We use proprietary and third party's cookies to improve your experience and our services, identifying your Internet Browsing preferences on our website; develop analytic activities and display advertising based on your preferences. If you keep browsing, you accept its use. You can get more information on our Cookie Policy
Cookies Policy
Security-Monitoring: Mulval Attack Path Engine Open API Specification - FIWARE Forge Wiki

Security-Monitoring: Mulval Attack Path Engine Open API Specification

From FIWARE Forge Wiki

Jump to: navigation, search


Introduction to the Mulval Attack Path Engine API

This API is deprecated.

Mulval Attack Path Engine API Core

This document provides a description of the available interface and presents adapters used by the MulVAL Attack Path Engine to import data files. The adapter transforms the data file to internal data in order to provide reporting and decision support in the context of the security monitoring G.E.


Figure 1: principle of Mulval API The MulVAL Attack Path Engine API can be seen as a module. This module needs input to be processed and compute the results with certain available options. We can summarize as: Input: file required by the engine Engine: offers certain flexibility (options) of attack path computation Output: data file which can be consumed by the reporting, visualization and decision support components.

Intended Audience

This document is addressed both software architects and developers, and the operators of MulVAL Attack Path Engine.

API Change History

This version of the Mulval Attack Path API Guide replaces and obsoletes all previous versions. The most recent changes are described in the table below:

Revision Date Changes Summary
August, 2012
  • V1.0, first release
Janauary, 2012
  • V1.1 release
  • Nessus scanner supported
  • Attack path generated from the file exported by the Nessus scanner.
  • ...

How to Read This Document

Along the document, some special notations are applied to differentiate some special words or concepts. The following list summarizes these special notations:

  • A bold, mono-spaced font is used to represent a module.
  • An italic font is used to represent an example

Additional Resources

The attack path engine is an innovative way to assess security risk. The current API is provided in summary version. Academics publications regarding attack paths are available through the following links:

all references can found here

MulVAL: A logic-based network security analyzer. Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel. In 14th USENIX Security Symposium, Baltimore, Maryland, U.S.A., August 2005.

A logic-programming approach to network security analysis. Xinming Ou. PhD dissertation, Princeton University, 2005.

A scalable approach to attack graph generation. Xinming Ou, Wayne F. Boyer, and Miles A. McQueen. In 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, U.S.A., October 2006.

Googling attack graphs. Reginald Sawilla and Xinming Ou. Technical report, Defence R & D Canada -- Ottawa. TM 2007-205, September 2007.

From attack graphs to automated configuration management - an iterative approach. John Homer, Xinming Ou, and Miles A. McQueen. Technical report, Kansas State University, Computing and Information Sciences Department. January 2008.

Improving attack graph visualization through data reduction and attack grouping. John Homer, Ashok Varikuti, Xinming Ou, and Miles A. McQueen. In 5th International Workshop on Visualization for Cyber Security (VizSEC 2008), Cambridge, MA, U.S.A., September 2008.

Identifying critical attack assets in dependency attack graphs. Reginald Sawilla and Xinming Ou. In 13th European Symposium on Research in Computer Security (ESORICS 2008), Malaga, Spain, October 2008. The extended version.

SAT-solving approaches to context-aware enterprise network security management. John Homer and Xinming Ou, In IEEE JSAC Special Issue on Network Infrastructure Configuration, Vol. 27, No. 3, April 2009. Preprint

Techniques for enterprise network security metrics. Anoop Singhal and Xinming Ou. Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW) , Extended Abstract, April, 2009.

A host-based security assessment architecture for industrial control systems. Abhishek Rakshit and Xinming Ou. 2nd International Symposium on Resilient Control Systems (ISRCS), Idaho Falls, ID, USA, August 2009.

A sound and practical approach to quantifying security risk in enterprise networks. John Homer, Xinming Ou, and David Schmidt. Technical report, Kansas State University, Computing and Information Sciences Department. August 2009.

Uncertainty and risk management in cyber situational awareness. Jason Li, Xinming Ou, and Raj Rajagopalan. In Sushil Jajodia et al., editor, Cyber Situational Awareness: Issues and Research , chapter 4. Springer, Nov. 2009.

An empirical approach to modeling uncertainty in intrusion analysis. Xinming Ou, S. Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan. Annual Computer Security Applications Conference (ACSAC), Honolulu, Hawaii, USA, Dec 2009.

General Mulval Attack Path API Information

The Mulval Attack Path engine is an orchestration of chained modules. A module can be an adapter, core attack graph computation, attack path visualization or metrics analysis.


Figure 2: Orchestration of chained modules.

The attack path engine is composed of four modules:

  • 1. Adapters
  • 2. Core Attack Graph Computation
  • 3. Metrics analysis
  • 4. Attack Path visualization


What are adapters?

The adapters convert / transform the input data files to the internal information which is required by the engine. Regarding of the interface attack path engine in input, the input data files are:

1. NVD database

2. Vulnerability scanners (OVAL and NESSUS)

NVD database can be obtained directly from NIST. After getting these XML files, the adapter parsers them and stores them to the local MySQL database.

A NVD example is provided in figure bellow.


OVAL result is obtained by using an OVAL scanner. In our case, we use the OVAL interpreter which can be downloaded at


The OVAL Interpreter scan the “vulnerable host” and provides a result on xml file. Bellow is an example of OVAL result:


NESSUS result is obtained by using NESSUS scanner. The NESSUS scanner scans the set of IP addresses and offers an export option in order to export the result to xml format.

Example of NESSUS result


Core Attack Graph Computation

This module is the core computation. It uses the input files (OVAL or NESSUS scanner) transformed previously by the adapters and combines these input files with the local MySQL database in order to get more information about the vulnerability. The core computation is handled with the ProLog rules.

Attack Path Visualization

The attack path visualization is the result of the core computation which can be rendered under different formats: XML, PDF, text file.

Bellow is an example under XML format.


Bellow is an example under PDF format.


Bellow an example under Text format.


Metrics Analysis

The metrics analysis uses the CVSS scoring. This score is contained in each vulnerability definition. We have included a quantitative risk assessment algorithm.

Personal tools
Create a book