MulVAL: A logic-based, data-driven enterprise security analyzer

Table of Contents

  1. Quick Overview
  2. Requirements
  3. Download
  4. Installation
  5. Usage
  6. Contacts


MulVAL is a tool for enterprise network security analysis. It uses vulnerability scanners (OVAL/Nessus) and reasons about attack paths from the input, which includes both scanning results and network reachability information.


Operating Systems

The current version of MulVAL has been tested on the Linux and Mac OS X operating systems.


To run MulVAL, you need to have the following software installed and make sure both the program "xsb" and "dot" reside in your PATH.


The current stable version is MulVAL v1.1


$ tar xzf mulval.tar.gz
  The environmental variable MULVALROOT should point to this package's root folder
  Include $MULVALROOT/bin and $MULVALROOT/utils in PATH
  Type "make" to compile everything


You can either run the MulVAL attack-graph generator directly, if you already have an input file; or you can run the appropriate adapters to create the input files and then run the attack-graph generator.

I. Running MulVAL directly INPUT_FILE [OPTIONS] 

     There is a simple input file in testcases/3host/input.P. This input is for the
     3-host example in the MulVAL publications [1,2]. You can run it to check whether 
     the attack-graph generator is working correctly: input.P -v -p

     This will generate an attack graph that matches the description in the papers.
     Please note that the "-p" option SHOULD NOT BE INVOKED for production use, since it 
     will exponentially slow down the attack-graph generation process, and all it does is 
     to make the attack graph visually palatable (try the above command without the -p option).

     By default MulVAL outputs the attack graph in textual format (AttackGraph.txt) and
     xml format (AttackGraph.xml). The meaning of these formats are self-explanatory. 
     When the "-v" option is invoked, a visual representation of the attack graph will be 
     produced in AttackGraph.pdf through GraphViz. If you have the environment variable 
     PDF_READER set up, the program will be used to open the pdf file automatically.

     When the appropriate options are specified (see below), MulVAL also outputs the 
     attack-graph information in CSV format: VERTICES.CSV and ARCS.CSV. The CSV files can 
     be used by a render program to produce various views of the attack graph later (see below).

     MulVAL will also output a number of other temporary files in the folder where the program
     is run. So it is a good idea to run it in a separate folder to avoid cluttering.



            -l:  output the attack-graph in .CSV format
            -v:  output the attack-graph in .CSV and .PDF format
            -p:  perform deep trimming on the attack graph to improve visualization


            -r | --rulefile RULE_FILE
                 Use RULE_FILE as the interaction ruleset (see III.A)
            -a | --additional ADDITIONAL_RULE_FILE
                 Use ADDITIONAL_RULE_FILE in addition to the specified interaction ruleset (see III.A)

            -g | --goal ATTACK_GOAL
                 Specify a single attack goal

            --cvss:     use the CVSS information contained in the input file

            -ma:        use the CVSS information contained in the input file, 
                        and perform grouping on the input file. When this option is used,
                        the input file must contain the grouping information (see section II below)


            --arclabel: output lables for the arcs
            --reverse:  output the arcs in the reverse order
            --nometric: do not show the metric information
            --simple:   do not show the vertex fact labels 
                        (USE THIS OPTION WHEN THE ATTACK GRAPH BECOMES TOO BIG to visualize)

     After you have run the script, you can also invoke the to use the
     different rendering options. Simply issue the command in the same directory. [RENDERING OPTIONS]

II. Preparing MulVAL input file using adapters

    This package contains a number of adpater programs to aid in creating MulVAL input files
    from an enterprise network. A number of steps need to be taken as outlined below.

        Step 1:
           Set up an empty MySQL database for storing NVD data, and put the database connection information
           into config.txt in a directory where you want to run the MulVAL adapters.

           Example config.txt:


           Then you can populate the NVD database by typing "". This needs to be done as often
           as desired to keep the local MySQL database in sync with NVD. 

        Step 2:
           Translating OVAL/Nessus report into Datalog format.

           For OVAL:


  	      -The first parameter is the xml file of OVAL scanning result.
	      -The output will be in oval.P, summ_oval.P, and grps_oval.P

	          oval.P is the raw input to MulVAL 

                  summ_oval.P is a summarized input after performing grouping as outlined in [3]. 
	          (grps_oval.P contains mapping from vuln groups to raw vuln's)

           For NESSUS:

	      -The first parameter is the XML file of NESSUS scanning result.
	      -The output will be in nessus.P, summ_nessus.P, and grps_nessus.P

	          nessus.P is the raw input to MulVAL 

                  summ_nessus.P is a summarized input after performing grouping as outlined in [3] 
	          (grps_nessus.P contains mapping from vuln groups to raw vuln's)

        Step 3:
           Creating hacl tuples

           We assume all machines within the same scanning report can be reached by each other freely. 
           The connection information can be customized as hacl(Host1, Host2, Protocol, Port) in the MulVAL 
           input file. All the translated input files will then need to be combined into a single input

        Step 4:
           Creating MulVAL attack graph

           Once the input file is created, please refer to the instruction in section I to generate
           attack graph.

III. Advanced Usage

A. Creating customized rule set.

    To develop your own interaction rules, you can create new rule files, e.g. "my_interaction_rules.P", 
    and use the "-r" or "-a" options to load your rule files. The default rule files can be found under 
    the kb/ folder in this package

    At the beginning of a rule file, you must declare the primitive and derived predicates, and table
    all derived predicates. Facts with primitive predicates come from the input, and facts with derived
    predicates are defined by the interaction rules. Every predicate used by the interaction rules must
    have a declaration of either "primitive" or "derived", otherwise you may get an error message of 
    "undefined predicate" during evaluation, and the attack graph generation may fail with a warning message 
    telling you which predicate's declaration is missing. Tabling will prevent the XSB reasoning engine
    from entering an infinite loop and increase the efficiency of reasoning by memoizing intermediate

    Each interaction rule is introduced by "interaction_rule(Rule, Label)", where Rule is a Datalog rule
    and Label is some plain-text explaining its meaning. The labels will become annotations in attack graph. 
    Once you have developed your own rule set, you can test it by using the "-r RULEFILE" option with 
    to let it load RULEFILE instead of using the default rulesets. If you want your rule file to be addition to
    the default ruleset, you can use the "-a RULEFILE" option instead.

B. Calculating risk metrics based on CVSS and MulVAL attack graph

    We have included a quantitative risk assessment algorithm based on Wang et al. [4]. It combines
    the CVSS metrics and the attack graph to compute a probabilistic risk metrics for the enterprise
    network. To run the metric program, type in the following command where the attack-graph output
    is located:

    There is also a script that integrates multiple steps: creating MulVAL attack graph, 
    running the risk metrics algorithm and display the attack graph with metrics: INPUT [OPTIONS]

    It will run MulVAL on the input file. This script will always use the -ma (modeling artifact) 
    option to generate attack graph. Please use summ_oval.P (generated by or 
    summ_nessus.P (generated by as the INPUT. Use OPTIONS to pass any additional 
    options to the MulVAL attack-graph generator (


For questions, please contact Xinming Ou.



The MulVAL project has been partially funded by the Idaho National Laboratory, National Science Foundation under award No. 0716665, 0954138, and 1018703, AFOSR under award No. FA9550-09-1-0138, and HP Labs Innovation Research Program. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.


  1. A scalable approach to attack graph generation. Xinming Ou, Wayne F. Boyer, and Miles A. McQueen. In 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, U.S.A., October 2006.
  2. MulVAL: A logic-based network security analyzer. Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel. In 14th USENIX Security Symposium, Baltimore, Maryland, U.S.A., August 2005.
  3. Effective network vulnerability assessment through model abstraction. Su Zhang, Xinming Ou, and John Homer. In: Proceedings of the Eighth SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 11), Amsterdam, The Netherlands, July 2011.
  4. An attack graph-based probabilistic security metric. Lingyu Wang, Tania Islam, Tao Long, Anoop Singhal, and Sushil Jajodia. In Proceedings of The 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSEC 08), 2008.

Last updated on Nov 22, 2013

Argus Cybersecurity Lab at Kansas State University