Presentation is loading. Please wait.

Presentation is loading. Please wait.

DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA.

Published byKamryn Benn Modified over 10 years ago

Similar presentations

Presentation on theme: "DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA."— Presentation transcript:

1 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA ITS PI Meeting – Honolulu – July 17-21, 2000 Janet Lepanto Bill Weinstein The Charles Stark Draper Laboratory, Inc. Aegis Research Corporation ® Aegis Research Corporation

2 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 2 Aegis Research Corporation Technical Objectives Develop an ITS architecture that supports layered defenses and provides resilience to attacks –Limit an attacker’s ability to ascertain the current state of the system configuration –Enable a system to tolerate subtle attacks whose characteristics are not known a priori –Guarantee data integrity in the face of a successful attack on one of the servers

3 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 3 Aegis Research Corporation Technical Approach Adapt key concepts from fault-tolerant computing to address subtle attacks that may elude firewalls and algorithms that look for patterns of abnormal behavior –Masking faults so that their effects do not propagate to the system “output” –Rollback of execution to an uncompromised system state to recover from the effects of a fault –Synchronization to enable voting among redundant copies of data Incorporate these concepts in an ITS composed largely of untrusted unmodified COTS servers and databases augmented by a small set of trusted components Test these concepts in a series of phased experiments

4 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 4 Aegis Research Corporation Basic Architecture External WAN External Firewall Data Base Transaction Mediator Gateway Switched IP Server (1) Server (N) Server (2) Configuration Manager Authentication Server Switched IP COTS Trusted Other

5 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 5 Aegis Research Corporation Extended Architecture Authentication Server COTS Trusted Other Switched IP External WAN External Firewall Gateway Configuration Manager Switched IP Transaction Mediator Data Base Web Server (1) Web Server (1) Servers (Set 3) Switched IP Transaction Mediator Data Base Web Server (1) Web Server (1) Servers (Set 2) Switched IP Transaction Mediator Data Base Web Server (1) Web Server (1) Servers (Set 1)

6 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 6 Aegis Research Corporation Experiment Plan Four phases of experiments will test the response of our ITS mechanisms to Red Team attacks –Initial mechanisms for attack disruption (Year 1) –Initial mechanisms for system recovery (Year 2) –Refined mechanisms for attack disruption and system recovery – Initial mechanisms for synchronization and voting (Year 3) –Refined mechanisms for synchronization and voting for distributed servers (Year 4)

7 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 7 Aegis Research Corporation Risk Management Primary Risks –Dispersion of application transactions within a single session –Rapid validation of server configuration –Efficient synchronization and voting in a transaction-oriented environment Risk Mitigation –Aegis has performed configuration analyses and has begun preliminary work in fingerprint modification –Dispersion techniques are employed today for load balancing; the challenge in the proposed application is to reduce the granularity at which dispersion is done –Draper has successfully applied synchronization, voting, and rollback in fault-tolerant system designs

8 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 8 Aegis Research Corporation Quantitative Metrics Percent of successful Red Team attacks Time to achieve successful Red Team attacks Impact of ITS mechanisms on system performance

9 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 9 Aegis Research Corporation Expected Major Achievements Verification that attacks can be impeded by dispersion Demonstration that data integrity can be maintained in the presence of unknown system vulnerabilities or unrecognized attack signatures Demonstration that data integrity can be maintained in the event of a successfully completed attack on a single server

10 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 10 Aegis Research Corporation Task Schedule 1.1 Dev & Implmt Fingerprint Masking 1.2 Dev & Implmt Dynamic Assign 1.3 Dev & Implmt Config Evalution 1.4 Integration & Experimentation 1.5 Program Management 2.1 Dev & Implmt Transaction Mediator 2.2 Dev & Implmt Assess & Rollback 2.3 Integration & Experimentation 2.4 Program Management 3.1 Refine Fingerprint & Dynam Assign 3.6 Dev Sync of Redundant Databases 3.2 Implement Sync & Voting 3.3 Refine Config Assessment 3.4 Integration & Experimentation 3.5 Program Management 4.1 Refine Sync & Voting 4.2 Implmt Distribution of Servs & DBs 4.3 Integration & Experimentation 4.5 Program Management Task Name 7 10 1 4 7 10 1 4 7 10 1 4 7 10 1 4 7 CY 2000CY 2001CY 2002CY 2003 Phase 1 – Basic Architecture Phase 2 – Extended Architecture CY 2004 Initial Mechanisms Attack Disruption Initial Mechanisms System Recovery Refined Mechanisms Attack Disruption Refined Mechs Sync & Voting Distrib Sys

11 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 11 Aegis Research Corporation Technology Transfer Mechanisms for technology transfer to DARPA, other government agencies, the Services, and industry include –Formal documentation of the development and analysis of the prototype algorithms at the conclusion of each phase of our proposed effort –Documentation of the results of experiments –Technical papers published in the open literature and presented at conferences and workshops –Leveraging our Team’s link to government agencies with vested interests in ITS technology –Supporting government source selection for manufacturing and licensing our ITS technology

12 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 12 Aegis Research Corporation Required Support from DARPA PM Coordination of experiments in the DARPA Technical Integration Center (TIC) facility

13 DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 13 Aegis Research Corporation Conclusion Problem –How can we tolerate unknown attack signatures and attacks that exploit unknown system vulnerabilities? Approach –Adapt concepts that have been successfully implemented in Byzantine fault-tolerant systems Benefits –Development and maintenance required for a relatively small number of trusted elements in the network architecture –COTS elements can be upgraded/improved with minimal impact on system security –Protects against “new” attacks

Download ppt "DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA."

Similar presentations

Computer Systems & Architecture Lesson 2 4. Achieving Qualities.

Computer Systems & Architecture Lesson 2 4. Achieving Qualities.
Distributed Systems Major Design Issues Presented by: Christopher Hector CS8320 – Advanced Operating Systems Spring 2007 – Section 2.6 Presentation Dr.

Distributed Systems Major Design Issues Presented by: Christopher Hector CS8320 – Advanced Operating Systems Spring 2007 – Section 2.6 Presentation Dr.
DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001Slide 1 Aegis Research Corporation Not for Public Release Survivability Validation Framework for Intrusion.

DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001Slide 1 Aegis Research Corporation Not for Public Release Survivability Validation Framework for Intrusion.
Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Noel Schmidt Architecture Technology Corporation Odyssey Research Associates DARPA.

Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Noel Schmidt Architecture Technology Corporation Odyssey Research Associates DARPA.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Yingping Huang and Gregory Madey University of Notre Dame A W S utonomic eb-based imulation Presented by Tariq M. King Published by the IEEE Computer Society.

Yingping Huang and Gregory Madey University of Notre Dame A W S utonomic eb-based imulation Presented by Tariq M. King Published by the IEEE Computer Society.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
SE curriculum in CC2001 made by IEEE and ACM: Overview and Ideas for Our Work Katerina Zdravkova Institute of Informatics

SE curriculum in CC2001 made by IEEE and ACM: Overview and Ideas for Our Work Katerina Zdravkova Institute of Informatics
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Network Enabled Capability Through Innovative Systems Engineering Service Oriented Integration of Systems for Military Capability Duncan Russell, Nik Looker,

Network Enabled Capability Through Innovative Systems Engineering Service Oriented Integration of Systems for Military Capability Duncan Russell, Nik Looker,
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.

Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
Network Support for Cloud Services Lixin Gao, UMass Amherst.

Network Support for Cloud Services Lixin Gao, UMass Amherst.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
BA 378: Accounting Information Systems Instructor: Dr. James R. Coakley.

BA 378: Accounting Information Systems Instructor: Dr. James R. Coakley.
Chapter 2 The process Process, Methods, and Tools

Chapter 2 The process Process, Methods, and Tools
FMEA-technique of Web Services Analysis and Dependability Ensuring Anatoliy Gorbenko Vyacheslav Kharchenko Olga Tarasyuk National Aerospace University.

FMEA-technique of Web Services Analysis and Dependability Ensuring Anatoliy Gorbenko Vyacheslav Kharchenko Olga Tarasyuk National Aerospace University.

Similar presentations

Ads by Google