Combinatorial analysis of network security

We extend the traditional analysis of network vulnerability by searching for sequences of exploited vulnerabilities distributed throughout a network. While vulnerabilities considered in isolation may seem innocuous, when considered in combination they may lead to serious security breaches. Our approach establishes encoding rules to reason about interdependent vulnerabilities and exploits. It then reasons about the rules to perform critical failure analysis for a given network. We have developed a prototype software tool for automating the analysis, which can be integrated with existing network security tools such as vulnerability databases and network discovery tools. We demonstrate our approach through an example application. We also perform a scaling experiment to show the performance of our approach for larger networks.

[1]  P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[2]  Paul Ammann,et al.  Using model checking to analyze network vulnerabilities , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[3]  Edmund M. Clarke,et al.  Model Checking , 1999, Handbook of Automated Reasoning.

[4]  David Notkin,et al.  Model checking large software specifications , 1996, SIGSOFT '96.

[5]  Edmund M. Clarke,et al.  Symbolic Model Checking: 10^20 States and Beyond , 1990, Inf. Comput..

[6]  Gerard J. Holzmann,et al.  The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[7]  David Notkin,et al.  Model checking large software specifications , 1996, SIGSOFT '96.