SITAR: A Scalable Intrusion-Tolerant Architecture for Distributed Services-A Technology Summary

This paper presents a intrusion tolerant architecture for distributed services, especially COTS servers. It is motivated by two observations: First, no security precautions can guarantee that a system will not be penetrated; Second, mission critical applications need to provide minimal level of services even under active attacks or partially compromised. The emphasis of proposed architecture is on the continuity of operation. In this context, effects are more important than causes because a system will have to deal with and survive an adverse effect long before a determination is made as to whether the cause was an malicious attack, or a accidental failure. We utilize the techniques of both redundancy and diversity as our building blocks. Five critical components are defined in this proposed architecture: (1) Proxy Servers enforce the service policy specified by current intrusion tolerant strategy and policies determine which COTS servers the request should be “forwarded” to and how the final result be presented. (2) Acceptance Monitors apply validity checks to the response, optionally forward them to Ballot monitors along with indication of checking results. Acceptance monitors also detect signs of compromise on the COTS servers and generate intrusion triggers. (3) Ballot Monitors serve as “representatives” for the respective COTS servers to solve conflicts, and decide a final response through either a majority voting or Byzantine agreement process. The actual process taken will depend on the current level of detected security threat. (4) Adaptive Reconfiguration module receives intrusion trigger information from other modules (including Acceptance Monitors), evaluates threats, the tolerance objectives, cost/performance impact, and generate new configurations for the system. (5) Audit Control verifies the audit records and identifies abnormal behaviors in components by conducting periodic diagnosis tests. Keywords— Intrusion tolerance, intrusion detection and response, distributed system security, adaptive reconfiguration, voting Feiyi Wang and Frank Jou are with Advanced Network Research Group, MCNC, Research Triangle Park, NC. Email: {fwang2,jou}@mcnc.org Fengmin Gong is with Intrusion Detection Technology Division of IntruVert Network Inc. Email: [email protected] Chandramouli Sargor is with CoSine Communications, Inc., Redwood City, CA. Email: [email protected] Katerina Goseva-Popstojanova is a research associate in Duke University, Durham, NC. Email: [email protected] Kishor Trivedi is a professor in Duke University, Duhram, NC. Email: [email protected] This work is sponsored by the U.S. Department of Defense Advanced Research Projects Agency (DARPA) under contract N6600100-C-8057