Research On Intrusion Tolerant Strategy For Web Applications

Posted on: 2007-04-19
Degree: Master
Type: Thesis
Country: China
Candidate: J Yao
GTID: 2178360242461965
Subject: Computer application technology
Abstract/Summary:
Intrusion Tolerance (IT) is the core of "the Third Generation Security (3GS)" presented by DARPA, USA. Different from traditional security technologies, IT aims to maintain the integrity, confidentiality and availability of the critical data and services provided by the whole system when some components are attacked or ruined. Intrusion-tolerant strategies for Web applications are widely studied now. The purpose of this research is to provide clients with highly secure and available Web service under increasingly rampant Internet attacks; it is therefore of great theoretical and practical significance.

First, this paper proposes an architecture for an intrusion-tolerant Web system based on an analysis of the design targets and the technology route. This intrusion-tolerant system, which adopts redundancy, diversity and self-adaptive reconfiguration, can provide service continuously, and consists of a tolerant proxy server, redundant servers, an IDS and an administrator. This architecture provides the technical framework for the discussion of two important mechanisms: the protection scheme for the Web private key based on proactive secret sharing, and the voting mechanism.

A protection scheme for the Web private key based on traditional secret sharing is not applicable, because the adversary has so much time to mount attacks that the security of the private key is reduced. To address this shortcoming of the traditional scheme, this paper presents a concrete scheme based on proactive secret sharing. The new scheme can maintain the long-term security and confidentiality of the private key: its shares are periodically renewed without changing the key, through mutual cooperation among the n share servers, and the private key is not exposed in the process of renewing and verifying, so that the effective time available to the adversary is reduced to a single time period. In addition, the paper proposes an RSA key PSS algorithm with an improved verifiable scheme and gives detailed share initialization, renewal and recovery algorithms.

Voting is the pivotal mechanism of the intrusion-tolerant Web system with redundant servers. After analyzing the usual flow of voting, the paper presents an improved voting mechanism, which filters out erroneous Web servers that vote ineffectively, to reduce the number of servers executing voting and enhance the speed of voting. The paper then proposes an improved FTP-DS algorithm to find erroneous Web servers by mining sequential patterns in the system error log. Finally, experiments on the KDDCUP99 dataset are carried out to verify the improved algorithm. The experimental results show that the improved algorithm outperforms the FTP-DS algorithm in mining speed and detection rate.

Research on these intrusion-tolerant strategies for Web applications enriches the study of intrusion-tolerant Web service systems and offers a new means to protect Web servers.
Keywords/Search Tags: Intrusion Tolerance, Web Applications, Proactive Secret Sharing, Voting Mechanism