Scenario graphs and attack graphs

We develop formal techniques that give users flexibility in examining design errors discovered by automated analysis. We build our results using the model checking approach to verification. The two inputs to a model checker are a finite system model and a formal correctness property specifying acceptable behaviors. The correctness property induces a bipartition on the set of behaviors of the model: correct behaviors, which satisfy the property, and faulty behaviors, which violate the property. Traditional model checkers give users a single counterexample, chosen from the set of faulty behaviors. Giving the user access to the entire set, however, lets the user have more control over the design refinement process. The focus of our work is on ways of generating, presenting, and analyzing faulty behavior sets. We present our results in two parts. In Part I we introduce concepts that let us define faulty behavior sets as failure scenario graphs. We then describe algorithms for generating scenario graphs. The algorithms use model checking techniques to produce faulty behavior sets that are sound and complete. In Part II we apply our formal concepts to the security domain. Building on the foundation established in Part I, we define and analyze attack graphs, an application of scenario graphs to represent ways in which intruders attack computer networks. This application of formal analysis contributes to techniques and tools for strengthening network security.
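As an added example (not code from the thesis), the construction the abstract describes on a constructed toy model: a finite transition system over a small network, a safety property, and a generator for the failure scenario graph that keeps every reachable state and transition lying on some path to a violating state (forward reachability, then a backward fixpoint from the violating states), followed by one analysis that only the whole faulty behavior set supports. All state labels and action names are assumptions made for this illustration.

```python
from collections import deque

# Constructed toy model (not from the thesis): a state is the frozenset of what
# the intruder has achieved so far; step() is the finite model's transition
# function. exploit_mail is nondeterministic: it succeeds or trips the IDS,
# and a "detected" intruder is locked out (a dead end for the analysis).
def step(state, disabled=frozenset()):
    if "detected" in state:
        return []
    rules = [  # (action, enabled?, possible effects)
        ("exploit_web", "user_web" not in state, [{"user_web"}]),
        ("exploit_mail", "user_mail" not in state, [{"user_mail"}, {"detected"}]),
        ("trust_db", "user_web" in state and "user_db" not in state, [{"user_db"}]),
        ("local_db", "user_db" in state and "root_db" not in state, [{"root_db"}]),
    ]
    return [(a, state | e) for a, ok, effs in rules if ok and a not in disabled for e in effs]

def violates(state):  # safety property: the intruder never gets root on the DB host
    return "root_db" in state

def explore(init, disabled=frozenset()):
    """Forward reachability: the model checker's explored state graph."""
    graph, todo = {}, deque([init])
    while todo:
        s = todo.popleft()
        if s not in graph:
            graph[s] = step(s, disabled)
            todo.extend(t for _, t in graph[s])
    return graph

def scenario_graph(init, disabled=frozenset()):
    """All reachable states and transitions on some path to a violating state.
    Sound: every path in it is a faulty behaviour of the model; complete: every
    faulty behaviour of the model is a path in it. Dead ends are pruned."""
    graph = explore(init, disabled)
    keep = {s for s in graph if violates(s)}
    while True:  # backward fixpoint from the violating states
        more = {s for s, succ in graph.items() if any(t in keep for _, t in succ)} - keep
        if not more:
            return keep, [(s, a, t) for s in keep for a, t in graph[s] if t in keep]
        keep |= more

def critical_actions(init):
    """Actions whose removal alone empties the scenario graph, i.e. every faulty
    behaviour needs them: an analysis only the whole set of behaviours supports."""
    actions = {a for succ in explore(init).values() for a, _ in succ}
    return sorted(a for a in actions if not scenario_graph(init, {a})[0])
```

A single counterexample would show one of the paths to root; the graph shows all of them, so the three states in which the IDS has locked the intruder out are pruned, and `critical_actions` identifies which transitions every faulty behavior depends on.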
