slide1
Download
Skip this Video
Download Presentation
Generation of Scenario Graphs Using Model Checking

Loading in 2 Seconds...

play fullscreen
1 / 13

Generation of Scenario Graphs Using Model Checking - PowerPoint PPT Presentation


  • 97 Views
  • Uploaded on

Generation of Scenario Graphs Using Model Checking Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU). Example of Attack Graph Developed by a Professional Red Team.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Generation of Scenario Graphs Using Model Checking' - azriel


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1
Generation of Scenario Graphs Using Model Checking

Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU),

Jeannette Wing (CMU)

example of attack graph developed by a professional red team
Example of Attack Graph Developed by a Professional Red Team
  • Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment

Sandia Red Team “White Board” attack graph from DARPA CC20008 Information battle space preparation experiment

Drawn By Hand

definitions
Definitions
  • Given
    • a finite state model M
    • a correctness property F
  • An failure scenario is an execution of M that violates F.
  • An scenario graph is a set of failure scenarios of M.
properties of scenario graphs
Properties of Scenario Graphs
  • Exhaustive
    • All possible failure scenarios are represented in G.
  • Succinct
    • Only relevant states are contained in G.
    • Only relevant transitions are contained in G.
problem statement
Problem Statement
  • Problem: Generating scenario graphs by hand is tedious, error-prone, and impractical for large systems.
  • Our Goal: Automate the generation and analysis of scenario graphs.
    • Generation
      • Must be fast and completely automatic
      • Must handle large, realistic examples
      • Should guarantee properties of scenario graphs
    • Analysis
      • Enables tool-aided post-generation analysis
overview of our method
Overview of Our Method

System Model

Correctness Property

Generator

Phase 1

Scenario Graph

Annotations

Query: What system transitions lead to failure?

Query: What is the likelihood of failure?

Phase 2

CostAnalyzer

ReliabilityAnalyzer

MinimizationAnalyzer

Scenario Subgraph

Probabilistic Scenario Graph

explicit state scenario graph generation
Explicit-State Scenario Graph Generation
  • Based on Automata-Theoretic Model Checking
    • Interpret both model M and correctness property F as Buchi automata.
    • M and Finduce languages L(M), L(F).
    • L(M)\L(F) = executions of M that violate F.
    • Construct M~F by computing intersection of Buchi automata.
  • F can be any LTL property.
explicit state algorithm illustrated
Explicit-State Algorithm Illustrated

Fc

LTL Property F =

Model M

a

¬c

c

T

¬F = G ¬c

Never c

a

a

a

d

a

a

a

a

a

a

b

a

a

a

a

a

d

c

b

b

b

a

c

explicit state algorithm cont
Explicit-State Algorithm (Cont.)

a

a

a

a

a

b

Find strongly connected

components (SCCs) (R. Tarjan ’72)

a

a

Collect SCCs with acceptance states

a

a

a

Add paths from initial states

d

a

a

b

b

a

c

performance
Performance

Linear Regression R2 = 0.9967

state hashing
State Hashing

Method

Full State

Hashcompact

Traceback

Performance

(Amortized)

O(E)

O(E)

O(E)O(depth)

Memory Overhead

per State

Full State Size

8 bytes

14 bytes

Complete

Coverage

Partial

Coverage

Complete

Coverage

Completeness

example attack graph
Example Attack Graph

Begin

IIS buffer

overflow

CAN-2002-0364

Squid portscan

CVE-2001-1030

LICQ remote-

to-user

CVE-2001-0439

Local buffer

overflow

CVE-2002-0004

Done!

Security property (LTL):

G (intruder.privilege(host) < root)

application attack graphs
Application: Attack Graphs

Model Builder

Host Configuration Data

Outpost

Server

SQL

database

Network

Configuration Data

MITRE

Attack Graph Generators

Outpost

Clients

System and Goal Specification

Attack Graph

Analyzers

Graphical User Interface

ad