New Intrusion Tolerance Software Fortifies Server Security
Posted: June 18, 2008 at 1:00 am, Last Updated: November 30, -0001 at 12:00 am
In today’s world it is common to manage security using two approaches: intrusion prevention and intrusion detection.
Just think of your home. Locking your doors and windows is an example of intrusion prevention. Now, add an alarm to those doors and windows and you’ve just increased your security by adding an intrusion detection system.
Much like our homes, our computer networks and servers rely on the same two strategies for security. However, sometimes these two security strategies alone are not enough.
Despite an increased focus and large investments in computer security, critical infrastructure systems remain vulnerable to attacks, says Arun Sood, Mason professor of computer science.
The increasing sophistication and incessant morphing of cyber attacks lend importance to the concept of intrusion tolerance: a system must fend off, or at least limit, the damage caused by unknown or undetected attacks.
“The problem is that no matter how much investment is made in intrusion prevention and detection, intruders will still manage to break through and trespass on computer servers,” says Sood. “By looking at this problem from a different angle, we developed a way to contain the losses that may occur because of an intrusion.”
Sood, director of Mason’s Laboratory of Interdisciplinary Computer Science, along with Yin Huang, senior research scientist in the Mason’s Center for Secure Information Systems, created the Self Cleansing Intrusion Tolerance (SCIT) technology to provide an additional layer of defense along with standard intrusion prevention and detection systems. While typical approaches to computer security are reactive and require prior knowledge of all attack modalities and software vulnerabilities, intrusion tolerance is a proactive approach to security, Sood notes.
In the SCIT approach, it is assumed that a server that has been online has been compromised. SCIT servers focus on limiting the losses that can occur because of an external intrusion. The servers achieve this goal by limiting the exposure time, or duration, that the server is continuously connected to the Internet. Through the use of virtualization technology, duplicate servers are created, and an online server is periodically cleansed and restored to a known clean state, regardless of whether or not an intrusion has been detected. These regular cleansings take place in randomly timed intervals.
“This approach of regular cleansings, when coupled with existing intrusion prevention and detection systems, leads to increased overall security,” says Sood. “We know that intrusion detection systems can detect sudden increases in data throughput from a server, so to avoid detection, hackers steal data at low rates. SCIT interrupts the flow of data regularly and automatically, and the data ex-filtration process is interrupted every cleansing cycle. Thus, SCIT, in partnership with intrusion detection systems, limits the volume of data that can be stolen.”
By reducing exposure time, SCIT provides an additional level of protection while the server’s vulnerabilities are found and fixed and configuration errors are corrected.
SCIT was funded by the Center for Innovative Technology (in partnership with Northrop Grumman), Lockheed Martin, National Institute of Standards and Technology through the Critical Infrastructure Protection Program, Sun Microsystems and the U.S. Army’s Telemedicine and Technology Research Center. Four patents are pending on the SCIT technology.