
Research And Design Of Intrusion Tolerant System

Posted on: 2012-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: Y Qin
GTID: 2218330338966958
Subject: Cryptography

Abstract/Summary:
Traditional security defenses prevent known threats through access control, firewalls, intrusion detection and similar technologies. Because system vulnerabilities are inevitable and attack methods keep evolving, it is difficult to ensure a system's confidentiality, integrity or authenticity by relying on traditional security technologies, which are characterized by "blocking" or "prevention". Intrusion tolerance, the third generation of security technology, is the core of survival technology. It is concerned with the effects of an intrusion rather than its causes: through measures such as decentralization and the prevention of single points of failure, a system can still provide critical services to legitimate users even when it has been attacked, intruded upon or illegally controlled.

Currently, there are a variety of ways to realize an intrusion tolerant system. According to the object protected, existing proposals fall into two major categories: service-oriented and data-oriented. This thesis mainly studies service-oriented intrusion tolerant systems. Building on an understanding of the development status, basic concepts and ideas of intrusion tolerance, and of the means and mechanisms used within intrusion tolerant systems, we drew on the design ideas of typical international intrusion tolerant reference models and explored a host intrusion tolerant system architecture and a network intrusion tolerant system scheme based on voting and load balancing. The specific results are as follows:

1. Based on collecting and collating a large amount of relevant technical literature, we summarized the development status at home and abroad, the basic concepts and ideas of intrusion tolerance technology, and the implementation means and mechanisms of intrusion tolerant systems. We also analyzed two internationally renowned intrusion tolerance frameworks, SITAR and MAFTIA.

2. We proposed a host intrusion tolerant system architecture that can be applied in resource-limited environments, with features including state testing, state assessment, configuration management, response and recovery processing, security and communication. We described the system's working principle and designed in detail several functional modules, such as state assessment, response, tolerance mechanism triggering, communication and security event alarm.

3. We proposed a network intrusion tolerant system based on voting and load balancing, suited to web service systems, which makes comprehensive use of redundancy, diversity, acceptance testing, load balancing, voting, group communication and reconfiguration recovery technologies. We briefly discussed the system's protection principles and discussed in depth some key mechanisms, such as dynamic load balancing and voting converse, process migration, service redirection, service monitoring and network topology adaptation.

Because a workable intrusion tolerant system is very complicated, this thesis offers only a preliminary exploration of intrusion tolerant systems in stand-alone and network environments, and many of the algorithms and processes adopted need further clarification. Moreover, with so many technical problems still to be solved, the final realization and operation of an intrusion tolerant system remains some distance away.

Keywords/Search Tags: Intrusion Tolerant, Voting, Load Balancing, Survival System