The design and implementation of an intrusion tolerant system

Reynolds, James C.; Just, James E.; Lawson, E.; Clough, L.; Maglich, R.; Levitt, Karl N.

doi:10.1109/fits.2003.1264943

Cited by 7 publications

(5 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DREME [11] defends against SQL injection attacks by using redundant database variants and diverse processes. HACQIT [29] uses server diversity (IIS and Apache) to mediate storage accesses from vulnerable web applications and introduces replay attack prevention using blacklists. Finally, Gao et al [23] and STILO [44] use probabilistic anomaly detection over system calls to identify misbehaving variants.…”

Section: Related Workmentioning

confidence: 99%

n-m-Variant Systems: Adversarial-Resistant Software Rejuvenation for Cloud-Based Web Applications

Polinsky,

Martin,

Enck

et al. 2019

Preprint

View full text Add to dashboard Cite

Web servers are a popular target for adversaries as they are publicly accessible and often vulnerable to compromise. Compromises can go unnoticed for months, if not years, and recovery often involves a complete system rebuild. In this paper, we propose n-m-Variant Systems, an adversarial-resistant software rejuvenation framework for cloud-based web applications. We improve the state-of-the-art by introducing a variable m that provides a knob for administrators to tune an environment to balance resource usage, performance overhead, and security guarantees. Using m, security guarantees can be tuned for seconds, minutes, days, or complete resistance. We design and implement an n-m-Variant System prototype to protect a Mediawiki PHP application serving dynamic content from an external SQL persistent storage. Our performance evaluation shows a throughput reduction of 65% for 108 seconds of resistance and 83% for 12 days of resistance to sophisticated adversaries, given appropriate resource allocation. Furthermore, we use theoretical analysis and simulation to characterize the impact of system parameters on resilience to adversaries. Through these efforts, our work demonstrates how properties of cloud-based servers can enhance the integrity of Web servers.

show abstract

Section: Related Workmentioning

confidence: 99%

n-m-Variant Systems: Adversarial-Resistant Software Rejuvenation for Cloud-Based Web Applications

Polinsky,

Martin,

Enck

et al. 2019

Preprint

View full text Add to dashboard Cite

show abstract

“…We downloaded and saved the rules of Snort for three different default rule configurations available from the Snort webpages (Community rules, Registered rules, and Subscribed rules). The difference between these rules are explained in the Snort website 5 . In summary, the website states the following for these different rules: the Subscribed (paid) rules are the ones that are available to users in real-time as they are released; the Registered rules are available to registered users 30 days after the Subscribed users; the Community rules are a small subset of the subscribed/registered rule sets and are freely available to all users.…”

Section: Description Of the Experiments And The Architecturementioning

confidence: 99%

“…Research projects studied distributed systems using diverse off-the-shelf products for intrusion tolerance (e.g. the U.S. projects Cactus [4], HACQIT [5] and SITAR 6 ; the EU MAFTIA project 7 ), but only sparse research exists on how to choose diverse defenses (some examples in [6], [7] [3,8]).…”

Section: Related Workmentioning

confidence: 99%

Diversity in Open Source Intrusion Detection Systems

Asad

Gashi

2018

Developments in Language Theory

View full text Add to dashboard Cite

We present an analysis of the diversity that exists in the rules and blacklisted IP addresses of the Snort and Suricata Intrusion Detection Systems (IDSs). We analysed the evolution of the rulesets and blacklisted IP addresses of these two IDSs over a 5month period between May and October 2017. We used three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. Analysing the differences in these systems allows us to get insights on where the diversity in the behaviour of these systems comes from and how does it evolve over time. This gives insight to Security architects on how they can combine and layer these systems in a defence-in-depth deployment. To the best of our knowledge a similar experiment has not been performed before. We will also show results on the observed diversity in behaviour of these systems, when they analysed the network data of the DMZ network of City, University of London.

show abstract

“…Vandiver et al [43] use a setting of replicated databases and synchronize at the level of SQL transactions. Reynolds et al [34] diversify a web server using different products running on different operating systems and synchronize at the level of HTTP requests. Rodrigues et al [35] replicate file systems at the level of the NFS protocol.…”

Section: Related Workmentioning

confidence: 99%

Runtime Defense against Code Injection Attacks Using Replicated Execution

Salamat

Jackson

Wagner

et al. 2011

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

The number and complexity of attacks on computer systems are increasing. This growth necessitates proper defense mechanisms. Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise software. Multi-variant execution is an intrusion detection mechanism that executes several slightly different versions, called variants, of the same program in lockstep. The variants are built to have identical behavior under normal execution conditions. However, when the variants are under attack, there are detectable differences in their execution behavior. At run time, a monitor compares the behavior of the variants at certain synchronization points and raises an alarm when a discrepancy is detected. We present a monitoring mechanism that does not need any kernel privileges to supervise the variants. Many sources of inconsistencies, including asynchronous signals and scheduling of multi-threaded or multi-process applications, can cause divergence in behavior of variants. These divergences cause false alarms. We provide solutions to remove these false alarms. Our experiments show that the multi-variant execution technique is effective in detecting and preventing code injection attacks. The empirical results demonstrate that dual-variant execution has on average 17% performance overhead when deployed on multi-core processors.

show abstract

The design and implementation of an intrusion tolerant system

Cited by 7 publications

References 5 publications

n-m-Variant Systems: Adversarial-Resistant Software Rejuvenation for Cloud-Based Web Applications

n-m-Variant Systems: Adversarial-Resistant Software Rejuvenation for Cloud-Based Web Applications

Diversity in Open Source Intrusion Detection Systems

Runtime Defense against Code Injection Attacks Using Replicated Execution

Contact Info

Product

Resources

About