01-06-2012, 05:36 PM
Self-Protection in a Clustered Distributed System
INTRODUCTION
The complexity of today's distributed computing environments is such that the presence of bugs and security holes is statistically unavoidable. A very promising approach to this issue is to implement a self-protected system, which refers to the capability of a system to protect itself against intrusions, i.e., to detect them and fight them back.

This paper presents a self-protected system in the context of cluster-based applications. We consider that the hardware environment is composed of a cluster of machines interconnected through a local area network, with Internet access via a router. The software environment is composed of a set of application components deployed on the cluster. These assumptions correspond to the point of view of a machine provider which rents its cluster infrastructure to different customers. We consider that each customer has a set of machines exclusively allocated to its applications. However, the local network and the Internet access are shared by all the applications. Therefore, the threat may come from outside of the cluster through the Internet, but also from inside, because of a hostile accredited customer.
RELATED WORK
This section reviews the main tools and techniques currently used by security experts to fight against intrusions, and the existing systems which implement a self-protected behavior.
Intrusion Detection
Two main approaches have been explored [20] to ensure intrusion detection: misuse intrusion detection and anomaly intrusion detection. These approaches have been used in the case of firewalls and Intrusion Detection Systems (IDS). While firewalls are often used as filtering gateways to detect and block illegal communication in real time, IDS mainly work offline and perform deep analysis to trigger alarms afterward. Misuse intrusion detection aims at detecting traces of well-identified attacks.
Backtracking Tools
Backtracking tools [14] record detailed data about the system activity so that, once an intrusion attempt has been detected, it is possible to determine the sequence of events that led to the intrusion and the potential extent of the damage (e.g., data theft/loss). The Taser system [10] provides the ability to restore the system to a trusted state. It enhances the file system with a selective self-recovery capability. Taser logs all file system accesses for each process. If a process is compromised, Taser computes the illegal accesses for each file and is able to roll back illegal modifications. Such backtracking tools can help to automate parts of this process, but human expertise is still required for an accurate understanding of the attack.
Self-Protected Systems
Self-protected systems are systems which are able to autonomously fight back intrusions in real time. Rootsense [15] is an example of a self-protected system. It differs from classical IDS in the sense that it detects and blocks intrusions in real time. It audits events within different levels of the host operating system and correlates them to comprehensively capture the global system state. It restricts the detection domain to root compromises only; doing so reduces runtime overhead and increases detection accuracy. It also adopts a dual approach to intrusion detection: a root penetration detector detects attempts to hijack the system, and a root misbehavior detector tracks misbehavior by root processes (if the system was hijacked). MLIDS [1] (multilevel intrusion detection system) is another example of a self-protected system.
DESIGN OF THE SELF-PROTECTED SYSTEM
Our approach relies on the capacity to maintain a consistent view of the global architecture of the cluster in terms of machines, software and their interconnections (the sense of self in Forrest's terminology [7]). For that purpose, human administrators use a deployment manager provided by the infrastructure to remotely install and interconnect software in the cluster. This deployment manager is the only way to add or remove software in the cluster. Therefore, this manager initializes the view of the global architecture and traps all modifications to maintain the consistency of the view.
Self-Protection Manager
The self-protection manager is responsible for the management of the System Representation and for its use to detect illegal communications and to take counter-measures.
Management of the System Representation
In order to manage such a System Representation, we rely on the services associated with the component framework we used (Fractal [3]). Traditionally, a component framework provides services for the deployment of a component architecture and for the modification (reconfiguration) of this architecture. Therefore, any administration action (machine or software installation or startup) is achieved as an action on the component architecture and reflected on the real environment, which implicitly maintains consistency between the two levels.
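The mechanism described in the three paragraphs above (a deployment manager that is the only path for adding, removing or binding software, and a representation used to decide which communications are legal) is illustrated by the following added example. It is not the paper's code nor Fractal's API; the class and method names, the machine names and the sample flows are all constructed for this illustration.

```python
# Added example, not the paper's code: a minimal model of the System
# Representation (machines, components, bindings) used to flag network
# flows that the declared architecture does not authorise. Names are assumed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    client: str  # initiating component
    server: str  # target component
    port: int    # server port the binding uses

@dataclass
class SystemRepresentation:
    machines: dict = field(default_factory=dict)    # machine -> components
    components: dict = field(default_factory=dict)  # component -> machine
    bindings: set = field(default_factory=set)      # authorised bindings

    # All changes go through these methods (the deployment manager), so the
    # view cannot drift from the real environment.
    def deploy(self, component, machine):
        self.machines.setdefault(machine, set()).add(component)
        self.components[component] = machine

    def undeploy(self, component):
        self.machines[self.components.pop(component)].discard(component)
        self.bindings = {b for b in self.bindings
                         if component not in (b.client, b.server)}

    def bind(self, client, server, port):
        if client not in self.components or server not in self.components:
            raise ValueError("binding refers to an undeployed component")
        self.bindings.add(Binding(client, server, port))

    def is_legal(self, src_machine, dst_machine, dst_port):
        """A flow is legal only if an authorised binding explains it."""
        return any(self.components[b.client] == src_machine
                   and self.components[b.server] == dst_machine
                   and b.port == dst_port for b in self.bindings)

    def illegal_flows(self, flows):
        """Observed (src machine, dst machine, dst port) tuples not authorised."""
        return [f for f in flows if not self.is_legal(*f)]

def demo():
    rep = SystemRepresentation()
    for comp, machine in (("web", "m1"), ("app", "m2"), ("db", "m3")):
        rep.deploy(comp, machine)
    rep.bind("web", "app", 8080); rep.bind("app", "db", 3306)
    # Constructed sample of observed flows; the last two are undeclared.
    flows = [("m1", "m2", 8080), ("m2", "m3", 3306),
             ("m1", "m3", 3306), ("m9", "m2", 8080)]
    return rep.illegal_flows(flows)
```

Removing a component through the manager also revokes every binding that referred to it, so a flow that was legal before the undeploy is reported afterwards.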