Towards Autonomic Mode Control of a Scalable Intrusion Tolerant Architecture

Tadashi DOHI and Toshikazu UEMURA
Department of Information Engineering, Graduate School of Engineering
Hiroshima University, 1-4-1 Kagamiyama, Higashi-Hiroshima, 739-8527, Japan
E-mail: dohi@rel.hiroshima-u.ac.jp

Abstract. In this article we consider an intrusion tolerant system with two detection modes for intrusions, an automatic detection mode and a manual detection mode, and describe its dynamic transition behavior by a continuous-time semi-Markov chain (CTSMC). Based on the embedded Markov chain (EMC) approach, we derive the steady-state probability of the CTSMC, the steady-state system availability and the mean time to security failure (MTTSF). In particular, we show necessary and sufficient conditions for the existence of the optimal switching time from the automatic detection mode to the manual detection mode, which maximizes the steady-state system availability. Next, we develop an autonomic mode control scheme that estimates the optimal switching time adaptively, without specifying any probability distribution function; the basic idea comes from a statistical non-parametric algorithm based on the total time on test concept. Numerical examples from a simulation study are presented to illustrate the optimal switching of the detection mode and to investigate the asymptotic property of the resulting autonomic mode control scheme.

Key words: autonomic control, intrusion tolerance, SITAR, system availability, MTTSF, CTSMC, EMC approach, statistical estimation, non-parametric algorithm, adaptive optimization.

1 Introduction

Traditional security approaches, which may be categorized as intrusion detection approaches, establish proactive barriers such as a firewall; unfortunately, a single barrier is still not effective enough to prevent attacks that use sophisticated new skills of malicious attackers.
As a result, the number of network attack incidents continues to increase tremendously. In contrast to pursuing a perfect barrier unit, which is nearly impossible, the concept of intrusion tolerance has become very popular in recent years. An intrusion tolerant system can avoid severe security failures caused by intrusion and/or attack, and can provide intended services to users in a timely manner even under attack. This is inspired by traditional techniques commonly used for tolerating accidental faults in hardware and/or software systems, and can provide system dependability, which is defined as a property of a computer-based system such that reliance can justifiably be placed on the service it delivers [1]. Most efforts in security have been focused on specification, design and implementation issues. In fact, several