A Markov Decision Process Model for Intrusion Tolerance Problems

We formulate and analyze a simplest Markov decision process model for intrusion tolerance problems, assuming that (i) each attack proceeds through one or more steps before the system's security fails, (ii) defensive responses that target these intermediate steps may only sometimes thwart the attack and (iii) reset responses that are sensible upon discovering an attack's completion may not always recover from the security failure. The analysis shows that, even in the ideal case of perfect detectors, it can be sub-optimal in the long run to employ defensive responses while under attack; that is, depending on attack dynamics and response effectiveness, the total overhead of ongoing defensive countermeasures can exceed the total risk of intermittent security failures. The analysis similarly examines the availability loss versus the risk reduction of employing preemptive resets, isolating key factors that determine whether system recovery is best initiated reactively or proactively. We also discuss model extensions and related work looking towards intrusion tolerance applications with (i) imperfect or controllable detectors, (ii) multiple types of attacks, (iii) continuous-time dynamics or (iv) strategic attackers.