Skip to Main Content
Because of increasing vulnerabilities, maturing attack tools, and increasing dependence on computer network infrastructure, tools to support network defenders are essential. Course-of-action recommendation research has often assumed a goal of perfect network security. In reality, network administrators balance security with usability and so tolerate vulnerabilities and imperfect security. We provide realistic course-of-action decision support for network administrators by minimizing connectivity in attack graphs, by optimizing network configuration changes to separate defence goals from attackers as much as possible, even when complete security is impractical. We introduce vertex closures and closure-relation graphs in AND/OR digraphs as the underlying framework. Computing an optimal course-of-action is NP-hard but we design a polynomial-time greedy algorithm that almost always produces an optimal solution.