
Application And Quantitative Analysis Of Intrusion Tolerance Mechanism

Posted on: 2009-12-24
Degree: Master
Type: Thesis
Country: China
Candidate: H B Qin
Full Text: PDF
GTID: 2178360242480646
Subject: Computer system architecture
Abstract/Summary:
Recent work in computer security has been extended by intrusion tolerance, which adopts the AVI (attack, vulnerability, intrusion) composite fault model to describe the object of computer security. In the AVI model an intrusion has two underlying causes. Attack: a malicious, intentional fault attempted against a computing or communication system with the intent of exploiting a vulnerability in that system. Vulnerability: a fault in a computer system that can be exploited with malicious intent. Together these lead to an intrusion: a malicious operational fault resulting from a successful attack on a vulnerability.

Although much work has been done, applying intrusion tolerance mechanisms in practice still requires a set of formal design and evaluation measures. New systems with intrusion tolerance capabilities are wanted to replace existing systems, and a sound evaluation of those capabilities is needed as well. Starting from a medical information system, we studied how to apply intrusion tolerance mechanisms to practical systems.

First we analyse where the vulnerabilities in a system lie. System reliability modelling is a form of security modelling whose objective is to describe every factor that influences a system's reliability: privileges, secrets, security properties, topology, security dependencies and threats. Intrusions can be simulated on the reliability model to discover potential AVI chains, which provides a basis for the design of an intrusion-tolerant system. The model involves three aspects: the participants, the connections and security dependencies between nodes, and a model of the intruder. The reliability model of the GA system is a state-machine model whose states change with the node services and the intruder. We use the state-machine model checker NuSMV to help check the possible intrusions and their sources: the model is first described in NuSMV code and then validated by NuSMV.
After model checking, we found that the AVI chains stem from two main kinds of source. First, frontier services are easily affected by the GA core system. Because those services depend on a single core to provide many security properties, AVI chains propagate easily: when part of the GA core system is compromised by the intruder, some real-time services on the GA patient server and the GA hospital server are affected immediately. For instance, a patient requiring timely medical instruction in first aid might be endangered by an incidental intrusion. Second, the GA system relies heavily on data security. The integrity and confidentiality of the data directly concern the doctor's work and the patient's privacy, and many frontier services also depend on the security of the data.

Referring to existing intrusion tolerance mechanisms, this paper designs an intrusion tolerance solution for the GA system. Requests from users are forwarded to the request dispatching module, which decides where each request should go and sends it on. The request filtering module authenticates the user's privileges and checks the content. Requests are then submitted to the GA core cluster, in which the GA core system is replicated into several replicas, and each request is handled by more than one replica. The responses are collected and checked by the response validating module, and the valid responses are passed to the response matching module, where they are compared and the response returned by the majority is selected and sent to the user. The BQ system is in charge of the data repository. The reconfiguration and recovery module manages the response dispatching module and the GA core cluster, and listens for alarms from the IDS. The IDS monitors the filtering and validating modules, the GA core cluster and the BQ system.

Based on threshold secret sharing, this paper implements the response matching module and a simplified BQ system. Threshold secret sharing generates several shares from a secret, and the shares are held by several participants.
Once enough participants gather their shares, the original secret can be recovered. When signing the final response, the response matching module follows a threshold signature scheme: the private key is hidden among shares held by the GA core replicas, one share per replica. The threshold is set to f+1, where f is the maximum number of faulty replicas that can be tolerated. Under threshold secret sharing the private key can be recovered by any set of f+1 or more shares, so only the final response obtains a signature and the faulty responses cannot.

When encryption and decryption are applied to the BQ system's read and write operations, the database stores the encrypted content and the user decrypts it after reading. The secret key is shared among n shares, each replica holding one, and the threshold is again f+1. Because threshold secret sharing performs partial intrusion masking, the BQ system needs only 2f+1 replicas, and every set of f+1 replicas forms a quorum; any two quorums share at least one replica.

Although the intrusion tolerance solution adds intrusion tolerance to the GA system and improves its reliability, the redundancy also raises the cost. Assessing the effectiveness of the intrusion tolerance mechanism and computing the performance cost rate therefore calls for a quantitative analysis of the solution. We present an assessment approach based on a Markov process model and quantify the effectiveness of the intrusion tolerance mechanism. The analysis shows that the MTTF of the GA core system is increased and that opportunities for reconfiguration and recovery are gained, so further intrusion is hindered before f+1 replicas are compromised.
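The threshold signature key and the BQ data key described above can be exercised with a small Shamir-style threshold secret sharing implementation. The Python below is an added example written for this page, not the thesis's code: it assumes a Shamir polynomial scheme over a prime field (the prime, the seeds and the sample secrets are constructed for illustration), a threshold of f+1 and n = 2f+1 replicas as stated above, and it also checks the quorum intersection property for those parameters.

```python
"""Shamir threshold secret sharing with threshold f+1 over n = 2f+1 replicas,
used the way the page describes for the threshold signature key and the BQ
data key, plus the quorum-intersection check.  Added example: the field
prime, seeds and sample secrets are constructed for illustration."""
import random
from itertools import combinations

P = (1 << 127) - 1   # constructed field modulus (a Mersenne prime)


def make_shares(secret, k, n, seed=0):
    """Split `secret` into n shares; any k of them reconstruct it.
    The secret is the constant term of a random polynomial of degree k-1
    over GF(P); replica i (i = 1..n) receives the point (i, poly(i))."""
    rng = random.Random(seed)          # seeded only so the demo is repeatable
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(k - 1)]

    def poly(x):
        return sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P

    return [(x, poly(x)) for x in range(1, n + 1)]


def recover(shares):
    """Lagrange interpolation at x = 0 over GF(P).  Yields the secret only
    when at least k distinct shares are supplied; with fewer, the constant
    term is undetermined and the result is just some field element."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def quorums_intersect(n, q):
    """True if every pair of q-replica quorums out of n replicas overlaps.
    For n = 2f+1 and q = f+1 this always holds (2(f+1) > 2f+1), which is
    the property behind the page's remark that two quorums share a replica."""
    replicas = range(1, n + 1)
    return all(set(a) & set(b)
               for a, b in combinations(combinations(replicas, q), 2))


def tolerance_demo(f, secret, seed=1):
    """Apply the page's parameters for a given f: n = 2f+1 replicas,
    threshold f+1.  Shows that any f+1 replicas agreeing on the matched
    response can rebuild the signing key, while up to f faulty replicas
    (holding at most f shares) cannot sign anything else."""
    n, k = 2 * f + 1, f + 1
    shares = make_shares(secret, k, n, seed)
    return {
        "n": n,
        "threshold": k,
        "majority_recovers_key": recover(shares[:k]) == secret,
        "other_majority_recovers_key": recover(shares[f:]) == secret,
        "f_faulty_recover_key": recover(shares[:f]) == secret,
        "all_quorums_intersect": quorums_intersect(n, k),
    }


if __name__ == "__main__":
    print(tolerance_demo(2, 0xC0FFEE))
```

`tolerance_demo(2, ...)` runs the n = 5, threshold 3 configuration: both three-replica subsets rebuild the key, the two faulty replicas alone do not, and every pair of three-replica quorums overlaps. The same scheme serves the signing key and the BQ data key; only the secret differs.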
The performance cost rate assessment suggests that a small redundancy such as 4 or 7 is a good choice.

At the end of the paper we conclude that although existing intrusion tolerance techniques have improved system reliability, their principle is still confined to redundancy-based schemes and they offer no specific solution to a particular intrusion. They therefore all incur high cost with little opportunity for optimisation, and have only been applied in critical services such as military information systems. We believe an intrusion tolerance mechanism should incorporate identification of intrusion characteristics and select the optimal reconfiguration and recovery procedure accordingly.
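The Markov-process MTTF assessment described above can be reproduced in outline with a small absorbing Markov chain. The Python below is an added example and not the thesis's own model: it assumes a state counting compromised replicas (0..f transient, f+1 absorbing, i.e. the point where the f+1 threshold no longer masks the intrusion), a constant intrusion rate lam for compromising the next replica, a recovery rate mu that restores one compromised replica, and a single unreplicated system with MTTF 1/lam as the baseline. The rates and the gain-per-replica measure are constructed stand-ins; the thesis's actual rates and cost model are not on this page.

```python
"""Absorbing-Markov-chain MTTF for a replicated core that fails once f+1
replicas are compromised.  Added example; the model below (constant intrusion
rate lam for the next compromise, recovery rate mu restoring one replica) is
an assumption, not the thesis's own Markov model."""
from fractions import Fraction


def solve_linear(A, b):
    """Exact Gauss-Jordan elimination over the rationals; returns x with A x = b."""
    n = len(A)
    M = [[Fraction(v) for v in row] + [Fraction(rhs)] for row, rhs in zip(A, b)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[piv] = M[piv], M[c]
        pivot = M[c][c]
        M[c] = [v / pivot for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                factor = M[r][c]
                M[r] = [rv - factor * cv for rv, cv in zip(M[r], M[c])]
    return [row[-1] for row in M]


def mttf(f, lam, mu):
    """Mean time to failure starting from state 0 (no replica compromised).

    State i = number of compromised replicas, i = 0..f transient; state f+1
    is absorbing (more than f faulty replicas).  Transitions: i -> i+1 at
    rate lam, i -> i-1 at rate mu for i >= 1.  The expected absorption
    times t_i satisfy the linear system
        (lam + mu_i) t_i - lam t_{i+1} - mu_i t_{i-1} = 1,   t_{f+1} = 0.
    """
    size = f + 1
    A = [[Fraction(0)] * size for _ in range(size)]
    b = [Fraction(1)] * size
    for i in range(size):
        down = mu if i > 0 else 0
        A[i][i] = lam + down
        if i + 1 < size:
            A[i][i + 1] = -lam
        if i > 0:
            A[i][i - 1] = -down
    return solve_linear(A, b)[0]


def redundancy_table(lam, mu, max_f):
    """For f = 0..max_f with n = 2f+1 replicas: the MTTF, the gain over a
    single unreplicated system (MTTF 1/lam), and that gain per replica, a
    constructed stand-in for the page's performance cost rate."""
    rows = []
    for f in range(max_f + 1):
        n = 2 * f + 1
        t = mttf(f, lam, mu)
        gain = t * lam            # t divided by the baseline 1/lam
        rows.append({"f": f, "n": n, "mttf": t,
                     "gain": gain, "gain_per_replica": gain / n})
    return rows


if __name__ == "__main__":
    for row in redundancy_table(Fraction(1), Fraction(1), 3):
        print(row)
```

With lam = mu = 1 the table gives MTTF 1, 3, 6 for n = 1, 3, 5: replication raises the time until f+1 replicas are compromised, and the recovery rate mu is what makes the gain grow faster than the replica count, matching the page's point that reconfiguration and recovery opportunities are gained before the threshold is reached.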
Keywords/Search Tags: Quantitative