A Graph-Based System for Network-Vulnerability Analysis

1998 | Cynthia Phillips, Laura Painton Swiler
This paper presents a graph-based approach to network vulnerability analysis. The method is flexible, allowing analysis of attacks from both inside and outside the network. It can analyze risks to a specific network asset or examine the universe of possible consequences following a successful attack. The graph-based tool can identify attack paths with a high probability of success or a low effort cost for the attacker. The system could be used to test the effectiveness of configuration changes, intrusion detection systems, etc. The analysis system requires a database of common attacks, network configuration and topology information, and an attacker profile. Attack information is matched with the network configuration and attacker profile to create a superset attack graph. Nodes represent attack stages, such as the class of machines the attacker has accessed and the user privilege level. Arcs represent attacks or attack stages. Probabilities of success or effort costs are assigned to arcs, allowing graph algorithms such as shortest-path algorithms to identify high-probability attack paths.

The system can answer "what-if" questions about the effects of configuration changes, such as topology changes or intrusion detection system installation. It can indicate which attacks are possible only for highly skilled attackers and which can be achieved with lower effort. It can also simulate dynamic attacks and use the results to test intrusion detection systems. The system is based on an attack graph in which each node represents a possible attack state and each edge represents a change in state caused by an attacker action. Attack graphs are generated from attack templates, configuration files, and attacker profiles. Attack templates represent generic attacks, including the conditions that must hold for the attack to be possible. Configuration files provide detailed information about the network, and attacker profiles contain information about the attacker's capabilities.

The system can model time dependencies, multiple attempts, and multi-prong attacks. It can also identify new attacks and provide more informative output for system administrators with limited security experience. The system is more comprehensive than existing tools because it considers the physical network topology in conjunction with the set of attacks. It can be used to determine low-cost attack paths, find cost-effective defenses, simulate dynamic attacks, and test intrusion detection systems. It is more effective than existing tools at modeling dynamic aspects of the network and attacker capabilities, and it can identify undesirable activities an attacker could perform once they have entered the network. The system addresses many modeling issues that current scanning technology cannot: dynamic aspects of the network, several levels of attacker capability, user access levels and transitions, and time dependencies in sequences of attacks. It can be used to test intrusion detection systems and to identify the most cost-effective set and placement of defenses. The system is an advance in network-vulnerability modeling and will ultimately help network security if implemented in a reasonable way.
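The summary above describes arcs weighted by success probability or effort cost, shortest-path search for the most likely or cheapest attack path, and "what-if" questions about configuration changes. The following added example (not code from the paper; the graph, template names and all numeric values are constructed) shows those three ideas on a toy attack graph: Dijkstra over effort costs, the same search over -log(p) to maximise the product of success probabilities, and a what-if that blocks every arc of one attack template.

```python
import heapq
import math

# Constructed attack graph (made-up values, not from the paper): a node is an
# attacker state "<privilege>@<machine class>"; an arc is an instance of an
# attack template with a probability of success p and an effort cost.
ATTACK_GRAPH = {
    "outside": [("user@dmz_web", "remote_service_flaw", 0.6, 4),
                ("user@dmz_web", "guessed_password", 0.2, 1)],
    "user@dmz_web": [("root@dmz_web", "local_privilege_escalation", 0.7, 3),
                     ("user@fileserver", "trust_relationship", 0.5, 2)],
    "root@dmz_web": [("user@fileserver", "sniffed_credentials", 0.9, 2)],
    "user@fileserver": [("root@fileserver", "local_privilege_escalation", 0.7, 3)],
}


def best_path(graph, start, goal, metric):
    """Dijkstra over the attack graph. metric="effort" minimises summed
    effort cost; metric="probability" maximises the product of success
    probabilities, i.e. minimises the sum of -log(p). Returns
    (value, [arc labels]) or None when the goal state is unreachable."""
    def weight(p, cost):
        return cost if metric == "effort" else -math.log(p)

    frontier = [(0.0, start, [])]
    settled = set()
    while frontier:
        dist, node, path = heapq.heappop(frontier)
        if node in settled:
            continue
        settled.add(node)
        if node == goal:
            return (dist if metric == "effort" else math.exp(-dist)), path
        for dst, label, p, cost in graph.get(node, []):
            heapq.heappush(frontier, (dist + weight(p, cost), dst, path + [label]))
    return None


def what_if_block(graph, label):
    """'What-if' analysis: a defence that blocks every arc using one template."""
    return {n: [a for a in arcs if a[1] != label] for n, arcs in graph.items()}


if __name__ == "__main__":
    goal = "root@fileserver"
    print("lowest effort:", best_path(ATTACK_GRAPH, "outside", goal, "effort"))
    print("most probable:", best_path(ATTACK_GRAPH, "outside", goal, "probability"))
    patched = what_if_block(ATTACK_GRAPH, "trust_relationship")
    print("after blocking trust_relationship:", best_path(patched, "outside", goal, "effort"))
```

Blocking the trust relationship raises the cheapest path's effort from 6 to 9, while blocking local privilege escalation makes the goal unreachable, which is the kind of comparison the paper uses to rank defenses.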