Design of an intrusion-tolerant system considering quality of service and diversity

Abstract

Improvements in networking technologies have provided users with useful information services. Such information services may bring convenience and efficiency, but might be accompanied by vulnerabilities to a variety of attacks. Therefore, a variety of research to enhance the security of the systems and get the services at the same time has been carried out. Especially, research on intrusion-tolerant systems (ITSs) has been conducted in order to survive against every intrusion, rather than to detect and prevent them. In this paper, we present two schemes to provide the appropriate level of service and security service. The first scheme is effective resource conversion (ERC), which transforms the assigned resources depending on the system status. The ITS based on ERC changes the number of virtual machines (VMs) to process requests and recover, instead of using the fixed number of VMs as in conventional approaches. The second scheme finds software combinations that minimize the risk of common vulnerabilities. The ITS based on ERC employs redundant components to eliminate the SPOF problem and improve system reliability. However, systems that include identical components have common vulnerabilities that can be exploited to attack the servers. We analyze software vulnerability data from the National Vulnerability Database (NVD). Based on the analysis results, we present a scheme that finds software combinations that improve intrusion tolerance of the system. We implement these schemes with CSIM20, and simulation results prove that proposed schemes are appropriate for a recovery-based intrusion tolerant architecture.