Abstract
This paper is based on a conceptual framework in which security can be split into two generic types of characteristics, behavioural and preventive. We show that, among the traditional security aspects, availability and confidentiality should be used to denote be havioural security. The third aspect, integrity, is interpreted in terms of fault prevention and is regarded as a preventive characteristic. A practical measure for behavioural characteristics, including reliability and safety, is defined. We show how the measure could be derived using traditional reliability methods, such as Markov modelling. The measure is meant for practical trade-offs within a class of computer systems. It quantifies system performance on user-specified service levels, which may be operational or failed. Certain levels may be related to confidentiality degradations or confidentiality failures. A simple example based on a Reference Monitor is given. Failures resulting from security breaches are normally not exponentially distributed. The calculation method must therefore be extended to handle situations with non-exponential failure rates. This is done by means of phase-type modelling, illustrated by introducing malicious software, such as a Trojan Horse, into the Reference Monitor.
Preview
Unable to display preview. Download preview PDF.
References
M. D. Beaudry, “Performance-Related Reliability Measures for Computing Systems”. IEEE Transactions on Computers, Vol. C-27, No. 6, June 1978.
S. Brocklehurst and B. Littlewood, “New Ways to Get Accurate Reliability Measures”, IEEE Software, vol. 9, No. 4, pp. 34–42, 1992.
S. Brocklehurst, B. Littlewood, T. Olovsson, E. Jonsson: “On Measurement of Operational Security”, in Proceedings of the Ninth Annual IEEE Conference on Computer Assurance, COMPASS'94, Gaithersburg, Maryland, USA, June 29–July 1, pp. 257–266.1994.
S. Castano, M. G. Fugini, G. Martella, P. Samarati, “Database Security”, Addison-Wesley, 1995. ISBN 0-201-59375-0.
C. J. Date, “An Introduction to Database Systems”, Vol. 1, 5th edition, pp. 429ff, Addison-Wesley 1990, ISBN 0-201-51381-1.
D. E. Denning, “A New Paradigm for Trusted Systems”, Proceedings of the IEEE New Paradigms Workshop, pp. 36–41.1993.
G. Grimmet, D. R. Stirzaker, “Probability and Random Processes”. ISBN 0-19-853666-6. Clarendon Press. p. 396ff. 1992.
U. Gustafson, E. Jonsson, T. Olovsson: “Security Evaluation of a PC Network based on Intrusion Experiments”. Proceedings of the 14th International Congress on Computer and Communications Security, SECURICOM '96, Paris, France, pp. 187–203, June 4–6, 1996.
U. Gustafson, E. Jonsson, T. Olovsson: “On the Modelling of Preventive Security Based on a PC Network Intrusion Experiment”. Proceedings of the Australasian Conference on Information Security and Privacy, ACISP'96, Wollongong, Australia, June 24–26, 1996.
R.A. Howard, “Dynamic Probabilistic Systems”, New York Wiley 1971, ISBN 99-0002431-1.1971.
Information Technology Security Evaluation Criteria (ITSEC), Provisional Harmonized Criteria, December 1993. ISBN 92-826-7024-4.
E. Jonsson, T. Olovsson, “On the Integration of Security and Dependability in Computer Systems”, IASTED International Conference on Reliability, Quality Control and Risk Assessment, Washington, Nov. 4–6, 1992. ISBN 0-88986-171-4, pp. 93–97.
E. Jonsson, S. Asmussen, “A Practical Dependability Measure for Embedded Computer Systems”, Proceeedings of the IFAC 12th World Congress, Sydney, Vol. 2, July 18–23, 1993. pp. 647–652.
E. Jonsson, M. Andersson, S. Asmussen, “A Practical Dependability Measure for Degradable Computer Systems with Non-exponential Degradation”, Proceedings of the IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes, SAFEPROCESS'94, Espoo, Finland, vol. 2, June 13–15, 1994. pp. 227–233.
E. Jonsson, T. Olovsson, “Security in a Dependability Perspective”, Nordic Seminar on Dependable Computing Systems 1994 (NSDCS'94), Lyngby, Aug. 24–26, 1994. pp. 175–186.
J. C. Laprie et al.: Dependability: Basic Concepts and Terminology, Springer-Verlag, ISBN 3-211-82296-8, 1992.
B. Littlewood, S. Brocklehurst, N.E. Fenton, P. Mellor, S. Page, D. Wright, J.E. Dobson, J.A. McDermid and D. Gollmann, “Towards Operational Measures of Computer Security”, Journal of Computer Security, vol. 2, no. 3. 1994.
J.F. Meyer, “On Evaluating the Performability of Degradable Computing Systems”, IEEE Transaction on Computers, Vol. C-29, pp. 720–731. 1980.
J.F. Meyer, “Performability: a Retrospective and Some Pointers to the Future” in Performance Evaluation 14, North-Holland, 1992. pp.139–156.
M. F. Neuts, “Matrix-Geometric Solutions in Stochastic Models”, Johns Hopkins University Press, Baltimore. 1981.
T. Olovsson, E. Jonsson, S. Brocklehurst, B. Littlewood, “Data Collection for Security Fault Forecasting: Pilot Experiment”, Technical Report No 167, Department of Computer Engineering, Chalmers University of Technology, 1992 and ESPRIT/BRA Project No 6362 (PDCS2) First Year Report, Toulouse Sept. 1993, pp. 515–540.
T. Olovsson, E. Jonsson, S. Brocklehurst, B. Littlewood: “Towards Operational Measures of Computer Security: Experimentation and Modelling”, in B. Randell et al. (editors.): Predictably Dependable Computing Systems, ESPRIT Basic Research Series, Springer Verlag, 1995, ISBN 3-540-59334-9, pp 555–572.
R.M. Smith, K.S. Trivedi, “A Performability Analysis of Two Multi-Processor Systems”, Proc. 17th IEEE Int. Symp. on Fault Tolerant Computing, FTCS-17, Pittsburg, Pennsylvania, 1987. pp. 224–229.
E. de Souza e Silva, H.R. Gail, “Calculating Availability and Performability Measures of Repairable Computer Systems Using Randomization”, Journal of the ACM, vol. 36, no. 1.1989.
Trusted Computer System Evaluation Criteria (“orange book”), National Computer Security Center, Department of Defense, No DOD 5200.28.STD, 1985.pd
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 1996 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Jonsson, E., Andersson, M. (1996). On the quantitative assessment of behavioural security. In: Pieprzyk, J., Seberry, J. (eds) Information Security and Privacy. ACISP 1996. Lecture Notes in Computer Science, vol 1172. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0023302
Download citation
DOI: https://doi.org/10.1007/BFb0023302
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-61991-8
Online ISBN: 978-3-540-49583-3
eBook Packages: Springer Book Archive