Presentation is loading. Please wait.

Presentation is loading. Please wait.

Generation of Scenario Graphs Using Model Checking

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Generation of Scenario Graphs Using Model Checking"— Presentation transcript:

1 Generation of Scenario Graphs Using Model Checking
Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU) Hello, and thank you all for coming. My name is Oleg Sheyner. I am a graduate student working with Jeannette Wing, and she invited me here to give this talk. So, let’s jump right into it… [c] 1 1

2 Example of Attack Graph Developed by a Professional Red Team
This is an attack graph produced a few years ago by a professional Red Team as part of a DARPA study. The graph flows from left to right; the initial nodes on the left represent the state of the network before any penetration has occurred. Each edge in the graph corresponds to a penetration step taken by a hypothetical intruder, leading to another node that represents the new state of the network, and so on until the intruder reaches his goal. A single path from a node on the left to a node on the right represents a sequence of attack steps executed by the intruder in the course of the attack. This graph was created by hand [c], which as you can imagine can be a tedious process. Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment Sandia Red Team “White Board” attack graph from DARPA CC20008 Information battle space preparation experiment Drawn By Hand

3 Definitions Given a finite state model M a correctness property F An failure scenario is an execution of M that violates F. An scenario graph is a set of failure scenarios of M. To begin, define more precisely what we meant by ‘attack’, ‘attack scenario’, and ‘attack graph’

4 Properties of Scenario Graphs
Exhaustive All possible failure scenarios are represented in G. Succinct Only relevant states are contained in G. Only relevant transitions are contained in G. Desirable properties for automatically-generated attack graphs.

5 Problem Statement Problem: Generating scenario graphs by hand is tedious, error-prone, and impractical for large systems. Our Goal: Automate the generation and analysis of scenario graphs. Generation Must be fast and completely automatic Must handle large, realistic examples Should guarantee properties of scenario graphs Analysis Enables tool-aided post-generation analysis So, attack graphs are useful, but generating them by hand is less than ideal. The process is labor-intensive, error-prone, and impractical for large systems. [c] What we would like is to generate such graphs automatically, and then get the computer to help the system administrator with post-generation analysis tasks. Specifically, we’d like generation to be fast, automatic, and scalable. Further, the attack graphs that we produce should neither miss attack scenarios nor include states that do not figure in any scenario.

6 Overview of Our Method Phase 1 Generator System Model
Correctness Property Scenario Graph Minimization Analyzer Query: What system transitions lead to failure? Scenario Subgraph Cost Analyzer Phase 2 Annotations Reliability Analyzer Query: What is the likelihood of failure? Probabilistic Scenario Graph Our method consists of two phases. In the first phase we create an appropriate model of the network and specify some security property that we desire to hold. The model and the property are handed off to a generator that creates an attack graph, showing all attack scenarios that lead to a violation of the security property. [c] In the second phase the raw attack graph may be annotated with additional relevant information and handed off to various analysis tools. I will cover some of the analyses today.

7 Symbolic Scenario Graph Generation
Inputs S, S0  S, R  S X S F = AG (~unsafe) (a safety property) Output Scenario graph G = (Sunsafe, S0F, RF ) Algorithm Sunsafe = modelCheck(S, S0, R, F) (* Use an iterative algorithm derived from the fixpoint characterization of AG operator. *) S0F = S0  Sunsafe RF = R  (Sunsafe X Sunsafe) Symbolic attack graph generation

8 Explicit-State Scenario Graph Generation
Based on Automata-Theoretic Model Checking Interpret both model M and correctness property F as Buchi automata. M and F induce languages L(M), L(F). L(M)\L(F) = executions of M that violate F. Construct M  ~F by computing intersection of Buchi automata. F can be any LTL property.

9 Explicit-State Algorithm Illustrated
LTL Property F = F c c a d b Model M Never c ¬F = G ¬c ¬c c T c a d b

10 Explicit-State Algorithm (Cont.)
Find strongly connected components (SCCs) (R. Tarjan ’72) a a Collect SCCs with acceptance states a a a Add paths from initial states d a a a b a b b a c

11 Performance Linear Regression R2 =

12 State Hashing Method Performance (Amortized) Memory Overhead per State
Completeness Hashcompact O(E) 8 bytes Partial Coverage Traceback O(E)O(depth) 14 bytes Complete Coverage Full State O(E) Full State Size Complete Coverage

13 Security property (LTL): G (intruder.privilege(host) < root)
Example Attack Graph Security property (LTL): G (intruder.privilege(host) < root) Begin IIS buffer overflow CAN Squid portscan CVE LICQ remote- to-user CVE Local buffer overflow CVE Done!

14 Application: Attack Graphs
MITRE SQL database Outpost Server Clients Model Builder System and Goal Specification Host Configuration Data Network Configuration Data Attack Graph Generators Graphical User Interface Attack Graph Analyzers

Download ppt "Generation of Scenario Graphs Using Model Checking"

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Testing Workflow Purpose

Testing Workflow Purpose
Test Yaodong Bi.

Test Yaodong Bi.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Testing and Quality Assurance

Testing and Quality Assurance
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
White Box Testing and Symbolic Execution Written by Michael Beder.

White Box Testing and Symbolic Execution Written by Michael Beder.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.

Similar presentations

Ads by Google