Automated Adaptive Intrusion Containment in Systems of Interacting Services
Author
Yu-Sung Wu, Bingrui Foo, Yu-Chun Mao, Saurabh Bagchi, Eugene Spafford
Tech report number
CERIAS TR 2005-87
Abstract
Large-scale distributed systems typically have interactions among different services that create an avenue for
propagation of a failure from one service to another. The failures being considered may be the result of natural failures or
malicious activity, collectively called disruptions. To make these systems tolerant to failures, it is necessary to contain the
spread of the disruption automatically once it is detected. The objective is to allow certain parts of the system to continue to
provide partial functionality in the face of failures. Real-world situations impose several constraints on the
design of such a disruption-tolerant system, of which we consider the following: the alarms may have type I or type II errors;
it may not be possible to change the service itself even though the interaction may be changed; attacks may use steps that are
not anticipated a priori; and there may be bursts of concurrent alarms.
We present the design and implementation of a system named ADEPTS as the realization of such a disruption-tolerant
system. ADEPTS uses a directed graph representation to model the spread of the failure through the system, presents
algorithms for determining appropriate responses and monitoring their effectiveness, and quantifies the effect of disruptions
through a high-level survivability metric. ADEPTS is demonstrated on a real e-commerce testbed with actual attack patterns
injected into it.
Publisher
Purdue ECE TECH REPORT 05-14
Publication Date
2005-11-01
Keywords
automated adaptive intrusion response, intrusion containment, e-commerce system, survivability, attack graphs.