1. Using Markov Process in the Analysis of Intrusion Tolerant Systems Quyen L. Nguyen CS 795 – Computer Security Architectures

2. References 1.Sheldon M. Ross. “Introduction to Probability Models”, Academic Press. 2.Kishor Shridharbhai Trivedi. “Probability and Statistics with Reliability, Queuing, and Computer Science Applications, 2nd Edition”. Wiley-Interscience, 2001. 3.Bharat B. Madan, Katerina Goseva-Popstojanova, Kalyanaraman Vaidyanathan, and Kishor S. Trivedi. “A Method for Modeling and Quantifying the Security Attributes of Intrusion Tolerant Systems”. Performance Evaluation 56 (2004), 167-186. 4.Khin Mi Mi Aung, Kiejin Park, and Jong Sou Park. “A Model of ITS Using Cold Standby Cluster”. ICADL 2005, LNCS 3815, pp. 1-10, 2005. 5.Alex Hai Wang, Su Yan and peng Liu. “A Semi-Markov Survivability Evaluation Model for Intrusion Tolerant Database Systems”. 2010 International Conference on Availability, Reliability and Security. 6.Quyen Nguyen and Arun Sood. “Quantitative Approach to Tuning of a Time-Based Intrusion-Tolerant System Architecture”. WRAITS 2009, Lisbon, Portugal. Note: State Diagrams and matrix snapshots in subsequent slides are taken from [3], [4] and [5]. 11/03/20102

3. 3 Outline  Markov Chain –Semi-Markov Process (SMP)  Analysis Model of ITS –Mean Time to Security Failure (MTTSF) –Availability  SCIT  Cluster  ITDB 11/03/2010

4. Stochastic Process  Given that it rains today, will it rain or shine tomorrow?  Given that it is sunny today, will it rain or shine tomorrow? 11/03/20104

5. Markov Process  State space: {rainy, sunny}  Parameter space: X 1, X 2, …  Markov property: next state depends only on current state  p ij = p(X n+1 = j | X n = i, X n-1 = i n-1, …, X 0 = i 0 ) = p(X n+1 = j | X n = i)  Transition Probability Matrix: –P = [p ij ] with ∑ j p ij = 1 for every i  Markov Chain: finite state space  Discrete-time, Continuous-time 11/03/20105

6. Steady-state Probabilities  Stationary Process: transition probability independent of n –p(X n+1 = j | X n = i) = p(X n = j | X n-1 = i)  Chapman-Kolmogorov for n-step transition matrix –P (n) = P n  P n converges to steady state values, as n --> ∞  Solution of system (1) of equations: –x.P = x –Σ i x i = 1 11/03/20106

7. Semi-Markov Process  Time spent in a state i is a random variable with mean µ 1 –If amount of time in each state is 1, then SMP is a Markov.  Embedded DTMC with steady-state probabilities π i  Time proportion in state i: –P i = (π i * µ i ) / ∑ j (π j * µ j )(2)  Steps to solve an SMP: –Solve steady-probabilities of DTMC using system (1) –Use (2) 11/03/20107

8. Modeling ITS  Modeling steps: –Identify states –Identify transitions –Assign transition probabilities 11/03/20108

9. ITS State Diagram [3] 11/03/20109

10. ITS: Embedded DTMC [3] 11/03/201010

11. DTMC Transition Probability Matrix [3]  p 1 = 1 - p a  p 2 = 1 – p m – p u  p 3 = 1 – p s - p g 11/03/201011

12. Calculating Availability [3]  A = 1 – (P FS + P F + P UC )  Transition Diagram and formula depend on attack scenario and metric to compute.  Example: DoS attack, remove unused states MC and FS:  A = 1 – (P F + P UC ) 11/03/201012

13. Availability: Numerical Examples [3]  A is decreasing function of P a and increasing function of h G. 11/03/201013

14. Absorbing and Transient States  if p ij = 0 for i ≠ j, then i is an absorbing state. –Example: complete system failure state.  Arranging Transition Probability, with Q containing transitions between transient states only. 11/03/201014

15. Example of Absorbing State 11/03/201015

16. Visit Times  k-step transition probability matrix P k  ∑Q k = I + Q 1 + Q 2 + … converges to (I – Q) -1 = M = [m ij ]  (I – Q) -1 = M ↔ M(I – Q) = I ↔ M = I + MQ  Theorem: Let X ij be the visit times of state j starting from state i before going to absorbing states: E[X ij ] = m ij  Starting from state 1, V = (V 1, V 2, …, V n ) can be solved by system of equations: –V = I + V.Q 11/03/201016

17. Calculating MTTSF  Determine absorbing states: {UC, FS, GD, F}.  Transient states: {G, V, A, MC, TR}  Form transition matrix comprising of transient states Q.  Compute visit times V i using the equations: –v = q + v.Q  MTTSF = v.µ 11/03/201017

18. ITS: Transient States [3] 11/03/201018

19. MTTSF Numerical Examples [3]  MTTSF decreases as P a increases  MTTSF increases as h G increases. 11/03/201019

20. Issues  Parameter Modeling –Probability Distribution: exponential, Weibull, etc.  Mean value Estimation 11/03/201020

21. SCIT Parameters  Online window W o : server accepts requests from the network  Grace period W g : server stops accepting new requests and tries to fulfill outstanding requests already in its queue.  Exposure window: W = W o + W g.  N online : # redundant online nodes.  N total : total nodes in the cluster.  N total, W, and the cleansing-time T cleansing are inter-related. 11/03/201021

22. SCIT: State Transition Diagram with Absorbing States  Pa: probability of successful attack  Pc: probability of cleansing when in A.  F: low chance of occurrence, but still possible: –Virtual machine and/or the host machine no longer respond to the Controller. –Controller itself fails due to a hardware fault. GVAF G0100 V1–P a 0PaPa 0 APcPc 001-P c F0001 11/03/201022

23. SCIT: MTTSF Computation  Xa and Xt are absorbing states and transient states X a = {F} and X t = {G, V, A}  q: probabilities that process starts at each state in X t : q = (1,0,0), since it starts with state G.  V = (V 0 V 1 V 2 ): number of visit times for each state in X t.  h: mean sojourn times in each state  Solve system of equations: V = q + VQ  Using solutions for V, compute MTTSF scit = V.h 11/03/201023 Q

24. SCIT: MTTSF Expression  P a ↓ → MTTSF scit ↑  P c ↑ → MTTSF scit ↑  How to make P a ↓ and P c ↑? 11/03/201024

25. SCIT: Relationship between P a and W  Modeling malicious attack arrivals: –Assumption: non-staged attacks –(Attack arrivals) ̴ Poisson (λ)  Then, inter-arrival time Y between attacks is exponential distribution: –P(Y ≤ W) = 1 - e -λW  P(Y ≤ W) is also prob. that attacks occur in exposure window.  Then: –P a ≤ P(Y ≤ W) –→ P a ≤ 1 - e -λW 11/03/201025

26. SCIT: Relationship between P c and W  Resident time of the attack modeled as a “service” time Z with rate μ.  Assume Z exponential distribution: P(Z > W) = e -μW  probability that the service time is greater than W is limited by the fact that the system moves out of state A due to the cleansing mode: –P(Z > W) ≤ P c ↔ P c ≥ e -µW  System cannot “serve” more than the arriving attacks: μ ≤ λ.  Then: e -μW ≥ e -λW. 11/03/201026

27. SCIT: MTTSF and W  W ↓ → (P a ≤ 1 - e -λW ) ↓  W ↓ → (P c ≥ e -µW ) ↑  Then: W ↓ → MTTSF scit ↑  MTTSF SCIT ≥ F(W), where F(W) is a decreasing function of W:  Significance: engineer instance of SCIT architecture by tuning W in order to increase or decrease the value of MTTSF SCIT. 11/03/201027

28. SCIT: MTTSF Trend 11/03/201028

29. SCIT Failure State  Is state F really absorbing? –Compromise of Controller is very minimal due to the one-way data. –System automatically recovers back to the G state.  Use Semi-Markov Process with embedded DTMC (Discrete-Time Markov Chain) to compute the steady- state Availability (state without security faults). 11/03/201029

30. SCIT: Availability  Solve the DTMC steady-state probabilities vector y = (y 0, y 1, y 2, y 3 ) for all states in {G, V, A, F}: –y = y.P –Σ i y i = 1. 11/03/201030

31. SCIT: Availability and Exposure Window  Compute SMP stead-state probability π F for state F: –π F = y 3 h 3 /y.h, with h = (h 0, h 1, h 2, h 3 ) being extended to include the mean sojourn time h 3 for state F.  Availability = 1 − π F   Availability monotonically decreases with P a but increases with P c.  Using the same line of reasoning and the assumption of Poisson attack arrival process as for MTTSF SCIT above, we can also conclude that decreasing the exposure window will increase Availability. 11/03/201031

32. Rejuvenation: Single System [4] 11/03/201032  Rejuvenation: stop software, clean internal state, service restart.  Reconfiguration: patching, anti-virus, access control (IP blocking, port blocking, session drop, content filtering), traffic control by limiting bandwidth.  Both may be needed depending on the situation.

33. Rejuvenation: Transition Probability [4]  Equation System: –π = π.P and Σi π i = 1.  π i, i= (H,I,J,C,F).  A = 1 – (π F + π J + π C )  Paper uses balance equations of probabilities leaving and entering a state. 11/03/201033

34. Rejuvenation: Cluster Analysis [4] 11/03/201034  Use SMP for modeling with State Space: Xs =  {(1,1), (I,1), (J,1), (C,1), (F,1), (0,1), (0,I), (0,J), (0,C), (F,F)}  d is the solution of DTMC equations: d.P and Σdi = 1  Then, the prob. for SMP is given by:  A = 1 – (π F 1 + π FF )  Deadline D of mean sojourn time (d i h i ).  Indicator variable Y: –Y i = 0 if d i h i ≤ D and Y i = 1 if d i h i > D  Survavibility S = –A – [Y J1 π F 1 + Y C1 π C1 + Y 0J π 0J + Y 0C π 0C ]

35. Rejuvenation: Numerical Results [4] 11/03/201035  As prob. for (Rj,1), (Rc,1) or (0,Rj), (0,Rc) increase, availability and survivability decrease.

36. Rejuvenation: Numerical Results [4] 11/03/201036  Changes of survability vs. changes in rejuvenation when attacked.  No significant difference between deadlines when prob <.4

37. Coping Ability: Numerical Results [4] 11/03/201037  Survivability is maximized when primary-secondary servers detect abnormal behavior early.

38. Intrusion Tolerance DB [5] 11/03/201038

39. ITDB: State Transition [5]  Integrity: fraction of time when all accessible data are clean –I = π G + π Q + π R  Availability: fraction of time when all clean data are accessible –A = π G + π R 11/03/201039

40. ITDB: False Alarm Rate [5]  ITDB maintains I and A even at high FA rate.  Degradation of I and A as FA increases. 11/03/201040

41. ITDB: Detection Rate [5]  ITDB depends on detection probability.  When P d = 0, I and A are at low level.  When P d increases, I and A go up.  ITDB can maintain I and A at some level at low detection rate. 11/03/201041 d

42. ITDB: Attack Rate [5]  Heavy attack: h G = 5.  Compare “good” and “poor” systems in terms of P d, P fa, h I, h Q, h R.  When attack rate increases, observe: –I and A –Q and R 11/03/201042 d

43. 43 Summary  What is a Markov Process?  How to model an ITS using a Semi-Markov Process?  How to calculate MTTSF based on the model?  Application to SCIT Analysis  Rejuvenation Cluster Analysis  ITDB Analysis 11/03/2010

44. Thank You! mailto:qnguyeng@gmu.edu 11/03/201044