scispace - formally typeset
Search or ask a question
Author

Oleg Sheyner

Bio: Oleg Sheyner is an academic researcher from Carnegie Mellon University. The author has contributed to research in topics: Model checking & Intrusion detection system. The author has an hindex of 7, co-authored 8 publications receiving 2250 citations.

Papers
More filters
Proceedings ArticleDOI
12 May 2002
TL;DR: This paper presents an automated technique for generating and analyzing attack graphs, based on symbolic model checking algorithms, letting us construct attack graphs automatically and efficiently.
Abstract: An integral part of modeling the global view of network security is constructing attack graphs. Manual attack graph construction is tedious, error-prone, and impractical for attack graphs larger than a hundred nodes. In this paper we present an automated technique for generating and analyzing attack graphs. We base our technique on symbolic model checking algorithms, letting us construct attack graphs automatically and efficiently. We also describe two analyses to help decide which attacks would be most cost-effective to guard against. We implemented our technique in a tool suite and tested it on a small network example, which includes models of a firewall and an intrusion detection system.

1,302 citations

Proceedings ArticleDOI
24 Jun 2002
TL;DR: This paper presents an algorithm for generating attack graphs using model checking as a subroutine, and provides a formal characterization of this problem, proving that it is polynomially equivalent to the minimum hitting set problem and presenting a greedy algorithm with provable bounds.
Abstract: An attack graph is a succinct representation of all paths through a system that end in a state where an intruder has successfully achieved his goal. Today Red Teams determine the vulnerability of networked systems by drawing gigantic attack graphs by hand. Constructing attack graphs by hand is tedious, error-prone, and impractical for large systems. By viewing an attack as a violation of a safety property, we can use off-the-shelf model checking technology to produce attack graphs automatically: a successful path from the intruder's viewpoint is a counterexample produced by the model checker In this paper we present an algorithm for generating attack graphs using model checking as a subroutine. Security analysts use attack graphs for detection, defense and forensics. In this paper we present a minimization analysis technique that allows analysts to decide which minimal set of security measures would guarantee the safety of the system. We provide a formal characterization of this problem: we prove that it is polynomially equivalent to the minimum hitting set problem and we present a greedy algorithm with provable bounds. We also present a reliability analysis technique that allows analysts to perform a simple cost-benefit trade-off depending on the likelihoods of attacks. By interpreting attack graphs as Markov Decision Processes we can use the value iteration algorithm to compute the probabilities of intruder success for each attack the graph.

444 citations

Journal Article
TL;DR: This paper takes network attack models as input to attack graph tools to generate attack graphs automatically and to analyze system vulnerabilities and presents details of an example to illustrate how these models are specified and analyzed.
Abstract: Attack graphs depict ways in which an adversary exploits system vulnerabilities to achieve a desired state. System administrators use attack graphs to determine how vulnerable their systems are and to determine what security measures to deploy to defend their systems. In this paper, we present details of an example to illustrate how we specify and analyze network attack models. We take these models as input to our attack graph tools to generate attack graphs automatically and to analyze system vulnerabilities. While we have published our generation and analysis algorithms in earlier work, the presentation of our example and toolkit is novel to this paper.

219 citations

01 Jan 2004
TL;DR: This work develops formal techniques that give users flexibility in examining design errors discovered by automated analysis, and defines and analyze attack graphs, an application of scenario graphs to represent ways in which intruders attack computer networks.
Abstract: We develop formal techniques that give users flexibility in examining design errors discovered by automated analysis. We build our results using the model checking approach to verification. The two inputs to a model checker are a finite system model and a formal correctness property specifying acceptable behaviors. The correctness property induces a bipartition on the set of behaviors of the model: correct behaviors, which satisfy the property, and faulty behaviors, which violate the property. Traditional model checkers give users a single counterexample, chosen from the set of faulty behaviors. Giving the user access to the entire set, however, lets him have more control over the design refinement process. The focus of our work is on ways of generating, presenting, and analyzing faulty behavior sets. We present our results in two parts. In Part I we introduce concepts that let us define faulty behavior sets as failure scenario graphs . We then describe algorithms for generating scenario graphs. The algorithms use model checking techniques to produce faulty behavior sets that are sound and complete. In Part II we apply our formal concepts to the security domain. Building on the foundation established in Part I, we define and analyze attack graphs, an application of scenario graphs to represent ways in which intruders attack computer networks. This application of formal analysis contributes to techniques and tools for strengthening network security.

192 citations

01 Feb 2002
TL;DR: This paper presents a minimization technique that allows analysts to decide which minimal set of security measures would guarantee the safety of the system, and provides a formal characterization of this problem and proves that it is polynomially equivalent to the minimum hitting set problem.
Abstract: : An attack graph is a succinct representation of all paths through a system that end in a state where an intruder has successfully achieved his goal. Today Red Teams determine the vulnerability of networked systems by drawing gigantic attack graphs by hand. Constructing attack graphs by hand is tedious, error-prone, and impractical for large systems. By viewing an attack as a violation of a safety property, we can use model checking to produce attack graphs automatically: a successful path from the intruder's viewpoint is a counterexample produced by the model checker. In this paper we present an algorithm for generating attack graphs using model checking. Security analysts use attack graphs for detection, defense, and forensics. In this paper we present a minimization technique that allows analysts to decide which minimal set of security measures would guarantee the safety of the system. We provide a formal characterization of this problem: we prove that it is polynomially equivalent to the minimum hitting set problem and we present a greedy algorithm with provable bounds. We also present a reliability technique that allows analysts to perform a simple cost-benefit analysis depending on the likelihoods of attacks. By interpreting attack graphs as Markov Decision Processes we can use a standard MDP value iteration algorithm to compute the probabilities of intruder success for each attack the graph. We illustrate our work in the context of a small example that includes models of a firewall and an intrusion detection system.

97 citations


Cited by
More filters
Proceedings ArticleDOI
12 May 2002
TL;DR: This paper presents an automated technique for generating and analyzing attack graphs, based on symbolic model checking algorithms, letting us construct attack graphs automatically and efficiently.
Abstract: An integral part of modeling the global view of network security is constructing attack graphs. Manual attack graph construction is tedious, error-prone, and impractical for attack graphs larger than a hundred nodes. In this paper we present an automated technique for generating and analyzing attack graphs. We base our technique on symbolic model checking algorithms, letting us construct attack graphs automatically and efficiently. We also describe two analyses to help decide which attacks would be most cost-effective to guard against. We implemented our technique in a tool suite and tested it on a small network example, which includes models of a firewall and an intrusion detection system.

1,302 citations

Proceedings ArticleDOI
18 Nov 2002
TL;DR: This paper revisits the idea of attack graphs themselves, and argues that they represent more information explicitly than is necessary for the analyst, and proposes a more compact and scalable representation.
Abstract: Even well administered networks are vulnerable to attack Recent work in network security has focused on the fact that combinations of exploits are the typical means by which an attacker breaks into a network Researchers have proposed a variety of graph-based algorithms to generate attack trees (or graphs) Either structure represents all possible sequences of exploits, where any given exploit can take advantage of the penetration achieved by prior exploits in its chain, and the final exploit in the chain achieves the attacker's goal The most recent approach in this line of work uses a modified version of the model checker NuSMV as a powerful inference engine for chaining together network exploits, compactly representing attack graphs, and identifying minimal sets of exploits However, it is also well known that model checkers suffer from scalability problems, and there is good reason to doubt whether a model checker can handle directly a realistic set of exploits for even a modest-sized network In this paper, we revisit the idea of attack graphs themselves, and argue that they represent more information explicitly than is necessary for the analyst Instead, we propose a more compact and scalable representation Although we show that it is possible to produce attack trees from our representation, we argue that more useful information can be produced, for larger networks, while bypassing the attack tree step Our approach relies on an explicit assumption of monotonicity, which, in essence, states that the precondition of a given exploit is never invalidated by the successful application of another exploit In other words, the attacker never needs to backtrack The assumption reduces the complexity of the analysis problem from exponential to polynomial, thereby bringing even very large networks within reach of analysis

788 citations

Proceedings ArticleDOI
30 Oct 2006
TL;DR: This paper proposes logical attack graphs, which directly illustrate logical dependencies among attack goals and configuration information, and shows experimental evidence that the logical attack graph generation algorithm is very efficient.
Abstract: Attack graphs are important tools for analyzing security vulnerabilities in enterprise networks. Previous work on attack graphs has not provided an account of the scalability of the graph generating process, and there is often a lack of logical formalism in the representation of attack graphs, which results in the attack graph being difficult to use and understand by human beings. Pioneer work by Sheyner, et al. is the first attack-graph tool based on formal logical techniques, namely model-checking. However, when applied to moderate-sized networks, Sheyner's tool encountered a significant exponential explosion problem. This paper describes a new approach to represent and generate attack graphs. We propose logical attack graphs, which directly illustrate logical dependencies among attack goals and configuration information. A logical attack graph always has size polynomial to the network being analyzed. Our attack graph generation tool builds upon MulVAL, a network security analyzer based on logical programming. We demonstrate how to produce a derivation trace in the MulVAL logic-programming engine, and how to use the trace to generate a logical attack graph in quadratic time. We show experimental evidence that our logical attack graph generation algorithm is very efficient. We have generated logical attack graphs for fully connected networks of 1000 machines using a Pentium 4 CPU with 1GB of RAM.

616 citations

Proceedings Article
31 Jul 2005
TL;DR: MulVAL is an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network and can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language.
Abstract: To determine the security impact software vulnerabilities have on a particular network, one must consider interactions among multiple network elements For a vulnerability analysis tool to be useful in practice, two features are crucial First, the model used in the analysis must be able to automatically integrate formal vulnerability specifications from the bug-reporting community Second, the analysis must be able to scale to networks with thousands of machines We show how to achieve these two goals by presenting MulVAL, an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network MulVAL adopts Datalog as the modeling language for the elements in the analysis (bug specification, configuration description, reasoning rules, operating-system permission and privilege model, etc) We easily leverage existing vulnerability-database and scanning tools by expressing their output in Datalog and feeding it to our MulVAL reasoning engine Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines We implemented our framework on the Red Hat Linux platform Our framework can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language We tested our tool on a real network with hundreds of users The tool detected a policy violation caused by software vulnerabilities and the system administrators took remediation measures

599 citations

Proceedings ArticleDOI
18 Nov 2002
TL;DR: A formal framework for alert correlation, the implementation of an off-line alert correlator based on the framework, and the evaluation of the method with the 2000 DARPA intrusion detection scenario specific datasets demonstrate the potential of the proposed method and its advantage over alternative methods.
Abstract: Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a practical technique to address this issue. The proposed approach constructs attack scenarios by correlating alerts on the basis of prerequisites and consequences of intrusions. Intuitively, the prerequisite of an intrusion is the necessary condition for the intrusion to be successful, while the consequence of an intrusion is the possible outcome of the intrusion. Based on the prerequisites and consequences of different types of attacks, the proposed approach correlates alerts by (partially) matching the consequence of some previous alerts and the prerequisite of some later ones. The contribution of this paper includes a formal framework for alert correlation, the implementation of an off-line alert correlator based on the framework, and the evaluation of our method with the 2000 DARPA intrusion detection scenario specific datasets. Our experience and experimental results have demonstrated the potential of the proposed method and its advantage over alternative methods.

548 citations