This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior
April 1997 (vol. 23 no. 4)
pp. 235-245

Abstract—This paper is based on a conceptual framework in which security can be split into two generic types of characteristics, behavioral and preventive. Here, preventive security denotes the system's ability to protect itself from external attacks. One way to describe the preventive security of a system is in terms of its interaction with the alleged attacker, i.e., by describing the intrusion process. To our knowledge, very little is done to model this process in quantitative terms. Therefore, based on empirical data collected from intrusion experiments, we have worked out a hypothesis on typical attacker behavior. The hypothesis suggests that the attacking process can be split into three phases: the learning phase, the standard attack phase, and the innovative attack phase. The probability for successful attacks during the learning and innovative phases is expected to be small, although for different reasons. During the standard attack phase it is expected to be considerably higher. The collected data indicates that the breaches during the standard attack phase are statistically equivalent and that the times between breaches are exponentially distributed. This would actually imply that traditional methods for reliability modeling could be applicable.

[1] C.R. Attanasio, P. Markstein, and R.J. Phillips, "Penetrating an Operating System: A Study of VM/370 Integrity," IBM Systems J., vol. 15, no. 1, pp. l02-16, 1976.
[2] S. Brocklehurst, B. Littlewood, T. Olovsson, and E. Jonsson, "On Measurement of Operational Security," COMPASS '94, Proc. Ninth Ann. IEEE Conf. Computer Assurance,Gaithersburg, ISBN 0-7803-1855-2, IEEE Computer Society, pp. 257-266, 1994.
[3] D.E. Denning, “An Intrusion-Detection Model,” IEEE Trans. Software Eng., vol. 13, pp. 222–232, Feb. 1987.
[4] Federal Criteria for Information Security Tech nology, Draft, National Institute of Standards and Technology (NIST) and National Security Agency (NSA), 1992.
[5] P.D. Goldis, "Questions and Answers about Tiger Teams," EDPACS, The EDP Audit, Control and Security Newsletter, vol. 27, no. 4, pp. 1-10, Oct. 1989.
[6] U. Gustafson, E. Jonsson, and T. Olovsson, "Security Evaluation of a PC Network based on Intrusion Experiments," Proc. 14th Int'l Congress on Computer and Communications Security, SECURICOM '96, Paris, France, pp. 187-203, June4-6, 1996.
[7] U. Gustafson, E. Jonsson, and T. Olovsson, "On the Modelling of Preventive Security Based on a PC Network Intrusion Experiment," Proc. Australasian Conf. Information Security and Privacy, ACISP '96,Wollongong, Australia, June 24-26, Lecture Notes in Computer Science 1172, ISBN 3-540-61991-7, pp. 242-252. Springer-Verlag, 1996.
[8] I.S. Herschberg, "Make the Tigers Hunt for You," Computers and Security, vol. 7, pp. 197-203, 1988.
[9] Information Technology Security Evaluation Criteria (ITSEC): Provisional Harmonized Criteria, ISBN 92-826-7024-4, Dec. 1993.
[10] E. Jonsson and M. Andersson, "On the Quantitative Assessment of Behavioural Security," Proc. Australasian Conf. Information Security and Privacy,Wollongong, Australia, June 24-26, Lecture Notes in Computer Science 1172, ISBN 3-540-61991-7, pp. 228-241. Springer-Verlag, 1996.
[11] E. Jonsson and T. Olovsson, "On the Integration of Security and Dependability in Computer Systems," IASTED Int'l Conf. Reliability, Quality Control and Risk Assessment,Washington, Nov.4-6, ISBN 0-88986-171-4, pp. 93-97, 1992.
[12] E. Jonsson and T. Olovsson, "An Empirical Model of the Security Intrusion Process," COMPASS '96, Proc. 11th Ann. Conf. Computer Assurance, June 17-21, NIST, Gaithersburg, Md., pp.176-186, ISBN 0-7803-3390-X, IEEE Computer Society, 1996.
[13] B. Littlewood, S. Brocklehurst, N.E. Fenton, P. Mellor, S. Page, D. Wright, J.E. Dobson, J.A. McDermid, and D. Gollmann, "Towards Operational Measures of Computer Security," J. Computer Security, vol. 2, no. 3.
[14] MIL-HBDK-217F, Dept. of Defense, Washington D.C., Dec.2, 1991.
[15] T. Olovsson, E. Jonsson, S. Brocklehurst, and B. Littlewood, "Data Collection for Security Fault Forecasting: Pilot Experiment," Technical Report no. 167, Dept. of Computer Eng., Chalmers Univ. of Tech nology, and ESPRIT/BRA Project no. 6362 (PDCS2) First Year Report, Toulouse, pp. 515-540, Sept. 1993.
[16] T. Olovsson, E. Jonsson, S. Brocklehurst, and B. Littlewood, "Towards Operational Measures of Computer Security: Experimentation and Modelling," Predictably Dependable Computing Systems, B. Randell et al., eds., ISBN 3-540-59334-9, pp. 555-572. Springer-Verlag, 1995.
[17] L. Råde and M. Rudemo, "Sannolikhetslära och statistik" (in Swedish), Biblioteksförlaget, Stockholm, ISBN 91-542-1050-X, pp. 197ff and 254ff, 1984.
[18] Trusted Computer System Evaluation Criteria ("Orange Book"), National Computer Security Center, Dept. of Defense, no. DoD5200.28.STD, 1985.
[19] I.S. Winkler and B. Dealy, "Information Security Technology? -.... Don't Rely on It. A Case Study in Social Engineering," The Fifth USENIX Unix Security Symp.,Salt Lake City, Utah, pp. 1-6, June5-7, 1995.

Index Terms:
Computer security, modeling, metric, intrusion, attacks, operational security.
Citation:
Erland Jonsson, Tomas Olovsson, "A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior," IEEE Transactions on Software Engineering, vol. 23, no. 4, pp. 235-245, April 1997, doi:10.1109/32.588541
Usage of this product signifies your acceptance of the Terms of Use.