Ph.D. Student Seminar

Ph.D. Status Report

November 19, 2003

Software Engineering group, IDI, NTNU

Ph.D. Status Report

Name Surname

Siv Hilde Houmb

Supervisors

Professor Tor Stålhane, Professor Maria Letizia Jaccheri, Per R. Hokstad, Sintef Teknologiledelse, Sikkerhet og pålitelighet

Year of Ph.D.

Second year

Title of Ph.D.

‘Quantifying security risks using "all" available data: A risk-based integrated system development and risk management approach’

Description of Ph.D. work

Motivation/background

How can we prevent security attacks from happening, and how can we know how best to spend the resources available? First of all, we need knowledge of the threats related to our systems. Monitoring the network and analysing log files will provide some of the desired knowledge. The drawback of this method is that we may not be able to register an attack before it strikes us and leaves us fumbling to get the system back to its normal status. To gain “knowledge” about future events one might rely on objective empirical data. The problem, however, is that the amount of objective data is rarely sufficient. To supplement the scarce amount of available data one may also make use of experts’ experience and knowledge, as e.g. in subjective expert judgment. Subjective expert judgment uses experts’ ability to express uncertainty about future events based on their experience and knowledge of the domain in question. This is partly incorporated into the MBRA (model-based risk assessment) methodology in the framework provided by the EU IST project CORAS. However, CORAS does not support combining all the data sources available and is not designed for use in a subjective expert judgment setting.

Subjectivity is not a new subject. It has been discussed within the probability domain since the seventies [3][4]. There have also been activities in the area of aggregating subjective expert judgment, such as the research by R. Cooke and his colleagues at the Department of Mathematics and Informatics, Delft University of Technology, The Netherlands, which led to the program Excalibur [1]. However, the challenge when combining different sources of input data lies not only in how to mathematically aggregate the sources, but also in how the data affect each other, and in particular, in this case, in how objective data may affect or calibrate the subjective data provided by the experts. The PhD work consists of two main parts: 1) refining the CORAS system development and risk management process in order to support quantification of risk, and 2) providing a method for combining all data sources available when quantifying risks.

Research theme/focus

The main approach to evaluating risk in security critical systems has been to provide qualitative frameworks for evaluating the security levels of systems, such as the Common Criteria. Such frameworks make use of best practice in development from particular domains and provide guidelines on how one should achieve a certain level. The evaluation is performed by an evaluator, a domain expert on the particular system under evaluation. These frameworks are often too rigid to be feasible for small systems or systems with a short time to market. For such systems a risk-based development is more effective, since it gives the developer the chance to choose which risks to take and which to treat. In order to do this we need to quantify the risk: provide numbers such as frequency of occurrence, impact in terms of loss or gain of value, and the effect of a certain countermeasure.

The focus of the research is to be able to make use of all available data sources when quantifying risk. In order to do this one needs a process that supports the quantification and a method to collect, calibrate, and combine the different data sources. The main objective is therefore to combine the use of empirical data with the use of subjective expert judgment in a way that makes the most out of both approaches.

More information can be found in the attachment “Description of PhD Thesis for Siv Hilde Houmb (August 2002 – August 2006)”.

Research design

The research is at the current stage divided into four main parts: 1) refining the CORAS system development and risk management process in order to support quantification of risk, 2) providing a method for combining all data sources available when quantifying risks, 3) background material, and 4) trials.

In part 1 the CORAS MBRA methodology will be extended and refined for quantification of risks. This work is based on the experience gained during the six CORAS trials, the assessment reports and the methodology assessment reports from these trials, the work done in my Master Thesis, and the work done by Telenor FoU and Scanpower AS on kvantrisk (quantification of availability of services). The work will be performed in co-operation with my supervisors and Cand. Real. Ole-Arnt Johnsen, moreCom AS. Part 2 is also based on the work with kvantrisk, but in addition on the work done by my supervisor Per R. Hokstad and the work by Roger Cooke at Delft University of Technology, The Netherlands. The trials will be a combination of trials to collect data for use when developing and testing part 2 and, if possible, a risk assessment performed either at Telenor or moreCom AS(?).

More information can be found in the attachment “Description of PhD Thesis for Siv Hilde Houmb (August 2002 – August 2006)”.

Preliminary results

The preliminary results are documented through two articles and a tutorial published this year (see publication list).

Preliminary conclusion

The CORAS MBRA methodology seems to be a good platform for supporting quantification of risks. The methodology is currently being tested by Sintef and a group of students at UiO. When it comes to the combination of objective and subjective data, we have come up with some suggestions on how to do the combination, but these need to be documented and evaluated before any conclusions can be drawn. Both of these issues will be addressed in the two papers described in the sections “Activity last 6 months” and “Activity next 6 months”.

Open issues

The trials are still not settled and scheduled. The same goes for the stay abroad. There are also a lot of other open issues related to the actual research, but these are documented in the previous sections.

Status

This semester I have taken one regular PhD course, attended two external courses for which I will apply for credit, and held one full-day tutorial. There have been some changes to my original plan, and I will apply for approval of the changes before Christmas. This means that I have enough credits to conclude the course part of my PhD. However, I will take one more course as a substitute for the course DIF5904, Stochastic processes in system theory, to upgrade my mathematical and statistical knowledge. I will try to find a similar course at the visiting university in autumn 2004.

List of publications for Siv Hilde Houmb, NTNU

Date: 18.11.2003

Articles with referee (6)

Houmb, S.H., den Braber, F., Soldal Lund, M., and Stølen, K. Towards a UML Profile for Model-based Risk Assessment. Proc. Satellite Workshop on Critical System Development with UML at Fifth International Conference on the Unified Modeling Language (UML'2002), pp. 79-92, Munich University of Technology, 2002.

Stølen, K., den Braber, F., Fredriksen, R., Gran, B.A., Houmb, S.H., Soldal Lund, M., Stamatiou, Y.C., Aagedal, J.Ø. Model-based risk assessment - the CORAS approach. To appear in Proc. 1st iTrust Workshop, 2002.

Dimitrakos, T., Ritchie, B., Raptis, D., Aagedal, J.Ø., den Braber, F., Stølen, K., Houmb, S.H. Integrating model-based security risk management into eBusiness systems development - the CORAS approach. In Proc. 2nd IFIP Conference on E-Commerce, E-Business, E-Government (I3E'2003), pp. 159-175, Kluwer, 2002.

Stølen, K., den Braber, F., Fredriksen, R., Gran, B.A., Houmb, S.H., Soldal Lund, M., Stamatiou, Y.C., Aagedal, J.Ø. Model-based risk assessment - the CORAS approach. In Proc. Norsk Informatikkonferanse (NIK'2002), pp. 239-249, Tapir, 2002.

Houmb, S.H., Kvernstad Hansen, K. Towards a UML Profile for Model-based Risk Assessment of Security Critical Systems. In Proceedings of the UML'03 workshop, CSDUML, TUM-I0323, pp. 95-103, Munich University of Technology, 2003.

Houmb, S.H., Jürjens, J. Developing Secure Networked Web-based Systems Using Model-based Risk Assessment and UMLsec. To appear in Proceedings from APSEC 2003, Thailand, December 2003.

Articles without referee (1)

Houmb, S.H. Er vi i stand til å kvantifisere risiko? Elektronikk No. 9, pp. 44-47, 2002.

Abstract with referee (1)

Houmb, S.H., Stølen Gustavsen, T., Stølen, K., Gran, B.A. Model-based Risk Analysis of Security Critical Systems. In Proc. of the 7th Nordic Workshop on Secure IT Systems, pp. 193-194, Simone Fischer-Hübner and Erland Jonsson (Eds.), Karlstad University Press, Karlstad, November 2002.

Chapters in book (1)

Stølen, K., den Braber, F., Dimitrakos, T., Fredriksen, R., Gran, B.A., Houmb, S.H., Stamatiou, Y.C., Aagedal, J.Ø. Model-Based Risk Assessment in a Component-Based Software Engineering Process: The CORAS Approach to Identify Security Risks. Chapter in the book Business Component-Based Software Engineering, edited by Franck Barbier, pp. 189-207, ISBN: 1-4020-7207-4, Kluwer, 2002.

Research reports (1)

Gran, B.A., Stathiakis, N., Dahll, G., Fredriksen, R., Thumem, A.P-J., Henriksen, E., Skipenes, E., Soldal Lund, M., Stølen, K., Houmb, S.H., Mork-Knudsen, E., Wisløff, E.D. The CORAS methodology for model-based risk assessment. IST-2000-25031 CORAS (Risk Assessment of Security Critical Systems), public deliverable, 29.08.2003.

Posters (2)

Houmb, S.H. Stochastic Models and Mobile E-commerce: Are stochastic models usable in the analysis of risk in mobile e-Commerce?, Poster describing Master Thesis in Informatics for the competition Yngre forskere 2002 during the poster session at Studiemøtet 2002, Sandefjord, 13 June 2002.

Houmb, S.H., Kvernstad Hansen, K. Security Assessment UML - documenting risk. Poster at the poster session during the workshop on Critical Systems Development with UML (CSDUML'03), October 2003.

Research prizes (1)

Houmb, S.H. Elektronikk's prize for Young Researchers 2002 for the Cand.Scient thesis “Stochastic Models and Mobile E-commerce: Are stochastic models usable in the analysis of risk in mobile e-Commerce?”, Studiemøtet 2002 in Sandefjord, 13 June 2002.

Credit plan

Course title / Term
DIF8614: Distributed systems / Autumn 2002
Empirical software engineering / Autumn 2002
DIF 8616: IT-emner / Spring 2003
SIF 8054: Programvarekvalitet og prosessforbedring / Autumn 2002
SIE5939: Evaluation of IT-security / Autumn 2003
DIF5904: Stochastic processes and system theory / Delayed until Autumn 2004
DIXPRES-01: Towards a UML Profile for Model-Based Risk Assessment / Autumn 2002
DIXPRES-02: Towards a UML Profile for Model-Based Risk Assessment of Security Critical Systems (title changed) / Autumn 2003
DIXPRES-03: Critical Systems Development using MBRA and UMLsec: Methods and Tools, with Dr. Jan Jürjens, TU München. Full-day tutorial. (title changed) / Autumn 2003
DIXIL-01: Bayesian Belief Networks (done as an external course at Hugin AS) / Autumn 2003
DIXIL-02: Subjective Expert Judgment (the effort has been incorporated into an article I have submitted to the special issue of SoSym (Software and Systems Modelling), Springer Verlag, on Critical Development of Secure Systems. I will exchange this course for the one-week course on formal methods that I attended in September at ETH, Zurich.) / Autumn 2003

Credit status

I have made some changes to my original credit plan, for which I will apply before Christmas. The main difference is a change in the title of two of the planned publications or presentations, and one of the self-study courses (DIXIL-02: Subjective Expert Judgment), which has been exchanged for an external course in formal methods at ETH, Zurich this semester. Next semester I will do the last required presentation in the course IT-emner, and then I have fulfilled the requirements for the credit part of the PhD work. However, I will try to substitute the planned course on stochastic processes with a similar course at the university I will visit during my stay abroad in autumn 2004.

Activity last 6 months

In the last six months I have started working on refining and extending the CORAS MBRA methodology for quantification of risks (part 1) and begun looking into how to make use of all available data when quantifying risk (part 2). Right now I'm writing two papers, one on the process and one on the “algorithm”. I have also worked on the background material and have about 100 pages on this part at the moment. Parts of both the background and the process are included in the article submitted to the special issue of SoSym (Software and Systems Modelling), Springer Verlag, on Critical Development of Secure Systems.

As for courses, I have attended a one-week course in formal methods, a three-day course in Bayesian Belief Networks, and DIE5904: Evaluation of IT-security, given a full-day tutorial at the conference LADC’03 in Sao Paulo, Brazil, and presented the paper “Towards a UML Profile for Model-based Risk Assessment of Security Critical Systems” at CSDUML’03. This article reports on the work done by Kine Kvernstad Hansen during her diploma thesis, which I supervised. The duty work I have done in the last six months has been to finish the supervision of three diploma students, assist with TDT4235: Programvarekvalitet og prosessforbedring, and supervise two fifth-year projects, one related to AIBO and one to Honeypots.

Activity next 6 months

Next semester I will give the remaining presentation in the course IT-emner and try to finish and publish the article on the process and the one on the “algorithm”, along with the article on security issues in FIPA agent systems, which I wrote during the course on distributed systems. The FIPA article is written in co-operation with Judith Rossebø, Telenor FoU, and John Ronan, TSSG, WIT, Ireland, and is part of the security work done in IST-2000-25187 TORRENT. I hope to more or less finish the background part of the thesis next semester and to be able to submit the article describing the work by Jan Jürjens and myself, on which we have been working for quite a while now.

Further, I hope to be able to run a first trial of the process and “algorithm” described in the two articles I'm currently working on during next semester. However, there is a lot of work that has to be done on the first version of the process and “algorithm” in order to arrange a trial.

The duty work next semester will be concentrated on supervising two (maybe three) diploma students, one on Honeypots and the other on AIBO (and the third on extending the CORAS platform).

In autumn 2004 I plan to go abroad for one semester and have started looking for interesting places to go. At the moment I have talked with Professor Dr. Eric Sharf at QMUL and will talk with Professor Dr. Robert France at the State University of Colorado and Professor Dr. David Basin at ETH, Zurich. At the moment Colorado State University seems like an interesting place, and Professor Dr. Robert France showed some interest in the work I presented at CSDUML’02 and CSDUML’03.

References

[1] Cooke, Roger M., "Experts in Uncertainty: Opinion and Subjective Probability in Science", Oxford University Press, ISBN: 0-19-506465, 1991.

[2] Maes, Pattie and Morris, Joan, "Sardine: An Agent-facilitated Airline Ticket Bidding System", MIT Media Laboratory, Cambridge, 2000.

[3] De Finetti, B., "Theory of Probability Volume 1", John Wiley & Sons, 1973.

[4] De Finetti, B., "Theory of Probability Volume 2", John Wiley & Sons, 1973.

Appendix

Description of PhD Thesis for Siv Hilde Houmb (August 2002 – August 2006)

Title: “Subjective expert judgment in security critical systems: Aggregating expert opinions with the help of agent technology”

Description

The main focus area of the PhD is subjective expert judgment in a security setting. Security in this case relates to breach of confidentiality, integrity, availability and non-repudiation to hardware, software or data. A security attack can be caused by accidental events, or malevolent activity performed by either insiders or outsiders.

The PhD work consists of four parts. Part one is related to modelling of subjective expert judgement, which is split into two sub-problems: 1a) models to collect subjective expert judgment and 1b) models to express subjective expert judgment. Part two relates to aggregating subjective expert judgments. The methodology used for this part will probably be based on weighting of experts, following work done at Delft University of Technology, Faculty of Information Technology and Systems, in the Netherlands [1]. Part three relates to using the available (objective) data in connection with the subjective expert judgment provided. The main issue here will be how the objective and the subjective data can coexist and complement each other to give a more precise description of the real world. Part four deals with the use of agents to negotiate between the experts involved (and the objective data?). The negotiation will be based on the results from part two, where the agents negotiate between the subjective expert judgments collected, based on the weighting algorithm developed in part two. The negotiation will be based on the idea behind slashdot.org, where experts within the information technology area publish articles. The articles are then rated according to a rating algorithm where experts rate other experts, which gives us a hierarchy of trust among the experts involved.
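The weighting of experts referred to in part two, and the Delft work cited as [1] in the motivation section, as an added illustration that is not part of the report or of the CORAS project: a small Python implementation of performance-based weighting in the style of Cooke's classical model, run on two hypothetical experts and constructed seed data. It assumes a three-quantile (5/50/95%) elicitation, a 10% intrinsic-range overshoot, a chi-square calibration test and a calibration cut-off alpha; these are choices made here, not details the report states.

```python
"""Cooke-style performance-based expert weighting ([1] in the report): experts give 5/50/95% quantiles
for seed variables with known values; calibration and informativeness set their weight on a target."""
import math
P = (0.05, 0.45, 0.45, 0.05)  # mass an expert puts in the four inter-quantile bins
OVERSHOOT = 0.10              # intrinsic-range extension used by the classical model

def intrinsic_range(quantile_sets, realization=None):
    """[lo, hi] spanning every stated quantile (and the realization, when known) plus overshoot."""
    vals = [v for qs in quantile_sets for v in qs] + ([] if realization is None else [realization])
    lo, hi = min(vals), max(vals)
    return lo - OVERSHOOT * (hi - lo), hi + OVERSHOOT * (hi - lo)

def calibration(seed_quantiles, realizations):
    """p-value of 'the realizations follow the expert's quantiles' (chi-square, 3 d.f.); 1 = calibrated."""
    n, counts = len(realizations), [0, 0, 0, 0]
    for (q5, q50, q95), r in zip(seed_quantiles, realizations):
        counts[0 if r < q5 else 1 if r < q50 else 2 if r < q95 else 3] += 1
    x = 2 * n * sum(c / n * math.log(c / n / p) for c, p in zip(counts, P) if c)
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2)

def information(quantiles, lo, hi):
    """Relative information of the expert's distribution w.r.t. the uniform on [lo, hi] (>= 0)."""
    k = [lo, *quantiles, hi]
    return sum(p * math.log(p * (hi - lo) / (k[i + 1] - k[i])) for i, p in enumerate(P))

def weights(experts, realizations, alpha=0.0):
    """Normalised weight = calibration * mean information, zeroed when calibration < alpha."""
    n, raw = len(realizations), {}
    ranges = [intrinsic_range([e[i] for e in experts.values()], r) for i, r in enumerate(realizations)]
    for name, qs in experts.items():
        cal = calibration(qs[:n], realizations)
        info = sum(information(qs[i], *ranges[i]) for i in range(n)) / n
        raw[name] = cal * info if cal >= alpha else 0.0
    total = sum(raw.values())
    return {name: w / total for name, w in raw.items()}

def cdf(quantiles, x, lo, hi):
    """Piecewise-linear CDF of the expert's distribution on [lo, hi], for lo <= x <= hi."""
    k, m = [lo, *quantiles, hi], [0.0, 0.05, 0.5, 0.95, 1.0]
    i = next(i for i in range(4) if x <= k[i + 1])
    return m[i] + (m[i + 1] - m[i]) * (x - k[i]) / (k[i + 1] - k[i])

def dm_quantile(experts, w, idx, q):
    """q-quantile of the weighted mixture of the experts' distributions for variable idx."""
    lo, hi = intrinsic_range([e[idx] for e in experts.values()])
    a, b = lo, hi
    for _ in range(60):  # bisection on the mixture CDF, which is monotone in x
        m = (a + b) / 2
        a, b = (m, b) if sum(w[n] * cdf(experts[n][idx], m, lo, hi) for n in experts) < q else (a, m)
    return (a + b) / 2

REALIZATIONS = [12, 6, 40]  # constructed true values of the three seed variables
EXPERTS = {                 # constructed (5%, 50%, 95%) estimates; the 4th entry is the unknown target
    "alice": [(5, 10, 20), (2, 7, 9), (20, 35, 60), (10, 30, 80)],    # wide but well calibrated
    "bob": [(11, 12, 13), (5, 6, 7), (20, 25, 30), (15, 20, 25)]}     # narrow and overconfident
```

With alpha = 0 the narrow, overconfident expert dominates the weights on informativeness alone; with alpha = 0.2 the cut-off removes that expert, which is the role the calibration cut-off plays in the classical model.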