Abstract

The Internet of Things (IoT) and Cyber-Physical Systems (CPS) technologies have increased the complexity of systems and also exposed them to additional vulnerabilities. Attack-graphs are graphical representations that provide a complete view of how inter-dependencies among atomic vulnerabilities may be exploited by an adversary to stitch together an attack that can compromise the system. Their manual construction is tedious, error-prone, and time consuming. This paper presents a model-based Automated Attack-Graph Generator and Visualizer (A2G2V). Given the networked system description (its components, connectivity, services it supports, their vulnerabilities and protections), the attack graph enlists set of all possible sequences in which atomic-level vulnerabilities can be exploited to compromise a certain system-level security. The proposed A2G2V tool extends an existing formal methods tool (a model-checker) by integrating with it an architecture description tool, our own code (for parsing counterexamples, encoding those for specification relaxation, iterating till all attack sequences are revealed), and also a graph visualization tool.