An Architecture for an Adaptive Intrusion-Tolerant Server

  • Alfonso Valdes
  • Magnus Almgren
  • Steven Cheung
  • Yves Deswarte
  • Bruno Dutertre
  • Joshua Levy
  • Hassen Saïdi
  • Victoria Stavridou
  • Tomás E. Uribe
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2845)


We describe a general architecture for intrusion-tolerant enterprise systems and the implementation of an intrusion-tolerant Web server as a specific instance. The architecture comprises functionally redundant COTS servers running on diverse operating systems and platforms, hardened intrusion-tolerance proxies that mediate client requests and verify the behavior of servers and other proxies, and monitoring and alert management components based on the EMERALD intrusion-detection framework. Integrity and availability are maintained by dynamically adapting the system configuration in response to intrusions or other faults. The dynamic configuration specifies the servers assigned to each client request, the agreement protocol used to validate server replies, and the resources spent on monitoring and detection. Alerts trigger increasingly strict regimes to ensure continued service, with graceful degradation of performance, even if some servers or proxies are compromised or faulty. The system returns to less stringent regimes as threats diminish. Servers and proxies can be isolated, repaired, and reinserted without interrupting service.


Keywords: Intrusion Detection; Application Server; Client Request; Software Rejuvenation; Monitoring Subsystem





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Alfonso Valdes (1)
  • Magnus Almgren (1)
  • Steven Cheung (1)
  • Yves Deswarte (1)
  • Bruno Dutertre (1)
  • Joshua Levy (1)
  • Hassen Saïdi (1)
  • Victoria Stavridou (1)
  • Tomás E. Uribe (1)

  1. System Design Laboratory, SRI International, Menlo Park, USA
