Scenario Graphs and Attack Graphs: a Summary

For the past twenty years, model checking has been used successfully in many engineering projects. Model checkers assist the engineer in identifying automatically individual design flaws in a system. A typical model checker takes as input a model of the system and a correctness specification. It checks the model against the specification for erroneous behavior. If erroneous behavior exists, the model checker produces an example that helps the user understand and address the problem. Once the problem is fixed, the user can repeat the process until the model satisfies the specification perfectly. In some situations the process of repeatedly checking for and fixing individual flaws does not work well. Sometimes it is not feasible to eliminate every undesirable behavior. For instance, network security cannot in practice be made perfect due to a combination of factors: software complexity, desire to keep up with the latest features, expense of fixing known system vulnerabilities, etc. Despite these difficulties, network system administrators would invest the time and resources necessary to find and prevent the most destructive intrusion scenarios. However, the “find problemfix problem-repeat” engineering paradigm inherent in traditional uses of model checkers does not make it easy to prioritize the problems and focus the limited available resources on the most pressing tasks. We adapt model checking to situations where the ideal of a perfect design is not feasible. A recently proposed formalism appropriate for this task is failure scenario graphs [8]. Informally, a failure scenario graph is a succinct representation of all execution paths through a system that violate some correctness condition. Scenario graphs show everything that can go wrong in a system, leaving the engineer free to prioritize the problems as appropriate. In Sections 2-4 we give formal definitions for scenario graphs and develop algorithms that generate scenario graphs automatically from finite models. In Section 2 we define scenario graphs and the associated terminology used throughout the thesis. Section 3 presents algorithms for generating scenario graphs from finite models. In Section 4 we measure performance of our scenario graph generator and evaluate some algorithmic adjustments that trade off running time and completeness guarantees for memory requirements. Sections 5-9 contains a detailed discussion of a specific kind of scenario graph: attack graphs. In Section 6 we give general definitions for attack models and attack graphs. Section 7 narrows the definitions specifically to the domain of network security. In Section 8 we consider some post-generation analyses that can be done on attack graphs to help solve real-world questions about network security. Section 9 focuses on the practical aspects of building a usable attack graph tool. We discuss several approaches to collecting the data necessary to build the network model.