1 Carnegie Mellon University Software Engineering Institute Lecture 4 The Survivable Network Analysis Method: Evaluating Survivability of Critical Systems

2 Survivable Network Technology

3 Survivability Motivation
Growing societal dependence on complex, large-scale, networked systems
  – Sectors: commercial, government, defense, ...
  – Infrastructure: telecom, transportation, utilities, ...
  – Interdependencies and cascade failures
Serious consequences of system compromises and failures
Presidential Commission on Critical Infrastructure Protection

4 Survivability Defined -- 1
Survivability is the capability of a system to fulfill its mission
  – in a timely manner
  – in the presence of attacks, failures, or accidents
Focus is on continuity and recovery
No amount of security can guarantee that systems will not be penetrated

5 Survivability Defined -- 2
Differs from security
  – Security focuses on static perimeter solutions
  – Survivability focuses on layers of protection that degrade over time, and recovery of full services
Differs from dependability
  – Dependability focuses on random faults
  – Survivability focuses on coordinated attacks by intelligent adversaries

6 The Survivable Network Analysis Method

7 SNA Preliminaries
What is a usage scenario?
  – Defined as the sequence of steps in a system use
  – A “use” can be thought of as a transaction
Example: A usage scenario for checking mail on AOL
  Invoke AOL
  logon: enter name and password
  after connection, select “new mail”
  scroll to end of list
  select and read new messages if any
  save and delete messages as necessary
  logoff

8 SNA Concepts -- 1: Essential Capabilities
Essential services/assets
  – System capabilities that support the business mission
  – Must be available despite intrusions
Essential service/asset usage scenarios
  – Steps in essential service/asset usage
Essential components
  – Architecture parts required by essential service/asset scenarios
  – Determined by tracing scenarios through the architecture to determine the components reached (compositional reasoning)

9 Essential Service Scenario Trace (figure: architecture nodes and communication links, with an essential service scenario traced through them and the essential components it reaches marked)

10 SNA Concepts -- 2: Intrusion Capabilities
Treat intruders as users
Intrusion usage scenarios
  – Steps in attacker usage
Compromisable components
  – Architecture parts accessible by intrusion scenarios
  – Determined by intrusion scenario traces

11 Intrusion Scenario Trace (figure: an intrusion scenario traced through the architecture, with the compromisable components it reaches marked)

12 SNA Concepts -- 3: Softspot Components
Softspot components are architecture parts that are both essential and compromisable

13 Architecture Softspot Identification (figure: an essential service scenario and an intrusion scenario traced through the same architecture; the components on both traces are the softspot components, both essential and compromisable)

14 SNA Concepts -- 4: The “Three R’s”
Resistance
  – Capability to deter attacks
Recognition
  – Capability to recognize attacks and extent of damage
Recovery
  – Capability to provide essential services/assets during attack and recover full services after attack

15 SNA Concepts -- 5: “Three R” Strategies
Resistance
  – User authentication, firewalls, software diversification, ...
Recognition
  – Intrusion usage pattern detection, internal integrity checking, ...
Recovery
  – Hot spares, redundant facilities, data replication and reinitialization, alternative service delivery methods, ...

16 SNA Concepts -- 5: Survivability Map
Defines survivability strategies for the three R’s based on intrusion softspots
Relates the strategies to the architecture
Makes recommendations for architecture modifications

17 Survivability Map
Roadmap for management evaluation and action

18 Survivable Network Analysis (SNA) Method
STEP 1 SYSTEM DEFINITION
  – Mission requirements definition
  – Architecture definition and elicitation
STEP 2 ESSENTIAL CAPABILITY DEFINITION
  – Essential service/asset selection/scenarios
  – Essential component identification
STEP 3 COMPROMISABLE CAPABILITY DEFINITION
  – Intrusion selection/scenarios
  – Compromisable component identification
STEP 4 SURVIVABILITY ANALYSIS
  – Softspot component (essential & compromisable) identification
  – Resistance, recognition, and recovery analysis
  – Survivability Map development
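The component tracing of Steps 2 to 4 (essential trace, intrusion trace, softspot = intersection), worked as an added example that is not part of the SEI lecture. The architecture graph and the scenarios are constructed sample data that borrow component names from the Sentinel slides; the link structure and the intrusion traces are assumptions, not the case study's findings.

```python
from collections import deque

# Constructed architecture: component -> components reachable over one link.
ARCH = {
    "User Interface": ["Sentinel Application"],
    "Sentinel Application": ["Business Logic", "Reporting Engine"],
    "Business Logic": ["Common Database"],
    "Reporting Engine": ["Common Database"],
    "Other System Components": ["API"],
    "API": ["Sentinel Back End"],
    "Sentinel Back End": ["Business Logic"],
}

def shortest_path(arch, src, dst):
    """Breadth-first search over links; node list from src to dst, or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:          # walk predecessors back to src
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in arch.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def trace(arch, scenario):
    """Components reached by a scenario (ordered components its steps touch)."""
    reached = {scenario[0]}
    for src, dst in zip(scenario, scenario[1:]):
        path = shortest_path(arch, src, dst)
        if path is None:   # the scenario cannot happen in this architecture
            raise ValueError(f"no path {src!r} -> {dst!r}")
        reached.update(path)  # components on the link path count as reached
    return reached

def softspots(arch, essential_scenarios, intrusion_scenarios):
    essential = set().union(*(trace(arch, s) for s in essential_scenarios))
    compromisable = set().union(*(trace(arch, s) for s in intrusion_scenarios))
    return essential, compromisable, essential & compromisable

# Constructed scenarios: the essential service (treatment plan display) and
# two abstract intrusion traces named only by the components they pass through.
ESSENTIAL = [["User Interface", "Sentinel Application", "Common Database"]]
INTRUSIONS = [["Other System Components", "Common Database"],
              ["Reporting Engine", "Common Database"]]
```

With these inputs the Reporting Engine is compromisable but not essential, so it is not a softspot, while Business Logic and the Common Database are on both traces and are the softspots the Three R strategies must cover.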

19 A Survivability Case Study: The Sentinel Subsystem

20 The Vigilant Healthcare System
Large-scale, distributed mental healthcare management system by CarnegieWorks, Inc.
Many business rules and regulations, many users and stakeholders
Sentinel subsystem
  – Maintains patient data, provider teams, goals, actions, treatment plans, ...
  – Sentinel prototype was subject of survivability study

21 Applying the SNA method
Evaluation team/customer meetings
  – Sentinel architecture elicited
  – Essential services/assets selected, scenarios defined
  – Essential components of architecture traced
  – Intrusion types selected, scenarios defined
  – Compromisable components of architecture traced
Evaluation team sessions
  – Softspots identified, Survivability Map and architecture impacts defined
Customer briefed on findings

22 Original Sentinel Architecture (figure: architecture diagram; components: List Manager, Reporting Engine, Treatment Plan Builder, Treatment Plan Validator, Action Team Builder, User Interface, Sentinel Application, Sentinel Back End, Business Logic, Common Database, API, Other System Components)

23 Initial Analysis
Essential capabilities identified
  – A single service: Treatment plan display on demand
  – A single asset: Treatment plans
Five intrusion scenarios identified

24 Sentinel Survivability Map -- Intrusion 1

25 Sentinel Survivability Map -- Intrusion 2

26 Modified Sentinel Architecture (figure: the Sentinel architecture diagram with numbered modifications; labels: Security Layer [1], Reporting Engine [2], TP Builder crypto-chk [3], TP Validator crypto-chk [4], Common Database - Replicated and Daily Backups [5], Isolated Reporting System [6], Minimal User Interface, Minimal Reporting Engine/TPs)

27 SEI Survivability Research

28 SEI Survivable Network Technology Program (figure: program chart with columns Practice, Research & Development, and Transition; items: Canonical Adaptable Intrusion Scenarios, Survivable Network Development (SND) Method, Semantic Foundations for Network Systems, Survivability Strategy Architecture Patterns, Survivability Software Engineering Life Cycle, Survivable System Simulator, Information Survivability Workshops (ISW), Survivable Network Analysis (SNA) Method*, Critical Infrastructure Constituency, Survivability Simulation Experiments, Case Studies, Assessments, Publications, Education, Collaboration, Transition Partners)

29 Architecture Calculus -- 1
Survivability should be analyzed at the architecture level before committing resources to development
Survivability analysis depends on precise semantics for architecture definitions
An architecture calculus can provide semantics and methods for survivability analysis and design

30 Architecture Calculus -- 2
First initiative: Model Checking technology
  – Exhaustive search of state-space for states that fail to satisfy defined properties
Model Checking used to reveal system states that violate survivability properties
Scenario graphs generated
  – Show steps intruder could take to reach unsafe state
  – Can be mapped to system architecture for corrections

31 Survivable Systems Simulator -- 1
Survivability involves non-functional properties that must exist globally in network systems, but often cannot exist locally in individual nodes
Emergent algorithms offer a highly distributed mechanism for achieving such properties through local interactions
A need exists to
  – measure, assess effectiveness of emergent algorithms
  – develop techniques for predicting emergent behavior
  – assist in design of survivable architectures

32 Survivable Systems Simulator -- 2
CERT/CC is developing a language for describing survivability architectures in terms of computations within nodes and protocols of interaction among nodes
The language enables simulated execution of 100s to 1000s of parallel nodes, but is hosted on uniprocessor PCs
The simulator supports
  – definition of capabilities and limitations of nodes
  – observer processes for analyzing simulations
  – facilitator processes for controlling simulations
