Phillips, C. and Swiler, L. P. 1998. A graph-based system for network-vulnerability analysis. In /Proceedings of the 1998 Workshop on New Security Paradigms/. ACM, New York, NY, 71-79. Summary: This paper introduces a method for analyzing vulnerabilities in computer networks by matching the network configuration, attack templates borrowed from a database of common attacks, and attacker profile. The paper describes how attack templates are matched to the configuration and attacker profile to generate the attack graph. Attack templates include generic steps in known attacks and condition which must be hold. Attack templates are represented by a directed graph in which nodes are user level, machines, vulnerability, capabilities and state. Edges are actions by the attacker. The nodes of attack graph stages of an attack, and the edges are attacks that change the state. So the nodes in attack graph are the nodes in attack template instantiated with particular attackers/users and machines. The edges can be labeled with probability of success or cost. One can analyze the attack graphs by identifying the attack paths that are most likely to succeed, i.e. using shortest path algorithm. Why it is good: Attack graph provides a method for modeling attacks and relating the attacks to the machines in a network and users which could be the attackers. Using this approach, temporal stages and steps of an attack can be expressed. In addition, it supports expressing multiple ways to achieve malicious goals or attack the system by branches in the attack graph. An interesting suggestion of this work is using a database of common attacks, which contain various information about attacks; such as level of user who imposes the threat, machines which are involved, vulnerabilities which are imposed to the configuration by an attack, capabilities which express the malicious behavior needed to be delivered, and states which are atomic steps of an attack. Problems and limitations: The description of attack, i.e. user level, machine, vulnerability, capabilities, and state, are added to the nodes of the attack graph based on matching the configuration, attack template, and attacker profile. However, it is not described how the matching is performed. This matching may require defining a taxonomy of attacks, vulnerabilities, and capabilities, and a detailed description of the configuration. In addition, all the information about steps of an attack (user level, machine, vulnerability, capabilities, and state) are presented to the reader or user of the model in the same view. This reduces the use of such models for understanding the behavior of one single user or group of users, or security impact of an action or atomic steps. Although the proposed approach to modeling attacks is able to express the steps of occurring an attack, its post and pre conditions, required configurations, and capabilities, it does not provide a way to express the impact of the attacks on the normal functions of the system. It is not argued why the proposed method is limited to network vulnerability analysis, and why it cannot be generalized to apply to other computer systems such as Internet attacks, applications’ vulnerability, domain specific attacks, wireless communication, etc. The proposed quantitative analysis method which assigns probability or cost to the edges for computing the shortest path, and as a result the most likely attack works well in theory. However, in real-world practices such quantitative values and even approximate measures may not be available. Finally, the approach mentions the possibility of countermeasure analysis, but it does not provide means to link possible countermeasures to the attacks.