Scenario Graphs and Attack Graphs: a Summary
Author
Abstract
For the past twenty years, model checking has been used successfully in many engineering projects. Model checkers assist the engineer in automatically identifying individual design flaws in a system. A typical model checker takes as input a model of the system and a correctness specification. It checks the model against the specification for erroneous behavior. If erroneous behavior exists, the model checker produces an example that helps the user understand and address the problem. Once the problem is fixed, the user can repeat the process until the model satisfies the specification perfectly.

In some situations the process of repeatedly checking for and fixing individual flaws does not work well. Sometimes it is not feasible to eliminate every undesirable behavior. For instance, network security cannot in practice be made perfect due to a combination of factors: software complexity, desire to keep up with the latest features, expense of fixing known system vulnerabilities, etc. Despite these difficulties, network system administrators would invest the time and resources necessary to find and prevent the most destructive intrusion scenarios. However, the "find problem-fix problem-repeat" engineering paradigm inherent in traditional uses of model checkers does not make it easy to prioritize the problems and focus the limited available resources on the most pressing tasks.

We adapt model checking to situations where the ideal of a perfect design is not feasible. A recently proposed formalism appropriate for this task is failure scenario graphs [8]. Informally, a failure scenario graph is a succinct representation of all execution paths through a system that violate some correctness condition. Scenario graphs show everything that can go wrong in a system, leaving the engineer free to prioritize the problems as appropriate.
In Sections 2-4 we give formal definitions for scenario graphs and develop algorithms that generate scenario graphs automatically from finite models. In Section 2 we define scenario graphs and the associated terminology used throughout the thesis. Section 3 presents algorithms for generating scenario graphs from finite models. In Section 4 we measure the performance of our scenario graph generator and evaluate some algorithmic adjustments that trade off running time and completeness guarantees for memory requirements. Sections 5-9 contain a detailed discussion of a specific kind of scenario graph: attack graphs. In Section 6 we give general definitions for attack models and attack graphs. Section 7 narrows the definitions specifically to the domain of network security. In Section 8 we consider some post-generation analyses that can be done on attack graphs to help solve real-world questions about network security. Section 9 focuses on the practical aspects of building a usable attack graph tool. We discuss several approaches to collecting the data necessary to build the network model.
Similar resources
An Ant Colony Optimization Algorithm for Network Vulnerability Analysis
Intruders often combine exploits against multiple vulnerabilities in order to break into the system. Each attack scenario is a sequence of exploits launched by an intruder that leads to an undesirable state such as access to a database, service disruption, etc. The collection of possible attack scenarios in a computer network can be represented by a directed graph, called network attack gra...
A particle swarm optimization algorithm for minimization analysis of cost-sensitive attack graphs
To prevent an exploit, the security analyst must implement a suitable countermeasure. In this paper, we consider cost-sensitive attack graphs (CAGs) for network vulnerability analysis. In these attack graphs, a weight is assigned to each countermeasure to represent the cost of its implementation. There may be multiple countermeasures with different weights for preventing a single exploit. Also,...
Scenario Graphs Applied to Network Security
Traditional model checking produces one counterexample to illustrate a violation of a property by a model of the system. Some applications benefit from having all counterexamples, not just one. We call this set of counterexamples a scenario graph. In this chapter we present two different algorithms for producing scenario graphs and explain how scenario graphs are a natural representation for at...
Scenario Graphs and Attack Graphs
ly, an attack graph is a collection of scenarios showing how a malicious agent can compromise the integrity of a target system. Such graphs are a natural application of the scenario graph formalism defined in Chapter 2. With a suitable model of the system, we can use the techniques developed in Part I to generate attack graphs automatically. In this context, correctness properties specify the n...
An Approach to Model Network Exploitations Using Exploitation Graphs
In this article, a modeling process is defined to address challenges in analyzing attack scenarios and mitigating vulnerabilities in networked environments. Known system vulnerability data, system configuration data, and vulnerability scanner results are considered to create exploitation graphs (e-graphs) that are used to represent attack scenarios. Experiments carried out in a cluster computin...