Generation of Scenario Graphs Using Model Checking

1 / 13

# Generation of Scenario Graphs Using Model Checking - PowerPoint PPT Presentation

Generation of Scenario Graphs Using Model Checking Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU). Example of Attack Graph Developed by a Professional Red Team.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' Generation of Scenario Graphs Using Model Checking' - azriel

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Generation of Scenario Graphs Using Model Checking

Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU),

Jeannette Wing (CMU)

Example of Attack Graph Developed by a Professional Red Team
• Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment

Sandia Red Team “White Board” attack graph from DARPA CC20008 Information battle space preparation experiment

Drawn By Hand

Definitions
• Given
• a finite state model M
• a correctness property F
• An failure scenario is an execution of M that violates F.
• An scenario graph is a set of failure scenarios of M.
Properties of Scenario Graphs
• Exhaustive
• All possible failure scenarios are represented in G.
• Succinct
• Only relevant states are contained in G.
• Only relevant transitions are contained in G.
Problem Statement
• Problem: Generating scenario graphs by hand is tedious, error-prone, and impractical for large systems.
• Our Goal: Automate the generation and analysis of scenario graphs.
• Generation
• Must be fast and completely automatic
• Must handle large, realistic examples
• Should guarantee properties of scenario graphs
• Analysis
• Enables tool-aided post-generation analysis
Overview of Our Method

System Model

Correctness Property

Generator

Phase 1

Scenario Graph

Annotations

Query: What system transitions lead to failure?

Query: What is the likelihood of failure?

Phase 2

CostAnalyzer

ReliabilityAnalyzer

MinimizationAnalyzer

Scenario Subgraph

Probabilistic Scenario Graph

Explicit-State Scenario Graph Generation
• Based on Automata-Theoretic Model Checking
• Interpret both model M and correctness property F as Buchi automata.
• M and Finduce languages L(M), L(F).
• L(M)\L(F) = executions of M that violate F.
• Construct M~F by computing intersection of Buchi automata.
• F can be any LTL property.
Explicit-State Algorithm Illustrated

Fc

LTL Property F =

Model M

a

¬c

c

T

¬F = G ¬c

Never c

a

a

a

d

a

a

a

a

a

a

b

a

a

a

a

a

d

c

b

b

b

a

c

Explicit-State Algorithm (Cont.)

a

a

a

a

a

b

Find strongly connected

components (SCCs) (R. Tarjan ’72)

a

a

Collect SCCs with acceptance states

a

a

a

d

a

a

b

b

a

c

Performance

Linear Regression R2 = 0.9967

State Hashing

Method

Full State

Hashcompact

Traceback

Performance

(Amortized)

O(E)

O(E)

O(E)O(depth)

per State

Full State Size

8 bytes

14 bytes

Complete

Coverage

Partial

Coverage

Complete

Coverage

Completeness

Example Attack Graph

Begin

IIS buffer

overflow

CAN-2002-0364

Squid portscan

CVE-2001-1030

LICQ remote-

to-user

CVE-2001-0439

Local buffer

overflow

CVE-2002-0004

Done!

Security property (LTL):

G (intruder.privilege(host) < root)

Application: Attack Graphs

Model Builder

Host Configuration Data

Outpost

Server

SQL

database

Network

Configuration Data

MITRE

Attack Graph Generators

Outpost

Clients

System and Goal Specification

Attack Graph

Analyzers

Graphical User Interface