Home | Introduction | Publications | Patents | Team


SCIT: Self Cleansing Intrusion Tolerance

The SCIT research project at George Mason University aims to create a secure server cluster framework that encompasses the following elements.

  • Our focus is on critical infrastructure services of computer and communication networks. Typically, such services justify the use of server redundancy to improve service availability and dependability.
  • The first goal is incorruptible intrusion tolerance, which fends off or at least limits the damage of unknown and undetected attacks against critical servers. Our approach relies on mechanisms of intrusion tolerance that are shielded from external influence/attacks by hardware.
  • The second goal is to use spare, backup servers to improve both cluster security and service availability.
  • The building blocks of our solutions are constant server rotations and system self cleansing, regardless of whether an intrusion is detected or not.

This research has been supported by US Army's Telemedicine and Technology Research Center, the NIST funded Critical Infrastructure Protection Program, SUN Microsystems, Lockheed Martin, Commonwealth of Virginia CTRF fund (project partner Northrop Grumman).


Introduction to SCIT

(Excerpts from the Cluster-Sec06 paper)

It is widely accepted that increasing the level of redundancy in a system generally improves service availability and system dependability. System security, on the other hand, is recognized as a critical subject on its own but has not often been associated with the issue of redundancy. This separation is evident when managers consider further investments in hardware. Hardware investments, such as acquiring more computing power, typically aim to improve services, to handle anticipated increases in workload, or to better assure service survivability at times of server failures; they are not expected to automatically strengthen the security of the system. As visualized in Figure 1, the goal of this work is to establish the connection between cluster security and hardware redundancy in the form of spare computing power and in the context of intrusion tolerance.

[Figure 1]

Fig.1: Relationship between additional computing power with service availability and system security in the context of SCIT

The difficulty in securing computer systems stems in large part from the increasing complexity of the systems today and the constant innovation and morphing of attack techniques. Despite intense research on computer and network security, critical information processing systems remain vulnerable to attacks [1]. We believe that the trend warrants a new thinking in computer security: there will always be attacks that are sophisticated and stealthy enough to penetrate even the best security measures and evade the most advanced intrusion detection systems. It follows that a critical system must support intrusion prevention, detection, and /tolerance/, the last of which fends off, limits, or at least slows down the damages caused by successful but undetected attacks.

Our response to the intrusion tolerance problem is /Self-Cleansing Intrusion Tolerance/, or SCIT. The underlying assumption of SCIT is that a server that has been performing services online, and as a result has been exposed to attacks, must be assumed compromised. Consequently, an online server must be periodically cleansed to restore it to a known clean state, regardless of whether an /intrusion is detected or not/. While this paranoid attitude may be overkill for an average server, it is perfectly appropriate for critical, infrastructural servers or those whose breaches result in high pecuniary losses or even compromise national security. For a server of such consequences, it is common practice to use a dedicated hot standby, ready to take over the online tasks when the primary fails. In our approach to security we have specialized the SCIT solution for each class of servers. In a series of papers we have presented our designs of SCIT-enabled firewalls, web servers, and DNS servers. The robustness and effectiveness of the SCIT framework against cyber attacks have also been investigated.

The effectiveness of SCIT depends on constant server rotations to limit the window during which an intruder can stay in the system. The longer this /Intruder Residence Time/, the greater the damage and loss. We anticipate that the loss curve will be an S-curve of the form in Figure 2. If the Intruder Residence Time is less than the low loss threshold, then the cost of the intrusion is low, while an Intruder Residence Time greater than the high loss threshold will lead to near-maximum loss. The low loss threshold reflects the fact that it takes a certain time for an intruder to probe system configurations, issue malicious commands, establish backdoors, install Trojan horse programs and so on in order to gain a foothold in the target system. The steep slope between the two thresholds indicates that the intruder is in the middle of achieving the "end goals," such as stealing sensitive information, rendering the service unavailable and/or tampering with important data.

[Figure 2]

Fig. 2: Loss curve: Loss in dollars vs. Intruder Residence Time

Although there is no hard data for building the loss curve in Figure 2, there are reports that can help the process of building such a curve. For example, in [2] it is reported that in the context of on-line banking, security experts believe that a theft of $5,000 to $10,000 can be carried out over a few weeks, while larger losses up to $1 million are likely to take four to six months.

It is emphasized that SCIT is not a substitute for the conventional defense systems against intrusion. Hardening system security raises the low-loss threshold by making it more difficult for the enemy to obtain a foothold. In the meantime, frequent server rotations reduce /Server Exposure Times/, the time window in which a server stays online and is inevitably exposed to attacks. A successful, undetected breach is /contained/ if the server exposure time is shorter than the low loss threshold, that is to say, if the compromised server is rotated offline before the breach causes significant damage.

The hardening of system security has been the subject of innumerable studies. In SCIT we provide another layer of security by reducing the attack window. Server Exposure Times can be reduced by employing more computing power to speed up server rotations. Overall our objective is to explore new metrics for security and our challenge is to analytically provide guarantees such as:

Minimum Service Guarantee: With arbitrary server failures the cluster maintains predefined minimum service availability as long as the cluster still has a required number of (functioning) servers. We notice that many fault tolerance designs provide similar features.

Server Rotation Guarantee: Server rotations, the primary security defense of SCIT, continue with arbitrary server failures as long as the cluster has one server more than the required number of servers to meet the minimum service requirement.

Moreover, while it is well understood that increasing server redundancy improves fault tolerance, its effectiveness in closing attack windows will be investigated through a simulation study. Results of this study show that attack windows are less than 5 minutes using the same level of redundancy as the primary-and-backup setup. Much shorter windows can be achieved by adding more computing power, either in the form of more powerful processors in individual servers to speed up self cleansing or in the form of more spare servers in the cluster to speed up server rotations.
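The rotation behaviour and the two guarantees above can be explored with a small model. This is an added example, not code from the Cluster-Sec06 paper or the SCIT project; the pacing rule (one swap every cleanse time divided by the number of spares), the failure model, and all numeric values are assumptions made for illustration.

```python
from collections import deque

def simulate(n, k, cleanse_s, horizon_s, failures=()):
    """Paced round-robin rotation of n servers with k required online.
    failures: ascending times at which one server dies (constructed input).
    Returns (worst_exposure_s, status)."""
    online = deque([0.0] * k)        # online-since time per live server, oldest first
    spares = deque([0.0] * (n - k))  # time at which each offline server is clean
    pending = deque(failures)
    t = worst = 0.0
    while True:
        # Assumed pacing: one swap every cleanse_s / spares keeps a clean spare ready.
        step = cleanse_s / len(spares) if spares else horizon_s
        nxt = min(t + step, horizon_s)
        if pending and pending[0] <= nxt:
            t = pending.popleft()
            # Assumed failure model: a spare covers the dead machine, so a
            # failure costs one spare; with no spares left it costs capacity.
            if spares:
                spares.pop()
            elif online:
                online.popleft()
            continue
        t = nxt
        if t >= horizon_s:
            break
        t = max(t, spares.popleft())              # wait until the spare is clean
        worst = max(worst, t - online.popleft())  # exposure of the server going offline
        online.append(t)                          # clean server goes online
        spares.append(t + cleanse_s)              # old server starts cleansing
    if online:
        worst = max(worst, horizon_s - online[0])  # servers still exposed at the end
    if len(online) < k:
        return worst, "below minimum service"
    return worst, "rotating" if spares else "rotation halted"

def contained(exposure_s, low_loss_threshold_s):
    """Containment condition from the text: exposure shorter than the low loss threshold."""
    return exposure_s < low_loss_threshold_s
```

In this model the steady-state exposure time is k × cleanse time ÷ spares, so it shrinks with faster cleansing or more spares, and it grows without bound once failures leave the cluster with only the k required servers.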

[1] President's Information Technology Advisory Committee (PITAC), Cyber Security: A Crisis of Prioritization, February 2005. available at http://www.nitrd.gov.

[2] Sandeep Junnarkar, "Anatomy of a hacking", available at http://news.com.com/2009-1017-893228.html, May 2002.


Video of SCIT Web Server Demo

We have recorded a real-time video demonstrating the operations of two SCIT web servers. The first is a Simple web server, a website with static information only. The second is a Persistent Session web server, for which we use a shopping cart to demonstrate the operations. In addition, we show how SCIT servers recover from two attacks: a website defacement attack and a software deletion attack. For best quality, download the full 15MB video: http://cs.gmu.edu/~asood/scit/SCIT-Demo_0003.wmv

The demo video is also posted on YouTube, where the image quality is not as good as above: http://www.youtube.com/watch?v=gIN6JWInuv8

ECommerce Demo Video

Video is available for download in .mov and .wmv formats and can be viewed in streaming video mode.

The demo in Quick Time compatible format (mov) is 97 MB and can be downloaded from http://cs.gmu.edu/~asood/scit/SCIT-ECommerce-Demo.mov

ECommerce SCIT demo video in wmv format is about 280 MB and can be downloaded from http://cs.gmu.edu/~asood/scit/SCIT-ECommerce-Demo.wmv

To stream the demo video go to http://vimeo.com/8811055 (password is scit)


Publications, Media Reports and Patents

  • Ajay Nagarajan, Quyen Nguyen, Robert Banks and Arun Sood, “Combining Intrusion Detection and Recovery for Enhancing System Dependability”, 5th Workshop on Recent Advances in Intrusion-Tolerant Systems, in conjunction with 41st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2011), Hong Kong, 28 June, 2011. [WRAITS-2011.pdf]
  • Quyen Nguyen, Arun Sood, “Designing SCIT Architecture Pattern in a Cloud-based Environment”, The First International Workshop on Dependability of Clouds, Data Centers and Virtual Computing Environments (DCDV 2011) in conjunction with 41st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2011), Hong Kong, 28 June, 2011.[DCDV-2011.pdf]
  • Quyen L. Nguyen and Arun Sood, "Comparative Analysis of Intrusion-Tolerant System Architectures", IEEE Security and Privacy. Preprint. Accepted for publication August 2010. [SP-PrePrint.pdf]
  • Quyen L. Nguyen and Arun Sood, "Multiclass S-Reliability for Services in SOA", accepted for The Fifth International Conference on Software Engineering Advances, ICSEA 2010, Nice, France, August 22-27, 2010.
  • David Pham and Arun K Sood, "An Intrusion Tolerance Approach to Enhance Single Sign On Server Protection", Proc The Third International Conference on Dependability (DEPEND 2010), July 18-25, 2010 - Venice/Mestre, Italy. [DEPEND2010_SSO.pdf]
  • Ajay Nagarajan and Arun Sood, "SCIT and IDS Architectures for Reduced Data Ex-filtration", 4th Workshop on Recent Advances in Intrusion-Tolerant Systems, Chicago, IL, USA, June 28 2010. [WRAITS2010_Des_Trees.pdf]
  • Quyen L. Nguyen and Arun Sood, "Realizing S-Reliability for Services via Recovery-driven Intrusion Tolerance Mechanism", 4th Workshop on Recent Advances in Intrusion-Tolerant Systems, Chicago,IL, USA, June 28 2010. [WRAITS2010_sreliability.pdf]
  • Quyen Nguyen and Arun Sood, Quantitative Approach to Tuning of a Time-Based Intrusion-Tolerant System Architecture, 3rd Workshop on Recent Advances in Intrusion Tolerant Systems, Portugal, June 29, 2009.[WRAITS2009.pdf]
  • Anantha K. Bangalore and Arun K Sood, Securing Web Servers Using Self Cleansing Intrusion Tolerance (SCIT), Proc The Second International Conference on Dependability (DEPEND 2009)June 18-23, 2009 - Athens/Vouliagmeni, Greece. [DEPEND2009.pdf]
  • Arsenault, D., and Sood, A.(2007). "Resilience: A Systems Design Imperative." CIPP Working Paper 02-07. Arlington, VA: George Mason University. [CIPP2007.pdf]
  • David Arsenault, Arun Sood, and Yih Huang, "Secure, Resilient Computing Clusters: Self-Cleansing Intrusion Tolerance with Hardware Enforced Security (SCIT/HES)" Proceedings Second International Conference on Availability, Reliability and Security (ARES 2007), Vienna, Austria, April 2007. [ARES2007.pdf]
  • Yih Huang, David Arsenault, and Arun Sood, "Incorruptible Self-Cleansing Intrusion Tolerance and Its Application to DNS Security" Journal of Networks, Academy Press, vol 1 No 5, pp 21 - 30, September/October 2006. [Network06.pdf]
  • Yih Huang, David Arsenault, and Arun Sood, "Closing Cluster Attack Windows through Server Redundancy and Rotations" Proceedings of the Second International Workshop on Cluster Security (Cluster-Sec06), Singapore, May 2006.[CSEC06.pdf]
  • Yih Huang, David Arsenault, and Arun Sood, "SCIT-DNS: Critical Infrastructure Protection through Secure DNS Server Dynamic Updates", Journal of High Speed Networking, vol 15 No 1, pp 5-19, 2006.
  • Yih Huang, David Arsenault, and Arun Sood, "Securing DNS Services through System Self Cleansing and Hardware Enhancements", Proceedings First International Conference on Availability, Reliability and Security (ARES 2006), Vienna, Austria, April 2006. [ARES06.pdf]
  • Yih Huang, David Arsenault, and Arun Sood, "Incorruptible System Self-Cleansing for Intrusion Tolerance", Proceedings Workshop on Information Assurance (WIA 2006), Phoenix, AZ, April 2006 (in press). [WIA2006.pdf]
  • Yih Huang, David Arsenault, and Arun Sood, "SCIT-DNS: Critical Infrastructure Protection through Secure DNS Server Dynamic Updates", Proceedings of 3rd International Trusted Internet Workshop (TIW), Bangalore, INDIA, December 2004. [SCIT-DNS-TIW04.pdf]
  • Yih Huang, Arun Sood, and Ravi K. Bhaskar, "Countering Web Defacing Attacks with System Self-Cleansing," /Proceedings of 7th World Multiconference on Systemics, Cybernetics and Informatics/, pp. 12-16, Orlando, Florida, July 2003. [defacing.pdf]
  • Yih Huang and Arun Sood, "Self-Cleansing Systems for Intrusion Containment", Proceedings of Workshop on Self-Healing, Adaptive, and Self-Managed Systems (SHAMAN), New York City, June 2002. [shaman02.pdf]

Online Articles

  • Arun Sood, " Exposure Time - A Metric For Proactive Security Risk Management", http://www.riskbloggers.com/arunsood/2007/07/exposure-time-a-metric-for-proactive-security-risk-management/ , 23 July 2007.
  • Naresh Verma, Yih Huang, and Arun Sood, "Proactively Managing Security Risk", http://www.securityfocus.com/infocus/1896 , 07 November 2007.

Media Reports

  • Kelly Jackson Higgins, "Dark Reading News Analysis: New Intrusion Tolerance Technology Treats Attacks as Inevitable", http://www.darkreading.com/document.asp?doc_id=153621 12 May 2008
  • Kelly Jackson Higgins, "Dark Reading Port In A Storm: Are Security Breaches Inevitable?", http://www.darkreading.com/document.asp?doc_id=154016 15 May 2008
  • Jennifer Edgerly, "New Intrusion Tolerance Software Fortifies Server Security", http://gazette.gmu.edu/articles/12128/ , 18 June 2008 (abridged version at http://www.physorg.com/news132846874.html and http://www.sciencedaily.com/releases/2008/06/080616144905.htm )
  • "La tolérance aux intrusions profite de la virtualisation", http://www.atelier.fr/securite/10/18062008/tolerance-aux-intrusions-virtualisation-36715-.html 18 June 2008
  • Tim Greene, "Software makes virtual servers a moving target", Network World, http://www.networkworld.com/news/2008/061908-scit.html?page=1 , 19 June 2008 (also in http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101418&source=rss_news50; http://www.pcworld.com/businesscenter/article/147406/limit_internet_attacks_with_virtual_servers.html)

Patents

  • "Self-Cleaning System", US 7549167. Issued 6/16/2009. Inventors: Yih Huang and Arun Sood
  • "SCIT-DNS: Critical Infrastructure Protection through Secure DNS Server Dynamic Updates", US 7680955. Issued 03/16/2010. Inventors: David Arsenault, Yih Huang and Arun Sood.
  • "Single Use Server System", US 7725531. Issued May 25, 2010 Inventors: David Arsenault, Yih Huang and Arun Sood.

Pending

  • Regular US Patent Application # 11,419,832, Data Alteration Prevention System, Filed 5/23/2006.
  • Regular US Patent Application # 12,695,710, Self-Cleansing Secure DNS Server
  • Regular US Patent Application # 12,695,686, Cache Validating SCIT DNS Server

SCIT Researchers

Ajay Nagarajan

Anantha Bangalore

David Arsenault

Yih Huang

Danny Han

David Pham

Arun Sood



© 2002-2008 All Rights Reserved
