Closing cluster attack windows through server redundancy and rotations

It is well understood that increasing redundancy in a system generally improves its availability and dependability. In server clusters, one important form of redundancy is spare servers. Cluster security, while universally recognized as an important subject in its own right, has not often been associated with the issue of redundancy. In prior work, we developed a self-cleansing intrusion tolerance (SCIT) architecture that strengthens cluster security through periodic server rotations and self-cleansing. In this work, we consider the servers in the cleansing mode as redundant, spare hardware and develop a unified control algorithm that manages the requirements of both security and service availability. We show the advantages of our algorithm in the following areas: (1) intrusion tolerance through constant server rotations and cleansing, (2) survivability in the event of server failures, (3) guarantee of service availability as long as the cluster has a minimum number of functioning servers, and (4) scalability, that is, support for using high degrees of hardware/server redundancy to improve security and fault tolerance. We provide proofs for important properties of the proposed algorithm. The effects of varying degrees of server redundancy in reducing attack windows are investigated through simulation.
