Denial of service attacks on peer-to-peer (p2p) systems can arise from sources otherwise considered non-malicious. We focus on one such commonly prevalent source, called "churn". Churn arises from continued and rapid arrival and failure (or departure) of a large number of participants in the system, and traces from deployments have shown that it can lead to extremely stressful networking conditions. It has the potential to increase host loads and block a large fraction of normal insert and lookup operations in the peer-to-peer system. This paper studies a cooperative web caching system that is resistant to churn attacks. Based on the Kelips peer-to-peer routing substrate, it imposes a constant load on participants and is able to reorganize itself continuously under churn. Peer pointers are automatically established among more available participants, thus ensuring high cache hit rates even when the system is stressed under churn. In addition, the system improves on the network locality of cache accesses in previous web caching schemes. The paper presents experimental results from a real implementation running over a commodity PC cluster, as well as trace-based simulations that use real host availability traces obtained from another deployed p2p system.
{"title":"A churn-resistant peer-to-peer web caching system","authors":"Prakash Linga, Indranil Gupta, K. Birman","doi":"10.1145/1036921.1036922","DOIUrl":"https://doi.org/10.1145/1036921.1036922","url":null,"abstract":"Denial of service attacks on peer-to-peer (p2p) systems can arise from sources otherwise considered non-malicious. We focus on one such commonly prevalent source, called \"churn\". Churn arises from continued and rapid arrival and failure (or departure) of a large number of participants in the system, and traces from deployments have shown that it can lead to extremely stressful networking conditions. It has the potential to increase host loads and block a large fraction of normal insert and lookup operations in the peer-to-peer system. This paper studies a cooperative web caching system that is resistant to churn attacks. Based on the Kelips peer-to-peer routing substrate, it imposes a constant load on participants and is able to reorganize itself continuously under churn. Peer pointers are automatically established among more available participants, thus ensuring high cache hit rates even when the system is stressed under churn. In addition, the system improves on the network locality of cache accesses in previous web caching schemes. The paper presents experimental results from a real implementation running over a commodity PC cluster, as well as trace-based simulations that use real host availability traces obtained from another deployed p2p system.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129524106","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
High confidence in a system's survivability requires an accurate understanding of the system's threat environment and the impact of that environment on system operations. This paper describes a framework for intrusion-aware design called trustworthy refinement through intrusion-aware design (TRIAD). The spiral structure of TRIAD iterates through three sectors of activity for developing the architectural strategy, for instantiating the architecture using technical components, and for analyzing the impact of the threat environment on system operations. TRIAD helps developers of complex, internetworked information systems to formulate, implement, and maintain a coherent, justifiable, and affordable survivability strategy that addresses mission-compromising threats for their organization. TRIAD facilitates planning for the inevitable change to the threat and operational environment and helps trace the effect of change back to the survivability requirements and architecture.
{"title":"TRIAD: a framework for survivability architecting","authors":"A. Moore, R. Ellison","doi":"10.1145/1036921.1036933","DOIUrl":"https://doi.org/10.1145/1036921.1036933","url":null,"abstract":"High confidence in a system's survivability requires an accurate understanding of the system's threat environment and the impact of that environment on system operations. This paper describes a framework for intrusion-aware design called trustworthy refinement through intrusion-aware design (TRIAD). The spiral structure of TRIAD iterates through three sectors of activity for developing the architectural strategy, for instantiating the architecture using technical components, and for analyzing the impact of the threat environment on system operations. TRIAD helps developers of complex, internetworked information systems to formulate, implement, and maintain a coherent, justifiable, and affordable survivability strategy that addresses mission-compromising threats for their organization. TRIAD facilitates planning for the inevitable change to the threat and operational environment and helps trace the effect of change back to the survivability requirements and architecture.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"105 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128952748","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this paper we describe SelectCast, a self-repairing multicast overlay routing facility for supporting publish/subscribe applications. Select Cast is a peer-to-peer protocol, and lever-ages Astrolabe, a secure distributed information management system. SelectCast uses replication to recover quickly from transient failures, as well as Astrolabe's aggregation facilities to recover from long-term failures or adapt to changes in load or QoS requirements. In order to evaluate the scalability and performance of SelectCast, and compare these with other multicast facilities, we built a multicast testing facility on NetBed. This paper reports latency and load results for SelectCast, compared to both native IP multicast and Yoid.
{"title":"SelectCast: a scalable and self-repairing multicast overlay routing facility","authors":"Adrian Bozdog, R. V. Renesse, D. Dumitriu","doi":"10.1145/1036921.1036925","DOIUrl":"https://doi.org/10.1145/1036921.1036925","url":null,"abstract":"In this paper we describe SelectCast, a self-repairing multicast overlay routing facility for supporting publish/subscribe applications. Select Cast is a peer-to-peer protocol, and lever-ages Astrolabe, a secure distributed information management system. SelectCast uses replication to recover quickly from transient failures, as well as Astrolabe's aggregation facilities to recover from long-term failures or adapt to changes in load or QoS requirements. In order to evaluate the scalability and performance of SelectCast, and compare these with other multicast facilities, we built a multicast testing facility on NetBed. This paper reports latency and load results for SelectCast, compared to both native IP multicast and Yoid.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132351582","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sara Miner More, Michael Malkin, Jessica Staddon, D. Balfanz
We propose a new method for distributing a common key to a dynamic group over an unreliable channel. In [15], an unconditionally secure "self-healing" protocol that solves this problem and has significant advantages over previous work in this area is presented. However, the protocol suffers from inconsistent robustness, high overhead and expensive maintenance costs. We propose a more practical self-healing protocol that attempts to address these three problems. First, we use a sliding window to make error recovery consistently robust. Second, we significantly reduce overhead. Finally, we give the group manager the ability to spread the cost of personal key distribution over multiple sessions, rather than having to distribute new personal keys to all users at the same time.
{"title":"Sliding-window self-healing key distribution","authors":"Sara Miner More, Michael Malkin, Jessica Staddon, D. Balfanz","doi":"10.1145/1036921.1036930","DOIUrl":"https://doi.org/10.1145/1036921.1036930","url":null,"abstract":"We propose a new method for distributing a common key to a dynamic group over an unreliable channel. In [15], an unconditionally secure \"self-healing\" protocol that solves this problem and has significant advantages over previous work in this area is presented. However, the protocol suffers from inconsistent robustness, high overhead and expensive maintenance costs. We propose a more practical self-healing protocol that attempts to address these three problems. First, we use a <i>sliding window</i> to make error recovery consistently robust. Second, we significantly reduce overhead. Finally, we give the group manager the ability to spread the cost of personal key distribution over multiple sessions, rather than having to distribute new personal keys to all users at the same time.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"19 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134633669","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jiwu Jing, Peng Liu, D. Feng, Ji Xiang, Neng Gao, Jingqiang Lin
Certification Authorities (CA) are a critical component of a PKI. All the certificates issued by a CA will become invalid when the (signing) private key of the CA is compromised. Hence it is a very important issue to protect the private key of an online CA. ARECA systems, built on top of threshold cryptography, ensure the security of a CA through a series of defense-in-depth protections. ARECA systems won't be compromised when a few system components are compromised or some system administrators betray. The private key of a CA is protected by distributing different shares of the key to different (signing) components and by ensuring that any component of the CA is unable to reconstruct the private key. In addition, the multi-layer system architecture of ARECA makes it very difficult to attack from outside. Several threshold-cryptography-based methods are proposed in the literature to construct an intrusion tolerant CA, and the uniqueness of ARECA is that it engineers a novel two phase signature composition scheme and a multi-layer CA protection architecture. As a result, ARECA is (a) practical, (b) highly resilient to both insider and outsider attacks that compromise one or more components, and (c) can prevent a variety of outside attacks.
{"title":"ARECA: a highly attack resilient certification authority","authors":"Jiwu Jing, Peng Liu, D. Feng, Ji Xiang, Neng Gao, Jingqiang Lin","doi":"10.1145/1036921.1036927","DOIUrl":"https://doi.org/10.1145/1036921.1036927","url":null,"abstract":"Certification Authorities (CA) are a critical component of a PKI. All the certificates issued by a CA will become invalid when the (signing) private key of the CA is compromised. Hence it is a very important issue to protect the private key of an online CA. ARECA systems, built on top of threshold cryptography, ensure the security of a CA through a series of defense-in-depth protections. ARECA systems won't be compromised when a few system components are compromised or some system administrators betray. The private key of a CA is protected by distributing different shares of the key to different (signing) components and by ensuring that any component of the CA is unable to reconstruct the private key. In addition, the multi-layer system architecture of ARECA makes it very difficult to attack from outside. Several threshold-cryptography-based methods are proposed in the literature to construct an intrusion tolerant CA, and the uniqueness of ARECA is that it engineers a novel two phase signature composition scheme and a multi-layer CA protection architecture. As a result, ARECA is (a) practical, (b) highly resilient to both insider and outsider attacks that compromise one or more components, and (c) can prevent a variety of outside attacks.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128315871","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This paper describes a generic architecture for intrusion tolerant Internet servers. It aims to build systems that are able to survive attacks in the context of an open network such as the Internet. To do so, the design is based on fault tolerance techniques, in particular redundancy and diversification. These techniques give a system the additional resources to continue delivering the correct service to its legitimate clients even when active attacks are corrupting parts of the system components.
{"title":"An intrusion tolerant architecture for dynamic content internet servers","authors":"Ayda Saïdane, Y. Deswarte, V. Nicomette","doi":"10.1145/1036921.1036934","DOIUrl":"https://doi.org/10.1145/1036921.1036934","url":null,"abstract":"This paper describes a generic architecture for intrusion tolerant Internet servers. It aims to build systems that are able to survive attacks in the context of an open network such as the Internet. To do so, the design is based on fault tolerance techniques, in particular redundancy and diversification. These techniques give a system the additional resources to continue delivering the correct service to its legitimate clients even when active attacks are corrupting parts of the system components.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131643960","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Self-regenerative capabilities are a new trend in survivable system design. Self-regeneration ensures the property that a system's vulnerabilities cannot be exploited to the extent that the mission objective is compromised, but instead that the vulnerabilities are eventually removed, and system functionality is restored. To establish the usefulness of self-regenerative capabilities in the design of survivable systems, it is important to ensure that a system satisfying the self-regenerative requirement is survivable, and software engineering practices and tool support are available for building self-regenerative systems. This paper emphasizes the need for formal definition of the concept of self-regenerative systems in general and self-regenerative software components in particular. We propose a simple formal definition of a self-regenerative software component and we propose to adapt well-established formal software validation techniques to build tool support to implement self-regenerative capabilities at the component level.
{"title":"Self-regenerative software components","authors":"Hassen Saïdi, B. Dutertre, Joshua Levy, A. Valdes","doi":"10.1145/1036921.1036935","DOIUrl":"https://doi.org/10.1145/1036921.1036935","url":null,"abstract":"Self-regenerative capabilities are a new trend in survivable system design. Self-regeneration ensures the property that a system's vulnerabilities cannot be exploited to the extent that the mission objective is compromised, but instead that the vulnerabilities are eventually removed, and system functionality is restored. To establish the usefulness of self-regenerative capabilities in the design of survivable systems, it is important to ensure that a system satisfying the self-regenerative requirement is survivable, and software engineering practices and tool support are available for building self-regenerative systems. This paper emphasizes the need for formal definition of the concept of self-regenerative systems in general and self-regenerative software components in particular. We propose a simple formal definition of a self-regenerative software component and we propose to adapt well-established formal software validation techniques to build tool support to implement self-regenerative capabilities at the component level.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124862658","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
There is good reason to base intrusion detection on data from the host. Unfortunately, most operating systems do not provide all the data needed in readily available logs. Ironically, perhaps, Window NT and its successor, Windows 2000, provide much of the necessary data, at least for security events. We have developed a host-based intrusion detector for these platforms that meets the generally accepted criteria for a good Intrusion Detection System. Its architecture is sufficiently flexible to meet these criteria largely by relying on native mechanisms. Where there are identified gaps in the data from the native security event log, they can be filled by data from other sensors by using the same event-logging interface. The IDS will also terminate unauthorized processes, delete unauthorized files, and restore deleted or modified files continually without lengthy recovery due to compromise. We call this feature Continual Repair. It is an existence proof that self-regenerative systems are possible.
{"title":"Continual repair for windows using the event log","authors":"James C. Reynolds, L. Clough","doi":"10.1145/1036921.1036932","DOIUrl":"https://doi.org/10.1145/1036921.1036932","url":null,"abstract":"There is good reason to base intrusion detection on data from the host. Unfortunately, most operating systems do not provide all the data needed in readily available logs. Ironically, perhaps, Window NT and its successor, Windows 2000, provide much of the necessary data, at least for security events. We have developed a host-based intrusion detector for these platforms that meets the generally accepted criteria for a good Intrusion Detection System. Its architecture is sufficiently flexible to meet these criteria largely by relying on native mechanisms. Where there are identified gaps in the data from the native security event log, they can be filled by data from other sensors by using the same event-logging interface. The IDS will also terminate unauthorized processes, delete unauthorized files, and restore deleted or modified files continually without lengthy recovery due to compromise. We call this feature Continual Repair. It is an existence proof that self-regenerative systems are possible.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"57 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123335508","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Proxy-network based overlays have been proposed to protect Internet Applications against Denial-of-Service attacks by hiding an application's location. We study how a proxy network's topology influences the effectiveness of location-hiding. We present two theorems which quantitatively characterize when proxy networks are robust against attacks (attackers' impact can be quickly and completely removed), and when they are vulnerable to attacks (attackers' impact cannot be completely removed). Using these theorems, we study a range of proxy network topologies, and identify those topologies favorable for location-hiding and resisting Denial-of-Service attacks. We have found that popular overlay network topologies such as Chord [25], which has been suggested for location-hiding, is in fact not a favorable topology for such purposes; we have also shown that CAN [21], a less popular overlay network, can be a good topology for location-hiding. Our theoretical results provide a set of sound design principles on proxy networks used for location-hiding.
{"title":"Tolerating denial-of-service attacks using overlay networks: impact of topology","authors":"Ju Wang, L. Lu, A. Chien","doi":"10.1145/1036921.1036926","DOIUrl":"https://doi.org/10.1145/1036921.1036926","url":null,"abstract":"Proxy-network based overlays have been proposed to protect Internet Applications against Denial-of-Service attacks by hiding an application's location. We study how a proxy network's topology influences the effectiveness of location-hiding. We present two theorems which quantitatively characterize when proxy networks are robust against attacks (attackers' impact can be quickly and completely removed), and when they are vulnerable to attacks (attackers' impact cannot be completely removed). Using these theorems, we study a range of proxy network topologies, and identify those topologies favorable for location-hiding and resisting Denial-of-Service attacks. We have found that popular overlay network topologies such as Chord [25], which has been suggested for location-hiding, is in fact not a favorable topology for such purposes; we have also shown that CAN [21], a less popular overlay network, can be a good topology for location-hiding. Our theoretical results provide a set of sound design principles on proxy networks used for location-hiding.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"9 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130633757","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Security is an important QoS attribute for characterizing intrusion tolerant computing systems. Frequently however, the security of computing systems is assessed in a qualitative manner based on the presence and absence of certain functional characteristics and security mechanisms. Such a characterization is not only ad hoc, it also lacks rigorous scientific and systematic basis. Some recent research efforts have emphasized the need for a quantitative assessment of security attributes for intrusion tolerant systems. Intrusion tolerant systems are not only complex, but also have to operate in an environment made unpredictable due to the unpredictable actions of bona-fide and non bona-fide users. This makes quantitative security analysis a difficult problem. Earlier approaches to security modelling have been based on the use of Markov models. Capturing details of real architectures in a manually constructed Markov model is difficult. We advocate the use of higher level formalism based on stochastic Petri nets for modelling and quantitative security analysis of intrusion tolerant systems. To validate our approach, we use an experimental intrusion tolerant systems known as the SITAR (scalable intrusion tolerant architecture) currently being implemented jointly at MCNC and Duke University as our target system. It is shown that the resulting analysis is useful in determining gains in security by reconfiguring such a system in terms of increase in redundancy under varying threat levels.
{"title":"Security analysis of SITAR intrusion tolerance system","authors":"Dazhi Wang, B. Madan, Kishor S. Trivedi","doi":"10.1145/1036921.1036924","DOIUrl":"https://doi.org/10.1145/1036921.1036924","url":null,"abstract":"Security is an important QoS attribute for characterizing intrusion tolerant computing systems. Frequently however, the security of computing systems is assessed in a qualitative manner based on the presence and absence of certain functional characteristics and security mechanisms. Such a characterization is not only ad hoc, it also lacks rigorous scientific and systematic basis. Some recent research efforts have emphasized the need for a quantitative assessment of security attributes for intrusion tolerant systems. Intrusion tolerant systems are not only complex, but also have to operate in an environment made unpredictable due to the unpredictable actions of bona-fide and non bona-fide users. This makes quantitative security analysis a difficult problem. Earlier approaches to security modelling have been based on the use of Markov models. Capturing details of real architectures in a manually constructed Markov model is difficult. We advocate the use of higher level formalism based on stochastic Petri nets for modelling and quantitative security analysis of intrusion tolerant systems. To validate our approach, we use an experimental intrusion tolerant systems known as the SITAR (scalable intrusion tolerant architecture) currently being implemented jointly at MCNC and Duke University as our target system. It is shown that the resulting analysis is useful in determining gains in security by reconfiguring such a system in terms of increase in redundancy under varying threat levels.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"36 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128443969","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: