Intrusion Tolerance by Unpredictability and Adaptation
About the Project
The "Intrusion Tolerance by Unpredictable Adaptation (ITUA)" project is supported by the Defense Advanced Research Projects Agency (DARPA). It is a joint effort of BBN Technologies, the University of Illinois, the University of Maryland, and Boeing Corporation. The University of Illinois has its own ITUA project page.
Technical Motivation
Intrusions into computer systems have become as ubiquitous as computers themselves, affecting matters ranging from personal finances to national security. While there is little doubt that these intrusions pose a serious threat, previous and continuing attempts to secure information systems completely are proving to be difficult or impossible in the short run, and perform poorly or are too expensive. There are at least three major factors that have continued (and are likely to continue) to diminish our ability to withstand hostile attacks on critical information systems:
- An economic mandate to construct systems with more cost-effective COTS parts, accepting any security problems that come with them;
- The increasingly sophisticated nature of commonly available technologies capable of mounting more complex and sustained attacks against these systems; and
- The fact that systems are increasingly more inter-networked and need to remain open to meet inter-operability goals.
The first of these factors makes it more likely that some system components will be compromised and corrupted by adversaries. The second makes it likely that preplanned, coordinated and sustained attacks will be mounted against high-value systems. The third implies that the effects of a successful intrusion will be compounded as multiple systems are attacked. These three factors have motivated the ITUA project, which aims to significantly increase our understanding of cyber-attack and to use that understanding in the design of better defenses.
Goal
The goal of this project is to develop technology and system design techniques for building information systems that will tolerate, i.e., continue to function without violating program and data integrity, a class of attacks. We will investigate planned attacks that are carried out in multiple phases in a coordinated manner focusing on the impacts they have on system resources. We will develop algorithms and software tools that will allow applications to adapt to the effects of such attacks. Our approach will build upon adaptive middleware technology that enables applications to be aware of and responsive to the availability and quality of system resources.
Scope and Technical Approach
The general scope of the project is to develop advanced redundancy management techniques, specifically addressing the faults resulting from planned and multi-staged attacks, with techniques that produce unpredictable (to the attacker) and variable responses to complicate the ability to plan and coordinate attacks. We will develop new algorithms that tolerate the characteristic Byzantine faults resulting from these attacks. These algorithms may be approximate, trading accuracy for performance, and will support graceful degradation when resources become scarce. This advanced redundancy mechanism, our first line of defense, will be augmented with reactive indeterminacy based on distributed system techniques for flexible reconfiguration using adaptive middleware and a set of decentralized managers, to coordinate these distributed responses to adapt the system's resources and redundancy aspects. If successful, the result will be an intrusion-tolerant core of proactive mechanisms augmented with reactive techniques for tolerating planned and multi-stage attacks. The inability of an adversary to plan a sustained attack effectively in the light of expected (but unpredictable) responses makes successful attacks both less likely and more expensive. In addition, we will employ defensive measures to protect the redundancy and adaptive mechanisms from abuse by the attackers.
Innovative Claims
The following are the key distinguishing aspects of our approach:
- We are defending against planned and multi-staged attacks that impact system resources and cause arbitrary failure of system components. These failures may occur simultaneously in multiple places or propagate in cascading waves.
- Traditional approaches to intrusion tolerance aim to protect the infrastructure from attackers by using techniques like detection, diagnosis, containment, recovery, eradication and prevention. Our approach is to use adaptation to cope with the effects that an attack may have on system resources. In some sense, that could be described as indirect recovery.
- The tolerance mechanisms we are developing lie in the middle, between the application and the infrastructure resources, brokering awareness and control of each side to the other.
- Use of unpredictability is not uncommon as a security technique in the intelligence community. Our idea is to use unpredictable adaptation to subvert the intelligent adversary's ability to launch planned attacks on computer systems.
- The algorithms we are developing for Byzantine tolerance allow approximate solutions, balancing accuracy, cost and availability of resources. This facilitates graceful degradation (as opposed to stopping the application altogether) when the attacker has taken control over some of the resources.
Quad Charts
- As submitted to DARPA in 2001 (Powerpoint version)
Presentations
- Demonstration at DISCEX III, April 2003
- Presentation at the OASIS summer 2002 PI meeting, August 21 2002
- Presentation at the Workshop on Intrusion-Tolerant Systems DSN June 2002 powerpoint version
- Presentation at the OASIS winter 2002 PI meeting, Hilton Head Island, SC, March 2002 pdf version
- Presentation at the OASIS summer 2001 PI meeting, Santa Fe, NM, July 2001 powerpoint version.
- Presentation at the OASIS winter 2001 PI meeting, Norfolk, VA, February 2001 powerpoint version.
- Kick-off presentation at the IA&S Joint PI meeting, Honolulu, July 2000 (Powerpoint version) (This link refers to the IA&S password protected site.)
Papers
- Providing Intrusion Tolerance With ITUA
M. Cukier, T. Courtney, J. Lyons, H. V. Ramasamy, W. H. Sanders, M. Seri, M. Atighetchi, P. Rubel, C. Jones, F. Webber, P. Pal, R. Watro, and J. Gossett.
Supplement of the 2002 International Conference on Dependable Systems and Networks, June 23-26, 2002.
- Intrusion Tolerance Approaches in ITUA
M. Cukier, J. Lyons, P. Pandey, H. V. Ramasamy, W. H. Sanders, P. Pal, F. Webber, R. Schantz, J. Loyall, R. Watro, M. Atighetchi, and J. Gossett.
FastAbstract in Supplement of the 2001 International Conference on Dependable Systems and Networks, Goeteborg, Sweden, July 1-4, 2001, pp. B-64 to B-65
- Intrusion Tolerant Systems
Pal P, Webber F, Schantz RE, and Loyall JP.
Proceedings of the IEEE Information Survivability Workshop (ISW-2000), 24-26 October 2000, Boston, Massachusetts.
- Survival by Defense-Enabling
Pal P, Webber F, Schantz RE, Loyall JP, Watro R, Sanders W, Cukier M and Gossett J.
Proceedings of the New Security Paradigms Workshop 2001, Cloudcroft, New Mexico, September 11-13, 2001, pp. 71-78.
- Assessing Adaptation in the Context of Security and Survivability
Rubel P and Pal P.
Presented as a position paper in the First Workshop on Information-Security-System Rating and Ranking (ISSRR), Williamsburg, VA, May 2001.
- Quantifying the Cost of Providing Intrusion Tolerance in Group Communication Systems
H. V. Ramasamy, P. Pandey, J. Lyons, M. Cukier, and W. H. Sanders.
Proceedings of the 2002 International Conference on Dependable Systems and Networks (DSN-2002), Washington, DC, June 23-26, 2002.
- Probabilistic Validation of Intrusion Tolerance.
W. H. Sanders, M. Cukier, F. Webber, P. Pal, and R. Watro.
Digest of Fast Abstracts: The International Conference on Dependable Systems and Networks, Bethesda, Maryland, June 2002.
- A Configurable CORBA Gateway for Providing Adaptable System Properties
M. Seri, T. Courtney, M. Cukier, V. Gupta, S. Krishnamurthy, J. Lyons, H. Ramasamy, J. Ren, and W. H. Sanders.
Proceedings of the Workshop on Dependable Middleware-Based Systems (WDMS 2002), Washington, DC, June 26, 2002, to appear.
- Reliable Delivery and Ordering Mechanisms for an Intrusion-Tolerant Group Communication System
P. Pandey
Master's Thesis, University of Illinois, 2001
- A Group Membership Protocol for an Intrusion-Tolerant Group Communication System.
H. V. Ramasamy
Master's Thesis, University of Illinois at Urbana-Champaign, 2002.
- Formal Specification and Verification of a Group Membership Protocol for an Intrusion-Tolerant Group Communication System.
H. V. Ramasamy, M. Cukier, and W. H. Sanders.
Submitted for publication.
Other technical documents
- The ITUA intrusion model (a somewhat more formal attempt to organize the scope and assumptions of the project) can be found here. This is an evolving document; we plan to refine it as the project progresses.
Other Technical Activities Related to the Project
- Impediments to Building Survivable Systems: An Experience Report
P. Rubel, P. Pal, F. Webber, M. Atighetchi, and C. Jones
accepted at the IEEE ISW - 2001/2002 workshop
- Franklin Webber was on a panel on "Integrating Fault Tolerance and Security in Distributed Information Systems" at the 19th IEEE Symposium on Reliable Distributed Systems (October 16-18, 2000, Nuremberg, Germany).
- Partha Pal presented our work-in-progress at the IEEE ISW-2000 workshop (October 24-26, 2000, Boston).
- Bill Sanders represented our project in the joint EU-US workshop on Intrusion and Attack Tolerance (January 29-30, 2001, Lisbon).
ITUA People
BBN
- Michael Atighetchi
- Chris Jones
- Joe Loyall
- Partha Pal
- Rick Schantz
- Paul Rubel
- Franklin Webber
- Idit Keidar - MIT / The Technion
University of Illinois at Urbana Champaign
University of Maryland
The Boeing Company
- David Corman
- Jeanna Gossett
Last modified October 31, 2003
This project is a DARPA/ITO-funded research effort under the Information Assurance and Survivability, Intrusion Tolerant Systems (now OASIS) program.