Assessment of Server State via Inter-Clone Differences

2016 
On the global internet, it is impossible to predict future challenges in server security. A publicly available server must perform its service and at the same time resist malicious intrusions and break-in attempts. This short paper examines a scenario in which two cloned servers run in parallel in order to detect previously unknown, novel attacks. One server is internet-exposed; the other runs in a separate, protected network. A selection of system events is recorded on both, and a subsequent analysis step compares and correlates the streams of events produced by each server. If the exposed server behaves in a unique way in comparison to its protected clone, this may be a sign of a successful intrusion. In practice, the task of event comparison is non-trivial. This short paper explores the obstacles and challenges, and develops a restricted scenario for practical implementation and evaluation. Initial prototype results suggest the viability of the presented approach.
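The comparison step described in the abstract can be sketched as follows. This is an added example, not code from the paper: the event format, the normalization rules and the function names are assumptions, since the abstract does not specify them. It shows why comparison is non-trivial: timestamps, PIDs and temporary file names differ between clones even when both behave identically, so they must be normalized before events unique to the exposed server can be isolated.

```python
import re

# Constructed sample events; assumed format: "<epoch> <pid> <event> <detail>".
PROTECTED = """\
1460000000 812 exec /usr/sbin/nginx
1460000001 812 open /etc/nginx/nginx.conf
1460000002 815 open /var/www/index.html
1460000003 815 open /tmp/sess_a1b2
"""
EXPOSED = """\
1460000003 4021 exec /usr/sbin/nginx
1460000004 4021 open /etc/nginx/nginx.conf
1460000009 4030 open /var/www/index.html
1460000010 4030 open /tmp/sess_9f3c
1460000011 4030 open /var/www/index.html
1460000012 4030 exec /bin/sh
1460000013 4044 open /etc/shadow
"""

def normalize(line):
    """Drop fields that legitimately differ between clones."""
    _ts, _pid, event, detail = line.split(maxsplit=3)
    # Per-instance temp names are collapsed so they compare equal (assumed rule).
    detail = re.sub(r"/tmp/[^/\s]+", "/tmp/<tmp>", detail.strip())
    return (event, detail)

def profile(stream):
    """Set of normalized events; counts are ignored because the exposed
    server sees different request volume than its protected clone."""
    return {normalize(l) for l in stream.splitlines() if l.strip()}

def unique_to_exposed(exposed, protected):
    """Events the exposed server produced that its clone never did."""
    return sorted(profile(exposed) - profile(protected))

if __name__ == "__main__":
    for event, detail in unique_to_exposed(EXPOSED, PROTECTED):
        print(f"only on exposed server: {event} {detail}")
```

Events reported here are candidates for review, not confirmed intrusions; legitimate differences in traffic can also produce behaviour the protected clone never shows.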