
TC: Small: Collaborative Research: Symbiosis in Byzantine Fault Tolerance and Intrusion Detection

$250,000 · FY2010 · CSE · NSF

University Of California-Davis, Davis CA

Investigators

Abstract

Two principal components for providing protection in large-scale distributed systems are Byzantine fault-tolerance (BFT) and intrusion detection systems (IDS). BFT is used to implement strictly consistent replication of state in the face of arbitrary failures, including those introduced by malware and Internet pathogens. Intrusion detection relates to a broad set of services that detect events that could indicate the presence of an ongoing attack. IDSs are far from perfect: they can both miss attacks and misinterpret events as being malicious. In addition, IDSs themselves are vulnerable to attack.

These two components approach different parts of system security. Each, however, has the potential to improve the other, which is the theme of this project. The integration of these two efforts, at both the fundamental and system levels, has proven elusive. Fault-tolerant distributed algorithms have been designed to use failure detectors for some time, but only as an abstraction. Intrusion detection has been, for the most part, a service that gives some general improvement in system security. Attempting to marry these two approaches could be a large step towards making BFT a truly practical approach in multisite systems, and gives a novel way to integrate multiple IDSs to improve the security in a multisite system with nonuniform and varying trust. Some examples of such benefit are:

(1) Any evidence gathered by BFT about suspicious behavior can be useful for an IDS, since it could indicate that the system has been compromised.
(2) Information from an IDS can be used by BFT to influence its behavior towards the servers of the replicated service. This could, for example, allow BFT to stop using a site even though the service has not (yet) been affected, or to assume a more benign set of failures for a site that appears to be well managed.
(3) The way that BFT reacts to suspicious behavior is a complex policy that could, at least in part, be moved to IDS. Doing so would allow the policy to be tuned.
(4) A further detection method is to compare the internal suspicions of BFT with the external suspicions of the IDS.
(5) BFT can be used to detect and cope with attacks on an IDS.
(6) An IDS can confirm that parties in a BFT set are behaving according to the BFT protocol, which, if so, can improve the performance of a BFT system.

This research explores this potential of a merged system by developing a version of BFT for wide-area networks that is designed with several IDSs as part of the architecture. The IDS will serve as a suspicion detector that allows BFT to define sets of sites that trust each other, and can thus use a lower latency protocol among them. The IDSs will use BFT to agree upon detection states to make more useful detections. Information collected by BFT will be used by the IDS to detect malicious behavior. And BFT and IDS will, where possible, check each other to increase the detection power of the system. A prototype of the system will be implemented, and a simple synthetic application will be built to measure performance and sensitivity to a set of simulated attacks.
