Towards a library of composable models to estimate the performance of security solutions

Abstract

Complex distributed dependable systems, such as web-based applications that contain sensitive data and are exposed to many users, have to meet different, and sometimes conflicting, non functional requirements, such as security and performance requirements. A typical example of this trade-off is the performance degradation introduced in a system by the raising of security solutions. Several proposals have been made to estimate the performance of security methodologies, but they are often grounded to existing standards such as IPsec and SSL. In this paper we tackle the problem from a model-based viewpoint: we introduce basic performance models for security mechanisms, which can be considered as building bricks to compose in order to model security services. To this goal, we introduce rules that drive the composition. Security service models can then be integrated with functional models of critical applications to estimate the performance of the adopted security solutions. We represent models as Generalized Stochastic Petri Nets (GSPNs). This is a first step towards a Security Library containing composable performance models of security mechanisms and services and representing an instrument to support designers in decisions related to the security vs performance trade-off. We show how to use our models on an example of banking system.