Defeating denial-of-service attacks in a self-managing N-Variant system

Jessica Jones, Jason D. Hiser, Jack W. Davidson, Stephanie Forrest

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

N-variant systems protect software from attack by executing multiple variants of a single program in parallel, checking regularly that they are behaving consistently. The variants are designed to behave identically during normal operation and differently during an attack. When different behavior (divergence) is detected, N-variant systems self-heal by either rolling back to a safe state or restarting. Unfortunately, an attacker can create a denial-of-service (DoS) attack from a diverging input by using it to force an N-variant system into an endless diverge/restart cycle. This paper describes a defense, CRISPR-Inspired Program Resiliency (Crispy), that automatically protects N-variant systems from such DoS attacks. Crispy mitigates DoS attacks against N-variant systems using an automatic signature generation technique modeled on CRISPR/Cas, the bacterial adaptive immune system. Experiments on two webservers using exploits developed by an independent Red Team showed Crispy protected against 87.5% of DoS attacks with zero false positives. Overhead was minimal and varied according to the number of signatures maintained, which can be tailored to the threat model and performance requirements.

Original languageEnglish (US)
Title of host publicationProceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019
PublisherIEEE Computer Society
Pages126-138
Number of pages13
ISBN (Electronic)9781728133683
DOIs
StatePublished - May 1 2019
Event14th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019 - Montreal, Canada
Duration: May 25 2019May 26 2019

Publication series

NameICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems
Volume2019-May
ISSN (Print)2157-2305
ISSN (Electronic)2156-7891

Conference

Conference14th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019
CountryCanada
CityMontreal
Period5/25/195/26/19

Fingerprint

Immune system
Denial-of-service attack
Experiments

Keywords

  • adaptive systems
  • security
  • software systems

ASJC Scopus subject areas

  • Hardware and Architecture
  • Software

Cite this

Jones, J., Hiser, J. D., Davidson, J. W., & Forrest, S. (2019). Defeating denial-of-service attacks in a self-managing N-Variant system. In Proceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019 (pp. 126-138). [8787016] (ICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems; Vol. 2019-May). IEEE Computer Society. https://doi.org/10.1109/SEAMS.2019.00024

Defeating denial-of-service attacks in a self-managing N-Variant system. / Jones, Jessica; Hiser, Jason D.; Davidson, Jack W.; Forrest, Stephanie.

Proceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019. IEEE Computer Society, 2019. p. 126-138 8787016 (ICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems; Vol. 2019-May).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Jones, J, Hiser, JD, Davidson, JW & Forrest, S 2019, Defeating denial-of-service attacks in a self-managing N-Variant system. in Proceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019., 8787016, ICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems, vol. 2019-May, IEEE Computer Society, pp. 126-138, 14th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019, Montreal, Canada, 5/25/19. https://doi.org/10.1109/SEAMS.2019.00024
Jones J, Hiser JD, Davidson JW, Forrest S. Defeating denial-of-service attacks in a self-managing N-Variant system. In Proceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019. IEEE Computer Society. 2019. p. 126-138. 8787016. (ICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems). https://doi.org/10.1109/SEAMS.2019.00024
Jones, Jessica ; Hiser, Jason D. ; Davidson, Jack W. ; Forrest, Stephanie. / Defeating denial-of-service attacks in a self-managing N-Variant system. Proceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019. IEEE Computer Society, 2019. pp. 126-138 (ICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems).
@inproceedings{9c4558ed4669415b9ca077590c4849fe,
title = "Defeating denial-of-service attacks in a self-managing N-Variant system",
abstract = "N-variant systems protect software from attack by executing multiple variants of a single program in parallel, checking regularly that they are behaving consistently. The variants are designed to behave identically during normal operation and differently during an attack. When different behavior (divergence) is detected, N-variant systems self-heal by either rolling back to a safe state or restarting. Unfortunately, an attacker can create a denial-of-service (DoS) attack from a diverging input by using it to force an N-variant system into an endless diverge/restart cycle. This paper describes a defense, CRISPR-Inspired Program Resiliency (Crispy), that automatically protects N-variant systems from such DoS attacks. Crispy mitigates DoS attacks against N-variant systems using an automatic signature generation technique modeled on CRISPR/Cas, the bacterial adaptive immune system. Experiments on two webservers using exploits developed by an independent Red Team showed Crispy protected against 87.5{\%} of DoS attacks with zero false positives. Overhead was minimal and varied according to the number of signatures maintained, which can be tailored to the threat model and performance requirements.",
keywords = "adaptive systems, security, software systems",
author = "Jessica Jones and Hiser, {Jason D.} and Davidson, {Jack W.} and Stephanie Forrest",
year = "2019",
month = "5",
day = "1",
doi = "10.1109/SEAMS.2019.00024",
language = "English (US)",
series = "ICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems",
publisher = "IEEE Computer Society",
pages = "126--138",
booktitle = "Proceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019",

}

TY - GEN

T1 - Defeating denial-of-service attacks in a self-managing N-Variant system

AU - Jones, Jessica

AU - Hiser, Jason D.

AU - Davidson, Jack W.

AU - Forrest, Stephanie

PY - 2019/5/1

Y1 - 2019/5/1

N2 - N-variant systems protect software from attack by executing multiple variants of a single program in parallel, checking regularly that they are behaving consistently. The variants are designed to behave identically during normal operation and differently during an attack. When different behavior (divergence) is detected, N-variant systems self-heal by either rolling back to a safe state or restarting. Unfortunately, an attacker can create a denial-of-service (DoS) attack from a diverging input by using it to force an N-variant system into an endless diverge/restart cycle. This paper describes a defense, CRISPR-Inspired Program Resiliency (Crispy), that automatically protects N-variant systems from such DoS attacks. Crispy mitigates DoS attacks against N-variant systems using an automatic signature generation technique modeled on CRISPR/Cas, the bacterial adaptive immune system. Experiments on two webservers using exploits developed by an independent Red Team showed Crispy protected against 87.5% of DoS attacks with zero false positives. Overhead was minimal and varied according to the number of signatures maintained, which can be tailored to the threat model and performance requirements.

AB - N-variant systems protect software from attack by executing multiple variants of a single program in parallel, checking regularly that they are behaving consistently. The variants are designed to behave identically during normal operation and differently during an attack. When different behavior (divergence) is detected, N-variant systems self-heal by either rolling back to a safe state or restarting. Unfortunately, an attacker can create a denial-of-service (DoS) attack from a diverging input by using it to force an N-variant system into an endless diverge/restart cycle. This paper describes a defense, CRISPR-Inspired Program Resiliency (Crispy), that automatically protects N-variant systems from such DoS attacks. Crispy mitigates DoS attacks against N-variant systems using an automatic signature generation technique modeled on CRISPR/Cas, the bacterial adaptive immune system. Experiments on two webservers using exploits developed by an independent Red Team showed Crispy protected against 87.5% of DoS attacks with zero false positives. Overhead was minimal and varied according to the number of signatures maintained, which can be tailored to the threat model and performance requirements.

KW - adaptive systems

KW - security

KW - software systems

UR - http://www.scopus.com/inward/record.url?scp=85071091713&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85071091713&partnerID=8YFLogxK

U2 - 10.1109/SEAMS.2019.00024

DO - 10.1109/SEAMS.2019.00024

M3 - Conference contribution

AN - SCOPUS:85071091713

T3 - ICSE Workshop on Software Engineering for Adaptive and Self-Managing Systems

SP - 126

EP - 138

BT - Proceedings - 2019 IEEE/ACM 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2019

PB - IEEE Computer Society

ER -