \{F\}$ ($F$ being the terminal state introduced in 5.2.2):

$$V_{n+1}(S_m) = \sum_{S_t \in SUBSEQ(S_m)} \; \sum_{A_i \in RULES(S_m \to S_t)} P_{A_i}(S_m \to S_t) \cdot V_n(S_t) \qquad (1)$$

With formula 1 we take $n$ iterations; if $V_n = V_{n+1}$, the iterative process has converged, which we denote $V = V_n = V_{n+1}$. Owing to the assumptions about attackers in our attack graph model, there are no loops in the attack graph. Assuming there are at most $N$ steps from the initial state to a target state in the attack graph, the iterative process is bound to converge after $N+1$ iterations. Let $S_0$ denote the initial state in the Extended Markov Chain. When the iterative process has converged, $V(S_0)$ is the probability that an attacker's choices lead him from the initial state to the final target.

5.2.2 Attack realization metrics and its algorithm

Similarly, we now give definition of attack realization metrics and then introduce the method to compute them.

Definition 12 (attack realization metrics) The attack realization metric denotes the probability that an attacker carries his attack through successfully from the initial state to a target state under the corresponding Extended Markov Chain $AG\_ExtMC = (I, A, P)$ of the attack graph in cloud computing.

For the attack realization metric, the greater the value, the more probable it is that the attack succeeds. Therefore it should be treated as a key input to security hardening.

Suppose $S_i$ represents a node in the Extended Markov Chain and $W(S_i)$ denotes the attack realization of starting from state $S_i$ and reaching a target state, where $S_i \in I$. For a node $S_m$, its next states are recorded as $SUBSEQ(S_m)$, and for $S_t \in SUBSEQ(S_m)$ the set of attack rules from $S_m$ to $S_t$ is designated $RULES(S_m \to S_t)$; for $A_i \in RULES(S_m \to S_t)$, which corresponds to an attack rule, let $E(A_i)$ be its attack realization. Meanwhile, a terminal state $F$ and an empty action $A_e$ are introduced: for $\forall S_i \in I$, $E(A_e) = 0$ and $RULES(S_i \to F) = \{A_e\}$. The algorithm to compute the attack realization metric is the iteration in formula 2:

$$W_{n+1}(S_m) = \sum_{S_t \in SUBSEQ(S_m)} \; \sum_{A_i \in RULES(S_m \to S_t)} P_{A_i}(S_m \to S_t) \cdot E(A_i) \cdot W_n(S_t) \qquad (2)$$

In the initial state, $W_0(S_i) = 1$ holds for $\forall S_i \in I_S$ and $W_0(S_j) = 0$ holds for $\forall S_j \in I_M$. Similarly, assuming there are at most $N$ steps from the initial state to a target state in the attack graph, the iterative process of formula 2 is bound to converge after $N+1$ iterations. Let $S_0$ denote the initial state in the Extended Markov Chain. When the iterative process has converged, $W(S_0)$ is the attack realization value with which an attacker may successfully carry the attack through to the final target.
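As an added example that is not part of the original paper, the following Python code carries both iterations (formula 1 and formula 2) through on a small constructed attack graph. It assumes that the Table 1 weight serves both as $w_i$ in Definition 11 and as the attack realization $E(A_i)$ in formula 2, and it holds target states fixed at 1 during the iteration (the absorbing-state reading of $V_0$ and $W_0$); the state and action names are made up for the illustration. The dead-end state S4 shows how a non-target leaf keeps the value 0 and pulls down $V$ and $W$ of every state that can reach it.

```python
"""Attack probability (formula 1) and attack realization (formula 2) metrics,
computed by fixed-point iteration over the Extended Markov Chain of a small
attack graph. Added example; the graph below is constructed, not from the paper."""
from collections import defaultdict

# Table 1: realization level -> weight.
REALIZATION_WEIGHT = {
    "L6": 0.9, "L5": 0.8, "L4": 0.6, "L3": 0.5, "L2": 0.2, "L1": 0.1, "L0": 0.05,
}

# Constructed attack graph: (source state, attack action, next state, realization level).
# S0 is the initial state, S3 the target, S4 a dead end the attacker may waste a move on.
EXAMPLE_RULES = [
    ("S0", "A1", "S1", "L6"),  # tools and specific steps both available
    ("S0", "A2", "S2", "L3"),  # public report with a simple description only
    ("S1", "A3", "S3", "L5"),
    ("S1", "A4", "S4", "L2"),
    ("S2", "A5", "S3", "L4"),
]
EXAMPLE_TARGETS = {"S3"}


def chosen_probabilities(rules):
    """Definition 11: P_{A_i}(S_m -> S_t) = w_i / sum_j w_j over the actions leaving S_m."""
    weight_sum = defaultdict(float)
    for src, _act, _dst, level in rules:
        weight_sum[src] += REALIZATION_WEIGHT[level]
    return {
        (src, act): REALIZATION_WEIGHT[level] / weight_sum[src]
        for src, act, _dst, level in rules
    }


def _iterate(rules, targets, use_realization, eps=1e-12, max_iter=10_000):
    """Run formula 1 (use_realization=False) or formula 2 (use_realization=True)
    until V_n == V_{n+1}. Returns (values, number of iterations performed)."""
    states = {s for src, _a, dst, _l in rules for s in (src, dst)} | set(targets)
    prob = chosen_probabilities(rules)
    # V_0 / W_0: 1 on target states (I_S), 0 on non-target states (I_M).
    value = {s: (1.0 if s in targets else 0.0) for s in states}
    for n in range(1, max_iter + 1):
        new = {}
        for s in states:
            if s in targets:
                new[s] = 1.0  # assumption: target states are absorbing
                continue
            total = 0.0
            for src, act, dst, level in rules:
                if src != s:
                    continue
                # E(A_i) is taken from Table 1 (assumption); formula 1 has no such factor.
                e = REALIZATION_WEIGHT[level] if use_realization else 1.0
                total += prob[(src, act)] * e * value[dst]
            new[s] = total
        if all(abs(new[s] - value[s]) < eps for s in states):
            return new, n
        value = new
    raise RuntimeError("no convergence: the graph probably contains a loop")


def attack_probability(rules, targets, initial="S0"):
    """V(S0) of formula 1: probability that the attacker's choices lead to a target."""
    values, n = _iterate(rules, targets, use_realization=False)
    return values[initial], n


def attack_realization(rules, targets, initial="S0"):
    """W(S0) of formula 2: probability that the attacker also succeeds at every step."""
    values, n = _iterate(rules, targets, use_realization=True)
    return values[initial], n


if __name__ == "__main__":
    v, n_v = attack_probability(EXAMPLE_RULES, EXAMPLE_TARGETS)
    w, n_w = attack_realization(EXAMPLE_RULES, EXAMPLE_TARGETS)
    print(f"V(S0) = {v:.4f} after {n_v} iterations")
    print(f"W(S0) = {w:.4f} after {n_w} iterations")
```

Running it gives V(S0) ≈ 0.8714 and W(S0) ≈ 0.4774, both reached after 3 iterations, which matches the $N+1$ bound for the longest path S0 → S1 → S3 ($N = 2$). The gap between the two numbers is what hardening acts on: lowering the realization level of A1 (for example by removing the public exploit tooling it depends on) reduces both the chosen probability of that branch and its $E(A_i)$ factor, whereas patching S4 changes nothing because the dead end already contributes 0.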

6 Conclusions

In this paper, cloud computing security and its corresponding hierarchical security design model are discussed. Focusing on security evaluation of cloud computing, an approach to security evaluation based on attack graphs is proposed for the cloud computing environment. Using the network threat model and the automatic methods presented in this paper, the information needed to generate the attack graph is obtained automatically, and a symbolic model checking algorithm is adopted to generate the attack graph. Combining the characteristics of Markov Chains with the attack graph, two security evaluation metrics for cloud computing are proposed. The method has three advantages. First, all possible attack paths are obtained. Second, the visualization of the attack graph shows the security relationships of the cloud computing environment as a whole. Third, the proposed security evaluation metrics can be used to carry out security evaluation, give security suggestions, and start security hardening work in cloud computing. The approach offers value and guidance for the security evaluation of cloud computing, which is of great significance to cloud computing security.

Acknowledgements This work was supported by National Natural Science Foundation Project of China (No. 61171173) and Chinese Major Project of Next Generation Broadband Wireless Mobile Communication Network (No. 2012ZX03002012).
