Modeling and Evaluating the Survivability of an Intrusion Tolerant Database System
Hai Wang and Peng Liu, Cyber Security Lab, Pennsylvania State University
Penn State Cyber Security Lab, USA 2
Introduction
Motivation
- The need for quantifying survivability
- The limitation of reliability/availability model
Goal
- Developing a survivability evaluation model
- Proposing quantitative measures to characterize the capability of a resilient system surviving intrusions
- Understanding the impact of existing system deficiencies and attack behaviors on the survivability
Outline
- Introduction
- ITDB: A Motivating Example
- Modeling Intrusion Tolerant Database Systems
- Survivability Evaluation
- Empirical Validation
- Results
- Conclusion
- Related Work
ITDB: A Motivating Example
ITDB motivation
- After the database is damaged, locate the damaged part and repair it as soon as possible
- The database can continue being useful in the face of attacks
Basic ITDB system architecture
Modeling Intrusion Tolerant Database Systems
Stochastic versus Deterministic models
- Fewer parameters
- Transition structure
- Comprehensive
- Complex relationships
Basic state transition model
States
- Good state: G
- Infected state: I
- Containment state: M
- Recovery state: R
Parameters
- Mean time to attack (MTTA): $1/\lambda_a$
- Mean time to detect (MTTD): $1/\lambda_d$
- Mean time to mark (MTTM): $1/\lambda_m$
- Mean time to repair (MTTR): $1/\lambda_r$
Intrusion Detection System Model
False alarm
- A false alarm occurs when the IDS fails before the intrusion
- Time to intrusion: $A = \min\{T_a, T_{fa}\}$
Detection probability
- Detection probability: $d$
- Undetected state MD and manual repair state MR
Detection latency
- Detection time: $T_d$
Damage Propagation and Repair Model
Damage propagation
- The time between the infection of the $(i-1)$th and the $i$th item: $T_{d_i}$
- Assume $T_{d_i}$ is exponentially distributed: $F_{D_i}(t) = 1 - e^{-\lambda_{d_i} t}$
Damage repair
- The time to scan: $F_{M_i}(t) = 1 - e^{-\lambda_m t}$
- The time to repair: $F_{R_i}(t) = 1 - e^{-\lambda_r t}$
Survivability Evaluation
State transition model analysis
- The transient behavior of the Continuous Time Markov Chain (CTMC) can be described by the Kolmogorov differential equation: $\frac{dP(t)}{dt} = P(t)\,Q$
- Cumulative probabilities of the CTMC: $\frac{dL(t)}{dt} = L(t)\,Q + P(0)$
- The steady state probability of the CTMC: $\pi Q = 0, \quad \sum_{i \in S} \pi_i = 1$
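Survivability Evaluation (2)
Consider the basic state transition model
- State space: $S = \{G, I, M, R\}$
- Generator matrix:
$$Q = \begin{pmatrix} -\lambda_a & \lambda_a & 0 & 0 \\ 0 & -\lambda_d & \lambda_d & 0 \\ 0 & 0 & -\lambda_m & \lambda_m \\ \lambda_r & 0 & 0 & -\lambda_r \end{pmatrix}$$
- Steady state probabilities:
$$\pi_G = \frac{1/\lambda_a}{1/\lambda_a + 1/\lambda_d + 1/\lambda_m + 1/\lambda_r} = \frac{\mathrm{MTTA}}{\mathrm{MTTA} + \mathrm{MTTD} + \mathrm{MTTM} + \mathrm{MTTR}}$$
$$\pi_D = \frac{1/\lambda_d}{1/\lambda_a + 1/\lambda_d + 1/\lambda_m + 1/\lambda_r} = \frac{\mathrm{MTTD}}{\mathrm{MTTA} + \mathrm{MTTD} + \mathrm{MTTM} + \mathrm{MTTR}}$$
$$\pi_M = \frac{1/\lambda_m}{1/\lambda_a + 1/\lambda_d + 1/\lambda_m + 1/\lambda_r} = \frac{\mathrm{MTTM}}{\mathrm{MTTA} + \mathrm{MTTD} + \mathrm{MTTM} + \mathrm{MTTR}}$$
$$\pi_R = \frac{1/\lambda_r}{1/\lambda_a + 1/\lambda_d + 1/\lambda_m + 1/\lambda_r} = \frac{\mathrm{MTTR}}{\mathrm{MTTA} + \mathrm{MTTD} + \mathrm{MTTM} + \mathrm{MTTR}}$$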
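Survivability Evaluation Metrics
Integrity (I)
- A fraction of time that all accessible data items in the database are clean
- Consider the basic state transition model. Integrity:
$$I = \pi_G + \pi_M + \pi_R = \frac{\mathrm{MTTA} + \mathrm{MTTM} + \mathrm{MTTR}}{\mathrm{MTTA} + \mathrm{MTTD} + \mathrm{MTTM} + \mathrm{MTTR}}$$
- Consider the comprehensive model. Integrity:
$$I = \pi_G + \sum_{i=1}^{k} \pi_{M_i} + \sum_{i=1}^{k} \pi_{R_i}$$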
Survivability Evaluation Metrics (2)
Rewarding-availability (RA)
- Availability is defined as a fraction of time that the system is providing service to its users
- RA is defined as a fraction of time that all clean data items are accessible
- Consider the basic state transition model. Rewarding availability:
$$RA = \pi_G + \pi_R = \frac{\mathrm{MTTA} + \mathrm{MTTR}}{\mathrm{MTTA} + \mathrm{MTTD} + \mathrm{MTTM} + \mathrm{MTTR}}$$
- Consider the comprehensive model. Rewarding availability:
$$RA = \pi_G + \sum_{i=1}^{k} \pi_{R_i}$$
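The basic-model steady state and the two metrics can be checked numerically by solving the balance equations instead of trusting the closed form. The sketch below is an added example, not code from the slides or from ITDB; the mean times are constructed sample values in hours, and the function names are assumptions.

```python
# Added example: basic G -> I -> M -> R -> G chain from the slides.
STATES = ["G", "I", "M", "R"]

def generator(mtta, mttd, mttm, mttr):
    """Generator matrix Q; the rate out of each state is 1 / mean time."""
    rates = [1.0 / mtta, 1.0 / mttd, 1.0 / mttm, 1.0 / mttr]
    n = len(rates)
    q = [[0.0] * n for _ in range(n)]
    for i, lam in enumerate(rates):
        q[i][i] = -lam
        q[i][(i + 1) % n] = lam  # R wraps around to G
    return q

def steady_state(q):
    """Solve pi Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    n = len(q)
    # Row i of the augmented system is column i of Q (balance equation for state i).
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    a[-1] = [1.0] * n + [1.0]  # replace one redundant equation by normalisation
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]

def survivability(mtta, mttd, mttm, mttr):
    """Return (pi, integrity, rewarding availability) for the basic model."""
    pi = dict(zip(STATES, steady_state(generator(mtta, mttd, mttm, mttr))))
    integrity = pi["G"] + pi["M"] + pi["R"]   # every state except infected
    rewarding_availability = pi["G"] + pi["R"]
    return pi, integrity, rewarding_availability

if __name__ == "__main__":
    # Constructed sample values in hours, not measurements from the ITDB testbed.
    for mttd in (2.0, 10.0):
        pi, integ, ra = survivability(mtta=20.0, mttd=mttd, mttm=1.0, mttr=2.0)
        total = 20.0 + mttd + 1.0 + 2.0
        assert abs(pi["G"] - 20.0 / total) < 1e-9  # closed form MTTA / sum
        print(f"MTTD={mttd:>4}: I={integ:.3f} RA={ra:.3f}")
```

With these sample values, raising MTTD from 2 to 10 hours lowers both metrics, since only the time spent in the infected state grows.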
Empirical Validation
Testbed
- A real testbed ITDB is built
- Transaction application: the TPC-C benchmark
Parameters setting and estimation
- Parameters setting: attack hitting rate, false alarm rate, detection probability, detection rate, manual repair rate and manual detection rate
- Parameters estimation: maximum-likelihood to produce estimator
k
R
k
MR
k
M
k
~~
,
Empirical Validation
Validation
- The steady state probability of occupying a particular state computed from the CTMC model
- The estimated probability from the observed data: the ratio of the length of time the system was in that state to the total length of the period of observation
Results
- Using ITDB as an example to study
- Focusing on the impact of different system deficiencies on the survivability in the presence of attack
- Parameters settings
Impact of Attack Intensity
Can ITDB handle different attack intensity?
Impact of False Alarms
High false alarm rate
- Bring extra workload to the recovery subsystem
- Waste system resources
Impact of Detection Probability
Low detection probability
- Take longer time to detect the intrusion manually
- Bring more work for the administrator to mark and repair the damage manually
Transient Behaviors
- Steady state measures the behavior of the system in an infinite time interval
- The system may never reach the steady state, or take a very long time
Transient Behaviors of a good system
Transient Behaviors (2)
Transient Behaviors of a poor system
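The transient curves come from solving the Kolmogorov equation dP(t)/dt = P(t)Q rather than the steady-state equations. The sketch below is an added example, not code from the slides: it applies uniformization to the basic G, I, M, R model and reports integrity over time starting from the good state, using constructed sample mean times in hours and assumed function names.

```python
import math

def generator(mtta, mttd, mttm, mttr):
    """Generator matrix Q of the basic G -> I -> M -> R -> G chain."""
    rates = [1.0 / mtta, 1.0 / mttd, 1.0 / mttm, 1.0 / mttr]
    q = [[0.0] * 4 for _ in range(4)]
    for i, lam in enumerate(rates):
        q[i][i], q[i][(i + 1) % 4] = -lam, lam
    return q

def transient(q, p0, t, eps=1e-12, max_terms=100000):
    """State probabilities P(t) for dP/dt = P Q, P(0) = p0, by uniformization."""
    n = len(q)
    lam = max(-q[i][i] for i in range(n))            # uniformization rate
    if lam * t > 700.0:
        raise ValueError("lam * t too large: exp(-lam * t) would underflow")
    u = [[(i == j) + q[i][j] / lam for j in range(n)] for i in range(n)]
    vec = list(p0)                                   # p0 * U^k, starting at k = 0
    weight = math.exp(-lam * t)                      # Poisson(k; lam * t) at k = 0
    acc, total, k = [weight * x for x in vec], weight, 0
    while total < 1.0 - eps and k < max_terms:
        k += 1
        vec = [sum(vec[i] * u[i][j] for i in range(n)) for j in range(n)]
        weight *= lam * t / k
        total += weight
        acc = [a + weight * x for a, x in zip(acc, vec)]
    return acc

def integrity_curve(mtta, mttd, mttm, mttr, times):
    """Integrity I(t) = 1 - P_I(t), starting from the good state at t = 0."""
    q = generator(mtta, mttd, mttm, mttr)
    return [(t, 1.0 - transient(q, [1.0, 0.0, 0.0, 0.0], t)[1]) for t in times]

if __name__ == "__main__":
    # Constructed sample mean times in hours, not values from the paper.
    for t, integ in integrity_curve(20.0, 2.0, 1.0, 2.0, [0, 1, 5, 20, 100]):
        print(f"t={t:>3} h  I(t)={integ:.4f}")
```

For these sample values the curve starts at 1 and settles at the steady-state integrity of 0.92.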
Conclusion
Contributions
- Extended the classic availability model to a new survivability model.
- Mean Time to Attack (MTTA), Mean Time to Detection (MTTD), Mean Time to Marking (MTTM), and Mean Time to Repair (MTTR) are proposed as basic measures of survivability
- A real intrusion tolerant database system is established to validate the state transition models we established
- The impacts of existing system deficiencies and attack behaviors on the survivability are studied
Conclusion (2)
Findings
- The CTMC models we established can be taken to model the real system reasonably well
- ITDB can provide essential database services in the presence of attacks
- ITDB can maintain the desired essential survivability properties without being seriously affected by various system deficiencies and different attack intensity
- Compared with false alarm, the impact of detection probability on survivability is more severe
Related Work
Madan, B.B., Goseva-Popstojanova, K., Vaidyanathan, K., Trivedi, K.S. (Performance Evaluation 2004)
- Stochastic modeling techniques are used to capture the attacker behavior as well as the system's response to a security intrusion
- A security measure called the mean time (or effort) to security failure is proposed
- "Good guestimate" values of model parameters were used
Singh, S., Cukier, M., Sanders, W.H. (DSN 2003)
- Stochastic activity network is used to quantitatively validate an intrusion-tolerant replication management system
- Several measures defined on the model were proposed to study the survivability
- The impacts of system parameters variations are studied
Selected references
Liu, P.: Architectures for intrusion tolerant database systems. In: Proceedings of 18th Annual Computer Security Applications Conference (ACSAC 2002). (2002) 311-320
Madan, B.B., Goseva-Popstojanova, K., Vaidyanathan, K., Trivedi, K.S.: A method for modeling and quantifying the security attributes of intrusion tolerant systems. Performance Evaluation 56(1-4) (2004) 167-186
Yu, M., Liu, P., Zang, W.: Self-healing workflow systems under attacks. In: Proceedings of 24th International Conference on Distributed Computing Systems (ICDCS 2004). (2004) 418-425
Wang, H., Liu, P., Li, L.: Evaluating the impact of intrusion detection deficiencies on the cost-effectiveness of attack recovery. In: Proceedings of 7th International Information Security Conference (ISC 2004). (2004) 146-157
Singh, S., Cukier, M., Sanders, W.H.: Probabilistic validation of an intrusion-tolerant replication system. In: Proceedings of the International Conference on Dependable Systems and Networks (DSN 2003). (2003) 615-624