Security modeling and quantification of intrusion tolerant systems using attack‐response graph

Increasing deployment of computer systems in critical applications has made study and quantifiable analysis of the security aspects of these systems an important issue. Security quantification analysis can either be done by logging large amounts of operational data and analyzing this data or by developing analytic models. First approach, though straight forward, is less desirable, since such an analysis is typically done in a post‐facto manner, after the damage caused by a security breach has already occurred. The modeling approach, on the other hand, can be done in an a‐priori manner and is also much less costly. Another aspect of designing secure systems that is gaining acceptance is that while preventing security attacks is an important goal, it is not always possible to be able to prevent all types of attacks, particularly since attackers are always creating newer attacks. Recent approaches to designing dependable systems suggest treating intrusion prevention as a first line of defense to be followed by building intrusion tolerance measures that do not entirely preclude the possibility of security intrusion from succeeding. Such systems take appropriate responsive measures to mitigate the adverse effects of security intrusions. In this paper, we utilize the attack or privilege graph models that have been successfully used to model the attack progression to incorporate the system's response to an attack and for verifying if the system is secure or not. The proposed model is referred to as the attack response graph. Security quantification uses a Markov chain model to compute mean time taken to reach security failed states. However, getting to the Markov chain directly is rather difficult. Instead, we first obtain the SPN from the ARG description. The reachability graph of this SPN gives the absorbing state Markov chain which in turn is used to quantify the security in terms of the mean‐time‐to‐security‐failure measure for an intrusion tolerant system. Finally, we utilize sensitivity analysis to evaluate the effects of inaccuracies in estimating the model parameters.