TC: Small: Collaborative Research: Symbiosis in Byzantine Fault Tolerance and Intrusion Detection

TC：小型：协作研究：拜占庭容错和入侵检测的共生

• 批准号: 1018871
• 负责人: Karl Levitt
• 金额: $ 25万
• 依托单位: University of California-Davis
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-08-15 至 2015-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1018871&HistoricalAwards=false
• 关键词: TC; Small; Collaborative; Research; Symbiosis

Two principal components for providing protection in large-scale distributed systems are Byzantine fault-tolerance (BFT) and intrusion detection systems (IDS). BFT is used to implement strictly consistent replication of state in the face of arbitrary failures, including those introduced by malware and Internet pathogens. Intrusion detection relates to a broad set of services that detect events that could indicate the presence of an ongoing attack. IDSs are far from perfect -- they can both miss attacks or misinterpret events as being malicious. In addition, IDSs themselves are vulnerable to attack. These two components approach different parts of system security. Each, however, has the potential to improve the other, which is the theme of this project. The integration of these two efforts, at both the fundamental and system levels, has proven elusive. Fault-tolerant distributed algorithms have been designed to use failure detectors for some time, but only as an abstraction. Intrusion detection has been, for the most part, a service that gives some general improvement in system security. Attempting to marry these two approaches could be a large step towards making BFT a truly practical approach in multisite systems, and gives a novel way to integrate multiple IDSs to improve the security in a multisite system with nonuniform and varying trust. Some examples of such benefit are (1) Any evidence gathered by BFT about suspicious behavior can be useful for an IDS, since it could indicate that the system has been compromised. (2) Information from an IDS can be used by BFT to influence its behavior towards the servers of the replicated service. This could, for example, allow BFT to stop using a site even though the service has not (yet) been affected, or to assume a more benign set of failures for a site that appears to be well managed. (3) The way that BFT reacts to suspicious behavior is a complex policy that could, at least in part, be moved to IDS. Doing so would allow the policy to be tuned. (4) A further detection method is to compare the internal suspicions of BFT with the external suspicions of the IDS. (5) BFT can be used to detect and cope with attacks on an IDS. (6) IDS can confirm that parties in a BFT set are behaving according to the BFT protocol which if so can improve the performance of a BFT system. This research explores this potential of a merged system by developing a version of BFT for wide-area networks that is designed with several IDSs as part of the architecture. The IDS will serve as a suspicion detector that allows BFT to define sets of sites that trust each other, and can thus use a lower latency protocol among them. The IDSs will use BFT to agree upon detection states to make more useful detections. Information collected by BFT will be used by the IDS to detect malicious behavior. And, BFT and IDS will, where possible, check each other to increase the detection power of the system. A prototype of the system will be implement and a simple synthetic application to measure performance and sensitivity to a set of simulated attacks will be built.

在大规模分布式系统中提供保护的两个主要组成部分是拜占庭容错（BFT）和入侵检测系统（IDS）。BFT用于在面对任意故障时实现严格一致的状态复制，包括恶意软件和互联网病原体引入的故障。 入侵检测涉及一组广泛的服务，这些服务检测可能指示正在进行的攻击的存在的事件。IDS远非完美-它们可能会错过攻击或将事件误解为恶意事件。 此外，入侵检测系统本身也容易受到攻击。 这两个组件处理系统安全的不同部分。 然而，每一个都有潜力改善另一个，这就是这个项目的主题。 事实证明，在根本和系统两级将这两项努力结合起来是难以实现的。容错分布式算法已经被设计为使用故障检测器一段时间了，但只是作为一个抽象。入侵检测在很大程度上是一种在系统安全性方面提供一些一般性改进的服务。 尝试将这两种方法结合起来可能是使BFT成为多站点系统中真正实用的方法的一大步，并提供了一种新的方法来集成多个IDS以提高具有不均匀和变化的信任的多站点系统中的安全性。这种好处的一些例子是：（1）BFT收集的关于可疑行为的任何证据都可能对IDS有用，因为它可能表明系统已经受到损害。(2)BFT可以使用来自IDS的信息来影响其对复制服务的服务器的行为。例如，这可以允许BFT停止使用一个网站，即使该服务尚未受到影响，或者为一个似乎管理良好的网站假设一组更良性的故障。(3)BFT对可疑行为的反应方式是一个复杂的策略，至少部分可以转移到IDS。这样做可以调整政策。(4)另一种检测方法是将BFT的内部怀疑与IDS的外部怀疑进行比较。(5)BFT可以用来检测和科普入侵检测系统上的攻击。(6)IDS可以确认BFT集合中的各方根据BFT协议进行行为，如果是这样，则可以提高BFT系统的性能。 本研究通过开发一个用于广域网的BFT版本来探索合并系统的这种潜力，该版本设计有几个IDS作为架构的一部分。 IDS将作为一个怀疑检测器，允许BFT定义相互信任的站点集，从而可以在它们之间使用较低的延迟协议。 IDS将使用BFT来商定检测状态，以进行更有用的检测。IDS将使用BFT收集的信息来检测恶意行为。而且，BFT和IDS将在可能的情况下相互检查，以增加系统的检测能力。该系统的原型将实现和一个简单的综合应用程序来衡量性能和敏感性的一组模拟攻击将被建立。