On the Definition of Survivability J. C. Knight and K. J. Sullivan, Department of Computer Science, University of Virginia, December 2000.


2 Outline
Introduction
Definitions of Survivability
Critical Information System Characteristics
Survivability
Example
Conclusion and Future Work

3 Introduction

4 Introduction Failure of information systems will often cause a major loss of service, and so their dependability has become a major concern. Dependability is a system property that is usually stated as a set of requirements with which the system has to comply.

5 Introduction (Cont'd) Dependability has many facets: Reliability (R(t)), Availability (A(t)), Safety.

6 Introduction (Cont'd) R(t) is defined to be the probability that the system will meet its requirements up until time t when operating in a prescribed environment. A(t) is the probability that the system will be operating correctly at time t.

7 Introduction (Cont'd) Different facets of dependability are suitable for different systems. Reliability: Avionics. Availability: School. Safety: Nuclear Weapon.

8 Introduction (Cont'd) What is needed is a precise notion of what forms of degraded service are acceptable to the application, under what circumstances each form is most useful, and for what fraction of time each degraded service level is acceptable.

9 Definitions of Survivability

10 Aircraft combat survivability is the capability of an aircraft to avoid and/or withstand a man-made hostile environment. A property of a system, subsystem, equipment, process, or procedure that provides a defined degree of assurance that the named entity will continue to function during and after a natural or man-made disturbance.

11 Definitions of Survivability (Cont'd) The degree to which essential functions are still available even though some part of the system is down. The ability of a network computing system to provide essential services in the presence of attacks and failures, and recover full services in a timely manner.

12 Definitions of Survivability (Cont'd) Above all, these definitions do not have the precision needed to permit a clear determination of whether a given system should be considered survivable and what the essential services are. A second problem with a definition of this form is that it provides no testable criterion for the term being defined.

13 Critical Information System Characteristics

14 System Size: Critical information systems are very large. Externally Observable Damage: Externally observable damage must be both expected and dealt with. Damage and Repair Sequences: Less service is available over time as damage increases, and progressively more becomes available as repairs are conducted.

15 Critical Information System Characteristics (Cont'd) Time-Dependent Damage Effects: The impact or loss associated with damage tends to increase with time. Heterogeneous Criticality: Long-term power outages are more critical to hospitals than to homes.

16 Critical Information System Characteristics (Cont'd) Complex Operational Environment: They carry risks of natural, accidental, and malicious disruption from a wide variety of sources. Time-Varying Operational Environment: Security threats have increased dramatically from negligible levels to significant threats in recent times.

17 Critical Information System Characteristics (Cont'd) For the developer of a critical information system, knowing what service is required in the event that full service cannot be provided is very important.

18 Survivability

19 Survivability Informally, by a survivable system we mean a system that has the ability to continue to provide service (possibly degraded or different) in a given operating environment when various events cause major damage to the system or its operating environment. In fact, the appropriate goal of survivability is to maintain as much of the fundamental customer value of the service stream as is cost-effective.

20 Survivability (Cont'd) We observe that survivability needs to specify the various different forms of tolerable service that the system is to provide, given the notion that circumstances might force a change in the service delivered to the user. The set of tolerable services is the set of different forms of service that the system must be capable of providing.

21 Survivable System A system is survivable if it complies with its survivability specification.

22 Survivability and Fault Tolerance The informal notion of an event that causes damage, which we have used so far, is referred to formally as a fault. Fault tolerance is a mechanism that can be used to achieve certain dependability properties.

23 Survivability and Fault Tolerance (Cont'd) Describing a system as fault tolerant is really a statement about the system's design, not its dependability. Survivability is a dependability property; it is not synonymous with fault tolerance.

24 Survivability and Security A survivable system is expected to continue to provide one of the forms of tolerable service after many different forms of damage have occurred. Security is impacted by some aspects of design for dependability, since the introduction of redundancy makes protection of a system from deliberate faults more difficult.

25 Survivability Specification E = A statement of the assumed operating environment for the system. R = A set of specifications, each of which is a complete statement of a tolerable form of service that the system must provide. P = A probability distribution across the set of specifications, R.

26 Survivability Specification (Cont'd) M = A finite-state machine denoted by the four-tuple (S, S0, V, T) with the following meanings. S: A finite set of states, each of which has a unique label which is one of the specifications defined in R. S0: The initial or preferred state for the machine. V: A finite set of customer values. T: A state transition matrix.

27 The Meaning of the Four-Tuple Environment (E): E is a definition of the environment in which the survivable system has to operate. Specification (R): R is the set of specifications of tolerable forms of service for the system.

28 The Meaning of the Four-Tuple (Cont'd) Probability Distribution (P): A probability is associated with each member of the set R, with the sum of these probabilities being one. The critical quantities that cannot be determined are the probability of a failure of most forms of software and the probability of a malicious attack against a system.

29 The Meaning of the Four-Tuple (Cont'd) Finite-state Machine (M): M defines precisely how and when the system is required to move from providing one form of tolerable service to another. The computation of the customer value associated with the different states (V) has to be an on-going activity, since value changes with time and other factors.

30 Example

31 Hypothetical Banking Network

32 Survivability Specification Example

33 Survivability Specification Interpretation R1 Preferred: This specification defines complete and normal functionality. R2 Industry/Government: This specification limits service to major industrial and government clients only. Services are restricted to electronic transfer of large sums.

34 Survivability Specification Interpretation (Cont'd) R3 Financial Markets: This specification defines service for all the major financial markets, including the stock, bond and commodity markets, but no other client organizations. R4 Government Bonds: This specification defines service for processing of sales and redemptions of government bonds only, and only by major corporate clients.

35 Survivability Specification Interpretation (Cont'd) R5 Foreign Exchange: This specification defines service in which transfers of foreign currency into or out of the country are the only available service.

36 Survivability Specification Interpretation (Cont'd) Time and Value Factor: Settlement by the clearing houses and the Federal Reserve Bank occurs during the late afternoon. Domestic markets are closed at night. Stock, bond, and commodity markets must be accommodated when trading volumes are exceptionally and unexpectedly high.

37 Survivability Specification Interpretation (Cont'd) Clearly, customer values associated with the financial payment system vary dramatically over time.
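As an added example (not from the paper or these slides), the (E, R, P, M) specification of slides 25-29 and the banking interpretation of slides 33-37 written out as a checkable object in Python. The probabilities, customer values, time periods and damage/repair events are constructed illustrative numbers and names, not figures from the paper.

```python
from dataclasses import dataclass

@dataclass
class SurvivabilitySpec:
    """The (E, R, P, M) four-tuple; M = (S, S0, V, T) with every state labelled by a member of R."""
    environment: str                           # E: assumed operating environment
    specs: dict[str, str]                      # R: label -> tolerable form of service
    prob: dict[str, float]                     # P: probability distribution over R
    initial: str                               # S0: preferred (initial) state
    value: dict[str, dict[str, float]]         # V: customer value per state, per time period
    transitions: dict[tuple[str, str], str]    # T: (state, damage/repair event) -> next state

    def validate(self) -> list[str]:
        """Structural checks the definition imposes; an empty list means well-formed."""
        problems = []
        if self.initial not in self.specs:
            problems.append("S0 must carry a label from R")
        if set(self.prob) != set(self.specs) or abs(sum(self.prob.values()) - 1) > 1e-9:
            problems.append("P must be a distribution over exactly the members of R")
        for (src, _), dst in self.transitions.items():
            if src not in self.specs or dst not in self.specs:
                problems.append(f"transition {src}->{dst} names a state outside R")
        return problems

    def run(self, events: list[str]) -> list[str]:
        """Follow T from S0 over a damage-and-repair sequence; return the states visited."""
        state, trace = self.initial, [self.initial]
        for ev in events:
            state = self.transitions.get((state, ev), state)   # event not in T: stay put
            trace.append(state)
        return trace

    def expected_value(self, period: str) -> float:
        """Expected customer value during a period, weighting each state's value by P."""
        return sum(self.prob[r] * self.value[r][period] for r in self.specs)

# Constructed instance of the hypothetical banking network; all numbers are illustrative.
BANK = SurvivabilitySpec(
    environment="national payment network; regional site and link outages expected",
    specs={"R1": "preferred", "R2": "industry/government", "R3": "financial markets",
           "R4": "government bonds", "R5": "foreign exchange"},
    prob={"R1": 0.90, "R2": 0.04, "R3": 0.03, "R4": 0.02, "R5": 0.01},
    initial="R1",
    value={"R1": {"trading": 100, "settlement": 100, "night": 100},
           "R2": {"trading": 40, "settlement": 70, "night": 30},
           "R3": {"trading": 60, "settlement": 30, "night": 5},
           "R4": {"trading": 20, "settlement": 25, "night": 5},
           "R5": {"trading": 15, "settlement": 20, "night": 40}},
    transitions={("R1", "regional_outage"): "R2", ("R2", "core_switch_loss"): "R4",
                 ("R4", "core_switch_repaired"): "R2", ("R2", "regional_restored"): "R1"},
)
```

Slide 21's test ("a system is survivable if it complies with its specification") becomes concrete here: a validated specification plus a trace of the transitions actually followed under a damage and repair sequence.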

38 Conclusion and Future Work

39 Formal definition of survivability. Value evaluation. Time function evaluation. Quantitative index to evaluate survivability.

40 Thanks For Your Attention

