TY - GEN
T1 - State space approach to security quantification
AU - Griffin, Christopher
AU - Madan, Bharat
AU - Trivedi, Kishor
PY - 2005/12/1
Y1 - 2005/12/1
N2 - In this paper, we describe three different state space models for analyzing the security of a software system. In the first part of this paper, we utilize a semi-Markov Process (SMP) to model the transitions between the security states of an abstract software system. The SMP model can be solved to obtain the probability of reaching security failed states along with the mean-time to security failure (MTTSF). In the second part of the paper, we use a discrete event dynamic system model of security dynamics. We show how to derive events and transitions from existing security taxonomies. We then apply theory of discrete event control to define safety properties of the computer system in terms of the basic concepts of controllability used in discrete event control for two special sublanguages KS and KV. These languages correspond to maximally robust controllable sub-languages. In the third approach, we show that by associating cost with the state transitions, the security quantification problem can be casted as Markov decision problem (MDP). This MDP can be solved to obtain an optimal controllable language K S* ⊆Ks the gives the minimal cost safe security policy.
AB - In this paper, we describe three different state space models for analyzing the security of a software system. In the first part of this paper, we utilize a semi-Markov Process (SMP) to model the transitions between the security states of an abstract software system. The SMP model can be solved to obtain the probability of reaching security failed states along with the mean-time to security failure (MTTSF). In the second part of the paper, we use a discrete event dynamic system model of security dynamics. We show how to derive events and transitions from existing security taxonomies. We then apply theory of discrete event control to define safety properties of the computer system in terms of the basic concepts of controllability used in discrete event control for two special sublanguages KS and KV. These languages correspond to maximally robust controllable sub-languages. In the third approach, we show that by associating cost with the state transitions, the security quantification problem can be casted as Markov decision problem (MDP). This MDP can be solved to obtain an optimal controllable language K S* ⊆Ks the gives the minimal cost safe security policy.
UR - http://www.scopus.com/inward/record.url?scp=34248553830&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34248553830&partnerID=8YFLogxK
U2 - 10.1109/COMPSAC.2005.145
DO - 10.1109/COMPSAC.2005.145
M3 - Conference contribution
AN - SCOPUS:34248553830
SN - 0769522092
SN - 9780769522098
T3 - Proceedings - International Computer Software and Applications Conference
SP - 83
EP - 88
BT - Proceedings of the 29th Annual International Computer Software and Applications Conference - Workshops and Fast Abstracts, COMPSAC 2005
T2 - 29th Annual International Computer Software and Applications Conference, COMPSAC 2005
Y2 - 26 July 2005 through 28 July 2005
ER -