Requirements Definition for Survivable Network Systems

Authors

  • Richard C. Linger
  • Nancy R. Mead
  • Howard F. Lipson
Abstract

Pervasive societal dependency on large-scale, unbounded network systems, the substantial risks of such dependency, and the growing sophistication of system intruders have focused increased attention on how to ensure network system survivability. Survivability is the capacity of a system to provide essential services even after successful intrusion and compromise, and to recover full services in a timely manner. Requirements for survivable systems must include definitions of essential and non-essential services, plus definitions of new survivability services for intrusion resistance, recognition, and recovery. Survivable system requirements must also specify both legitimate and intruder usage scenarios, and survivability practices for system development, operation, and evolution. This paper defines a framework for survivable systems requirements definition and discusses requirements for several emerging survivability strategies. Survivability must be designed into network systems, beginning with effective survivability requirements analysis and definition.

1. The Idea of Survivable Network Systems

From their modest beginnings some 20 years ago, network systems have grown to become a critical enabling agent in business, industry, government, and defense. Major economic sectors, including energy, transportation, telecommunications, manufacturing, financial services, health care, and education, all depend on a vast array of network systems operating on local, national, and global scales. This pervasive societal dependency on networks magnifies the consequences of failure and amplifies the vital importance of ensuring their survivability. As a result, methods for achieving system survivability are receiving increasing attention [1]. Survivability refers to the capability of a system to complete its mission in a timely manner, even if significant portions are compromised by attack or accident.

In particular, survivability refers to the capability of a system to provide essential services in the presence of successful intrusion, and to recover compromised services in a timely manner after intrusion occurs. For example, a survivable financial network would maintain the integrity and availability of essential information, such as account and loan data, and services, such as transaction validation and processing. Integrity would be maintained even if particular nodes or communication links were incapacitated through intrusion or accident, and compromised information and services would be recovered in a timely manner. While survivability focuses on the preservation of mission capabilities, it includes issues of confidentiality and integrity as well. Because of the value of the CERT intrusion knowledge base, this work has focused on attack and compromise by intelligent adversaries.

Experience with network systems has shown that no amount of hardening can guarantee invulnerability to attack. Despite best efforts, systems will continue to be breached. Thus, it is vital to expand the current view of information systems security to encompass system behavior that contributes to survivability in spite of intrusions or accidents. Network systems must be robust in the presence of attack and able to survive attacks that cannot be completely repelled. The growing societal dependency on networks and the risks associated with their failure require that survivability be designed into these systems, beginning with effective survivability requirements analysis and definition.

In today's network environment, system security is largely dependent upon the encryption of data and isolation through mechanisms such as firewalls. While the firewall approach is currently practical in a limited fashion, it will become increasingly inadequate to protect systems from intrusion in the rapidly expanding world of unbounded network computing. Current systems are characterized by customer-owned and controlled computing resources communicating over unbounded networks. In future systems, most computing resources will be resident within unbounded network infrastructures and will be controlled by a multitude of computing and communications service providers. These environments will be so unbounded as to render ineffective current security approaches, such as firewalls, that are based solely on isolation. In such environments, firewalls will be ineffective in detecting attacks, recovering from attacks, or helping systems survive intrusions and complete their missions in spite of malicious activity. Future unbounded systems will also embody dynamic architectures, capable of automated, real-time reconfiguration and adaptation in response to changing requirements and environments.

In summary, survivable network systems embody two essential characteristics. First, they preserve essential services under intrusion and recover full services in a timely manner. Second, they ensure survivability in environments characterized by unbounded networks and dynamic architectures. It is often the case that insufficient emphasis is placed on these survivability issues. As a result, the processes and techniques for addressing survivability are generally inadequate to deal with the threat. Concepts of system survivability provide a framework for integrating established disciplines of system reliability [2], safety [3], security [4], and fault tolerance [5], as well as emerging disciplines such as dynamic system adaptation, diversification, and trust maintenance.

2. Survivability Requirements

In this paper, we focus on requirements definition for survivable software systems. Figure 1 depicts an iterative model for defining survivable system requirements. We recognize that survivability must address not only requirements for software functionality, but also requirements for software usage, development, operation, and evolution. Thus, five specific types of requirements definition are relevant to survivable systems in the model¹ of Figure 1, as discussed below. Other areas of survivability requirements definition may emerge in the future.

¹ From the following document currently submitted for publication: "Systematic Generation of Stochastic Diversity in Survivable System Software," by R.C. Linger.


Similar references

A Case Study in Requirements for Survivable Systems

Increasing societal dependency on critical infrastructure systems is driving emergence of a new category of requirements engineering that addresses survivability objectives. This paper presents a case study in survivability requirements analysis. Survivability is the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. The Surviv...


Requirements Engineering for Survivable Systems

Table of contents excerpt: 1 Background (p. 1); 1.1 Definition of Requirements Engineering (p. 1); 1.2 Typical Requirements Engineering Activities...


Life-Cycle Models for Survivable Systems

Table of contents excerpt: 1 Survivability and the System Life Cycle (p. 1); 2 Survivability Concepts (p. 3); 2.1 The New Network Paradigm: Organizational Integration...


Requirements Engineering Model in Designing Complex Systems

This research tends to development of the requirements elicitation methodology with regard to operational nature and hierarchical analysis for complex systems and also, regarding available technologies. This methodology applies Analytic Hierarchy Process (AHP) and Analytic Network Process (ANP) to ensure traceability of planned qualitative and quantitative data from requirements to available te...


Journal title:

Volume   Issue 

Pages  -

Publication date: 1998