Adapting Safety Requirements Analysis to Intrusion Detection

Several requirements analysis techniques widely used in safety-critical systems are being adapted to support the analysis of secure systems. Perhaps the most relevant system safety technique for Intrusion Detection Systems is hazard analysis. Hazard analysis identi es and analyzes hazards (states that can lead to an accident) in terms of their severity of e ects and likelihood of occurrence. As Rushby points out, safety engineering techniques focus on the consequences to be avoided and explicitly consider the system context [9]. Intrusions are one such class of hazards to be avoided, and can only be understood within the context of the operational system (including both legitimate users and attackers). Fault Tree Analysis (FTA) is often used to support the hazard analysis of safety-critical systems [5, 10]. Software Fault Tree Analysis (SFTA), a re nement of FTA, o ers a way to explore intrusion scenarios in support of requirements analysis for Intrusion Detection Systems [3]. SFTA can assist in deriving requirements for the software agents that must identify and respond to intrusions. From experience with safety-critical systems, we can identify four open issues in the application of these analysis techniques to intrusion scenarios: