Modeling SITAR System Security

Recent strategies to protect system security lay emphasis on designing intrusion-tolerant systems that are able to tolerate intrusions using techniques such as redundancy, diversity, reconfiguration and graceful degradation. These systems are expected to not only detect and tolerate attacks, but also repair, or rejuvenate themselves so as to remove any damage caused by an intrusion. Several research efforts are currently afoot to design such systems, such as Enclaves, EMERALDS, ITUA, MAFTIA and SITAR. Before any security mechanism can be accepted to provide protection to a system, it is important to assess its efficacy. Earlier security evaluations were mainly based on a qualitative assessment, such as [1], [2]. This may not be enough to characterize intrusion tolerant systems. Recent studies to security evaluation have begun to take a quantitative approach by using probabilistic and statistical methods as in traditional reliability analysis [6], [3], [5], [4]. In this paper we apply probabilistic modeling to the SITAR system, which is an intrusion tolerant architecture developed jointly by MCNC and Duke University. We start with a continuous-time Markov model that describes the dynamic behavior of multiple intrusion tolerance strategies that exist in SITAR. In order to increase the fidelity of the model to the SITAR architecture, we found it difficult to continue with the hand construction of a CTMC, we motivate and use the stochastic reward net (SRN) model to capture the SITAR system behavior as well as the attacker behavior.