Title :
Evaluating security measures of a layered system
Author :
Razavi, Sanaz Hafezian ; Das, Olivia
Author_Institution :
Dept. of Electr. & Comput. Eng., Ryerson Univ., Toronto, ON, Canada
Abstract :
Most distributed systems that we use in our daily lives have a layered architecture, since such architectures allow separation of processing between multiple processes in different layers, thereby reducing the complexity of the system. Unauthorized control over such systems can have potentially serious consequences, ranging from huge monetary loss to even loss of human life. Hence, considerable research attention is being given to building tools and techniques for quantitative modeling and evaluation of security properties. This paper proposes a high-level stochastic model to estimate the security of a layered system. It discusses the evaluation of availability and integrity as two major security properties of a 3-layered architecture consisting of Client, Web-server, and Database. Using Mobius software, this study models the change in vulnerability of a layer owing to an intrusion in another layer. Furthermore, it analyzes the impact on the security of the upper layers due to an intruded lower layer. While maintaining a system availability of 88.48%, this study indicates that increasing the system host attack rate in the Database layer from 10 to 100 will reduce system availability to 73%, while the same modification for the Web-server layer will contribute to 60% availability.
Keywords :
client-server systems; database management systems; security of data; software architecture; Mobius software; Web server; client; database; distributed system; high-level stochastic model; intrusion; layered architecture; layered system; quantitative modeling; security measures; security property; system availability; system complexity; system host attack rate; unauthorized control; Application software; Buildings; Computer architecture; Computer security; Control systems; Data security; Electric variables measurement; Humans; Information security; Software architecture
Conference_Title :
Science and Technology for Humanity (TIC-STH), 2009 IEEE Toronto International Conference
Conference_Location :
Toronto, ON
Print_ISBN :
978-1-4244-3877-8
Electronic_ISBN :
978-1-4244-3878-5
DOI :
10.1109/TIC-STH.2009.5444485