Modeling and Authentication Analysis of Self-Cleansing Intrusion-Tolerant System Based on GSPN

Abstract

Self-cleansing intrusion-tolerant systems mitigate attacker intrusions and control through periodic recovery, thereby enhancing both availability and security. However, vulnerabilities in the control link render these systems susceptible to request forgery attacks. Furthermore, existing research on the modeling and performance analysis of such systems remains insufficient. To address these issues, this paper introduces an authentication mechanism to fortify control link security and employs Generalized Stochastic Petri Nets for system evaluation. We constructed Petri net models for three distinct scenarios: a traditional system, a system compromised by forged controller requests, and a system fortified with authentication mechanism. Subsequently, isomorphic Continuous-Time Markov Chains were derived to facilitate theoretical analysis. Quantitative evaluations were performed by deriving steady-state probabilities and conducting simulations on the PIPE platform. To further assess practicality, we conduct scalability analysis under varying system scales and parameter settings, and implement a prototype in a virtualized testbed to experimentally validate the analytical findings. Evaluation results indicate that authentication mechanism ensures the reliable execution of cleansing strategies, thereby improving system availability, enhancing security, and mitigating data leakage risks.

1. Introduction

The proliferation of internet technology has significantly expanded the functionality and data volume of network systems. However, inherent limitations in design and implementation make vulnerabilities a prevalent and unavoidable characteristic of these systems. The existence of such vulnerabilities and backdoors is a primary driver of cybersecurity incidents [1]. Consequently, as the scale of these systems grows, so does the number of potential vulnerabilities, exacerbating threats to system security. While established technologies like firewalls, intrusion detection systems, and vulnerability scanners have enhanced system security to some extent, traditional defense paradigms remain challenged by the “easy to attack, hard to defend” asymmetry against continuously evolving and highly unpredictable attack vectors.

Attackers are able to infiltrate target systems, leveraging multiple attack vectors such as zero-day vulnerabilities, flaws in software configuration and access control policies, or by social engineering users into installing or running malicious software [2]. Characteristic-matching defense systems, which rely on analyzing historical attack samples, are inherently limited in their ability to detect unknown threats and adapt to attack variants. Therefore, the research goal of network security technology should be to find a new defensive approach that does not rely on attack characteristics and behavioral information, so as to alleviate the growing problem of cyberspace security [3].

To address the “easy to attack, hard to defend” asymmetry in cyberspace, the academic community has intensified research into proactive defense technologies [4]. This effort has spurred the development of mature technologies such as cyberspace mimic defense [5], deception defense [6], moving target defense [7], and intrusion tolerance [8]. Unlike preventive defense strategies, intrusion tolerance focuses on maintaining continuous service delivery even when the system is compromised [8]. Self-Cleansing Intrusion Tolerance (SCIT) is a prominent example of this paradigm [9]. SCIT utilizes virtualization to dynamically switch between online and offline server instances, allowing the system to rapidly revert to a known-secure state post-intrusion. Rather than relying on traditional detection and prevention, SCIT ensures system availability and resilience through periodic “self-cleansing” operations. This approach enables swift service restoration and prevents attackers from establishing persistent control or causing lasting damage.

The foundational theory of Self-Cleansing Intrusion Tolerance, proposed by Bangalore et al. [9], pioneered a shift in defensive focus from intrusion prevention to loss control, thereby balancing system security with availability. Subsequent work [10,11] integrated SCIT’s benefits with the elastic redundancy of cloud platforms to develop a cost-effective, scalable cloud service architecture, further exploring serverless computing’s potential for cost reduction. SCIT has also been incorporated into the Moving Target Defense (MTD) domain. For instance, Qi et al. [12] combined server switching with software diversification to increase the randomness and unpredictability of the operating environment, subsequently enhancing the system’s overall defensive posture. Within Software-Defined Networking (SDN), Sanoussi et al. [13] proposed ITC (Intrusion-Tolerant Controller), a scheme for multi-controller architectures that combines recovery models with MTD strategies to strengthen the security of the SDN control plane.

Regarding data security, Sood et al. [14] applied an SCIT-based MTD approach to healthcare information systems, enhancing security and mitigating data leakage risks. However, their study lacked an in-depth analysis of SCIT’s theoretical efficacy in this context. Nagarajan et al. [15] proposed a hybrid architecture integrating SCIT with intrusion detection systems (IDS). They validated the approach’s effectiveness in reducing the likelihood of data breaches using decision tree analysis and Monte Carlo simulations.

In the domain of system performance evaluation, a closely related study by El et al. [16] proposed a modeling technique for SCIT systems based on semi-Markov processes. Their approach integrated the SCIT mechanism with preventive maintenance to construct a semi-Markov model, enabling numerical analysis of metrics like system availability and mean time to security failure (MTTSF). Distinct from prior research, our work addresses a critical yet overlooked vulnerability: the unauthenticated SCIT control link’s susceptibility to forged request attacks. These attacks can directly disrupt cleansing operations, potentially causing a complete failure of the intrusion tolerance functionality. To mitigate this threat, we introduce an authentication mechanism designed to secure the infrastructure against such spoofing attacks. We employ Generalized Stochastic Petri Nets (GSPN) for system modeling and evaluation. Compared to the semi-Markov process method, GSPN offers superior capabilities for describing complex attack-defense scenarios; it not only supports quantitative analysis but also intuitively illustrates the adversarial interactions between the attacker and the SCIT strategy, including conditional triggers and concurrent behaviors. Accordingly, we construct GSPN models for various scenarios to comparatively assess the destructiveness of forged controller request attacks and the defensive efficacy of the authentication mechanism. Furthermore, we conduct numerical assessments of key metrics, including system availability, security, and data leakage risk.

The main contributions of this paper are summarized as follows:

• We identify a critical yet underexplored vulnerability in SCIT systems: the susceptibility of unauthenticated control links to forged controller requests. To address this, we introduce an identity authentication mechanism that effectively prevents spoofing attacks and ensures the reliable execution of cleansing operations.
• We develop a concise and expressive GSPN-based modeling framework that captures traditional SCIT behavior, forged request attacks, and the authentication-enhanced mechanism within a unified formalism, enabling intuitive representation of adversarial interactions alongside rigorous quantitative analysis.
• We perform a comprehensive evaluation combining steady-state analysis and PIPE-based simulation, and further extend the study with scalability analysis under varying system sizes and parameter settings. In addition, we implement a prototype and conduct testbed experiments to validate the analytical results. The results demonstrate that the authentication-enhanced design improves availability and security while significantly reducing data leakage risks compared with traditional SCIT systems.

2. Defense Scenarios

The self-cleansing intrusion-tolerant system mitigates network attacks through the periodic rotation of servers between online and offline states. This core mechanism shortens the server’s online exposure window, thereby compressing the effective timeframe available to an attacker. This strategy is key to ensuring service availability.

To systematically evaluate our model and quantify the impact of different defense strategies on system performance, we designed three progressive assessment scenarios.

As depicted in Figure 1, Scenario I models the traditional self-cleansing intrusion-tolerant system, which serves as the evaluation baseline. In this baseline model, the controller schedules server rotations according to a predetermined strategy, periodically cleansing potential intrusions and restoring the system to a secure state. While this baseline model can effectively interrupt attacks and restore services, it lacks security hardening for the control channel. This omission creates a theoretical vulnerability to forged controller request attacks.

Scenario II, depicted in Figure 2, builds upon the baseline by introducing threats to the control link. In this scenario, attackers can perform conventional intrusions and, more critically, monitor the control channel. By analyzing communication protocols, they can then spoof legitimate controller instructions to manipulate server states. Such attacks cause servers to execute unexpected state transitions, such as unplanned shutdowns, thereby severely undermining system availability and the effectiveness of the security policy.

Authentication technology is a cornerstone of information security, ensuring that system resources are accessible only to legitimate entities [17]. To mitigate the threats identified in Scenario II, Scenario Scenario III enhances the SCIT model with an authentication mechanism, as depicted in Figure 3. In this enhanced model, before executing any control instruction, a server must first use the authentication mechanism to verify the identity of the command’s originator. Only validated controllers are permitted to establish a secure channel for subsequent operations; all unauthenticated or spoofed requests are rejected outright. Moreover, this model extends the authentication layer to the client side. Users are now required to authenticate their identity before accessing services, which restricts unauthorized access and further strengthens the system’s overall security posture.

3. GSPN-Based Modeling and Analysis

Petri nets are a formal modeling tool that integrates graphical representation with rigorous mathematical semantics. They excel at capturing the concurrent, synchronous, and resource-contentious behaviors inherent in complex systems, making them widely applicable for performance evaluation, availability analysis, and system modeling. Structurally, a Petri net is a bipartite directed graph consisting of Places and Transitions. Places represent system states or resource availability, while Transitions denote the events or actions that cause state changes. The system’s global state is defined by the distribution of Tokens across its places—a configuration known as a Marking. The dynamic evolution of the system unfolds as transitions “fire,” consuming tokens from input places and producing them in output places. This token flow simulates the system’s operational dynamics. To enhance modeling power, extensions such as Inhibitor Arcs can be introduced. An inhibitor arc prevents a transition from firing if its corresponding place contains tokens, thereby enabling the modeling of negative conditions and complex control logic.

Building upon the basic Petri net model, Generalized Stochastic Petri Nets incorporate concepts of time and stochasticity to enhance modeling precision regarding the dynamic behaviors of real-world systems. In GSPN, transitions are categorized into two types: Timed Transitions and Immediate Transitions. Timed Transitions represent stochastic events with non-zero durations; their firing delays typically follow an exponential distribution, characterized by corresponding rate parameters. Conversely, Immediate Transitions describe instantaneous actions such as logical judgments, strategy selections, or scheduling decisions that consume no time. These transitions fire instantaneously once enabled. Semantically, Immediate Transitions possess higher priority than Timed Transitions, ensuring that the system prioritizes the completion of all immediate logical evolutions within any given state.

Leveraging the aforementioned mechanisms, the dynamic behavior of GSPN can be systematically characterized through the evolution of markings. Depending on whether enabling immediate transitions exist under the current marking, system states are partitioned into Vanishing States and Tangible States. Vanishing States represent only instantaneous logical evolution processes and consume zero time, whereas Tangible States correspond to states where the system actually resides, with residence times governed by the exponential distributions of timed transitions. By eliminating and reducing Vanishing States, the reachable state space of the GSPN can be rigorously mapped to a Continuous-Time Markov Chain (CTMC).

Following the mapping from GSPN to CTMC, the challenge of quantitative system analysis is effectively transformed into the numerical solution of the CTMC. By solving the corresponding steady-state balance equations or transient probability equations, key performance and reliability metrics can be derived, including steady-state probability distribution, availability, mean response time, throughput, and the probability of failure or intrusion occurrences. Consequently, GSPN establishes a comprehensive analysis framework that progresses from structural modeling and dynamic behavior description to stochastic process modeling and numerical evaluation, thereby providing a solid theoretical foundation and engineering feasibility for the quantitative assessment of complex systems [18]. Figure 4 illustrates the fundamental components of a GSPN.

3.1. Scenario I: Traditional Self-Cleansing Intrusion Tolerance Model

As shown in Figure 5, this model represents the core operational cycle of the self-cleansing intrusion-tolerant system. For clarity, the model simplifies the self-cleansing process into two primary states: “online service” ($P_{online}$) and “offline ready” ($P_{ready}$) and integrates the attacker’s intrusion path and the system’s recovery mechanisms. The model’s initial marking places one token in $P_{online}$ and another in $P_{normal}$. This signifies that the server is initially online and the system is secure. Upon reaching a preset runtime threshold, the controller issues a cleansing command, causing transition $T_{clean}$ to fire. This consumes the token from $P_{online}$ and generates a token in $P_{ready}$, transitioning the server from online service to the “offline ready” state after cleansing. Subsequently, to bring the server back online, transition $T_{deploy}$ is activated. This transition consumes the token in $P_{ready}$ and deposits a new token in $P_{online}$, thus restoring the server to active service and completing one full self-cleansing cycle.

While the server is in its “online service” state (indicated by a token in $P_{online}$), an attacker can scan and reconnoiter it. This behavior corresponds to the activation of transition $T_{scan}$, which consumes the token from the secure state place $P_{normal}$ and deposits a new one in $P_{exposure}$. As a result, the system transitions to a “risk exposure” state, signifying that a vulnerability has been identified but not yet exploited. If a cleansing operation occurs during this “risk exposure” phase (i.e., $T_{clean}$ fires), a recovery mechanism is initiated. The pre-emptive cleansing enables transition $T_{recove{r}_1}$, which consumes the token from $P_{exposure}$ and regenerates one in $P_{normal}$, thereby pre-emptively restoring the system to a secure state before an exploit can occur. Alternatively, if the attacker exploits the vulnerability before a cleansing cycle begins, transition $T_{exploit}$ fires. This action consumes the token from $P_{exposure}$ and places one in $P_{attacked}$, indicating a successful system compromise. The scheduled cleansing cycle proceeds even if the server is compromised. Following the firing of $T_{clean}$, the inhibitor arc condition for $T_{recove{r}_2}$ is met, enabling it to fire. This recovery transition then consumes the token from $P_{attacked}$ and generates a new token in $P_{normal}$, effectively restoring the compromised server to a secure state.

Following a successful compromise (indicated by a token in place $P_{attacked}$), the attacker can proceed to initiate data theft. This action is modeled by the firing of transition $T_{theft}$, which consumes the token from $P_{attacked}$ and deposits one in $P_{leak}$. This signifies that a data leakage event is in progress. If a self-cleansing operation is initiated at this juncture, the data theft process is interrupted. This recovery is implemented in the model by the immediate transition $T_{recove{r}_3}$. It fires to consume the token from $P_{leak}$ and regenerate one in $P_{normal}$, thereby restoring the system to a secure state and terminating the data leak.

The set of all reachable markings for the GSPN model, each defined by a unique distribution of tokens across the places, is enumerated in

Table 1. Reachable markings’ set of Scenario I.

State	${\mathit{P}}_{\mathit{attacked}}$	${\mathit{P}}_{\mathit{exposure}}$	${\mathit{P}}_{\mathit{leak}}$	${\mathit{P}}_{\mathit{normal}}$	${\mathit{P}}_{\mathit{online}}$	${\mathit{P}}_{\mathit{ready}}$
$M_0$	0	0	0	1	1	0
$M_1$	0	0	0	1	0	1
$M_2$	1	0	0	0	1	0
$M_3$	0	0	1	0	1	0
$M_4$	0	1	0	0	1	0

:

Reachability analysis of the GSPN model yields the corresponding continuous-time Markov chain illustrated in Figure 6. In this CTMC, each directed edge is labeled with ${\lambda }_i$, representing the average firing rate of the corresponding transition $T_i$ in the GSPN model.

Based on the CTMC depicted in Figure 6, the transition rate matrix Q is formulated as follows:

$$Q=\left[\begin{array}{ccccc}-{\lambda }_{clean}-{\lambda }_{scan}& {\lambda }_{clean}& 0& 0& {\lambda }_{scan}\\ {\lambda }_{deploy}& -{\lambda }_{deploy}& 0& 0& 0\\ 0& {\lambda }_{clean}& -{\lambda }_{clean}-{\lambda }_{theft}& {\lambda }_{theft}& 0\\ 0& {\lambda }_{clean}& 0& -{\lambda }_{clean}& 0\\ 0& {\lambda }_{clean}& {\lambda }_{exploit}& 0& -{\lambda }_{clean}-{\lambda }_{exploit}\end{array}\right]$$

(1)

The steady-state probability vector of the CTMC is denoted by $\pi =\{p_0,p_1,p_2,p_3,p_4\}$, where each component $p_i$ represents the steady-state probability of the system residing in marking $M_i$. This vector $\pi$ is determined by solving the system of linear equations defined by the global balance equation ($\pi Q=0$) and the normalization condition (${\sum }_{i=0}^4{p}_i=1$). The resulting steady-state probabilities for each marking are presented as follows:

$$\begin{array}{cc}\hfill p_0=& 1/\{1+({\lambda }_{clean}+{\lambda }_{scan}){\lambda }_{deploy}^{-1}+{\lambda }_{scan}({\lambda }_{clean}+\hfill \\ \hfill & {\lambda }_{exploit}{)}^{-1}+{\lambda }_{exploit}{\lambda }_{scan}{({\lambda }_{clean}+{\lambda }_{theft})}^{-1}({\lambda }_{clean}+\hfill \\ \hfill & {\lambda }_{exploit}{)}^{-1}(1+{\lambda }_{theft}{\lambda }_{clean}^{-1})\}\hfill \\ \hfill p_1=& ({\lambda }_{clean}+{\lambda }_{scan}){\lambda }_{deploy}^{-1}{p}_0\hfill \\ \hfill p_2=& {\lambda }_{exploit}{\lambda }_{scan}{({\lambda }_{clean}+{\lambda }_{theft})}^{-1}{({\lambda }_{clean}+{\lambda }_{exploit})}^{-1}{p}_0\hfill \\ \hfill p_3=& {\lambda }_{theft}{\lambda }_{exploit}{\lambda }_{scan}{\lambda }_{clean}^{-1}({\lambda }_{clean}+\hfill \\ \hfill & {\lambda }_{theft}{)}^{-1}{({\lambda }_{clean}+{\lambda }_{exploit})}^{-1}{p}_0\hfill \\ \hfill p_4=& {\lambda }_{scan}{({\lambda }_{clean}+{\lambda }_{exploit})}^{-1}{p}_0\hfill \end{array}$$

(2)

We define two key performance metrics based on the GSPN model. First, steady-state availability is defined as the summed steady-state probability of all normal operational markings. Second, steady-state security is the summed steady-state probability of all non-compromised markings. Leveraging these definitions and the previously computed steady-state probabilities, the formal expressions for these two metrics are presented as follows:

$$\begin{array}{cc}\hfill p_{availability}=& p(M\left(P_{online}\right)>0\wedge (M\left(P_{normal}\right)>0\vee M\left(P_{exposure}\right)>0))\hfill \\ \hfill =& p_0+p_4\hfill \\ \hfill p_{security}=& 1-p(M\left(P_{attacked}\right)>0\vee M\left(P_{leak}\right)>0)\hfill \\ \hfill =& 1-p_2-p_3\hfill \end{array}$$

(3)

where the notation $M\left(P_i\right)$ represents the number of tokens in place $P_i$ under marking M.

Upon a successful server compromise, the associated risk of data leakage is quantified by the following equation:

$$p_{leak}=p(M\left(P_{leak}\right)>0)=p_3$$

(4)

3.2. Scenario II: Forged Controller Request Attack

In the forged controller request attack scenario, an attacker first eavesdrops on legitimate controller commands and subsequently forges malicious requests that mimic them. Conventional self-cleansing intrusion tolerance mechanisms are ineffective against this type of sophisticated forgery attack. Within the GSPN model (Figure 7), this attack is represented by the firing of transition $T_{forge}$. This event consumes one token from place $P_{online}$ and one from $P_{exposure}$, depositing a new token into place $P_{crashed}$. The presence of a token in $P_{crashed}$ signifies that the server has transitioned to a crashed state. Due to the nature of this forgery attack, self-cleansing mechanisms fail, necessitating manual intervention by an administrator. Such interventions may include system reconfiguration, firewall rule updates to block the attack source, or modification of the control command format. This manual repair process is modeled by the firing of transition $T_{repair}$. The firing consumes the token from $P_{crashed}$ and regenerates one token each in places $P_{online}$ and $P_{normal}$, effectively restoring the system to its initial, secure state.

The set of all reachable markings for the GSPN model is enumerated in

Table 2. Reachable markings’ set of Scenario II.

State	${\mathit{P}}_{\mathit{attacked}}$	${\mathit{P}}_{\mathit{crashed}}$	${\mathit{P}}_{\mathit{exposure}}$	${\mathit{P}}_{\mathit{leak}}$	${\mathit{P}}_{\mathit{normal}}$	${\mathit{P}}_{\mathit{online}}$	${\mathit{P}}_{\mathit{ready}}$
$M_0$	0	0	0	0	1	1	0
$M_1$	0	0	0	0	1	0	1
$M_2$	0	0	1	0	0	1	0
$M_3$	0	1	0	0	0	0	0
$M_4$	0	0	0	1	0	1	0
$M_5$	1	0	0	0	0	1	0

.

Applying reachability analysis to the GSPN model yields its isomorphic continuous-time Markov chain, as depicted in Figure 8.

From the CTMC model depicted in Figure 8, we derive the transition rate matrix Q, as defined in Equation (5).

$$Q=\left[\begin{array}{cccccc}-{\lambda }_a& {\lambda }_{clean}& {\lambda }_{scan}& 0& 0& 0\\ {\lambda }_{deploy}& -{\lambda }_{deploy}& 0& 0& 0& 0\\ 0& {\lambda }_{clean}& -{\lambda }_b& {\lambda }_{forge}& 0& {\lambda }_{exploit}\\ {\lambda }_{repair}& 0& 0& -{\lambda }_{repair}& 0& 0\\ 0& {\lambda }_{clean}& 0& 0& -{\lambda }_{clean}& 0\\ 0& {\lambda }_{clean}& 0& 0& {\lambda }_{theft}& -{\lambda }_c\end{array}\right]$$

(5)

where ${\lambda }_a={\lambda }_{clean}+{\lambda }_{scan}$, ${\lambda }_b={\lambda }_{clean}+{\lambda }_{forge}+{\lambda }_{exploit}$, ${\lambda }_c={\lambda }_{clean}+{\lambda }_{theft}$.

The steady-state probability vector of the CTMC is denoted as $\pi =\{p_0,p_1,\dots ,p_5\}$. These probabilities are determined by solving the system of linear equations derived from the global balance equations ($\pi Q=0$) and the normalization condition (${\sum }_{i=0}^5{p}_i=1$), yielding the solution presented in Equation (6).

$$\begin{array}{cc}\hfill p_0=& ({\lambda }_{clean}+{\lambda }_{forge}+{\lambda }_{exploit}){\lambda }_{scan}^{-1}{p}_2\hfill \\ \hfill p_1=& [({\lambda }_{clean}+{\lambda }_{forge}+{\lambda }_{exploit})({\lambda }_{clean}+\hfill \\ \hfill & {\lambda }_{scan}){\lambda }_{scan}^{-1}-{\lambda }_{forge}]{\lambda }_{deploy}^{-1}{p}_2\hfill \\ \hfill p_2=& 1/\{({\lambda }_{clean}+{\lambda }_{forge}+{\lambda }_{exploit}){\lambda }_{scan}^{-1}[1+({\lambda }_{clean}+\hfill \\ \hfill & {\lambda }_{scan}\left){\lambda }_{deploy}^{-1}\right]+{\lambda }_{forge}({\lambda }_{repair}^{-1}-{\lambda }_{deploy}^{-1})+1+\hfill \\ \hfill & {\lambda }_{exploit}{({\lambda }_{clean}+{\lambda }_{theft})}^{-1}({\lambda }_{theft}+1)\}\hfill \\ \hfill p_3=& {\lambda }_{forge}{\lambda }_{repair}^{-1}{p}_2\hfill \\ \hfill p_4=& {\lambda }_{theft}{\lambda }_{exploit}{\lambda }_{clean}^{-1}{({\lambda }_{clean}+{\lambda }_{theft})}^{-1}{p}_2\hfill \\ \hfill p_5=& {\lambda }_{exploit}{({\lambda }_{clean}+{\lambda }_{theft})}^{-1}{p}_2\hfill \end{array}$$

(6)

The system’s steady-state availability and security are defined as:

$$\begin{array}{cc}\hfill p_{availability}=& p(M\left(P_{online}\right)>0\wedge (M\left(P_{normal}\right)>0\vee M\left(P_{exposure}\right)>0))\hfill \\ \hfill =& p_0+p_2\hfill \\ \hfill p_{security}=& 1-p(M\left(P_{attacked}\right)>0\vee M\left(P_{crashed}\right)>0\vee M\left(P_{leak}\right)>0)\hfill \\ \hfill =& 1-p_3-p_4-p_5\hfill \end{array}$$

(7)

The risk of data leakage is then quantified using Equation (8):

$$p_{leak}=p(M\left(P_{leak}\right)>0)=p_4$$

(8)

3.3. Scenario III: SCIT Model Based on Authentication Improvement

In our proposed model, a potentially forged controller request initiates a certificate-based authentication process. As depicted in the GSPN model (Figure 9), this event corresponds to the firing of transition $T_{forge}$, which moves a token from the $P_{exposure}$ place to the $P_{verify}$ place, signaling the system’s entry into the “under verification” state.

When the system is in the verification state (i.e., a token is in place $P_{verify}$), its evolution can follow one of three mutually exclusive paths:

• A legitimate cleansing command preempts the authentication process. This event is modeled by the firing of priority transition $T_{clean}$, which moves a token from $P_{online}$ to $P_{ready}$, transitioning the server to the “offline ready” state. Concurrently, the loss of the token in $P_{online}$ triggers the immediate transition $T_{recove{r}_3}$, which returns the token from $P_{verify}$ to $P_{normal}$, thereby resolving the verification state and securing the server.
• Authentication Failure. If the verification completes without interruption and the attacker’s identity forgery fails, transition $T_{fail}$ fires. This moves the token from $P_{verify}$ to $P_{denied}$, signifying a rejected attack attempt. Subsequently, the immediate transition $T_{recove{r}_4}$ is triggered, which moves the token from $P_{denied}$ back to $P_{normal}$ to reset the server state.
• Successful Attack. A successful attack, where the attacker either forges an identity or bypasses authentication via an unknown vulnerability, is modeled by the firing of transition $T_{success}$. This transition consumes one token from both $P_{verify}$ and $P_{online}$, and deposits a new token into $P_{crashed}$, forcing the server into an unexpected downtime state.

To model an exploit-based attack, an attacker must first pass an authentication challenge. This initial attempt triggers the transition $T_{exploit}$, which moves a token from $P_{exposure}$ to $P_{auth}$, placing the system into an “authentication-in-progress” state. From this state, three exclusive outcomes are possible:

• The initiation of a server cleansing during the authentication process enables the immediate transition $T_{recove{r}_2}$. Its firing returns the token from $P_{auth}$ to $P_{normal}$, thereby aborting the authentication attempt.
• If the attacker passes authentication, transition $T_{pass}$ fires. This moves the token from $P_{auth}$ to $P_{attacked}$, signifying that the server has been compromised.
• Conversely, if the authentication fails, transition $T_{reject}$ fires. This event moves the token from $P_{auth}$ to $P_{denied}$, indicating that the attack attempt has been successfully thwarted.

Data theft is modeled by transition $T_{theft}$, which moves a token from $P_{attacked}$ to $P_{leak}$ to signify a data breach. This state persists until a cleansing operation blocks the attacker’s access and triggers the recovery transition $T_{recove{r}_6}$. The firing of $T_{recove{r}_6}$ then moves the token from $P_{leak}$ back to $P_{normal}$, completing the defense and recovery loop.

In summary, the model’s reachable marking set, defined by the token distribution across its places, is presented in

Table 3. Reachable markings’ set of Scenario III.

State	${\mathit{P}}_{\mathit{attacked}}$	${\mathit{P}}_{\mathit{auth}}$	${\mathit{P}}_{\mathit{crashed}}$	${\mathit{P}}_{\mathit{denied}}$	${\mathit{P}}_{\mathit{leak}}$	${\mathit{P}}_{\mathit{exposure}}$	${\mathit{P}}_{\mathit{normal}}$	${\mathit{P}}_{\mathit{online}}$	${\mathit{P}}_{\mathit{ready}}$	${\mathit{P}}_{\mathit{verify}}$
$M_0$	0	0	0	0	0	0	1	1	0	0
$M_1$	0	0	1	0	0	0	0	0	0	0
$M_2$	0	0	0	0	0	1	0	1	0	0
$M_3$	0	0	0	0	0	0	0	1	0	1
$M_4$	0	1	0	0	0	0	0	1	0	0
$M_5$	0	0	0	0	0	0	1	0	1	0
$M_6$	0	0	0	1	0	0	0	1	0	0
$M_7$	1	0	0	0	0	0	0	1	0	0
$M_8$	0	0	0	0	1	0	0	1	0	0

.

From the reachable markings listed in Table 3 and their corresponding transition relationships, we construct the continuous-time Markov chain shown in Figure 10.

The continuous-time Markov chain from Figure 10 yields the transition rate matrix shown in Equation (9).

$$Q=\left[\begin{array}{ccccccccc}-{\lambda }_a& 0& {\lambda }_{scan}& 0& 0& {\lambda }_{clean}& 0& 0& 0\\ {\lambda }_{repair}& -{\lambda }_{repair}& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& -{\lambda }_b& {\lambda }_{forge}& {\lambda }_{exploit}& {\lambda }_{clean}& 0& 0& 0\\ 0& {\lambda }_{success}& 0& -{\lambda }_c& 0& {\lambda }_{clean}& {\lambda }_{fail}& 0& 0\\ 0& 0& 0& 0& -{\lambda }_d& {\lambda }_{clean}& {\lambda }_{reject}& {\lambda }_{pass}& 0\\ {\lambda }_{deploy}& 0& 0& 0& 0& -{\lambda }_{deploy}& 0& 0& 0\\ 0& 0& 0& 0& 0& {\lambda }_{clean}& -{\lambda }_{clean}& 0& 0\\ 0& 0& 0& 0& 0& {\lambda }_{clean}& 0& -{\lambda }_e& {\lambda }_{theft}\\ 0& 0& 0& 0& 0& {\lambda }_{clean}& 0& 0& -{\lambda }_{clean}\end{array}\right]$$

(9)

where ${\lambda }_a={\lambda }_{scan}+{\lambda }_{clean}$, ${\lambda }_b={\lambda }_{forge}+{\lambda }_{exploit}+{\lambda }_{clean}$, ${\lambda }_c={\lambda }_{success}+{\lambda }_{clean}+{\lambda }_{fail}$, ${\lambda }_d={\lambda }_{clean}+{\lambda }_{reject}+{\lambda }_{pass}$, ${\lambda }_e={\lambda }_{clean}+{\lambda }_{theft}$.

Let $\pi =\{p_0,p_1,\dots ,p_8\}$ be the steady-state probability vector of the CTMC. The individual probabilities $p_i$ are obtained by solving the system of linear equations $\pi Q=0$ and ${\sum }_{i=0}^8{p}_i=1$. The resulting values are presented in Equation (10).

$$\begin{array}{cc}\hfill p_0=& ({\lambda }_{forge}+{\lambda }_{exploit}+{\lambda }_{clean}){\lambda }_{scan}^{-1}{p}_2\hfill \\ \hfill p_1=& {\lambda }_{success}{\lambda }_{forge}{\lambda }_{repair}^{-1}{({\lambda }_{success}+{\lambda }_{clean}+{\lambda }_{fail})}^{-1}{p}_2\hfill \\ \hfill p_2=& 1/\left\{\right[({\lambda }_{forge}+{\lambda }_{exploit}+{\lambda }_{clean}){\lambda }_{scan}^{-1}+1+\hfill \\ \hfill & {\lambda }_{forge}({\lambda }_{clean}+{\lambda }_{fail}){({\lambda }_{success}+{\lambda }_{clean}+{\lambda }_{fail})}^{-1}{\lambda }_{clean}^{-1}+\hfill \\ \hfill & {\lambda }_{exploit}{\lambda }_{clean}^{-1}](1+{\lambda }_{clean}{\lambda }_{deploy}^{-1})+\hfill \\ \hfill & {\lambda }_{success}{\lambda }_{forge}{\lambda }_{repair}^{-1}{({\lambda }_{success}+{\lambda }_{clean}+{\lambda }_{fail})}^{-1}\}\hfill \\ \hfill p_3=& {\lambda }_{forge}{({\lambda }_{success}+{\lambda }_{clean}+{\lambda }_{fail})}^{-1}{p}_2\hfill \\ \hfill p_4=& {\lambda }_{exploit}{({\lambda }_{clean}+{\lambda }_{reject}+{\lambda }_{pass})}^{-1}{p}_2\hfill \\ \hfill p_5=& [({\lambda }_{scan}+{\lambda }_{clean})({\lambda }_{forge}+{\lambda }_{exploit}+{\lambda }_{scan}){\lambda }_{deploy}^{-1}{\lambda }_{scan}^{-1}-\hfill \\ \hfill & {\lambda }_{success}{\lambda }_{forge}{\lambda }_{deploy}^{-1}{({\lambda }_{success}+{\lambda }_{clean}+{\lambda }_{fail})}^{-1}]p_2\hfill \\ \hfill p_6=& [{\lambda }_{fail}{\lambda }_{forge}{\lambda }_{clean}^{-1}{({\lambda }_{success}+{\lambda }_{clean}+{\lambda }_{fail})}^{-1}+\hfill \\ \hfill & {\lambda }_{reject}{\lambda }_{exploit}{\lambda }_{clean}^{-1}{({\lambda }_{clean}+{\lambda }_{reject}+{\lambda }_{pass})}^{-1}]p_2\hfill \\ \hfill p_7=& {\lambda }_{pass}{\lambda }_{exploit}{({\lambda }_{clean}+{\lambda }_{theft})}^{-1}{({\lambda }_{clean}+{\lambda }_{reject}+{\lambda }_{pass})}^{-1}{p}_2\hfill \\ \hfill p_8=& {\lambda }_{theft}{\lambda }_{pass}{\lambda }_{exploit}{\lambda }_{clean}^{-1}{({\lambda }_{clean}+{\lambda }_{theft})}^{-1}{({\lambda }_{clean}+{\lambda }_{reject}+{\lambda }_{pass})}^{-1}{p}_2\hfill \end{array}$$

(10)

Using the previously defined metrics, the system’s steady-state availability and security are quantitatively evaluated with Equation (11).

$$\begin{array}{cc}\hfill p_{availability}=& p(M\left(P_{online}\right)>0\wedge (M\left(P_{attacked}\right)+M\left(P_{leak}\right))=0)\hfill \\ \hfill =& p_0+p_2+p_3+p_4+p_6\hfill \\ \hfill p_{security}=& 1-p((M\left(P_{attacked}\right)+M\left(P_{leak}\right))>0\vee M\left(P_{crashed}\right)>0)\hfill \\ \hfill =& 1-p_1-p_7-p_8\hfill \end{array}$$

(11)

The risk of data leakage is given by:

$$p_{leak}=p(M\left(P_{leak}\right)>0)=p_8$$

(12)

3.4. Methodology for Scalability Analysis

As illustrated in Figure 5, Figure 7 and Figure 9, the preceding analyses were limited to single-server scenarios. To evaluate the scalability and overall performance of the proposed mechanism in multi-server deployments, we conducted an extended analysis. We assume that the cleansing processes of individual instances are mutually independent, as are the attack sequences targeting different instances. Given that any single instance is characterized by the previously constructed Petri net model, and that all instances share identical structures and parameters, we constructed a system-level Petri net comprising n replicas by duplicating the single-instance model. This approach enables a unified evaluation of the multi-instance system. To quantify system-level metrics, the following criteria were adopted: the system is considered available if at least one server remains available; it is deemed insecure if any server enters a compromised state; and a system-wide data leakage risk is identified if a data breach occurs in any server.

4. Results

4.1. Experimental Environment and Configuration

To quantitatively evaluate the proposed scheme, we employed the PIPE [19,20] modeling tool to construct a generalized stochastic Petri net model for each of the three scenarios. The key model parameters, including the average firing rates (${\lambda }_i$) of timed transitions ($T_i$), were configured as detailed in

Table 4. The average transition triggering rate of Scenario I/II/III.

	Scenario I	Scenario II	Scenario III
${\lambda }_{deploy}$	50	50	50
${\lambda }_{scan}$	1	1	1
${\lambda }_{exploit}$	2	2	2
${\lambda }_{theft}$	2	2	2
${\lambda }_{forge}$	-	1	1
${\lambda }_{repair}$	-	0.5	0.5
${\lambda }_{pass}$	-	-	1
${\lambda }_{reject}$	-	-	1
${\lambda }_{success}$	-	-	1
${\lambda }_{fail}$	-	-	1

.

A parameter sensitivity analysis was conducted to evaluate the influence of the cleansing firing rate (${\lambda }_{clean}$) on system performance. In this analysis, ${\lambda }_{clean}$ was varied from 1 to 15 for each attack scenario, and the resulting system performance was simulated. The findings are illustrated in Figure 11, Figure 12 and Figure 13.

The proposed Self-Cleaning Intrusion Tolerance (SCIT) system was implemented in Golang (version 1.24.0) and deployed within a controlled network environment for simulation. The experimental platform consisted of a physical server equipped with an Intel Xeon E5-2603 v4 CPU (1.70 GHz) and 16 GB of RAM. A VMware virtualization environment was deployed on this server to host the three virtual machines (VMs) constituting the experimental scenario. These VMs were designated as the Service Node, Controller Node, and Client/Attacker Node, tasked with service provisioning, cleansing control, and system evaluation (encompassing liveness detection and attack simulation), respectively. Detailed VM configurations are provided in

Table 5. Virtual Machine Configuration.

Node	Role and Function	System	Resource Allocation
$V{M}_1$	Provides external network services; performs cleansing	Debian 11	2 vCPU/2GB RAM
$V{M}_2$	Issues cleansing policies and commands; controls cleansing operations	Debian 11	1 vCPU/1GB RAM
$V{M}_3$	Performs liveness probing; launches attacks and records results	Debian 11	2 vCPU/2GB RAM

.

Regarding parameter settings, the unit time was fixed at 30 s, while the cleaning frequency was incremented from 1 to 15. For each frequency interval, the system operated continuously for 30 min to quantify service availability, security, and data leakage risks.

4.2. Numerical Results and Analysis

Figure 11 illustrates the impact of the cleansing firing rate, ${\lambda }_{clean}$, on system availability across different scenarios. A key observation is the significant drop in availability when controller request forgery attacks are present, which underscores the critical role of the authentication mechanism in preventing such intrusions.

The relationship between ${\lambda }_{clean}$ and availability is non-monotonic and exhibits a clear trade-off. Initially, at low cleansing rates, attackers have a prolonged attack window, leading to persistent low availability. As ${\lambda }_{clean}$ increases, the server exposure time shortens, enabling faster threat removal and service recovery, which causes a corresponding rise in availability. However, beyond a certain threshold, increasing ${\lambda }_{clean}$ becomes detrimental. This occurs for two reasons. First, the security benefits plateau as the attacker’s impact is already maximally mitigated. Second, the defense mechanism itself introduces overhead, as frequent cleansing operations increase server downtime for maintenance. Eventually, this overhead-induced availability loss outweighs the security gains, causing the overall system availability to decline.

Figure 12 illustrates how the cleansing firing rate, ${\lambda }_{clean}$, affects system security. The results highlight two key findings. First, controller request forgery attacks significantly degrade system security. The authentication mechanism effectively counters this threat by intercepting malicious traffic, thereby elevating system security even beyond the Scenario I. Second, system security is positively correlated with ${\lambda }_{clean}$. This is because a higher cleansing rate shortens the attacker’s window of opportunity, thwarting complex, multi-stage attacks that require time to deploy malicious payloads or establish backdoors. Consequently, a higher ${\lambda }_{clean}$ reduces the probability of a successful intrusion, leading to enhanced overall system security.

Figure 13 shows a strong negative correlation between the cleansing firing rate (${\lambda }_{clean}$) and the risk of data leakage. This is because higher cleansing frequencies compress the attacker’s window of opportunity, hindering the completion of the full attack chain from initial penetration to final data exfiltration. Consequently, the probability of successful data leakage declines sharply with an increasing ${\lambda }_{clean}$. Interestingly, an anomalous result appears at lower cleansing rates: the data leakage risk in Scenario II is lower than in the Scenario I. This effect occurs because unintended server outages, triggered by forged commands, inadvertently shorten the server’s effective exposure time, thus limiting opportunities for data theft. This finding highlights a complex interplay between availability and security threats. Scenario III achieves the lowest risk by design, using an authentication mechanism to proactively deny unauthorized access, thus offering the most robust defense against data leakage.

To evaluate scalability, multi-instance scenarios were simulated by replicating the single-instance Petri net model n times (where $n=1,2,3$), with the cleaning trigger rate uniformly set to 1. As illustrated in Figure 14, system availability exhibits a distinct upward trend as n increases. This improvement is primarily attributed to the redundancy inherent in multi-instance deployments, which enhances fault tolerance: even if specific instances malfunction or become unavailable, the remaining instances can maintain service continuity, thereby boosting overall availability. Conversely, as the number of instances grows, system security declines, and the risk of data leakage escalates. This trend arises because expanding the system scale significantly amplifies the attack surface; the increased number of intrusion paths and targets raises both the probability of successful intrusion and the risk of data leakage. A comparison across the three scenarios reveals that for availability and security metrics, the Authentication-Enhanced SCIT achieves optimal performance, followed by the traditional SCIT. Scenario II (susceptible to forgery attacks) exhibits the poorest performance. Regarding data leakage risk specifically, the Authentication-Enhanced SCIT maintains its superiority. Notably, however, Scenario II outperforms the traditional SCIT in this specific metric, a phenomenon consistent with the data leakage risk analysis presented earlier.

4.3. Experimental Evaluation of the Prototype System

In the experimental setup, services were deployed as Docker containers acting as the protected targets. To simulate destructive intrusions, system panics were manually induced within the containers to provoke service anomalies. A ping interface was exposed as a health-check endpoint for continuous service status monitoring. Probe responses categorized system behavior into three distinct states: (1) Normal Operation, indicated by a successful response; (2) Service Failure, signified by an error response resulting from a successful attack; and (3) Maintenance/Unavailable, characterized by connection errors distinct to the system’s cleaning and rotation phases (i.e., node reset or switching).

VM3 operated concurrently as a legitimate client and an attacking node, initiating continuous attacks and liveness probes while logging response data. Based on the acquired logs over a 30-min operational window, two key metrics were derived:

• Availability: Defined as the ratio of successful probe responses to the total volume of probes issued.
• Security: Calculated as the proportion of non-compromised system states–comprising the sum of successful responses and connection errors–relative to the total probe count. This metric effectively quantifies system resilience by excluding instances of service failure resulting from successful intrusions.

To assess the risk of data exfiltration, a dedicated interface was deployed on the service node to emulate a buffer overflow vulnerability. When an attack triggers the buffer overflow, the system is considered to have suffered a confidentiality violation, as such vulnerabilities are widely recognized to potentially lead to unauthorized data disclosure. In this experimental setting, a data leakage event is operationally defined as the successful triggering of a buffer overflow vulnerability, serving as an indicator of compromised confidentiality rather than a direct measurement of actual data exfiltration. Accordingly, the interface returns a Boolean value, where False indicates no overflow and True indicates a successful breach.

Based on the statistical analysis of the interface responses, Data Leakage Probability is quantified as the ratio of positive leakage indicators (returning True) to the total volume of attack requests issued within a 30-min experimental window. This metric reflects the attack success rate in triggering confidentiality-compromising conditions and serves as a quantitative indicator of data exfiltration risk.

The experimental results are presented in Figure 15. Overall, the experimental data aligns closely with the analytical results derived from the Petri net model, exhibiting comparable trends and numerical ranges. This close correspondence confirms that the established model accurately captures the system’s behavioral characteristics across various parameter configurations. Minor discrepancies between the datasets are primarily attributable to non-ideal factors inherent in the virtualized environment, including resource contention, scheduling overhead, and network latency fluctuations. However, these deviations do not compromise the validity of the core conclusions. Ultimately, these empirical results corroborate the effectiveness of the Petri net analysis, providing a solid foundation for subsequent parameter selection and mechanism optimization.

The integration of an authentication mechanism inevitably incurs additional communication overhead. To quantify this, Round-Trip Time (RTT) was measured at the application layer–defined as the interval between request transmission and response reception–and the average latency was computed over 1000 independent trials. Results indicate that, while controlling for network conditions and system configurations, the deployment of authentication imposes an average end-to-end latency penalty of 11.72 ms.

5. Conclusions

This paper addresses the vulnerability of traditional self-cleansing intrusion-tolerant systems to controller command forgery attacks by designing and evaluating an authentication-enhanced intrusion tolerance framework. Our GSPN-based analysis demonstrates that the proposed architecture yields superior system availability, bolstered security, and reduced data leakage risk compared to conventional approaches. By integrating an authentication layer with proactive defense mechanisms, our work offers a robust foundation for building highly resilient network services. In addition, scalability analysis under different system scales and parameter settings, together with prototype-based experiments, further validates the effectiveness and practical feasibility of the proposed design. Future research will extend this model by exploring adaptive cleansing strategies. Such strategies would enable the system to dynamically adjust its defense intensity based on real-time threat intelligence, paving the way for more intelligent and efficient intrusion tolerance in dynamic adversarial environments.