New Intrusion Tolerance Technology Treats Attacks as Inevitable

First there was intrusion detection, then intrusion prevention, and now, intrusion tolerance. A professor and researcher at George Mason University is readying the commercial rollout of a new, patent-pending technology that basically assumes an attack or infection on a server is inevitable, so it instead minimizes the impact of an intrusion.

Called self-cleansing intrusion tolerance (SCIT), the new security method doesn’t replace IDS, IPS, firewalls, or other traditional security tools, but rather adds another layer that minimizes the damage of an attack, says Arun Sood, professor of computer science and director of the Laboratory of Interdisciplinary Computer Science at GMU in Fairfax, Va. “An intruder is going to get through irrespective of how much investment you make [with security tools] and how hard you try. It’s about how you contain” an intrusion, Sood says.

“Intrusion tolerance is different than intrusion detection and intrusion prevention -- it doesn’t do any detection and prevention,” he says. “Today’s servers are all exposed… we try to contain the losses by reducing the exposure time of the server to the Internet.”

Sood, who will outline his SCIT technology this week at IntrusionWorld in Baltimore, says the basic idea is to regularly rotate Web, DNS, or other servers on- and offline to “cleanse” the exposed machine to a previously unblemished state that’s never been online -- and automatically have another clean (virtual) machine take its place. This cycle would occur at regular intervals, regardless of whether an intrusion had occurred or not. It’s a fatalistic approach to Internet-borne attacks: “Because servers are online for such a long time, if someone wants to deliberately intrude, he has a sitting duck on which he can work,” Sood says.

SCIT is geared for short transactions such as Web apps, but not for things like media streaming or FTP, he says. The researchers’ demonstration servers are set at sub-minute intervals for the “cleansing,” he says. A DNS server, for instance, goes offline every 45 seconds. The goal is to keep servers exposed to the Internet at sub-minute intervals, but without disrupting the application. So far, the researchers have tested SCIT on Web, DNS, and single sign-on servers, using redundant servers as well as virtual servers based on VMware.

Sood says lower exposure times provide better protection for the servers, but also require more compute cycles. He says it’s basically a way to disrupt an attack -- SCIT makes it tougher on the bad guys to exploit vulnerabilities and is basically used as an additional layer of security, but it focuses more on the server itself.

But Thomas Ptacek, principal with Matasano Security, argues that there is no way to truly cleanse a system. "I don't understand how you can minimize exposure to servers by replacing one vulnerable server with another," Ptacek says. "This seems like yet another scheme that forgets that attacks take milliseconds, not days."

Meanwhile, Sood is licensing SCIT from GMU for his new startup called SCIT Labs. His research is currently funded in part by Lockheed Martin, which is also testing the technology in-house, and he’s also gotten funding and support for his startup from Sun Microsystems, he says.

“We will start by selling plug-compatible software[...] to make servers plug-compatible to this,” Sood says. The software will handle the server rotation and self-cleansing operations for the SCIT approach.

The GMU professor and his colleagues first came up with the SCIT concept over five years ago, but that was when virtualization was new, and it rendered SCIT inoperable due to performance reasons. “The performance was lousy” in our first implementation, he says, but VMware performance has improved greatly since then, he adds.

Sood is still in the process of raising funding for his company, which he plans to launch this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.