Formal approach on modeling and predicting of software system security: Stochastic petri net

To evaluate and predict the security of component-based software, this paper proposes a two-dimensional model of software security based on Stochastic Petri Nets (SPN). Software security is modeled using the graphical representation of Petri nets, and the quantitative prediction is obtained from the evaluation capability of SPN and the computing power of Markov chains. Each vulnerable component is modeled by an SPN together with two parameters: its Successful Attack Probability (SAP) and its Vulnerability Volume relative to the other components. The second parameter, the second dimension of the security evaluation, is a metric added to the model to improve the accuracy of the predicted system security. An isomorphic Markov chain (MC) is derived from the corresponding SPN model, and the security prediction is computed from the steady-state probability distribution of the MC. To identify and trace back to the critical points of system security, a sensitivity analysis is performed by differentiating the security prediction equation. This makes it possible to investigate and compare different solutions for the target system during the design phase.


Introduction
Security has been identified as a major stumbling block in the realization of highly trustworthy software systems [1]. Modeling and predicting software security in the design phase makes it possible to investigate and compare different solutions for the target system. Petri Net is a formal method grounded in mathematical theory and is useful for modeling and analyzing systems with parallelism, synchronization and conflict [2,3,4]. A Stochastic Petri Net (SPN) extends a Petri Net by associating each transition with a random variable (its firing rate). SPNs combine the strengths of Petri Nets and Markov chain processes. In this paper, an advanced approach is proposed for modeling and predicting software security with SPN in the design phase. The vulnerability volume of each component relative to the other components is a new parameter added to SPN-based security modeling; as a result, the accuracy of the predicted software system security improves. After modeling the system security with an SPN, the reachability graph is obtained from the SPN, the Markov chain corresponding to the reachability graph is extracted, and the Markov chain is solved. Finally, sensitivity analysis is carried out on the prediction equation of each component. The results of the sensitivity analysis can be used to identify security bottlenecks and trace back to vulnerability points. This paper is organized as follows: Section 2 discusses related work. Section 3 presents issues related to stochastic Petri Nets. Security modeling based on SPN is introduced in section 4. In section 5, an advanced approach to modeling software security with SPN is presented. Sensitivity analysis of the software security model is proposed in section 6. A case study is provided in section 7. Section 8 concludes the paper.

Related works
Reliability and security analysis has received much attention over the past decades. There have been some attempts to quantify the security of software systems by means of Tiger Team penetration practices, in which a group of experts sit together and try to break in by exploiting any weakness the system might possess. However, this practice depends on the particular people who make up the Tiger Team and is therefore non-reproducible [5]. Other approaches focus on the process followed while the software is being developed in order to assess the security of the final product [5]; one example is the Systems Security Engineering Capability Maturity Model (SSE-CMM). However, judging whether software is secure by evaluating its development process has not found much popularity, because even after following best practices some weakness may remain in the final product that will not be uncovered until it is rigorously tested for vulnerabilities. To improve the trustworthiness of software designs, a formal threat-driven approach has been presented that makes the behavior of security threats explicit as the mediator between security goals and the application of security features; security threats were modeled through Petri-net-based aspects [6]. Architecture-based software reliability analysis has been investigated extensively, as surveyed by Gokhale [7], where the architecture-based techniques are classified into path-based and state-based categories; for accuracy and other reasons, state-based approaches are usually adopted [7]. Markov models have been used in most previous state-based approaches [1,5,8,9,10], but they have inevitable disadvantages as modeling tools. First, Markov models cannot represent parallelism, synchronization, conflict and preemption. Second, they support limited analysis capabilities. Last but not least, a system modeled by a Markov model is hard to extend: the Markov chain structure changes greatly for even a small change to the system design [1]. More recently, Stochastic Petri Nets have been used for system reliability modeling [11]. They eliminate the difficulty of constructing the Markov chain by hand, and Petri nets retain much of the character of the system, such as parallelism, synchronization, conflict and preemption. Furthermore, Petri nets allow system activities to be presented as hierarchical graphical models, so they are recommended as appropriate state-based models for modeling and quantifying non-functional properties [12]. Sensitivity analysis provides a way to investigate the influence of changes in different parameters. Gokhale et al. [13] developed an equation to analyze the sensitivity of reliability. Yang et al. [14] introduced the modeling, prediction and sensitivity analysis of a single component, and Nianhua et al. [1] proposed the combination of components in sequence, parallel, loop and selection styles. This paper develops the modeling and prediction of software system security with SPN and improves the accuracy of software security prediction.

doi:10.5829/idosi.JAIDM.2015.03.01.08

Security modeling based on SPN
Suppose that in a component-based system each software component contains a vulnerability that can be compromised, and that a compromise (failure) can be repaired by some recovery technique. A vulnerability is a potential weakness that can be compromised. A component security modeling method based on SPN is proposed in [14]. A software system may contain combinations of such components in sequence, parallel, loop or selection styles; security modeling and prediction of a system built from these combination styles was proposed in [1].

Advanced approach to software security modeling based on SPN
The only parameter of the software security modeling and prediction proposed in [1] is the successful attack probability of each component, whereas other parameters can also be effective in the quantitative prediction of software security. Two components with the same successful attack probability may have different vulnerability levels over the whole system; this issue is not considered in the method proposed by [1]. The vulnerability volume of a component over the whole software system is such an ignored parameter. Its effect is most obvious in the sequence and parallel styles of components. The vulnerability measure of a component depends on the type of software system. The software security prediction equations therefore have to be rewritten with this variable added. In this approach, we add the vulnerability volume of a component relative to the other components; that is, it must be determined how much each component influences the security of the whole software system. To calculate the system's tolerance, the successful attack probability of a component is multiplied by the ratio of its contribution to the system security.

In the SPN model of a single component, one place is the start place. A token appearing in the compromised place denotes that component i has been compromised, so a recovery action should be taken, such as rebooting. The transition t3 represents the recovery action with rate λ3, and transition t1 indicates successful execution of the component.

Sequence components model based on SPN
In a sequence model, components are executed one after another: only a single component is executing at any instant. Figure 2 shows two components in sequence. The probability of a successful attack in a sequence model composed of n components is given in (1), in which the successful attack probability of component i appears together with the new parameter added to the modeling, the vulnerability volume of component i over the whole system. The probability of successful execution without compromise in a sequence model composed of n components is given in (2).

Parallel components model based on SPN
A parallel model is usually used in a concurrent execution environment to improve performance. An example of this model is depicted in figure 3. The probability of a successful attack in a parallel model composed of n components is given in (3), and the probability of successful execution without compromise in a parallel model composed of n components is given in (4).

Loop component model based on SPN
A loop model is used in an iterative execution environment, in which a component is executed repeatedly a number of times. Figure 4 shows an example of this model; the transition in figure 4 activates the iterated component. The probability of a successful attack in a loop model is given in (5), and the probability of successful execution without compromise in a loop model is given in (6).

Selection component model based on SPN
In a selection model, components are in conflict: only one of them is executed, according to the selection condition. The probability that the system is successfully compromised or successfully executed in a selection model equals that of the selected component. If component i is selected, the probability of a successful attack on the system is calculated by (7), and the probability of successful execution without compromise in a selection model is given in (8).

Software security prediction evaluation
In [1,14], the probability of a successful attack by an intruder on the software system in the steady state is used as the security metric. SAP is computed by summing the probabilities of the system states that contain at least one token in a failure place. The higher the SAP, the greater the probability that the software system can be compromised [1]. The method in [14] is used to evaluate the steady-state probability distribution over the reachable states, and the method of evaluating the compromised probability for a single component also appeared in [14]. Failure places in an SPN model are indexed r = 1, 2, ..., k. Thus the SAP can be evaluated as in (9), where the sum ranges over the steady-state probabilities of the markings in which a failure place contains at least one token. The tolerance capacity of a component against attack is then given by (10).
With these results we can compute the security of a hierarchical software system.

Sensitivity analysis
Sensitivity analysis is useful for software optimization in the early design phase [8]. Some model parameters are difficult to determine in the design phase, and sensitivity analysis makes it possible to investigate the effect of parameter changes on the quantitative analysis results. The sensitivity of the successful attack probability is obtained by differentiating it with respect to these variables [1], as in (11).
Equation (11) gives the sensitivity analysis of the security prediction for one component. For the parameter added to the model, the sensitivity is computed in the same way by differentiating with respect to the new parameter, giving (12).

Case study
To evaluate the new approach, the security modeling and prediction of a single component is illustrated first; the evaluation of a software system composed of different components in different styles and at different hierarchical levels can then be calculated from the results of the single components. Figure 5 shows a single security-critical software component modeled as an SPN. The transition t2 represents an intrusion into the component, and the resume (recovery) action is shown by transition t3. A token in place 2 represents the compromised state caused by an intrusion. Transition t1 shows a successful execution of the component. To evaluate the prediction values with MC techniques, the auxiliary transition t4 is added.

Extracting reachable graph
The reachable markings obtained from figure 5 are shown in table 1.

Table 1. Reachable markings obtained from figure 5.

The reachability graph (figure 6) is built from the reachable markings and is isomorphic to the SPN model. The Markov chain in figure 7, isomorphic to the SPN model, is equivalent to the reachability graph of figure 6.

Evaluating security prediction
The generator matrix Q of the Markov chain is given in (13). Suppose that Y = (P(M1), P(M2), P(M3)); then we obtain (14), and the resulting steady-state probability distribution is shown in (15). By adding the vulnerability volume of the component over the whole software system, namely μ, (16) is rewritten as (17). Because in a software system with a single component the vulnerability volume over the whole system, μ, is equal to 1, only the impact of changes in t1, t2 and t3 on the SAP is considered, giving the following. Once the values of λi, i = 1, 2, 3, 4, are assigned, the sensitivities caused by them can be calculated by (19)-(22).

The transition t4 is used only to facilitate the steady-state computation; its execution time is very short, so the value of λ4 is very large. Suppose that λ4 equals 1,000,000. Let λ3 = 6, 10 ≤ λ1 ≤ 30 and 1 ≤ λ2 ≤ 10. Figure 8 shows the probability distribution of the SAP for different normal execution and attack rates. It shows that the probability of the

Suppose that λ1 = 15. Let 0 ≤ λ2 ≤ 10 and 0 ≤ λ3 ≤ 15. Figure 9 shows that the probability of the component being in the compromised state in the steady state decreases as the resume rate λ3 increases, and increases rapidly as the attack rate λ2 increases.

Although the accuracy improvement obtained by the advanced modeling and prediction of software security with the new parameter is evident, it is difficult to express the improvement of the new method quantitatively; however, as noted above, the new approach evaluates software system security from a dimension that was ignored in the previous approach. The two approaches are compared in table 2.
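As an added worked example (not code or equations from the original paper), the following Python script carries out the steady-state and sensitivity computation of this case study numerically, covering both the SAP evaluation of this section and the sensitivity analysis of the previous section. It assumes the net topology implied by the text: t1 (rate λ1) moves the token from the start place to an end place, t2 (rate λ2) moves it to the compromised place 2, t3 (rate λ3) returns it from place 2 to the start place, and the auxiliary t4 (rate λ4) returns it from the end place to the start place. The state ordering follows Y = (P(M1), P(M2), P(M3)) from (14). The generator-matrix construction, the hand-solved closed form used as a cross-check, and the finite-difference sensitivities are the example's own, not equations quoted from the paper.

```python
"""Steady-state SAP and sensitivities for the single-component SPN of the case study.

Added example; the net topology and the closed form are assumptions (see lead-in).
"""
from typing import List, Sequence

# State ordering assumed to match Y = (P(M1), P(M2), P(M3)):
#   M1: token in the start place, M2: token in the compromised place 2,
#   M3: token in the end place, waiting for the auxiliary transition t4 to fire.
M1, M2, M3 = 0, 1, 2


def generator_matrix(l1: float, l2: float, l3: float, l4: float) -> List[List[float]]:
    """Infinitesimal generator Q of the isomorphic Markov chain (assumed topology).

    t1 (λ1): M1 -> M3  successful execution
    t2 (λ2): M1 -> M2  intrusion
    t3 (λ3): M2 -> M1  resume / recovery
    t4 (λ4): M3 -> M1  auxiliary transition that makes the chain ergodic
    """
    q = [[0.0] * 3 for _ in range(3)]
    q[M1][M2] = l2
    q[M1][M3] = l1
    q[M2][M1] = l3
    q[M3][M1] = l4
    for i in range(3):  # rows of a generator sum to zero
        q[i][i] = -sum(q[i][j] for j in range(3) if j != i)
    return q


def steady_state(q: List[List[float]]) -> List[float]:
    """Solve pi·Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination (no numpy needed)."""
    n = len(q)
    # For each column i: sum_j pi_j Q[j][i] = 0, i.e. the system matrix is Q^T.
    # One of those rows is redundant (rank n-1), so the last is replaced by normalization.
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    a[n - 1] = [1.0] * n + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))  # partial pivoting
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        if abs(p) < 1e-15:
            raise ValueError("generator has no unique steady state")
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col] / p
                for c in range(col, n + 1):
                    a[r][c] -= f * a[col][c]
    return [a[i][n] / a[i][i] for i in range(n)]


def sap(l1: float, l2: float, l3: float, l4: float, mu: float = 1.0) -> float:
    """Successful attack probability: steady-state probability of the compromised
    marking M2, scaled by the vulnerability volume mu (mu = 1 for a single component)."""
    return mu * steady_state(generator_matrix(l1, l2, l3, l4))[M2]


def sap_closed_form(l1: float, l2: float, l3: float, l4: float) -> float:
    """Hand-solved steady state of the same chain, used to cross-check the solver.
    For large λ4 this tends to λ2 / (λ2 + λ3)."""
    return l2 * l4 / (l3 * l4 + l2 * l4 + l1 * l3)


def sensitivity(rates: Sequence[float], index: int, mu: float = 1.0, h: float = 1e-6) -> float:
    """dSAP/dλ_index by central difference; index 0..3 selects λ1..λ4."""
    up = list(rates)
    up[index] += h
    dn = list(rates)
    dn[index] -= h
    return (sap(*up, mu=mu) - sap(*dn, mu=mu)) / (2 * h)


def sensitivity_mu(rates: Sequence[float]) -> float:
    """dSAP/dμ: the system-level SAP is μ·P(M2), so its derivative in μ is P(M2) itself."""
    return sap(*rates, mu=1.0)


if __name__ == "__main__":
    # Case-study values: λ4 = 1,000,000, λ3 = 6, λ1 = 15; the attack rate λ2 is swept.
    for l2 in (1, 2, 5, 10):
        rates = (15.0, float(l2), 6.0, 1_000_000.0)
        print(f"λ2={l2:>2}: SAP={sap(*rates):.4f}  dSAP/dλ2={sensitivity(rates, 1):+.4f}  "
              f"dSAP/dλ3={sensitivity(rates, 2):+.4f}  dSAP/dλ1={sensitivity(rates, 0):+.2e}")
```

Running the script reproduces the qualitative behaviour reported for figure 9: dSAP/dλ2 is positive and dSAP/dλ3 negative, while dSAP/dλ1 is negligible because the token returns from the end place almost instantly through t4. The same `steady_state` routine works unchanged for the larger chains obtained from sequence, parallel, loop and selection compositions once their generator matrix is built from the reachable markings.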

Conclusion
This paper proposes a two-dimensional method to model and predict software security based on stochastic Petri nets. The main contributions of the paper can be summarized as follows:
•An advanced method for software system security based on Stochastic Petri nets with an added metric is proposed. The software system is modeled in view of the new metric, and the parallelism, synchronization and conflict characteristics of a component-based system can be modeled easily with stochastic Petri nets, whereas Markov chains lack the ability to represent these characteristics.
•The vulnerability volume of a component is added as a new system parameter, and the security prediction equations are rewritten. Adding this new dimension of security increases the accuracy of the software security evaluation.
•A sensitivity analysis method is applied which provides a means to identify and trace back to the critical components for security enhancement. It also makes it possible to investigate and compare different solutions for the target system before realization.
We will work on the following open issues in the future:
•Modeling and predicting software system security based on stochastic Petri nets using only the vulnerability measure as a parameter.
•Advanced modeling and prediction of software system security with UML.
•Implementing the system with Petri net tools and Markov chain simulation to evaluate the security of the software system.