Software Engineering Institute

This report presents an extended analysis of CERT Coordination Center incidents data (from 1988 to 1995) and applies the results to simulate attacks and their impacts on network sites. The data were sanitized prior to the analysis to ensure complete anonymity. A model for the incidents process is discussed and extended. It consists of three parts: a stochastic process for the random occurrence of incidents at sites, a model for the state transition process for an attacked system given a level of defense, and a method of estimating the expected survivability of the system given possible degradations due to these attacks. This approach leads to the estimation of a survivability/cost function, which shows the tradeoffs involved between cost and system survivability. Information Systems (IS) managers can use this to determine the most appropriate level of defense for the network systems of their organizations. The stochastic process was simulated based on parameter values obtained from actual reported data. Extensive sensitivity analyses are reported that indicate how expected survivability would change with varying parameter analysis results values. The report concludes with a discussion of future work to be done and the appendix has details of the simulation model and further data.