Steven Harp, Johnathan Gohde, Thomas Haigh, and Mark Boddy
As networked systems become more complex, and they support more critical applications, there is a compelling need to augment the Red Team approach to vulnerability analysis with more formal, automated methods. Artificial Intelligence (AI) Planning, with its well-developed theory and rich set of tools, offers an attractive approach. By adopting this approach we have been able to generate attack graphs for a simple but realistic web-based system in five seconds or less, which is an order of magnitude improvement over previous efforts at automated analysis. In this paper we describe our methods and the results. Since vulnerability analysis is a new application of AI planning, our work has uncovered issues with both modeling techniques and planning tools. We discuss these issues and suggest methods for addressing them.