
Analysis of an intrusion tolerant database system via semi-Markov processes (Theory and Application of Decision Analysis in Uncertain Situation)


Academic year: 2021


Analysis of an intrusion tolerant database system via semi-Markov processes

植村俊和, 土肥正

Toshikazu Uemura and Tadashi Dohi

Department of Information Engineering, Graduate School of Engineering, Hiroshima University, Japan

1. Introduction

The use of computer-based systems and Internet has been undergoing dramatic growth in scale, variety and penetration, implying our growing dependence on them for a large number of businesses and day-to-day life services. Unfortunately, the complexity, the heterogeneity and the openness of the supporting infrastructures to untrusted users have also given rise to an increasing number of vulnerabilities and malicious threats (viruses, worms, denial of service attacks, phishing attempts, etc.). For malicious attackers, if the access right strengthens, the probability that the security intrusion may happen will effectively decrease, but the utilization on accessibility will be rather lost. The classical security-related work has traditionally privileged, with a few exceptions, intrusion avoidance techniques (vulnerability elimination, strong authentication, etc.) and attack deterrence (attack tracing, auditing, etc.). However, such techniques have proved to be not sufficient to ensure the security of systems connected to networks. More recently, intrusion tolerance techniques, inspired from traditional techniques commonly used for tolerating accidental faults in hardware and/or software systems, have received considerable attention to complement intrusion avoidance techniques, and improve the security of systems connected to the Internet.

So far, most efforts in security have been focused on specification, design and implementation issues. In fact several implementation techniques of intrusion tolerance at the architecture level have been developed for real computer-based systems such as distributed systems [1], database systems [6, 7], middleware [15, 16], server systems [2]. The above implementation approaches are based on the redundant design at the architecture level on secure software systems. In other words, since these methods can be categorized by a design diversity technique in secure system design and need much cost for the development, the effect on implementation has to be evaluated carefully and quantitatively.

The quantitative evaluation of information security based on modeling is becoming much popular to validate the effectiveness of computer-based systems with intrusion tolerance. Littlewood et al. [5] found the analogy between the information security theory and the traditional reliability theory in assessing the quantitative security of operational software systems, and explored the feasibility of probabilistic quantification on security. Jonsson and Olovsson [4] gave a quantitative method to study the attacker’s behavior with the empirical data observed in experiments. Ortalo, Deswarte and Kaaniche [11] applied the privilege graph and the continuous-time Markov chain (CTMC) to evaluate the system vulnerability, and derived the mean effort to security failure. Singh, Cukier and Sanders [12] designed stochastic activity networks model for probabilistic validation of security and performance of several intrusion tolerant architectures. Stevens et al. [13] also proposed probabilistic methods to model the DPASA (Designing Protection and Adaptation into a Survivable Architecture).

approaches to design the state transition diagram of system security states by incorporating both attacker and system behaviors under uncertainty. Madan et al. [9] dealt with an architecture with intrusion tolerance, called SITAR (Scalable Intrusion Tolerant Architecture) and described the stochastic behavior of the system by discrete-time semi-Markov chain (DTSMC). They also derived analytically the mean time length to security failure. Imaizumi, Kimura and Yasui [3] and Uemura and Dohi [14] focused on the typical denial of service attacks for server systems and formulated the optimization problems on the optimal monitoring time and the optimal patch management policy via continuous-time semi-Markov chain (CTSMC) models. Although they mainly considered the expected cost models which are familiar to the Markov/semi-Markov analyses, the relationship with security attributes was still unclear in modeling.

For the purpose of comprehensive modeling of system-level security quantification, it is actually difficult to model certain security attributes such as confidentiality and integrity using the probabilistic techniques as well as to quantify the high-level security requirement with different security attributes [10]. Hence, the measurement techniques for model parameterization and validation must be carefully selected in security evaluation. In such a situation, the survivability analysis is becoming very common to quantify the computer-based systems under the assumption that failure may occur and that the outcome of the failure negatively impacts a large segment of the subscribers to the IT infrastructure, where such failures may be the result of deliberate, malicious attacks against the infrastructure by an adversary.

In this paper we consider the secure design of an intrusion tolerant database (ITDB) system with a control parameter, and describe the stochastic behavior of an intrusion tolerant database system (ITDB). First, Liu et al. [6, 7] proposed several ITDB architectures and presented the design and implementation methodologies. While traditional secure database systems rely on preventive controls and are very limited in surviving malicious attacks, the ITDB can detect intrusions and isolate attacks. In addition, it can contain, assess and repair the damage caused by intrusions in a timely manner such that sustained, self-stabilized levels of data integrity and availability can be provided to applications in the face of attacks. With the aim to quantify the ITDB, Yu, Liu and Zang [18] and Wang and Liu [17] developed simple CTMC models to evaluate the survivability of the ITDB. Especially, Wang and Liu [17] formulated two survivability measures; system integrity and rewarding availability¹. In this paper we extend it to a CTSMC model with non-exponentially distributed transition times, and provide more robust quantitative framework to malicious attacks with a variety of probabilistic patterns.

Further, by introducing an additional control parameter called the switching time, we develop secure control schemes of the ITDB, which maximize the security measures; system integrity and rewarding availability, as well as the common system availability. Necessary and sufficient conditions to exist a finite and unique optimal switching time are derived under a mild parametric assumption. These analytical results enable us to maximize the utility of intrusion tolerance in the ITDB. Numerical examples are devoted to examine the dependence of model parameters on the optimal switching time and its associated security measures. Throughout the sensitivity analysis on the model parameters, it is shown numerically that the ITDB should be designed to minimize mission impact by containing both the intrusion and failure. Finally, the paper is concluded with some remarks and future research directions.

¹ The integrity defined in [17] seems to be somewhat different from the usual qualitative definition as a security attribute. In this paper we call it the system integrity which is a quantitative measure, and distinguish from the qualitative measure.

Figure 1: Basic ITDB architecture.

2. Intrusion Tolerant Database System

2.1. Basic Concept

First of all, we give a brief summary on the intrusion tolerant database (ITDB). In the ITDB, once it is damaged from any reason such as infections and attacks, the damaged parts are automatically located, contained and repaired as soon as possible, so that the database can continue being operative with the intrusion tolerant functions. Figure 1 shows the major components of a comprehensive ITDB, which was introduced in [6, 7]. In a fashion similar to the reference [17], we also focus on some significant components; Mediator, Damage containment and Damage recovery, in Fig. 1 and describe the stochastic behavior of functions in major components. Mediator subsystem may function as a proxy for each user transaction and transaction processing call to the database system, and enables to keep the useful information on user transactions, such as read/write operations. This function is quite important to generate the corresponding logs for damage recovery and containment.

More precisely, in the traditional secure database system, the damage containment can not be made until the data items are identified as damaged ones. In this situation, a significant damage assessment latency may happen, so that the damage caused by attacks or intrusions may propagate to the other data items. In the ITDB, the so-called multi-phase damage containment technique is applied as an intrusion tolerant technique [6], where it involves one containing phase and one more uncontaining phases referred to as Containment relaxation. Once an intrusion is detected by Intrusion detector, Damage recovery subsystem has the responsibility to the damage assessment and repair, and retrieves the malicious transaction messages reported from Intrusion detector. On the other hand, Damage containment subsystem traces the damage propagation by capturing the dependent-upon relationship among transactions.

Hence, the control by Intrusion detector plays a central role to the design of the ITDB. Since Intrusion detector is based on both the trails on the logs and some relevant rules to identify malicious transactions, however, its effect is limited. In other words, it would be impossible to detect all the intrusions automatically within the real time. In practice, two control modes can be ready; automatic

Figure 2: Semi-Markov transition diagram.

a manual detection mode if Intrusion detector does return no response during the real time operation. Wang and Liu [17] developed a simple CTMC model with random switching from an automatic detection mode to a manual one, and evaluated the security measures for the ITDB.

2.2. Model Description

Following Wang and Liu [17], we also focus on three components in the ITDB, Mediator, Damage recovery and Damage containment systems. Suppose that the database system starts operating at time $t=0$ with Normal State; $G$. If attackers or hackers detect the vulnerability of the database, they try to attack the database and the state may make a transition to Infection State; $I$, where the transition time from $G$ to $I$ has the continuous cumulative distribution function (c.d.f.) $F_{G,I}(t)$ with mean $\mu_{G,I}$ $(>0)$. Once the malicious attack by an attacker was successful in State $I$, the intrusion detector begins operating automatically. If the infection of parts or data items is detected in the automatic detection mode, the state makes a transition from $I$ to Maintenance State; $M$, where the transition time from $I$ to $M$ is given by a random variable having the continuous c.d.f. $F_{I,M}(t)$ and mean $\mu_{I,M}$ $(>0)$. In this phase, when the infected items are identified more specifically through the damage assessor, the corrective recovery operation is triggered in Recovery State; $R$ in the damage recovery system. Let the state transition time from $M$ to $R$ be the random variable having the c.d.f. $F_{M,R}(t)$ and mean $\mu_{M,R}$ $(>0)$. After the completion of recovery operation, the infected parts are fixed and the database system can become as good as new with Normal State, where the completion time to recover the database is given by the non-negative continuous random variable with the c.d.f. $F_{R,G}(t)$ and mean $\mu_{R,G}$ $(>0)$.

On the other hand, it should be worth mentioning that the infection of parts or data items is not always possible only in the automatic detection mode. In other words, the intrusion detection is not always perfect for all possible attacks, so that the system manager and/or the full vendor may search the infected parts in the manual detection mode. Wang and Liu [17] considered the possibility of switching from the automatic detection mode to the manual detection mode, and assumed that the switching may occur randomly. This corresponds to the switching from the unconfinement executor to the confinement executor. In [17], the associated stochastic model is based on a CTMC with exponentially distributed transition times. Instead of the exponential switching time, we model the switching time by the non-negative continuous random variable with the c.d.f. $F_{I,MD}(t)$ and mean $\mu_{I,MD}$ $(>0)$, where Manual

When the intrusion is detected, the system state makes transition from $MD$ to $MR$, and next the recovery operation starts immediately. Finally, when the recovery operation is complete, the state makes a transition from $MR$ to $G$ with Normal State. In this way, the same cycle repeats again and again over an infinite time horizon. Since the underlying stochastic process is a CTSMC, it is noted that our model is an extended version to the CTMC model in [17]. Figure 2 illustrates the state-transition diagram for the CTSMC model.

In this context, the automatic detection mode is randomly switched to the manual detection mode. Dissimilar to Wang and Liu [17], we introduce the time limit to turn on the manual detection, $t_{0}$ $(0\leq t_{0}<\infty)$, periodically and call it the switching time. If the automatic detection is switched to the manual detection, then the system state goes to $I$ from $MD$. Without any loss of generality, we define the transition probability from $I$ to $MD$ by

$F_{I,MD}(t)=\begin{cases}1 & (t\geq t_{0})\\ 0 & (t<t_{0})\end{cases}$ (1)

This means that the detection mode can be switched from the automatic mode to the manual mode at every $t_{0}$ time unit.

3. Security Measures

3.1. System Integrity

Wang and Liu [17] defined the system integrity as a fraction of time when all accessible data items in the database are clean. As mentioned previously in Section 1, the integrity is regarded as one of the most typical security attributes in addition to authentication and non-repudiation. When the integrity is high, the ITDB can serve the users by utilizing the good or clean data with high probability. In Fig. 2, all data items in the ITDB are clean and accessible in State $G$. When attacks occur, some data items will be affected and the part of accessible data items in state $I$ may be dirty. After the intrusion is identified, the ITDB can contain all the damaged data until it finishes the repair process. In this situation, the ITDB carries out the selective containment and repair, and is still available, so that the accessible data items are clean during the containment, damage assessment and repair process. In Fig. 2, since the system states under consideration are $G$, $M$, $R$ and $MR$, the system integrity is defined by $IN(t_{0})=U_{IN}(t_{0})/T(t_{0})$, where

$U_{IN}(t_{0})=\mu_{G,I}+(\mu_{M,R}+\mu_{R,G})F_{I,M}(t_{0})+\mu_{MR,G}\overline{F}_{I,M}(t_{0})$, (2)

$T(t_{0})=U_{IN}(t_{0})+\int_{0}^{t_{0}}\overline{F}_{I,M}(t)dt+\mu_{MD,MR}\overline{F}_{I,M}(t_{0})$. (3)

Then, the problem is to derive the optimal switching time $t_{0}^{*}$ maximizing $AV(t_{0})$. For the purpose, we make the following parametric assumption:

(A-1) $\mu_{MR,G}>\mu_{M,R}+\mu_{R,G}$.

In (A-1), it is assumed that the time length to detect an intrusion automatically is strictly shorter than that by the manual detection. This seems to be intuitively validated from the viewpoint of the utility in automatic detection.

Proposition 1: (1) Suppose that the c.d.f. $F_{I,M}(t)$ is strictly DHR under (A-1). Define the function:

$-[1+\{(\mu_{M}+\mu_{R})-(\mu_{MD}+\mu_{MR})\}r_{D}(t_{0})]U_{IN}(t_{0})$. (4)

(i) If $q_{IN}(0)>0$ and $q_{IN}(\infty)<0$, then there exists a finite and unique optimal switching time $t_{0}^{*}$ $(0<t_{0}^{*}<\infty)$ satisfying $q_{IN}(t_{0}^{*})=0$.

(ii) If $q_{IN}(0)\leq 0$, then $t_{0}^{*}=0$.

(iii) If $q_{IN}(\infty)\geq 0$, then $t_{0}^{*}\rightarrow\infty$.

(2) Suppose that the c.d.f. $F_{I,M}(t)$ is IHR under (A-1). If $IN(0)>IN(\infty)$, then $t_{0}^{*}=0$ otherwise $t_{0}^{*}\rightarrow\infty$.

The proof is omitted for brevity. For the actual management of database systems, it is more significant to keep the clean and accessible data. So, when the quality of data is considered, the system integrity should be the more attractive security measure than the system availability.

3.2. Rewarding Availability

The system availability is defined as a fraction of time when the ITDB is providing services to its users, and does not care the quality of data. Since the ITDB performs the on-the-fly repair and will not stop its service faced by attacks, it can be expected that the corresponding system availability is nearly 100% in almost all cases. For better evaluation of the security attribute in the ITDB, Wang and Liu [17] considered another type of availability, called rewarding availability, which is defined as a fraction of time when all the clean data items are accessible. If the clean data can not be accessed in the ITDB, it can be regarded as a serious loss of service to users. Dissimilar to the system integrity, since the system states under consideration are $G$, $R$ and $MR$, the rewarding availability is defined by $RA(t_{0})=U_{RA}(t_{0})/T(t_{0})$, where

$U_{RA}(t_{0})=\mu_{G,I}+\mu_{R,G}F_{I,M}(t_{0})+\mu_{MR,G}\overline{F}_{I,M}(t_{0})$. (5)

We give the characterization result on the optimal switching time maximizing the rewarding availability without the proof.

Proposition 2: (1) Suppose that the c.d.f. $F_{I,M}(t)$ is strictly DHR under (A-1). Define the function:

$q_{RA}(t_{0})=(\mu_{R,G}-\mu_{MR,G})r_{I,M}(t_{0})T(t_{0})-[1+\{(\mu_{M,R}+\mu_{R,G})-(\mu_{MD,MR}+\mu_{MR,G})\}r_{I,M}(t_{0})]U_{RA}(t_{0})$. (6)

(i) If $q_{RA}(0)>0$ and $q_{RA}(\infty)<0$, then there exists a finite and unique optimal switching time $t_{0}^{*}$ $(0<t_{0}^{*}<\infty)$ satisfying $q_{RA}(t_{0}^{*})=0$.

(ii) If $q_{RA}(0)\leq 0$, then $t_{0}^{*}=0$.

(iii) If $q_{RA}(\infty)\geq 0$, then $t_{0}^{*}\rightarrow\infty$.

(2) Suppose that the c.d.f. $F_{I,M}(t)$ is IHR under (A-1). If $RA(0)>RA(\infty)$, then $t_{0}^{*}=0$ otherwise $t_{0}^{*}\rightarrow\infty$.

In this section, we optimized the three security measures for the ITDB and derived the optimal switching times for respective quantitative criteria. In the following section, we will give some numerical examples,

4. Numerical Illustrations

4.1. Parameter Set

We focus on both the system integrity and the rewarding availability, and treat the database management system with Oracle St server in [17]. Although the security model in [17] was based on a simple CTMC, we here assume that the c.d.f. $F_{I,M}(t)$ is given by the Weibull distribution with scale parameter $\eta$ and shape parameter $m$:

$F_{I,M}(t)=1-\exp\{-(t/\eta)^{m}\}$. (7)

This assumption implies that the transition time from an intrusion to the containment state is DHR $(m\leq 1)$ or IHR $(m\geq 1)$, and can represent the more general transition phenomena. When $m=1$, it reduces to the exponential distribution with constant hazard rate. The other transition rates from state $i$ to state $j$ are assumed to constant, i.e., $1/\mu_{i,j}=\lambda_{i,j}$ $(i,j\in\{G,I,M,R,MD,MR\}, i\neq j)$, except for $(i,j)=(I,M)$. In particular, we introduce the attack hitting rate $\lambda_{a}$ and the false alarm rate $\alpha$ as Wang and Liu [17] did so. It should be noted that Intrusion detector in Fig. 1 will warn the system user of malicious attack/intrusion as well as the system failure by means of a fake alarm. Let $T_{a}$ and $T_{fa}$ be the intrusion time and the system failure time measured from time $t=0$ in State $G$, and be the exponentially distributed random variables with parameters $\lambda_{a}$ and $\alpha$, respectively. Then the function $F_{G,I}(t)$ is regarded as the c.d.f. of the random variable $\min\{T_{a},T_{fa}\}$ and is the exponential c.d.f. with parameter $\lambda_{a}+\alpha$.

Table 1 presents the model parameters used in this example, where they are almost same in [17]. We set $m=0.2$, and choose $\eta$ so as to satisfy $\mu_{I,M}=\eta\Gamma(1+1/m)$.
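The following is an added example, not code from the paper: it evaluates $IN(t_{0})$ and $RA(t_{0})$ from Eqs. (2), (3) and the definition of $U_{RA}$ under the Weibull assumption (7) with $m=0.2$, and locates the maximizing switching time by grid search. The mean sojourn times are constructed values satisfying (A-1), since Table 1 is not reproduced on this page; the function names are hypothetical, and the integral in (3) is computed with the standard identity $\int_{0}^{t_{0}}\exp\{-(t/\eta)^{m}\}dt=(\eta/m)\gamma(1/m,(t_{0}/\eta)^{m})$, where $\gamma$ is the lower incomplete gamma function.

```python
import math

# Constructed mean sojourn times (arbitrary time units); not the paper's Table 1.
PARAMS = {
    "mu_GI": 20.0,    # G -> I: mean time until an attack or false alarm
    "mu_IM": 10.0,    # I -> M: mean automatic detection time (Weibull)
    "mu_MR": 1.0,     # M -> R: damage assessment
    "mu_RG": 2.0,     # R -> G: repair after automatic detection
    "mu_MDMR": 4.0,   # MD -> MR: manual detection
    "mu_MRG": 5.0,    # MR -> G: repair after manual detection
    "m": 0.2,         # Weibull shape; m < 1 gives a DHR detection time
}
# Assumption (A-1), mu_MRG > mu_MR + mu_RG, holds for these values (5 > 3).


def lower_inc_gamma(a, x, tol=1e-14):
    """Lower incomplete gamma function via its power series (moderate x)."""
    if x <= 0.0:
        return 0.0
    term = total = 1.0 / a
    k = 0
    while abs(term) > tol * abs(total):
        k += 1
        term *= x / (a + k)
        total += term
    return total * math.exp(a * math.log(x) - x)


def survival_integral(t0, eta, m):
    """Integral of exp(-(t/eta)^m) over [0, t0]: expected time spent in state I."""
    return (eta / m) * lower_inc_gamma(1.0 / m, (t0 / eta) ** m)


def measures(t0, p=PARAMS):
    """Return (IN(t0), RA(t0)) from Eqs. (2), (3) and the U_RA definition."""
    m = p["m"]
    eta = p["mu_IM"] / math.gamma(1.0 + 1.0 / m)   # mu_IM = eta * Gamma(1 + 1/m)
    surv = math.exp(-((t0 / eta) ** m))            # survival function of F_IM
    cdf = 1.0 - surv
    u_in = p["mu_GI"] + (p["mu_MR"] + p["mu_RG"]) * cdf + p["mu_MRG"] * surv
    u_ra = p["mu_GI"] + p["mu_RG"] * cdf + p["mu_MRG"] * surv
    total = u_in + survival_integral(t0, eta, m) + p["mu_MDMR"] * surv
    return u_in / total, u_ra / total


def optimal_switching_time(which, p=PARAMS, t_max=50.0, step=0.05):
    """Grid search for the t0 maximising IN (which=0) or RA (which=1)."""
    best_t, best_v = 0.0, measures(0.0, p)[which]
    for i in range(1, int(round(t_max / step)) + 1):
        t0 = i * step
        v = measures(t0, p)[which]
        if v > best_v:
            best_t, best_v = t0, v
    return best_t, best_v


if __name__ == "__main__":
    for name, idx in (("IN", 0), ("RA", 1)):
        t_star, v_star = optimal_switching_time(idx)
        print(f"{name}: t0* ~ {t_star:.2f}, max {v_star:.4f}, "
              f"t0=0 gives {measures(0.0)[idx]:.4f}, "
              f"t0=1e6 gives {measures(1e6)[idx]:.4f}")
```

With a strictly DHR detection time the maximum lies strictly between the two extreme policies, switching immediately ($t_{0}=0$) and never switching ($t_{0}\rightarrow\infty$), which is case (i) of the propositions in Section 3.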

4.2. System Integrity

Table 2 presents the maximized system integrity for varying model parameters, where $t_{0}\rightarrow\infty$ implies the no manual detection policy. From this table, it is seen that the optimal control of the switching time to the manual detection mode leads to the 2.8%~35.5% improvement of system integrity. In this numerical example, it can be observed that the periodic switching to the manual detection mode and the rapid containment/repair from the damage due to attacks or intrusions are quite important factors to increase the system integrity. In Fig. 3, we plot the behavior of the system integrity with respect to the attack hitting rate and the false alarm rate. From this result, it can be seen that the system integrity increases to 0.2%~1.4% ($1.3\times 10^{-2}$%~0.16%) when the attack hitting rate (false alarm rate) decreases. This result can be explained physically, so that the system integrity can increase if the total operation time of the ITDB becomes longer with the lower attack hitting rate and/or if the load of the ITDB with

4.3. Rewarding Availability

Similar to Subsection 4.2, we examine the dependence of model parameters on the optimal switching time and its associated rewarding availability in Table 3. From this table, it can be found that the periodic control on the switching to the manual detection mode enables us to increase the rewarding availability up to 0.2%~12.3%. As the detection speed becomes faster, it can be increased to 0.3%~3.9%. Figure 4 shows the behavior of rewarding availability on the attack hitting rate and the false alarm, where the rewarding availability varies in the ranges of 27.2%~32.8% and 1.7%~3.2% for $\alpha$ and $\lambda_{a}$, respectively. Thus, the attack hitting rate is more sensitive than the false alarm rate to not only the system integrity but also the rewarding availability.

5. Conclusions

In this paper we have reconsidered an ITDB architecture in Wang and Liu [17] and developed a CTSMC to assess the security measures such as system availability, system integrity and rewarding availability. Further, we have optimized the switching times for maximizing the above measures and given the optimal design methodologies in terms of intrusion tolerance. In numerical examples, we have calculated the optimal switching times and their associated security measures, and carried out the sensitivity analysis on model parameters. As the lesson learned from the numerical examples, it has been shown that the system integrity and the rewarding availability could be improved by controlling appropriately the

Figure 3: Behavior of system integrity with respect to $\lambda_{a}$ and $\alpha$.

Figure 4: Behavior of rewarding availability with respect to $\lambda_{a}$ and $\alpha$.

In the on-going research, we will evaluate quantitatively the other measures in survivability in the ITDB. Since the survivability can be evaluated in the same framework as performability [?, 10], the CTSMC model developed in this paper can be still useful for the analysis with different measures. Also, though we focused on only Mediator subsystem as a proxy for each user transaction and transaction processing call to the database system, the other part on dynamic transaction processing such as the database system itself may be included for modeling from the macroscopic point of view. Such an integrated model should be developed by applying the semi-Markov analysis in the future.

References

[1] Y. Deswarte, L. Blain and J. C. Fabre, “Intrusion tolerance in distributed computing systems,” Proceedings of 1991 IEEE Symposium on Research in Security and Privacy, pp. 110-121, IEEE CS Press (1991).

[2] V. Guputa, V. Lam, H. V. Ramasamy, W. H. Sanders and S. Singh, “Dependability and performance evaluation of intrusion-tolerant server architectures,” LADC 2003, LNCS 2847, pp. 81-101, Springer-Verlag (2003).

[3] M. Imaizumi, M. Kimura and K. Yasui, “Reliability analysis of a network server system with illegal access,” Advanced Reliability Modeling II (W. Y. Yun and T. Dohi, eds.), pp. 4047, World Scientific (2006).

[4] E. Jonsson and T. Olovsson, “A quantitative model of the security intrusion process based on attacker behavior,” IEEE Transactions on Software Engineering, 23 (4), pp. 235-245 (1997).

[5] B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Doboson, J. McDermid and D. Gollmann, “Towards operational measures of computer security,” Journal of Computer Security, 2 (2/3), pp. 211-229 (1993).

[6] P. Liu, “Architectures for intrusion tolerant database systems,” Proceedings of 18th Annual Computer Security Applications Conference (ACSAC 2002), pp. 311-320, IEEE CS Press (2002).

[7] P. Liu, J. Jing, P. Luenam, Y. Wang, L. Li and S. Ingsriswang, “The design and implementation of a self-healing database system,” Journal of Intelligent Information Systems, 23 (3), pp. 247-269

[8] Y. Liu, V. B. Mendiratta, and K. Trivedi, “Survivability analysis of telephone access network,” Proceedings of 15th International Symposium on Software Reliability Engineering (ISSRE 2004), pp. 367-377, IEEE CS Press (2004).

[9] B. B. Madan, K. Goseva-Popstojanova, K. Vaidyanathan, and K. S. Trivedi, “A method for modeling and quantifying the security attributes of intrusion tolerant systems,” Performance Evaluation, 56 (1/4), pp. 167-186 (2004).

[10] D. M. Nikol, W. H. Sanders and K. S. Trivedi, “Model-based evaluation: from dependability to security,” IEEE Transactions on Dependability and Secure Computing, 1 (1), pp. 48-65 (2004).

[11] R. Ortalo, Y. Deswarte and M. Kaaniche, “Experimenting with quantitative evaluation tools for monitoring operational security,” IEEE Transactions on Software Engineering, 25 (5), pp. 633-650 (1999).

[12] S. Singh, M. Cukier and W. H. Sanders, “Probabilistic validation of an intrusion tolerant replication system,” Proceedings of 33rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2003), pp. 615-624, IEEE CS Press (2003).

[13] F. Stevens, T. Courtney, S. Singh, A. Agbaria, J. F. Meyer, W. H. Sanders and P. Pal, “Model-based validation of an intrusion-tolerant information system,” Proceedings of 23rd IEEE Reliable Distributed Systems Symposium (SRDS 2004), pp. 184-194, IEEE CS Press (2004).

[14] T. Uemura and T. Dohi, “Quantitative evaluation of intrusion tolerant systems subject to DoS attacks via semi-Markov cost models,” Emerging Directions in Embedded and Ubiquitous Computing: International Conference EUC 2007 Workshops (M. K. Denko, C.-S. Shih, K.-C. Li, S.-L. Tsao, Q.-A. Zeng, S.-H. Park, Y.-B. Ko, S.-H. Hung and J.-H. Park, eds.), LNCS 4809, pp. 31-42, Springer-Verlag (2007).

[15] P. E. Verissimo, N. F. Neves and M. Correia, “Intrusion-tolerant architectures: concepts and design,” Architecting Dependable Systems (R. Lemos, C. Gacek and A. Romanovsky, eds.), LNCS 2677, pp. 3-36, Springer-Verlag (2003).

[16] P. E. Verissimo, N. F. Neves, C. Cachin, J. Poritz, D. Powell, Y. Deswarte, R. Stroud and I. Welch, “Intrusion-tolerant middleware,” IEEE Security and Privacy, 4 (4), pp. 54-62 (2006).

[17] H. Wang and P. Liu, “Modeling and evaluating the survivability of an intrusion tolerant database system,” ESORICS 2006 (D. Gollmann, J. Meier and A. Sabelfeld, eds.), LNCS 4189, pp. 207-224, Springer-Verlag (2006).

[18] M. Yu, P. Liu and W. Zang, “Self-healing workflow systems under attacks,” Proceedings of 24th International Conference on Distributed Computing Systems (ICDCS 2004), pp. 418-425, IEEE CS
