Investigation of a Markov Model for Computer System Security Threats

This work investigates a model of computer system security threats formulated in the language of Markov processes. In this model the operation of a computer system is considered as a sequence of failures and recoveries, which result from information security threats affecting the system. The model is described in detail: explicit analytical formulas for probabilities of computer system states at any time are derived, some extreme cases discussed, and the system’s long-run dynamics is analyzed. The dependence of a secure state probability (i.e. a state with no threats) on the probabilities of threats is investigated separately. In particular, it is shown that this dependence takes on essentially different forms for odd and even times. For example, in case of one threat the secure state probability shows non-monotonic dependence on the probability of threats at even times; this function admits at least one local minimum in its region of definition. The indicated feature is considered important because it allows identifying the most dangerous areas of threats where the secure state probability can be below the permissible level. Finally, an important characteristic of the model is introduced, i.e., the relaxation time, by means of which the permissible value range of the system’s protection parameters, is constructed.


INTRODUCTION
The significance of modeling to information security and protection is hard to overestimate.Apart from full-scale testing, which is very expensive and labor-intensive in application, the modeling technique remains almost the sole alternative to available approaches for studying modern secure computer systems.The development and use of relevant models in this field are also necessary for elaborating proper theoretical justification of protection tools and techniques used in designing and running real facilities.
The models formulated in the language of random Markov processes occupy a special niche in the range of available information security models.These models are used to solve an incredibly broad spectrum of applied tasks such as including cyber attack detection in computer networks [1][2][3], modeling computer virus spread [4], detection of intrusion into computer systems and networks [5,6], and optimizing secure information systems and making them more reliable [7,8].Another recent trend is increased interest in hidden Markov models applied in cryptography [9] and computer virology [10].
In the Markov models studied in papers [11][12][13][14] the computer systems that face information security threats are treated as systems with failures and recoveries.This approach to computer system security makes it possible to use an elaborate set of mathematical tools from the reliability theory: these tools have proven their worth in designing complex engineering systems [15,16].In particular, papers [11,12] propose the Markov model with a finite number of states that characterize the extent to which information security threats affect the computer system.The authors of these papers have conducted a preliminary investigation of the model, justified its correctness, and provided an interpretation of results obtained in this model.
This study provides a more in-depth analysis of the Markov model of information security threats proposed in [11,12].In addition to exploring the model's certain nontrivial features, we also discuss the possibility of applying it to enhancing operational reliability of computer systems and searching for optimal values of information security parameters.
The paper is structured as described below.
Section 1 provides a detailed description of the explored Markov model of information security threats.We provide explicit analytical equations for probabilities of computer system states at any time and, in particular, show that the secure (no-threat) state probability as a function of time is expressed as an additive combination of a monotonically decreasing and oscillating relation.This same section shows that the oscillatory component in the model dynamics can be neglected for long time ranges.
Section 2 is about investigating the dependence of the secure state probability on parameters that characterize information security threat probabilities.It is shown that this dependence is essentially different for odd and even time instants; in particular, in the case of one threat the secure state probability is a monotonically decreasing function of threat probability at odd times, while having at least one local minimum at even times.The indicated feature is critically important because tracking this feature will allow revealing the most dangerous regions of threats at which the probability of detecting the system in a secure state will be below the permissible level.
Section 3 is about applying the considered model of information security threats to searching for the permissible region of values of system protection parameters.Unlike the traditional approach that is accepted in the theory of reliability and consists in calculating the probability of the system's failsafe operation for a set period, our alternative approach relies on introducing the system "relaxation time."

DESCRIPTION OF THE MODEL
Let us consider a computer system (referred to hereafter as simply "system") affected by independent external threats with probabilities , , , : . Assuming that the simultaneous action of two or more threats is impossible and, moreover, the next threat can emerge only after the previous one is successfully countered.According to this, at each time the system is found in an state: , , , , or .When the system is found in secure state , no threat is actualized.State , where , is characterized by the influence of an threat.That said, the next moment of time offers two alternatives: either this threat will be eliminated with probability and the system will go back to , or the threat will put the system out of action with probability .In the latter case we shall assume that the system enters state .The state diagram of the model is given in Fig. 1.The dynamics of the considered system is a simple Markov chain with matrix of transition probabilities (1) where .
Let us use to denote the probability of the system being in state at time .This probability is defined via system state probabilities at time instant as (2) or as the following matrix where is the vector of system state probabilities at .Equation (3) can be used to record (4) where means degrees of matrix .Assuming that at the initial time the system was in , i.e., .It can be shown that in this case the probabilities of system states at any time can be expressed as Here, a positive value , which we will further call the model -parameter, is defined as (8) Let us prove the derived formulas by induction according to .At , Eqs. ( 5)-( 7) are checked directly.We assume that they hold for some .Using the explicit form of matrix (1) for components of vector we have Equation ( 9) can be rewritten using ( 5), (6), and (8) as Then, by virtue of (9), Eq. ( 11) is rewritten as taking into account of ( 5)-( 7) and identical relation , this expression can be written as q w q w q w q w p t q w w qr q w q w w Thus, if ( 5)-( 7) hold for some , they will also hold for .As a consequence, these equations are realized by induction for any .
The absence of protection in the system is characterized by setting , .Then, according to (8), we have , i.e., in this case coincides with the probability of zero actualization of any threat.Thus, the system state probability equation is recorded as (12) The limit expressions easily derived from these equations for system state probabilities at are: (13) Limit relations (13) will hold in general as well, when not all are zero.This is proven simply by making sure that quantities in round parentheses on the right part of Eq. ( 5) are always less than one in magnitude This follows from the fact that the quantities are the real roots of quadratic equation and belong to range by virtue of inequalities and .
It follows from the foregoing that, when quite a lot of time has passed, the system will most likely be found in state whereas the probability of finding it in other states will be negligibly small.That is why, will be treated as an "absorbing state" (however, this is easily seen on the state diagram in Fig. 1).
The strongest practical interest is raised by function , which denotes the probability of finding the system in a secure state at an arbitrary time .It follows from the foregoing that the indicated probability will decrease with an increase in ; as a general matter, however, this relation is not monotonic.This is easily evidenced by Eq. ( 5): is presented as the difference of the two terms in square parentheses: the first term is the monotonically decreasing function of , and the second term is oscillatory due to the negative value of .Actually, the rate of decrease and the oscillation magnitude of depend on the concrete values of model parameters and .The dependence on at two different values of and for are plotted in Fig. 2.
Since q 1 = 0.8, r 1 = 0.9 q 1 = 0.2, r 1 = 0.1 the second term in square parentheses in ( 5) is an infinitely small quantity of higher order than the first one.This means that the oscillation magnitude of rapidly decreases with an increase in and the approximate formula for large times is (14) The condition for the applicability of ( 14) is easy to evaluate.We assume that , then, the requirement is equivalent to following inequation (15) Thus, if the system is considered at times compliant with (15), approximate expression (14) differs from the true probability of by a value not more than .

SECURE STATE PROBABILITY AS A FUNCTION OF THREAT PROBABILITY
Now we shall investigate the dependence of secure state probability on threat probabilities , , .For this purpose, we shall, first of all, analyze a simpler case when the system is affected by one threat only: . Let denote the probability of this threat and the respective parameter of eliminating this threat.In this case the matrix of transition probabilities is written as (16) We assume further in the section that and .
It follows from ( 4) and ( 16) that is a polynomial in the variable q of degree .Thus (17) Using ( 5) for , it is easy to find the explicit form of coefficients as (18) Here denotes the binomial coefficient of for .In particular, the result obtained using ( 17) and ( 18) for the limit values of is written as 0 ( ) p 0 q q = .0 5 r = , , , 2 3 4 5 t (19) Note that the system behaves differently at for odd and even times: at odd times the probability of finding the system in a secure state is always zero, whereas a similar situation at even times differs from zero and monotonically decreases with the increase in t (remember that ).The indicated feature follows from the fact that at odd times the system fights against an emerging threat (i.e., runs in state ) and the efficiency of this fight depends on the value of .
Quantity written as (17) allows us to assume that the secure state probability for the system is generally not a monotonic function of threat probability .The examples provided in Fig. 3 include dependencies -at for four different times .It is seen that at even times, treated as a function of has explicit minimums, whereas at odd this function monotonically decreases in the interval .It seems that this dependency will hold for any , although a rigorous proof has yet to be found.Nevertheless, the existence of at least one local minimum for as a function of at even is easily proven by analysis.Finding the derivative of from ( 17), we have (20) At even the given polynomial will have at least one real root so that .Indeed, using ( 5) it is easily verified that Since function (20) has different signs at the ends of interval at even , the conclusion drawn by virtue of this function's continuity is that it is equal to zero at least in one point in interval .That said, the signs of derivative at and show that at least one of the indicated points delivers the local minimum of (17).Thus, at even times treated as a function of has at least one local minimum within .Returning to the general case of an arbitrary number of threats, we note that in a certain sense it comes down to the case of a single threat already considered.Indeed, according to ( 5) and ( 8), the secure state probability for the system affected by threats with probabilities will be the same as for a system with one threat with probability and protection parameter on condition that In particular, the equation polynomial in and is easily derived using ( 17) and ( 18) for probability : Quantity as a function of should be considered in convex region .Using (19), it is easy to see that the boundary conditions observed are: It should also be noted that, unlike a single-threat case, function at random has generally no local minimums inside the region.Nevertheless, it can have conditional extremums in this region.To study even for odd , , , , them is an important, though technically complicated task, the solution of which will be the subject of our subsequent studies.

RELAXATION TIME AND CONSTRUCTING THE PERMISSIBLE REGION
OF SECURITY PARAMETERS As was shown in Section 1, the probability of finding the system in a secure state after a long period will be close to zero.Considering that this result is inevitable, we can, nevertheless, investigate the conditions in which the system will be in a secure state as long as possible.It is natural to expect that these conditions will be confined to certain restrictions imposed on internal system parameters .Now we shall get down to strict formulations and consider system dynamics for times compliant with inequality (15); in this case, a result accurate to -order values is approximately found as (21) The aspect that will matter hereafter is that in the considered approximation, is a monotonically decreasing function of .Relaxation time will be the time in which the secure state probability for the system decreases twofold as compared with .The result immediately found using (21) from equation is Assume that is a fixed moment of time.Our immediate task will be to find values of security parameters at which .In other words, we shall be interested in the conditions in which the probability of finding the system in a secure state at time not exceeding is relatively high.
Using (22), let us rewtrite inequality as We shall consider this inequality as the restriction for system protection parameters ; since the latter are included only in the expression for w-parameter, it will be necessary to solve (23) for variable .It is easy to see that the respective solution is written as (24) where is the real root of equation ( 25) that belongs to range .
, , , The restriction for is found by substituting Eq. ( 8) for the parameter in (24) and recorded as , which we shall refer to as "permissible," in the value space of protection parameters.Thus, relaxation time will not be less than the fixed value of only for values of from the permissible region .
We shall now provide several examples of constructing the permissible region of protection parameters for systems with one and two threats, respectively.EXAMPLE 1.In case of one threat the system is characterized by two parameters, namely and .It follows from ( 26) and ( 27) that permissible region of protection parameter in section , where In this formula is the root of (25) that belongs to interval .The results of numerically modeling as a function of for three different values of are given in Fig. 4. It is seen that, with an increase in , this value tends asymptotically to 1 and thus reduces the permissible region of .EXAMPLE 2. Let us consider the system with two threats the probabilities of which are and .According to (26) and (27), the permissible region of security parameters is the convex region where is the root of (25) that belongs to interval . The examples plotted in Fig. 5 are the permissible regions at and for times .
2 0 45 q = , , 0 10 20 30 t In conclusion, we shall discuss the potential application of the results to choosing the optimal set of security parameter values.This problem plays a vital applied role, e.g., in designing and developing information protection systems [17,18].
The above described algorithm can help us reduce the set of potential protection parameter values to ; within this region, however, their choice is not limited anymore.To further specify the values of , we need additional conditions to confine the protection parameters region, e.g., to one specific point.The natural problem statement that guarantees the uniqueness of the respective solution is the task to find the minimum or maximum of a certain objective function considered in the region of : (28) where is for certain defined coefficients the interpretation of which (as well as of objective function ) depends on the optimization task being solved.In the simplest case the objective function can be chosen in a linear form according to variables Stated in this manner, searching for the minimum or maximum of target function (28) in convex region is a standard linear programming problem the solution of which is covered in several papers (see.e.g.[19]).

CONCLUSIONS
The model of information security threats that is described in terms of Markov processes has been considered.The model dynamics is presented as a sequence of computer system failures and recoveries that result from the action of random external threats.Explicit analytical formulas for the system state probabilities have been derived, some extreme cases have been discussed, and the system's long-term behavior has been analyzed.The dependence of the secure state probability for the system on the probability of threats has been investigated; in particular, it is shown that this dependence takes on essentially different forms for odd and even times.In addition, such a parameter as the relaxation time has been introduced and the algorithm of its construction presented; this is an important characteristic of the model, used to define the permissible value region of system security parameters.

Fig. 2 .
Fig. 2. Secure state probability as a function of at different values of and in case of one threat.

Fig. 3 .
Fig. 3. Secure state probability as a function of at and .

Fig. 4 .
Fig. 4. Value as a function of at .