Dependable Intrusion Tolerance - PowerPoint PPT Presentation

1 / 12

About This Presentation

Title:

Dependable Intrusion Tolerance

Description:

Proof-Based Triggers. Diversified Server Bank. HP/UX/Openview Server. Linux/Apache ... High-level policy is decomposed into proof-based triggers ... – PowerPoint PPT presentation

Number of Views:229

Avg rating:3.0/5.0

Slides: 13

Provided by: phillip101

Category:

more less

Transcript and Presenter's Notes

Title: Dependable Intrusion Tolerance

1
Dependable Intrusion Tolerance

Alfonso Valdes
Victoria Stavridou
Yves Deswarte
Hassen Saïdi

2
Dependable Intrusion Tolerance

Intrusion Detection to Date
Seeks to detect possibly infinite number of
attacks in progress
Relies on signature analysis and probabilistic
(including Bayes) techniques
Response components immature
No concept of intrusion tolerance

New Emphasis
Detection, diagnosis, and recovery
Finite number of attacks or deviations from
expected system behavior
Seek a synthesis of intrusion detection,
unsupervised learning, and proof-based methods
for the detection aspect
Concepts from fault tolerance are adapted to
ensure delivery of service (possibly degraded)

3
Ideas Adapted from Fault Tolerance

Faults (including malicious faults) are
inevitable, need to provide service in spite of
these
Faults are manifest in errors
Ideally, detected before they lead to failure
Service is provided in a redundant fashion in
spite of error
Distributed server bank
Diverse platforms/OS

4
Reusable Architecture
Diversified Server Bank
Distributed Tolerance Proxy (Diverse platform/OS)
HP/UX/Openview Server
Solaris/Enterprise Server
WinNT/IIS Server
Classic Firewall
Linux/Apache
Tolerance Proxy Server
Challenge/ Response Protocols
Report Consolidation
2
1
Symptomatic anomaly detector
Hardened EMERALD IDS
1 Firewall Filter Insertion 2 Dynamic Proxy
Configuration 3 HTTP Service Management 4 Sensor
Management
Proof-Based Triggers
5
Complementary Architecture Components

Proof based triggers Formal models used on-line
to provide continuous checks
Intrusion detection (EMERALD signature
components)
Competitive learning (Symptomatic Anomaly
Detection) monitors the delivered service for
unanticipated QOS deviations
Challenge/response Protocols present a request of
the service bank for which the reply is known
Components are on diverse platforms and OS

6
Proof-Based Triggers (Formal Models used On-Line)

Policy is captured within a formal framework
High-level policy is decomposed into proof-based
triggers
Triggers detect departures from policy
Policy dynamically changes through the policy
activator
Due to triggers, or
Response to manual selection
Which triggers are active depends on policy
variant in effect (e. g. INFOCON level)

7
Challenge/Response

Periodically submitted by Tolerance Proxy to each
component
Frequency of challenge can change according to
policy
Challenge is a random number
Response is computed from this challenge and an
integrity check on the component

8
Diagnosis

Alarm/anomaly reports from diverse sources
Forwarded to distributed tolerance proxy service
Tolerance proxy components consolidate reports,
resolving conflict as needed
The aggregate decision of the tolerance proxy
components must itself be validated
Response, if warranted, is jointly determined
Desired conclusions from inference
Intrusion or anomaly has been detected
(confidence of detection?)
Component has been compromised (confidence in
component?)
Server is down

9
Response/Recovery

Error masking Reliably determine and deliver
valid response in case of non-agreement, if
possible.
Client is unaware of error
Identify and repair suspicious component
Failed Server Reboot, perform integrity checks
on content
If source of intrusion is reliably identified,
reconfigure firewall dynamically to block this
(for some time interval)
Failed tolerance proxy server Restart, rebuild
its state dynamically from its peers

10
Risks/Mitigation