Intent-Driven Secure System Design

Computers and Security (2023)

Abstract
Given the typical complexity of networked systems in terms of number of components and their interconnections, manually designing their architecture is inherently difficult, and the design process requires expert knowledge and skills. If we also consider the security requirements that networked systems must meet, the task becomes even more demanding, since the manual audit and security mitigation of the architecture are time and labor intensive. This led to research on automated system design, including ways to cover the related security aspects. In this paper we present a methodology for secure system design that uses an intent-based representation of the network service requirements as input, which is annotated with security requirements, and applies the Design Space Exploration (DSE) approach to generate the system design. Security is handled via a MITRE ATT&CK-based security knowledge base, and a set of security check functions, so that the resulting system design meets not only the functional and quantitative requirements, but also the specified security requirements. We implemented this methodology as the secure system designer SecureWeaver by extending the functionality of an existing intent-based system designer that targeted IT/NW services, named Weaver. A case study of a typical corporate network scenario is used to illustrate the feasibility of the methodology in producing a system design that mitigates the associated security threats. The performance evaluation we conducted for this scenario demonstrates that the added security check overhead does not have a significant impact on the overall performance characteristics of the framework.
Keywords
networked system, secure system design, automated design, design space exploration, MITRE ATT&CK