TY - GEN
T1 - Defeating denial-of-service attacks in a self-managing N-Variant system
AU - Jones, Jessica
AU - Hiser, Jason D.
AU - Davidson, Jack W.
AU - Forrest, Stephanie
N1 - Publisher Copyright:
© 2019 IEEE.
PY - 2019/5
Y1 - 2019/5
N2 - N-variant systems protect software from attack by executing multiple variants of a single program in parallel, checking regularly that they are behaving consistently. The variants are designed to behave identically during normal operation and differently during an attack. When different behavior (divergence) is detected, N-variant systems self-heal by either rolling back to a safe state or restarting. Unfortunately, an attacker can create a denial-of-service (DoS) attack from a diverging input by using it to force an N-variant system into an endless diverge/restart cycle. This paper describes a defense, CRISPR-Inspired Program Resiliency (Crispy), that automatically protects N-variant systems from such DoS attacks. Crispy mitigates DoS attacks against N-variant systems using an automatic signature generation technique modeled on CRISPR/Cas, the bacterial adaptive immune system. Experiments on two webservers using exploits developed by an independent Red Team showed Crispy protected against 87.5% of DoS attacks with zero false positives. Overhead was minimal and varied according to the number of signatures maintained, which can be tailored to the threat model and performance requirements.
AB - N-variant systems protect software from attack by executing multiple variants of a single program in parallel, checking regularly that they are behaving consistently. The variants are designed to behave identically during normal operation and differently during an attack. When different behavior (divergence) is detected, N-variant systems self-heal by either rolling back to a safe state or restarting. Unfortunately, an attacker can create a denial-of-service (DoS) attack from a diverging input by using it to force an N-variant system into an endless diverge/restart cycle. This paper describes a defense, CRISPR-Inspired Program Resiliency (Crispy), that automatically protects N-variant systems from such DoS attacks. Crispy mitigates DoS attacks against N-variant systems using an automatic signature generation technique modeled on CRISPR/Cas, the bacterial adaptive immune system. Experiments on two webservers using exploits developed by an independent Red Team showed Crispy protected against 87.5% of DoS attacks with zero false positives. Overhead was minimal and varied according to the number of signatures maintained, which can be tailored to the threat model and performance requirements.
KW - adaptive systems
KW - security
KW - software systems
UR - http://www.scopus.com/inward/record.url?scp=85071091713&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85071091713&partnerID=8YFLogxK
U2 - 10.1109/SEAMS.2019.00024
DO - 10.1109/SEAMS.2019.00024
M3 - Conference contribution
AN - SCOPUS:85071091713
T3 - ICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems
SP - 126
EP - 138
BT - Proceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019
PB - IEEE Computer Society
T2 - 14th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019
Y2 - 25 May 2019 through 26 May 2019
ER -