1.3. Book Organization

In this section, we briefly overview the organization of the book, which has been divided into three parts, each containing several chapters.

1.3.1. The Three Parts of the Book

One of our key goals for this edited book has been to emphasize the need to bring together the communities and rich research results from the areas of security and dependability to exploit the synergies that exist between them, so that the growing issue of survivable and resilient networked information systems can be addressed in a holistic manner. Toward this goal, our key efforts have been to focus on the interaction and integration of tools and techniques from the security and dependability areas. Figure 1.2 illustrates the generic organization of the book into three parts.

Figure 1.2. Organization of the book into three parts, each containing multiple chapters.
Part I focuses on the foundational concepts from both the security and dependability areas and sets the stage for looking at the issues related to their integration and interaction. A key goal of these chapters is to provide an overview of the various concepts and terminologies needed to understand the later chapters so that the book is self-contained.

Part II focuses on the interaction and integration of mechanisms and approaches from the areas of security and dependability. Chapter 9, which stands separate from the other four chapters in this part, focuses more on security, although its approach is generically applicable to the integrated environment. Also, the content of Chapter 9, generating attack trees and capturing attack scenarios, is a crucial step in building a resilient system and can potentially be integrated with fault tree concepts from the dependability community.

In Part III, which further builds on the interaction and integration of security and dependability approaches, we have grouped the chapters that address related issues in specific types of environments (e.g., operating systems in Chapter 12 and wireless systems in Chapter 15) or the design of frameworks and architectures (e.g., the integrated fault and security management framework in Chapter 16). Chapter 13 focuses on intrusion response systems, which we believe are crucial for building survivable systems. We have included Chapter 11 in Part III, although it primarily focuses on security vulnerabilities, because it addresses a specialized environment (i.e., optical network environments) and the monitoring and detection issues that are key components of survivable systems.

An overview of each chapter is provided in the following sections.

1.3.2. Chapter 2: Network Security

This chapter introduces key concepts related to network security. In particular, the chapter focuses on issues related to the assessment of networks’ current state of security, mechanisms to prevent and detect security violations, and policies, procedures, and techniques to respond to security intrusions. The chapter overviews various security services currently available and introduces cryptographic techniques and security protocols that are commonly used for securing a networked environment. The chapter also briefly overviews network security threats and attacks and how they can be addressed by using various security services and architectural configurations.

1.3.3. Chapter 3: Security for Distributed Systems: Foundations of Access Control

This chapter provides a comprehensive overview of key concepts underlying the foundations of access control and a discussion of key issues and trends in access control for distributed systems. The chapter introduces the notions of identification, authentication, and access control for distributed systems. It touches on various access control models, such as the role-based access control (RBAC) and Bell-LaPadula models, and surveys the main techniques for their implementation. The chapter also presents newly emerging access control-related standards such as the Security Assertion Markup Language (SAML) and the eXtensible Access Control Markup Language (XACML). Newer security issues within the context of distributed systems, such as trust negotiation, secure interoperation, location-based security, and federated digital identity management, are also discussed.

1.3.4. Chapter 4: Network Survivability

This chapter explores network survivability and dependability mechanisms used to construct fault-tolerant communication networks. Basic network survivable design and traffic restoration concepts are reviewed. Research issues in the current literature are discussed along with potential avenues for integration with security techniques.

1.3.5. Chapter 5: System Survivability

This chapter introduces several topics that are at the core of system survivability. It first introduces the notion of survivability and discusses its relation to fault models to establish a bridge between survivability and fault tolerance. It analyzes the limitations of standard fault-tolerance techniques in environments subjected to malicious acts. The chapter introduces the concept of design for survivability and discusses various design approaches for survivability. The author introduces decentralization as a basic concept in overcoming the impact of faults and security compromises, and discusses it as a mechanism to achieve survivability. The chapter finally presents a transformation model that can be used to relate survivability problems to problems from other well-established theoretical fields, followed by a discussion of how this will enable us to find solutions to survivability issues in new solution spaces and allow for complexity analysis and comparison of solutions.

1.3.6. Chapter 6: Taxonomy and Framework for Integrating Dependability and Security

This chapter surveys various taxonomies and frameworks for integrating dependability and security. It emphasizes that security issues have not been comprehensively treated in existing taxonomies and frameworks. For instance, the security issues of authenticity and nonrepudiation have not been well integrated into the existing taxonomies and frameworks. In addition, many elements of existing taxonomies appear loosely integrated without generic relationships that capture interactions among different elements. Based on this observation, the authors present a novel integrated generic taxonomy and framework by using a feedback control system as a model to integrate concepts and attributes of both dependability and security. The chapter further expands the framework to cover lower-level techniques related to security and survivability.

1.3.7. Chapter 7: Stochastic Models/Techniques for Secure and Survivable Systems

This chapter focuses on the need for the quantitative analysis of dependability attributes, in particular security and survivability. The authors explain stochastic modeling techniques based on Markovian and non-Markovian models for evaluating system security and survivability. Efforts toward capturing the details of real architectures often result in large stochastic models that are difficult to solve, so the chapter emphasizes the use of higher-level formalisms based on stochastic Petri nets and their extensions for this purpose. The chapter presents these formalisms and illustrates them in the context of security and survivability modeling of networked systems.

1.3.8. Chapter 8: Integrated Dependability and Security Evaluation Using Game Theory and Markov Models

This chapter attempts to interpret and assess the trustworthiness of networked information systems by combining security and dependability approaches. In particular, the chapter emphasizes the need for a combined approach in order to more accurately model reality. The chapter discusses the security of a system in a probabilistic manner with a goal to supplement assessment techniques from both security and dependability domains. The chapter extends a continuous-time Markov chain (CTMC) to include security attacks modeled using game theory techniques and categorized as intentional faults. It shows how dependability modeling and analysis can be further used to obtain quantitative metrics of system security as well as system trustworthiness.
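The paragraph above describes extending a continuous-time Markov chain (CTMC) with attack-driven transitions so that a single model yields both dependability and security metrics. The following example, added here and not taken from the chapter, builds a small CTMC whose states mix accidental failure with attacker progress, solves for its steady state by uniformization and power iteration, and reports the kind of metrics such an evaluation produces. All state names and rates are constructed for illustration, and the attack rates are fixed constants rather than outputs of a game-theoretic model, which is the simplification this example makes relative to the chapter's approach.

```python
"""Steady-state analysis of a small CTMC that mixes accidental failures with
attack-driven state changes (added illustration with constructed rates)."""

# Constructed states: G = good, V = weakness discovered by an attacker,
# C = compromised, F = failed by an accidental fault.
STATES = ["G", "V", "C", "F"]

# Constructed transition rates per hour. G->V and V->C are the "intentional
# faults"; G->F and F->G are ordinary dependability events.
RATES = {
    ("G", "V"): 0.05,   # attacker finds an exploitable weakness
    ("V", "G"): 0.50,   # defender patches before exploitation
    ("V", "C"): 0.20,   # exploitation succeeds
    ("C", "G"): 0.25,   # detection, eviction and restore
    ("G", "F"): 0.01,   # accidental failure
    ("F", "G"): 1.00,   # repair
}


def generator(states, rates):
    """Build the infinitesimal generator Q: off-diagonal rates, rows sum to zero."""
    n = len(states)
    idx = {s: i for i, s in enumerate(states)}
    q = [[0.0] * n for _ in range(n)]
    for (s, d), r in rates.items():
        q[idx[s]][idx[d]] += r
        q[idx[s]][idx[s]] -= r
    return q


def steady_state(states, rates, tol=1e-12, max_iter=1_000_000):
    """Solve pi*Q = 0 by uniformization: P = I + Q/Lambda is a DTMC with the same
    stationary distribution, and power iteration on P converges for a finite
    irreducible chain when Lambda exceeds the largest exit rate (P aperiodic)."""
    q = generator(states, rates)
    n = len(states)
    lam = 1.05 * max(-q[i][i] for i in range(n))
    p = [[(1.0 if i == j else 0.0) + q[i][j] / lam for j in range(n)] for i in range(n)]
    pi = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(pi[i] * p[i][j] for i in range(n)) for j in range(n)]
        done = max(abs(x - y) for x, y in zip(nxt, pi)) < tol
        pi = nxt
        if done:
            break
    return dict(zip(states, pi))


def metrics(pi):
    """Quantities a combined dependability/security evaluation would report."""
    return {
        "availability": 1.0 - pi["F"],          # classic: not in a failed state
        "integrity": 1.0 - pi["C"],             # not in a compromised state
        "trustworthiness": pi["G"] + pi["V"],   # up and not compromised
    }


if __name__ == "__main__":
    for name, value in metrics(steady_state(STATES, RATES)).items():
        print(f"{name:16s} {value:.5f}")
```

Because the attack transitions sit in the same generator as the failure and repair transitions, the steady-state vector answers dependability questions (time not spent in F) and security questions (time not spent in C) from one solve. Replacing the constant attack rates with rates derived from an attacker/defender game is the step the chapter adds on top of this.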

1.3.9. Chapter 9: Scenario Graphs Applied to Network Security

This chapter deals with the complex problem of generating attack graphs. While the traditional model-checking approach produces one counterexample to illustrate a violation of a property by a model of a system, this chapter adapts the model-checking approach to generate all counterexamples that violate a given property. The chapter presents algorithms to create the set of all counterexamples, called a scenario graph, for a networked system. The chapter explains how a scenario graph can be used to study what attacks are possible on a particular configuration of a networked system. Using a detailed example, the chapter illustrates how one can model a computer network and automatically generate and analyze attack graphs. The attack graph produced by the algorithms presented shows all ways in which an intruder can violate a given desired security property.

1.3.10. Chapter 10: Vulnerability-Centric Alert Correlation

This chapter discusses issues related to the survivability of systems under multistep network intrusions. Defending a network against such intrusions is particularly challenging because experienced attackers can circumvent security controls and detection by gradually elevating their privileges on intermediate hosts before reaching the final goal. This chapter describes recent advances in correlating intrusion alerts for the defense against such multistep network intrusions. Alert correlation techniques aim to reassemble correlated intrusion detection system (IDS) alerts into more meaningful attack scenarios. The chapter presents a vulnerability-centric approach to alert correlation that combines the advantages of topological vulnerability analysis with those of alert correlation. The chapter discusses how this method can effectively filter out irrelevant alerts, defeat so-called slow attacks, and add to alert correlation the capabilities of hypothesizing missing alerts, predicting possible future alerts, and aggregating repetitive alerts. Empirical results presented show that these tasks can be fulfilled faster than the IDSs can report alerts under intensive attacks.
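To make the capabilities listed above concrete (filtering irrelevant alerts, aggregating repeats, chaining alerts through the privileges they grant, hypothesizing a missed step and predicting the next one), here is a small vulnerability-centric correlator written for this overview; it is an added illustration, not the chapter's algorithm or code. The exploit knowledge base, the scanner inventory, the host names and the alert stream are all constructed, and the signature and vulnerability identifiers are hypothetical.

```python
"""Vulnerability-centric alert correlation on constructed data (added illustration,
not the chapter's algorithm or code)."""
from collections import namedtuple

LEVELS = {"none": 0, "user": 1, "root": 2}   # attacker privilege on a host

# Constructed exploit knowledge base (hypothetical signatures and vulnerability ids):
# signature -> (vuln needed on target, privilege needed on the attacking host,
#               privilege gained on the target, local-only exploit?)
EXPLOITS = {
    "SIG_WEB_RCE":  ("VULN-WEB-RCE",  "none", "user", False),
    "SIG_LOCAL_PE": ("VULN-LOCAL-PE", "user", "root", True),
    "SIG_DB_PRIV":  ("VULN-DB-PRIV",  "user", "root", False),
    "SIG_SMB_OLD":  ("VULN-SMB-OLD",  "user", "root", False),
}

# Constructed scanner inventory: host -> vulnerabilities actually present.
INVENTORY = {
    "web": {"VULN-WEB-RCE", "VULN-LOCAL-PE"},
    "db":  {"VULN-DB-PRIV"},
    "app": {"VULN-WEB-RCE"},
    "ws1": set(),
}

Alert = namedtuple("Alert", "t sig src dst")   # t in seconds

# Constructed IDS alert stream: repeats, one alert against a host that is not
# vulnerable, a slow follow-up step, and a step whose preparing alert the IDS missed.
ALERTS = [
    Alert(100, "SIG_WEB_RCE", "attacker", "web"),
    Alert(101, "SIG_WEB_RCE", "attacker", "web"),
    Alert(102, "SIG_WEB_RCE", "attacker", "web"),
    Alert(150, "SIG_SMB_OLD", "attacker", "ws1"),   # ws1 lacks VULN-SMB-OLD: irrelevant
    Alert(900, "SIG_DB_PRIV", "web", "db"),         # 13 minutes later: a "slow" step
    Alert(950, "SIG_DB_PRIV", "app", "db"),         # nothing ever reported app compromised
]


def relevant(alerts, inventory):
    """Drop alerts whose exploit needs a vulnerability the destination host does not have."""
    return [a for a in alerts if EXPLOITS[a.sig][0] in inventory.get(a.dst, set())]


def aggregate(alerts, window=60):
    """Collapse repeated (sig, src, dst) alerts within `window` seconds into [first_alert, count]."""
    out = []
    for a in sorted(alerts, key=lambda x: x.t):
        if out and out[-1][0][1:] == a[1:] and a.t - out[-1][0].t <= window:
            out[-1][1] += 1
        else:
            out.append([a, 1])
    return out


def correlate(agg, inventory):
    """Chain alerts through the privileges they grant; hypothesize unseen steps; predict next ones."""
    achieved, granted_by = {}, {}       # host -> privilege held / alert that granted it
    edges, hypothesized = [], []
    for a, count in agg:
        vuln, need, gain, _ = EXPLOITS[a.sig]
        if LEVELS[achieved.get(a.src, "none")] < LEVELS[need]:
            # Precondition unmet: could an exploit of a vuln present on a.src have granted it unseen?
            cands = [s for s, (v, _, g, _) in EXPLOITS.items()
                     if v in inventory.get(a.src, set()) and LEVELS[g] >= LEVELS[need]]
            if not cands:
                continue                                  # unexplained: leave uncorrelated
            hyp = Alert(None, cands[0], "?", a.src)       # hypothesized missing alert
            hypothesized.append(hyp)
            achieved[a.src], granted_by[a.src] = EXPLOITS[cands[0]][2], hyp
        if a.src in granted_by:
            edges.append((granted_by[a.src], a, count))   # granted_by[a.src] prepared a
        if LEVELS[gain] > LEVELS[achieved.get(a.dst, "none")]:
            achieved[a.dst], granted_by[a.dst] = gain, a
    # Predict: exploits whose precondition the attacker now meets against a host still vulnerable.
    predicted = sorted(
        (sig, h, t) for h, p in achieved.items()
        for sig, (v, need, gain, local) in EXPLOITS.items()
        for t in inventory
        if v in inventory[t] and (not local or h == t)
        and LEVELS[p] >= LEVELS[need] and LEVELS[gain] > LEVELS[achieved.get(t, "none")])
    return {"edges": edges, "hypothesized": hypothesized, "predicted": predicted}


def run(alerts=ALERTS, inventory=INVENTORY):
    return correlate(aggregate(relevant(alerts, inventory)), inventory)


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Two design points follow the chapter's argument. The vulnerability inventory does the filtering: an alert is dropped unless its exploit matches a vulnerability the target actually has, which is what makes the remaining stream small enough to correlate quickly. And correlation is driven by the privilege conditions in the knowledge base rather than by a sliding time window, so the 800-second gap between the first and second step does not break the scenario, which is how such an approach resists slow attacks.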

1.3.11. Chapter 11: Monitoring and Detecting Attacks in All-Optical Networks

This chapter focuses on security attacks against all-optical networks (AONs). An AON is essentially a network in which data does not undergo optical-to-electrical (O-E) or electrical-to-optical (E-O) conversion within the network. Although AONs are a viable technology for future telecommunication and data networks, little attention has been devoted to the intrinsic differences between AONs and existing electro-optic/electronic networks in matters of security management. AON features such as transparency and nonregeneration make attack detection and localization difficult, yet it is important to detect and localize an attack quickly in a transparent AON. The chapter specifically focuses on the diagnosis of crosstalk attacks, as crosstalk attacks have the potential to create widespread damage in AONs. The chapter provides a crosstalk attack model and a monitoring model, and then shows that it is possible to reduce the number of monitors while still retaining all diagnostic capabilities. In particular, the chapter presents necessary and sufficient conditions for the diagnosis of both single and multiple (i.e., k-crosstalk) attacks. The key idea is to use the status of existing connections along with that of test connections for diagnosis. The chapter also develops efficient monitor placement policies, test connection setup policies, and routing policies for such a network.

1.3.12. Chapter 12: Robustness Evaluation of Operating Systems

This chapter focuses on the robustness of the operating system (OS). Because the OS is a key component of all computer systems, it is imperative that it has the ability to correctly support the applications running on it even in the presence of operational perturbations. The chapter defines OS robustness as the degree to which an OS can handle such perturbations and maintain its correct functionality. The perturbations an OS may have to withstand include hardware malfunction, buggy software, invalid inputs, and stress generated by the applications running on it. OSs are highly complex functional entities with countless environment interaction scenarios, which limits the use of static analytical approaches. This chapter therefore emphasizes experimental evaluation of OS robustness as the preferred approach and discusses various experimental methods. The chapter places key emphasis on target system definition, choice of evaluation strategy, the metrics to use, and interpretation of the results. Using a case study, the chapter illustrates these aspects of the robustness evaluation methods.

1.3.13. Chapter 13: Intrusion Response Systems: A Survey

Protecting networks from security attacks is an important concern. While intrusion prevention and intrusion detection systems have been the subject of much study, the actions that need to follow prevention and detection, namely response, have received less attention from researchers and practitioners. Response was traditionally thought of as an offline process with humans in the loop, such as system administrators performing forensics by going through the system logs and determining which services or components need to be recovered. This chapter lays out the design challenges in building an autonomous intrusion response system and provides a classification of existing work on the topic into four categories: response through static decision tables, response through a dynamic decision process, intrusion tolerance through diverse replicas, and intrusion response for specific classes of attacks. Existing intrusion response systems are analyzed using the classification scheme presented in this chapter. The chapter also presents methods for benchmarking intrusion response systems.

1.3.14. Chapter 14: Secure and Resilient Routing: A Framework for Resilient Network Architectures

This chapter presents a generic framework for a secure and resilient network routing architecture. Such an architecture allows different services with different priorities to coexist in a virtualized environment. A key issue here is to make the routing architecture robust against network overloads and security attacks. The chapter discusses the building blocks of the proposed framework, which is shown to be conducive to providing secure traffic engineering as well as network resiliency. The approach taken in this chapter starts with identifying the service requirement for security and resiliency in a prioritized environment and works backwards to identify the architectural components needed to support this service paradigm.

1.3.15. Chapter 15: Security and Survivability of Wireless Systems

Information assurance techniques employed in wired networks have limited direct applicability in wireless networks because of the unique aspects of wireless networks (e.g., user mobility, wireless communication channel, power conservation, limited computational power in mobile nodes, security at the link layer, and so on). The interaction between the components of information assurance, namely availability and security, in a wireless network environment poses new challenges. In this chapter, recent research on understanding survivability and security in wireless networks and their interaction is presented.

1.3.16. Chapter 16: Integrated Fault and Security Management

This chapter focuses on an integrated framework for managing faults and security intrusions. The chapter emphasizes the need to be careful while identifying symptoms related to faults and security attacks, which may be similar, and classifying faults or security attacks based on such symptoms. Integration of fault and intrusion management is, however, a natural result of the similarity in the techniques used to analyze and identify them (i.e., based on symptom collection, correlation, and evaluation). The chapter presents an active problem diagnosis framework that analyzes faults and security alarms using the same engine. A key challenge is to ensure that incomplete symptom information is handled to properly identify faults and intrusions. The chapter then presents an architecture for network-based intrusion detection systems that analyzes traffic collected from different sensors, identifies faults and intrusions, and initiates actions to mitigate the intrusions/faults and their effects.
