Malicious- and Accidental-Fault Tolerance for Internet Applications
IST Research Project IST-
1 January 2000 - 28 February 2003
Overall Goals

MAFTIA investigated the dependability of distributed applications for very large and heterogeneous user populations, such as Internet-based supply-chain management, auctioning in electronic commerce, and the IT infrastructure of large companies and administrations. We were primarily interested in systems that are very privacy- or security-demanding. Such systems should ideally remain operational, providing the correct, intended service and protecting all confidential information from unauthorised access, in spite of malicious faults as well as accidental faults. Coping with accidental faults, especially operational hardware faults, is a relatively well-understood problem. However, the problems of repairing the effects of attacks, and of finding means of resuming proper operation, are typically dealt with manually by system administrators. Coping with such attacks automatically is a relatively new and very challenging requirement.
Such an approach, which we call "intrusion tolerance", contrasts with the more usual security paradigm of preventing attacks from leading to intrusions at all. For example, most systems using a public-key infrastructure (PKI) put all trust in one single trusted third party (TTP), and if this party fails then security can no longer be guaranteed. Similarly, most work on classical access control assumes a single trustworthy administrative authority, an assumption that is infeasible in a large-scale heterogeneous environment of mutual mistrust such as the Internet. Finally, intrusion detection systems rarely consider the possibility of insider attacks. These examples show that the existing paradigm is not sufficient: it is too complex and too expensive to aim at avoiding all damage to the system.