CHAPTER 9 – Scenario Graphs Applied to Network Security

Traditional model checking produces one counterexample to illustrate a violation of a property by a model of the system. Some applications benefit from having all counterexamples, not just one. We call this set of counterexamples a scenario graph. In this chapter we present two different algorithms for producing scenario graphs and explain how scenario graphs are a natural representation for attack graphs used in the security community. Through a detailed concrete example, we show how we can model a computer network and generate and analyze attack graphs automatically. The attack graph we produce for a network model shows all ways in which an intruder can violate a given desired security property.

[1]  Oleg Sheyner,et al.  Attack scenario graphs for computer network threat analysis and prediction , 2003, Complex.

[2]  Robert E. Tarjan,et al.  Depth-First Search and Linear Graph Algorithms , 1972, SIAM J. Comput..

[3]  Cynthia A. Phillips,et al.  Computer-attack graph generation tool , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[4]  Frédéric Cuppens,et al.  LAMBDA: A Language to Model a Database for Detection of Attacks , 2000, Recent Advances in Intrusion Detection.

[5]  Giorgio Ausiello,et al.  Structure Preserving Reductions among Convex Optimization Problems , 1980, J. Comput. Syst. Sci..

[6]  Rodolphe Ortalo,et al.  Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security , 1999, IEEE Trans. Software Eng..

[7]  Somesh Jha,et al.  Two formal analyses of attack graphs , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[8]  Paul Ammann,et al.  Using model checking to analyze network vulnerabilities , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[9]  Jeannette M. Wing Scenario Graphs Applied to Security (Extended Abstract) , 2005, VISSAS.

[10]  Frédéric Cuppens,et al.  Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[11]  Gerard J. Holzmann,et al.  The SPIN Model Checker , 2003 .

[12]  Fausto Giunchiglia,et al.  NUSMV: a new symbolic model checker , 2000, International Journal on Software Tools for Technology Transfer.

[13]  Jeannette M. Wing,et al.  Scenario graphs and attack graphs , 2004 .

[14]  Somesh Jha,et al.  Survivability analysis of networked systems , 2001, Proceedings of the 23rd International Conference on Software Engineering. ICSE 2001.

[15]  Edmund M. Clarke,et al.  Model Checking , 1999, Handbook of Automated Reasoning.

[16]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[17]  Ronald L. Rivest,et al.  Introduction to Algorithms, Second Edition , 2001 .

[18]  Somesh Jha,et al.  Minimization and Reliability Analyses of Attack Graphs , 2002 .

[19]  Giovanni Vigna,et al.  NetSTAT: A Network-based Intrusion Detection System , 1999, J. Comput. Secur..

[20]  Edmund M. Clarke,et al.  Ranking Attack Graphs , 2006, RAID.

[21]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[22]  Jeannette M. Wing Survivability analysis of networked systems , 2000, FORTE.

[23]  Cynthia A. Phillips,et al.  A graph-based system for network-vulnerability analysis , 1998, NSPW '98.

[24]  Gerard J. Holzmann,et al.  The SPIN Model Checker - primer and reference manual , 2003 .

[25]  Randal E. Bryant,et al.  Graph-Based Algorithms for Boolean Function Manipulation , 1986, IEEE Transactions on Computers.

[26]  Jeannette M. Wing,et al.  Tools for Generating and Analyzing Attack Graphs , 2003, FMCO.

[27]  Ronald L. Rivest,et al.  Introduction to Algorithms , 1990 .

[28]  Steven J. Templeton,et al.  A requires/provides model for computer attacks , 2001, NSPW '00.

[29]  Pierre Wolper,et al.  Simple on-the-fly automatic verification of linear temporal logic , 1995, PSTV.