modeling and evaluating the survivability of an intrusion tolerant database system hai wang and peng...

Modeling and Evaluating the Survivability of an IntrusionTolerant Database System

Hai Wang and Peng LiuCyber Security LabPennsylvania State University

Penn State Cyber Security Lab, USA 2

Introduction

Motivation The need for quantifying survivability The limitation of reliability/availability model

Goal Developing a survivability evaluation model Proposing quantitative measures to characterize the

capability of a resilient system surviving intrusions Understanding the impact of existing system

deficiencies and attack behaviors on the survivability


Outline Introduction ITDB: An Motivating Example Modeling Intrusion Tolerant Database Systems Survivability Evaluation Empirical Validation Results Conclusion Related Work


ITDB: An Motivating Example ITDB motivation

After the database is damaged, locate the damaged part and repair it as soon as possible

The database can continue being useful in the face of attacks Basic ITDB system architecture


Modeling Intrusion Tolerant Database Systems Stochastic versus Deterministic models

Less parameters Transition structure ComprehensiveComplex relationships


Basic state transition model

States Good state: G Infected state: I Containment state: M Recovery state: R

Parameters Mean time to attack (MTTA): Mean time to detect (MTTD): Mean time to mark (MTTM): Mean time to repair (MTTR):

a/1

d/1

m/1

r/1


Intrusion Detection System Model

False alarm A false alarm occurred

when the IDS fails before the intrusion

Time to intrusion:

Detection probability Detection probability: Undetected state MD and

manual repair state MR Detection latency

Detection time:

},min{ faa TTA

dT

d


Damage Propagation and Repair Model Damage propagation

The time between the infection of and the item:

Assume is exponentially distributed

Damage repair The time to scan:

The time to repair:

thi )1( ith

diTdiT

tdD

i

ietF 1)(

tM

m

ietF 1)(

tR

r

ietF 1)(


Survivability Evaluation

State transition model analysis The transient behavior of the Continuous Time Markov Chain

(CTMC) can be described by the Kolmogorov differential equation

Cumulative probabilities of the CTMC

The steady state probability of the CTMC

QtPdt

tdP)(

)(

)0()()(

PQtLdt

tdL

Si

iQ 1,0


Survivability Evaluation (2)

Consider the basic state transition model State space Generator matrix

Steady state probabilities

MTTRMTTMMTTDMTTA

MTTR

MTTRMTTMMTTDMTTA

MTTM

MTTRMTTMMTTDMTTA

MTTD

MTTRMTTMMTTDMTTA

MTTA

rmda

rR

rmda

mM

rmda

dD

rmda

aG

/1/1/1/1

/1

/1/1/1/1

/1

/1/1/1/1

/1

/1/1/1/1

/1

rr

mm

dd

aa

Q

00

00

00

00

},,,{ RMIGS


Survivability Evaluation Metrics

Integrity (I) A fraction of time that all accessible data items in the

database are clean Consider the basic state transition model

Integrity

Consider the comprehensive model Integrity

MTTRMTTMMTTDMTTA

MTTRMTTMMTTAI RMG

k

iR

k

iMGI

11


Survivability Evaluation Metrics(2)

Rewarding-availability (RA) Availability is defined as a fraction of time that the system is providing

service to its users RA is defined as a fraction of time that the all clean data items are

accessible Consider the basic state transition model

Rewarding availability

Consider the comprehensive model Rewarding availability

MTTRMTTMMTTDMTTA

MTTRMTTARA RG

k

iRGRA

1


Empirical Validation

Testbed A real testbed ITDB is built Transaction application: the TPC-c benchmark

Parameters setting and estimation Parameters setting

attack hitting rate, false alarm rate, detection probability, detection rate, manual repair rate and manual detection rate

Parameters estimation Maximum-likelihood to produce estimator

k

R

k

MR

k

M

k

~~

,


Empirical Validation

Validation The steady state probability of occupying a particular

state computed from the CTMC model The estimated probability from the observed data

the ratio of the length of time the system was in that state to the total length of the period of observation


Results

Using ITDB as an example to study Focusing on the impact of different system

deficiencies on the survivability in the present of attack

Parameters settings


Impact of Attack Intensity

Can ITDB handle different attack intensity?


Impact of False Alarms

High false alarm rate Bring extra workload to the recovery subsystem Waste system resources


Impact of Detection Probability

Low detection probability Talk longer time to detect the intrusion manually Bring more work for the administrator to mark and

repair the damage manually


Transient Behaviors

Steady state measures the behavior of the system in a infinite time interval

The system may never reach the steady state, or take a very long time

Transient Behaviors of a good system


Transient Behaviors (2)

Transient Behaviors of a poor system


Conclusion

Contributions Extended the classic availability model to a new

survivability model. Mean Time to Attack (MTTA), Mean Time to

Detection (MTTD), Mean Time to Marking (MTTM), and Mean Time to Repair (MTTR) are proposed as basic measures of survivability

A real intrusion tolerant database system is established to validate the state transition models we established

The impacts of existing system deficiencies and attack behaviors on the survivability are studied


Conclusion (2)

Findings The CTMC models we established can be taken to

model the real system reasonably well ITDB can provide essential database services in the

presence of attacks ITDB can maintain the desired essential survivability

properties without being seriously affected by various system deficiencies and different attack intensity

Compared with false alarm, the impact of detection probability on survivability is severer


Outline Introduction ITDB: An Motivating Example Modeling Intrusion Tolerant Database

Systems Survivability Evaluation Empirical Validation Results Related Work


Related Work

Madan, B.B., Goseva-Popstojanova, K., Vaidyanathan, K., Trivedi (Performance Evaluation 2004) Stochastic modeling techniques are used to capture the attacker

behavior as well as the system's response to a security intrusion A security measure called the mean time (or effort) to security

failure is proposed “good guestimate" values of model parameters were used

Singh, S., Cukier, M., Sanders, W.H. (DSN 2003) stochastic activity network is used to quantitatively validate an

intrusion-tolerant replication management system Several measures defined on the model were proposed to study

the survivability The impacts of system parameters variations are studied


Selected references

Liu, P.: Architectures for intrusion tolerant database systems. In: Proceedings of 18th Annual Computer Security Applications Conference (ACSAC 2002). (2002) 311-320

Madan, B.B., Goseva-Popstojanova, K., Vaidyanathan, K., Trivedi, K.S.: A method for modeling and quantifying the security attributes of intrusion tolerant systems. Performance Evaluation 56(1-4) (2004) 167-186

Yu, M., Liu, P., Zang, W.: Self-healing workflow systems under attacks. In: Proceedings of 24th International Conference on Distributed Computing Systems (ICDCS 2004). (2004) 418-425

Wang, H., Liu, P., Li, L.: Evaluating the impact of intrusion detection deficiencies on the cost-effectiveness of attack recovery. In: Proceedings of 7th International Information Security Conference (ISC 2004). (2004) 146-157

Singh, S., Cukier, M., Sanders, W.H.: Probabilistic validation of an intrusion-tolerant replication system. In: Proceedings of the International Conference on Dependable Systems and Networks (DSN 2003). (2003) 615-624

modeling and evaluating the survivability of an intrusion tolerant database system hai wang and peng...

Documents

penn state cyber security

containment state

recovery state

survivability slide

steady state probability

intrusion time

undetected state md

g infected state