


A Survivable Network Analysis Method

R. J. Ellison,  D. A. Fisher,  R. C. Linger,
H. F. Lipson,  T. Longstaff,  N. R. Mead
Software Engineering Institute
Carnegie Mellon University

Survivability Concepts. As part of its Survivable Network Systems Initiative, the CERT® Coordination Center of the Software Engineering Institute (SEI) is developing technology and methods for analyzing and designing survivable network systems [1, 2]. Survivability is defined as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. Unlike traditional security measures, which assume central control and administration, survivability addresses highly distributed, unbounded network environments with no central control and no unified security policy. Survivability focuses on delivery of essential services and preservation of essential assets even when systems are penetrated and compromised; it does not assume that every intrusion can be prevented. As an emerging discipline, survivability builds on existing disciplines, including security, fault tolerance, and reliability, and introduces new concepts and principles.

The Survivable Network Analysis Method. A primary focus of the SEI effort has been development of an analysis method for assessing and improving the survivability of network architectures, as depicted in Figure 1.


Figure 1. Steps in the Survivable Network Analysis Method

The method can be applied to an existing or proposed system by a small team of trained evaluators through a structured interaction with system personnel lasting several days. The method is composed of four principal steps, as follows.

  1. Mission requirements of the current or candidate system are reviewed, and the structure and properties of the architecture are elicited.
  2. Essential services (services that must be maintained during attack) and essential assets (assets whose integrity, confidentiality, availability, and other properties must be maintained during attack) are identified, based on mission objectives and the consequences of failure. These services and asset uses are characterized by usage scenarios, which are mapped onto the architecture through execution traces to identify the corresponding essential components (components that must be available to deliver essential services and maintain essential assets).
  3. Intrusion scenarios are selected based on the system environment and an assessment of risks and intruder capabilities. These scenarios are likewise mapped onto the architecture to identify the corresponding compromisable components (components that could be penetrated and damaged by intrusion).
  4. Softspot components of the architecture (components that are both essential and compromisable) are identified from the results of steps 2 and 3. The softspot components and the supporting architecture are then analyzed for three key survivability properties: resistance, recognition, and recovery. Resistance is the capability of an architecture to repel attacks. Recognition is the capability to detect attacks as they occur and to evaluate the extent of damage and compromise. Recovery, a hallmark of survivability, is the capability to maintain essential services and assets during attack, limit the extent of damage, and restore full services following attack.
The analysis of the "three R's" is summarized in a Survivability Map, as depicted in Figure 2. The map enumerates, for every intrusion scenario and corresponding softspot effects, the current and recommended architecture strategies for resistance, recognition, and recovery. The survivability map provides feedback to the original architecture, and may result in an iterative process of survivability evaluation and improvement.

Intrusion Scenario | Softspot Effects |             | Architecture Strategies for ->
                   |                  |             | Resistance | Recognition | Recovery
-------------------+------------------+-------------+------------+-------------+---------
(Scenario 1)       | ...              | Current     |            |             |
                   |                  | Recommended |            |             |
...                |                  |             |            |             |
(Scenario n)       | ...              | Current     |            |             |
                   |                  | Recommended |            |             |

Figure 2. Survivability Map Template

An Example of Survivable Network Analysis. The SEI recently completed an application of the survivable network analysis method to a prototype subsystem of a planned large-scale, distributed healthcare system. The subsystem provided capabilities for healthcare professionals to develop and use patient treatment plans. Analysis revealed that treatment plan integrity and continuous accessibility were critical to fulfilling the system mission. Subsystem capabilities to display treatment plans were thus defined as essential services, and the treatment plans themselves were defined as essential assets. Essential subsystem components for treatment plan display and protection were then identified. Five representative intrusion scenarios were selected based on the diverse user community and access environment, leading to identification of compromisable subsystem components. Softspot components (essential and compromisable) were then identified and analyzed for resistance, recognition, and recovery, resulting in a Survivability Map that defined strategies for improving survivability that could be applied to the existing architecture. The client's positive reaction to these recommendations suggests that the method provides substantial added value for survivability analysis. Further application of the method is planned.
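The softspot identification of steps 2 through 4 and the healthcare example above, as an added Python example that is not part of the original page or of the SEI's method tooling. The components, usage scenarios and intrusion scenarios are constructed to resemble the treatment-plan subsystem described in the text; they are illustrative and do not reproduce the SEI's actual architecture, scenarios or findings. All function and class names are this example's own.

```python
"""Softspot identification and Survivability Map construction (SNA steps 2-4).

Added example, not SEI code. The component, usage-scenario and intrusion-scenario
names are constructed to resemble the treatment-plan subsystem described in the
text; they are illustrative, not the real system or the SEI's actual findings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsageScenario:
    """A usage scenario and the execution trace (components touched) it maps to."""
    name: str
    target: str             # the service delivered or the asset used
    trace: tuple[str, ...]  # ordered components the execution trace passes through


@dataclass(frozen=True)
class IntrusionScenario:
    """An intrusion scenario and the components it could penetrate or damage."""
    name: str
    compromised: frozenset[str]


THREE_RS = ("resistance", "recognition", "recovery")


def essential_components(usage, essential_targets):
    """Step 2: every component on the trace of a scenario that delivers an
    essential service or uses an essential asset."""
    comps = set()
    for u in usage:
        if u.target in essential_targets:
            comps.update(u.trace)
    return comps


def compromisable_components(intrusions):
    """Step 3: every component reachable by at least one selected intrusion scenario."""
    comps = set()
    for i in intrusions:
        comps |= i.compromised
    return comps


def softspot_components(usage, essential_targets, intrusions):
    """Step 4: softspots are the components that are both essential and compromisable."""
    return essential_components(usage, essential_targets) & compromisable_components(intrusions)


def survivability_map(usage, essential_targets, intrusions):
    """Step 4: one row per intrusion scenario: the softspots it hits, the essential
    services/assets that depend on them, and empty current/recommended slots for
    the three R's, to be filled in by the evaluators."""
    soft = softspot_components(usage, essential_targets, intrusions)
    rows = []
    for i in intrusions:
        hit = i.compromised & soft
        affected = {u.target for u in usage
                    if u.target in essential_targets and hit & set(u.trace)}
        rows.append({
            "scenario": i.name,
            "softspot_effects": {"components": sorted(hit),
                                 "essential_targets": sorted(affected)},
            "strategies": {r: {"current": None, "recommended": None} for r in THREE_RS},
        })
    return rows


# Constructed sample architecture (illustrative names, not the real subsystem).
USAGE = [
    UsageScenario("clinician views plan", "display treatment plan",
                  ("clinician workstation", "web front end", "app server", "plan database")),
    UsageScenario("clinician updates plan", "treatment plan",
                  ("clinician workstation", "web front end", "app server",
                   "plan database", "audit log server")),
    UsageScenario("monthly utilization report", "utilization report",   # not essential
                  ("reporting server", "plan database")),
]
ESSENTIAL_TARGETS = {"display treatment plan", "treatment plan"}  # one service, one asset
INTRUSIONS = [
    IntrusionScenario("stolen clinician credentials",
                      frozenset({"clinician workstation", "web front end"})),
    IntrusionScenario("web front end exploit",
                      frozenset({"web front end", "app server"})),
    IntrusionScenario("malicious database administrator",
                      frozenset({"plan database", "backup server"})),
    IntrusionScenario("admin console brute force",
                      frozenset({"admin console", "reporting server"})),
]

if __name__ == "__main__":
    print("softspots:", sorted(softspot_components(USAGE, ESSENTIAL_TARGETS, INTRUSIONS)))
    for row in survivability_map(USAGE, ESSENTIAL_TARGETS, INTRUSIONS):
        print(row["scenario"], "->", row["softspot_effects"])
```

The strategy slots in each row are left empty deliberately: choosing current and recommended resistance, recognition and recovery strategies is the evaluators' judgment in step 4, not something the mapping computes. In the constructed data, "audit log server" is essential but not reachable by any selected intrusion, and "backup server" and "reporting server" are reachable but not essential, so none of them is a softspot; that narrowing to the intersection is the point of the method. The fourth intrusion scenario hits no softspot at all under these traces, which is itself useful output. Changing the intrusion scenarios selected in step 3 changes the compromisable set and therefore the softspots, which is why the map feeds back into an iterative evaluation.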

References

  1. Survivable Network Systems: An Emerging Discipline. Technical Report CMU/SEI-97-TR-013, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, November 1997.
  2. Linger, R. C., Mead, N. R., and Lipson, H. F. Requirements Definition for Survivable Network Systems. Proceedings of the International Conference on Requirements Engineering, Colorado Springs, CO, IEEE Computer Society, 1998. Available online at http://www.cert.org/research.


CERT® is registered in the US Patent and Trademark Office.

