Abstract
With the advance and globalization of information technologies such as big data and cloud computing, the potential risks arising from security vulnerabilities have been brought to the forefront. Considerable effort has been made to estimate the security risks posed by an unending cycle of disclosed vulnerabilities, in the form of threats or attacks, and to develop management strategies that mitigate these risks. On the other hand, reliability is often considered one of the most vital factors affecting the functioning of critical computing systems. Existing works on risk analysis have mostly focused on either security or reliability, but not both. In addition, the existing approaches for quantifying risks are mostly based on simple multiplications of frequencies and quantitative consequences of hazard occurrence, without considering dependencies among the hazards. In this dissertation research, an integrated framework is explored for simultaneously and systematically modeling and quantifying both the reliability and security risks of modern technological systems. Under the framework, we advance the state of the art in quantitative security risk assessment by modeling sequential cyber-attacks, where multiple sequence-dependent hazardous actions are performed to launch a successful attack. Continuous-time Markov chain (CTMC) and semi-Markov process (SMP) based methods are proposed to estimate the occurrence probability of a security risk for systems undergoing a sequential cyber-attack. While the CTMC-based method is limited to exponentially distributed state transition times, the proposed SMP-based approach is applicable to analyzing attacks with arbitrary types of transition time distributions. Both methods are illustrated using case studies in which Trojan attacks in a banking application are modeled and analyzed.
In this dissertation research, we make another contribution by modeling and analyzing the survivability and vulnerability of a cloud RAID (Redundant Array of Independent Disks) storage system subject to disk faults and cyber-attacks. Cloud RAID survivability is concerned with the system’s ability to function correctly even in the presence of hazardous behaviors, including disk failures and malicious attacks. Cloud RAID invulnerability is concerned with the system’s ability to function correctly while occupying a certain state immune to malicious attacks. A CTMC-based method is suggested to perform the time-dependent disk-level survivability and invulnerability analysis, and an SMP-based approach is implemented to analyze the steady-state disk survivability and invulnerability. Combinatorial methods are suggested for the cloud RAID system-level analysis, which can accommodate both homogeneous (based on combinatorics) and heterogeneous (based on multi-valued decision diagrams) disks. A detailed case study on a cloud RAID 5 system is conducted to illustrate the application of the proposed methods. The impacts of parameters modeling different attack, recovery and rescue behaviors on the disk and system survivability and invulnerability are also investigated.
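
To make the CTMC view of a sequential cyber-attack concrete, the following added example (not code from the dissertation) computes the probability that a chain of sequence-dependent attack steps has reached its absorbing "succeeded" state by time t. The state layout, the rates, the defender recovery transition and the use of uniformization as the numerical method are all assumptions chosen for illustration.

```python
import math

def sequential_attack_generator(attack_rates, recovery_rate):
    """Generator matrix Q: state 0 = secure, last state = attack succeeded (absorbing)."""
    n = len(attack_rates) + 1
    Q = [[0.0] * n for _ in range(n)]
    for i, rate in enumerate(attack_rates):
        Q[i][i + 1] = rate              # attacker completes step i+1 (exponential time)
        if i > 0:
            Q[i][0] = recovery_rate     # assumed defender action: reset to secure state
        Q[i][i] = -sum(Q[i])            # rows of a generator sum to zero
    return Q

def transient_distribution(Q, p0, t, eps=1e-12):
    """State probabilities at time t by uniformization (intended for moderate lam*t)."""
    n = len(Q)
    lam = max(-Q[i][i] for i in range(n)) or 1.0
    # Uniformized DTMC: P = I + Q / lam
    P = [[(i == j) + Q[i][j] / lam for j in range(n)] for i in range(n)]
    weight = math.exp(-lam * t)         # Poisson(lam*t) pmf at k = 0
    v, total, k = list(p0), weight, 0
    result = [weight * x for x in v]
    while 1.0 - total > eps and k < 100_000:
        k += 1
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
        weight *= lam * t / k           # next Poisson weight
        total += weight
        result = [r + weight * x for r, x in zip(result, v)]
    return result

def attack_success_probability(attack_rates, recovery_rate, t):
    """P(attack has succeeded by time t), starting from the secure state."""
    Q = sequential_attack_generator(attack_rates, recovery_rate)
    p0 = [1.0] + [0.0] * len(attack_rates)
    return transient_distribution(Q, p0, t)[-1]

if __name__ == "__main__":
    steps = [1.0, 2.0, 1.0]             # constructed rates per day for three attack steps
    for r in (0.0, 1.0, 3.0):
        p = attack_success_probability(steps, r, t=5.0)
        print(f"recovery rate {r}: P(success by day 5) = {p:.4f}")
```

With the recovery rate set to zero the model reduces to a hypoexponential time-to-compromise, which gives a closed form to check the numerical result against; raising the recovery rate shows how much a faster defender response lowers the risk over the same horizon.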