A dependable intrusion detection architecture based on agreement services

Michel Hurfin; Jean Pierre Le Narzul; Frédéric Majorczyk; Ludovic Mé; Ayda Saidane; Eric Totel; Frédéric Tronel

doi:10.1007/978-3-540-49823-0_27

A dependable intrusion detection architecture based on agreement services

Michel Hurfin, Jean Pierre Le Narzul, Frédéric Majorczyk, Ludovic Mé, Ayda Saidane, Eric Totel, Frédéric Tronel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In this paper, we show that the use of diversified COTS servers allows to detect intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid any single point of failure. On the one hand we assume that COTS servers are complex softwares that contain some vulnerabilities and thus may exhibit arbitrary behaviors. While on the other hand other basic components of the proposed architecture are simple enough to be exhaustively verified. That's why we assume that they can only suffer from crash failures. The whole system is assumed to be asynchronous and furthermore messages can be lost. In the particular case of Web servers connected to databases, we identify the properties that have to be maintained and the alarms that have to be raised. We describe in details how the different replicated levels interact together and, for each level, we precise the reasons that have led us to use a particular agreement service. Performance evaluations are conducted to measure the quality of service of the Intrusion Detection System (quantity of false positives and lack of false negatives) and the additional cost induced by the mechanisms used to ensure the availability of this secure architecture.

Original language	English
Title of host publication	Stabilization, Safety, and Security of Distributed Systems - 8th International Symposium, SSS 2006. Proceedings
Publisher	Springer Verlag
Pages	378-394
Number of pages	17
ISBN (Print)	3540490183, 9783540490180
DOIs	https://doi.org/10.1007/978-3-540-49823-0_27
Publication status	Published - 1 Jan 2006
Externally published	Yes
Event	8th International Symposium on Self-Stabilizing Systems, SSS 2006 - Dallas, TX, United States Duration: 17 Nov 2006 → 19 Nov 2006

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	4280 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	8th International Symposium on Self-Stabilizing Systems, SSS 2006
Country/Territory	United States
City	Dallas, TX
Period	17/11/06 → 19/11/06

Keywords

Agreement protocols
COTS
Dependability
Diversity
Intrusion detection

Access to Document

10.1007/978-3-540-49823-0_27

Cite this

Hurfin, M., Narzul, J. P. L., Majorczyk, F., Mé, L., Saidane, A., Totel, E., & Tronel, F. (2006). A dependable intrusion detection architecture based on agreement services. In Stabilization, Safety, and Security of Distributed Systems - 8th International Symposium, SSS 2006. Proceedings (pp. 378-394). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4280 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-540-49823-0_27

Hurfin, Michel ; Narzul, Jean Pierre Le ; Majorczyk, Frédéric et al. / A dependable intrusion detection architecture based on agreement services. Stabilization, Safety, and Security of Distributed Systems - 8th International Symposium, SSS 2006. Proceedings. Springer Verlag, 2006. pp. 378-394 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{ab8ed3bc1dde4290844c29fe7aa3f6f1,

title = "A dependable intrusion detection architecture based on agreement services",

abstract = "In this paper, we show that the use of diversified COTS servers allows to detect intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid any single point of failure. On the one hand we assume that COTS servers are complex softwares that contain some vulnerabilities and thus may exhibit arbitrary behaviors. While on the other hand other basic components of the proposed architecture are simple enough to be exhaustively verified. That's why we assume that they can only suffer from crash failures. The whole system is assumed to be asynchronous and furthermore messages can be lost. In the particular case of Web servers connected to databases, we identify the properties that have to be maintained and the alarms that have to be raised. We describe in details how the different replicated levels interact together and, for each level, we precise the reasons that have led us to use a particular agreement service. Performance evaluations are conducted to measure the quality of service of the Intrusion Detection System (quantity of false positives and lack of false negatives) and the additional cost induced by the mechanisms used to ensure the availability of this secure architecture.",

keywords = "Agreement protocols, COTS, Dependability, Diversity, Intrusion detection",

author = "Michel Hurfin and Narzul, \{Jean Pierre Le\} and Fr{\'e}d{\'e}ric Majorczyk and Ludovic M{\'e} and Ayda Saidane and Eric Totel and Fr{\'e}d{\'e}ric Tronel",

year = "2006",

month = jan,

day = "1",

doi = "10.1007/978-3-540-49823-0\_27",

language = "English",

isbn = "3540490183",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "378--394",

booktitle = "Stabilization, Safety, and Security of Distributed Systems - 8th International Symposium, SSS 2006. Proceedings",

note = "8th International Symposium on Self-Stabilizing Systems, SSS 2006 ; Conference date: 17-11-2006 Through 19-11-2006",

}

Hurfin, M, Narzul, JPL, Majorczyk, F, Mé, L, Saidane, A, Totel, E & Tronel, F 2006, A dependable intrusion detection architecture based on agreement services. in Stabilization, Safety, and Security of Distributed Systems - 8th International Symposium, SSS 2006. Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4280 LNCS, Springer Verlag, pp. 378-394, 8th International Symposium on Self-Stabilizing Systems, SSS 2006, Dallas, TX, United States, 17/11/06. https://doi.org/10.1007/978-3-540-49823-0_27

A dependable intrusion detection architecture based on agreement services. / Hurfin, Michel; Narzul, Jean Pierre Le; Majorczyk, Frédéric et al.
Stabilization, Safety, and Security of Distributed Systems - 8th International Symposium, SSS 2006. Proceedings. Springer Verlag, 2006. p. 378-394 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4280 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A dependable intrusion detection architecture based on agreement services

AU - Hurfin, Michel

AU - Narzul, Jean Pierre Le

AU - Majorczyk, Frédéric

AU - Mé, Ludovic

AU - Saidane, Ayda

AU - Totel, Eric

AU - Tronel, Frédéric

PY - 2006/1/1

Y1 - 2006/1/1

N2 - In this paper, we show that the use of diversified COTS servers allows to detect intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid any single point of failure. On the one hand we assume that COTS servers are complex softwares that contain some vulnerabilities and thus may exhibit arbitrary behaviors. While on the other hand other basic components of the proposed architecture are simple enough to be exhaustively verified. That's why we assume that they can only suffer from crash failures. The whole system is assumed to be asynchronous and furthermore messages can be lost. In the particular case of Web servers connected to databases, we identify the properties that have to be maintained and the alarms that have to be raised. We describe in details how the different replicated levels interact together and, for each level, we precise the reasons that have led us to use a particular agreement service. Performance evaluations are conducted to measure the quality of service of the Intrusion Detection System (quantity of false positives and lack of false negatives) and the additional cost induced by the mechanisms used to ensure the availability of this secure architecture.

AB - In this paper, we show that the use of diversified COTS servers allows to detect intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid any single point of failure. On the one hand we assume that COTS servers are complex softwares that contain some vulnerabilities and thus may exhibit arbitrary behaviors. While on the other hand other basic components of the proposed architecture are simple enough to be exhaustively verified. That's why we assume that they can only suffer from crash failures. The whole system is assumed to be asynchronous and furthermore messages can be lost. In the particular case of Web servers connected to databases, we identify the properties that have to be maintained and the alarms that have to be raised. We describe in details how the different replicated levels interact together and, for each level, we precise the reasons that have led us to use a particular agreement service. Performance evaluations are conducted to measure the quality of service of the Intrusion Detection System (quantity of false positives and lack of false negatives) and the additional cost induced by the mechanisms used to ensure the availability of this secure architecture.

KW - Agreement protocols

KW - COTS

KW - Dependability

KW - Diversity

KW - Intrusion detection

U2 - 10.1007/978-3-540-49823-0_27

DO - 10.1007/978-3-540-49823-0_27

M3 - Conference contribution

AN - SCOPUS:33845518354

SN - 3540490183

SN - 9783540490180

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 378

EP - 394

BT - Stabilization, Safety, and Security of Distributed Systems - 8th International Symposium, SSS 2006. Proceedings

PB - Springer Verlag

T2 - 8th International Symposium on Self-Stabilizing Systems, SSS 2006

Y2 - 17 November 2006 through 19 November 2006

ER -

Hurfin M, Narzul JPL, Majorczyk F, Mé L, Saidane A, Totel E et al. A dependable intrusion detection architecture based on agreement services. In Stabilization, Safety, and Security of Distributed Systems - 8th International Symposium, SSS 2006. Proceedings. Springer Verlag. 2006. p. 378-394. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-540-49823-0_27

A dependable intrusion detection architecture based on agreement services

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this