
Systematic Analysis of Vulnerabilities and Synthesis of Security Attack Models for ATM Networks

  • Chapter
Principles of Secure Network Systems Design

Abstract

As complex systems, networks consist of a number of constituent elements that are geographically dispersed, are semiautonomous in nature, and interact with one another and with users, asynchronously. Given that the network design task is already intrinsically complex, it is natural for the traditional network designer to focus, in order to save time and effort, only on those principles and interactions, say D, that help accomplish the key design objectives of the network. The remainder of the interactions, say U, are viewed as “don’t cares” or passive, bearing no adverse impact under normal operating conditions. In reality, however, both internal and external stress may introduce abnormal operating conditions into the network under which the set U may begin to induce any number of unintended effects, even catastrophic failure. A secure network design must not only protect its internal components from obvious attacks from the external world, but, and this is equally important, resist internal attacks from two sources, foreign elements that successfully penetrate into the network and attack from within and one or more of the internal components that spin out of control and become potentially destructive. This chapter introduces the notion of network vulnerability analysis, conceptually organized into three phases. Phase I focuses on systematically examining every possible interaction from the perspective of its impact on the key design objectives of the network, and constitutes an indispensable element of secure network design. Given that the number of interactions in a typical real-world network is large, to render the effort tractable, phase I must be driven from a comprehensive and total understanding of the fundamental principles that define the network. Phase I is likely to yield a nonempty set of potential scenarios under which the network may become vulnerable.
In phase II, each of these weaknesses is selected, one at a time, and where possible, a corresponding attack model is synthesized. The purpose of the attack model is to manifest the vulnerability through an induced excitement and guide its effect at an observable output. The attack model assumes the form of a distinct executable code description, encapsulating the abnormal behavior of the network, and assumes an underlying executable code description that emulates the normal network behavior. In phase III, the attack models are simulated, one at a time, on an appropriate test bed, with two objectives. First, the simulation verifies the thinking underlying the attack model, i.e., whether the attack model succeeds in triggering the vulnerability and forcing its manifestation to be detected at an observable output. When the first objective is met, the simulation often reveals the impact of the attack model on network performance. Under the second objective, the extent of the impact is captured through an innovative metric design. The idea of vulnerability analysis closely resembles the techniques of fault simulation and test generation in the discipline of computer-aided design of integrated circuits (ICs). Under fault simulation, to detect the presence of faults in a manufactured IC, first a fault model is proposed, reflecting the type of suspected failures, and second, the IC is “fault simulated” to flush out as many of the internal faults as possible at the observable outputs.


Copyright information

© 2002 Springer Science+Business Media New York

About this chapter

Cite this chapter

Ghosh, S. (2002). Systematic Analysis of Vulnerabilities and Synthesis of Security Attack Models for ATM Networks. In: Principles of Secure Network Systems Design. Springer, New York, NY. https://doi.org/10.1007/978-1-4613-0029-8_6


  • DOI: https://doi.org/10.1007/978-1-4613-0029-8_6

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4612-6538-2

  • Online ISBN: 978-1-4613-0029-8

  • eBook Packages: Springer Book Archive
