| Intrusion-tolerance is the technique of using fault-tolerance to achieve security properties. Instead of focusing on intrusion prevention or eliminating all the system vulnerabilities, it should provide an ultimate defense of the system, the aim of which is to fulfill the primary missions in the presence of intrusion or partial compromising. The tolerance paradigm in security has deserved much attention recently.However, the available intrusion tolerant architectures have the following strict requirements: 1) the system should have high ability of computing and storage; 2) the redundant components of the system should satisfy some tight requirements about quantity and quality; 3) the communications among components require reliable and high speed transmission. As a result it takes comparative cost to implement general intrusion tolerance. On the other hand, many application scenarios have tight resource restriction. This dissertation presents that how to provide prime services in resource constraint scenarios is a new progress of intrusion tolerance. Then some key problems in this direction are studied:1. The fault-tolerant routing in resource constraint scenarios is discussed. Firstly, a mathematical optimal model for available fault-tolerant stateless routings is given. Then the model is proved no analytical solutions in many scenarios, which shows that available solutions have non-ignorable computing cost, as a result not suitable for resource constraint scenarios. This thesis presents an improved fault-tolerant routing with probability load balance among multiple paths, and a lightweight algorithm for the model. In the end, the efficiency of the model and the algorithm is shown by an illustration and simulation.2. Triangular inequality based forwarding strategy is proposed. Firstly, the data forwarding are restricted in a specified area by introducing a virtual reference point. Then the relationship between reliability and this area is given. A detailed analysis shows that the reliability increases quadratically with the distance between the source node and the reference node, based on which the reliability differentiated fault-tolerant routing algorithm is given. In the end, the advantages of proposed algorithm over the related work are shown by analysis and comparisons.3. A network traffic sampling model for the network intrusion detection system (NIDS) is given. Based on differential equation theory, a quantitative analysis of the effect of NIDS on the network traffic is given firstly. Secondly, a minimum delay time of NIDS needed to detect some kinds of intrusions is analyzed. In the end, an upper bound of the sampling distance is discussed. Proofs are given to show the efficiency of our approach.4. Recently some nature-inspired algorithms are used in cryptography and information security. This thesis shows the advantages and disadvantages of those interesting work. And four feasible directions are summarized: 1). automatically designing provably secure protocol; 2) designing artificial immunity and intrusion detection system; 3) password based authentication and key establishment using hard artificial problem; 4) one-way property of evolutionary algorithm. Then the thesis focuses on the pseudorandom number generation using one-way property of evolutionary algorithm. In the end, the thesis discusses how to reduce the resource cost in the client equipments when providing secure service.
|
PDF Full Text Request