Research article: 'Mathematical model of the reliability of information protection with layered security system. Introduction' (field: Computer and information sciences)

CC BY

MATHEMATICAL MODEL OF THE RELIABILITY OF INFORMATION PROTECTION WITH LAYERED SECURITY SYSTEM. INTRODUCTION

A. I. Pereguda

Obninsk Institute for Nuclear Power Engineering, Obninsk, Russia


ABSTRACT

The article describes a mathematical model of the reliability of an information protection system consisting of a protected information object and two security systems. The functioning of the information protection system under study is described as a superposition of alternating renewal processes. Upper and lower bounds are obtained for the expectation of the time before unauthorized access to information.

Keywords: reliability, security system, random variables, time to failure, random process, the expectation of the time, distribution function.

1. INTRODUCTION

Highly reliable security systems are often built using layered threat protection. To protect data from unauthorized access, such systems must provide a certain level of reliability, including the reliability of their hardware and software. When analyzing the reliability of such systems, it is not enough to take into account only the structure of the security system. Mathematical models of the reliability of information protection systems are considered in various works, such as [1, 2]. It is also necessary to take into account the reserve time available in security systems, which arises from the fact that an attacker needs some time to overcome the successive layers of protection. Here we obtain relations for assessing how this reserve time affects the reliability of information protection.

2. DESCRIPTION OF THE MODEL

Consider an information system which consists of a protected object and two security systems, each of which protects against one variety of attack. The security systems are not perfectly reliable and may fail. It is assumed that the failures of the security systems are independent. A failure of a security system is detected only during periodic monitoring of its condition. After a failure is detected, the security system is fully restored to its original state. If the first security system was not able to parry an attack immediately, unauthorized access to information can be achieved only after some time, and only provided that during this time none of the security systems failed.

Denote by $\chi_1$ the random time before the first attack on the protected object that is detectable by the first security system. The random time taken to repel the first attack detected by the first security system is denoted $\gamma_1$. The random time from the repelling of the first attack to the second such attack is denoted $\chi_2$, the time after the repelling of the second attack $\chi_3$, and so on. We assume that all $\chi_i$, $i = 1,2,\ldots$, are, as usual, independent and identically distributed with distribution function $F_\chi(t) = P(\chi \le t)$. The random time taken to repel the $i$-th attack detected by the first security system is denoted $\gamma_i$, $i = 1,2,\ldots$, and we assume that the $\gamma_i$ are independent identically distributed random variables with distribution function $F_\gamma(t) = P(\gamma < t)$. Denote by $\delta_i$ the random time between the $i$-th attack on the protected object that was not detected by the first security system and unauthorized access. It is obvious that the $\delta_i$, $i = 1,2,\ldots$, are independent identically distributed random variables with distribution function $F_\delta(t) = P\{\delta < t\}$. Thus, the first security system can still prevent unauthorized access during the time interval $[\chi_i, \chi_i + \delta_i)$.

Since the operation of the first security system consists of "attack, repelling of the attack" cycles, the moments at which the repelling of an attack detected by the first security system is completed are regeneration points of the information system process.

If the first security system has not responded in the specified time interval, the second security system can still prevent unauthorized access at the moment $\chi_i + \delta_i$. The duration of the repelling of the attack by the second security system after the first attack is denoted $\alpha_1$, after the second attack $\alpha_2$, etc. We assume that the $\alpha_i$, $i = 1,2,\ldots$, are independent identically distributed random variables with distribution function $F_\alpha(t) = P\{\alpha < t\}$.

The random time before the $i$-th attack on the protected object that is detected by the second security system is denoted $\varphi_i$, $i = 1,2,\ldots$. Let the $\varphi_i$ be independent identically distributed random variables with distribution function $F_\varphi(t) = P\{\varphi < t\}$. The duration of the repelling of the $i$-th attack detected by the second security system is denoted $\psi_i$, $i = 1,2,\ldots$. We assume that the $\psi_i$ are independent identically distributed random variables with distribution function $F_\psi(t) = P\{\psi < t\}$. We assume that the moments at which the repelling of such attacks ends are regeneration points of the information system process. Moreover, let the expectations of $\chi_i$, $\gamma_i$, $\delta_i$, $\alpha_i$, $\varphi_i$ and $\psi_i$, $i = 1,2,\ldots$, exist and be finite.

Since the process of repelling attacks consists of "attack, repelling of the attack" cycles, the moments at which the repelling of an attack on the protected object is completed, whether the attack was detected by the first or by the second security system, are regeneration points of the information system process.

We now consider the operation of the security systems. Let $\xi_i^{(1)}$, $i = 1,2,\ldots$, denote the $i$-th time between failures of the first security system. We assume that the times to failure of the first security system $\xi_i^{(1)}$, $i = 1,2,\ldots$, are independent identically distributed random variables with distribution function $F_{\xi^{(1)}}(t) = P\{\xi^{(1)} < t\}$. The duration of the restoration of the first security system after the $i$-th failure is denoted $\eta_i^{(1)}$, $i = 1,2,\ldots$. Here the $\eta_i^{(1)}$ are independent identically distributed random variables with distribution function $F_{\eta^{(1)}}(t) = P\{\eta^{(1)} < t\}$. Failures of the security systems are detected only during periodic condition monitoring. The serviceability of the first security system is checked with period $T^{(1)}$, and each periodic control takes time $\theta^{(1)}$.

If the first security system (SS) functioned properly for a random time $\xi^{(1)}$, then during this time $\left[\frac{\xi^{(1)}}{T^{(1)}+\theta^{(1)}}\right]$ operational periods $T^{(1)}$ elapsed and preventive control was performed, and during these periods the first SS was $\left[\frac{\xi^{(1)}}{T^{(1)}+\theta^{(1)}}\right]$ units of time. Between the last preventive control before the failure, which occurred at the time $(T^{(1)}+\theta^{(1)})\left[\frac{\xi^{(1)}}{T^{(1)}+\theta^{(1)}}\right]$, and the failure time $\xi^{(1)}$ there is still the time

$$\xi^{(1)} - (T^{(1)}+\theta^{(1)})\left[\frac{\xi^{(1)}}{T^{(1)}+\theta^{(1)}}\right]$$

during which the first SS is still operable.

On the last cycle of preventive control the security system is idle for the time

$$(T^{(1)}+\theta^{(1)}) - (T^{(1)}+\theta^{(1)})\left\{\frac{\xi^{(1)}}{T^{(1)}+\theta^{(1)}}\right\},$$

because the failure occurred at time $\xi^{(1)}$ but was detected only after the control cycle. The failure of the first security system will be detected at time $(T^{(1)}+\theta^{(1)})\left(\left[\frac{\xi^{(1)}}{T^{(1)}+\theta^{(1)}}\right]+1\right)$, and after repair work lasting $\eta^{(1)}$ the SS starts functioning correctly again.

Let $\xi_i^{(2)}$, $i = 1,2,\ldots$, be the $i$-th time between failures of the second security system, where the $\xi_i^{(2)}$ are independent and identically distributed random variables with distribution function $F_{\xi^{(2)}}(t) = P\{\xi^{(2)} < t\}$. The duration of the recovery of the second security system after the $i$-th failure is denoted $\eta_i^{(2)}$, $i = 1,2,\ldots$, where the $\eta_i^{(2)}$ are independent identically distributed random variables with distribution function $F_{\eta^{(2)}}(t) = P\{\eta^{(2)} < t\}$.

The monitoring period of the second security system is denoted $T^{(2)}$, and the duration of its periodic monitoring $\theta^{(2)}$. A failure of the second security system is detected at time

$$(T^{(2)}+\theta^{(2)})\left(\left[\frac{\xi^{(2)}}{T^{(2)}+\theta^{(2)}}\right]+1\right).$$

After repair work of duration $\eta^{(2)}$ the second SS will again operate correctly. Thus, the processes of functioning of the first and second security systems with preventive control are alternating renewal processes. Here we assume that during the control the security systems do not perform their functions.

Moreover, let the expectations of $\xi_i^{(1)}$, $\eta_i^{(1)}$, $\xi_i^{(2)}$ and $\eta_i^{(2)}$, $i = 1,2,\ldots$, exist and be finite, and let the distribution functions of these random variables be non-arithmetic.

The functioning of the first and second security systems appears as alternating "work, restoration" intervals, which consist of independent, identically distributed random variables $\{\xi_i^{(1)}, i \ge 1\}$, $\{\eta_i^{(1)}, i \ge 1\}$ and $\{\xi_i^{(2)}, i \ge 1\}$, $\{\eta_i^{(2)}, i \ge 1\}$, forming two alternating renewal processes $\{(\xi_i^{(1)}, \eta_i^{(1)}), i \ge 1\}$ and $\{(\xi_i^{(2)}, \eta_i^{(2)}), i \ge 1\}$.

We introduce some notation for the process of preventive control, which will be used further in the mathematical model. By $[x]$ and $\{x\}$ we denote the integer and fractional parts of a number $x$; $x^+ = \max(x, 0)$; $x \wedge a = \min(x, a)$; $J_{x<a}$ is the indicator of the event $x < a$.

The random time to unauthorized access is denoted $\omega$. Our task is to construct a mathematical model of the reliability of information protection systems with a layered security system and to obtain an estimate of the average time $M\omega$ to unauthorized access to information.

3. MAIN RESULTS

Since the functioning of the information protection system is described as a superposition of alternating renewal processes, the random time to unauthorized access can be written as the following sum:

$$\omega = \sum_{i=1}^{\nu-1} \sigma_i + \sigma'_\nu,$$

where the duration of a regeneration cycle of the information system process on which unauthorized access has not happened equals

$$\sigma_i = \chi_i \wedge \varphi_i + \left((\beta_i + \gamma_i) J_{B_i} + (\delta_i + \alpha_i) J_{\bar{B}_i}\right) J_{\chi_i < \varphi_i} + \psi_i J_{\varphi_i < \chi_i},$$

and the duration of a regeneration cycle of the information system process on which unauthorized access occurred equals

$$\sigma'_i = \chi_i \wedge \varphi_i + \delta_i J_{\chi_i < \varphi_i}.$$

In the relation for $\sigma_i$ we use the following notation: $\beta_i$ is the length of time between an attack on the protected object that should be parried by the first security system and the actuation of this security system, provided that it was able to parry the attack; $B_i$ is the event that on the $i$-th regeneration cycle of the information system process, for an attack corresponding to the first security system, the security system repelled this attack in the time interval

$$\left[\sum_{j=1}^{i-1}\sigma_j + \chi_i,\ \sum_{j=1}^{i-1}\sigma_j + \chi_i + \delta_i\right);$$

$\bar{B}_i$ denotes the opposite event: the first security system has not countered this attack on the protected object in that time interval. For this model it is obvious that $0 < \beta_i < \delta_i$.

For the distribution function of the time to unauthorized access we obviously have the following relation:

$$F_\omega(t) = P(\omega \le t) = P\left(\sum_{i=1}^{\nu-1}\sigma_i + \sigma'_\nu \le t\right).$$

For further transformations of $F_\omega(t)$ we use the method of conditional probability distributions and express the probability of a complex event through the conditional probabilities of this event under the appropriate conditions. If the conditions are mutually exclusive and form a complete group of events, then by the total probability formula the transform of the distribution function $F_\omega(t)$ is

$$F_\omega(s) = M e^{-s\omega} = \sum_{n=1}^{\infty} M\left(e^{-s\omega} \mid \nu = n\right) P(\nu = n),$$

where $F_\omega(s) = \int_0^{\infty} e^{-st}\, dF_\omega(t) = E\left[e^{-s\omega}\right]$.

0

Since all $\chi_i$ and $\gamma_i$ are independent random variables, given that $F_\sigma(s) = M e^{-s\sigma}$ and $F_{\sigma'}(s) = M e^{-s\sigma'}$, and that the process is regenerative, we have $P(\nu = n) = q(1-q)^{n-1}$, where $q$ is the probability of unauthorized access on a regeneration cycle of the information system process. It is easy to see that

$$M\left(e^{-s\omega} \mid \nu = n\right) = M\left(e^{-s\left(\sum_{i=1}^{\nu-1}\sigma_i + \sigma'_\nu\right)} \,\Big|\, \nu = n\right) = F_{\sigma'}(s)\left(F_\sigma(s)\right)^{n-1}.$$

Consequently, the Laplace-Stieltjes transform of $F_\omega(t)$ can be rewritten as

$$F_\omega(s) = \sum_{n=1}^{\infty} F_{\sigma'}(s)\left(F_\sigma(s)\right)^{n-1} q(1-q)^{n-1} = \frac{q F_{\sigma'}(s)}{1 - (1-q)F_\sigma(s)}.$$

The expectation of the time before unauthorized access can be calculated directly from relation (1) or by using the well-known relation $M\omega = -\left.\frac{dF_\omega(s)}{ds}\right|_{s=0}$. We obtain

$$M\omega = M\sigma' + \frac{1-q}{q} M\sigma.$$

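To find the expected operating time of the system until the first accident, it is necessary to calculate the expectations $M\sigma'$ and $M\sigma$ separately. In calculating the expectation $M\sigma'$, we take into account that the random variables involved are mutually independent. Then the expectation $M\sigma'$ can be written as follows:

$$M\sigma' = M\left((\chi \wedge \varphi) + \delta J_{\chi<\varphi}\right) = M(\chi \wedge \varphi) + M\delta\, P(\chi < \varphi) =$$

$$= \int_0^{\infty} (1 - F_\chi(t))(1 - F_\varphi(t))\,dt + \int_0^{\infty} (1 - F_\delta(t))\,dt \int_0^{\infty} F_\chi(t)\,dF_\varphi(t).$$

By analogy with $M\sigma'$ we compute the expectation $M\sigma$, which is equal to

$$M\sigma = M\left((\chi \wedge \varphi) + \left((\beta + \gamma)J_B + (\delta + \alpha)J_{\bar{B}}\right)J_{\chi<\varphi} + \psi J_{\chi>\varphi}\right) =$$

$$= M(\chi \wedge \varphi) + M\left(\left((\beta + \gamma)J_B + (\delta + \alpha)J_{\bar{B}}\right)J_{\chi<\varphi}\right) + M\left(\psi J_{\chi>\varphi}\right) =$$

$$= \int_0^{\infty} (1 - F_\chi(t))(1 - F_\varphi(t))\,dt + P(\chi < \varphi)\left((M\beta + M\gamma)P(B) + (M\delta + M\alpha)P(\bar{B})\right) + M\psi\, P(\varphi < \chi).$$

Substituting the calculated expectations $M\sigma'$ and $M\sigma$ in (2), we have

$$M\omega = M\left((\chi \wedge \varphi) + \delta J_{\chi<\varphi}\right) + \frac{1-q}{q} M\left((\chi \wedge \varphi) + \left((\beta + \gamma)J_B + (\delta + \alpha)J_{\bar{B}}\right)J_{\chi<\varphi} + \psi J_{\chi>\varphi}\right).$$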

Note that it is not possible to write down the distribution function of the random variables $\beta_i$, which depend on the magnitude of $\alpha_i$, but it is possible to obtain upper and lower bounds for the expectation of the time before unauthorized access to information by using the order relation on the set of distribution functions [3]. This estimate is written as follows:

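$$M\sigma' + \frac{1-q}{q}\left(M(\chi \wedge \varphi) + \left(M\gamma\, P(B) + (M\delta + M\alpha)P(\bar{B})\right)P(\chi < \varphi) + M\psi\, P(\varphi < \chi)\right) < M\omega <$$

$$< M\sigma' + \frac{1-q}{q}\left(M(\chi \wedge \varphi) + \left((M\delta + M\gamma)P(B) + (M\delta + M\alpha)P(\bar{B})\right)P(\chi < \varphi) + M\psi\, P(\varphi < \chi)\right). \qquad (3)$$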

To calculate the upper and lower bounds, one must first estimate the probability $q$ of unauthorized access on a regeneration cycle of the information system process. To obtain this estimate, we take a closer look at the operation of the security systems [3, 6].

Consider a single cycle of the functioning of the information system and compute $P(\bar{B})$ by considering two auxiliary random variables $U_n$ and $V_n$, defined by the relations

Un =l£(1) + g

n-1 ( | e

(T(1) + e(l)) -J

(1)

A

UT(1) + 0(1))

V = Itf0) + g (T(1) + 0(1)) -

i=1

i=1

T(1) + 0(1)

+

■(T(1) + e(1)) +

i=1

T(1) +

where $U_n$ is the time of the $n$-th failure of the first security system, and $V_n$ is the moment at which the recovery of the first security system after the $n$-th failure ends.

Since the functioning of the security system is an alternating renewal process, we can write

n-1

un + g (T(1) + e(1)) -

i=1

i=1

(1)

Vn + g (T(1) + e(1))-

i=1

i=1

[T(1) + 0(1)

[(T(1) + 0(1)) l + g^,

/ A

i=1

<T « + 0«) +

i=1

T(1) + 0(1)

v ^ -> J

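Then unauthorized access occurs on a regeneration cycle of the information system process if

$$U_n < \chi < V_n - \delta, \quad \delta < V_n - U_n,$$

or if

$$V_{n-1} + T^{(1)} < \chi < V_{n-1} + T^{(1)} + \theta^{(1)} - \delta;$$

$$V_{n-1} + (T^{(1)} + \theta^{(1)}) + T^{(1)} < \chi < V_{n-1} + 2(T^{(1)} + \theta^{(1)}) - \delta;$$

$$\ldots$$

$$V_{n-1} + \left(\left[\frac{\xi_n^{(1)}}{T^{(1)}+\theta^{(1)}}\right] - 1\right)(T^{(1)}+\theta^{(1)}) + T^{(1)} < \chi < V_{n-1} + \left[\frac{\xi_n^{(1)}}{T^{(1)}+\theta^{(1)}}\right](T^{(1)}+\theta^{(1)}) - \delta;$$

$$\delta < \theta^{(1)}.$$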

For the further exposition we introduce the non-negative random variables

$$\varepsilon_n = (T^{(1)}+\theta^{(1)}) - \left\{\frac{\xi_n^{(1)}}{T^{(1)}+\theta^{(1)}}\right\}(T^{(1)}+\theta^{(1)}), \quad \Delta_n = \eta_n^{(1)} + \varepsilon_n - \delta, \quad \zeta = \theta^{(1)} - \delta.$$

Here $\varepsilon_n$ is the length of time from the moment of failure of the first security system until the failure is detected and recovery is started.

Taking into account the conditions for unauthorized access to information, we write the expression for the probability $P(\bar{B})$:

P(B) = gj M

n=1 0


T(1)+e(1)

JUn<x<Vn -SJAn >0 +

¿=1

+(i-1)(T(1)+e(1))<x<vn-1+/(T(1)+e(1))-sJi>0

dFJx).

It follows that

i=1

i=1

i=1

œ ^ œ

P(B) = XiPU a (Un +an ) < x) dFx(x)-X\P(Un +an < x) dFx(x) +

n=1 0

n=1 0

+

œ ^

sim

n=1 0

Q1)

: pVn-1 + ^ +0(1))-£(1))AVn-1 + +0(1))0 +C) <x)

Si M

n=1 0

Note that

i=1

Q(1)

T(1)+0(1)

dFx(x) -

S P^-! + i(T(1) + 0(1)) - 0(1) + Ç < x) i=1

dFX( x) = q1 + q2.

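$$q_1 = \sum_{n=1}^{\infty}\int_0^{\infty}\int_0^{\infty}\Big(\big(F_{\xi^{(1)}} * (F_{\xi^{(1)}} * F_{\eta^{(1)}} * F_\varepsilon)^{*(n-1)}\big)(x) - \big(F_{\xi^{(1)}} * (F_{\xi^{(1)}} * F_{\eta^{(1)}} * F_\varepsilon)^{*(n-1)}\big)(x-y)\Big)\,dF_\Delta(y)\,dF_\chi(x),$$

where $F_{\xi^{(1)}} * F_{\eta^{(1)}}(t) = \int_0^t F_{\xi^{(1)}}(t-z)\,dF_{\eta^{(1)}}(z)$ is the convolution of the distribution functions $F_{\xi^{(1)}}(t)$ and $F_{\eta^{(1)}}(t)$, and $F^{*(n)}(t) = F * F^{*(n-1)}(t)$ is the $n$-fold convolution of the function $F(t)$.

The probability $q_1$ can be written as

$$q_1 = \int_0^{\infty}\int_0^{\infty}\left(H_0(x) - H_0(x-y)\right)dF_\Delta(y)\,dF_\chi(x),$$

where $H_0(x) = \sum_{n=1}^{\infty} F_{\xi^{(1)}} * (F_{\xi^{(1)}} * F_{\eta^{(1)}} * F_\varepsilon)^{*(n-1)}(x)$ is the renewal 0-function of the operation process of the first security system. The second term is converted analogously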

œ

q2 =SiiM

n=1 0 0

Q' тci)+ecl)

S pVri +i(T® +0®)-0® < x) - P(Vn_1 +i(T(1) +0®)-0® < x - y)) >dFQ (y)dFx (x) The resulting

expression can be written using functions 0-recovery:

q2 =ÜM

T(1)+e(1

S(H0, (x) - h0, (x - y))

i=1

df? (y)dfx (x),

where H0i(x) = £F2,,n(x), and F^(x) = P(V„=1 + i(T(1) +0(1))-0(1) < x)..

n=1

These relations cannot be simplified further, but asymptotic estimates can be obtained using the limit theorems of renewal theory [4, 5]:

qi

mrjrn + (T (1) m

mn(r> + (t (D +0(D) + m

T(1) + 0(1)

+1

f ydFA( y):

(4)

£

(1)

T(1) + 0(1)

(T(1) + 0(1) -S)

' £(1) "

Mrm + (T(1) +0(1))M +1

V T(1) + 0(1)

and

q2

M " £(1) "

T(1) + 0(1)

Mrm + (T(1) +0(1))M " £(1) " + (T(1) +0(1))

T(1) + 0(1)

f ydFç ( y):

(5)

M " £(1) " M (&(1) + S)+)

T(1) + 0(1)

Mrm + (T(1) +0(1))M " £(1) " + (T(1) +0(1))

T(1) + 0(1)

Summing (5) and (4), we obtain the probability that the first security system does not parry the attack on the protected object in the time interval $[\chi, \chi + \delta)$:

«(1) + (T(1) + 0(1)) - \ \(T(1) + 0(1)) - s

M

P(B)

Mr(1) + (t (1) + 0(1)) + (t (1) + e(1))M

(1)

T(1) + d(l)

+

+

M " ç(1) " M(0(1) - s)+

t (1) + e(l)

Mn(1) + (t (1) + e(1)) + (T(1) + 0(1))M " ç(1) "

t (1) + e(l)

Writing $\int_0^{\infty} y\,dF_\Delta(y)$ and $\int_0^{\infty} y\,dF_\zeta(y)$ explicitly is quite difficult even for the relatively simple case of exponential distributions of the random variables, but the Monte Carlo method can be used to obtain the desired numerical estimates. Note also that

$$P(B) = 1 - P(\bar{B}).$$
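The Monte Carlo route mentioned above can be sketched as follows. This is an added example, not code from the article: it simulates the "work, control, restoration" timeline of the first security system and estimates $P(\bar{B})$ together with the mean of $\beta$ for parried attacks. The function names, the exponential distributions, the parameter values, starting the system as new at time 0, and counting the control window in which a failure falls as down time are all assumptions.

```python
import math
import random

def cycle_down_intervals(start, xi, eta, T, theta):
    """One 'work - restoration' cycle of a periodically checked security system.

    Returns (down, end): the intervals in which the system cannot repel an
    attack, and the moment V_n at which it is restored to its original state.
    """
    period = T + theta
    k = math.floor(xi / period)            # [xi/(T+theta)] completed control periods
    fail = start + xi                      # U_n: moment of the hidden failure
    detect = start + period * (k + 1)      # failure is found at the end of the next control
    end = detect + eta                     # V_n: repair of duration eta is finished
    # During each control window of length theta the system does not protect.
    down = [(start + i * period + T, start + (i + 1) * period) for i in range(k)]
    # From the failure (or from the start of the control window it falls into,
    # an assumption of this sketch) until the end of the repair the system is down.
    down.append((min(fail, start + k * period + T), end))
    return down, end

def time_to_parry(chi, delta, draw_xi, draw_eta, T, theta):
    """beta = delay until the system reacts to an attack at time chi, or None
    if it stays down throughout [chi, chi + delta) (the event 'not parried')."""
    t, start = chi, 0.0
    while True:
        down, end = cycle_down_intervals(start, draw_xi(), draw_eta(), T, theta)
        for a, b in down:                  # intervals are in increasing order
            if a <= t < b:
                t = b                      # wait for this down interval to end
        if t >= chi + delta:
            return None
        if t < end:
            return t - chi
        start = end                        # the attack lies beyond this cycle

def estimate(n, T, theta, mean_xi, mean_eta, mean_chi, mean_delta, seed=1):
    """Monte Carlo estimate of P(not parried) and of M(beta | parried) with
    exponential xi, eta, chi, delta (constructed sample distributions)."""
    rng = random.Random(seed)
    exp = lambda mean: rng.expovariate(1.0 / mean)
    missed, betas = 0, []
    for _ in range(n):
        beta = time_to_parry(exp(mean_chi), exp(mean_delta),
                             lambda: exp(mean_xi), lambda: exp(mean_eta), T, theta)
        if beta is None:
            missed += 1
        else:
            betas.append(beta)
    return missed / n, sum(betas) / len(betas)

if __name__ == "__main__":
    p, mean_beta = estimate(20000, T=100.0, theta=2.0, mean_xi=1000.0,
                            mean_eta=10.0, mean_chi=5000.0, mean_delta=1.0)
    print(f"P(not parried) ~ {p:.4f}, M(beta | parried) ~ {mean_beta:.4f}")
```

With deterministic draws the function `time_to_parry` reproduces the conditions $U_n < \chi < V_n - \delta$ and $V_{n-1} + T^{(1)} < \chi < V_{n-1} + T^{(1)} + \theta^{(1)} - \delta$ stated earlier, which makes the simulator easy to check before it is used with random inputs.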


By the formula of total probability, the probability $q$ of unauthorized access on a regeneration cycle of the information system process can be written as

$$q = P(\text{accident on the regeneration cycle} \mid \chi < \varphi)\,P(\chi < \varphi) + P(\text{accident on the regeneration cycle} \mid \chi > \varphi)\,P(\chi > \varphi) =$$

$$= q^{(1,2)}P(\chi < \varphi) + q^{(2)}P(\chi > \varphi) = q^{(1,2)}\int_0^{\infty} F_\chi(t)\,dF_\varphi(t) + q^{(2)}\left(1 - \int_0^{\infty} F_\chi(t)\,dF_\varphi(t)\right),$$

where $q^{(1,2)}$ is the probability that on a regeneration cycle the first security system, and after it the second security system, will not be able to parry the attack, and $q^{(2)}$ is the probability that on a regeneration cycle the second security system will not be able to fend off the corresponding type of attack. Taking into account that the security systems are independent of each other, we can write

$$q^{(1,2)} = P(\bar{B})\,q^{(2)}.$$

Finally, the estimate for the probability $q^{(2)}$ can be obtained using the same approach that was used above in calculating $P(\bar{B})$. We omit the intermediate calculations and present the final result immediately:

-,(2)

a -

M?(2) -d(2)M ' ?(2)

T (2) +0(2)

Mri (2) + (T(2) + 0(2)) + (T(2) +d(2y)M ?(2) "

T (2) +0(2)

(2)

Note that $q^{(2)}$ is the unavailability factor of the second security system, which takes its minimum value when the control period is the optimal prevention period [6].

The optimal prevention period is determined by the formula

$$\sqrt{2\theta^{(2)}\left(M\xi^{(2)} + M\eta^{(2)}\right)}.$$

Thus, we have obtained the upper and lower asymptotic bounds (3) for the mean time to unauthorized access.

The proposed mathematical model of the reliability of information protection systems with a layered security system with recoverable elements makes it possible to take into account time redundancy, when one security system "insures" the other. The proposed two-sided estimate for the expected time to unauthorized access to information provides a fairly narrow range of values for this reliability indicator, is simple to calculate, and takes into account a large number of different parameters of the functioning of the information protection system. The relations obtained are valid without any assumptions regarding the distribution functions of the random variables.


REFERENCES

1. Corneliussen, K. & Hokstad, P. 2003. Reliability Prediction Method for Safety Instrumented Systems; PDS Method Handbook, 2003 Edition. SINTEF report STF38 A02420, SINTEF, Trondheim, Norway.

2. Gnedenko, B.V., Ushakov, I.A. 1995. Probabilistic Reliability Engineering. John Wiley & Sons, Inc.

3. Pereguda, A.I. 2001. Calculation of the Reliability Indicators of the System Protected Object-Control and Protection System. Atomic Energy 90: 460-468.

4. Rausand, M., Høyland, A. 2004. System Reliability Theory: Models, Statistical Methods and Applications. John Wiley & Sons, Inc.

5. Stoyan, D. 1983. Comparison Methods for Queues and Other Stochastic Models. Wiley-Interscience.

6. Pereguda, A.I., Timashov, D.A. 2009. Mathematical model of reliability of security information systems. Information . No. 8: 10-17.
