A Dependable Intrusion Detection Architecture Based on Agreement Services

In this paper, we show that using diversified COTS servers makes it possible to detect intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level, and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid any single point of failure. On the one hand, we assume that COTS servers are complex software that contains some vulnerabilities and thus may exhibit arbitrary behaviors. On the other hand, the other basic components of the proposed architecture are simple enough to be exhaustively verified, which is why we assume that they can only suffer from crash failures. The whole system is assumed to be asynchronous and, furthermore, messages can be lost. In the particular case of Web servers connected to databases, we identify the properties that have to be maintained and the alarms that have to be raised. We describe in detail how the different replicated levels interact and, for each level, we state the reasons that led us to use a particular agreement service. Performance evaluations are conducted to measure the quality of service of the Intrusion Detection System (quantity of false positives and lack of false negatives) and the additional cost induced by the mechanisms used to ensure the availability of this secure architecture.
