Resilience Requirements, Design, and Testing - October 2014

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Kevin Sullivan, Mladen Vouk, Ehab Al-Shaer
Researchers: Ashiq Rahman and Mohamed Alsaleh (UNCC), Anoosha Vangaveeti (NCSU), Chong Tang (UVA)

HARD PROBLEM(S) ADDRESSED

Characterization of attack-resiliency of software needs to be done  from its very inception because without such characterization attack resiliency is not properly testable or implementable.

• Resilient Architectures - vulnerability avoidance, evaluation and tolerance strategies and architectures.
• Security Metrics and Models - development of metrics and models for static and dynamic assessment of resilience of software.

PUBLICATIONS
Report papers written as a results of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

• Shweta Subramani, "A Study of Fedora Security Profile," M.S., NC State University, July 2014

ACCOMPLISHMENT HIGHLIGHTS

• Taxonomy of formal definitions and  metrics related to attack resilience
• New metric: We define attack resiliency as the ability of the system to maintian a sublinear growth in damage with the increasing attack resources/scale. The attack scale is measure of the magnitude of various attributes of the attack including the attack probability, intensity, extent,, distribution, severity, diversity (different types), etc. The potential damage (or risk) is estimated based on (1) the likelihood of successful attack, and (2) the attack impact on the system mission or requirements such as confidentiality, integrity and availability.