Using Strategy Objectives for Network Security Analysis

  • Elie Bursztein
  • John C. Mitchell
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6151)


The anticipation game framework is an extension of attack graphs based on game theory. It is used to anticipate and analyze intruder and administrator concurrent interactions with the network. Like attack-graph-based model checking, the goal of an anticipation game is to prove that a safety property holds. However, expressing intruder goal as a safety property is tedious and error prone on large networks because it assumes that the analyst has prior and complete knowledge of critical network services and knows what the attacker targets will be.

In this paper we address this issue by introducing a new kind of goal called ”strategy objectives”. Strategy objectives mix logical constraints and numerical ones. In order to achieve these strategy objectives, we have extended the anticipation games framework with cost and reward. Additionally, this extension allows us to take into account the financial dimension of attacks during the analysis. We prove that finding the optimal strategy is decidable and only requires linear space. Finally we show that anticipation games with strategy objectives can be used in practice even on large networks by evaluating the performance of our prototype.


Model Check Dependency Graph Security Goal Analysis Goal Attack Graph 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alur, R., Henzinger, T.A., Kupferman, O.: Alternating-time temporal logic. J. ACM 49(5), 672–713 (2002)CrossRefMathSciNetGoogle Scholar
  2. 2.
    Bérard, B., Bidoit, M., Finkel, A., Laroussinie, F., Petit, A., Petrucci, L., Schnoebelen, P.: Systems and Software Verification. In: Model-Checking Techniques and Tools. Springer, Heidelberg (2001)Google Scholar
  3. 3.
    Bursztein, E.: NetQi: A model checker for anticipation game. In: Cha, S(S.), Choi, J.-Y., Kim, M., Lee, I., Viswanathan, M. (eds.) ATVA 2008. LNCS, vol. 5311, pp. 246–251. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. 4.
    Bursztein, E., Goubault-Larrecq, J.: A logical framework for evaluating network resilience against faults and attacks. In: Cervesato, I. (ed.) ASIAN 2007. LNCS, vol. 4846, pp. 212–227. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Cuppens, F., Ortalo, R.: Lambda: A language to model a database for detection of attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Dacier, M., Deswarte, Y., Kaaniche, M.: Models and tools for quantitative assessment of operational security. In: 12th International Information Security Conference, pp. 177–186 (May 1996)Google Scholar
  7. 7.
    de Alfaro, L., Faella, M., Henzinger, T., Majumdar, R., Stoelinga, M.: The element of surprise in timed games. In: Amadio, R.M., Lugiez, D. (eds.) CONCUR 2003. LNCS, vol. 2761, pp. 144–158. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Henzinger, T., Prabhu, V.: Timed alternating-time temporal logic. In: Asarin, E., Bouyer, P. (eds.) FORMATS 2006. LNCS, vol. 4202, pp. 1–17. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Lippmann, R., Webster, S., Stetson, D.: The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 307–326. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Lye, K.-w., Wing, J.M.: Game strategies in network security. Int. J. Inf. Sec. 4(1-2), 71–86 (2005)CrossRefGoogle Scholar
  11. 11.
    Mahimkar, A., Shmatikov, V.: Game-based analysis of denial-of-service prevention protocols. In: 18th IEEE Computer Security Foundations Workshop (CSFW), Aix-en-Provence, France, pp. 287–301. IEEE Computer Society, Los Alamitos (June 2005)CrossRefGoogle Scholar
  12. 12.
    Noel, S., Jajodia, S., O’Berry, B., Jacobs, M.: Efficient minimum-cost network hardening via exploit dependency graphs. In: 19th Annual Computer Security Applications Conference, pp. 86–95 (December 2003)Google Scholar
  13. 13.
    Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: VizSEC/DMSEC 2004: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 109–118. ACM Press, New York (2004)CrossRefGoogle Scholar
  14. 14.
    Pamula, J., Jajodia, S., Ammann, P., Swarup, V.: A weakest-adversary security metric for network configuration security analysis. In: QoP 2006: Proceedings of the 2nd ACM Workshop on Quality of Protection, pp. 31–38. ACM Press, New York (2006)CrossRefGoogle Scholar
  15. 15.
    Rasmusen, E.: Games and Information. Blackwell Publishing, Malden (2007)zbMATHGoogle Scholar
  16. 16.
    Ritchey, R.W., Ammann, P.: Using model checking to analyze network vulnerabilities. In: SP 2000: Proceedings of the 2000 IEEE Symposium on Security and Privacy, Washington, DC, USA, pp. 156–165. IEEE Computer Society, Los Alamitos (2000)CrossRefGoogle Scholar
  17. 17.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: SP 2002: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Washington, DC, USA, pp. 273–284. IEEE Computer Society, Los Alamitos (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Elie Bursztein
    • 1
  • John C. Mitchell
    • 2
  1. 1.Stanford University and LSV, ENS Cachan, INRIA, CNRSUSA
  2. 2.Stanford UniversityUSA

Personalised recommendations