The design of adaptive intrusion tolerance system based on virtualization

Abstract

Recently the building of strong intrusion tolerance systems is in great demand since the openness and the distributed nature of information systems are easily used to compromise the systems by intentional attacks. To achieve intrusion tolerance by enabling the systems survive various types of intrusions, we suggest a novel approach, Adaptive Cluster Transformation (ACT) and several advanced schemes, in this paper. Instead of using a fixed cluster size as in conventional approaches, ACT adapts a variable cluster size depending on the system status. This is proved to maintain good quality of service (QoS). In addition, the early prediction of incoming massive packets makes ACT possible to replace any damaged clusters with new ones consisting of pristine virtual machines (VMs). This also contributes to defend the system against a Denial of Service (DoS). Two schemes are suggested in order to complement ACT:vulnerability-based VM selection and fast transformation based on historical data. In case current cluster should be expanded, new VMs are chosen based on each VM`s vulnerability. It is verified that this process helps to reduce the data leakage of whole system through adjusting the frequency of exposure according to vulnerability. Also, if enough historical data is secured, much more fast transformation than the case of using only ACT is possible. This is because next incoming packet rate is expected through historical data map generated through enough learning process. The performance of ACT is compared with other fixed size of VM cluster architectures by CSIM 20. And it is verified that the proposed method is more effective in maintaining the specific level of QoS as well as providing strong security to targeted system. Furthermore, as the number of exposure increases, the rate of information leakage with vulnerability-based VM selection is drastically decreased.