Probabilistic Validation of Intrusion Tolerance

Intrusion tolerance is an emerging approach to security that aims to increase the likelihood that an application will continue to operate correctly in spite of malicious attacks, including attacks that result in successful intrusions. Most traditional approaches to security validation have not been quantitative; instead they specify procedures to be followed during the design of a system (e.g., the Security Evaluation Criteria [DOD85, ISO99]). Where quantitative methods have been used, they have typically either been based on formal methods (e.g., [Lan81]), aiming to prove that certain security properties hold under a specified set of assumptions, or been quite informal, using a team of experts (often called a "red team," e.g., [Low01]) to try to compromise a system. An alternative approach has been to quantify, probabilistically, the behavior of an attacker and the attacker's impact on the ability of a system to provide certain security-related properties. In this extended abstract, we first (in Section 2) review existing probabilistic approaches. We then (in Section 3) describe work we are doing in this area, with the goal of creating a sound scientific basis for comparing alternative intrusion tolerance approaches quantitatively and for estimating the intrusion tolerance of particular approaches. Our main measure of security is application-level availability, which we define as a measure of correct delivery of service with respect to the alternation of correct and incorrect service [Lap91]. Realizing this goal will require work in both modeling and measurement, together with guidelines for applying them to intrusion tolerance approaches.

[1] P. Ammann et al., "Using model checking to analyze network vulnerabilities," Proc. 2000 IEEE Symposium on Security and Privacy (S&P 2000), 2000.

[2] D. Wright et al., "Towards operational measures of computer security," Journal of Computer Security, 1993.

[3] J. Lowry, "An initial foray into understanding adversary planning and courses of action," Proc. DARPA Information Survivability Conference and Exposition II (DISCEX'01), 2001.

[4] J. M. Wing, "Survivability analysis of networked systems," FORTE, 2000.

[5] H. Kopetz et al., Dependability: Basic Concepts and Terminology, Dependable Computing and Fault-Tolerant Systems, 1992.

[6] K. S. Trivedi et al., "Characterizing intrusion tolerant systems using a state transition model," Proc. DARPA Information Survivability Conference and Exposition II (DISCEX'01), 2001.

[7] C. E. Landwehr et al., "Formal models for computer security," ACM Computing Surveys (CSUR), 1981.

[8] P. S. Tasker et al., Department of Defense Trusted Computer System Evaluation Criteria, 1985.

[9] S. Jha et al., "Survivability analysis of networked systems," Proc. 23rd International Conference on Software Engineering (ICSE 2001), 2001.

[10] T. Olovsson et al., "A quantitative model of the security intrusion process based on attacker behavior," IEEE Transactions on Software Engineering, 1997.

[11] R. Ortalo et al., "Experimenting with quantitative evaluation tools for monitoring operational security," IEEE Transactions on Software Engineering, 1999.