Diversity and Defence in Depth for Security - A Probabilistic Approach (D3S)

Lead Research Organisation: City, University of London
Department Name: Centre for Software Reliability

Abstract

An important part of security is defence in depth: multiple layers of defence used to reduce the probability of a successful attack on a system or organisation. Crucially, for defence in depth these defences must be diverse in their ability to detect and/or prevent intrusion attempts. Here, as in security in general, there is a need to support decisions through quantitative approaches, seeking to answer questions like: "should a given available budget be spent on a specific defence X or two weaker defences Y and Z which, however, if combined promise better security than X alone?", "in this threat environment, what is the likelihood of a successful intrusion achieving damage worth D over one year?" etc. This project aims to produce methods for answering such questions, inevitably in probabilistic terms, with clear understanding of how much trust can be put in these methods.

We will consider these layers of defence: AntiVirus (AV) products, Intrusion Detection Systems (IDS), Firewalls, as well as the implicit layers for defence created by the inherent robustness to attack of the applications and platforms being attacked (e.g. diverse operating systems and applications).

The probabilistic models that will result from this research will be of two broad types:
- Conceptual models - models that are used to conceptualise the problem domain and enable understanding of relative importance of different factors and theoretical limits of the benefits of diversity with the various protection layers but that are defined at a reasonably high level of abstraction making it difficult to observe and quantify the parameters of these models in practice;
- Operational models - models whose parameters can be observed in practice, so that the model can be used in operation for security assessment and prediction.

Successful operational models achieve prediction, given a sequence of previous observations, in the presence of limited change. Successful conceptual models more modestly clarify non-intuitive universal truths and help to analyse scenarios (e.g. showing best- and worst-case effects rather than likely effects) for which data are insufficient for prediction.

The open problems that we address regarding the assessment of the potential gains from defence in depth include:
- Designing multi-layered defences. There are at least three dimensions to the design:
  - The choice of diversity architecture: how many devices, how many types of devices, etc.
  - How they are combined (e.g., for products that flag possible attacks, whether a security response requires consensus among multiple layers, just one layer raising an alarm, or a certain majority).
  - The nature of the assets to be protected.
- Security requirements are usually expressed in terms of (at least) three constituent attributes: Confidentiality, Integrity and Availability (CIA). An important issue is that designs that improve one of these attributes may make others worse, and probabilistic models help to manage these trade-offs.
- There is a difference between measuring how secure a defence system has been in the past and predicting how secure it will be, as attackers develop new techniques and security vendors try to adapt. We need methods that allow us to predict the security of one (or several) layers of defences based on what we have seen in the past. Predictions may be in terms of the probabilities of: the time to next attack; the rate of attacks that we can expect in a given time interval; vulnerabilities existing in a set of defences etc; and since these will never be infallible we need methods for assessing how well they perform so that their users know how much confidence to have in these predictions.
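The combination rules named above (any one layer alarms, a majority, or consensus) can be compared numerically. The following is an added example, not part of the project description: it assumes constructed per-layer detection and false-alarm probabilities, computes each rule's outcome under an independence assumption, and also reports the best- and worst-case range that a conceptual model gives when nothing is assumed about correlation between the layers.

```python
def k_out_of_n_prob(probs, k):
    """P(at least k of n layers fire) when layers fire independently with
    probabilities probs[i] (Poisson-binomial distribution, computed by
    dynamic programming over the layers)."""
    n = len(probs)
    dist = [1.0] + [0.0] * n  # dist[j] = P(exactly j layers have fired so far)
    for p in probs:
        for j in range(n, 0, -1):
            dist[j] = dist[j] * (1 - p) + dist[j - 1] * p
        dist[0] *= 1 - p
    return sum(dist[k:])


def frechet_bounds(probs, k):
    """Worst- and best-case P(at least k of n fire) with NO independence
    assumption, for the any-one rule (k=1) and the consensus rule (k=n).
    These are the Frechet bounds on a union / an intersection of events."""
    n = len(probs)
    if k == 1:   # union: fully correlated gives max(p), disjoint gives sum(p)
        return max(probs), min(1.0, sum(probs))
    if k == n:   # intersection: lower bound sum(p)-(n-1), upper bound min(p)
        return max(0.0, sum(probs) - (n - 1)), min(probs)
    raise ValueError("bounds implemented only for any-one and consensus rules")


def compare_rules(detect, false_alarm):
    """Return {rule: (P(attack detected), P(false alarm on benign traffic))}
    under independence, for the three combination rules listed above."""
    n = len(detect)
    rules = {"any-one": 1, "majority": n // 2 + 1, "consensus": n}
    return {name: (k_out_of_n_prob(detect, k), k_out_of_n_prob(false_alarm, k))
            for name, k in rules.items()}


if __name__ == "__main__":
    # Constructed figures for three diverse layers (e.g. AV, IDS, firewall);
    # illustrative assumptions only, not measurements from the project.
    detect = [0.9, 0.8, 0.7]
    false_alarm = [0.05, 0.10, 0.02]
    for rule, (pd, pfa) in compare_rules(detect, false_alarm).items():
        print(f"{rule:10s} P(detect)={pd:.3f}  P(false alarm)={pfa:.3f}")
    lo, hi = frechet_bounds(detect, 1)
    print(f"any-one detection with unknown correlation: {lo:.3f} .. {hi:.3f}")
```

The any-one rule maximises detection but also sums up false alarms (the availability side of the CIA trade-off), while consensus does the reverse; the bounds show how much of the independent-case gain can vanish when the layers' failures are correlated.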

Planned Impact

There should be no need to emphasise here the growing importance of IT security for our society. The current IT infrastructure is vulnerable to attack, and there is no short or medium term prospect of eliminating this vulnerability with certainty by avoiding all errors in design, configuration and use.
This project addresses a crucial issue for the improvement of security, i.e., the ability to reason rigorously and quantitatively about the costs and benefits of alternative solutions. The move to cloud computing will provide opportunities for diversification and a growing need to assess whether the diversification of the end systems as well as the protection systems is effective.
D3S aims to produce decision guidance for intrusion and malware detection via diversity in intrusion detection/prevention systems, anti-virus software, firewalls, operating systems and applications in the form of methods that use sound probabilistic reasoning and empirical measurement.
If successful, D3S will thus produce breakthroughs for those required to design, procure and assess security-relevant systems.

Who will benefit from this Research and How will they benefit?
In more detail we expect the following specific beneficiaries from the research in D3S:
- Designers, procurers and assessors of security-relevant systems: this includes any organisation, in both private and public sector, who must ensure that their systems, and the data and information they hold in their systems, are kept secure. Additionally, organisations such as CESG who provide guidance to government, businesses and home users on selection, deployment and configuration of security systems would also be a significant beneficiary. The philosophy of D3S - to offer decision guidance based on sound probabilistic models which are underpinned by pertinent empirical data - promises a radical improvement for decision makers in security. In particular, Defence and regulated industries: heavily regulated industries such as defence, nuclear energy and other safety critical or critical infrastructure industries come under regulatory and real pressure to demonstrate a high level of security of the systems before they are deployed (apart from the reliability and safety requirements which are already mandatory). The levels of security required may be difficult to demonstrate with a single protection device and hence diversity may be necessary to demonstrate the viability of the required level.
- Designers and vendors of security tools: there are already academic prototypes of diverse deployment of anti-virus engines and a commercial solution for email scanning which also uses diverse anti-virus software. D3S will make clearer the design issues in building security solutions which employ diverse products. This may encourage more vendors to build middleware and "glue" software which enables the employment of diverse products rather than relying on homogeneous products which create a single point of failure.

What will be done to ensure that they have the opportunity to benefit from this Research?
We will collaborate with academic institutions and industry in Europe and the US. This will help with a wide dissemination of the research findings in D3S. We will use the following channels to disseminate the research:
- our role in the EPSRC Research Institute in Trustworthy Industrial Control Systems, which has a strong component of communication with industry and government;
- contacts within DSTL and CESG to inform defence and governmental departments of D3S findings;
- IFIP working group 10.4 on Dependable Computing where several of us are active members;
- our contacts from our research collaborations, e.g. our past EU-funded project IRRIIS and current EU-funded projects AFTER and SeSaMo (embedded system security);
- industry conferences, e.g. InfoSec (http://www.infosec.co.uk/);
- our Continuous Professional Development (CPD) and MSc courses;
- relevant conferences and journals.
 
Description: We have developed a tool called vepRisk which uses reliability growth models in security contexts, for predicting the time to next vulnerability for a given system. We have published a tool paper on this work (available from: http://openaccess.city.ac.uk/17584/) and have also made the tool publicly available from http://veprisk.city.ac.uk/main/ . We have already used the tool to publish novel research results (including this paper: http://openaccess.city.ac.uk/17585/ - which was presented in the "Distinguished papers" category of the IEEE EDCC'17 conference).
Exploitation Route: The vepRisk tool (http://veprisk.city.ac.uk/main/) is publicly available. Hence the models used in that tool can be used by other researchers with their own datasets, to evaluate the predictive accuracy of the models for security incidents.
Sectors: Aerospace, Defence and Marine; Financial Services, and Management Consultancy; Security and Diplomacy

 
Description: As part of a related EU-funded H2020 project named DiSIEM, we worked with the travel company Amadeus on improving their malicious web scraping detection using diverse detection tools. Some of the techniques we used there were partially explored in the D3S project sponsored by EPSRC.
First Year Of Impact: 2019
Sector: Digital/Communication/Information Technologies (including Software)
 
Description: Collaboration on vulnerability assessment with the University of Maryland
Organisation: University of Maryland
Country: United States
Sector: Academic/University
PI Contribution: Using the vepRisk tool that we built in the D3S project, we shared data with the University of Maryland (specifically with Dr Michel Cukier and his PhD student Yazdan Movahedi), which resulted in a "Distinguished paper" in the IEEE EDCC'18 conference: 10.1109/EDCC.2017.27
Collaborator Contribution: Yazdan Movahedi, a PhD student of Dr Michel Cukier, applied a clustering approach to vulnerability assessment to the dataset that we shared with them.
Impact: Two papers so far: 10.1109/EDCC.2017.27 and 10.1109/NCA.2017.8171379.
Start Year: 2016
 
Description: Participation in the EU DiSIEM project
Organisation: University of Lisbon
Country: Portugal
Sector: Academic/University
PI Contribution: We joined a consortium of 6 other EU partners and successfully bid for the project H2020 DiSIEM. In this project we are applying some of our research findings from DiSIEM to industrial datasets and practical problems.
Collaborator Contribution: The industrial partners in DiSIEM are sharing their case studies, datasets and expertise in practical and operational matters related to defence in depth, allowing us to get feedback on the applicability of the research we are doing in D3S and DiSIEM.
Impact: Many project deliverables, listed here: http://disiem-project.eu/index.php/publications-deliverables/ Further publications are planned.
Start Year: 2016
 
Title: vepRisk
Description: vepRisk (Vulnerabilities, Exploits and Patches Risk analysis tool) is a web-based tool for analysing publicly available security data. The tool has backend modules that mine, extract, parse and store data from public repositories of vulnerabilities, exploits and patches, and a frontend web-based application that provides functionality for analysing the data. The frontend uses shinyR, allowing integration with the R statistical analysis package and seamless use of R functions.
Type Of Technology: Webtool/Application
Year Produced: 2018
Impact: We are using this tool to analyse publicly available data, and we also plan to apply the models to the security data shared by the industrial partners in the EU-funded DiSIEM project. We plan to do this during 2018 and 2019.
URL: http://veprisk.city.ac.uk/main/