Generation of Scenario Graphs Using Model Checking
This presentation is the property of its rightful owner.
Sponsored Links
1 / 13

Generation of Scenario Graphs Using Model Checking PowerPoint PPT Presentation


  • 58 Views
  • Uploaded on
  • Presentation posted in: General

Generation of Scenario Graphs Using Model Checking Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU). Example of Attack Graph Developed by a Professional Red Team.

Download Presentation

Generation of Scenario Graphs Using Model Checking

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Generation of scenario graphs using model checking

Generation of Scenario Graphs Using Model Checking

Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU),

Jeannette Wing (CMU)


Example of attack graph developed by a professional red team

Example of Attack Graph Developed by a Professional Red Team

  • Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment

Sandia Red Team “White Board” attack graph from DARPA CC20008 Information battle space preparation experiment

Drawn By Hand


Definitions

Definitions

  • Given

    • a finite state model M

    • a correctness property F

  • An failure scenario is an execution of M that violates F.

  • An scenario graph is a set of failure scenarios of M.


Properties of scenario graphs

Properties of Scenario Graphs

  • Exhaustive

    • All possible failure scenarios are represented in G.

  • Succinct

    • Only relevant states are contained in G.

    • Only relevant transitions are contained in G.


Problem statement

Problem Statement

  • Problem: Generating scenario graphs by hand is tedious, error-prone, and impractical for large systems.

  • Our Goal: Automate the generation and analysis of scenario graphs.

    • Generation

      • Must be fast and completely automatic

      • Must handle large, realistic examples

      • Should guarantee properties of scenario graphs

    • Analysis

      • Enables tool-aided post-generation analysis


Overview of our method

Overview of Our Method

System Model

Correctness Property

Generator

Phase 1

Scenario Graph

Annotations

Query: What system transitions lead to failure?

Query: What is the likelihood of failure?

Phase 2

CostAnalyzer

ReliabilityAnalyzer

MinimizationAnalyzer

Scenario Subgraph

Probabilistic Scenario Graph


Explicit state scenario graph generation

Explicit-State Scenario Graph Generation

  • Based on Automata-Theoretic Model Checking

    • Interpret both model M and correctness property F as Buchi automata.

    • M and Finduce languages L(M), L(F).

    • L(M)\L(F) = executions of M that violate F.

    • Construct M~F by computing intersection of Buchi automata.

  • F can be any LTL property.


Explicit state algorithm illustrated

Explicit-State Algorithm Illustrated

Fc

LTL Property F =

Model M

a

¬c

c

T

¬F = G ¬c

Never c

a

a

a

d

a

a

a

a

a

a

b

a

a

a

a

a

d

c

b

b

b

a

c


Explicit state algorithm cont

Explicit-State Algorithm (Cont.)

a

a

a

a

a

b

Find strongly connected

components (SCCs) (R. Tarjan ’72)

a

a

Collect SCCs with acceptance states

a

a

a

Add paths from initial states

d

a

a

b

b

a

c


Performance

Performance

Linear Regression R2 = 0.9967


State hashing

State Hashing

Method

Full State

Hashcompact

Traceback

Performance

(Amortized)

O(E)

O(E)

O(E)O(depth)

Memory Overhead

per State

Full State Size

8 bytes

14 bytes

Complete

Coverage

Partial

Coverage

Complete

Coverage

Completeness


Example attack graph

Example Attack Graph

Begin

IIS buffer

overflow

CAN-2002-0364

Squid portscan

CVE-2001-1030

LICQ remote-

to-user

CVE-2001-0439

Local buffer

overflow

CVE-2002-0004

Done!

Security property (LTL):

G (intruder.privilege(host) < root)


Application attack graphs

Application: Attack Graphs

Model Builder

Host Configuration Data

Outpost

Server

SQL

database

Network

Configuration Data

MITRE

Attack Graph Generators

Outpost

Clients

System and Goal Specification

Attack Graph

Analyzers

Graphical User Interface


  • Login