TC: Small: Collaborative Research: Symbiosis in Byzantine Fault Tolerance and Intrusion Detection

TC：小型：协作研究：拜占庭容错和入侵检测的共生

• 批准号: 1018871
• 负责人: Karl Levitt
• 金额: $ 25万
• 依托单位: University of California-Davis
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-08-15 至 2015-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1018871&HistoricalAwards=false
• 关键词: TC; Small; Collaborative; Research; Symbiosis

Two principal components for providing protection in large-scale distributed systems are Byzantine fault-tolerance (BFT) and intrusion detection systems (IDS). BFT is used to implement strictly consistent replication of state in the face of arbitrary failures, including those introduced by malware and Internet pathogens. Intrusion detection relates to a broad set of services that detect events that could indicate the presence of an ongoing attack. IDSs are far from perfect -- they can both miss attacks or misinterpret events as being malicious. In addition, IDSs themselves are vulnerable to attack. These two components approach different parts of system security. Each, however, has the potential to improve the other, which is the theme of this project. The integration of these two efforts, at both the fundamental and system levels, has proven elusive. Fault-tolerant distributed algorithms have been designed to use failure detectors for some time, but only as an abstraction. Intrusion detection has been, for the most part, a service that gives some general improvement in system security. Attempting to marry these two approaches could be a large step towards making BFT a truly practical approach in multisite systems, and gives a novel way to integrate multiple IDSs to improve the security in a multisite system with nonuniform and varying trust. Some examples of such benefit are (1) Any evidence gathered by BFT about suspicious behavior can be useful for an IDS, since it could indicate that the system has been compromised. (2) Information from an IDS can be used by BFT to influence its behavior towards the servers of the replicated service. This could, for example, allow BFT to stop using a site even though the service has not (yet) been affected, or to assume a more benign set of failures for a site that appears to be well managed. (3) The way that BFT reacts to suspicious behavior is a complex policy that could, at least in part, be moved to IDS. Doing so would allow the policy to be tuned. (4) A further detection method is to compare the internal suspicions of BFT with the external suspicions of the IDS. (5) BFT can be used to detect and cope with attacks on an IDS. (6) IDS can confirm that parties in a BFT set are behaving according to the BFT protocol which if so can improve the performance of a BFT system. This research explores this potential of a merged system by developing a version of BFT for wide-area networks that is designed with several IDSs as part of the architecture. The IDS will serve as a suspicion detector that allows BFT to define sets of sites that trust each other, and can thus use a lower latency protocol among them. The IDSs will use BFT to agree upon detection states to make more useful detections. Information collected by BFT will be used by the IDS to detect malicious behavior. And, BFT and IDS will, where possible, check each other to increase the detection power of the system. A prototype of the system will be implement and a simple synthetic application to measure performance and sensitivity to a set of simulated attacks will be built.

在大规模分布式系统中提供保护的两个主要组件是拜占庭容错 (BFT) 和入侵检测系统 (IDS)。 BFT 用于在面对任意故障（包括由恶意软件和互联网病原体引入的故障）时实现严格一致的状态复制。 入侵检测涉及广泛的服务，这些服务检测可能表明存在持续攻击的事件。 IDS 远非完美——它们可能会错过攻击或将事件误解为恶意事件。 此外，IDS 本身也容易受到攻击。 这两个组件涉及系统安全的不同部分。 然而，每个人都有潜力改进另一个人，这就是这个项目的主题。 事实证明，这两项努力在基础层面和系统层面的整合是难以实现的。容错分布式算法被设计为使用故障检测器已有一段时间，但仅作为一种抽象。在大多数情况下，入侵检测是一种可以总体提高系统安全性的服务。 尝试将这两种方法结合起来可能是朝着使 BFT 成为多站点系统中真正实用的方法迈出的一大步，并提供了一种集成多个 IDS 的新颖方法，以提高具有不一致和变化信任的多站点系统的安全性。这种好处的一些例子是 (1) BFT 收集的有关可疑行为的任何证据都对 IDS 有用，因为它可能表明系统已受到损害。 (2) BFT 可以使用来自 IDS 的信息来影响其对复制服务的服务器的行为。例如，这可以允许 BFT 停止使用某个站点，即使该服务（尚未）受到影响，或者为看起来管理良好的站点假设一组更良性的故障。 (3) BFT 对可疑行为的反应方式是一项复杂的策略，可以至少部分转移到 IDS。这样做可以调整政策。 (4)进一步的检测方法是将BFT的内部怀疑与IDS的外部怀疑进行比较。 (5) BFT可用于检测和应对针对IDS的攻击。 (6) IDS 可以确认 BFT 集合中的各方正在按照 BFT 协议行事，如果是这样，可以提高 BFT 系统的性能。 这项研究通过开发用于广域网的 BFT 版本来探索合并系统的潜力，该版本的设计将多个 IDS 作为架构的一部分。 IDS 将充当可疑检测器，允许 BFT 定义相互信任的站点集，从而可以在其中使用较低延迟的协议。 IDS 将使用 BFT 就检测状态达成一致，以进行更有用的检测。 BFT 收集的信息将被 IDS 用于检测恶意行为。并且，BFT 和 IDS 将在可能的情况下相互检查以提高系统的检测能力。将实施系统原型，并构建一个简单的综合应用程序来测量性能和对一组模拟攻击的敏感性。