Methods for Dependability and Security Analysis of Large Networks


Ioannis Chochliouros (OTE S.A., General Directorate for Technology, Greece), Anastasia S. Spiliopoulou (OTE S.A., General Directorate for Regulatory Affairs, Greece) and Stergios P. Chochliouros (Independent Consultant, Greece)
DOI: 10.4018/978-1-60566-014-1.ch125

Abstract

Dependability and security are closely related concepts that nevertheless differ in the specific properties on which they concentrate. In most cases found in practical design techniques (Piedad & Hawkins, 2000), the dependability concept includes the security one, being a superset of it. Security is typically characterised by three fundamental properties: confidentiality, integrity, and availability. Dependability encompasses the following attributes (Avizienis, Laprie, Randell, & Landwehr, 2004): (1) availability: readiness for correct service; (2) reliability: continuity of correct service; (3) safety: absence of catastrophic consequences for the user(s) and the environment; (4) confidentiality: absence of unauthorized disclosure of information; (5) integrity: absence of improper system alterations; and (6) maintainability: ability to undergo modifications and repairs. The present work deals primarily with formal methods suitable for performing both security and dependability analysis of modern networks.

Security analysis of large networks generally takes the form of determining the exploitable vulnerabilities of a network, and aims to establish (from informative or, occasionally, experimental data) which network nodes can be compromised by exploiting chains of vulnerabilities, and which fundamental security properties (e.g., confidentiality, integrity, availability) are violated in each case. For this reason, such analysis is also referred to as “network vulnerability analysis.” Dependability analysis of networks, on the other hand, aims to determine the dependencies among the nodes (or the services offered) of the underlying network, so as to establish the consequences of potential faults (on services or hosts) and to identify which of these faults can cause unacceptable consequences in terms of the basic dependability attributes. In this evaluation, attacks (and their consequences) can themselves be treated as faults.
Chapter Preview

Introduction


A great variety of formal modeling and analysis techniques developed for dependability evaluation can be applied in the security domain, and vice versa (Nicol, Sanders, & Trivedi, 2004). There is, nevertheless, an important difference between the accidental (or unintentional) nature of the faults commonly considered in dependability assessment and the intentional, human nature of cyber attacks. Faults can only be modeled realistically by taking their probabilistic occurrence into account, whereas attacks, because of the intentionality of a potential intruder, are more naturally classified simply as “possible” or “impossible,” although it can also be of considerable interest to consider their probability of success in order to rank the likelihood of attack paths. In the general case, dependability evaluation therefore requires a more sophisticated (usually stochastic) analysis, because it must consider both the probability of faults and the acceptability of their consequences. When there is no particular interest in a quantitative evaluation of dependability, however, there is no practical need to model the likelihood of faults, and the same techniques used for classical security analysis can be used to perform dependability analysis with satisfactory results.

The two methods of analysis have many features in common. Among others, they share the following:

  • They require the retrieval of a large amount of information from the nodes of the underlying network in order to build the models on which the assessment is performed.

  • They both work on dependency models. Vulnerability analysis can be performed on a dependency model of vulnerabilities (each exploit depends on the conditions established by earlier ones), while dependability analysis uses models that represent more general dependencies among hosts and services.

  • They need to know the requirements for each specific (dependability or security) attribute. These are usually expressed as the severity of failure of systems and services (e.g., in terms of costs) or as its acceptability, which can be stated either in absolute terms (typically for security) or as an acceptable probability or frequency (usually for dependability).

  • They need to perform a scalable analysis in order to handle real networks.
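The dependency model that both analyses share can be made concrete with a small exploit dependency graph. The following is an added, self-contained Python example, not code from the chapter or its authors: facts such as "exec:web" (code execution on host web) or "net:dmz" (network reach into the DMZ) are attacker conditions, every exploit has preconditions and postconditions, and monotonic forward chaining computes which hosts can be compromised through chains of vulnerabilities and which of confidentiality, integrity and availability each chain affects. A fault is entered into the same model as a rule whose precondition is a failure event, so the same engine reports what a fault takes down. The host names, vulnerability identifiers, rule names and dependencies are constructed for illustration only.

```python
"""Exploit dependency graph with monotonic forward chaining.

Constructed example: facts such as "exec:web" (code execution on host web)
or "net:dmz" (network reach into the DMZ) are attacker conditions; every
exploit has preconditions and postconditions.  A fault is modelled the same
way, as a rule whose precondition is a failure event, so one engine answers
both "which hosts can be compromised?" and "what does a fault take down?".
All host, vulnerability and rule names below are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    name: str
    pre: frozenset          # conditions that must all hold before it fires
    post: frozenset         # conditions it establishes
    impact: frozenset = frozenset()  # security attributes affected: C, I, A


def forward_chain(rules, initial):
    """Return {fact: (rule that produced it or None, round)}.

    Facts are monotonic (an attacker never loses a capability), so the
    loop terminates after at most len(all facts) rounds.  Round numbers
    give a valid order for reconstructing attack chains.
    """
    facts = {f: (None, 0) for f in initial}
    rnd = 0
    while True:
        rnd += 1
        new = {}
        for r in rules:
            if r.pre.issubset(facts):
                for f in r.post:
                    if f not in facts and f not in new:
                        new[f] = (r.name, rnd)
        if not new:
            return facts
        facts.update(new)


def attack_chain(facts, rules, goal):
    """One chain of rules that derives goal, ordered by firing round."""
    by_name = {r.name: r for r in rules}
    chain, needed, seen = [], [goal], set()
    while needed:
        f = needed.pop()
        if f in seen or f not in facts:
            continue
        seen.add(f)
        producer, _ = facts[f]
        if producer is None:          # an initial fact, nothing to derive
            continue
        if producer not in chain:
            chain.append(producer)
        needed.extend(by_name[producer].pre)
    first_round = {n: min(r for _, (p, r) in facts.items() if p == n) for n in chain}
    return sorted(chain, key=first_round.__getitem__)


def compromised_hosts(facts):
    return sorted(f.split(":", 1)[1] for f in facts if f.startswith("exec:"))


def affected_properties(facts, rules):
    by_name = {r.name: r for r in rules}
    return sorted({a for _, (p, _) in facts.items() if p for a in by_name[p].impact})


# Constructed dependency model: attack rules and fault rules side by side.
MODEL = [
    Exploit("ssh-bruteforce-web", frozenset({"net:internet", "weakpass:web"}),
            frozenset({"exec:web"}), frozenset("CI")),
    Exploit("pivot-dmz", frozenset({"exec:web"}), frozenset({"net:dmz"})),
    Exploit("dbsvc-rce", frozenset({"net:dmz", "vuln:db-rce"}),
            frozenset({"exec:db"}), frozenset("CIA")),
    Exploit("db-dos", frozenset({"net:dmz"}), frozenset({"down:db"}), frozenset("A")),
    # needs domain credentials the model never grants, so "exec:dc" stays unreachable
    Exploit("ad-abuse", frozenset({"exec:db", "creds:domain"}),
            frozenset({"exec:dc"}), frozenset("CIA")),
    # fault rules: a failure event and a service dependency, same mechanism
    Exploit("web-psu-fails", frozenset({"fault:psu-web"}), frozenset({"down:web"}), frozenset("A")),
    Exploit("portal-needs-web", frozenset({"down:web"}), frozenset({"down:portal"}), frozenset("A")),
]
ATTACKER_START = {"net:internet", "weakpass:web", "vuln:db-rce"}
FAULT_START = {"fault:psu-web"}

if __name__ == "__main__":
    atk = forward_chain(MODEL, ATTACKER_START)
    print("compromised:", compromised_hosts(atk))
    print("chain to exec:db:", attack_chain(atk, MODEL, "exec:db"))
    print("properties affected:", affected_properties(atk, MODEL))
    flt = forward_chain(MODEL, FAULT_START)
    print("fault consequences:", sorted(f for f in flt if f.startswith("down:")))
```

Because facts only accumulate, the graph is the exploit dependency form rather than a full state graph: its size is bounded by the number of conditions, and the unreachable "exec:dc" shows how a missing precondition (domain credentials) cuts an attack path even though the exploit itself is present in the model.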

Key Terms in this Chapter

Block Diagram (BD): An intuitive graphical structure used to model the operational dependency of a system on its components. It has two types of nodes: block nodes, which represent system components, and dummy nodes, which represent the connections between components.

Petri net (also known as a Place/Transition Net or P/T Net): One of several mathematical representations of discrete distributed systems. As a modeling language, it graphically depicts the structure of a distributed system as a directed bipartite graph with annotations. As such, a Petri net has place nodes, transition nodes, and directed arcs connecting places with transitions.

Dependability: It is the trustworthiness of a computing system which allows reliance to be justifiably placed on the services it delivers. It should be noted that the concept of “Reliance” is contextually subjective, because it depends on the particular needs of an organization.

Fault Tolerance: This is the ability of a system or component to continue normal operation despite the presence of (unexpected) hardware or software faults. There are many levels of fault tolerance, the lowest being the ability to continue operation in the event of a power failure. Many fault-tolerant computer systems mirror all operations, that is, every operation is performed on two or more duplicate systems, so if one fails the other can take over.

Attack Graphs: Data structures that model all possible avenues of attacking a network. Two versions have been widely used: (1) a directed graph whose nodes represent network states and whose edges represent the application of an exploit that transforms one network state into another, more compromised one; the end states of the graph are the network states in which the attacker has achieved his goals; (2) an exploit dependency graph, i.e., a directed graph in which each node represents a precondition (or, depending on the point of view, a postcondition) of an exploit, and each edge represents the consequence of a true precondition enabling an exploit's postcondition.

Attack Trees: They are a variation of fault trees, where the concern is a security breach instead of a system failure. Thus, an attack tree is able to model all possible attacks against a system, just as a fault tree models all failures. In particular, an attack tree represents attacks using a tree structure, where the root node is the attacker goal (or subgoal) and the leaf nodes are atomic attacks that represent all the possible ways an attacker can achieve the goal.

Fault-Tree (FT): The typical fault tree is an acyclic graph composed of internal and external nodes: the internal nodes are traditional logic gates (i.e., AND, OR, K-of-N, etc.), the external nodes are leaves that represent system components (basic events), and edges represent the flow of failure information as Boolean values (TRUE and FALSE).
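The fault tree and attack tree definitions above share one gate structure, and the added example below (not code from the chapter or its authors) evaluates it in the ways the chapter contrasts: as a Boolean "possible/impossible" question for a given set of leaf events, as minimal cut sets (the smallest sets of component failures or atomic attacks that reach the root), and, when each basic event carries a probability, as the exact probability of the top event under independence, which is the quantitative dependability case. The two trees, their event names and the failure probabilities are constructed for illustration.

```python
"""Fault-tree and attack-tree evaluation over the same gate structure.

Constructed example: internal nodes are AND, OR and K-of-N gates; leaves
are basic events (component failures in a fault tree, atomic attacks in an
attack tree).  The tree is evaluated three ways: Boolean truth for a given
set of events, minimal cut sets (smallest sets of leaf events that reach the
root), and, when each basic event has a probability, the exact probability
of the top event under independence.  Trees, event names and probabilities
below are invented.
"""
from dataclasses import dataclass
from itertools import combinations, product


@dataclass(frozen=True)
class Gate:
    kind: str         # "AND", "OR" or "KOFN"
    children: tuple   # Gate instances or basic-event names (str)
    k: int = 0        # threshold for KOFN gates


def evaluate(node, state):
    """Boolean evaluation; state maps basic event -> True if it occurred."""
    if isinstance(node, str):
        return bool(state.get(node, False))
    vals = [evaluate(c, state) for c in node.children]
    if node.kind == "AND":
        return all(vals)
    if node.kind == "OR":
        return any(vals)
    if node.kind == "KOFN":
        return sum(vals) >= node.k
    raise ValueError(f"unknown gate kind {node.kind!r}")


def basic_events(node, acc=None):
    acc = set() if acc is None else acc
    if isinstance(node, str):
        acc.add(node)
    else:
        for c in node.children:
            basic_events(c, acc)
    return acc


def minimal_cut_sets(tree):
    """Enumerate leaf subsets by increasing size; keep those that reach the
    root and are not supersets of a cut already found.  Exponential in the
    number of leaves, which is fine for trees of the size drawn by hand."""
    events = sorted(basic_events(tree))
    cuts = []
    for size in range(1, len(events) + 1):
        for subset in combinations(events, size):
            if any(c <= set(subset) for c in cuts):
                continue
            if evaluate(tree, dict.fromkeys(subset, True)):
                cuts.append(frozenset(subset))
    return sorted(sorted(c) for c in cuts)


def top_event_probability(tree, probs):
    """Exact P(top event) for independent basic events, over all 2^n states."""
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        if evaluate(tree, dict(zip(events, bits))):
            p = 1.0
            for e, b in zip(events, bits):
                p *= probs[e] if b else 1.0 - probs[e]
            total += p
    return total


# Fault tree: "database service unavailable" (constructed).
DB_UNAVAILABLE = Gate("OR", (
    Gate("AND", ("primary_db_down", "replica_db_down")),
    Gate("KOFN", ("san_disk_1", "san_disk_2", "san_disk_3"), k=2),
    "core_switch_down",
))
FAILURE_PROBS = {"primary_db_down": 0.05, "replica_db_down": 0.05,
                 "san_disk_1": 0.1, "san_disk_2": 0.1, "san_disk_3": 0.1,
                 "core_switch_down": 0.01}

# Attack tree: "read customer records"; same structure, leaves are atomic attacks.
READ_RECORDS = Gate("OR", (
    Gate("AND", ("phish_dba", "bypass_mfa")),
    "sqli_on_portal",
    Gate("AND", ("steal_backup_tape", "break_backup_encryption")),
))

if __name__ == "__main__":
    print("fault cut sets:", minimal_cut_sets(DB_UNAVAILABLE))
    print("P(db unavailable):", round(top_event_probability(DB_UNAVAILABLE, FAILURE_PROBS), 6))
    print("attack cut sets:", minimal_cut_sets(READ_RECORDS))
    print("phishing alone suffices:", evaluate(READ_RECORDS, {"phish_dba": True}))
```

The cut-set listing is the qualitative output a security analyst reads (single-point failures, or single atomic attacks, appear as one-element sets), while the probability is only meaningful for the fault tree, where leaf events have an observed rate; for the attack tree the leaves are intentional and the chapter's "possible/impossible" reading applies.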
