Thomas A. Longstaff

The architecture tradeoff analysis method

This paper presents the Architecture Tradeoff Analysis Method (ATAM), a structured technique for understanding the tradeoffs inherent in the architectures of software-intensive systems. This method was developed to provide a principled way to evaluate a software architectures fitness with respect to multiple competing quality attributes: modifiability, security, performance, availability, and so forth. These attributes interact-improving one often comes at the price of worsening one or more of the others-as is shown in the paper, and the method helps us to reason about architectural decisions that affect quality attribute interactions. The ATAM is a spiral model of design: one of postulating candidate architectures followed by analysis and risk mitigation, leading to refined architectures.

Survivability: protecting your critical systems

Society is increasingly dependent upon large-scale, distributed systems that operate in unbounded network environments. Survivability helps ensure that such systems deliver essential services and maintain essential properties in the face of attacks, failures, and accidents.

Are we forgetting the risks of information technology

The complexity and interconnectedness of information systems is growing. There must be some way to systematically assess the risk to critical infrastructures. Work began two decades ago (1980s) on a comprehensive theoretical framework to model and identify risks to large-scale and complex systems. The framework, hierarchical holographic modeling (HHM) (Y.Y. Haimes, 1981; 1998) is to conventional modeling schemes what holography is to conventional photography. Holography captures images in three dimensions, as compared with conventional photographys two-dimensional, planar representation. Likewise, HHM endorses a gestalt and holistic philosophy, which allows it to capture more dimensions than modeling schemes that yield planar models. HHM promotes a systemic process that identifies most, if not all, important and critical sources of risk.

Survivable network system analysis: a case study

The Survivable Network Analysis method permits assessment of survivability at the architecture level. Steps include system mission and architecture definition, essential capability definition, compromisable capability definition, and survivability analysis of architectural soft-spots that are both essential and compromisable. The article summarizes application of the method to a subsystem of a large-scale, distributed health care system.

Survivability analysis of network specifications

Survivability is the ability of a system to maintain a set of essential services despite the presence of abnormal events, such as faults and intrusions. Ensuring system survivability has increased in importance as critical infrastructures have become heavily dependent on computers. In this paper, we present a systematic method for performing survivability analysis of networks. A system architect injects fault and intrusion events into a given specification of a network and then visualizes the effects of the injected events in the form of scenario graphs. In our method, we automatically generate scenario graphs using model checking. Out method enables further global analysis, such as reliability analysis, where mathematical techniques used in different domains are combined in a systematic manner. We illustrate our ideas on an abstract model of the United States Payment System.

Characterization of defense mechanisms against distributed denial of service attacks

We propose a characterization of distributed denial of service (DDOS) defenses where reaction points are network-based and attack responses are active. The purpose is to provide a framework for comparing the performance and deployment of DDOS defenses. We identify the characteristics in attack detection algorithms and attack responses by reviewing defenses that have appeared in the literature. We expect that this characterization will provide practitioners and academia insights into deploying DDOS defense as network services.

Strategic Alternative Responses to Risks of Terrorism

The terrorist acts of September 11, 2001 were a wake-up call for changing our traditional response to risks of terrorism. Given that government and worldwide think-tank organizations maintain that risks of terrorism will continue for the indefinite future, the following questions deserve strategic answers. How long can we respond to terrorism with tactical measures only, sustain current curtailments of some of our freedoms, travel, and quality of life, and absorb losses in human life and properties? Should not underlying strategic motivation lead to the tactical measures? Why do so many groups and individuals in some developing countries hate us? Is it because they fear that the ideas we export through television, movies, literature, and music have a corrupting influence on their cultures? Is it because of past operations that we conducted in such countries as Iran, Nicaragua, El Salvador, and Granada? Can the genesis of the risks of terrorism to the homeland be traced to the unfavorable socioeconomic conditions in less-privileged and developing countries, where civil and religious freedoms are close to nonexistent, and sanitary conditions, health and education, and critical infrastructures of essential utilities are almost at the same level that existed in the United States almost a century ago? If we could make progress at improving the quality of life of the billions of people in the developing countries and become more sensitive to their needs, cultures, and heritage, would their hatred subside? What other measures can we take to reduce their hatred, without compromising our basic cultural and democratic principles or their cultural and social heritage?

A holistic roadmap for survivable infrastructure systems

The role of a holistic risk assessment and management process in information technology (IT), information assurance (IA), and survivable dependable systems is the subject of this paper. To address the multiple dimensions and perspectives of the risks of terrorism to cyber and interconnected physical infrastructures, hierarchical holographic modeling is introduced and is related to the risk assessment and management process. The definition of information assurance as the trust that information presented by the system is accurate and is properly represented necessitates that trust, knowledge management, organizational behavior, and other nontechnology-based considerations be addressed in the protection of IA against terrorist attacks.

Computational Evaluation of Software Security Attributes

In the current state of practice, security properties of software systems are typically assessed through subjective, labor-intensive human evaluation. Moreover, much of the quantitative security analysis research to date is characterized by the development of approximate solutions and/or based on assumptions that severely constrain the operational utility of the results. In order to achieve a dramatic increase in maturing the discipline of software security engineering, a fundamentally different approach to analysis and evaluation of security attributes is required. The computational security attributes (CSA) approach to software security analysis provides a new approach for specification of security attributes in terms of data and transformation of data by programs. This paper provides an introduction to the CSA approach, provides behavioral requirements for several security attributes, and discusses possible application of the CSA approach to support analysis of security attributes during software development, acquisition, verification, and operation.

Why is there no science in cyber science?: a panel discussion at NSPW 2010

As researchers with scientific training in fields that depend on experimental results to make progress, we have long been puzzled by the resistance of the experimental computer science community in general, and computer security research in particular, to the use of the methods of experimentation and reporting that are commonplace in most scientific undertakings. To bring our concerns to a broader audience, we proposed a discussion topic for NSPW 2010 that covers the history and practicality of experimental information security with an emphasis on exposing the pros and cons of the application of rigorous scientific experimental methodology in our work. We focused on discussion points that explore the challenges we face as scientists, and we tried to identify a set of concrete steps to resolve the apparent conflict between desire and practice. We hoped that the application of these steps to the papers accepted at NSPW could be an early opportunity to begin a journey toward putting more science into cyber science. The discussion, as expected, was wide ranging, interesting, and often frustrating. This paper is a slight modification of the discussion proposal that was accepted by NSPW with the addition of a brief summary of the discussion.