Closing cluster attack windows through server redundancy and rotations

It is well understood that increasing redundancy in a system generally improves its availability and dependability. In server clusters, one important form of redundancy is spare servers. Cluster security, while universally recognized as an important subject in its own right, has not often been associated with the issue of redundancy. In prior work, we developed a self-cleansing intrusion tolerance (SCIT) architecture that strengthens cluster security through periodic server rotations and self-cleansing. In this work, we treat the servers in cleansing mode as redundant, spare hardware and develop a unified control algorithm that manages the requirements of both security and service availability. We show the advantages of our algorithm in the following areas: (1) intrusion tolerance through constant server rotations and cleansing, (2) survivability in the event of server failures, (3) guaranteed service availability as long as the cluster has a minimum number of functioning servers, and (4) scalability, meaning support for high degrees of hardware/server redundancy to improve security and fault tolerance. We provide proofs for important properties of the proposed algorithm. The effects of varying degrees of server redundancy in reducing attack windows are investigated through simulation.
