TC: Small: Collaborative Research: Symbiosis in Byzantine Fault Tolerance and Intrusion Detection
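Basic information
- Award number: 1018910
- Principal investigator:
- Amount: $238 thousand
- Host institution:
- Host institution country: United States
- Project category: Standard Grant
- Fiscal year: 2010
- Funding country: United States
- Period: 2010-08-15 to 2014-07-31
- Project status: Completed
- Source:
- Keywords:
Project abstract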
Two principal components for providing protection in large-scale distributed systems are Byzantine fault-tolerance (BFT) and intrusion detection systems (IDS). BFT is used to implement strictly consistent replication of state in the face of arbitrary failures, including those introduced by malware and Internet pathogens. Intrusion detection relates to a broad set of services that detect events that could indicate the presence of an ongoing attack. IDSs are far from perfect: they can both miss attacks and misinterpret events as being malicious. In addition, IDSs themselves are vulnerable to attack. These two components approach different parts of system security. Each, however, has the potential to improve the other, which is the theme of this project. The integration of these two efforts, at both the fundamental and system levels, has proven elusive. Fault-tolerant distributed algorithms have been designed to use failure detectors for some time, but only as an abstraction. Intrusion detection has been, for the most part, a service that gives some general improvement in system security. Attempting to marry these two approaches could be a large step towards making BFT a truly practical approach in multisite systems, and gives a novel way to integrate multiple IDSs to improve the security in a multisite system with nonuniform and varying trust.
Some examples of such benefit are: (1) Any evidence gathered by BFT about suspicious behavior can be useful for an IDS, since it could indicate that the system has been compromised. (2) Information from an IDS can be used by BFT to influence its behavior towards the servers of the replicated service. This could, for example, allow BFT to stop using a site even though the service has not (yet) been affected, or to assume a more benign set of failures for a site that appears to be well managed. (3) The way that BFT reacts to suspicious behavior is a complex policy that could, at least in part, be moved to IDS. Doing so would allow the policy to be tuned. (4) A further detection method is to compare the internal suspicions of BFT with the external suspicions of the IDS. (5) BFT can be used to detect and cope with attacks on an IDS. (6) IDS can confirm that parties in a BFT set are behaving according to the BFT protocol, which, if so, can improve the performance of a BFT system.
This research explores this potential of a merged system by developing a version of BFT for wide-area networks that is designed with several IDSs as part of the architecture. The IDS will serve as a suspicion detector that allows BFT to define sets of sites that trust each other, and can thus use a lower latency protocol among them. The IDSs will use BFT to agree upon detection states to make more useful detections. Information collected by BFT will be used by the IDS to detect malicious behavior. And, BFT and IDS will, where possible, check each other to increase the detection power of the system. A prototype of the system will be implemented, and a simple synthetic application to measure performance and sensitivity to a set of simulated attacks will be built.
Project outcomes
Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Other grants of Geoffrey Voelker
Student Travel Support for the 2010 MobiSys 2010 PHD Forum on Mobile Applications and Services Workshop
- Award number: 1031907
- Fiscal year: 2010
- Funding amount: $238 thousand
- Project category: Standard Grant
Student Travel Support for the 2009 USENIX Annual Technical Conference
- Award number: 0939713
- Fiscal year: 2009
- Funding amount: $238 thousand
- Project category: Standard Grant
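Similar NSFC grants
Forensic application of circadian-rhythm small RNAs in estimating bloodstain deposition time
- Award number:
- Approval year: 2024
- Funding amount: CNY 0
- Project category: Provincial/municipal project
Mechanism by which tRNA-derived small RNA upregulates the YBX1/CCL5 pathway in bortezomib-induced chronic pain
- Award number: n/a
- Approval year: 2022
- Funding amount: CNY 100,000
- Project category: Provincial/municipal project
Small RNA regulation of the adaptive immune response of the type I-F CRISPR-Cas system and its molecular mechanism
- Award number: 32000033
- Approval year: 2020
- Funding amount: CNY 240,000
- Project category: Young Scientists Fund
Mechanisms by which small RNAs regulate the biocontrol function of Bacillus amyloliquefaciens FZB42
- Award number: 31972324
- Approval year: 2019
- Funding amount: CNY 580,000
- Project category: General Program
Mechanism by which Streptococcus mutans small RNAs link LuxS quorum sensing to biofilm formation
- Award number: 81900988
- Approval year: 2019
- Funding amount: CNY 210,000
- Project category: Young Scientists Fund
Molecular mechanism of pigeon milk secretion analyzed by small RNA sequencing
- Award number: 31802058
- Approval year: 2018
- Funding amount: CNY 260,000
- Project category: Young Scientists Fund
Function and mechanism of key gut bacterial small RNAs in the onset and progression of Crohn's disease
- Award number: 31870821
- Approval year: 2018
- Funding amount: CNY 560,000
- Project category: General Program
Pathogenic mechanism of rice grassy stunt virus regulated by small RNA-mediated DNA methylation
- Award number: 31772128
- Approval year: 2017
- Funding amount: CNY 600,000
- Project category: General Program
Immune regulatory mechanism of acupuncture and moxibustion treatment of Hashimoto's thyroiditis based on small RNA-seq
- Award number: 81704176
- Approval year: 2017
- Funding amount: CNY 200,000
- Project category: Young Scientists Fund
Regulation of small RNA biogenesis by rice OsSGS3 and OsHEN1 and their modulation of disease resistance
- Award number: 91640114
- Approval year: 2016
- Funding amount: CNY 850,000
- Project category: Major Research Plan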
Similar overseas grants
TC: Small: Collaborative Research: Implications of Fully Homomorphic Encryption
- Award number: 1646233
- Fiscal year: 2016
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Exploiting Network Dynamics for Secret Key Generation
- Award number: 1321223
- Fiscal year: 2012
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Membership Inference in a Differentially Private World and Beyond
- Award number: 1117175
- Fiscal year: 2011
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Towards a Formal Framework for Analyzing and Implementing Secure Routing Protocols
- Award number: 1115706
- Fiscal year: 2011
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Influencing Mental Models of Security
- Award number: 1115926
- Fiscal year: 2011
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Exploiting Network Dynamics for Secret Key Generation
- Award number: 1116932
- Fiscal year: 2011
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Membership Inference in a Differentially Private World and Beyond
- Award number: 1116644
- Fiscal year: 2011
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Viewpoints: Discovering Client- and Server-side Input Validation Inconsistencies to Improve Web Application Security
- Award number: 1116967
- Fiscal year: 2011
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Viewpoints: Discovering Client- and Server-side Input Validation Inconsistencies to Improve Web Application Security
- Award number: 1117167
- Fiscal year: 2011
- Funding amount: $238 thousand
- Project category: Standard Grant
TC: Small: Collaborative Research: Provable Security from Group Theory and Applications
- Award number: 1117675
- Fiscal year: 2011
- Funding amount: $238 thousand
- Project category: Standard Grant