Intrusion Tolerance by Unpredictable Adaptation

About the Project

The “Intrusion Tolerance by Unpredictable Adaptation (ITUA)” project was supported by the Defense Advanced Research Projects Agency (DARPA). It was a joint effort of BBN Technologies, the University of Illinois, the University of Maryland, and Boeing. The principal investigator was Partha Pal. BBN has its own ITUA project page.

People at the University of Illinois

People at BBN

People at the University of Maryland

People at Boeing

  • David Corman
  • Jeanna Gossett

Background and Motivation

Three factors have significantly lowered our ability to withstand hostile attacks on critical information systems: 1) an economic mandate to construct systems with more cost-effective commercial off-the-shelf (COTS) solutions, thereby accepting known and unknown limitations; 2) the increasingly sophisticated nature of commonly available technologies, capable of mounting more complex and sustained attack patterns against these systems; and 3) the fact that systems are increasingly inter-networked and need to remain open to meet interoperability goals. The first of these factors makes it more likely that some systems will be compromised and corrupted by adversaries. The second makes it likely that preplanned, coordinated, and sustained attacks will be mounted against high-value systems. The third implies that effects of successful intrusion will be compounded as multiple systems are impacted. All of these factors led to the ITUA project, which significantly increased our understanding and tolerance of such attacks, thereby indirectly raising the ante on mounting a successful attack of this type.

Our technical approach to this problem area was to combine advanced redundancy management techniques (specifically countering faults resulting from a partially successful attack) with techniques that produce responses that are variable and unpredictable to the attacker, making a coordinated attack harder to preplan. We developed new Byzantine algorithms that tolerate the characteristic Byzantine faults resulting from a class of staged, coordinated intrusions. This first line of defense was augmented with reactive indeterminacy, based on distributed system techniques for flexible reconfiguration, using an adaptive middleware and a set of decentralized managers that coordinate these distributed responses and adapt the system’s resources and redundancy. The result was an intrusion-tolerant core of proactive mechanisms augmented with reactive techniques for tolerating preplanned sustained attack profiles.

The inability of an adversary to preplan a sustained attack effectively in light of expected (but unpredictable) responses makes successful attacks both less likely and more expensive. This innovative approach became possible because of significant advances in developing flexible and agile distributed system infrastructure that were being made in parallel.

Investigation of recent nuisance attacks on networked systems revealed the increasing sophistication of attackers, and made this type of new attack scenario very plausible. The work required a combination of expertise from three different technical areas as well as a realistic domain-specific context for ensuring a result relevant to current and future systems and concepts. Byzantine fault-tolerance techniques were a starting point, but needed to be augmented to account for the fact that attacks may be staged. Security techniques are needed but cannot by themselves prevent partially successful attacks on modern infrastructure. Distributed systems research and development is enabling a new generation of systems that can dynamically reconfigure to meet changes in operating conditions flexibly. Our team encompassed expertise in all three of those areas in order to devise an innovative, multi-phased approach to constructing intrusion-tolerant systems, for a specific pattern of intrusion (coordinated, partially successful, sustained).

Manual


Publications

Overcoming Byzantine Failures using Checkpointing.
A. Agbaria and R. Friedman. (03AGB02)
University of Illinois at Urbana-Champaign Coordinated Science Laboratory technical report no. UILU-ENG-03-2228 (CRHC-03-14), December 2003.

Providing Intrusion Tolerance with ITUA.
T. Courtney, J. Lyons, H. V. Ramasamy, W. H. Sanders, M. Seri, M. Atighetchi, P. Rubel, C. Jones, F. Webber, P. Pal, R. Watro, M. Cukier, and J. Gossett. (02COU01)
Supplemental Volume of the 2002 International Conference on Dependable Systems & Networks (DSN-2002), Washington, DC, June 23-26, 2002, pp. C-5-1 to C-5-3.

Intrusion Tolerance Approaches in ITUA.
M. Cukier, J. Lyons, P. Pandey, H. V. Ramasamy, W. H. Sanders, P. Pal, F. Webber, R. Schantz, J. Loyall, R. Watro, M. Atighetchi, and J. Gossett. (01CUK01)
FastAbstract in Supplement of the 2001 International Conference on Dependable Systems and Networks, Göteborg, Sweden, July 1-4, 2001, pp. B-64 to B-65.

Intrusion-Tolerant State Transfer for Group Communication Systems.
V. Gupta. (03GUP02)
Master’s Thesis, University of Illinois, 2003.

Dependability and Performance Evaluation of Intrusion-Tolerant Server Architectures.
V. Gupta, V. Lam, H. V. Ramasamy, W. H. Sanders, and S. Singh. (03GUP01)
Dependable Computing: Proceedings of the First Latin-American Symposium (LADC 2003), São Paulo, Brazil, October 21-24, 2003, Lecture Notes in Computer Science vol. 2847 (Rogério de Lemos, Taisy Silva Weber, and João Batista Camargo Jr., eds), Berlin: Springer, 2003, pp. 81-101.

Stochastic Modeling of Intrusion-Tolerant Server Architectures for Dependability and Performance Evaluation.
V. Gupta, V. Lam, H. V. Ramasamy, W. H. Sanders, and S. Singh. (03GUP03)
University of Illinois at Urbana-Champaign Coordinated Science Laboratory technical report UILU-ENG-03-2227 (CRHC-03-13), December 2003.

An Adaptive Quality of Service Aware Middleware for Replicated Services.
S. Krishnamurthy. (02KRI04)
Ph.D. Thesis, University of Illinois, 2002.

A Replication Protocol for an Intrusion-Tolerant System Design.
J. P. Lyons. (03LYO01)
Master’s Thesis, University of Illinois, 2003.

An Architecture for Adaptive Intrusion-Tolerant Applications.
P. Pal, P. Rubel, M. Atighetchi, F. Webber, W. H. Sanders, M. Seri, H. Ramasamy, J. Lyons, T. Courtney, A. Agbaria, M. Cukier, J. Gossett, and I. Keidar. (04PAL01)
Special issue of Software: Practice and Experience on Experiences with Auto-adaptive and Reconfigurable Systems, vol. 36, no. 11-12, September-October 2006, pp. 1331-1354.

Survival by Defense-Enabling.
P. Pal, F. Webber, R. Schantz, J. Loyall, R. Watro, W. Sanders, M. Cukier, and J. Gossett. (01PAL01)
Proceedings of the New Security Paradigms Workshop 2001, Cloudcroft, New Mexico, September 11-13, 2001, pp. 71-78.

Reliable Delivery and Ordering Mechanisms for an Intrusion-Tolerant Group Communication System.
P. Pandey. (01PAN01)
Master’s Thesis, University of Illinois, 2001.

Group Communication Protocols and a Framework for Intrusion-Tolerant Distributed Applications.
H. V. Ramasamy. (04RAM02)
Supplemental Volume of the IFIP World Computer Congress, Toulouse, France, August 22-27, 2004.

A Group Membership Protocol for an Intrusion-Tolerant Group Communication System.
H. V. Ramasamy. (02RAM01)
Master’s Thesis, University of Illinois at Urbana-Champaign, 2002.

Parsimonious Service Replication for Tolerating Malicious Attacks in Asynchronous Environments.
H. V. Ramasamy. (05RAM05)
Ph.D. Thesis, University of Illinois at Urbana-Champaign, 2005.

CoBFIT: A Component-Based Framework for Intrusion Tolerance.
H. V. Ramasamy, A. Agbaria, and W. H. Sanders. (04RAM03)
Proceedings of the 30th Euromicro Conference, Rennes, France, August 31-September 3, 2004, pp. 591-600.

A Parsimonious Approach for Obtaining Resource-Efficient and Trustworthy Execution.
H. V. Ramasamy, A. Agbaria, and W. H. Sanders. (05RAM04)
IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 1, January-March 2007, pp. 1-17.

Parsimony-Based Approach for Obtaining Resource-Efficient and Trustworthy Execution.
H. V. Ramasamy, A. Agbaria, and W. H. Sanders. (05RAM01)
Dependable Computing: Proceedings of the 2nd Latin-American Symposium (LADC 2005), Salvador, Brazil, October 25-28, 2005, LNCS vol. 3747, Springer-Verlag, pp. 206-225.

Semi-Passive Replication in the Presence of Byzantine Faults.
H. V. Ramasamy, A. Agbaria, and W. H. Sanders. (04RAM01)
University of Illinois at Urbana-Champaign Coordinated Science Laboratory technical report no. UILU-ENG-04-2202 (CRHC-04-02), February 2004.

Formal Specification and Verification of a Group Membership Protocol for an Intrusion-Tolerant Group Communication System.
H. V. Ramasamy, M. Cukier, and W. H. Sanders. (02RAM02)
Proceedings of the 2002 Pacific Rim International Symposium on Dependable Computing (PRDC 2002), Tsukuba, Japan, December 16-18, 2002, pp. 9-18.

Formal Specification and Verification of a Group Membership Protocol for an Intrusion-Tolerant Group Communication System.
H. V. Ramasamy, M. Cukier, and W. H. Sanders. (03RAM05)
In Foundations of Intrusion Tolerant Systems (Jay Lala, ed.), pp. 251-260. Los Alamitos, CA: IEEE Computer Society, 2003. (Reprint of the conference paper with the same name.)

Formal Verification of an Intrusion-Tolerant Group Membership Protocol.
H. V. Ramasamy, M. Cukier, and W. H. Sanders. (03RAM01)
IEICE Transactions on Information and Systems special issue on Dependable Computing, vol. E86-D, no. 12, December 2003, pp. 2612-2622.

Experiences with Building an Intrusion-Tolerant Group Communication System.
H. V. Ramasamy, P. Pandey, M. Cukier, and W. H. Sanders. (06RAM02)
Software: Practice and Experience, vol. 38, no. 6, May 2008, pp. 639-666.

Quantifying the Cost of Providing Intrusion Tolerance in Group Communication Systems.
H. V. Ramasamy, P. Pandey, J. Lyons, M. Cukier, and W. H. Sanders. (01RAM01)
Proceedings of the 2002 International Conference on Dependable Systems and Networks (DSN-2002), Washington, DC, June 23-26, 2002, pp. 229-238.

Quantifying the Cost of Providing Intrusion Tolerance in Group Communication Systems.
H. V. Ramasamy, P. Pandey, J. Lyons, M. Cukier, and W. H. Sanders. (03RAM06)
In Foundations of Intrusion Tolerant Systems (Jay Lala, ed.), pp. 241-250. Los Alamitos, CA: IEEE Computer Society, 2003. (Reprint of the conference paper with the same name.)

The CoBFIT Toolkit.
H. Ramasamy, M. Seri, and W. H. Sanders. (07RAM01)
Proceedings of the 26th Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing (PODC 2007), Portland, Oregon, Aug. 12-15, 2007, pp. 350-351. [ACM DOI: http://dx.doi.org/10.1145/1281100.1281167]

Probabilistic Validation of Intrusion Tolerance.
W. H. Sanders, M. Cukier, F. Webber, P. Pal, and R. Watro. (02SAN02)
Fast Abstract in the Supplemental Volume of the 2002 International Conference on Dependable Systems & Networks (DSN-2002), Washington, DC, June 23-26, 2002, pp. B-78 to B-79.

A Configurable CORBA Gateway for Providing Adaptable System Properties.
M. Seri, T. Courtney, M. Cukier, V. Gupta, S. Krishnamurthy, J. Lyons, H. Ramasamy, J. Ren, and W. H. Sanders. (02SER01)
Supplemental Volume of the 2002 International Conference on Dependable Systems & Networks (DSN-2002), Washington, DC, June 23-26, 2002, pp. G-26 to G-30.

Ferret: A Host Vulnerability Checking Tool.
A. Sharma, J. R. Martin, N. Anand, M. Cukier, and W. H. Sanders. (03SHA01)
Proceedings of the 10th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC-10), Papeete, Tahiti, French Polynesia, March 3-5, 2004, pp. 389-394.

Probabilistic Validation of an Intrusion-Tolerant Replication System.
S. Singh. (03SIN02)
Master’s Thesis, University of Illinois, 2003.

Probabilistic Validation of an Intrusion-Tolerant Replication System.
S. Singh, M. Cukier, and W. H. Sanders. (03SIN01)
Proceedings of the 2003 International Conference on Dependable Systems and Networks (DSN-2003), San Francisco, CA, June 22-25, 2003, pp. 615-624.