9.8. Related Work
Generating a set of all counterexamples is a novel addition to the repertoire of model checking techniques. Sheyner’s dissertation [3] gives the most comprehensive description of scenario graphs and algorithms for generating them. We restrict the remainder of our discussion of related work to attack graphs.
Phillips and Swiler [17] propose the concept of attack graphs that is similar to the one described here. However, they take an “attack-centric” view of the system. Since we work with a general modeling language, we can express in our model both seemingly benign system events (such as failure of a link) and malicious events (such as attacks). Therefore, our attack graphs are more general than the one proposed by Phillips and Swiler. Swiler et al. [18] describe a tool for generating attack graphs based on their previous work. Their tool constructs the attack graph by forward exploration starting from the initial state.
The advantage of using model checking instead of forward search is that the technique can be expanded to include liveness properties, which can model service guarantees in the face of malicious activity. For example, a model of a banking network could have a liveness security property such as
G (CheckDeposited → (F CheckCleared))
which specifies that every check deposited at a bank branch must eventually clear.
Templeton and Levitt [19] propose a requires/provides model for attacks. The model links atomic attacks into scenarios, with earlier atomic attacks supplying the prerequisites for the later ones. Templeton and Levitt point out that relating seemingly innocuous system behavior to known attack scenarios can help discover new atomic attacks. However, they do not consider combining their attack scenarios into attack graphs.
Cuppens and Ortalo [20] propose a declarative language (LAMBDA) for specifying attacks in terms of pre- and postconditions. LAMBDA is a superset of the simple language we used to model attacks in our work. The language is modular and hierarchical; higher-level attacks can be described using lower-level attacks as components. LAMBDA also includes intrusion detection elements. Attack specifications include information about the steps needed to detect the attack and the steps needed to verify that the attack has already been carried out. Using a database of attacks specified in LAMBDA, Cuppens and Miege [21] propose a method for alert correlation based on matching postconditions of some attacks with preconditions of other attacks that may follow. In effect, they exploit the fact that alerts about attacks are more likely to be related if the corresponding attacks can be a part of the same attack scenario.
Dacier [22] proposes the concept of privilege graphs. Each node in the privilege graph represents a set of privileges owned by the user; edges represent vulnerabilities. Privilege graphs are then explored to construct attack state graphs, which represents different ways in which an intruder can reach a certain goal, such as root access on a host. He also defines a metric, called the mean effort to failure or METF, based on the attack state graphs. Orlato et al. [23] describe an experimental evaluation of a framework based on these ideas. At the surface, our notion of attack graphs seems similar to the one proposed by Dacier. However, as is the case with Phillips and Swiler, Dacier takes an “attack-centric” view of the world. As pointed out above, our attack graphs are more general. From the experiments conducted by Orlato et al., it appears that even for small examples the space required to construct attack state graphs becomes prohibitive. By basing our algorithm on model checking we take advantage of advances in representing large state spaces and can thus hope to represent large attack graphs.
Ritchey and Ammann [11] also use model checking for vulnerability analysis of networks. They use the (unmodified) model checker SMV [24]. They can obtain only one counterexample (i.e., only one attack corresponding to an unsafe state). In contrast, we modified the model checker NuSMV to produce attack graphs, representing all possible attacks. We also described postfacto analyses that can be performed on these attack graphs. These analysis techniques cannot be meaningfully performed on single attacks.
Graph-based data structures have also been used in network IDSs, such as NetSTAT [25]. There are two major components in NetSTAT: a set of probes placed at different points in the network and an analyzer. The analyzer processes events generated by the probes and generates alarms by consulting a network fact base and a scenario database. The network fact base contains information (such as connectivity) about the network being monitored. The scenario database has a directed graph representation of various atomic attacks. For example, the graph corresponding to an IP spoofing attack shows various steps that an intruder takes to mount that specific attack. The authors state that “in the analysis process the most critical operation is the generation of all possible instances of an attack scenario with respect to a given target network.”
Ammann et al. [26] present a scalable attack graph representation. They encode attack graphs as dependencies among exploits and security conditions, under the assumption of monotonicity. Informally, monotonicity means that no action an intruder can take interferes with the intruder’s ability to take any other actions. The authors treat vulnerabilities, intruder access privileges, and network connectivity as atomic Boolean attributes. Actions are treated as atomic transformations that, given a set of preconditions on the attributes, establish a set of postconditions. In this model, monotonicity means that (1) once a postcondition is satisfied, it can never become unsatisfied, and (2) the negation operator cannot be used in expressing action preconditions.
The authors show that under the monotonicity assumption it is possible to construct an efficient (low-order polynomial) attack graph representation that scales well. They present an efficient algorithm for extracting minimal attack scenarios from the representation, and suggest that a standard graph algorithm can produce a critical set of actions that disconnect the goal state of the intruder from the initial state.
This approach is less general than our treatment of attack graphs. In addition to the monotonicity requirement, it can handle only simple safety properties. Further, the compact attack graph representation is less explicit, and therefore harder for a human to read. The advantage of the approach is that it has a worst-case bound on the size of the graph that is polynomial in the number of atomic attributes in the model, and, therefore, can scale better than full-fledged model checking to large networks.