An architecture for adaptive intrusion‐tolerant applications

Applications that are part of a mission‐critical information system need to maintain a usable level of key services through ongoing cyber‐attacks. In addition to the well‐publicized denial of service (DoS) attacks, these networked and distributed applications are increasingly threatened by sophisticated attacks that attempt to corrupt system components and violate service integrity. While various approaches have been explored to deal with DoS attacks, corruption‐inducing attacks remain largely unaddressed. We have developed a collection of mechanisms based on redundancy, Byzantine fault tolerance, and adaptive middleware that help distributed, object‐based applications tolerate corruption‐inducing attacks. In this paper, we present the ITUA architecture, which integrates these mechanisms in a framework for auto‐adaptive intrusion‐tolerant systems, and we describe our experience in using the technology to defend a critical application that is part of a larger avionics system as an example. We also motivate the adaptive responses that are key to intrusion tolerance, and explain the use of the ITUA architecture to support them in an architectural framework. Copyright © 2006 John Wiley & Sons, Ltd.
