Professional Documents
Culture Documents
1. Introduction
Software appears in almost every part of society. It plays a more and more important role in our daily life. Insecure
software could allow an intruder to take control over it [1]. Software system intrusion events usually make newspaper
headlines. They may cause inconveniences, economic damage and even loss of lives. When lives and fortunes depend on
software, assurance of its security becomes an issue of critical concern.
Security has been identified as a major stumbling block in the realization of highly trustworthy software systems. The
cost is much higher to repair the flaws found in the late phase of development than those found in the early phase. To reduce
development cost and effort, attempts to improve software security should be done as early as possible.
Modeling and quantitatively predicting software security in the software design phase provide the possibility to
investigate and compare different solutions to the target system before realization. Sensitivity analysis on parameters in
the model enables the identification of security bottlenecks.
Petri nets [2] are powerful formal models. They are based on strict mathematical theories. Petri nets are appropriate for
modeling and analyzing systems with parallelization, synchronization and confliction [3]. Many verification and analysis
methods have been developed around them and many mature analysis tools are available [4,5]. They provide convenience
for qualitative and quantitative analysis in the software design phase. A system modeled with Petri nets is easily extended.
They also provide visual and hierarchical modeling methodologies.
A Stochastic Petri Net (SPN) [6,7] is extended from a Petri net where each transition is associated with a random
variable. The variable is exponentially distributed, and expresses the delay from the beginning of enabling to the firing
∗ Corresponding author at: Department of Computer Science and Engineering, East China University of Science and Technology, Shanghai 200237, China.
Tel.: +86 21 64240659; fax: +86 21 64252984.
E-mail addresses: cnynh@163.com (N. Yang), yhq@ecust.edu.cn (H. Yu), ssssdc@163.com (Z. Qian), xj_sh@163.com (H. Sun).
0895-7177/$ – see front matter © 2011 Elsevier Ltd. All rights reserved.
doi:10.1016/j.mcm.2011.01.055
N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112 103
of the transition. The reachable graph of an SPN model is isomorphic to a homogeneous Markov Chain (MC). SPNs combine
the powers of PNs and Markov processes. This paper proposes a hierarchical approach to modeling and quantifying software
security properties based on SPN in the software design phase.
However, SPN and MC both suffer from the state-space explosion problem. The number of states increases exponentially
with an increase in the number of software components and the model will become analytically intractable due to state-
space explosion. Hierarchically modeling and quantifying methods are adopted to overcome the state-space explosion
problem in this paper.
The sensitivity of the influence factor in the quantitative prediction equation is discussed in this paper. The sensitivity
analysis results can be used to identify security bottlenecks and trace back to the vulnerability of the software system in
order to enhance security.
In this paper, each software component is modeled by an SPN. The reachable graph of the SPN model under special
initial marking can be obtained. From the reachable graph, the corresponding isomorphic MC can be extracted [7,8]. Using
the existing technique, the probability distribution in the steady state can be evaluated. The probability distribution in the
steady state is used for quantitative prediction of the resistance of the software system to intrusive action. The computed
result of each component is used to quantitatively predict the overall software security based on the software architecture
hierarchically. Sensitivity analysis is launched on each component security prediction equation. To identify the critical
components that influence the software security, sensitivity analysis can also be carried out on the high level of a software
system. Modeling and calculation methods for a single component have been presented in [9]. Based on the results in [9],
this paper proposes hierarchical modeling and prediction methods.
The rest of this paper is organized as follows. Section 2 introduces work related to this paper. Issues related to stochastic
Petri nets are presented in Section 3. Section 4 proposes a hierarchical software security modeling method based on SPN.
Section 5 proposes a quantitative security prediction method in the design phase. A sensitivity analysis method for the
security prediction equations is proposed in Section 6. A case study is provided in Section 7. Section 8 concludes this paper.
2. Related work
Quantitative analyses of software dependability and reliability have received great attention for several decades.
Architecture based software reliability analysis has been especially investigated by researchers, as surveyed by Gokhale [10].
In that literature, the architecture based techniques are classified into two categories, namely, path-based and state-based.
For accuracy and other reasons, state-based approaches are usually adopted [10]. Markov models have been adopted in most
previous state-based approaches [1,11–14].
Previous literature [1,11], which concerns modeling and quantifying software security properties, is based on Markov
models.
Some disadvantages are inevitable in using Markov models as modeling tools. First, Markov models lack the abilities to
represent parallelism, synchronization, confliction and preemption. Second, they support limited analysis capabilities. Last,
but not least, a system modeled by a Markov model is hard to extend. The Markov Chain structure changes greatly for even
a small change to the system design.
Generalized stochastic Petri nets (GSPNs) have been used for systems reliability modeling [15]. Petri nets eliminate a
major difficulty in the direct construction of MC models, that is, the state-space definition. Also, Petri nets retain much of the
character of the system, such as parallelism, synchronization, confliction and preemption. Furthermore, Petri nets enable
us to represent system activities in hierarchically graphical models. The states and activities of a Petri net are composed
respectively by local states and local activities. This property is critical for model extending and amending locally. Petri nets
are recommended to be appropriate state-based models for modeling and quantifying non-functional properties [10].
Sensitivity analysis provides an approach to analyzing the impact of the changes of different parameters. Gokhale
et al. [16] developed equations to analyze the sensitivity of the performance and reliability to the changes in the parameters
of individual modules. Lo et al. [17] propose a sensitivity analysis method to cope with the problem in getting accurate
values for dynamic properties of the system and the insufficiency of the failure data.
Our previous work [9] proposes modeling, quantifying and sensitivity analysis methods for a single component in a
software system based on SPN. Methods for a software system which consists of multi components hierarchically are not
proposed in that paper. Hierarchical methods in this paper can not only mitigate the state-space explosion problem, but
also reduce the number of calculations.
A Petri net is a 5-tuple [2], PN = (P , T , F , W , M0 ). P is a finite set of places (drawn as circles). T is a finite set of transitions
(drawn as rectangles). F is a set of arcs. An arc connects a transition to a place or a place to a transition. W : F → {1, 2, . . .}
is a set of weight functions. M0 : P → {1, 2, . . .} is the initial marking. P T = φ and P T ̸= φ .
A transition is enabled if and only if each of its input places contains at least one token. The firing of a transition removes
one token from each input place and places one token in each output place.
Stochastic Petri nets are timed transition Petri nets [8] with atomic firing and a negative exponentially distributed random
variable for every transition. The variable indicates corresponding transition delays for firing from the beginning of enabling
104 N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112
to the actual firing. The marking sequence obtained from a transition firing sequence is isomorphic to a continuous time
Markov chain.
An SPN model is a 6-tuple, SPN = (P , T , F , W , M0 , λ), where P , T , F , W and M0 have the same meanings as those of a
traditional Petri net [2], λ = {λ1 , λ2 , . . . , λ|T | } is a set of average firing rates of transitions.
Each transition ti is associated with a random firing delay whose probability density function is a negative exponential
with rate λi . τi = 1/λi is the average firing delay of the transition ti .
Suppose that every software component contains vulnerabilities which can be compromised. The failed component can
be repaired using some techniques. A software system consists of several such components hierarchically in sequence,
parallel, loop or select styles.
This section firstly gives a component security modeling method based on SPN, which was proposed in [9]. Then, the
component models’ composing methods for sequence, parallel, loop and selection styles are proposed respectively.
Probability density functions for normal execution, attack and repair action in a component are negative exponential
with rates λi1 , λi2 and λi3 respectively.
Fig. 1, referenced from [9], demonstrates a simple model of a component represented by SPN. For description
convenience, ci is used to represent the model. The transition tie represents the normal behavior of the component. Its
execution rate is λi1 . An attack on the component by an intruder is represented by the transition tia . The attack rate is λi2 .
f
A token appearing in the place pi , called the failure place (FP), denotes that the component ci has been compromised. After
being compromised, a recovery action should be taken, such as rebooting. The transition tir represents the recovery action
after being compromised. The rate of the exponential distribution associated with the firing of transition tir is λ3i . A token
appearing in the place psi , called the success place (SP), indicates that the component has been executed successfully. The
places pbi and psi are input and output places of the component respectively.
The model in Fig. 1 can be used to quantitatively evaluate a component’s security and analyze the sensitivities to influence
from λi1 , λi2 and λi3 .
In a sequence model, components are executed in a sequential manner. Only a single component is executed at any
instant of time. The control is transferred to its successor upon the completion of a component. Fig. 2 shows an example of
components composed in sequence style.
N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112 105
A parallel model is usually used in a concurrent execution environment, in which a set of components are executed
concurrently to improve performance. An example of this model is depicted in Fig. 3.
Suppose that the probability of successful intrusion by an intruder in a component i is βi . So the probability of successful
intrusion of a composed system, consisting of n components, is maxni=1 (βi ). The probability of successful execution in a
parallel model composed by n components is 1 − maxni=1 (βi ).
A loop model is used in an iterative execution environment, in which a component is executed iteratively for some times.
An example of this model is depicted in Fig. 4.
The transition tloop in Fig. 4 activates the iterated component. The transition te causes the loop to stop. Suppose that the
probability of a successful intrusion by an∏ intruder in the iterative component is β . The probability of successful execution
in a loop model, with n times iteration, is i=1 (1 − β).
n
In a selection model, components are executed in a conflict manner. Only one component can be executed according to
the selection condition. The probability of a system successfully executing in a selection model is equal to that of the selected
component.
106 N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112
The Successfully Attacked Probability (SAP) by an intruder in the steady state is used as the security metric. The SAP is
the result of adding the probability of states which include tokens in failure places in the steady state. The higher the SAP,
the greater the probability the software system can be compromised.
Quantifying the SAP on a component consists of following three steps.
(1) Construct an isomorphic MC from the SPN model;
(2) Evaluate the SPN steady state probability distribution based on the MC;
(3) Evaluate the SAP based on the steady state probability distribution of the SPN model.
A quantitative security prediction method for a single component has been proposed in [9]. Based on the quantitative
security prediction values for components, the prediction evaluation for a software system can be calculated hierarchically
according to the model styles in Section 4.
Due to the memoryless property of the exponential distribution of firing delays, SPN models are isomorphic to Continuous
Time Markov Chains (CTMCs). In particular, a bounded SPN model is isomorphic to a finite CTMC.
The method in [8] is used to evaluate the steady state probability distribution of reachable states. The reasoning processes
of the results are omitted.
Suppose that there is an MC, which is isomorphic to the SPN model of a component and contains n states. Q = [qij ], 1 ≤
i, j ≤ n, represents a states transition matrix. qij is defined in Eq. (1).
λij
i ̸= j and there exists an arc from i to j
k
qij = (1)
−
−
λij there are k arcs depart from i.
j =1
Y = (P (S1 ), P (S2 ), . . . , P (Sr )) represents a row vector of the probability distribution of steady states. According to Eq.
(1), we can get Eq. (2).
YQ =0
n
(2)
−
P (Si ) = 1.
i=1
Thus, the value of P (Si ), i = 1, 2, . . . , n is determined. Moreover, P (Mi ) can be obtained, based on P (Si ).
The method of evaluating compromised probability for a single component has appeared in [9]. A failure place in an
SPN model is represented as pfr , r = 1, 2, . . . , k. Thus, the SAP can be evaluated by Eq. (3) after finding the probability
distribution of the steady state.
n −
− k
SAP = P [Mj (pfr ) ≥ 1]. (3)
j =1 r =1
P [M (pfr ) ≥ 1] represents the probability that the place pfr has more than one token in the steady state M.
The probability equation, shown in Eq. (4), represents the tolerance capability towards attacks on a component.
n −
− k
TP = 1 − SAP = 1 − P [Mj (pfr ) ≥ 1]. (4)
j=1 r =1
The states and activities of a Petri net are localized. So security evaluation for a software system can be calculated
hierarchically according to model styles.
Compromising any component in sequence style means a compromise of the entire software system. All the components
must execute without compromise for a successful execution of the entire software system. So the tolerance probability for
attacks on a software system, consisting of n components in a sequence style, can be written as Eq. (5).
n
∏
TPi . (5)
i=1
N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112 107
The compromise probability of software consisting of a parallel style is determined by the component which has the
greatest probability of being compromised. The tolerance probability for attacks on a software system, consisting of n
components in a parallel style, can be written as Eq. (6).
n
1 − max (SAPi ). (6)
i=1
A software system, realized by looping a component n times, will fail when any loop cycle is compromised. The tolerance
probability for attacks on a software system, realized by looping a component n times, can be written as Eq. (7).
n
∏
TP . (7)
i =1
The tolerance probability for attacks on a software system, consisting of n components in a selection style, is equal to
that of the selected component.
6. Sensitivity analysis
Sensitivity analysis can be used to identify performance, dependability and security bottlenecks and trace back to the
vulnerabilities. So it is useful for software optimization in the early design phase [16]. Some model parameters are difficult
to ascertain in the design phase. Sensitivity analysis can predict the influence on the quantitative analysis results from
changes in different parameters.
Effects on the security metric from changes in timed transition rates are discussed.
λi , i = 1, 2, . . . , |Tt |, is a variable in Eq. (3). Eq. (3) can be rewritten as Eq. (8).
n −
− k
SAP(λ1 , . . . , λi , . . . , λ|Tt | ) = P [Mj (pfr ) ≥ 1]. (8)
j =1 r =1
The effect from a change in the transition rate λi is evaluated by calculating the derivative to the security evaluation
prediction in Eq. (8). Eq. (9) is the derivative result to Eq. (8).
n ∑ k
P [Mj (pfr )] ≥ 1
∑
d
d(SAP(λ1 , . . . , λ|Tt | ))
j =1 r =1
.
= (9)
dλi
dλ i
Eq. (9) is the sensitivity formula for quantitative security prediction in a single component. The equation has been
proposed in [9]. It shows the impact of a change in λi on the quantitative security prediction.
The sensitivity analysis equation is also applied to whole software systems which are composed of different components
in sequence, parallel, loop or selection styles. The effect of a change in a transition rate λ of a model with sequence, parallel
and loop style can be represented as Eqs. (10)–(12). The variable n in Eqs. (10) and (11) represents the component number
within a sequence or parallel style model. The variable n in Eq. (12) represents the loop number of the component in a loop
style model.
∏ n
d TPi
i=1
(10)
dλ
d(1 − maxni=1 (SAPi ))
(11)
dλ
n
∏
d TP
i=1
.
(12)
dλ
The security sensitivity of a system model in a selection style to the change on a transition rate λ is equal to that of the
selected component.
108 N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112
Table 1
Reachable markings of the case in Fig. 5.
Marking p1 p2 p3
M1 1 0 0
M2 0 1 0
M3 0 0 1
7. Case study
This section presents a case study to show the applicability and feasibility of our method. The study for security modeling
and prediction evaluation of a single component is illustrated first. The evaluation for a software system consists of different
components in different styles and is hierarchically calculated based on the result of each single component.
There is a critical software component which may be compromised. A recovery mechanism is used to resume it when it
is compromised.
d(SAP) λ3 λ24 + λ1 λ3 λ4
dλ = (λ λ + λ λ + λ λ )2 (16)
2 3 4 2 4 1 3
d(SAP) λ2 λ4 (λ1 + λ4 )
dλ = (λ λ + λ λ + λ λ )2 . (17)
3 3 4 2 4 1 3
When the value of λi , i = 1, 2, 3, 4, is assigned, the sensitivity caused by them can be calculated by Eqs. (15)–(17).
The transition t4 is used for the facility of the steady state computation. The time cost for its execution is very short. So
the value for λ4 is very large. Suppose that λ4 equals to 1,000,000.
Let λ3 = 6, 10 ≤ λ1 ≤ 30 and 1 ≤ λ2 ≤ 10. Fig. 8 shows the probability distribution of SAP for different normal
execution and attack rates. It shows that the probability of the component being in the compromised state increases with
an increasing attack efficiency in the steady state.
To show the relationship between λ1 and SAP clearly, let λ2 = 5 and λ4 = 10, 000. Fig. 9 shows that SAP decreases with
increasing λ1 . It means that the faster a component is normally executed, the less probability it can be successfully intruded.
Suppose that λ1 = 15. Let 0 ≤ λ2 ≤ 10 and 0 ≤ λ3 ≤ 15. Fig. 10 shows that the probability of the component being
in the compromised state in steady state decreases with an increased resuming rate λ3 . It increases rapidly with increasing
attack rate λ2 .
Slopes of curves in Figs. 8–10 represent sensitivities for different parameters.
A complicated software system may consist of different components in sequence, parallel, loop or selection style. We
illustrate a sequence style model, which consists of two components, to show how a security prediction evaluation can be
calculated.
To evaluate the security prediction in Fig. 2, we have get the values of SAP for the two base components, i.e. SAP1 =
λ12 λ4 λ λ
λ13 λ4 +λ12 λ4 +λ11 λ13
and SAP2 = λ λ +λ 22λ 4+λ λ . As indicated in the previous section, λ4 = 1, 000, 000. The probability for
23 4 22 4 21 13
successful execution of the software system is (1 − SAP1 )(1 − SAP2 ) = ((λ13 λ4 +λ11 λ13 )/(λ13 λ4 +λ11 λ13 +λ12 λ4 ))((λ23 λ4 +
λ21 λ23 )/(λ23 λ4 + λ21 λ23 + λ22 λ4 )).
Fig. 11 shows the probability of successful execution of the composed software system influenced by the attack rates on
two different components.
110 N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112
Fig. 8. Relationship between normal execution rate λ1 , attack rate λ2 and SAP.
Fig. 10. Relationship between the attack rate λ2 , resume rate λ3 and SAP.
8. Conclusion
This paper proposes a hierarchical method to model and quantitatively predict software security based on stochastic Petri
nets. A sensitivity analysis method is proposed by evaluating the derivative of the security evaluation prediction equation.
N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112 111
0.8
0.6
Successful rate
0.4
0.2
0
20
15 20
10 15
10
λ22 5
5 λ12
0 0
Fig. 11. Relationship between successful execution rate and the components’ attack rates (λ12 and λ22 ).
Acknowledgements
This work was supported by the NSF of China under grants No. 60773094 and 60473055, Shanghai Shuguang Program
under grant No. 07SG32.
References
[1] V.S. Sharma, K.S. Trivedi, Quantifying software performancee, reliability and security: an architecture-based approach, Journal of Systems and Software
80 (4) (2007) 493–509.
[2] T. Murata, Petri nets: properties, analysis and applications, Proceedings of the IEEE 77 (4) (1989) 541–580.
[3] N. Yang, H. Yu, H. Sun, Z. Qian, Modeling UML sequence diagrams using extended Petri nets, in: International Conference on Information Science and
Applications, ICISA2010, IEEE Computer Society, 2010, pp. 596–603.
[4] A.V. Ratzer, L. Wells, H.M. Lassen, M. Laursen, J.F. Qvortrup, M.S. Stissing, M. Westergaard, S. Christensen, K. Jensen, CPN tools for editing, simulating,
and analysing coloured Petri nets, in: 24th International Conference on Applications and Theory of Petri Nets, ICATPN 2003, in: Lecture Notes in
Computer Science, vol. 2679, Springer, Berlin, Heidelberg, 2003, pp. 450–462.
[5] S. Baarir, M. Beccuti, D. Cerotti, M.D. Pierro, S. Donatelli, G. Franceschinis, The great SPN tool: recent enhancements, ACM SIGMETRICS Performance
Evaluation Review 36 (4) (2009) 4–9.
[6] M.K. Molloy, On the integration of delay and throughput measures in distributed processing models, Ph.D. thesis, University of California, Los Angeles,
1981.
[7] G. Florin, C. Fraize, S. Natkin, Stochastic Petri nets: properties, applications and tools, Microelectronics and Reliability 31 (4) (1991) 669–697.
[8] G. Balbo, Introduction to stochastic Petri nets, in: First EEF/Euro Summer School on Trends in Computer Science: Lectures on Formal Methods and
PerformanceAnalysis, in: Lecture Notes in Computer Science, vol. 2090, Springer, Berlin, Heidelberg, 2000, pp. 84–155.
[9] N. Yang, H. Yu, H. Sun, Z. Qian, Quantifying software security based on stochastic Petri nets, Journal of Computational Information Systems 6 (9) (2010)
3049–3056.
[10] S.S. Gokhale, Architecture-based software reliability analysis: overview and limitations, IEEE Transactions on Dependable and Secure Computing 4
(1) (2007) 32–40.
[11] B.B. Madan, K. Goseva-Popstojanova, K. Vaidyanathan, K.S. Trivedi, A method for modeling and quantifying the security attributes of intrusion tolerant
systems, Performance Evaluation 56 (1–4) (2004) 167–186.
112 N. Yang et al. / Mathematical and Computer Modelling 55 (2012) 102–112
[12] W.-L. Wang, D. Pan, M.-H. Chen, Architecture-based software reliability modeling, Journal of Systems and Software 79 (1) (2006) 132–146.
[13] M. de Miguel, J. Briones, J. Silva, A. Alonso, Integration of safety analysis in model-driven software development, IET Software 2 (3) (2008) 260–280.
[14] E. Böde, M. Herbstritt, H. Hermanns, S. Johr, T. Peikenkamp, R. Pulungan, J. Rakow, R. Wimmer, B. Becker, Compositional dependability evaluation for
statemate, IEEE Transactions on Software Engineering 35 (2) (2009) 274–292.
[15] H.H. Ammar, Y.F. Huang, R.-W. Liu, Hierarchical models for systems reliability, maintainability, and availability, IEEE Transactions on Circuits and
Systems 34 (6) (1987) 629–638.
[16] S.S. Gokhale, K.S. Trivedi, Reliability prediction and sensitivity analysis based on software architecture, in: 13th International Symposium on Software
Reliability Engineering, ISSRE 2002, IEEE Computer Society, 2002, pp. 64–75.
[17] J.-H. Lo, C.-Y. Huang, I.-Y. Chen, S.-Y. Kuo, M.R. Lyu, Reliability assessment and sensitivity analysis of software reliability growth modeling based on
software module structure, Journal of Systems and Software 76 (1) (2005) 3–13.