Survivability Modelling of Lithuanian Government Information System

Information systems provide critical services in nearly all areas of life. These services must be provided in a secure and reliable manner. The targeted security and availability characteristics are defined in a security policy or in formal regulations. The main part of an information system is the computer system, which is addressed in this research. The survivability characteristic is suitable for information system security evaluation [1–4] and is used in this research. A stochastic computer system model was composed and investigated using the Möbius tool. Information systems of different categories were simulated and the obtained results were analysed.


Introduction
Information systems provide critical services in nearly all areas of life. These services must be provided in a secure and reliable manner. The targeted security and availability characteristics are defined in a security policy or in formal regulations. The main part of an information system is the computer system, which is addressed in this research.
The survivability characteristic is suitable for information system security evaluation [1–4] and is used in this research. A stochastic computer system model was composed and investigated using the Möbius tool. Information systems of different categories were simulated and the obtained results were analysed.

Computer system security regulation
Lithuanian government information systems are well regulated and are therefore addressed in this research. According to orders of the Minister of the Interior of the Republic of Lithuania, information systems are categorised based on their importance for the state [5], and requirements for system recovery time and accessibility are set [6]. These requirements are summarised in Table 1. The requirements for first and second category systems are very high: the system recovery time should be no longer than 15 minutes for the first category and 1 hour for the second category, and the system accessibility is set to 99 percent for the first and 96 percent for the second category. The requirements for third and fourth category systems apply only during working hours on working days. Each category also has no fewer than a specified number of subsystems (Table 1). The requirements for the major security mechanisms which must be implemented differ between categories: every higher category system must have additional security mechanisms alongside the security mechanisms specified for lower category systems.
Four information system models were composed according to the requirements presented in Table 1. The creation of the models and the simulation results are presented in the following sections.

Simulation model
This simulation addresses one aspect of information security: computer network risks arising from the outer perimeter of the computer system. The structure of the computer system model is presented in Fig. 1. Incidents are grouped by the threats to confidentiality, integrity and availability and have different severity levels (j): high (j = 1), medium (j = 2) and low (j = 3).
Incidents are independent and occur according to an exponential law. Each incident targets a specific module (m), i.e. a subsystem, of the modelled computer system according to that module's rate of use, which is expressed as the module usage probability P_M(m).
All system modules are protected by the security mechanisms (N_m) regulated by law [6]. Computer system modules have different importance, which is represented by their weight w(m). After an incident the computer system module is either compromised or not, and this affects the state of the whole system.
The probability that the system degradation will be detected at time zero is very small, but the longer the period after the system was compromised, the higher the incident detection probability. We assume that the incident detection probability grows linearly, i.e. the detection time is distributed according to a triangular law. In this case the time during which one of the system modules is compromised but the incident is not yet detected may vary from zero to the upper bound of the triangular distribution. This time corresponds to the situation in which the compromised module is accessible and may provide inadequate service to the system's users. Therefore it is important to minimise the incident detection time as much as possible.
Under the same assumptions, a triangular distribution is used for the system recovery time, i.e. the module recovery probability rises as the time after incident detection grows. During the recovery time the compromised module is not accessible to users. The average system recovery time must satisfy the requirements presented in Table 1. Four computer system simulation models (one model per system category) were composed using the Stochastic Activity Network (SAN) formalism. The simulation models are built with the Möbius tool [7], and the model design repeats the block diagram presented in Fig. 1. A detailed SAN model description can be found in our previous work [8], where one system category was presented as a SAN model and the model parameter values were determined by risk analysis. In this work a new approach is presented: it allows the system compromise probabilities to be found and then applied to simulate computer system survivability. Each model has a different number of modules (subsystems): the first category has 7 modules, the second category 5 modules, the third category 3 modules and the fourth category 2 modules.

System compromise probabilities
To simulate system survivability we need to know the system compromise probabilities, i.e. the probabilities that a particular incident will compromise the system. These probabilities depend on the incident severity and on the number of implemented security mechanisms. The best way to obtain them is to collect accurate statistical data about incidents over a substantial period of time. In many cases, however, such statistical data are not available, e.g. when the system is still in the development stage or has only just been implemented. For this purpose we suggest using theoretical characteristics of the system compromise probability.
Fig. 2 shows the characteristics which represent how the system compromise probabilities depend on the number of implemented security mechanisms. There are three characteristics, one for each incident severity level; the first one corresponds to the most severe incidents. That is, the compromise probability is higher when incidents are more severe. The compromise probability curves were drawn based on the following hypotheses:
- more basic security mechanisms are needed to withstand the most severe incidents;
- if incidents are less severe, fewer security mechanisms are enough;
- when few or no mechanisms are used, the influence of incidents of all severities is almost the same, since even the least severe incident will compromise the system;
- when all possible security mechanisms are implemented, the influence of incidents of all severities is almost the same, since even the most severe incidents will be repelled.
The formulas which satisfy the curves in Fig. 2 (where Th = 0 and mi = 0) are:
0.04 3 0.8 0.004
where x is the amount of implemented security mechanisms [0-100]; Th are the coefficients for assessing the threat type (C for confidentiality, A for availability, I for integrity); mi are the coefficients for assessing a module's ability to withstand incidents. These formulas were used in the simulation to find the exact values of the compromise probabilities. The threat type is evaluated using the Th coefficients. These coefficients represent the ability of the security mechanisms to deal with a specific threat and may have positive or negative values. For example, if a particular security mechanism is more suitable for securing a module against confidentiality threats than against integrity threats, then the C coefficient will have a negative value (lower compromise probability) and the I coefficient a positive value (higher compromise probability).
The ability to withstand incidents differs from module to module. This difference is evaluated using the mi coefficients, which may also have positive or negative values. If a module is more important to the whole system (which is represented by the module weight w(m)), its security mechanisms are tuned more carefully; this means that the mi coefficient for that module will be positive, i.e. the system compromise probability will be lower. The proposed formulas allow the system compromise probabilities to be adapted to the threat type, the incident severity and the set of security mechanisms. They can also be easily modified to fit the needs of a real computer system.

Simulation Results
Survivability is a quantitative security characteristic of a computer system: the degree to which a system has been able to withstand an attack or attacks and is still able to provide services at a certain level in its new state after the attack.
When a service or the system survives in the maximal functional state b_1 (where b_2, b_3, …, b_n are the other states, in which one, two or more system modules are compromised) during the system usage time t_all, this characteristic can be called maximal survivability S_max. The maximal system survivability is what is addressed in this research. The survivability characteristics were found by averaging the time which the system's modules spend in the non-compromised state.
Different services, and the modules providing them, have different importance for the mission of the system, and this must be taken into account. The survivability of the system S is therefore expressed through the module survivabilities, where S(m) is the survivability of computer system module m and w(m) is the weight of the module.
The main parameter values used in the simulation are:
- the simulation period is 365 days, i.e. 1 year;
- the computer system faces 3 incidents per day; incidents are independent and exponentially distributed;
- incident appearance probabilities: confidentiality P_C(j=1)=0.04, P_C(j=2)=0.1, P_C(j=3)=0.2; integrity P_I(j=1)=0.01, P_I(j=2)=0.05, …
These values are hypothetical and were chosen only for simulation purposes, based on the following considerations. An attack on the computer system data integrity is the most complicated one, because the attacker must gain access to the system, elevate access rights, find the needed data, perform the manipulations and hide their tracks. Therefore the appearance probabilities of integrity incidents are the lowest. Finding confidential information is easier, and information can also be leaked accidentally. Both of these attack types require knowledge and experience on the part of the attacker. Performing a denial of service attack that disturbs computer system availability is the least complicated, as botnets for the attack can be leased and scripts and tools to perform such attacks are widely available. Therefore the availability incident appearance probabilities are the highest. The computer systems of the 1st and 2nd categories were designed with higher accessibility requirements; therefore the survivability characteristics obtained by simulation (Fig. 3a) are higher and depend less on the number of implemented security mechanisms.
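The following is an added example, not the paper's Möbius/SAN model, that runs the incident process described in the Simulation model, System compromise probabilities and Simulation Results sections as a small discrete-event simulation: exponential incident arrivals (3 per day over 365 days), module selection by usage probability P_M(m), a severity- and mechanism-dependent compromise probability, triangular detection and recovery delays, per-module survivability S(m) as the fraction of time spent in the non-compromised state, and a weight-averaged system survivability. Because the page's own P(x) formulas, the availability and integrity (j=3) appearance probabilities, and the exact form of the S formula are not given, the `compromise_probability` curve, the `THREAT_COEF` and module coefficients, the three-module system in `default_modules`, and the weighted-average `system_survivability` are constructed stand-ins chosen to satisfy the page's stated hypotheses and sign conventions.

```python
import random
from dataclasses import dataclass

# Incident appearance probabilities per (threat, severity level j).
# The confidentiality values and the integrity j=1,2 values are the ones
# given on the page; the remaining ones are constructed so the total is 1.
INCIDENT_TYPES = {
    ("C", 1): 0.04, ("C", 2): 0.10, ("C", 3): 0.20,
    ("I", 1): 0.01, ("I", 2): 0.05, ("I", 3): 0.10,   # I(j=3) constructed
    ("A", 1): 0.10, ("A", 2): 0.15, ("A", 3): 0.25,   # all constructed
}

# Constructed threat-type coefficients using the page's sign convention:
# negative lowers the compromise probability, positive raises it.
THREAT_COEF = {"C": -0.05, "A": 0.0, "I": 0.05}


def compromise_probability(x, severity, threat="A", module_coef=0.0):
    """Stand-in for the page's compromise probability formulas (assumed shape).

    It satisfies the page's four hypotheses: the probability decreases with
    the number of mechanisms x (0-100), is higher for more severe incidents
    (j=1 > j=2 > j=3), is ~1 for every severity at x=0 and 0 at x=100.
    """
    u = 1.0 - x / 100.0           # remaining exposure after x % of mechanisms
    p = u ** severity             # j=1 decays slowest, so it stays highest
    p += THREAT_COEF[threat] * u  # adjustments only matter while exposure remains
    p -= module_coef * u          # positive module coefficient lowers p
    return min(1.0, max(0.0, p))


@dataclass
class Module:
    name: str
    weight: float            # w(m): importance to the mission
    usage: float             # P_M(m): probability an incident targets this module
    coef: float = 0.0        # module coefficient (positive = harder to compromise)
    compromised_time: float = 0.0
    compromised_until: float = 0.0


def default_modules():
    """Constructed 3-module system (the page's third category has 3 modules)."""
    return [Module("portal", weight=0.5, usage=0.6, coef=0.10),
            Module("registry", weight=0.3, usage=0.3, coef=0.05),
            Module("reporting", weight=0.2, usage=0.1, coef=0.0)]


def simulate(modules, x, days=365.0, incidents_per_day=3.0,
             detect_max=1.0, recover_max=1.5 / 24, seed=1):
    """Run the incident process and return {module name: S(m)}.

    Times are in days. Detection and recovery delays follow triangular laws
    with the mode at the upper bound, so the probability of detecting or
    recovering rises with elapsed time, as the page assumes. The default
    recover_max gives a mean recovery of 1 hour (the page's second-category
    requirement). Assumption: an incident hitting an already compromised
    module has no extra effect until the module is recovered.
    """
    rng = random.Random(seed)
    for m in modules:
        m.compromised_time = m.compromised_until = 0.0
    kinds, kind_weights = zip(*INCIDENT_TYPES.items())
    usage = [m.usage for m in modules]
    t = 0.0
    while True:
        t += rng.expovariate(incidents_per_day)   # exponential inter-arrival
        if t >= days:
            break
        target = rng.choices(modules, weights=usage)[0]
        threat, severity = rng.choices(kinds, weights=kind_weights)[0]
        if t < target.compromised_until:
            continue                               # already compromised
        if rng.random() >= compromise_probability(x, severity, threat, target.coef):
            continue                               # incident repelled
        detect = rng.triangular(0.0, detect_max, detect_max)
        recover = rng.triangular(0.0, recover_max, recover_max)
        end = min(days, t + detect + recover)
        target.compromised_time += end - t         # undetected + recovery time
        target.compromised_until = end
    return {m.name: 1.0 - m.compromised_time / days for m in modules}


def system_survivability(modules, per_module):
    """Assumed weighted form of the page's S formula: sum(w(m) S(m)) / sum(w(m))."""
    total = sum(m.weight for m in modules)
    return sum(m.weight * per_module[m.name] for m in modules) / total


if __name__ == "__main__":
    mods = default_modules()
    for x in (0, 25, 50, 75, 100):
        s = system_survivability(mods, simulate(mods, x))
        print(f"x={x:3d}  S={s:.4f}")
```

Running the script sweeps x from 0 to 100 and prints the system survivability for each setting, which reproduces the qualitative shape of the Fig. 3 curves: survivability rises with the number of implemented mechanisms, and the undetected period (detect_max) dominates the downtime once recovery is held to the regulated one-hour mean, which is the page's argument for minimising detection time.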

Fig. 2. The dependence of the computer system compromise probability characteristics P(x) on the amount of implemented security mechanisms x.

Fig. 3. The dependence of the computer system survivability characteristics on the amount of implemented security mechanisms: a) 1st and 2nd system categories, b) 3rd and 4th system categories.

Table 1. Requirements for Lithuanian government system accessibility and recovery time. Note: wh = working hours, wd = working days.