Sustaining Intrusion-Tolerance by Proactive Replacement

We propose and study proactive replacement as a strategy for ensuring that the number of intrusions does not exceed the design threshold within an intrusiontolerant system. State machine replicas periodically replace themselves, en masse, by selecting a successor set from a large server farm housing spare machines that have been cleaned-up subsequent to any prior use. Selection is random to thwart adversary’s preference for any particular type of successor machines. Optionally, successors’ identities can be kept anonymous from selecting replicas, forcing the adversary to discover first the new replicas’ identities before launching attacks. Practicability of the proposed strategy is established in two ways. Architecture and combinations of well-known protocols for selection and state-transfer are outlined for the three replacement schemes proposed. Using analytical estimations and simulations, the replacement schemes are shown to be effective in sustaining tolerance capability by comparing them with a proactive recovery scheme that is assisted by an idealized Wormhole. With the availability and affordability of redundant machines, proactive replacement is a useful tolerance-sustaining strategy either on its own or in combination with its orthogonal counter-part, proactive recovery. © 2009 University of Newcastle upon Tyne. Printed and published by the University of Newcastle upon Tyne, Computing Science, Claremont Tower, Claremont Road, Newcastle upon Tyne, NE1 7RU, England. Bibliographical details EZHILCHELVAN, P., CLARKE, D., MITRANI, I., SHRIVASTAVA. Sustaining Intrusion-Tolerance by Proactive Replacement [By] P. Ezhilchelvan, D. Clarke, I. Mitrani, S. Shrivastava. Newcastle upon Tyne: University of Newcastle upon Tyne: Computing Science, 2009. (University of Newcastle upon Tyne, Computing Science, Technical Report Series, No. CS-TR-1146)