SITAR Project Develops New Methods to Protect Computers

In June, Triangle software researchers will complete a three-year experimental project on a new kind of security software called an intrusion-tolerant system, developed in part by electrical and computer engineering professor Kishor Trivedi at Duke’s Pratt School of Engineering.

The researchers from Duke and the Advanced Network Research Group at MCNC in Research Triangle Park say continuing security breaches, whether attacks by malicious software or theft of confidential information, demonstrate the need for better computer security. The researchers call their approach a Scalable Intrusion-Tolerant Architecture for Distributed Services, or SITAR for short.

Legions of security products already stand guard, including authentication and encryption software, antivirus programs, firewalls, and intrusion detection systems. Market-research firm IDC says governments, corporations and individuals spent $6 billion on internet security defenses in 2001.

None of this protection slowed the Slammer worm that struck in January. A tiny bit of computer code, Slammer hijacked 75,000 computers within ten minutes and used them to overload crucial internet servers. Slammer shut down the internet in South Korea, stalled thousands of Bank of America ATMs, and blocked one town’s emergency 911 response system.

The recurrence of disruptive attacks does not surprise Feiyi Wang, principal investigator of the Duke/MCNC project. Wang says, "It is unrealistic to believe perimeter defenses will always succeed in keeping malicious software and people from penetrating networked systems."

History supports Wang’s view. Slammer was just the latest in a long list of infamous worms and viruses, including those with evocative names such as LoveLetter and Code Red. Malicious hackers still succeed in stealing credit-card numbers. "Denial of service" attacks, which use malicious software to block access to major web sites, seem certain to continue. All such security failures pale beside the prospect of large-scale cyberattacks by well-funded terrorists and nation-states.

The prospect of such disastrous attacks is why the team led by Wang and Duke’s Trivedi developed SITAR. Its aim is to keep networked systems working despite hostile intrusions. An intrusion-tolerant system shifts the focus from finding and eliminating the attacking agent to containing and counteracting its effects. Intrusion tolerance does this in part by borrowing some old tricks from the field-proven world of "fault-tolerant" computing.

"Techniques invented to keep computer systems operating when equipment and software fails can be adapted to keep systems operating despite the harmful effects of attacks," said Trivedi.

SITAR employs fault-tolerance principles such as providing redundancy in key functions and diversity in configuration. For example, a critical task might run simultaneously on two computers, each of which uses a different operating system and a different program to do the same job. A successful attack would have to subvert two different programs running on two different computers with two different operating systems.

SITAR’s first line of defense consists of "proxy servers," computers that stand as intermediaries between the protected system and the outside world. The proxy servers screen incoming requests for service and decide whether to pass a request on to internal servers that do the real work.

For example, a proxy server might pass on a single request to each of three servers providing the same critical function. When the three internal servers respond to the request, their responses first go to software modules called "Acceptance Monitors." These perform a variety of checks to determine whether each response is of an appropriate form and reasonable character for the request submitted.

The next stop for the responses is a set of SITAR components called "Ballot Monitors." As the name suggests, the Ballot Monitors perform a voting procedure to decide whether to permit the response to go out. In a simple treatment of this example, a Ballot Monitor would compare the three responses to the single original request. If all three responses were the same, the response would be sent on. If two responses were the same and the other differed, the two that agreed would determine the response that goes out. Proxy servers would then pass it on to the external user who sent the request in the first place. SITAR would also recognize that something is amiss.
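The acceptance-then-ballot flow described above can be sketched as follows. This is an added illustration, not SITAR's own code: the function names, the `OK <resource>` reply format, the replica names, and the choice to withhold the reply when no majority exists are all assumptions.

```python
from __future__ import annotations
import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Verdict:
    response: bytes | None                        # reply the proxy may release, or None
    suspects: list = field(default_factory=list)  # replicas rejected or outvoted
    alarm: bool = False                           # "something is amiss"


def acceptance_check(request: str, response: bytes, max_len: int = 4096) -> bool:
    """Assumed acceptance test: reply has the right form and a sane size."""
    if not response or len(response) > max_len:
        return False
    # Assumed reply format: first line echoes the requested resource.
    return response.split(b"\n", 1)[0] == b"OK " + request.encode()


def ballot(request: str, responses: dict[str, bytes]) -> Verdict:
    """Majority vote over the replies that passed the acceptance check."""
    accepted = {r: b for r, b in responses.items() if acceptance_check(request, b)}
    suspects = sorted(set(responses) - set(accepted))
    digests = {r: hashlib.sha256(b).hexdigest() for r, b in accepted.items()}
    counts = Counter(digests.values())
    if not counts:
        return Verdict(None, suspects, alarm=True)
    winner, votes = counts.most_common(1)[0]
    # Require a strict majority of ALL replicas, so rejected replies count
    # against release. Withholding on no majority is an assumption here.
    if votes * 2 <= len(responses):
        return Verdict(None, sorted(responses), alarm=True)
    suspects += [r for r, d in digests.items() if d != winner]
    body = next(accepted[r] for r, d in digests.items() if d == winner)
    return Verdict(body, sorted(suspects), alarm=bool(suspects))


# Constructed sample: three diverse replicas, one returns a tampered value.
GOOD = b"OK /balance\nbalance=100"
SAMPLE = {"linux-a": GOOD, "bsd-b": GOOD, "win-c": b"OK /balance\nbalance=999999"}

if __name__ == "__main__":
    print(ballot("/balance", SAMPLE))
```

Comparing digests rather than raw bodies only works if the diverse replicas produce byte-identical replies; a real deployment would need to normalize responses before voting.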

While the SITAR system is deciding the correct response, SITAR’s Audit Control Module examines logs of system activities and periodically runs diagnostic tests looking for signs of trouble. Recognizing trouble, however, requires some basis for analysis. One of SITAR’s goals is to define stochastic models (models based on probabilities) that predict the mean time to security failure and the likelihood that any specific problem will result. According to Bharat Madan of Duke, "We use stochastic models to quantify security. Our aim is to improve estimates of the parameters by conducting experiments."

Based on information about the state of the system, an Adaptive Reconfiguration Module makes changes to preserve security and maximize performance. The top priority is to ensure that the most important services work acceptably.

SITAR is one of more than 20 projects in intrusion tolerance funded by the Defense Advanced Research Projects Agency (DARPA) under a program called OASIS (Organically Assured and Survivable Information Systems). The goal of this research is to ensure that the military’s information systems continue working even in the face of persistent attacks.

After working on SITAR, Wang is optimistic about intrusion-tolerant systems. "Over time," Wang says, "we can develop techniques for building systems that keep providing an acceptable level of services despite intrusions. Systems will not be truly invulnerable, but they will be 'survivable.' They will keep working."