research-article

Architecture-based self-protection: composing and reasoning about denial-of-service mitigations

Authors:

Bradley Schmerl,

Javier Cámara,

Jeffrey Gennari,

Paulo Casanova,

Gabriel A. Moreno,

Thomas J. Glazier,

Jeffrey M. BarnesAuthors Info & Claims

HotSoS '14: Proceedings of the 2014 Symposium and Bootcamp on the Science of Security

Article No.: 2, Pages 1 - 12

https://doi.org/10.1145/2600176.2600181

Published: 08 April 2014 Publication History

Abstract

Security features are often hardwired into software applications, making it difficult to adapt security responses to reflect changes in runtime context and new attacks. In prior work, we proposed the idea of architecture-based self-protection as a way of separating adaptation logic from application logic and providing a global perspective for reasoning about security adaptations in the context of other business goals. In this paper, we present an approach, based on this idea, for combating denial-of-service (DoS) attacks. Our approach allows DoS-related tactics to be composed into more sophisticated mitigation strategies that encapsulate possible responses to a security problem. Then, utility-based reasoning can be used to consider different business contexts and qualities. We describe how this approach forms the underpinnings of a scientific approach to self-protection, allowing us to reason about how to make the best choice of mitigation at runtime. Moreover, we also show how formal analysis can be used to determine whether the mitigations cover the range of conditions the system is likely to encounter, and the effect of mitigations on other quality attributes of the system. We evaluate the approach using the Rainbow self-adaptive framework and show how Rainbow chooses DoS mitigation tactics that are sensitive to different business contexts.

References

[1]

S. Andova, H. Hermanns, and J.-P. Katoen. Discrete-time rewards model-checked. In FORMATS, volume 2791 of Lecture Notes in Computer Science, pages 88--104. Springer, 2003.

[2]

M. Atighetchi, P. Pal, F. Webber, R. Schantz, C. Jones, and J. Loyall. Adaptive cyberdefense for survival and intrusion tolerance. IEEE Internet Computing, 8(6):25--33, 2004.

Digital Library

[3]

C. Baier and J.-P. Katoen. Principles of Model Checking. MIT Press, 2008.

Digital Library

[4]

C. Barna, M. Shtern, M. Smit, V. Tzerpos, and M. Litoiu. Model-based adaptive dos attack mitigation. In Software Engineering for Adaptive and Self-Managing Systems (SEAMS), 2012 ICSE Workshop on, pages 119--128, 2012.

[5]

J. Cámara, P. Correia, R. de Lemos, D. Garlan, P. Gomes, B. Schmerl, and R. Ventura. Evolving an adaptive industrial software system to use architecture-based self-adaptation. In Proceedings of the 8th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, 20-21 May 2013.

Digital Library

[6]

S.-W. Cheng. Rainbow: Cost-Effective Software Architecture-Based Self-Adaptation. PhD thesis, Carnegie Mellon University, May 2008. Institute for Software Research Technical Report CMU-ISR-08-113.

Digital Library

[7]

S.-W. Cheng and D. Garlan. Stitch: A language for architecture-based self-adaptation. Journal of Systems and Software, Special Issue on State of the Art in Self-Adaptive Systems, 85(12), December 2012.

Digital Library

[8]

S.-W. Cheng, D. Garlan, and B. Schmerl. Making self-adaptation an engineering reality. In O. Babaoghu, M. Jelasity, A. Montroser, C. Fetzer, S. Leonardi, and A. Van Moorsel, editors, Proceedings of the Conference on Self-Star Properties in Complex Information Systems, volume 3460 of LNCS. Springer-Verlag, 2005.

Digital Library

[9]

S.-W. Cheng, D. Garlan, and B. Schmerl. Architecture-based self-adaptation in the presence of multiple objectives. In ICSE 2006 Workshop on Software Engineering for Adaptive and Self-Managing Systems (SEAMS), Shanghai, China, 21-22 May 2006.

Digital Library

[10]

B. Claudel, N. Palma, R. Lachaize, and D. Hagimont. Self-protection for distributed component-based applications. In A. Datta and M. Gradinariu, editors, Stabilization, Safety, and Security of Distributed Systems, volume 4280 of Lecture Notes in Computer Science, pages 184--198. Springer Berlin Heidelberg, 2006.

Digital Library

[11]

E. M. Dashofy, A. van der Hoek, and R. N. Taylor. Towards architecture-based self-healing systems. In Proceedings of the First Workshop on Self-healing Systems, WOSS '02, pages 21--26, New York, NY, USA, 2002. ACM.

Digital Library

[12]

E. W. Dijkstra. Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM, 18(8):453--457, Aug. 1975.

Digital Library

[13]

P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. RFC 2267 (Informational), January 1998. Obsoleted by RFC 2827.

Digital Library

[14]

P. C. Fishburn. Utility Theory for Decision Making. John Wiley & Sons, Inc., 1970.

[15]

D. Garlan, S.-W. Cheng, A.-C. Huang, B. Schmerl, and P. Steenkiste. Rainbow: architecture-based self-adaptation with reusable infrastructure. Computer, 37(10):46--54, 2004.

Digital Library

[16]

M. Glenn. A summary of DoS/DDoS prevention, monitoring and mitigation techniques in a service provider environment. Posted on the SANS Institute Reading Room site, August 2003.

[17]

M. Handley and E. Rescorla. RFC 4732: DoS Considerations. Internet Engineering Task Force, Nov. 2006.

[18]

J. Kephart and D. Chess. The vision of autonomic computing. Computer, 36(1):41--50, 2003.

Digital Library

[19]

M. Kwiatkowska, G. Norman, and D. Parker. PRISM 4.0: Verification of probabilistic real-time systems. In G. Gopalakrishnan and S. Qadeer, editors, Proc. 23rd International Conference on Computer Aided Verification (CAV'11), volume 6806 of LNCS, pages 585--591. Springer, 2011.

Digital Library

[20]

J. Magee, N. Dulay, S. Eisenbach, and J. Kramer. Specifying distributed software architectures. In W. Schäfer and P. Botella, editors, Software Engineering --- ESEC '95, volume 989 of Lecture Notes in Computer Science, pages 137--153. Springer Berlin Heidelberg, 1995.

Digital Library

[21]

W. G. Morein, A. Stavrou, D. L. Cook, A. D. Keromytis, V. Misra, and D. Rubenstein. Using graphic turing tests to counter automated DDoS attacks against web servers. In In: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS, 2003.

Digital Library

[22]

A. Nagarajan, Q. Nguyen, R. Banks, and A. Sood. Combining intrusion detection and recovery for enhancing system dependability. In Dependable Systems and Networks Workshops (DSN-W), 2011 IEEE/IFIP 41st International Conference on, pages 25--30, 2011.

Digital Library

[23]

D. North. A tutorial introduction to decision theory. Systems Science and Cybernetics, IEEE Transactions on, 4(3):200--210, 1968.

[24]

P. Oreizy, M. Gorlick, R. Taylor, D. Heimhigner, G. Johnson, N. Medvidovic, A. Quilici, D. Rosenblum, and A. Wolf. An architecture-based approach to self-adaptive software. Intelligent Systems and their Applications, IEEE, 14(3):54--62, 1999.

Digital Library

[25]

D. Philips. Secureimage: PHP CAPTCHA. http://www.phpcaptcha.org/, 2012. Retrieved March 21, 2014.

[26]

RSnake. Slowloris HTTP DoS. http://ha.ckers.org/slowloris, 2014. Retrieved March 21, 2014.

[27]

H. Seo and T. Cho. Modeling and simulation for detecting a distributed denial of service attack. In B. McKay and J. Slaney, editors, AI 2002: Advances in Artificial Intelligence, volume 2557 of Lecture Notes in Computer Science, pages 179--190. Springer Berlin Heidelberg, 2002.

Digital Library

[28]

M. Shaw and D. Garlan. Software Architecture: Perspectives on an Emerging Discipline. Prentice Hall, Apr. 1996.

Digital Library

[29]

The Apache Foundation. Apache JMeter^#8482;. http://jmeter.apache.org/, 2013. Retrieved March 21, 2014.

[30]

The Apache Foundation. Apache Module mod_proxy. http://httpd.apache.org/docs/2.2/mod/mod_proxy.html, 2014. Retrieved March 21, 2014.

[31]

Trustwave. modsecurity: Open source web application firewall. http://www.modsecurity.org/, 2013. Retrieved March 21, 2014.

[32]

L. von Ahn, M. Blum, N. J. Hopper, and J. Langford. CAPTCHA: Using hard AI problems for security. In Eurocrypt, pages 294--311. Springer-Verlag, 2003.

Digital Library

[33]

C.-F. Yu and V. D. Gligor. A specification and verification method for preventing denial of service. IEEE Transactions on Software Engineering, 16(6):581--592, June 1990.

Digital Library

[34]

E. Yuan, N. Esfahani, and S. Malek. A systematic survey of self-protecting software systems. ACM Transactions on Autonomous and Adaptive Systems, 8(4), January 2014.

Digital Library

[35]

E. Yuan, S. Malek, B. Schmerl, D. Garlan, and J. Gennari. Architecture-based self-protecting software systems. In Proceedings of the Ninth International ACM Sigsoft Conference on the Quality of Software Architectures (QoSA 2013), 17-21 June 2013.

Digital Library

[36]

S. Zonouz, H. Khurana, W. Sanders, and T. Yardley. RRE: A game-theoretic intrusion response and recovery engine. In Dependable Systems Networks, 2009. DSN '09. IEEE/IFIP International Conference on, pages 439--448, June 2009.

Cited By

Chehida SRutten EGiraud GMocanu S(2024)A model-based approach for self-adaptive security in CPSJournal of Systems Architecture: the EUROMICRO Journal10.1016/j.sysarc.2024.103118150:COnline publication date: 1-May-2024
https://dl.acm.org/doi/10.1016/j.sysarc.2024.103118
Jézéquel JVallecillo A(2023)Uncertainty-aware Simulation of Adaptive SystemsACM Transactions on Modeling and Computer Simulation10.1145/358951733:3(1-19)Online publication date: 13-May-2023
https://dl.acm.org/doi/10.1145/3589517
Skandylas CKhakpour NCámara J(2022)Security Countermeasure Selection for Component-Based Software-Intensive Systems2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS57517.2022.00017(63-72)Online publication date: Dec-2022
https://doi.org/10.1109/QRS57517.2022.00017
Show More Cited By

Index Terms

Architecture-based self-protection: composing and reasoning about denial-of-service mitigations
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification
  2. Software organization and properties
    1. Software functional properties
      1. Formal methods

Recommendations

Proactive self-adaptation under uncertainty: a probabilistic model checking approach
ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering

Self-adaptive systems tend to be reactive and myopic, adapting in response to changes without anticipating what the subsequent adaptation needs will be. Adapting reactively can result in inefficiencies due to the system performing a suboptimal sequence ...
Self-protection against business logic vulnerabilities
SEAMS '20: Proceedings of the IEEE/ACM 15th International Symposium on Software Engineering for Adaptive and Self-Managing Systems

Attacks against business logic rules occur when the attacker exploits the domain rules in a malicious way. Such attacks have not received sufficient attention in research so far. In this paper, we propose a novel self-protecting approach that defends a ...
Detecting SYN flooding attacks based on traffic prediction

SYN flooding attacks are a common type of distributed denial-of-service attacks. Up to now, many defense schemes have been proposed against SYN flooding attacks. Traditional defense schemes rely on passively sniffing an attacking signature and are ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

HotSoS '14: Proceedings of the 2014 Symposium and Bootcamp on the Science of Security

April 2014

184 pages

ISBN:9781450329071

DOI:10.1145/2600176

General Chair:
Laurie A. Williams
North Carolina State University
,
Program Chairs:
David M. Nicol
University of Illinois, Urbana-Champaign
,
Munindar P. Singh
North Carolina State University

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

No. Carolina State Univeresity: North Carolina State University

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 April 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

HotSoS '14

Sponsor:

No. Carolina State Univeresity

HotSoS '14: Symposium and Bootcamp on the Science of Security

April 8 - 9, 2014

North Carolina, Raleigh, USA

Acceptance Rates

HotSoS '14 Paper Acceptance Rate 12 of 21 submissions, 57%;

Overall Acceptance Rate 34 of 60 submissions, 57%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

30
Total Citations
View Citations
323
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Chehida SRutten EGiraud GMocanu S(2024)A model-based approach for self-adaptive security in CPSJournal of Systems Architecture: the EUROMICRO Journal10.1016/j.sysarc.2024.103118150:COnline publication date: 1-May-2024
https://dl.acm.org/doi/10.1016/j.sysarc.2024.103118
Jézéquel JVallecillo A(2023)Uncertainty-aware Simulation of Adaptive SystemsACM Transactions on Modeling and Computer Simulation10.1145/358951733:3(1-19)Online publication date: 13-May-2023
https://dl.acm.org/doi/10.1145/3589517
Skandylas CKhakpour NCámara J(2022)Security Countermeasure Selection for Component-Based Software-Intensive Systems2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS57517.2022.00017(63-72)Online publication date: Dec-2022
https://doi.org/10.1109/QRS57517.2022.00017
Lee ESeo YKim Y(2022)Self-Adaptive Framework With Master–Slave Architecture for Internet of ThingsIEEE Internet of Things Journal10.1109/JIOT.2022.31505989:17(16472-16493)Online publication date: 1-Sep-2022
https://doi.org/10.1109/JIOT.2022.3150598
Boyapati SSzabo C(2022)Self-adaptation in Microservice Architectures: A Case Study2022 26th International Conference on Engineering of Complex Computer Systems (ICECCS)10.1109/ICECCS54210.2022.00014(42-51)Online publication date: Mar-2022
https://doi.org/10.1109/ICECCS54210.2022.00014
Reynvoet MGheibi OQuin FWeyns D(2022)Detecting and Mitigating Jamming Attacks in IoT Networks Using Self-Adaptation2022 IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C)10.1109/ACSOSC56246.2022.00019(7-12)Online publication date: Sep-2022
https://doi.org/10.1109/ACSOSC56246.2022.00019
Cámara JTroya JVallecillo ABencomo NCalinescu RCheng BGarlan DSchmerl B(2022)The uncertainty interaction problem in self-adaptive systemsSoftware and Systems Modeling10.1007/s10270-022-01037-621:4(1277-1294)Online publication date: 17-Aug-2022
https://doi.org/10.1007/s10270-022-01037-6
Skandylas CKhakpour NAndersson J(2021)AT-DIFC+: Toward Adaptive and Trust-Aware Decentralized Information Flow ControlACM Transactions on Autonomous and Adaptive Systems10.1145/348729215:4(1-35)Online publication date: 20-Dec-2021
https://dl.acm.org/doi/10.1145/3487292
Skandylas CKhakpour N(2021)Design and Implementation of Self-Protecting systems: A Formal ApproachFuture Generation Computer Systems10.1016/j.future.2020.09.005115(421-437)Online publication date: Feb-2021
https://doi.org/10.1016/j.future.2020.09.005
Singh ILee S(2021)Self-adaptive and secure mechanism for IoT based multimedia services: a surveyMultimedia Tools and Applications10.1007/s11042-020-10493-581:19(26685-26720)Online publication date: 27-Jan-2021
https://doi.org/10.1007/s11042-020-10493-5
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents