Attack Graphs

My master's thesis (PDF) at the Institute for Information Security at the University of Tulsa was concerned with the generation of attack graphs, a graph-theoretic formalism for modeling network attacks and their interactions. Specifically, we introduced a new variation of attack graphs called hybrid attack graphs, which are designed to blend discrete and continuous elements to model the security of cyber-physical systems.

Attack graphs model network or system states as nodes in a graph, and the edges represent state transitions that can be caused by specific actions of an attacker. They are generated based on matching attack patterns (which may target certain system types, patch levels, or network configurations) to a set of network hosts with a particular topology.
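The generation step described above, as an added example (not code from the thesis or its repository): a breadth-first generator that binds attack patterns to hosts and records each resulting state transition. The host names, services and pattern names are constructed for illustration.

```python
from collections import deque
from itertools import permutations
# Constructed sample network (not from the thesis): facts are plain tuples.
HOSTS = ["attacker", "web", "mail", "db"]
INITIAL = frozenset({
    ("access", "attacker"), ("connected", "attacker", "web"),
    ("connected", "attacker", "mail"), ("connected", "web", "db"),
    ("connected", "mail", "db"), ("runs", "web", "httpd_unpatched"),
    ("runs", "mail", "smtpd_unpatched"), ("runs", "db", "sql_default_creds"),
})

def remote(service):
    """Hypothetical pattern: from a held host S, gain access to a reachable T running `service`."""
    pre = [("access", "S"), ("connected", "S", "T"), ("runs", "T", service)]
    return pre, [("access", "T")]

PATTERNS = {  # hypothetical pattern names, keyed to the constructed services above
    "exploit_httpd": remote("httpd_unpatched"),
    "exploit_smtpd": remote("smtpd_unpatched"),
    "default_creds": remote("sql_default_creds"),
}

def bind(fact, env):
    """Replace the pattern variables S and T with concrete host names."""
    return tuple(env.get(term, term) for term in fact)

def successors(state):
    """Yield (edge label, next state) for each pattern binding whose preconditions hold."""
    for name, (pre, post) in PATTERNS.items():
        for s, t in permutations(HOSTS, 2):
            env = {"S": s, "T": t}
            if all(bind(f, env) in state for f in pre):
                nxt = state | {bind(f, env) for f in post}
                if nxt != state:  # skip bindings that change nothing
                    yield f"{name}({s}->{t})", nxt

def generate(initial, max_depth=None):
    """Breadth-first exploration; returns ({state: depth}, [(state, label, next_state)])."""
    nodes, edges, queue = {initial: 0}, [], deque([initial])
    while queue:
        state = queue.popleft()
        if max_depth is not None and nodes[state] >= max_depth:
            continue  # depth limit: keep the node, do not expand it
        for label, nxt in successors(state):
            if nxt not in nodes:
                nodes[nxt] = nodes[state] + 1
                queue.append(nxt)
            edges.append((state, label, nxt))
    return nodes, edges
```

Calling `generate(INITIAL)` on this four-host network already yields 7 states and 10 transitions, because each order of compromise is a distinct path; `max_depth` truncates the exploration.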

My thesis work entailed the addition of continuous-domain variables to the formalism. The idea was to provide a tool for modeling blended physical world and network attacks (like, for instance, Stuxnet) for safety-critical systems.

These graphs tended to be unwieldy – here’s a depth-limited example of a compromised car ramming into a wall (left), and a full generation of a contrived denial of sleep attack (right):

[Images: thesis-civic-graph (left), thesis-dos (right)]

We iterated on this, producing a formalism called the hybrid attack dependency graph, to try to resolve some of this complexity. Here’s a similar denial of sleep attack:

[Image: hadg-dos]

I also built a web interface for generating small attack graphs for experimentation purposes. An instance of it was publicly available for a while, but is no longer. The code for the attack graph generator and web tool both reside in this Bitbucket repository.