Towards a stochastic model for integrated security and dependability evaluation
Summary (3 min read)
1 Introduction
- Security is a concept addressing the attributes confidentiality, integrity and availability [6].
- Dependability, on the other hand, is the ability of a computer system to deliver service that can justifiably be trusted.
- Footnote (∗): "Centre for Quantifiable Quality of Service in Communication Systems, Centre of Excellence", appointed by the Research Council of Norway, funded by the Research Council, NTNU and UNINETT. http://www.q2s.ntnu.no/
- The security community can benefit from the mature dependability modelling techniques, which can provide the operational measures that are so desirable today.
- In Section 3, the authors show that the states can be viewed as elements in a stochastic game, and explain how game theory can be used to compute the expected attacker behavior.
- In Section 6 the authors compare their work with previous related work.
2 The Stochastic Model
- This high level description can be used to perform qualitative assessment of system properties, such as the security levels obtained by Common Criteria evaluation [7].
- Moreover, such methods only evaluate static behavior of the system and do not consider dependencies of events or time aspects of failures.
- To create a model suitable for quantitative analysis and assessment of operational security, one needs to use a fine-granular system description, which is capable of incorporating the dynamic behavior of a system.
- During its operational lifetime, a system will alternate between the different states.
- This may be due to normal usage as well as misuse, administrative measures and maintenance, as well as software- and hardware failures and repairs.
2.1 The Failure Process
- It has been shown in [2, 9, 16] that the "fault-error-failure" pathology, which is commonly used for modelling the failure process in a dependability context, can be applied in the security domain as well.
- Based on the results from this research the authors demonstrate how a stochastic process can be used to model security failures in a similar way as the dependability community usually treats accidental and unintentional failures.
- An error is always internal and will not be visible from outside the system.
- For each failure state which conflicts with the system’s intended functionality, the authors can therefore assign a corresponding property that is violated, e.g. confidentiality-failed or availability-failed.
- Even though the time, or effort, to perform an intrusion may be randomly distributed, the decision to perform the action is not.
2.2 Modelling Intrusion as Transitions
- According to [16], there are two underlying causes of any intrusion: A malicious action that tries to exploit the vulnerability.
- The time to carry out an attack action a is taken to be exponentially distributed, as the continuous-time Markov model requires (a simplifying assumption; in reality, other types of distributions may be more suitable), with rate λij(a), where i and j are two different states in the stochastic model.
- By introducing the decision probability πi(a), the result from a successful attack, i.e. a malicious external human-made fault, can be modelled as one or more intentional state changes of the underlying stochastic process, which represents the dynamic behavior of the system.
2.3 Obtaining Steady State Probabilities
- In mathematical terms, the stochastic process describing the dynamic system behavior is a continuous time Markov chain with discrete state space.
- Similarly, by making the failure states absorbing, i.e. removing all outgoing transitions, one can compute the mean time to first failure (MTFF) for a system.
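An added example, not from the paper, of the two Section 2.3 computations: the stationary probabilities from the balance equations, and MTFF by making the failure states absorbing. The three-state generator Q, its state numbering and the function names are my construction, using rate values quoted in the page's FAQ; it is not the paper's six-state DNS model.

```python
# Added example (not the paper's code): stationary probabilities and MTFF for
# a CTMC, as in Section 2.3.  The 3-state sub-model below (good, vulnerable,
# software-failed) and its generator Q are constructed here from rate values
# quoted in the FAQ; it is NOT the paper's full six-state DNS model (Table 1).

def solve_linear(a, b):
    """Solve a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def stationary(q):
    """Steady state X with X*Q = 0 and sum(X) = 1: transpose Q, replace one
    (redundant) balance equation by the normalisation row, and solve."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]
    a[-1] = [1.0] * n
    return solve_linear(a, [0.0] * (n - 1) + [1.0])

def mean_time_to_absorption(q, absorbing):
    """MTFF: make the failure states absorbing (drop their outgoing rates) and
    solve Q_T * t = -1 on the transient sub-generator; t[i] is the mean time
    from transient state i until the first failure."""
    trans = [i for i in range(len(q)) if i not in absorbing]
    q_t = [[q[i][j] for j in trans] for i in trans]
    return dict(zip(trans, solve_linear(q_t, [-1.0] * len(trans))))

# Rates per hour from the FAQ: phi12 = 1/480, phi21 = 1/120, mu_S = 1/120, phi51 = 3.
# Constructed states: 0 = good, 1 = vulnerable, 2 = software availability failure.
PHI12, PHI21, MU_S, PHI51 = 1 / 480, 1 / 120, 1 / 120, 3.0
Q = [
    [-(PHI12 + MU_S), PHI12, MU_S],
    [PHI21, -(PHI21 + MU_S), MU_S],
    [PHI51, 0.0, -PHI51],
]

def analyse():
    """Return (stationary distribution, availability, MTFF from state 0 in hours)."""
    x = stationary(Q)
    availability = x[0] + x[1]                       # time fraction in non-failed states
    mtff = mean_time_to_absorption(Q, absorbing={2})[0]
    return x, availability, mtff
```

Because the software failure rate μS is the same from both non-failed states here, the MTFF comes out as exactly 1/μS = 120 hours, which is a handy sanity check on the absorbing-state computation.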
2.4 Model Parameterization
- The procedure of obtaining accidental failure and repair rates has been practiced for many years in traditional dependability analysis, and will therefore not be discussed in this paper.
- The most straightforward solution is to let security experts assess the rates based on subjective expert opinion, empirical data or a combination of both.
- An example of empirical data is historical attack data collected from honeypots.
- In [17, 18], the authors propose game theory as a means for computing the expected attacker strategy.
- The procedure is summarized in the next section.
3 Computing Expected Attacker Behavior
- From the stochastic model, pick all states where the system is vulnerable to malicious faults.
- For all transitions out of the game element states which represent intrusions, identify the corresponding attack actions.
- For each game element, the authors assign two values to each attack action: one that represents the reward gained by the attacker if the action remains undetected, and another that represents the negative reward, i.e. cost, experienced if the action is detected and reacted to.
4 Tuning Parameters of the Game
- The game model presented in the previous section is based on a reward and cost concept.
- Furthermore, if the action succeeds, additional rewards may be gained.
- The reward values will therefore represent the attackers’ motivation when deciding on attack actions.
- The cost of a detected action will be an important demotivation factor when modelling, for example, insiders - legitimate users who override their current privileges.
- Similarly, commercial adversaries would lose reputation and market share if it is exposed that illegal means are used.
4.1 Attacker Profiling
- Rogers summarizes earlier research on hacker categorization and provides a new taxonomy based on a two dimensional classification model.
- Skill and motivation are identified as the primary classification criteria, which fit well into the authors' mathematical framework, where an attacker's skill is represented by the expected time to success, λ⁻¹(a), and the motivation by the reward and cost concept.
- Rogers' model suggests eight primary categories, whereof seven represent outsiders: "novices", "cyber-punks", "petty thieves", "virus writers", "old guard hackers", "professional criminals" and "information warriors".
- The authors' model does not depend on any attacker classification.
- Instead, in their approach it is possible to tune the reward and cost values of the game elements and thereby model the motivation of any kind of attacker.
4.2 Varying the Cost Parameters
- Hence, an attacker can choose either to perform the attack (a), or to resign (φ).
- Hence, an increasing cost of a detected action will decrease the attackers’ motivation.
- Published in Proceedings of the First International Conference on Availability, Reliability and Security (ARES'06).
- It is interesting to note that even though measures are taken to increase the cost of detected actions (legal proceedings, for instance), a rapidly decreasing b will only have a marginal effect on the behavior of an attacker who has a strong reluctance to resign.
5 Case Study: The DNS Service
- To further illustrate the approach, the authors model and analyze the security and dependability of a DNS service.
- The most important attributes of this service are integrity and availability.
- All three states 1-3 are considered to be good states.
- The state transition model in Figure 2 in Section 3 represents the security and dependability of the service of a single DNS server under the given assumptions.
- The transitions labeled with the μS and μH rates represent the accidental software and hardware failures, the ϕ rates represent an imaginary system administrator’s possible actions and the λ rates represent the success rates of the possible attack actions.
7 Concluding Remarks
- This paper presents a stochastic model for integrated security and dependability assessment.
- By using stochastic game theory the authors can compute the expected attacker behavior for different types of attackers.
- In the final step, the corresponding stochastic process is used to compute operational measures of the system.
- As pointed out in Section 3, the Nash equilibrium of the game will be an indication of the best strategy for attackers who do not know the probabilities that their actions will be detected.
- This may not always be the case in real life.
Frequently Asked Questions (13)
Q2. What are the future works mentioned in the paper "Towards a stochastic model for integrated security and dependability evaluation" ?
In the future the authors plan to investigate whether time-dependent success rates can be used to compute more realistic strategies (they must assume that attackers learn over time!). Furthermore, verifying the model's ability to predict real-life attacks will require further research, including validation of the model against empirical data.
Q3. What are the two concepts used to quantify the payoff of the actions?
Reward and cost are generic concepts, which can be used to quantify the payoff of the actions both in terms of abstract values, such as social status and satisfaction versus disrespect and disappointment, as well as real values, e.g. financial gain and loss.
Q4. What is the purpose of this paper?
This paper focuses on the dynamic method of using stochastic models (Markov chains), which is commonly used to obtain availability (the fraction of time the system is operational during an observation period) or reliability (the probability that the system remains operational over an observation period) predictions by the dependability community.
Q5. What do the game elements and the resulting attacker strategies look like for the DNS case study?
Using the rate values λ23 = 1/3, λ34 = λ35 = λ45 = 3, ϕ12 = 1/480, ϕ21 = 1/120, ϕ31 = ϕ41 = 1, ϕ51 = 3, ϕ61 = 1/24, μH = 1/3600 and μS = 1/120 per hour, together with a fictitious set of reward and cost values, the game elements become

$$\Gamma_2 = \begin{pmatrix} 1 + 0.952\,\Gamma_3 & -4 \\ -5 & 0 \end{pmatrix}, \quad \Gamma_3 = \begin{pmatrix} 1 + 0.748\,\Gamma_4 & -3 \\ 1 & -2 \\ -5 & 0 \end{pmatrix}, \quad \Gamma_4 = \begin{pmatrix} 1 & -2 \\ -5 & 0 \end{pmatrix}.$$

Solving the stochastic game in accordance with (8) provides the strategy vectors π2 = (0.568, 0.432), π3 = (0, 0.625, 0.375) and π4 = (0.625, 0.375); hence, the state transition rate matrix for the DNS server is as displayed in Table 1. Using (3) and (4) in Section 2.3, the authors compute the stationary probabilities X = {X1, ..., X6} = {0.98, 0.01, 6.50·10⁻⁴, 0, 3.16·10⁻³, 6.62·10⁻³}.
Q6. What is the main strength of state transition models?
This is the main strength of state transition models where, at a low level, the system is modelled as a finite state machine (most systems consist of a set of interacting components and the system state is therefore the set of its component states).
Q7. What is the definition of a stochastic process?
In mathematical terms, the stochastic process describing the dynamic system behavior is a continuous time Markov chain with discrete state space.
Q8. How can one compute the mean time to first failure?
By making the failure states absorbing, i.e. removing all outgoing transitions, one can compute the mean time to first failure (MTFF) for a system.
Q9. What are the primary classification criteria for hacker?
Skill and motivation are identified as the primary classification criteria, which fit well into the authors' mathematical framework, where an attacker's skill is represented by the expected time to success, λ⁻¹(a), and the motivation by the reward and cost concept.
Q10. What is the effect of a decreasing b on the behavior of an attacker?
It is interesting to note that even though measures are taken to increase the cost of detected actions (legal proceedings, for instance), a rapidly decreasing b will only have a marginal effect on the behavior of an attacker who has a strong reluctance to resign.
Q11. What are the two types of accidental failures?
The authors distinguish between two different types of accidental failures: hardware availability failures which require a manual repair, and software availability failures, which only require a system reconfiguration and/or reboot.
Q12. What is the common type of attack on a DNS server?
This may transfer the system into a third state (3), and thereby make it possible to insert false entries in the server cache (software integrity failure) or to shut the server down (software availability failure).
Q13. What is the transition probability between game elements 2 and 3?
Hence, the transition probability between game elements 2 and 3 for this particular "play of the game" is computed as

$$p_{23}(a_1) = \frac{\lambda_{23}}{\lambda_{23} + \phi_{21} + \mu_S + \mu_H} \qquad (5)$$

Step 5: Solve the game model.
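A worked solution of the numbers in Q5 and Q13, added here as an example (not code from the paper): it evaluates the transition probability (5) and then solves the game elements Γ4, Γ3 and Γ2 backwards with the fictitious reward and cost values quoted in Q5, reproducing the strategy vectors π2, π3, π4. Assumed: each game element has one row per attack action plus a final resign row, its columns are (action undetected, action detected), the system acts as a minimising opponent, and the rate names in RATES are mine.

```python
# Added example (not code from the paper): solve the DNS case-study game
# backwards, Gamma_4 -> Gamma_3 -> Gamma_2, with the rates and the fictitious
# reward/cost values quoted in the FAQ (Q5, Q13).  Assumed layout of a game
# element: one row per attack action, last row = resign (phi); columns =
# (action undetected, action detected); attacker maximises, system minimises.

def transition_prob(rate_a, other_rates):
    """Eq. (5): p_ij(a) = lambda_ij(a) / (lambda_ij(a) + non-attack rates out of i)."""
    return rate_a / (rate_a + sum(other_rates))

def solve_mx2(rows):
    """Value and optimal row mix of an m x 2 zero-sum game (row player maximises):
    try every pure row and every pair mixed so both columns pay equally."""
    m, cands = len(rows), []
    for i in range(m):                                   # pure rows
        s = [0.0] * m
        s[i] = 1.0
        cands.append((min(rows[i]), s))
    for i in range(m):                                   # two-row mixes
        for j in range(i + 1, m):
            (a, b), (c, d) = rows[i], rows[j]
            den = a - b - c + d
            if den == 0:
                continue
            p = (d - c) / den                            # weight on row i
            if 0.0 <= p <= 1.0:
                s = [0.0] * m
                s[i], s[j] = p, 1.0 - p
                cands.append((min(p * a + (1 - p) * c, p * b + (1 - p) * d), s))
    return max(cands, key=lambda c: c[0])                # best guaranteed payoff

# Rates per hour as quoted in the FAQ (Q5); only those needed for (5) are listed.
RATES = dict(l23=1 / 3, l34=3.0, f21=1 / 120, f31=1.0, muS=1 / 120, muH=1 / 3600)

def solve_dns_game(r=RATES):
    """Return {state: (game value, attacker strategy)} for Gamma_2..Gamma_4.
    A row '1 + p * v' is reward 1 for an undetected action plus the value v of
    the next game element weighted by the probability (5) that the action
    succeeds before a competing accidental failure or administrative action."""
    v4, pi4 = solve_mx2([[1, -2], [-5, 0]])                            # lambda_45 row, resign
    p34 = transition_prob(r["l34"], [r["f31"], r["muS"], r["muH"]])   # ~0.748
    v3, pi3 = solve_mx2([[1 + p34 * v4, -3], [1, -2], [-5, 0]])       # lambda_34, lambda_35, resign
    p23 = transition_prob(r["l23"], [r["f21"], r["muS"], r["muH"]])   # ~0.952
    v2, pi2 = solve_mx2([[1 + p23 * v3, -4], [-5, 0]])                # lambda_23, resign
    return {2: (v2, pi2), 3: (v3, pi3), 4: (v4, pi4)}

if __name__ == "__main__":
    for st, (val, pi) in sorted(solve_dns_game().items()):
        print(f"Gamma_{st}: value={val:.3f}, pi={[round(x, 3) for x in pi]}")
```

The zero weight on the first row of Γ3 is why state 4 gets stationary probability 0 in Q5: at these reward and cost values the attacker never chooses the λ34 action.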