Thesis Presentation

In the 1990s, the world saw a rapid increase in the size of computer networks, mainly due to the immense popularity of the Internet. Today, these computer networks continue to expand. However, a side effect of this growing size of computer networks in the growing concern for computer security. Today's computers run a multitude of services, share trust relationships with numerous other computers, and share various kinds of connectivity with other computers. This type of heavy interaction poses a major security threat and exposes these computers to malicious attacks by third parties. How can we prevent these attacks in an informed way? How can we help system administrators in charge of these monstrous networks? Attack graphs provide a mechanism to perform such analysis. An attack graph is a succinct visual representation of all paths through a system that end in a state where an attack has achieved a predetermined goal. Sheyner has built an attack graph toolkit that uses model checking, a formal verification technique, to generate attack graphs for simple networks. With respect to this, our contributions are fivefold: 1) we identified a set of target questions that a typical system administrator might have about the security of his or her network; 2) we designed a realistic network model on top of Sheyner's attack model; we designed and performed a series of experiments on our model using the attack graph toolkit; 3) we developed attack graph analysis methods for predicting specific attacks and assessing the vulnerability of a network; 4) we answered the target questions using our experimental observations, and our attack graph analysis methods; and finally 5) we designed and implemented a "stress-test" for the attack graph toolkit to assess its performance limitations.

Thesis Committee:
Jeannette Wing, Chair
Michael Reiter