Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Willow System Implementation Intrusion Tolerance Through Secure System Reconfiguration OASIS PI Meeting Santa Rosa, CA August 2002.

Published byHortense Thornton Modified over 9 years ago

Similar presentations

Presentation on theme: "The Willow System Implementation Intrusion Tolerance Through Secure System Reconfiguration OASIS PI Meeting Santa Rosa, CA August 2002."— Presentation transcript:

1 The Willow System Implementation Intrusion Tolerance Through Secure System Reconfiguration OASIS PI Meeting Santa Rosa, CA August 2002

2 The Willow Team University of Colorado:  Alexander Wolf, Dennis Heimbigner, Antonio Carzaniga  Naveed Arshad, Marco Castaldi, John Giacomoni  Nathan Ryan University of Virginia:  John Knight, Jonathan Hill, Phil Varner, Sean Travis  Aaron Crickenberger, Rich Honhart, Serge Egelman, Warren Hall, Mi Peng, Mike Peck, Brian Garback University of CA, Davis:  Prem Devanbu, Michael Gertz, Brian Toone

3 Willow Team Photograph

4 Aspects of Intrusion Tolerance Very Large Networks Interdependent Networks Heterogeneous Nodes Explicit Sense/Analyze/Respond Non-Local Faults Sequential Faults

5 Network Sensors Actuators Network State &Analysis Model Tolerate Unanticipat’d Faults Tolerate Anticipated Faults Change to Planned Posture Update System Deploy System Trust-Mediated External Input Dimensions of Intrusion Tolerance

6 Recent Progress Willow system implementation goals:  Implement all functionality  Design to scale to expected network sizes Topics:  Target system testbed  Willow system error detection/analysis  Willow system communication—Siena: Site select addressing Result harvesting  Willow system actuation  Trust-mediated information access  Evaluation and preliminary tests

7 Target Testbed System Servers - Immunix Clients - Windows

8 Reactive Control Mechanism Servers - Immunix Clients - Windows Error Detection & Recovery Synthesis Translator Surviv. Spec. New notation & translator New language features: Proper treatment of time General class structure Wide Area Domain Local Area Domain Network Nodes LIRA Andrea Agent LIRA Andrea Agent LIRA Andrea Agent LIRA Andrea Agent LIRA Andrea Agent Sensors Visualization Administrator’s Workbench

9 Willow Communications Servers - Immunix Clients - Windows Error Detection & Recovery Synthesis Sensor Data Actuation Commands Event notification Many inf. sources:  Trusted  Untrusted Mediation structure to provide most trusted Pub/sub implementation for control Two extensions:  Site select addressing  Result harvest Visualization Administrator’s Workbench Trust-Mediated External Input

10 Willow Control Communications Publisher Subscriber Siena Result Harvesting Site Select Addressing SelectorReceptor Subscriptions Publication

11 Site Select Addressing Specialized use of publish/subscribe:  Published messages contain selection parameters  Received only by sites with matching receptors Efficient, property-based addressing of receiver sites Built a general selection function language on the Siena publish/subscribe system Receivers are dynamic—can change their properties Messages they receive depend only on their recent properties Previous work:  Control of robot groups in MURDOCH system  Distributed query in query/response paradigm (Colorado)

12 Advantages Of Site Select Addressing Brings all benefits of pub/sub to control:  Qualitative addressing, does not require explicit knowledge of receivers  Flexible, easy-to-use, one-to-many messaging Selection functions limited to AND are O(1) router table-efficient Selection function language not efficient for all Boolean expressions. OR causes exponential router table costs Issues:  Dynamic changes in receiver properties take time to propagate through distributed routing tables  Time scales with network size  May not receive some messages issued after properties are changed to be relevant, due to lag in network routing setup

13 Publish/Subscribe Result Harvesting Reply mechanism for distributed Publish/Subscribe, implemented for the Siena system Gathers responses to a published message:  All receivers can respond  Responses in a histogram  Reports histogram to publisher Re-uses the forwarding tree generated in the propagation of the publication Merges histograms at the convergences on the return to the root of the tree Comprehensive performance analysis paper in preparation

14 Utility Of Result Harvesting General uses for very large networks:  Publish content and learn number of recipients  Publish orders and harvest responses  Publish queries and harvest results  Content-routed RPC (i.e., pub/sub-style) Efficient implementation of query/response Site-Select command—messaging via site- select addressing followed by result harvesting

15 LIRA/ANDREA Architecture Agents Wide Area Domain Local Area Domain Network Nodes LIRA Andrea Agent LIRA Andrea Agent LIRA Andrea Agent LIRA Andrea Agent LIRA Andrea Agent Servers - Immunix Clients - Windows

16 Siena Publish/Subscribe Bus LIRA/ANDREA Agent Structure LIRA Interface (Set/Ack, Get/Reply, Notify, Call/Return) Attribute Model SSM SSL Attribute Model Monitor Call Handler Intention Council Local Sense Monitor Set Sensor Event Change Event Set Notify, Call Call Ack Reply Return Result Set Get Local Ack Reply Ack Return Result ‘Displayed’ attributes are the SSM ‘Antigen’ One to Many Command, Many to One Result Harvesting Peer-to-peer communications Intra-agent communications LIRA Andrea Agent Peer-to-peer

17 Trust Mediation in Willow Client systems express trust requirements Trust rating system assigns trust ratings to information sources Trust ratings stored in trust broker Mediator evaluates queries using trust ratings 1. Infer trust ratings for queries 2. Select source(s) and evaluate

18 Modeling Trust Ratings of Sources: Completeness Trust model based on difference in tuples V corresponds to a belief about the content of a given relation R corresponds to the actual content presented by a source V  R means that R is rated as over-the-top with respect to completeness

19 Trust Mediation Benefits Source selection by rating queries using inference rules (e.g.,) …and similarly for other relational algebra constructors Facilitates interaction with trusted or partially trusted sources Level of abstraction for designing security policies

20 Willow Team At OASIS PI Meeting

21 First Experiment – A Worm (Yes, we wrote a worm…) Goal—detect and respond to fast-moving worm But we only have six machines, so it’s just a feasibility experiment Fault tolerance:  Error det.: >3 local alarms in 1 min  growing attack  Error rec.: kill worm process on affected nodes and harvest process forensics (follow the worm)  Error det.: >15 local alarms in 1 min  wide-area attack  Error rec: use forensics to kill application network-wide

22 Test Application—A JBI Siena Router Air Tasking Orders Database Map Database Weather Sensors Aircraft Observer Observation And Command Interface

23 Future Plans Wide-area implementation across all Willow sites Implementation on ~300-node testbed for performance measurement Multiple asynchronous control loops Variety of security attack scenarios Variety of non-malicious damage scenarios Performance measurement of:  Site-select commands  Result harvesting

24 Expected Major Results Technology:  Efficient/scalable/secure control architecture for large networks (specification, synthesis, communication, configuration, coordination, mediation, actuation, etc.)  Rigorous performance analysis of the components and the composite architecture Demonstrations:  Wide-area Willow & JBI implementations  Survive (recall the definition): Worm attack on large network Random physical damage to our JBI Coordinated security attacks on our JBI

25 Questions?

26 Performance Of Result Harvesting Pub/Sub network with fixed branching factor Hierarchical dispatch network Branching factor b=number of children dispatchers per dispatcher Peer-to-peer dispatch network with homogenous connection Topology (near same number of connections per node).

27 Publish/Subscribe Result Harvesting a)Branching factor b=maximum number of connections-1. B) Then 1) Worst case publication (sent to the entire network of nodes, set N) 2) with the worst possible replies (each reply unique, histogram degenerates to a list) 3) generates a forwarding tree of height log(b, |N|) 4) Results in total histogram of size |N| 5) average histogram size at dispatch nodes in the tree is O(log(|N|)) 6) average merge cost and bandwidth cost at dispatch node are both O(log(|N|)) 7) merge and bandwidth costs to the root node are O(|N|) 8) merge and bandwidth costs next to leaves is O(1) C) In such a branching factor-compliant network (b fixed, see above), given the network should support P worst case simultaneous messages originated from different publishers, then we can compute 1)average bandwidth requirement as O(Plog(|N|)) 2)peak bandwidth requirement as O(|N|) (no factor of P here assuming P messages have been published from different nodes) 3)same for merge computation cost

28 Site Select Addressing 1 2 Command 2 2 1 2 Implementation via publish/subscribe LIRA Andrea Agent

29 Uses Of Site Select Addressing Site-select publication with Siena harvest makes effective command paradigm Selective publication—send content to sites with relevant properties Combine Site-Select messaging with Siena harvest for command and control of very large systems

Download ppt "The Willow System Implementation Intrusion Tolerance Through Secure System Reconfiguration OASIS PI Meeting Santa Rosa, CA August 2002."

Similar presentations

Programming Languages for End-User Personalization of Cyber-Physical Systems Presented by, Swathi Krishna Kilari.

Programming Languages for End-User Personalization of Cyber-Physical Systems Presented by, Swathi Krishna Kilari.
A component- and message-based architectural style for GUI software

A component- and message-based architectural style for GUI software
A Cooperative Approach to Support Software Deployment Using the Software Dock by R. Hall, D. Heimbigner, A. Wolf Sachin Chouksey Ebru Dincel.

A Cooperative Approach to Support Software Deployment Using the Software Dock by R. Hall, D. Heimbigner, A. Wolf Sachin Chouksey Ebru Dincel.
1 Message Oriented Middleware and Hierarchical Routing Protocols Smita Singhaniya Sowmya Marianallur Dhanasekaran Madan Puthige.

1 Message Oriented Middleware and Hierarchical Routing Protocols Smita Singhaniya Sowmya Marianallur Dhanasekaran Madan Puthige.
Extensible Networking Platform 1 1 - IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood

Extensible Networking Platform IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood
Small-Scale Peer-to-Peer Publish/Subscribe

Small-Scale Peer-to-Peer Publish/Subscribe
Network Operating Systems Users are aware of multiplicity of machines. Access to resources of various machines is done explicitly by: –Logging into the.

Network Operating Systems Users are aware of multiplicity of machines. Access to resources of various machines is done explicitly by: –Logging into the.
Sebastian Smith ○ Lance Hutchinson ○ Ben Damonte ○ Jennifer Knowles ○ Dr. Monica Nicolescu ○ Dr. Sergiu Dascalu Department of Computer Science and Engineering,

Sebastian Smith ○ Lance Hutchinson ○ Ben Damonte ○ Jennifer Knowles ○ Dr. Monica Nicolescu ○ Dr. Sergiu Dascalu Department of Computer Science and Engineering,
Extensible Scalable Monitoring for Clusters of Computers Eric Anderson U.C. Berkeley Summer 1997 NOW Retreat.

Extensible Scalable Monitoring for Clusters of Computers Eric Anderson U.C. Berkeley Summer 1997 NOW Retreat.
Matching Patterns Servers assemble sequences of notifications from smaller subsequences or from single notifications.This technique requires an advertisement.

Matching Patterns Servers assemble sequences of notifications from smaller subsequences or from single notifications.This technique requires an advertisement.
Design and Evaluation of a Wide-Area Event Notification Service Antonio Carzaniga David S. Rosenblum Alexander L. Wolf.

Design and Evaluation of a Wide-Area Event Notification Service Antonio Carzaniga David S. Rosenblum Alexander L. Wolf.
95-702 OCT 1 Master of Information System Management Organizational Communications and Distributed Object Technologies Lecture 5: Distributed Objects.

OCT 1 Master of Information System Management Organizational Communications and Distributed Object Technologies Lecture 5: Distributed Objects.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
SensIT PI Meeting, April 17-20, 2001 1 Distributed Services for Self-Organizing Sensor Networks Alvin S. Lim Computer Science and Software Engineering.

SensIT PI Meeting, April 17-20, Distributed Services for Self-Organizing Sensor Networks Alvin S. Lim Computer Science and Software Engineering.
Distributed Robot Agent Brent Dingle Marco A. Morales.

Distributed Robot Agent Brent Dingle Marco A. Morales.
16: Distributed Systems1 DISTRIBUTED SYSTEM STRUCTURES NETWORK OPERATING SYSTEMS The users are aware of the physical structure of the network. Each site.

16: Distributed Systems1 DISTRIBUTED SYSTEM STRUCTURES NETWORK OPERATING SYSTEMS The users are aware of the physical structure of the network. Each site.
©Silberschatz, Korth and Sudarshan18.1Database System Concepts Centralized Systems Run on a single computer system and do not interact with other computer.

©Silberschatz, Korth and Sudarshan18.1Database System Concepts Centralized Systems Run on a single computer system and do not interact with other computer.
Fuego Event Service: Towards Modularity in Event Routing Sasu Tarkoma Rutgers-Helsinki Workshop 9.5.2006.

Fuego Event Service: Towards Modularity in Event Routing Sasu Tarkoma Rutgers-Helsinki Workshop
Background Notification services in LAN Provides Notification Selection Notification Delivery Done on a centralized server (hence not scalable) Challenge.

Background Notification services in LAN Provides Notification Selection Notification Delivery Done on a centralized server (hence not scalable) Challenge.
Course Instructor: Aisha Azeem

Course Instructor: Aisha Azeem

Similar presentations

Ads by Google