• No results found

Quantification of Security and Survivability

N/A
N/A
Protected

Academic year: 2021

Share "Quantification of Security and Survivability"

Copied!
15
0
0

Loading.... (view fulltext now)

Full text

(1)

Quantification of Security and

Survivability

Kishor Trivedi

Department of Electrical and Computer Engineering Duke University

Durham, NC 27708-0291 Email: [email protected]

Home page: www.ee.duke.edu/~kst

ITI Workshop on Dependability and Security Urbana, Illinois

(2)

Outline

„

Quantification of security

(3)

Security Quantification

„

Security Attributes

„

Integrity, confidentiality, availability

„

Authentication, non-repudiation

„

Threats

„ Design, physical, interaction faults „ Attacks

„

Security Evaluation

„

Qualitative assessment

„ Certain checklists as security evaluation criteria, tiger team

„

Quantitative assessment

(4)

Related work

„ Littlewood et al. explored the feasibility of probabilistic quantification

on security

„ Ortalo et al. used privilege graph to model system operational security „ Jha et al. used attack graph to model attacker behavior

„ Singh et al. designed SANs (stochastic activity networks) model for

probabilistic validation of security and performance of several intrusion-tolerant architectures

„ Chen et al. analyzed vulnerabilities using finite state machine model „ Jonsson et al. conducted experiments and presented a quantitative

model of security intrusion based on attacker behavior

„ Stevens et al. proposed probabilistic methods to model the DPASA

(Designing Protection and Adaptation into a Survivable Architecture) architecture

(5)

Probabilistic Security Quantification

„

Our research publications

„ “Security analysis of SITAR Intrusion Tolerant System”, ACM Workshop

on Survivable and Self-Regenerative systems, Oct. 2003

„ “A method for Modeling and Quantifying the Security Attributes of

Intrusion Tolerant System” Performance Evaluation Journal, 2004

„ “Security modeling and quantification of intrusion tolerant systems

using attack-response graph”, Trusted Internet Workshop, Dec. 2003

„

Our approach: design

state transition diagram

of

system security states, and use

Markov chains

,

Semi Markov Process

,

SRN

and

Attack Response

Graph

to develop high fidelity models incorporating

(6)

SITAR Overview

„ SITAR is an intrusion tolerant

architecture developed jointly by MCNC and Duke

„ SITAR uses spatial redundancy,

diversity and adaptive

reconfigu-ration to achieve intrusion tolerance

„ SITAR architecture

„ Proxy modules (PM)

„ Acceptance monitors (AM) „ Ballot monitors (BM)

„ Audit control module (ACM)

„ Adaptive reconfiguration module (ARM) „ COTS servers

(7)

Security Quantification of SITAR

Security vs. attack rate

0.9550.96 0.9650.97 0.9750.98 0.9850.99 0.9951 0.33 2.33 4.33 6.33 8.33 10.33 12.33 threat level 3 threat level 1

Mean time to security failure vs. attack rate

0 5000 10000 15000 20000 25000 30000 1 2 3 4 5 6 7 8 9 10 11 12 13 threat level 3 threat level 1 System security

Mean time to severe security failure Threat level 1

(8)

Security Quantification Challenges

„

Appropriate modeling of cyber attackers

„ Need to determine appropriate level of detail/abstraction

„ Need different attacker models for different purposes and attack classes

„

Comprehensive modeling of system-level security

quantification

„ Difficult to model certain security attributes such as

confidentiality and integrity using probabilistic techniques „ Hard to comprehensively quantify high-level security

requirement with different security attributes using a single approach

„

Measurement techniques for model parameterization and

validation

„ Hard, careful work and significant time required for data collection

(9)

Survivability Quantification

„ Threats „ Natural disasters „ Man-made accidents „ Hardware/software faults „ Malicious attacks „ Quantitative evaluation „ John Knight

„ A survivability specification is a four-tuple {E, R, P, M}, E: operating

environment; R: tolerable service; P: pmf on R; M: finite-state machine of state transition (analogous to availability).

„ Soung Liew

„ r-percentile survivability Nr is the probability that N is no greater than r

% of the total resource (analogous to performability). „ T1A1.2 working group

„ Survivability depicts the time-varying system performance after a

(10)

Our Survivability Research

Analysis approach

„ Develop, parameterize, and solve Markov and non-Markov

models including failure modes, traffic patterns, and resource contention.

„ T1A1.2 based survivability measures do NOT depend on the

disaster rate; this may be considered good as the disaster rate is hard to quantify in practice

„

Our Publications

„ Transient behavior of ATM networks under overloads IEEE INFOCOM’

96, pages 978–985, San Francisco, CA, March 1996.

„ Network survivability performance evaluation: a quantitative

approach with applications in wireless ad-hoc networks ACM

International Workshop on Modeling, Analysis and Simulation of Wireless and Mobile Systems (MSWiM' 02), Atlanta, GA, September 2002.

„ A general framework of survivability quantification Proc. of l2th GI/ITG.

Conf. On Measuring, Modelling and Evaluation of Computer and Communication Systems (MMB’04)

„ Survivability analysis of telephone access network Proc. of 15th IEEE

(11)

Availability and performance models

0 1 2

……

n-1 n

λ

µ

λ

λ

2

µ

3

µ

λ

n

µ

Pure performance model To compute blocking prob. In each state of the availability model

(12)

Survivability Model and Results

Survivability results –

blocking probability

Force a failure in the system

Make this the initial state Make this Absorbing state Pbk=0.0079366 Pbk=0.0079366 Pbk=1 Pbk=1 Normal operation in this state Pbk=1 Pbk=1 TR TR: relaxation time

(13)

Excess Loss Due to Failure (ELF)

„

ELF: a survivability measure reflecting the total

loss before the system is recovered

P

bk

(t)

P

bk

(t=0)

Excess blocked calls

Area in the shadow

ELF

=

Dropped calls

+

(14)

Comparison: six proposed architectures

of Telephone access network

9*10

7

9*10

7

9920

118

days

I, IIA

20748

15804

4944

32940 s

Active/active IIB

0

0

0

0 s

III Active/standby IIC2 Active/standby IIC1

35243

25323

9920

35370 s

29649

19729

9920

35310 s

ELF Extra call loss

due to blocking Call loss due

to failure Relaxation

time*

Y. Liu, V. Mendiratta, K. S. Trivedi, Survivability analysis of telephone access network Proc. of 15th IEEE International Symposium on Software Engineering (ISSRE’04)

(15)

Survivability Quantification Challenges

„

No unified definition

„ Variation due to different metrics

„ Steady state or transient

„ Availability, capacity-oriented availability, or performance

„ Variation due to different systems

„ Wire-line/wireless access networks, optical transport networks, military 3C

networks, financial and banking networks, etc.

„

Increased system complexity

„ Heterogeneity

„ Components have different capacity, performance, fault tolerance

„ Multiple layer hierarchy

„ Cross layer dependence, fault propagation, resource allocation & optimization

„ Failure scenario and impact

References

Related documents

The same techniques may be used to balance the freedom of one religion against the freedom of another, the freedom of religion against the freedom to choose not to be religious,

Members in which the reinforcement provided is less than the minimum amounts given in Section 12 should also be treated as plain concrete for the purposes of structural design.

Following Kohn and Sack (2003), we can interpret this lack of response in longer rates as a signal that market participants are reacting to policy-timing changes (i.e.,

Network Security Monitoring An Introduction to the world of Intrusion Detection Systems Irvin Homem [email protected] Stockholm University

Leading foreign high- tech firms have not invested in the Russian SEZs, and it is anything but certain whether the entry boom of global high-tech companies into Russia will happen,

Building extension on private land because of poor border demarcation, population growth, fragmented land and drainage are the main cause of farm land conflict which many of the

Unilateral fee clauses also favor lenders in the sense that a lender is much more likely to be the party pursuing claims based on the nature of the lender-borrower relationship,

We have presented here an extension of the life-cycle permanent-income model of consumption to the case of a durable good whose purchase involves lumpy transactions costs.