Accountability for grid computing systems
Accountability is an important security property of distributed systems. It assures that every action executed in the system can be traced back to some entity. Accountability is even more crucial for assuring the safety and security in grid computing systems. Grid computing systems provide a vast amount of computing resources such as computing power, data storage, and network bandwidth. However, to date no comprehensive approach to accountability exists for the increasingly complex grid environments, wherein the number of users and the types of resources are large, diverse, and heterogeneous. Our work addresses this inadequacy by developing a comprehensive accountability system driven by policies and supported by accountability agents. In this thesis, we first discuss the key elements of our accountability framework and types of accountability data obtained in two strategies. We introduce accountability policy that specifies which data to collect and when to collect them, and more importantly how to coordinate data collection among different administrative domains. We then show that the proposed strategies can be realized upon accountability policy by sharing it among accountability agents. ^ In order to guarantee full accountability without conflicts when the policy is shared, the enforced accountability policies should be adapted based on the different risk levels of jobs and the different significance levels of a node. The support of flexible policies helps protect grid computing systems against malicious jobs, by increasing the level of accountability. To enable support of adaptable accountability policies, we propose a profile-based policy selection mechanism. This mechanism uses profiles of each job and node and considers node's capability to determine the level of accountability policy for the job and the node. We show how this mechanism can adapt the accountability policies, while at the same time achieving at least a minimum level of accountability. ^ Accountability data collected by the accountability agents according to the flexible accountability policies provides a basis for analyzing resource usage and finding bottlenecks and detecting security breaches. Additionally, data concerning user activities and actions enables mechanisms for timely identifying malicious users of faulty nodes and helping administrators to take proper defensive actions. In this thesis, we show how accountability data can be used to detect distributed denial of service attacks performed by exploiting resources made available by grid systems to suspend mission-critical websites or the grid itself and then to protect systems from these attacks. We present two approaches for protecting against attacks targeting sites outside or inside the grid. ^ In the thesis, we also describe a fully operational implementation of our accountability system and report the results from extensive experimental evaluations of it. Our experiments, carried out using the Emulab  test-bed, demonstrate that the implemented system is efficient and scalable for grid systems consisting of large numbers of resources and users. In addition, our experiments show that our system efficiently detects the distributed denial of service attacks and is effective in protecting the normal jobs.^
Elisa Bertino, Purdue University.
Engineering, Computer|Computer Science