Modeling and performance evaluation of computer systems security operation

A model of computer system security operation is developed based on the fork-join queueing network formalism. We introduce a security operation performance measure, and show how it may be used for performance evaluation of actual systems.

Authors: D. Guster, N. K. Krivulin

Key-Words: computer system security, security attack, security vulnerability, performance evaluation, fork-join queueing networks.

1 Introduction

The explosive growth in computer systems and networks has increased the role of computer security within organizations [4]. In many cases, ineffective protection against computer security threats leads to considerable damage, and can even cause an organization to be paralyzed. Therefore, the development of new models and methods of performance analysis of security systems seems to be very important.

In this paper, we propose a model of computer security operation, and introduce its related performance measure. It is shown how the model can be applied to performance evaluation of actual systems. Finally, a technique of security system performance analysis is described and its practical implementation is discussed. We conclude with an appendix which contains technical details concerning the fork-join network representation of the model, and related results.

∗ Proc. 4th St. Petersburg Workshop on Simulation / Ed. by S. M. Ermakov, Yu. N. Kashtanov, V. B. Melas, NII Chemistry St. Petersburg University Publishers, St. Petersburg, 2001, pp. 233–238.
† Department of Statistics, St. Cloud State University, 720 4th Ave. S., St. Cloud, MN 56301-4442, Guster@mcs.stcloudstate.edu.
‡ Faculty of Mathematics and Mechanics, St. Petersburg State University, 28 Universitetsky Ave., St. Petersburg, 198504, Russia, nkk@math.spbu.ru.
§ The work was partially supported by the Russian Foundation for Basic Research, Grant #00-01-00760.

2 A Security Operation Model

In this paper, we deal with the current security activities (see Fig. 1) that mainly relate to the actual security threats rather than to strategic or long-term issues of security management.

[Figure 1: Computer systems security activities. Four activities in sequence: Intrusion Detection, Analysis of Attack, Recovery Planning, Recovery Procedure.]

Consider the model of security operation in an organization, presented in Fig. 2. Each operational cycle starts with security attack detection based on audit records and system/error log analysis, traffic analysis, or user reports. In order to detect an intrusion, automated tools of security monitoring are normally used, including procedures of statistical anomaly detection, rule-based detection, and data integrity control [4].

[Figure 2: A security analysis and maintenance model. Nodes: 1 Security Attacks Detection; 2 Software and Data Integrity Analysis; 3 Vulnerabilities Analysis; 4 Software and Data Recovery Procedures; 5 Development of Countermeasures; 6 Security System Modification. Arcs: 1→2, 1→3, 2→4, 3→4, 3→5, 4→6, 5→6.]

After security attack detection and identification, the integrity of system/application software and data in storage devices has to be examined to search for possible unauthorized modifications or damage made by the intruder. The investigation procedure can exploit file lists and checksum analysis, hash functions, and other automated techniques. In parallel, the system vulnerabilities which allowed the intruder to attack should be identified and investigated. The vulnerability analysis normally presents an informal procedure, and therefore it can hardly be performed automatically.
Based on the results of integrity analysis, a software and data recovery procedure can be initiated using back-up servers and reserve storage devices. It has to take into account the security vulnerabilities identified at the previous step, so as to provide for further improvements in the entire security system. Along with the recovery procedure, the development of a complete set of countermeasures against similar attacks should be performed. Finally, the operational cycle is concluded with appropriate modifications of software, data bases, and system security policies and procedures.

We assume that the organization has appropriate personnel integrated in a Computer Emergency Response Team, available to handle the attack. The team would include at least two subteams working in parallel, one to perform integrity analysis and recovery procedures, and another to do vulnerability analysis and development of countermeasures. At any time instant, each subteam can deal with only one security incident. Any procedure may be started as soon as all prior procedures, according to the model in Fig. 2, have been completed. If a request to handle a new incident occurs when a subteam is still working on a procedure, the request has to wait until the processing of that procedure is completed.

We denote by $\tau_{1k}$ a random variable (r.v.) that represents the time interval between detections of the $k$th attack and its predecessor. Furthermore, we introduce r.v.'s $\tau_{ik}$, $i = 2, \ldots, 6$, to describe the time of the $k$th instance of procedure $i$ in the model. We assume $\tau_{i1}, \tau_{i2}, \ldots$ to be independent and identically distributed (i.i.d.) r.v.'s with finite mean and variance for each $i$, $i = 1, \ldots, 6$. At the same time, we do not require independence of $\tau_{1k}, \ldots, \tau_{6k}$ for each $k$, $k = 1, 2, \ldots$.
3 Security Operation Performance Evaluation

In order to describe system performance, we introduce the following notation. Let $T_A$ be the mean time between consecutive security attacks (the attack cycle time), and $T_S$ be the mean time required to completely handle an attack (the recovery cycle time), as the number of attacks $k$ tends to $\infty$.

In devising the security operation performance measure, one can take the ratio $R = T_S / T_A$. With the natural condition $T_S \le T_A$, one can consider $R$ as the portion of time the system is under recovery, assuming $k \to \infty$.

First note that the attack cycle time can immediately be evaluated as the mean value $T_A = \mathrm{E}[\tau_{11}]$.

Now consider the cycle time of the entire system, which can be defined as the mean time interval between successive completions of security system modification procedures as the number of attacks $k \to \infty$. As one can prove (see Appendix for further details), the system cycle time $\gamma$ can be calculated as
$$\gamma = \max\{\mathrm{E}[\tau_{11}], \ldots, \mathrm{E}[\tau_{61}]\}.$$

In order to evaluate the recovery cycle time, we assume the system will operate under the maximum traffic level, which can be achieved when all the time intervals between attacks are set to 0. Clearly, under that condition, the system cycle time can be taken as a reasonable estimate of the recovery cycle time. Considering that now $\mathrm{E}[\tau_{11}] = 0$, we get the recovery cycle time in the form
$$T_S = \max\{\mathrm{E}[\tau_{21}], \ldots, \mathrm{E}[\tau_{61}]\}.$$

4 Performance Analysis and Discussion

In fact, the above model presents a quite simple but useful tool for security system operation management. It may be used to make decisions on the basis of a few natural parameters of the security operation process. Let us represent the ratio $R$ in the form
$$R = \max\{\mathrm{E}[\tau_{21}], \ldots, \mathrm{E}[\tau_{61}]\} / \mathrm{E}[\tau_{11}],$$
and assume the attack rate, determined by $\mathrm{E}[\tau_{11}]$, to be fixed.
Taking into account that the above result has been obtained based on the assumption of an infinite number of attacks, we arrive at the following conclusion. As the number of attacks becomes sufficiently large, the performance of the system is determined by the time of the longest procedure involved in the system operation, whereas the impact of the order of performing the procedures disappears.

It is clear that in order to improve system performance, the system security manager (administrator) should first concentrate on decreasing the mean time required to perform the longest procedure within the security operation model, then consider the second longest procedure, and so on. The goal of decreasing the time can be achieved through partition of a whole procedure into subprocedures, which can be performed in parallel, or through rescheduling of the entire process with redistribution of particular activities between procedures.

In practice, the above model and its related ratio $R$ can serve as the basis for efficient monitoring of organizational security systems. Because the introduction of new countermeasures may change the attack cycle time, the monitoring requires updating this parameter after each modification of the system.

Finally, note that the above model can be easily extended to cover security operational processes which consist of different procedures and precedence constraints.

Appendix

In order to describe the above security system operational model in a formal way, we exploit the fork-join network formalism proposed in [1]. The fork-join networks present a class of queueing systems which allow for splitting a customer into several new customers at one node, and for merging customers into one at another node.
In order to represent the dynamics of such networks, we use a $(\max,+)$-algebra based approach developed in [2]. The $(\max,+)$-algebra is a triple $\langle \mathbb{R}_\varepsilon, \oplus, \otimes \rangle$, where $\mathbb{R}_\varepsilon = \mathbb{R} \cup \{\varepsilon\}$ with $\varepsilon = -\infty$. The operations $\oplus$ and $\otimes$ are defined for all $x, y \in \mathbb{R}_\varepsilon$ as
$$x \oplus y = \max(x, y), \qquad x \otimes y = x + y.$$
The $(\max,+)$-algebra of matrices is introduced in the ordinary way, with the matrix $\mathcal{E}$ with all its entries equal to $\varepsilon$ taken as the null matrix, and the matrix $E = \mathrm{diag}(0, \ldots, 0)$ with its off-diagonal entries equal to $\varepsilon$ as the identity.

We introduce the vector $x(k) = (x_1(k), \ldots, x_n(k))^T$ of the $k$th service completion times at the network nodes, and the diagonal matrix $T_k = \mathrm{diag}(\tau_{1k}, \ldots, \tau_{nk})$ with given nonnegative random variables $\tau_{ik}$ representing the $k$th service time at node $i$, $i = 1, \ldots, n$, and the off-diagonal entries equal to $\varepsilon$. The dynamics of acyclic fork-join networks can be described by the stochastic difference equation (see [2] for further details)
$$x(k) = A(k) \otimes x(k-1), \qquad A(k) = \bigoplus_{j=0}^{p} (T_k \otimes G^T)^j \otimes T_k, \tag{1}$$
where $G$ is a matrix with the elements
$$g_{ij} = \begin{cases} 0, & \text{if there exists arc } (i,j) \text{ in the network graph}, \\ \varepsilon, & \text{otherwise}, \end{cases}$$
and $p$ is the length of the longest path in the graph. The matrix $G$ is normally referred to as the support matrix of the network. Note that since the network graph is acyclic, we have $G^q = \mathcal{E}$ for all $q > p$.

The cycle time of the network is defined as
$$\gamma = \lim_{k \to \infty} \|x(k)\|^{1/k}, \qquad \|x(k)\| = \max_i x_i(k),$$
where the power is understood in the $(\max,+)$ sense, so that $\|x(k)\|^{1/k}$ stands for $\|x(k)\|/k$. Clearly, if this limit exists, it can be found as $\lim_{k \to \infty} \|A_k\|^{1/k}$, where $A_k = A(k) \otimes \cdots \otimes A(1)$.

As it is easy to see, the fork-join network representation of the above security operation model takes the form presented in Fig. 3.
[Figure 3: The fork-join queueing network model. (a) Network scheme: nodes 1–6 with arcs 1→2, 1→3, 2→4, 3→4, 3→5, 4→6, 5→6. (b) Support matrix:]
$$G = \begin{pmatrix} \varepsilon & 0 & 0 & \varepsilon & \varepsilon & \varepsilon \\ \varepsilon & \varepsilon & \varepsilon & 0 & \varepsilon & \varepsilon \\ \varepsilon & \varepsilon & \varepsilon & 0 & 0 & \varepsilon \\ \varepsilon & \varepsilon & \varepsilon & \varepsilon & \varepsilon & 0 \\ \varepsilon & \varepsilon & \varepsilon & \varepsilon & \varepsilon & 0 \\ \varepsilon & \varepsilon & \varepsilon & \varepsilon & \varepsilon & \varepsilon \end{pmatrix}$$

For the network graph, we have $p = 3$. Therefore, we get equation (1) with
$$A(k) = \bigl(E \oplus T_k \otimes G^T \oplus (T_k \otimes G^T)^2 \oplus (T_k \otimes G^T)^3\bigr) \otimes T_k.$$

Let us consider an arbitrary fork-join queueing network with $n$ nodes, which is governed by equation (1). We assume that the matrix $G$ in (1) has the upper triangular form. Since the network graph is acyclic, the network nodes can always be renumbered so that the matrix $G$ becomes upper triangular.

Now we describe a tandem queueing system associated with the above network. We assume the evolution of the tandem system to be governed by the equation
$$x(k) = B(k) \otimes x(k-1), \qquad B(k) = \bigoplus_{j=0}^{n} (T_k \otimes H^T)^j \otimes T_k,$$
where $H$ is a support matrix with the elements
$$h_{ij} = \begin{cases} 0, & \text{if } i + 1 = j, \\ \varepsilon, & \text{otherwise}. \end{cases}$$
Note that both matrices $A(k)$ and $B(k)$ are determined by the common matrix $T_k$, but different support matrices $G$ and $H$. Clearly, the longest path in the graph associated with the tandem queue is assumed to be equal to $n$.

Lemma 1. For all $k = 1, 2, \ldots$, it holds that $A(k) \le B(k)$.

Proof: As it is easy to verify, for any integer $q > 0$, it holds
$$G^q \le H \oplus H^2 \oplus \cdots \oplus H^n.$$
Furthermore, since $T_k$ has only nonnegative entries on the diagonal, we have for any $q > 1$
$$H^q \otimes T_k \le (H \otimes T_k)^q.$$
By applying the above inequalities together with the condition that $H^m = \mathcal{E}$ for all $m > n$, we arrive at the inequality
$$(G \otimes T_k)^q \le (H \otimes T_k) \oplus (H \otimes T_k)^2 \oplus \cdots \oplus (H \otimes T_k)^n.$$
Taking into account that the last inequality is valid for all $q > 0$, we have
$$T_k \otimes \bigoplus_{j=0}^{p} (G \otimes T_k)^j \le T_k \otimes \bigoplus_{j=0}^{n} (H \otimes T_k)^j.$$
It remains to transpose both sides of the inequality to get the desired result.

By applying the above lemma together with the result in [3], one can prove the following statement.

Lemma 2. Suppose that for the acyclic fork-join queueing network, the random variables $\tau_{i1}, \tau_{i2}, \ldots$ are i.i.d. for each $i = 1, \ldots, n$ with finite mean $\mathrm{E}[\tau_{i1}] \ge 0$ and variance $\mathrm{D}[\tau_{i1}]$. Then the cycle time $\gamma$ can be evaluated as
$$\gamma = \max\{\mathrm{E}[\tau_{11}], \ldots, \mathrm{E}[\tau_{n1}]\}.$$

References

[1] F. Baccelli and A. M. Makowski. Queueing models for systems with synchronization constraints. Proc. IEEE, 77(1):138–160, January 1989. doi:10.1109/5.21076.
[2] N. K. Krivulin. Algebraic modeling and performance evaluation of acyclic fork-join queueing networks. In N. Balakrishnan, V. B. Melas, and S. Ermakov, editors, Advances in Stochastic Simulation Methods, Statistics for Industry and Technology, pages 63–81. Birkhäuser, Boston, 2000. arXiv:1212.4648.
[3] N. K. Krivulin and V. B. Nevzorov. Evaluation of the mean interdeparture time in tandem queueing systems. In S. M. Ermakov, Y. N. Kashtanov, and V. B. Melas, editors, Proc. 4th St. Petersburg Workshop on Simulation, pages 310–315, St. Petersburg, 2001. NII Chemistry St. Petersburg University Publishers.
[4] W. Stallings. Network and Internetwork Security: Principles and Practice. Prentice Hall, Englewood Cliffs, 1995.
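Worked example, added here and not part of the paper: a small (max,+) simulation of the six-node model that iterates the recursion (1) with the support matrix of Fig. 3, estimates the cycle time as $\|x(K)\|/K$ (which should approach $\max_i \mathrm{E}[\tau_{i1}]$ by Lemma 2), and computes the closed-form $T_A$, $T_S$ and $R$ of Section 3. The mean times, the uniform ±50% distribution of the service and interarrival times, and the function names are constructed assumptions.

```python
import random

EPS = float("-inf")   # epsilon, the (max,+) null element
N = 6                 # nodes 1..6: detection, integrity, vulnerability, recovery, countermeasures, modification
ARCS = {(1, 2), (1, 3), (2, 4), (3, 4), (3, 5), (4, 6), (5, 6)}   # Fig. 2 / Fig. 3(a)
P = 3                 # length of the longest path in the network graph
# Support matrix G of Fig. 3(b): g_ij = 0 if arc (i, j) exists, eps otherwise.
G = [[0.0 if (i + 1, j + 1) in ARCS else EPS for j in range(N)] for i in range(N)]
IDENTITY = [[0.0 if i == j else EPS for j in range(N)] for i in range(N)]   # the matrix E

def mp_mul(a, b):
    """(max,+) matrix product: c_ij = max_k (a_ik + b_kj)."""
    return [[max(a[i][k] + b[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

def mp_add(a, b):
    """(max,+) matrix sum: entrywise maximum."""
    return [[max(x, y) for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def transition_matrix(tau):
    """A(k) of equation (1): (E + T_k G^T + ... + (T_k G^T)^p) T_k with T_k = diag(tau)."""
    T = [[tau[i] if i == j else EPS for j in range(N)] for i in range(N)]
    M = mp_mul(T, [list(col) for col in zip(*G)])   # T_k (x) G^T
    acc, power = IDENTITY, IDENTITY
    for _ in range(P):
        power = mp_mul(power, M)
        acc = mp_add(acc, power)
    return mp_mul(acc, T)

def simulated_cycle_time(means, attacks, seed=1):
    """Iterate x(k) = A(k) (x) x(k-1) for K = `attacks` cycles and return ||x(K)||/K,
    the (max,+) K-th root that defines the cycle time.  Times are drawn uniformly
    within +/-50% of their means (a constructed assumption, not from the paper)."""
    rng = random.Random(seed)
    x = [0.0] * N
    for _ in range(attacks):
        tau = [rng.uniform(0.5 * m, 1.5 * m) for m in means]
        a = transition_matrix(tau)
        x = [max(a[i][j] + x[j] for j in range(N)) for i in range(N)]
    return max(x) / attacks

def performance_ratio(means):
    """Closed-form T_A = E[tau_11], T_S = max E[tau_i1] over i >= 2, and R = T_S / T_A."""
    t_a, t_s = means[0], max(means[1:])
    return t_a, t_s, t_s / t_a

if __name__ == "__main__":
    means = [10.0, 3.0, 8.0, 5.0, 6.0, 2.0]    # constructed mean times per node
    print("simulated gamma:", simulated_cycle_time(means, 2000))              # about 10
    print("simulated T_S  :", simulated_cycle_time([0.0] + means[1:], 2000))  # about 8
    print("T_A, T_S, R    :", performance_ratio(means))                       # (10.0, 8.0, 0.8)
```

Setting the first mean to 0 reproduces the maximum-traffic condition of Section 3, so the second simulated value estimates $T_S$ rather than $\gamma$.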
