Results 1 - 10 of 36
Model-based evaluation: From dependability to security
- IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2004
- Cited by 43 (2 self)
The development of techniques for quantitative, model-based evaluation of computer system dependability has a long and rich history. A wide array of model-based evaluation techniques are now available, ranging from combinatorial methods, which are useful for quick, rough-cut analyses, to state-based methods, such as Markov reward models, and detailed, discrete-event simulation. The use of quantitative techniques for security evaluation is much less common, and has typically taken the form of formal analysis of small parts of an overall design, or experimental red team-based approaches. Alone, neither of these approaches is fully satisfactory, and we argue that there is much to be gained through the development of a sound model-based methodology for quantifying the security one can expect from a particular design. In this work, we survey existing model-based techniques for evaluating system dependability, and summarize how they are now being extended to evaluate system security. We find that many techniques from dependability evaluation can be applied in the security domain, but that significant challenges remain, largely due to fundamental differences between the accidental nature of the faults commonly assumed in dependability evaluation, and the intentional, human nature of cyber attacks.
On combining functional verification and performance evaluation using CADP
- FME 2002: International Symposium of Formal Methods Europe, volume 2391 of LNCS, 2002
- Cited by 27 (7 self)
Considering functional correctness and performance evaluation in a common framework is desirable, both for scientific and economic reasons. In this paper, we describe how the CADP toolbox, originally designed for verifying the functional correctness of LOTOS specifications, can also be used for performance evaluation. We illustrate the proposed approach by the performance study of the SCSI-2 bus arbitration protocol.
Using the exact state space of a Markov model to compute approximate stationary measures
- Proc. 2000 ACM SIGMETRICS Conf. on Measurement and Modeling of Computer Systems, 2000
- Cited by 17 (8 self)
We present a new approximation algorithm based on an exact representation of the state space S, using decision diagrams, and of the transition rate matrix R, using Kronecker algebra, for a Markov model with K submodels. Our algorithm builds and solves K Markov chains, each corresponding to a different aggregation of the exact process, guided by the structure of the decision diagram, and iterates on their solution until their entries are stable. We prove that exact results are obtained if the overall model has a product-form solution. Advantages of our method include good accuracy, low memory requirements, fast execution times, and a high degree of automation, since the only additional information required to apply it is a partition of the model into the K submodels. As far as we know, this is the first time an approximation algorithm has been proposed where knowledge of the exact state space is explicitly used.
Structural symbolic CTL model checking of asynchronous systems
- Computer Aided Verification (CAV’03), LNCS 2725, 2003
- Cited by 15 (9 self)
In previous work, we showed how structural information can be used to efficiently generate the state-space of asynchronous systems. Here, we apply these ideas to symbolic CTL model checking. Thanks to a Kronecker encoding of the transition relation, we detect and exploit event locality and apply better fixed-point iteration strategies, resulting in orders-of-magnitude reductions for both execution times and memory consumption in comparison to well-established tools such as NuSMV.
Symbolic State-space Exploration and Numerical Analysis of State-sharing Composed Models
- IN PROCEEDINGS OF NSMC ’03: THE FOURTH INTERNATIONAL CONFERENCE ON THE NUMERICAL SOLUTION OF MARKOV CHAINS, 2004
- Cited by 14 (5 self)
The complexity of stochastic models of real-world systems is usually managed by abstracting details and structuring models in a hierarchical manner. Systems are often built by replicating and joining subsystems, making possible the creation of a model structure that yields lumpable state spaces. This fact has been exploited to facilitate model-based numerical analysis. Likewise, recent results on model construction suggest that decision diagrams can be used to compactly represent large Continuous Time Markov Chains (CTMCs). In this paper, we present an approach that combines and extends these two approaches. In particular, we propose methods that apply to hierarchically structured models with hierarchies based on sharing state variables. The hierarchy is constructed in a way that exposes structural symmetries in the constructed model, thus facilitating lumping. In addition, the methods allow one to derive a symbolic representation of the associated CTMC directly from the given model without the need to compute and store the overall state space or CTMC explicitly. The resulting representation of a generator matrix allows the analysis of large CTMCs in lumped form. The efficiency of the approach is demonstrated with the help of two example models.
A Structured Path-Based Approach for Computing Transient Rewards of Large CTMCs
- Cited by 13 (6 self)
Structured (a.k.a. symbolic) representation techniques of Markov models have, to a large extent, been used effectively for representing very large transition matrices and their associated state spaces. However, their success means that the largest space requirement encountered when analyzing these models is often the representation of their iteration and solution vectors. In this paper, we present a new approach for computing bounds on solutions of transient measures in large continuous-time Markov chains (CTMCs). The approach extends existing path- and uniformization-based methods by identifying sets of paths that are equivalent with respect to a reward measure and related to one another via a simple structural relationship. This relationship allows us to explore multiple paths at the same time, thus significantly increasing the number of paths that can be explored in a given amount of time. Furthermore, the use of a structured representation for the state space and the direct computation of the desired reward measure (without ever storing the solution vector) allow us to analyze very large models using a very small amount of storage. In addition to presenting the method itself, we illustrate its use to compute the reliability and the availability of a large distributed information service system in which faults may propagate across subsystems.
Distributed and structured analysis approaches to study large and complex systems
- Lectures on Formal Methods and Performance Analysis, LNCS 2090, 2001
- Cited by 9 (0 self)
Both the logic and the stochastic analysis of discrete-state systems are hindered by the combinatorial growth of the state space underlying a high-level model. In this work, we consider two orthogonal approaches to cope with this “state-space explosion”. Distributed algorithms that make use of the processors and memory overall available on a network of N workstations can manage models with state spaces approximately N times larger than what is possible on a single workstation. A second approach, constituting a fundamental paradigm shift, is instead based on decision diagrams and related implicit data structures that efficiently encode the state space or the transition rate matrix of a model, provided that it has some structure to guide its decomposition; with these implicit methods, enormous sets can be managed efficiently, but the numerical solution of the stochastic model, if desired, is still a bottleneck, as it requires vectors of the size of the state space.
The Möbius State-Level Abstract Functional Interface
- In Proc. of the 12th Int. Conf. on Modelling Techniques and Tools for Computer Performance Evaluation (TOOLS 2002), 2003
- Cited by 9 (7 self)
A key advantage of the Möbius modeling environment is the ease with which one can incorporate new modeling formalisms, model composition and connection methods, and model solution methods. We present a new state-level abstract functional interface (AFI) for Möbius that allows numerical solution methods to communicate with Möbius state-level models via the abstraction of a labeled transition system. This abstraction and its corresponding implementation yield an important separation of concerns: It is possible to treat separately the problem of representing large labeled transition systems, like generator matrices of continuous-time Markov chains, and the problem of analyzing these systems. For example, any numerical solver (e.g., Jacobi, SOR, or uniformization) that accesses a model through the Möbius state-level AFI can operate on a variety of state-space representations, including "on-the-fly," disk-based, sparse-matrix, Kronecker, and matrix-diagram representations, without requiring that the solver implementation be changed to match the state-space representation. This abstraction thus avoids redundant implementations of solvers and state-generation techniques, eases research cooperation, and simplifies comparisons of approaches as well as benchmarking. In addition to providing a formal definition of the Möbius state-level AFI, we illustrate its use on two state-space representations (a sparse matrix and a Kronecker representation) and on several numerical s...
On phased delay stochastic Petri nets: Definition and an application
- In Proceedings 9th International Workshop on Petri Nets and Performance Models - PNPM01. IEEE Computer Society, 2001
- Cited by 7 (1 self)
We present a novel stochastic Petri net formalism where both discrete and continuous phase-type firing delays can appear simultaneously in the same model. By capturing non-Markovian behavior in discrete or continuous time, as appropriate, the formalism affords higher modeling fidelity. Alone, discrete or continuous phase-type Petri nets have simple underlying Markov chains, but mixing the two complicates matters. We show that, in a mixed model where discrete-time transitions are synchronized, the underlying process is semi-regenerative and we can employ Markov renewal theory to formulate stationary or time-dependent solutions. Also noteworthy are the computational trade-offs between the so-called embedded and subordinate Markov chains, which we employ to improve the overall solution efficiency. We present a preliminary stationary solution method that shows promise in terms of time and space efficiency and demonstrate it on an aeronautical data link system application.

