The design and implementation of an intrusion tolerant system

Reynolds, James C.; Just, James E.; Lawson, E.; Clough, L.; Maglich, R.; Levitt, Karl N.

doi:10.1109/dsn.2002.1028912

Cited by 42 publications

(28 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…VirusTotal (VT) is a web service that allows the analysis of a given malware sample by the signature-based engines of different AntiVirus vendors 3 . All the engines are always kept up-to-date with the latest version of the signatures.…”

Section: Experimental Setup and Architecturementioning

confidence: 99%

“…In the field of intrusion tolerance there have already been examples of implementing intrusion tolerant architectures which employ diverse intrusion detection systems for detecting malicious behaviour [3]. Similarly, a recent publication [4] has also detailed an implementation of an AntiVirus (AV) platform which makes use of diverse AntiVirus products for malware detection.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Experimental Study of Diversity with Off-the-Shelf AntiVirus Engines

Gashi

Stanković

Leita³

et al. 2009

2009 Eighth IEEE International Symposium on Network Computing and Applications

View full text Add to dashboard Cite

Abstract-Fault tolerance in the form of diverse redundancy is well known to improve the detection rates for both malicious and non-malicious failures. What is of interest to designers of security protection systems are the actual gains in detection rates that they may give. In this paper we provide exploratory analysis of the potential gains in detection capability from using diverse AntiVirus products for the detection of self-propagating malware. The analysis is based on 1599 malware samples collected by the operation of a distributed honeypot deployment over a period of 178 days. We sent these samples to the signature engines of 32 different AntiVirus products taking advantage of the VirusTotal service. The resulting dataset allowed us to perform analysis of the effects of diversity on the detection capability of these components as well as how their detection capability evolves in time.

show abstract

Section: Experimental Setup and Architecturementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

An Experimental Study of Diversity with Off-the-Shelf AntiVirus Engines

Gashi

Stanković

Leita³

et al. 2009

2009 Eighth IEEE International Symposium on Network Computing and Applications

View full text Add to dashboard Cite

show abstract

“…Early works on software diversity construct intrusion tolerance systems [3,21] with software providing semantically-close functionalities. This architecture is then utilized for developing diversity-based intrusion detection techniques [6,10,11,16,25].…”

Section: Related Workmentioning

confidence: 99%

On Detection of Erratic Arguments

Han

Yan

Deng

et al. 2012

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Due to the erratic nature, the value of a function argument in one normal program execution could become illegal in another normal execution context. Attacks utilizing such erratic arguments are able to evade detections as fine-grained context information is unavailable in many existing detection schemes. In order to obtain such fine-grained context information, a precise model on the internal program states has to be built, which is impractical especially monitoring a closed source program alone. In this paper, we propose an intrusion detection scheme which builds on two diverse programs providing semantically-close functionality. Our model learns underlying semantic correlation of the argument values in these programs, and consequently gains more accurate context information compared to existing schemes. Through experiments, we show that such context information is effective in detecting attacks which manipulate erratic arguments with comparable false positive rates.

show abstract

“…Interestingly, our architecture could be used to automatically fix any type of software fault, such as invalid memory dereference, by plugging in the appropriate repair module. When it is impossible to automatically obtain a software fix, we can use content-filtering as in [29] to temporarily protect the service. The possibility of combining the two techniques is a topic of future research.…”

Section: Discussionmentioning

confidence: 99%

“…The HACQIT architecture [29] uses various sensors to detect new types of attacks against secure servers, access to which is limited to small numbers of users at a time. Any deviation from expected or known behavior results in the possibly subverted server to be taken off-line.…”

Section: Related Workmentioning

confidence: 99%