SITAR: A Scalable Intrusion-Tolerant Architecture for Distributed Services
Program Area:
Intrusion Tolerant Systems
Technical Areas:
Tolerance Technologies and Tolerance Triggers
A. Innovative Claims
The direct approach of building systems that can prevent general attacks has not been very successful, as evidenced by the lack of deployment of the trusted computing base (TCB) model. Intrusion detection and response research, in contrast, has so far mostly concentrated on known and well-defined attacks. We believe that this narrow focus on attacks accounts for almost all the successes of the commercial intrusion detection systems (IDS). A number of well-respected research and commercial IDSs have been evaluated at MIT Lincoln Labs in the past two years. Two aspects of the results are very intriguing. First, new and novel attacks present a formidable challenge to these systems. Second, little improvement in performance (e.g., true detection rate and false positive rate) was shown by those systems after one year's further development.
What could possibly be the main reason for this undesirable state of the art? We believe that it is due to a fundamental limitation of the current intrusion detection and response approach. As long as we focus our attention on the intrusion attacks themselves, we cannot expect to develop a general protection mechanism, because not all attacks are well-defined and there are always unknown attacks. Although intrusion tolerance must also deal with intrusion attacks, it is inherently tied to the functions and services that require protection (i.e., those to be made intrusion tolerant). It is this focus that makes intrusion tolerance the most promising approach on which to build our defense. As a first advantage, we can now develop intrusion triggers by focusing only on those events that pose a threat to the services under consideration, instead of on arbitrary events. Second, we can leverage many well-developed techniques from fault-tolerant and dependable computing research. As a third advantage, newly developed intrusion-tolerance techniques can eventually be used to build new information systems that are invulnerable to intrusions (to the degree that desirable levels of service can be maintained regardless of intrusions).
MCNC and Duke University propose to develop a scalable intrusion-tolerant architecture for distributed services in a network environment. There are several novel aspects to our proposed effort: (1) We focus on one generic class of services (network-distributed services built from COTS components) as the target for protection. This target presents us with enough challenging problems to solve while remaining concrete enough for us to explore the specific intrusion-tolerance issues associated with it. (2) Two specific kinds of challenges are addressed in our novel architecture. The first is how some of the very basic techniques of fault tolerance (e.g., redundancy and diversity) apply to our target. The second is how we deal with external attacks and compromised components, which exhibit very unpredictable behavior compared to accidental or planted faults. (3) Our dynamic reconfiguration strategies will be based on an intrusion-tolerance model built within the architecture. (4) Model-based (using analysis and simulation) and measurement-based approaches will be used to evaluate the security of the architecture and to carry out cost-benefit tradeoff studies.
The main tasks for the first half of the project will be to study faults versus intrusions, to develop a model of intrusion-tolerance, and to define an initial architecture. Next, we will conduct analytical/simulation-based tradeoff studies, create a prototype system, and evaluate the prototype through experimental measurements. MCNC's strong expertise in security management and intrusion assessment is complemented by Duke's advanced research experience in fault-tolerant computing and dependability assessment. The collaborative team has a successful track record of working together and contributing to DARPA research programs.
B. Proposal Roadmap
1. Goal of work:
The main objectives of the proposed research include, in the short term, an intrusion-tolerant Web server prototype using COTS server technologies and, in the long term, an evaluated and demonstrated architecture for building general intrusion-tolerant services in a networked environment, together with a set of tools (analytical and simulation) and algorithms for applying general fault-tolerant techniques to intrusion tolerance.
2. Tangible benefits to the end users:
An architecture for building scalable intrusion-tolerant services out of COTS systems and a prototype Web server system for providing intrusion tolerant services.
3. Critical technical barriers:
Understanding the differences between accidental/intentional faults in fault tolerance and intrusions in information assurance; developing approaches for applying fault-tolerant techniques to intrusion tolerance; addressing both short-term (using COTS) and long-term (intrusion-tolerant engineering) goals at the same time.
4. Main elements of the proposed approach:
A scalable intrusion-tolerant service architecture based on a multi-layered defense strategy that integrates intrusion triggers, proxy servers, and techniques from fault-tolerant and dependable systems; a set of strategies for adaptive reconfiguration to deal with the unpredictability of active intrusions; and a combination of analytical, simulation, and measurement-based approaches to ensure the security of the intrusion-tolerant components.
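The following is an added illustration, not code from the SITAR proposal or project, of how the elements named here and in the novel aspects of section A (proxy servers in front of redundant, diverse COTS replicas, intrusion triggers, and adaptive reconfiguration) fit together. A proxy forwards each request to every active replica, serves the majority response, records any disagreement as a trigger event, and reconfigures by quarantining a replica that keeps deviating. The replica behaviours, the request paths, and the quarantine threshold are constructed assumptions for the example.

```python
"""Voting proxy over diverse, redundant replicas (constructed example).

Not code from the SITAR proposal or project: an added illustration of the
redundancy + diversity + proxy idea. Replica behaviours, request paths and the
quarantine threshold are assumptions chosen for the example.
"""
from collections import Counter
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Callable, Dict, List, Optional


@dataclass
class Replica:
    """One back-end server; `handler` stands in for a diverse COTS stack."""
    name: str
    handler: Callable[[str], str]
    deviations: int = 0         # times this replica disagreed with the majority
    quarantined: bool = False   # removed from the active set by reconfiguration


@dataclass
class VotingProxy:
    """Forwards each request to all active replicas and serves the majority answer."""
    replicas: List[Replica]
    quarantine_after: int = 2                          # assumed reconfiguration threshold
    triggers: List[str] = field(default_factory=list)  # intrusion-trigger event log

    def active(self) -> List[Replica]:
        return [r for r in self.replicas if not r.quarantined]

    def serve(self, request: str) -> Optional[str]:
        """Return the majority response, or None (fail closed) when there is none."""
        responses: Dict[str, str] = {}
        for r in self.active():
            try:
                responses[r.name] = r.handler(request)
            except Exception as exc:        # a failing replica casts no vote
                self.triggers.append(f"{r.name}: error {exc!r} on {request}")
        # Vote on a digest of the normalised body so that harmless formatting
        # differences between diverse implementations do not split the vote.
        digests = {name: sha256(body.strip().encode()).hexdigest()
                   for name, body in responses.items()}
        if not digests:
            return None
        winner, votes = Counter(digests.values()).most_common(1)[0]
        if votes * 2 <= len(self.active()):  # no strict majority of active replicas
            self.triggers.append(f"no majority for {request}")
            return None
        for name, digest in digests.items():
            if digest != winner:
                self._flag(name, request)
        return next(body for name, body in responses.items() if digests[name] == winner)

    def _flag(self, name: str, request: str) -> None:
        """Record a deviation; quarantine the replica once it deviates too often."""
        rep = next(r for r in self.replicas if r.name == name)
        rep.deviations += 1
        self.triggers.append(f"{name}: disagreed with majority on {request}")
        if rep.deviations >= self.quarantine_after and not rep.quarantined:
            rep.quarantined = True
            self.triggers.append(f"reconfigure: {name} quarantined")


# Constructed back ends: two honest implementations that format their output
# differently, and one whose index page has been tampered with.
PAGES = {"/index.html": "<h1>Welcome</h1>", "/about.html": "<h1>About</h1>"}

def honest_a(path: str) -> str:
    return PAGES[path]                      # KeyError on an unknown path

def honest_b(path: str) -> str:
    return PAGES[path] + "\n"               # same content, different formatting

def compromised(path: str) -> str:
    return "<h1>Defaced</h1>" if path == "/index.html" else PAGES[path]


def demo():
    """Serve three requests; returns (responses, surviving replicas, trigger log)."""
    proxy = VotingProxy([Replica("A", honest_a), Replica("B", honest_b),
                         Replica("C", compromised)])
    served = [proxy.serve("/index.html"),   # C outvoted: first deviation
              proxy.serve("/index.html"),   # C outvoted again: quarantined
              proxy.serve("/about.html")]   # only A and B vote now
    return served, [r.name for r in proxy.active()], proxy.triggers


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Two design points matter for the defender. First, the proxy fails closed: with no strict majority among the active replicas (for instance, two survivors that disagree, or every replica erroring out) it returns nothing rather than guessing, so a single compromised component cannot steer the answer. Second, the trigger log is driven by disagreement among the services being protected, not by signatures of known attacks, which is the focus on service-threatening events that section A argues for.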
5. Specific basis for confidence in proposed approach:
The team's insights into the intrusion tolerance challenges, MCNC's track record in intrusion detection and assessment research, and Duke's track record in fault-tolerance and dependable systems research.
6. Nature of expected results:
An architecture design with associated intrusion-tolerance model, algorithms, and adaptive strategies; prototype implementation; and evaluation results/experience.
7. Risk if the work is not done:
Potentially maintaining the status quo of our ability to defend against intrusions while the risk of serious cyberspace attacks increases at an accelerated pace.
8. Criteria for evaluating progress and capabilities:
Milestones are planned at critical points so that we can evaluate progress and review and incorporate new ideas into the design; the design and implementation will be evaluated using analysis, simulation, and experiments.