Security analysis of SITAR intrusion tolerance system
Security is an important QoS attribute for characterizing intrusion tolerant computing systems. Frequently, however, the security of computing systems is assessed in a qualitative manner based on the presence or absence of certain functional characteristics and security mechanisms. Such a characterization is not only ad hoc, but also lacks a rigorous scientific and systematic basis. Some recent research efforts have emphasized the need for a quantitative assessment of security attributes for intrusion tolerant systems. Intrusion tolerant systems are not only complex, but also have to operate in an environment made unpredictable by the unpredictable actions of bona fide and non bona fide users. This makes quantitative security analysis a difficult problem. Earlier approaches to security modelling have been based on the use of Markov models. Capturing the details of real architectures in a manually constructed Markov model is difficult. We advocate the use of a higher level formalism based on stochastic Petri nets for the modelling and quantitative security analysis of intrusion tolerant systems. To validate our approach, we use an experimental intrusion tolerant system known as SITAR (scalable intrusion tolerant architecture), currently being implemented jointly at MCNC and Duke University, as our target system. It is shown that the resulting analysis is useful in determining the gains in security obtained by reconfiguring such a system in terms of increased redundancy under varying threat levels.
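The kind of quantitative result the abstract refers to can be illustrated with a small model of the sort a stochastic Petri net tool would reduce to an underlying Markov chain. The following is an added example, not the SITAR model or code from the paper: it assumes a constructed birth-death chain in which each of n intact replicas is compromised at rate lam (the threat level), each compromised replica is detected and restored at rate mu, and the system counts as compromised once a majority of replicas is compromised (constructed threshold, standing in for a voting-based defence).

```python
"""Steady-state compromise probability of an n-replica intrusion tolerant
system modelled as a birth-death CTMC (the Markov chain an SPN of such a
system would generate). Model parameters are constructed for illustration.

States: k = number of currently compromised replicas, 0..n.
  k -> k+1 at rate (n - k) * lam   (any intact replica gets compromised)
  k -> k-1 at rate k * mu          (any compromised replica is restored)
"""


def steady_state(n, lam, mu):
    """Return [pi_0, ..., pi_n], the stationary distribution of the chain.

    For a birth-death chain pi_k is proportional to the product of
    birth/death rate ratios along the path 0 -> k, so no linear solver
    is needed."""
    weights = [1.0]
    for k in range(n):
        weights.append(weights[-1] * ((n - k) * lam) / ((k + 1) * mu))
    total = sum(weights)
    return [w / total for w in weights]


def compromise_probability(n, lam, mu, threshold=None):
    """Long-run fraction of time at least `threshold` replicas are
    compromised; default threshold is a simple majority of n."""
    if threshold is None:
        threshold = n // 2 + 1
    pi = steady_state(n, lam, mu)
    return sum(pi[threshold:])


def redundancy_sweep(replica_counts, threat_levels, mu=1.0):
    """Compromise probability for each (n, lam) pair; restoration rate mu
    is the time unit, so lam is the threat level relative to repair."""
    return {(n, lam): compromise_probability(n, lam, mu)
            for n in replica_counts for lam in threat_levels}


if __name__ == "__main__":
    # Constructed sweep: redundancy helps only while lam < mu; once the
    # threat level outruns restoration, more replicas make things worse.
    for (n, lam), p in sorted(redundancy_sweep((1, 3, 5), (0.1, 1.0, 2.0)).items()):
        print(f"n={n} lam={lam:<4} P(compromised) = {p:.4f}")
```

The sweep shows the trade-off the abstract describes: at low threat levels adding replicas reduces the compromise probability sharply, at lam equal to mu redundancy makes no difference, and at high threat levels it is counterproductive.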