A dependable intrusion detection architecture based on agreement services

Authors:
Michel Hurfin;Jean-Pierre Le Narzul;Frédéric Majorczyk;Ludovic Mé;Ayda Saidane;Eric Totel;Frédéric Tronel
Affiliations:
INRIA Rennes, IRISA, Rennes cedex, France;GET ENST Bretagne, Cesson-Sévigné, France;Supélec, Cesson-Sévigné, France;Supélec, Cesson-Sévigné, France;Supélec, Cesson-Sévigné, France;Supélec, Cesson-Sévigné, France;University of Rennes, IRISA, Rennes cedex, France
Venue:
SSS'06 Proceedings of the 8th international conference on Stabilization, safety, and security of distributed systems
Year:
2006

Citing 10
Cited 0

Unreliable failure detectors for reliable distributed systems

Journal of the ACM (JACM)
Group communication

Communications of the ACM
Practical Byzantine fault tolerance

OSDI '99 Proceedings of the third symposium on Operating systems design and implementation
The Byzantine Generals Problem

ACM Transactions on Programming Languages and Systems (TOPLAS)
Delta Four: A Generic Architecture for Dependable Distributed Computing

Delta Four: A Generic Architecture for Dependable Distributed Computing
The Rampart Toolkit for Building High-Integrity Services

Selected Papers from the International Workshop on Theory and Practice in Distributed Systems
A General Framework to Solve Agreement Problems

SRDS '99 Proceedings of the 18th IEEE Symposium on Reliable Distributed Systems
Separating agreement from execution for byzantine fault tolerant services

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
An intrusion tolerant architecture for dynamic content internet servers

Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security
COTS diversity based intrusion detection and application to web servers

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.01

Visualization

Abstract

In this paper, we show that the use of diversified COTS servers allows to detect intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid any single point of failure. On the one hand we assume that COTS servers are complex softwares that contain some vulnerabilities and thus may exhibit arbitrary behaviors. While on the other hand other basic components of the proposed architecture are simple enough to be exhaustively verified. That's why we assume that they can only suffer from crash failures. The whole system is assumed to be asynchronous and furthermore messages can be lost. In the particular case of Web servers connected to databases, we identify the properties that have to be maintained and the alarms that have to be raised. We describe in details how the different replicated levels interact together and, for each level, we precise the reasons that have led us to use a particular agreement service. Performance evaluations are conducted to measure the quality of service of the Intrusion Detection System (quantity of false positives and lack of false negatives) and the additional cost induced by the mechanisms used to ensure the availability of this secure architecture.