Redundancy and Diversity in Security

Redundancy and diversity are commonly applied principles for fault tolerance against accidental faults. Their use in security, which is attracting increasing interest, is less general and less of an accepted principle. In particular, redundancy without diversity is often argued to be useless against systematic attack, and diversity to be of dubious value. This paper discusses their roles and limits, and to what extent lessons from research on their use for reliability can be applied to security, in areas such as intrusion detection. We take a probabilistic approach to the problem, and argue its validity for security. We then discuss the various roles of redundancy and diversity for security, and show that some basic insights from probabilistic modelling in reliability and safety indeed apply to examples of design for security. We discuss the factors affecting the efficacy of redundancy and diversity, the role of "independence" between layers of defense, and some of the trade-offs facing designers.
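The abstract's two central claims (that redundancy without diversity buys nothing against a systematic attacker, and that "independence" between layers is the crux) can be made concrete with the difficulty-function model of diverse software reviewed in [4]. The block below is an added worked example, not code or data from the paper. Everything in it is an assumption made for illustration: a five-class attack population with a constructed launch distribution Q, a deterministic signature layer THETA_SIG and a probabilistic anomaly layer THETA_ANOM with constructed miss probabilities, and the modelling assumption that the two layers fail independently once the attack class is fixed.

```python
"""Added worked example (not from the paper): the difficulty-function model
of diverse systems applied to two layers of defence placed in series.

Model assumptions (constructed for illustration):
  * A finite attack population X and a probability q(x) that attack x is
    the one launched.
  * Each layer L has a difficulty function theta_L(x) = P(L fails to stop x).
  * Layers fail independently *given* x, so a two-layer system is defeated
    by x with probability theta_A(x) * theta_B(x).
Hence  P(system defeated) = E[theta_A * theta_B]
                          = E[theta_A] * E[theta_B] + Cov(theta_A, theta_B),
so "independence between layers" is a statement about the covariance of
their difficulty functions, not a property one gets for free.
"""

# Constructed launch distribution: attack class -> P(that class is launched).
Q = {
    "sqli": 0.35,
    "xss": 0.25,
    "ssrf": 0.15,
    "deserialization": 0.15,
    "path_traversal": 0.10,
}

# Constructed difficulty functions, P(miss | attack class).
# Deterministic signature layer: it either has a rule for the class or not.
THETA_SIG = {"sqli": 0.0, "xss": 0.0, "ssrf": 1.0,
             "deserialization": 1.0, "path_traversal": 0.0}
# Probabilistic anomaly layer: never certain, but not blind to any class.
THETA_ANOM = {"sqli": 0.30, "xss": 0.40, "ssrf": 0.20,
              "deserialization": 0.25, "path_traversal": 0.35}


def pfd_single(theta, q=Q):
    """P(one layer misses the launched attack) = E[theta]."""
    return sum(q[x] * theta[x] for x in q)


def pfd_pair(theta_a, theta_b, q=Q):
    """P(both layers miss) = E[theta_a * theta_b]; exact under the model."""
    return sum(q[x] * theta_a[x] * theta_b[x] for x in q)


def naive_independent(theta_a, theta_b, q=Q):
    """The figure obtained by wrongly assuming the *layers* fail independently."""
    return pfd_single(theta_a, q) * pfd_single(theta_b, q)


def covariance(theta_a, theta_b, q=Q):
    """Cov(theta_a, theta_b): > 0 means common-mode weakness,
    < 0 means the layers are strong where the other is weak."""
    return pfd_pair(theta_a, theta_b, q) - naive_independent(theta_a, theta_b, q)


def worst_case(theta_a, theta_b):
    """Systematic attacker: chooses the class both layers handle worst,
    so the launch distribution q no longer matters."""
    return max(theta_a[x] * theta_b[x] for x in theta_a)


def compare():
    """Summarise the configurations the abstract contrasts."""
    return {
        "sig alone": pfd_single(THETA_SIG),
        "sig+sig (redundancy without diversity)": pfd_pair(THETA_SIG, THETA_SIG),
        "sig+anom (diverse layers)": pfd_pair(THETA_SIG, THETA_ANOM),
        "sig+anom if layers were independent": naive_independent(THETA_SIG, THETA_ANOM),
        "cov(sig, anom)": covariance(THETA_SIG, THETA_ANOM),
        "worst case sig+sig": worst_case(THETA_SIG, THETA_SIG),
        "worst case sig+anom": worst_case(THETA_SIG, THETA_ANOM),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:42s} {value:.4f}")
```

With these constructed numbers the duplicated signature layer misses exactly as often as a single one (0.30 in both cases), because a deterministic layer has theta(x) in {0, 1} and so theta squared equals theta; against a systematic attacker its worst case stays at 1.0, since whoever finds the gap in one copy finds it in both. The signature-plus-anomaly pair misses with probability 0.0675, below the 0.0923 that an independence assumption would predict, and the covariance is negative: the anomaly layer happens to be strongest on the classes the signature layer is blind to, and the worst case falls to 0.25. Had the two layers shared weaknesses, the covariance would be positive and the real figure would be worse than the independence estimate. The caveat a practitioner should keep in mind is that the difficulty functions are never known in practice; the paper's contribution, and work such as [6], is about what can be inferred without knowing them.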

[1] Eric Miller et al. Testing and evaluating computer intrusion detection systems. CACM, 1999.

[2] John E. Dobson et al. Reliability and Security Issues in Distributed Computing Systems. Symposium on Reliability in Distributed Software and Database Systems, 1986.

[3] Algirdas Avizienis et al. A fault tolerance approach to computer viruses. Proceedings, 1988 IEEE Symposium on Security and Privacy, 1988.

[4] Bev Littlewood et al. Modeling software design diversity: a review. CSUR, 2001.

[5] Kathleen A. Jackson. Intrusion Detection System (IDS) Product Survey. 1999.

[6] Lorenzo Strigini et al. Estimating Bounds on the Reliability of Diverse Systems. IEEE Trans. Software Eng., 2003.

[7] Marco Casassa Mont et al. Towards Diversity of COTS Software Applications: Reducing Risks of Widespread Faults and Attacks. 2002.

[9] Dominique Alessandri et al. Using Rule-Based Activity Descriptions to Evaluate Intrusion-Detection Systems. Recent Advances in Intrusion Detection, 2000.

[10] C. Pu et al. Survivability from a Sow's Ear: The Retrofit Security Requirement. 1998.

[11] David E. Bakken et al. Developing a heterogeneous intrusion tolerant CORBA system. Proceedings, International Conference on Dependable Systems and Networks, 2002.

[12] Matti A. Hiltunen et al. Using Redundancy to Increase Survivability. 2000.

[13] David H. Ackley et al. Building diverse computer systems. Proceedings, The Sixth Workshop on Hot Topics in Operating Systems, 1997.

[14] Bharat B. Madan et al. Modeling and quantification of security attributes of software systems. Proceedings, International Conference on Dependable Systems and Networks, 2002.

[15] S. M. Cherry. Striking at the Internet's heart. 2001.

[16] Karl N. Levitt et al. The design and implementation of an intrusion tolerant system. Proceedings, International Conference on Dependable Systems and Networks, 2002.

[17] Bev Littlewood et al. Modelling the effects of combining diverse software fault removal techniques. 1999.

[18] Harrick M. Vin et al. Heterogeneous networking: a new survivability paradigm. NSPW '01, 2001.

[19] Yves Deswarte et al. Intrusion tolerance in distributed computing systems. Proceedings, 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 1991.

[20] Adi Shamir et al. How to share a secret. CACM, 1979.

[21] Jean-Claude Laprie et al. Diversity against accidental and deliberate faults. Proceedings, Computer Security, Dependability, and Assurance: From Needs to Solutions, 1998.

[22] S. M. Cherry. Took a licking, kept on ticking [Internet security]. 2002.

[23] Dipankar Dasgupta et al. Immunity-Based Intrusion Detection System: A General Framework. 1999.

[24] Bev Littlewood et al. Modeling the Effects of Combining Diverse Software Fault Detection Techniques. IEEE Trans. Software Eng., 2000.

[25] Lorenzo Strigini et al. Diversity for off-the-shelf components. 2000.

[26] Nancy R. Mead et al. Survivability: Protecting Your Critical Systems. IEEE Internet Comput., 1999.

[27] Lorenzo Strigini et al. Choosing Effective Methods for Design Diversity - How to Progress from Intuition to Science. SAFECOMP, 1999.

[28] Feiyi Wang et al. SITAR: a scalable intrusion-tolerant architecture for distributed services. Foundations of Intrusion Tolerant Systems (Organically Assured and Survivable Information Systems), 2003.

[29] Calton Pu et al. Immunix: Survivability Through Specialization. 1997.

[30] William H. Sanders et al. Probabilistic validation of an intrusion-tolerant replication system. Proceedings, 2003 International Conference on Dependable Systems and Networks, 2003.

[31] Kymie M. C. Tan et al. Benchmarking anomaly-based detection systems. Proceedings, International Conference on Dependable Systems and Networks (DSN 2000), 2000.

[32] R. K. Cunningham et al. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. Proceedings, DARPA Information Survivability Conference and Exposition (DISCEX'00), 2000.

[33] Matti A. Hiltunen et al. Survivability through customization and adaptability: the Cactus approach. Proceedings, DARPA Information Survivability Conference and Exposition (DISCEX'00), 2000.

[34] David Wright et al. Towards Operational Measures of Computer Security. J. Comput. Secur., 1993.

[35] Bev Littlewood. The impact of diversity upon common mode failures. 1996.