“SieveQ: A Layered BFT Protection System for Critical Services”

From Navigators

Jump to: navigation, search

Miguel Garcia, Nuno Ferreira Neves, Alysson Bessani

IEEE Transactions on Dependable and Secure Computing, Jun. 2016.

accepted for publication.
Abstract: Firewalls play a crucial role in assuring the security of today’s critical infrastructures, forming a first line of defense by being placed strategically at the front-end of the networks. Sometimes, however, they have exploitable weaknesses, allowing an adversary to bypass them in different ways. Therefore, their design should include improved resilience capabilities to allow them to operate correctly in highly adverse environments. This paper proposes SieveQ, a message queue service that protects and regulates the access to critical systems, in a way similar to an application-level firewall. SieveQ achieves fault and intrusion tolerance by employing an architecture based on two filtering layers, enabling efficient removal of invalid messages at early stages and decreasing the costs associated with Byzantine Fault-Tolerant (BFT) replication of previous solutions. Our experimental evaluation shows that SieveQ improves existing replicated-firewalls resilience in the presence of corrupted messages by faulty nodes. Furthermore, it accommodates high loads, as it is able to handle sixteen times more security events per second than what was processed by the SIEM employed in the 2012 Summer Olympic Games.

Download paper

Download SieveQ: A Layered BFT Protection System for Critical Services

Export citation

BibTeX

Project(s): Project:SEGRID, Project:MASSIF

Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)

Personal tools
Navigators toolbox