This presentation is the property of its rightful owner.
1 / 13

# Generation of Scenario Graphs Using Model Checking PowerPoint PPT Presentation

Generation of Scenario Graphs Using Model Checking Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU). Example of Attack Graph Developed by a Professional Red Team.

Generation of Scenario Graphs Using Model Checking

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

#### Presentation Transcript

Generation of Scenario Graphs Using Model Checking

Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU),

Jeannette Wing (CMU)

### Example of Attack Graph Developed by a Professional Red Team

• Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment

Sandia Red Team “White Board” attack graph from DARPA CC20008 Information battle space preparation experiment

Drawn By Hand

### Definitions

• Given

• a finite state model M

• a correctness property F

• An failure scenario is an execution of M that violates F.

• An scenario graph is a set of failure scenarios of M.

### Properties of Scenario Graphs

• Exhaustive

• All possible failure scenarios are represented in G.

• Succinct

• Only relevant states are contained in G.

• Only relevant transitions are contained in G.

### Problem Statement

• Problem: Generating scenario graphs by hand is tedious, error-prone, and impractical for large systems.

• Our Goal: Automate the generation and analysis of scenario graphs.

• Generation

• Must be fast and completely automatic

• Must handle large, realistic examples

• Should guarantee properties of scenario graphs

• Analysis

• Enables tool-aided post-generation analysis

### Overview of Our Method

System Model

Correctness Property

Generator

Phase 1

Scenario Graph

Annotations

Query: What system transitions lead to failure?

Query: What is the likelihood of failure?

Phase 2

CostAnalyzer

ReliabilityAnalyzer

MinimizationAnalyzer

Scenario Subgraph

Probabilistic Scenario Graph

### Explicit-State Scenario Graph Generation

• Based on Automata-Theoretic Model Checking

• Interpret both model M and correctness property F as Buchi automata.

• M and Finduce languages L(M), L(F).

• L(M)\L(F) = executions of M that violate F.

• Construct M~F by computing intersection of Buchi automata.

• F can be any LTL property.

Fc

LTL Property F =

Model M

a

¬c

c

T

¬F = G ¬c

Never c

a

a

a

d

a

a

a

a

a

a

b

a

a

a

a

a

d

c

b

b

b

a

c

### Explicit-State Algorithm (Cont.)

a

a

a

a

a

b

Find strongly connected

components (SCCs) (R. Tarjan ’72)

a

a

Collect SCCs with acceptance states

a

a

a

d

a

a

b

b

a

c

### Performance

Linear Regression R2 = 0.9967

Method

Full State

Hashcompact

Traceback

Performance

(Amortized)

O(E)

O(E)

O(E)O(depth)

per State

Full State Size

8 bytes

14 bytes

Complete

Coverage

Partial

Coverage

Complete

Coverage

Completeness

### Example Attack Graph

Begin

IIS buffer

overflow

CAN-2002-0364

Squid portscan

CVE-2001-1030

LICQ remote-

to-user

CVE-2001-0439

Local buffer

overflow

CVE-2002-0004

Done!

Security property (LTL):

G (intruder.privilege(host) < root)

### Application: Attack Graphs

Model Builder

Host Configuration Data

Outpost

Server

SQL

database

Network

Configuration Data

MITRE

Attack Graph Generators

Outpost

Clients

System and Goal Specification

Attack Graph

Analyzers

Graphical User Interface