Self Cleansing Intrusion Tolerance – Next Generation Server Security

12:00 noon, Thursday, Oct 02, 2008, ST2, Room 430

Speaker

Arun Sood
Professor
Computer Science Department
George Mason University

Abstract

Current intrusion prevention (firewall) and intrusion detection approaches require prior knowledge of the attack modalities and software vulnerabilities they are meant to stop. These approaches are good at fighting yesterday's wars, but what about the serious current and future threats? What about malware already installed on servers? What about inadvertent configuration errors by system administrators? Our response to these formidable challenges is Self Cleansing Intrusion Tolerance (SCIT). SCIT represents a paradigm shift as compared to firewalls and IDSs: rather than trying to stop every intrusion, SCIT servers focus on limiting the losses that an intrusion can cause. To achieve this goal we limit the time a server is exposed to the internet. In the SCIT approach we have achieved sub-minute exposure time for servers without service interruption. We emphasize that SCIT is not a replacement technology; it complements and adds to existing approaches.

Today's servers are on-line for extended periods, often several months at a time. In general, servers are brought off-line only for patch application or upgrades. Thus, attackers have ample time to explore, experiment and understand the server configuration. In this sense, the servers are sitting ducks and easy targets. SCIT technology intends to make the attacker's task more difficult by limiting the exposure time of the servers: a server is online only for a short window, is then taken off-line and restored to a known clean state, and is replaced by another server before it is withdrawn, so the service itself is never interrupted. SCIT also facilitates the use of different forms of diversity to constantly change the system configuration and change what the attacker sees, which in turn makes the attacker's task more difficult.
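The rotation described above can be reasoned about with a small model. The following is an added illustration written for this page, not SCIT's own code or scheduler: it models a pool of identical servers in discrete time ticks, with one server online at a time, a fixed exposure window, and a fixed cleansing time (the restore from a pristine image), and it checks two properties a practitioner cares about: that no server stays exposed longer than the window, and that the pool is large enough that the service never has a gap. The server names, tick units and the "implant" marker are constructed for the example.

```python
"""Discrete-time model of a self-cleansing server rotation (added example).

Assumptions (not from the SCIT papers): identical servers, exactly one server
online at a time, a hard exposure limit, and a fixed cleansing duration after
which a server is back in the ready pool with any implant discarded.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Server:
    name: str
    online_since: Optional[int] = None  # tick it came online; None when offline
    cleansing_until: int = 0            # tick at which cleansing finishes
    compromised: bool = False           # hypothetical implant planted while online


def min_pool_size(exposure: int, cleansing: int) -> int:
    """Smallest pool that keeps one server online at all times.

    Each server cycles through `exposure` ticks online and `cleansing` ticks
    offline, so coverage requires pool * exposure >= exposure + cleansing.
    """
    return math.ceil((exposure + cleansing) / exposure)


def simulate(exposure: int, cleansing: int, pool: int, ticks: int,
             implant_at: Optional[int] = None) -> dict:
    """Run the rotation and report gaps, the worst exposure seen, and how
    long a (constructed) implant planted at `implant_at` survived."""
    servers = [Server(f"srv{i}") for i in range(pool)]
    active: Optional[Server] = None
    gaps = []                 # ticks at which nothing was online
    max_exposure = 0
    implant_wiped_at = None

    for t in range(ticks):
        # Rotate when the active server's window has expired or nothing is online.
        if active is None or t - active.online_since >= exposure:
            ready = next((s for s in servers
                          if s is not active and s.cleansing_until <= t), None)
            if active is not None:
                # Hard stop: the old server goes to cleansing regardless of
                # whether a replacement is ready. Restoring from the pristine
                # image discards whatever the attacker left behind.
                max_exposure = max(max_exposure, t - active.online_since)
                if active.compromised and implant_wiped_at is None:
                    implant_wiped_at = t
                active.compromised = False
                active.online_since = None
                active.cleansing_until = t + cleansing
            active = ready
            if active is None:
                gaps.append(t)     # pool too small: service interruption
                continue
            active.online_since = t

        if implant_at is not None and t == implant_at:
            active.compromised = True   # attacker gains a foothold at this tick

    lifetime = (implant_wiped_at - implant_at
                if implant_at is not None and implant_wiped_at is not None else None)
    return {"gaps": gaps, "max_exposure": max_exposure, "implant_lifetime": lifetime}


if __name__ == "__main__":
    E, C = 60, 120   # seconds online, seconds to restore (constructed values)
    k = min_pool_size(E, C)
    print(f"exposure={E}s cleansing={C}s -> pool of {k} servers")
    print(simulate(E, C, k, 600, implant_at=30))
    print("undersized pool:", simulate(E, C, k - 1, 600)["gaps"][:3], "...")
```

With a 60-second window and a 120-second restore the model needs three servers, and an implant planted 30 seconds into a window is wiped 30 seconds later; with only two servers the same schedule produces service gaps, which is the trade-off between exposure time, restore time and pool size that a sub-minute target forces.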

Our underlying assumption is that all software has vulnerabilities. Further, the more complex the software, the greater the likelihood of vulnerabilities, and constant patching has become costly. There are many on-going efforts to develop methodologies that will lead to less vulnerable software products. In the meantime, for servers that are exposed to the internet, such as those in the DMZ, SCIT provides an additional layer of defense.

SCIT technical publications are available at http://cs.gmu.edu/~asood/scit. A Google search shows that in the last three months there have been many news reports about SCIT, including articles in Network World, Computer World, Dark Reading, etc., and some blogs. Pointers to a few articles are included at the above website. This shows the increasing interest in intrusion tolerance as a viable strategy.

Our research has been supported by the US Army, NIST through the Critical Infrastructure Protection Program, SUN Microsystems, with on-going support from Lockheed Martin, and Commonwealth of Virginia CTRF fund (Northrop Grumman is a partner).

Short Bio

Dr. Arun Sood is Professor of Computer Science and Director of the Laboratory of Interdisciplinary Computer Science at George Mason University, Fairfax, Virginia. He was formerly department chair. He is CEO of SCIT Labs Inc., a start-up that is licensing SCIT technology from the university. He has published more than 150 papers and two edited books. He has been awarded 1 patent and has applied for 4 patents based on SCIT. A list of publications and a detailed résumé are available at http://cs.gmu.edu/~asood. He was awarded a BTech (1966) by the Indian Institute of Technology, Delhi, and an MS (1967) and PhD (1971) by Carnegie Mellon University. All degrees are in Electrical Engineering.