A Method for Estimation of the Success Probability of an Intrusion Process by Considering the Temporal Aspects of the Attacker Behavior

  • Jaafar Almasizadeh
  • Mohammad Abdollahi Azgomi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5430)


The aim is to propose a new approach for stochastic modeling of an intrusion process and quantitative evaluation of the probability of the attacker success. In many situations of security analysis, it is necessary to obtain the probabilities of success for attackers in an intrusion process. In the proposed method, the intrusion process is considered as elementary attack phases. In each atomic phase the attacker and the system interact and this interaction can transfer the current system state to a secure or failure state. Intrusion process modeling is done by a semi-Markov chain (SMC). The distribution functions assigned to the SMC transitions are a linear combination of some uniform distributions. These mixture distributions represent the time distribution of the attacker or the system in the transient states. In order to evaluate the security measure, the SMC is converted into a discrete-time Markov chain (DTMC) and then the resulting DTMC is analyzed and the probability of the attacker success is computed based on mathematical theorems. The desired security measure is evaluated with respect to the temporal aspects of the attacker behavior.


Security attacker system modeling evaluation intrusion process semi-Markov chain (SMC) discrete-time Markov chain (DTMC) 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C.: Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Transaction on Dependable and Secure Computing 1 (2004)Google Scholar
  2. 2.
    Bodei, C., Curti, M., Degano, P.: A Quantitative Study of Two Attacks. In: Proc. of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004). Electronic Notes in Theoretical Computer Science, vol. 121, pp. 65–85. Elsevier, Amsterdam (2005)Google Scholar
  3. 3.
    Cao, Y., Sun, H., Trivedi, K.S., Han, J.: System Availability With Non-Exponentially Distributed Outages. IEEE Transaction on Reliability 51(2) (2002)Google Scholar
  4. 4.
    Bolch, G., Greiner, S., de Meer, H., Trivedi, K.S.: Queueing Networks and Markov Chains: Modeling and Performance Evaluation with Computer Science Application, 2nd edn. John Wiley & Sons, Chichester (2006)CrossRefzbMATHGoogle Scholar
  5. 5.
    Goševa-Popstojanova, K., et al.: Characterizing Intrusion Tolerant Systems Using a State Transition Model. In: DARPA Information Survivability Conference and Exposition (DISCEX II), vol. 2, pp. 211–221 (2001)Google Scholar
  6. 6.
    Houmb, S.H., Sallahammar, K.: Modeling System Integrity of a Security Critical Using Coloured Petri Nets. In: Proc. of the 1st International Conference on Safety and Security Engineering, Rome, Italy, June 13-15 (2005)Google Scholar
  7. 7.
    Jonsson, E., Olovsson, T.: A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior. IEEE Trans. of Software Engineering 23(4), 235–245 (1997)CrossRefGoogle Scholar
  8. 8.
    Jonsson, E.: Towards an Integrated Conceptual Model of Security and Dependability. In: Proc. of the First International Conference on Availability, Reliability and Security (AReS) (2006)Google Scholar
  9. 9.
    Kaâniche, M., Alata, E., Nicomette, V., Deswarte, Y., Dacier, M.: Empirical Analysis and Statistical Modelling of Attack Processes Based on Honeypots. In: Proc. of Workshop on Empirical Evaluation of Dependability and Security (WEEDS 2006), Philadelphia, USA, June 25–28 (2006)Google Scholar
  10. 10.
    Littlewood, B., et al.: Towards Operational Measures of Computer Security. Journal of Computer Security 2, 211–229 (1993)CrossRefGoogle Scholar
  11. 11.
    Madan, B.B., Goseva-Popstojanova, K., Vaidyanathan, K., Trivedi, K.S.: A Method for Modeling and Quantifying the Security Attributes of Intrusion Tolerant Systems. Performance Evaluation 56 (2004)Google Scholar
  12. 12.
    Malhotra, S., Bhattacharya, S., Ghosh, S.K.: A Vulnerability and Exploit Independent Approach for Attack Path Prediction. In: Proc. of IEEE 8th International Conference on Computer and Information Technology Workshops (2008)Google Scholar
  13. 13.
    McQueen, M.A., Boyer, W.F., Flynn, M.A., Beitel, G.A.: Time-to-Compromise Model for Cyber Risk Reduction Estimation. In: Proc. of Quality of Protection Workshop (2005)Google Scholar
  14. 14.
    Nicol, D.M., Sanders, W.H., Trivedi, K.S.: Model-Based Evaluation: From Dependability to Security. IEEE Trans. on Dependable and Secure Computing 1(1), 48–65 (2004)CrossRefGoogle Scholar
  15. 15.
    Ortalo, R., et al.: Experiments with Quantitative Evaluation Tools for Monitoring Operational Security. IEEE Transaction on Software Engineering 25(5) (1999)Google Scholar
  16. 16.
    Sallhamar, K.: Stochastic Models for Combined Security and Dependability Evaluation. Ph.D. Thesis, Norwegian University of Science and Technology (2007)Google Scholar
  17. 17.
    Sallhammar, K., Knapskog, S.J.: Using Game Theory in Stochastic Models for Quantifying Security. In: Proc. of the 9th Nordic Workshop on Secure IT-Systems (NordSec 2004), Espoo, Finland, November 4-5 (2004)Google Scholar
  18. 18.
    Sallhammar, K., Helvik, B.E., Knapskog, S.J.: On Stochastic Modeling for Integrated Security and Dependability Evaluation. Journal of Networks 1(5) (2006)Google Scholar
  19. 19.
    Sallhammar, K., Knapskog, S.J., Helvik: Using Stochastic Game Theory to Compute the Expected Behavior of Attackers. In: Proc. of the 2005 International Symposium on Applications and the Internet Workshops (Saint 2005) (2005)Google Scholar
  20. 20.
    Shahriari, H.R., Makarem, M.S., Sirjani, M., Jalili, R., Movaghar, A.: Modeling and Verification of Complex Network Attacks Using an Actor-Based Language. In: Proc. the 11th International CSI Computer Conference (CSICC 2006), January 24-26 (2006)Google Scholar
  21. 21.
    Singh, S., Cukier, M., Sanders, W.: Probabilistic Validation of an Intrusion-Tolerant Replication System. In: Proc. of the 2003 International Conference on Dependable Systems and Networks (DSN 2003) (2001)Google Scholar
  22. 22.
    Steven, J., Templeton, K.L.: A Requires/Provides Model for Computer Attacks. In: Proc. of the 2000 Workshop on New Security Paradigms, Ballycotton, County Cork, Ireland, pp. 31–38 (2001)Google Scholar
  23. 23.
    Stevens, F., Courtney, T., Singh, S., Agbaria, A., Meyer, J.F., Sanders, W.H., Pal, P.: Model-Based Validation of an Intrusion-Tolerant Information System. In: Proc. of the 23rd Symposium on Reliable Distributed Systems (SRDS 2004), Florianpolis, Brazil (October 2004)Google Scholar
  24. 24.
    Trivedi, K.S.: Probability and Statistics with Reliability, Queuing, and Computer Science Applications, 2nd edn. John Wiley & Sons, Chichester (2001)zbMATHGoogle Scholar
  25. 25.
    Wang, D., Madan, B., Trivedi, K.S.: Security Analysis of SITAR Intrusion-Tolerant System. In: Proc. ACM Workshop on Survivable and Self-Regenerative Systems (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jaafar Almasizadeh
    • 1
  • Mohammad Abdollahi Azgomi
    • 1
  1. 1.Department of Computer EngineeringIran University of Science and TechnologyTehranIran

Personalised recommendations