Malicious- and Accidental-Fault Tolerance for Internet Applications
IST Research Project IST-1999-11583
1 January 2000 - 28 February 2003

Check out a summary of the project, or browse through the original project proposal.

MAFTIA involved experts from 5 countries and 6 organisations. The Industrial Advisory Board provided valuable feedback on the work of the project.

Research was organised into six workpackages.

Find out more about the key scientific results and achievements, and the benefits of this research collaboration.

Conceptual Model and Architecture
WP1 concentrated on the Conceptual Model and Architecture of attack tolerance.

Dependable Middleware
WP2 developed a modular and scalable cryptographic group-oriented middleware suite.

Intrusion Detection
WP3 investigated ways of reducing the high rate of false positives and false negatives in existing Intrusion Detection Systems (IDSs), whilst making the IDS itself intrusion-tolerant.

Trusted Third Parties
WP4 designed a generic architecture for dependable Trusted Third Party (TTP) services based on results from WP2.

Distributed Authorisation
In WP5, we defined a framework for access control and authorisation.

Verification and Assessment
WP6 worked towards the formalisation of the MAFTIA conceptual model.

Intrusion Detection

Intrusion Detection Systems (IDSs) can be seen as necessary building blocks that should help in tolerating attacks. An IDS is expected to raise an alarm when an attack occurs. Unfortunately, existing solutions can fail to deliver that service in two different ways:

  1. They can miss attacks; this is usually referred to as a false negative. There are two main reasons for this to happen: i) by design, the IDS is not able to detect a given attack, or ii) the IDS has been corrupted — or killed — by a malicious user.
  2. They can erroneously detect an attack; this is usually referred to as a false positive. Again, two main reasons can lead to false positives: i) the system detects abnormalities in the use of a system and concludes that they are caused by attacks, which is not always the case, or ii) the system is looking for simplistic traces of attacks that can also potentially — but rarely — be discovered when no attack is taking place.

The goal of our work was to address the lack of dependability of large-scale IDSs. More specifically, we were interested in finding solutions to the well-known problems of the high rate of false positive and false negative alarms generated by existing solutions. It is worth noting that these false alarms can also be due to attacks against the IDS itself, hence the need to design an IDS which is itself tolerant to attacks.

Thus, we studied and evaluated how notions such as fault injection, diversity and distributed reasoning could be used to address the weaknesses of existing IDS solutions. In particular, we assessed the various ways of combining the output of those IDSs to reduce the global rate of false positive/negative alarms. This implies the implementation of some error compensation technique to build a fault-tolerant system of IDSs.

A study of existing IDS techniques showed that in order to detect the introduction or activation of as many intentional faults as possible — i.e., in order to maximise the fault coverage — one has to combine several techniques. Each technique is bound, by design, to generate false positive and negative alarms in some circumstances. We developed this work to characterise the failure modes of the various families of ID techniques, and defined a taxonomy of vulnerabilities to define the fault assumptions that we wanted to deal with. We then used these two results to show how to maximise the fault coverage provided by a system of IDSs and to implement error-compensation mechanisms using correlations between the information coming from the various sources. Finally, we explored ways in which the MAFTIA middleware could be used to build a more intrusion-tolerant IDS.
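One way to realise the error compensation sketched in the two paragraphs above, as an added example that is not MAFTIA's own code or middleware: alerts from several diverse sensors (a network signature IDS, a host anomaly detector and a file-integrity monitor) are clustered by source/target pair and time window, and a cluster is escalated only when it is corroborated by more than one detection family, which absorbs the isolated false positives of any single technique. A heartbeat snapshot is used to notice a sensor that has gone silent (possibly killed, as the list above warns); when fewer than two families are still alive the correlator can no longer compensate and falls back to trusting the surviving sensor, flagging the loss of diversity. The sensor names, family assignments, addresses, timestamps, the 60-second window and the 120-second silence limit are all constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical sensor fleet (constructed): each sensor belongs to one detection family.
SENSORS = {"nids-A": "signature", "hids-B": "anomaly", "fim-C": "integrity"}


@dataclass(frozen=True)
class Alert:
    sensor: str  # sensor that raised the alert (key into SENSORS)
    t: int       # event time in seconds (constructed clock)
    src: str     # source address as reported by the sensor
    dst: str     # target address as reported by the sensor
    name: str    # sensor-specific alert name


# Constructed sample alerts: one corroborated incident at t=100..110, one lone
# signature hit at t=500, and one lone signature hit at t=900.
SAMPLE_ALERTS = [
    Alert("nids-A", 100, "10.0.0.5", "10.0.0.20", "web-exploit-attempt"),
    Alert("hids-B", 104, "10.0.0.5", "10.0.0.20", "unusual-process-spawn"),
    Alert("fim-C", 110, "10.0.0.5", "10.0.0.20", "system-binary-modified"),
    Alert("nids-A", 500, "10.0.0.9", "10.0.0.20", "web-exploit-attempt"),
    Alert("nids-A", 900, "10.0.0.7", "10.0.0.21", "web-exploit-attempt"),
]

# Constructed heartbeat snapshot: last time each sensor reported it was alive.
# fim-C stopped at t=200 and hids-B at t=600, so diversity erodes over time.
SAMPLE_HEARTBEATS = {"nids-A": 950, "hids-B": 600, "fim-C": 200}


def cluster(alerts, window=60):
    """Group alerts on the same (src, dst) pair that fall within `window`
    seconds of the first alert of the current cluster for that pair."""
    clusters = []
    open_by_pair = {}
    for a in sorted(alerts, key=lambda x: x.t):
        pair = (a.src, a.dst)
        cur = open_by_pair.get(pair)
        if cur is None or a.t - cur[0].t > window:
            cur = []
            open_by_pair[pair] = cur
            clusters.append(cur)
        cur.append(a)
    return clusters


def live_sensors(heartbeats, now, max_silence=120):
    """Sensors whose last heartbeat is recent enough at time `now`. A silent
    sensor may have been disabled by an attacker, so its family cannot be
    counted on for corroboration (false-negative risk)."""
    live = set()
    for s in SENSORS:
        last = heartbeats.get(s)
        if last is not None and now - last <= max_silence:
            live.add(s)
    return live


def assess(alerts, heartbeats, window=60, max_silence=120):
    """Error compensation across diverse sensors: escalate a cluster only when
    at least two detection families agree, unless fewer than two families are
    alive, in which case the correlator has to trust the remaining one."""
    verdicts = []
    for c in cluster(alerts, window):
        end = c[-1].t
        live = live_sensors(heartbeats, end, max_silence)
        available = {SENSORS[s] for s in live}       # families able to corroborate
        seen = {SENSORS[a.sensor] for a in c}        # families that actually fired
        required = 2 if len(available) >= 2 else 1   # degraded mode: no corroboration possible
        verdicts.append({
            "pair": (c[0].src, c[0].dst),
            "start": c[0].t,
            "end": end,
            "techniques": sorted(seen),
            "silent_sensors": sorted(set(SENSORS) - live),
            "verdict": "escalate" if len(seen) >= required else "hold",
        })
    return verdicts


if __name__ == "__main__":
    for v in assess(SAMPLE_ALERTS, SAMPLE_HEARTBEATS):
        print(v)
```

The lone signature hit at t=500 is held back because two other families were still alive and neither corroborated it; the identical hit at t=900 is escalated because by then only the signature sensor is alive and holding it would simply convert a possible false positive into a certain false negative. The silent-sensor list in each verdict is what an operator would use to investigate whether the quiet sensors were merely down or had been attacked.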