Qos and Control-theoretic Techniques for Intrusion Tolerance

As we increasingly rely on information systems to support a multitude of critical operations, it becomes more and more important that these systems are able to deliver quality of service, even in the face of intrusions. One common class of cyber-attacks is the flooding of the system’s resources with requests for service. Thus, a reliable information system must be able to adeptly handle a large number of requests efficiently so that legitimate users may still use the system even as illegitimate users are attempting to flood the system. This report examines two host-based resources and presents simulated models of modifications that can be made to these resources to make them capable of handling a number of requests. The two resources examined are a router and a web server. There are two different quality of service models presented for the router. The first model implements a router with a feedback control loop that monitors the instantaneous quality of service guarantee and adjusts the router’s admission control of new requests accordingly. This model is compared to the basic router model that represents the typical configuration currently in use. The resulting comparison indicates that the feedback control loop is an improvement on the existing basic router. It decreases the time-in-system for data packets, and reduces packet loss, but does not fully utilize its bandwidth as well as a basic router with over-characterization. The second router model suggests a new approach of queuing new requests for service. This approach is called Adjusted Weighted Shortest Processing Time and queues data packets according to a weight, which is dependent on their initial priority weight and the amount of time they have awaited service. The new approach is compared to two other queuing disciplines – Weighted Shortest Processing Time and First-Come First-Serve. We present data that indicate that the Adjusted Weighted Shortest Processing Time discipline improves the high time-in-system variance that exists in the Weighted Shortest Processing Time discipline, but it does not fairly allocate resources to both high and low priority data packets. For the web server, six queuing disciplines are simulated and analyzed for their efficiency in delivering quality of service. These disciplines are Best Effort, Differentiated Services, Apparent Tardiness Cost, Earliest Due Date, Weighted Shortest Processing Time, and Weighted Only. These disciplines are compared on the basis of selected quality of service measurements, including lateness, drop rate, time-in-system, and throughput. We find that there is not necessarily one best queuing rule to follow; the appropriate discipline selection depends on the needs of that web server.