Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 6154)

Abstract

A tradeoff is a situation in which one quality or aspect of something is lost in return for gaining another. Speaking of a tradeoff between performance and security implies that both performance and security can be measured, and that to increase one, we have to pay in terms of the other. While established metrics exist for the performance of systems, this is not quite the case for security. In this chapter we present standard performance metrics and discuss proposed security metrics that are suitable for quantification.

The dilemma of inferior metrics can be solved by considering indirect metrics, such as the computation cost of security mechanisms. Security mechanisms such as encryption or security protocols come at a cost in terms of computing resources. Quantification of performance has long been done by means of stochastic models. With growing interest in the quantification of security, stochastic modelling has been applied to security issues as well.

This chapter reviews existing approaches in the combined analysis and evaluation of performance and security. We find that most existing approaches take either security or performance as given and investigate the respective other. For instance, [34] investigates the performance of a server running a security protocol, while [21] quantifies security without considering the cost of increased security. For special applications, namely mobile ad hoc networks in [5] and the email system in [32], we will see that models exist which can be used to explore the performance-security tradeoff.

To illustrate general aspects of the security-performance tradeoff, we set up a simple Generalised Stochastic Petri Net (GSPN) model that allows us to study both performance and security, and especially the tradeoff between the two. We formulate metrics, such as cost and an abstract combined performance and security measure, that explicitly express the tradeoff, and we show that system parameters can be found that optimise those metrics. These parameters are optimal for neither performance nor security, but for the combination of both.


References

  1. Marsan, M.A., Balbo, G., Conte, G., Donatelli, S.: Modelling with Generalized Stochastic Petri Nets. Series in Parallel Computing. John Wiley & Sons, Chichester (1995)
  2. Almasizadeh, J., Azgomi, M.A.: Intrusion process modeling for security quantification. In: International Conference on Availability, Reliability and Security, pp. 114–121. IEEE Computer Society, Los Alamitos (2009)
  3. Avižienis, A., Laprie, J.-C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing 1(1), 11–33 (2004)
  4. The Center for Internet Security. The CIS Security Metrics v1.0.0 (May 2009)
  5. Cho, J.-H., Chen, I.-R., Feng, P.-G.: Performance analysis of dynamic group communication systems with intrusion detection integrated with batch rekeying in mobile ad hoc networks. In: AINAW 2008: Proceedings of the 22nd International Conference on Advanced Information Networking and Applications – Workshops, Washington, DC, USA, pp. 644–649. IEEE Computer Society, Los Alamitos (2008)
  6. Deavours, D.D., Clark, G., Courtney, T., Daly, D., Derisavi, S., Doyle, J.M., Sanders, W.H., Webster, P.G.: The Möbius Framework and Its Implementation. Transactions on Software Engineering 28(10), 956–969 (2002)
  7. Dingle, N.J., Harrison, P.G., Knottenbelt, W.J.: Hydra: Hypergraph-based distributed response-time analyzer. In: Arabnia, H.R., Mun, Y. (eds.) Proceedings of the International Conference on Parallel and Distributed Processing Techniques and Applications, PDPTA 2003, Las Vegas, Nevada, USA, June 23-26, vol. 1, pp. 215–219. CSREA Press (2003)
  8. Dingle, N.J., Knottenbelt, W.J.: Automated customer-centric performance analysis of generalised stochastic petri nets using tagged tokens. Electron. Notes Theor. Comput. Sci. 232, 75–88 (2009)
  9. Freiling, F.C.: Introduction to security metrics. In: Dependability Metrics, pp. 129–132 (2005)
  10. German, R.: Performance Analysis of Communication Systems with Non-Markovian Stochastic Petri Nets. John Wiley & Sons, Inc., Chichester (2000)
  11. Gilmore, S., Hillston, J.: The pepa workbench: A tool to support a process algebra-based approach to performance modelling. In: Haring, G., Kotsis, G. (eds.) TOOLS 1994. LNCS, vol. 794, pp. 353–368. Springer, Heidelberg (1994)
  12. Haverkort, B.R.: Performance of Computer Communication Systems: A Model-Based Approach. John Wiley & Sons, Chichester (1998)
  13. Hillston, J.: A Compositional Approach to Performance Modelling. Cambridge University Press, Cambridge (1994)
  14. Hillston, J.: A Compositional Approach to Performance Modelling (Distinguished Dissertations in Computer Science). Cambridge University Press, New York (2005)
  15. Jain, R.: The Art of Computer Systems Performance Analysis: Techniques for Experimental Design, Measurement, Simulation and Modeling. Wiley, New York (1991)
  16. Jaquith, A.: Security Metrics: Replacing Fear, Uncertainty and Doubt. Addison-Wesley Professional, Reading (2007)
  17. Kitchenham, B., Pfleeger, S.L., Fenton, N.: Towards a framework for software measurement validation. IEEE Trans. Softw. Eng. 21(12), 929–944 (1995)
  18. Lamprecht, C., van Moorsel, A., Tomlinson, P., Thomas, N.: Investigating the efficiency of cryptographic algorithms in online transactions. International Journal of Simulation: Systems, Science & Technology 7(2), 63–75 (2006)
  19. Lindemann, C.: Performance Modelling with Deterministic and Stochastic Petri Nets. John Wiley & Sons, Chichester (1998)
  20. Littlewood, B., Brocklehurst, S., Fenton, N., Mellor, P., Page, S., Wright, D., Dobson, J., Mcdermid, J., Gollmann, D.: Towards operational measures of computer security. Journal of Computer Security 2, 211–229 (1993)
  21. Madan, B.B., Goseva-Popstojanova, K., Vaidyanathan, K., Trivedi, K.S.: Modeling and quantification of security attributes of software systems. In: DSN 2002: Proceedings of the 2002 International Conference on Dependable Systems and Networks, Washington, DC, USA, pp. 505–514. IEEE Computer Society Press, Los Alamitos (2002)
  22. Meyer, J.F.: On evaluating the performability of degradable computing systems. IEEE Transactions on Computers 29(8), 720–731 (1980)
  23. Meyer, J.F.: Performability modeling: Back to the future? In: Proceedings of the 8th International Workshop on Performability Modeling of Computer and Communication Systems, pp. 5–9, CTIT (2007)
  24. Miner, A.S.: Computing response time distributions using stochastic petri nets and matrix diagrams. In: IEEE International Workshop on Petri Nets and Performance Models. IEEE Computer Society, Los Alamitos (2003)
  25. Mitrani, I.: Probabilistic modelling. Cambridge University Press, New York (1998)
  26. Neuts, M.F.: Matrix-Geometric Solutions in Stochastic Models. An Algorithmic Approach. Dover Publications, Inc., New York (1981)
  27. Nicol, D.M., Sanders, W.H., Trivedi, K.S.: Model-based evaluation: From dependability to security. IEEE Trans. Dependable Secur. Comput. 1(1), 48–65 (2004)
  28. Pattipati, K.R., Mallubhatla, R., Gopalakrishna, V., Viswanatham, N.: Markov-Reward Models and Hyperbolic Systems. In: Performability Modelling: Techniques and Tools, pp. 83–106. Wiley, Chichester (1998)
  29. Sahner, R.A., Trivedi, K.S., Puliafito, A.: Performance and Reliability Analysis of Computer Systems: An Example-Based Approach Using the SHARPE Software Package. Kluwer Academic Publishers, Dordrecht (1996)
  30. van Moorsel, A., Bondavalli, A., Pinter, G., Madeira, H., Majzik, I., Durães, J., Karlsson, J., Falai, L., Strigini, L., Vieira, M., Vadursi, M., Lollini, P., Esposito, R.: State of the art. Technical Report D2.1, Assessing, Measuring and Benchmarking Resilience (AMBER) (April 2008)
  31. Verendel, V.: Quantified security is a weak hypothesis: A critical survey of results and assumptions. In: NSPW 2009: Proceedings of the New Security Paradigms Workshop 2009, pp. 37–50. ACM, New York (2009)
  32. Wang, Y., Lin, C., Li, Q.-L.: Performance analysis of email systems under three types of attacks. Performance Evaluation (2010) (in Press) (Corrected Proof)
  33. Weyuker, E.J.: Evaluating software complexity measures. IEEE Trans. Softw. Eng. 14(9), 1357–1365 (1988)
  34. Zhao, Y., Thomas, N.: Efficient solutions of a pepa model of a key distribution centre. Performance Evaluation (2009) (in Press) (Corrected Proof)
  35. Zimmermann, A., German, R., Freiheit, J., Hommel, G.: Petri Net Modelling and Performability Evaluation with TimeNET 3.0. In: Haverkort, B.R., Bohnenkamp, H.C., Smith, C.U. (eds.) TOOLS 2000. LNCS, vol. 1786, pp. 188–202. Springer, Heidelberg (2000)

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Wolter, K., Reinecke, P. (2010). Performance and Security Tradeoff. In: Aldini, A., Bernardo, M., Di Pierro, A., Wiklicky, H. (eds) Formal Methods for Quantitative Aspects of Programming Languages. SFM 2010. Lecture Notes in Computer Science, vol 6154. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13678-8_4

  • DOI: https://doi.org/10.1007/978-3-642-13678-8_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-13677-1

  • Online ISBN: 978-3-642-13678-8

  • eBook Packages: Computer Science (R0)
