There is a newer version of the record available.

Published December 5, 2023 | Version v2
Dataset Open

Supplementary Material for "Intrusion Tolerance for Networked Systems Through Two-Level Feedback Control"

  • 1. KTH Royal Institute of Technology

Description

Supplementary material for the paper "Intrusion Tolerance for Networked Systems Through Two-Level Feedback Control" 

The paper is submitted to "International Conference on Dependable Systems and Networks, 2024". Author names withheld for double-blind reviewing.

  • The file proofs_and_hyperparameters.pdf contains proofs of Theorems 1-2 and Corollary 1 in the paper. It also includes formulas for computing the belief state (Eq. 4) and the curves in Fig. 6, as well as a complete list of the hyperparameters used for all experiments detailed in the paper.
  • The file ids_alerts_statistics.json contains the statistics used to produce Fig. 10 in the paper and to define the parameter Z for the experiments in section VIII.
    • The JSON file contains a single object with the following keys: 'conditionals_counts', 'conditionals_kl_divergences', 'conditionals_probs', 'conditions', 'descr', 'emulation_name', 'id', 'initial_distributions_counts', 'initial_distributions_probs', 'initial_maxs', 'initial_means', 'initial_mins', 'initial_stds', 'maxs', 'means', 'metrics', 'mins', 'num_conditions', 'num_measurements', 'num_metrics', 'stds'. 
    • The key "conditionals_counts" leads to another object with the following keys: 'A:CVE-2010-0426 exploit_D:Continue_M:[]', 'A:CVE-2015-3306 exploit_D:Continue_M:[]', 'A:CVE-2015-5602 exploit_D:Continue_M:[]', 'A:CVE-2016-10033 exploit_D:Continue_M:[]', 'A:Continue_D:Continue_M:[]', 'A:DVWA SQL Injection Exploit_D:Continue_M:[]', 'A:FTP dictionary attack for username=pw_D:Continue_M:[]', 'A:Ping Scan_D:Continue_M:[]', 'A:SSH dictionary attack for username=pw_D:Continue_M:[]', 'A:Sambacry Explolit_D:Continue_M:[]', 'A:ShellShock Explolit_D:Continue_M:[]', 'A:TCP SYN (Stealth) Scan_D:Continue_M:[]', 'A:Telnet dictionary attack for username=pw_D:Continue_M:[]', 'intrusion', 'no_intrusion'
    • The above keys correspond to different types of intrusions, see Table 6 in the paper.
    • Each of the keys listed above leads to a new object with 1551 keys, which correspond to the different types of metrics collected from the infrastructure. The metric used to produce Fig. 10 in the paper is called "alerts_weighted_by_priority". This key leads to another object where the keys correspond to the number of alerts weighted by priority and the values correspond to the measurements from the system.
  • The file intrusion_traces.zip contains 6400 intrusion traces. Each trace contains a list of attacker actions and the corresponding measurements from the system. When unzipped, it is a directory with 64 files which take up 1500GB. Each file contains 100 traces in JSON format.
  • The file source_code_and_docker_files.zip contains the source code and the docker containers used for the experiments. It is a system we have developed over 3 years. It includes 225,000 lines of Python, 40,000 lines of JavaScript, 3000 lines of Dockerfiles, 2500 lines of Makefile, and 1800 lines of Bash. When unzipped, one can find documentation about the source code in a file called "documentation.pdf" and in the README file.
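
The nested layout of ids_alerts_statistics.json described above can be read as follows. This is an added example, not code from the paper or its source archive: it assumes that each value under "alerts_weighted_by_priority" is the number of measurements observed at that alert level, and the sample data, function names and smoothing constant are constructed for illustration.

```python
import json
import math

METRIC = "alerts_weighted_by_priority"

# Constructed sample shaped like the record's description (not real data).
# Assumption: key = weighted alert count, value = number of measurements.
SAMPLE = json.loads("""
{"conditionals_counts": {
  "intrusion":    {"alerts_weighted_by_priority": {"0": 5, "10": 15, "20": 30, "30": 50}},
  "no_intrusion": {"alerts_weighted_by_priority": {"0": 70, "10": 20, "20": 10}}
}}
""")


def empirical_distribution(stats, condition, metric=METRIC):
    """Normalize one condition's histogram into probabilities per alert level."""
    try:
        counts = stats["conditionals_counts"][condition][metric]
    except KeyError as exc:
        raise KeyError(f"missing key {exc} while reading {condition!r}") from None
    total = sum(counts.values())
    if total <= 0:
        raise ValueError(f"no measurements recorded for {condition!r}")
    # JSON object keys are always strings; convert them to numeric alert levels.
    return {float(k): v / total for k, v in counts.items()}


def kl_divergence(p, q, support, eps=1e-9):
    """KL(p || q) on a shared support; eps smoothing keeps unseen levels finite."""
    ps = [p.get(x, 0.0) + eps for x in support]
    qs = [q.get(x, 0.0) + eps for x in support]
    zp, zq = sum(ps), sum(qs)
    return sum((a / zp) * math.log((a / zp) / (b / zq)) for a, b in zip(ps, qs))


def compare_conditions(stats):
    """Return both alert distributions and how far intrusion is from baseline."""
    p = empirical_distribution(stats, "intrusion")
    q = empirical_distribution(stats, "no_intrusion")
    support = sorted(set(p) | set(q))
    return p, q, kl_divergence(p, q, support)


if __name__ == "__main__":
    p, q, kl = compare_conditions(SAMPLE)
    for level in sorted(set(p) | set(q)):
        print(f"{level:6.0f}  intrusion={p.get(level, 0):.2f}  baseline={q.get(level, 0):.2f}")
    print(f"KL(intrusion || no_intrusion) = {kl:.3f}")
```

To run it on the real file, replace SAMPLE with the result of json.load on ids_alerts_statistics.json; the per-attack keys listed above can be passed as the condition argument in the same way.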

Files

proofs_and_hyperparameters.pdf

Files (38.9 GB)

Checksum Size
md5:7513811bd3ab4cde24e4e87bfe06d2b0 39.3 MB
md5:b0b7be58eb23192d1c92938240685e80 38.5 GB
md5:f1214cf316e2d926db55408f89e1cfbc 623.2 kB
md5:9a9af672ddd993ef1bd76f0af5b2c9b1 338.1 MB