Author: F. C. Osorio
Venue: 2007 IEEE International Performance, Computing, and Communications Conference
Publication date: 2007-04-11
DOI: 10.1109/PCCC.2007.358936 (https://doi.org/10.1109/PCCC.2007.358936)
Citation count: 12 (Semantic Scholar)
Using Byzantine Agreement in the Design Of IPS Systems
Intrusion detection, prevention and countermeasure systems (IPS) and architectures commonly used in commercial as well as research environments suffer from a number of problems that limit their effectiveness. The most common shortcoming of current IPSs is their inability to survive failures, whether caused by ordinary faults or by a deliberate malicious attack. The Wireless System Security Research Laboratory (WSSRL) attempts to correct this situation by developing a secure architecture and fault-resilient engine (SAFE), a system capable of tolerating such failures. This system makes use of solutions to the Byzantine generals problem developed earlier by Lamport, Shostak, and Pease. Byzantine agreement protocols are used to reach consensus about which nodes have been compromised or have failed, through a series of synchronized, secure rounds of message exchange. Once consensus has been reached, the offending nodes can be isolated and countermeasure actions can be initiated by the system. In this manuscript, we investigate the necessary and sufficient conditions for applying Byzantine agreement protocols to the intrusion detection problem. A first implementation of this algorithm, embedded in the distributed trust manager (DTM) module of SAFE, is also discussed. The algorithms are evaluated in terms of performance (i.e., time to reach a decision) and ability to detect attacks.
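The abstract describes the mechanism only in outline: sensor nodes exchange verdicts in synchronized rounds, run a Byzantine agreement protocol over them, and isolate the nodes the honest majority agrees on. The following is an added example, not the paper's SAFE/DTM code, showing the classical oral-messages algorithm OM(m) of Lamport, Shostak and Pease applied to that decision. Node identifiers, the SUSPICIOUS/CLEAN verdict values, the local verdicts and the `split_vote` attacker (a compromised node that tells even-numbered peers one thing and odd-numbered peers the other) are all constructed for the illustration. The point it makes is the one the abstract relies on: without agreement, a lying node can leave honest sensors with inconsistent isolation decisions; with OM(1) and n = 4 ≥ 3·1 + 1 nodes, every honest sensor reaches the same decision, and with n = 3 the guarantee is lost.

```python
"""Byzantine agreement over IDS verdicts with the oral-messages algorithm OM(m)
(Lamport, Shostak, Pease). Hypothetical illustration, not the paper's DTM code."""
from collections import Counter
from typing import Callable, Dict, List

SUSPICIOUS, CLEAN = "SUSPICIOUS", "CLEAN"
DEFAULT = CLEAN  # value substituted when no usable message arrives (LSP's default)

# behaviour[node](receiver, value) -> the value that node actually puts on the wire
Behaviour = Dict[int, Callable[[int, str], str]]


def honest(receiver: int, value: str) -> str:
    return value  # faithful relay


def split_vote(receiver: int, value: str) -> str:
    # Constructed attacker: ignores the truth and tells even-numbered peers
    # SUSPICIOUS and odd-numbered peers CLEAN, trying to split the cluster.
    return SUSPICIOUS if receiver % 2 == 0 else CLEAN


def majority(values: List[str]) -> str:
    """Strict majority; a tie (or no values) falls back to DEFAULT."""
    top = Counter(values).most_common()
    if not top or (len(top) > 1 and top[0][1] == top[1][1]):
        return DEFAULT
    return top[0][0]


def om(m: int, commander: int, lieutenants: List[int], value: str,
       behaviour: Behaviour) -> Dict[int, str]:
    """OM(m): for every lieutenant, the value it decides the commander sent.
    Correct for up to m traitors when the total node count exceeds 3*m."""
    received = {l: behaviour[commander](l, value) for l in lieutenants}  # round 1
    if m == 0:
        return received
    # round 2: each lieutenant j re-broadcasts what it received, via OM(m-1)
    relayed = {j: om(m - 1, j, [l for l in lieutenants if l != j], received[j], behaviour)
               for j in lieutenants}
    return {i: majority([received[i]] + [relayed[j][i] for j in lieutenants if j != i])
            for i in lieutenants}


def naive_vote(verdicts: Dict[int, str], behaviour: Behaviour) -> Dict[int, str]:
    """No agreement: each node tallies only the verdicts it hears directly."""
    nodes = sorted(verdicts)
    return {i: majority([verdicts[i]] + [behaviour[c](i, verdicts[c]) for c in nodes if c != i])
            for i in nodes}


def agree_on_isolation(verdicts: Dict[int, str], behaviour: Behaviour, m: int) -> Dict[int, str]:
    """Interactive consistency: every node acts as commander for its own local
    verdict, so all honest nodes end up with the same verdict vector and the
    same majority decision. Returns each node's final decision."""
    nodes = sorted(verdicts)
    vectors: Dict[int, Dict[int, str]] = {i: {} for i in nodes}
    for c in nodes:
        others = [n for n in nodes if n != c]
        decided = om(m, c, others, verdicts[c], behaviour)
        vectors[c][c] = verdicts[c]
        for i in others:
            vectors[i][c] = decided[i]
    return {i: majority([vectors[i][c] for c in nodes]) for i in nodes}


def ic2_holds(verdicts: Dict[int, str], behaviour: Behaviour, m: int) -> bool:
    """LSP condition IC2: whenever the commander is honest, every honest
    lieutenant decides the commander's actual value."""
    nodes = sorted(verdicts)
    for c in nodes:
        if behaviour[c] is not honest:
            continue
        others = [n for n in nodes if n != c]
        decided = om(m, c, others, verdicts[c], behaviour)
        if any(decided[i] != verdicts[c] for i in others if behaviour[i] is honest):
            return False
    return True


if __name__ == "__main__":
    # Constructed scenario: four sensors judge node 3; node 3 is the compromised one.
    verdicts = {0: SUSPICIOUS, 1: SUSPICIOUS, 2: CLEAN, 3: CLEAN}
    behaviour = {0: honest, 1: honest, 2: honest, 3: split_vote}
    print("naive :", naive_vote(verdicts, behaviour))          # honest nodes disagree
    print("OM(1) :", agree_on_isolation(verdicts, behaviour, 1))  # honest nodes all isolate 3
    print("n=4 IC2:", ic2_holds(verdicts, behaviour, 1))
    print("n=3 IC2:", ic2_holds({0: SUSPICIOUS, 1: SUSPICIOUS, 2: CLEAN},
                                {0: honest, 1: honest, 2: split_vote}, 1))
```

In the four-node run the naive tally leaves node 1 with a 2-2 tie and no isolation while nodes 0 and 2 isolate, which is exactly the split-brain state the paper's design is meant to avoid; after OM(1) the three honest nodes all decide SUSPICIOUS for node 3. The three-node run shows why the paper needs to establish conditions before applying the protocol: with one traitor among three nodes an honest lieutenant can be driven away from an honest commander's value, so n > 3m is not optional.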