1 / 13

Generation of Scenario Graphs Using Model Checking

Generation of Scenario Graphs Using Model Checking Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU). Example of Attack Graph Developed by a Professional Red Team.

jacqueline-chapman
Download Presentation

Generation of Scenario Graphs Using Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Generation of Scenario Graphs Using Model Checking Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU)

  2. Example of Attack Graph Developed by a Professional Red Team • Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment Sandia Red Team “White Board” attack graph from DARPA CC20008 Information battle space preparation experiment Drawn By Hand

  3. Definitions • Given • a finite state model M • a correctness property F • An failure scenario is an execution of M that violates F. • An scenario graph is a set of failure scenarios of M.

  4. Properties of Scenario Graphs • Exhaustive • All possible failure scenarios are represented in G. • Succinct • Only relevant states are contained in G. • Only relevant transitions are contained in G.

  5. Problem Statement • Problem: Generating scenario graphs by hand is tedious, error-prone, and impractical for large systems. • Our Goal: Automate the generation and analysis of scenario graphs. • Generation • Must be fast and completely automatic • Must handle large, realistic examples • Should guarantee properties of scenario graphs • Analysis • Enables tool-aided post-generation analysis

  6. Overview of Our Method System Model Correctness Property Generator Phase 1 Scenario Graph Annotations Query: What system transitions lead to failure? Query: What is the likelihood of failure? Phase 2 CostAnalyzer ReliabilityAnalyzer MinimizationAnalyzer … Scenario Subgraph Probabilistic Scenario Graph

  7. Explicit-State Scenario Graph Generation • Based on Automata-Theoretic Model Checking • Interpret both model M and correctness property F as Buchi automata. • M and Finduce languages L(M), L(F). • L(M)\L(F) = executions of M that violate F. • Construct M~F by computing intersection of Buchi automata. • F can be any LTL property.

  8. Explicit-State Algorithm Illustrated Fc LTL Property F = Model M a ¬c c T ¬F = G ¬c Never c a a a d a a a a a a b a a a a a d c b b b a c ∩

  9. Explicit-State Algorithm (Cont.) a a a a a b Find strongly connected components (SCCs) (R. Tarjan ’72) a a Collect SCCs with acceptance states a a a Add paths from initial states d a a b b a c

  10. Performance Linear Regression R2 = 0.9967

  11. State Hashing Method Full State Hashcompact Traceback Performance (Amortized) O(E) O(E) O(E)O(depth) Memory Overhead per State Full State Size 8 bytes 14 bytes Complete Coverage Partial Coverage Complete Coverage Completeness

  12. Example Attack Graph Begin IIS buffer overflow CAN-2002-0364 Squid portscan CVE-2001-1030 LICQ remote- to-user CVE-2001-0439 Local buffer overflow CVE-2002-0004 Done! Security property (LTL): G (intruder.privilege(host) < root)

  13. Application: Attack Graphs Model Builder Host Configuration Data Outpost Server SQL database Network Configuration Data MITRE Attack Graph Generators Outpost Clients System and Goal Specification Attack Graph Analyzers Graphical User Interface

More Related