Architectural Refinement for the Design of Survivable Systems
Robert J. Ellison
Andrew P. Moore
Technical Note
CMU/SEI-2001-TN-008
This paper describes a process for systematically refining an enterprise system
architecture to resist, recognize, and recover from deliberate, malicious
attacks by applying reusable design primitives that help ensure the survival
of the enterprise mission. Systems of interest may be unbounded; that
is, they may have no central administration and no unified security policy. The
survivable architecture refinement is an iterative risk-driven process
which adopts the structure of Boehm’s Spiral Model