TY - JOUR T1 - Cloud Data Protection for the Masses JF - Computer Y1 - 2012 A1 - Song,D. A1 - Elaine Shi A1 - Fischer, I. A1 - Shankar,U. KW - Cloud computing KW - cloud data protection KW - cloud platform architecture KW - cloud users KW - Maintenance KW - rapid development KW - security of data KW - strong data protection AB - Offering strong data protection to cloud users while enabling rich applications is a challenging task. Researchers explore a new cloud platform architecture called Data Protection as a Service, which dramatically reduces the per-application development effort required to offer data protection, while still allowing rapid development and maintenance. VL - 45 SN - 0018-9162 CP - 1 ER - TY - CONF T1 - The Provenance of WINE T2 - Dependable Computing Conference (EDCC), 2012 Ninth European Y1 - 2012 A1 - Tudor Dumitras A1 - Efstathopoulos, P. KW - Benchmark testing KW - CYBER SECURITY KW - cyber security experiments KW - data attacks KW - data collection KW - dependability benchmarking KW - distributed databases KW - distributed sensors KW - experimental research KW - field data KW - information quality KW - MALWARE KW - Pipelines KW - provenance KW - provenance information KW - raw data sharing KW - research groups KW - security of data KW - self-documenting experimental process KW - sensor fusion KW - software KW - variable standards KW - WINE KW - WINE benchmark AB - The results of cyber security experiments are often impossible to reproduce, owing to the lack of adequate descriptions of the data collection and experimental processes. Such provenance information is difficult to record consistently when collecting data from distributed sensors and when sharing raw data among research groups with variable standards for documenting the steps that produce the final experimental result. In the WINE benchmark, which provides field data for cyber security experiments, we aim to make the experimental process self-documenting. The data collected includes provenance information – such as when, where and how an attack was first observed or detected – and allows researchers to gauge information quality. Experiments are conducted on a common test bed, which provides tools for recording each procedural step. The ability to understand the provenance of research results enables rigorous cyber security experiments, conducted at scale. JA - Dependable Computing Conference (EDCC), 2012 Ninth European ER - TY - CONF T1 - Characterizing Attackers and Attacks: An Empirical Study Y1 - 2011 A1 - Salles-Loustau,G. A1 - Berthier,R. A1 - Collange,E. A1 - Sobesto,B. A1 - Michel Cukier KW - attack sessions KW - attacker characterization KW - attacker skill measurement KW - honey net infrastructure KW - honey pot configurations KW - IP address KW - keystroke profile analysis KW - opportunity target KW - rogue software exploitation KW - security of data KW - SSH-based authentication proxy AB - This paper describes an empirical research study to characterize attackers and attacks against targets of opportunity. A honey net infrastructure was built and deployed over 167 days that leveraged three different honey pot configurations and a SSH-based authentication proxy to attract and follow attackers over several weeks. A total of 211 attack sessions were recorded and evidence was collected at each stage of the attack sequence: from discovery to intrusion and exploitation of rogue software. This study makes two important contributions: 1) we introduce a new approach to measure attacker skills, and 2) we leverage keystroke profile analysis to differentiate attackers beyond their IP address of origin. M3 - 10.1109/PRDC.2011.29 ER - TY - CONF T1 - Dynamic Enforcement of Knowledge-Based Security Policies T2 - Computer Security Foundations Symposium (CSF), 2011 IEEE 24th Y1 - 2011 A1 - Mardziel,P. A1 - Magill,S. A1 - Hicks, Michael W. A1 - Srivatsa,M. KW - abstract interpretation KW - belief networks KW - belief tracking KW - Data models KW - dynamic enforcement KW - Facebook KW - information flow KW - knowledge based systems KW - knowledge-based security KW - knowledge-based security policy KW - privacy KW - probabilistic computation KW - probabilistic logic KW - probabilistic polyhedral domain KW - probabilistic polyhedron KW - probability KW - query analysis KW - Security KW - security of data KW - semantics KW - Waste materials AB - This paper explores the idea of knowledge-based security policies, which are used to decide whether to answer queries over secret data based on an estimation of the querier's (possibly increased) knowledge given the results. Limiting knowledge is the goal of existing information release policies that employ mechanisms such as noising, anonymization, and redaction. Knowledge-based policies are more general: they increase flexibility by not fixing the means to restrict information flow. We enforce a knowledge-based policy by explicitly tracking a model of a querier's belief about secret data, represented as a probability distribution, and denying any query that could increase knowledge above a given threshold. We implement query analysis and belief tracking via abstract interpretation using a novel probabilistic polyhedral domain, whose design permits trading off precision with performance while ensuring estimates of a querier's knowledge are sound. Experiments with our implementation show that several useful queries can be handled efficiently, and performance scales far better than would more standard implementations of probabilistic computation based on sampling. JA - Computer Security Foundations Symposium (CSF), 2011 IEEE 24th PB - IEEE SN - 978-1-61284-644-6 M3 - 10.1109/CSF.2011.15 ER - TY - CONF T1 - Predicting Trust and Distrust in Social Networks T2 - Privacy, Security, Risk and Trust (PASSAT), 2011 IEEE Third International Conference on and 2011 IEEE Third International Confernece on Social Computing (SocialCom) Y1 - 2011 A1 - DuBois,T. A1 - Golbeck,J. A1 - Srinivasan, Aravind KW - distrust prediction KW - Electronic publishing KW - Encyclopedias KW - graph theory KW - inference algorithm KW - Inference algorithms KW - inference mechanisms KW - Internet KW - negative trust KW - online social networks KW - positive trust KW - Prediction algorithms KW - probability KW - random graphs KW - security of data KW - social media KW - social networking (online) KW - spring-embedding algorithm KW - Training KW - trust inference KW - trust probabilistic interpretation KW - user behavior KW - user satisfaction KW - user-generated content KW - user-generated interactions AB - As user-generated content and interactions have overtaken the web as the default mode of use, questions of whom and what to trust have become increasingly important. Fortunately, online social networks and social media have made it easy for users to indicate whom they trust and whom they do not. However, this does not solve the problem since each user is only likely to know a tiny fraction of other users, we must have methods for inferring trust - and distrust - between users who do not know one another. In this paper, we present a new method for computing both trust and distrust (i.e., positive and negative trust). We do this by combining an inference algorithm that relies on a probabilistic interpretation of trust based on random graphs with a modified spring-embedding algorithm. Our algorithm correctly classifies hidden trust edges as positive or negative with high accuracy. These results are useful in a wide range of social web applications where trust is important to user behavior and satisfaction. JA - Privacy, Security, Risk and Trust (PASSAT), 2011 IEEE Third International Conference on and 2011 IEEE Third International Confernece on Social Computing (SocialCom) PB - IEEE SN - 978-1-4577-1931-8 M3 - 10.1109/PASSAT/SocialCom.2011.56 ER - TY - CONF T1 - Sectored Random Projections for Cancelable Iris Biometrics T2 - 2010 IEEE International Conference on Acoustics Speech and Signal Processing (ICASSP) Y1 - 2010 A1 - Pillai,J.K. A1 - Patel, Vishal M. A1 - Chellapa, Rama A1 - Ratha,N. K KW - biometric pattern KW - Biometrics KW - Cancelable Biometrics KW - cancelable iris biometrics KW - data mining KW - data privacy KW - Degradation KW - Eyelashes KW - Eyelids KW - Iris KW - iris recognition KW - pattern recognition KW - privacy KW - random processes KW - Random Projections KW - Robustness KW - sectored random projection KW - Secure Biometrics KW - Security KW - security of data AB - Privacy and security are essential requirements in practical biometric systems. In order to prevent the theft of biometric patterns, it is desired to modify them through revocable and non invertible transformations called Cancelable Biometrics. In this paper, we propose an efficient algorithm for generating a Cancelable Iris Biometric based on Sectored Random Projections. Our algorithm can generate a new pattern if the existing one is stolen, retain the original recognition performance and prevent extraction of useful information from the transformed patterns. Our method also addresses some of the drawbacks of existing techniques and is robust to degradations due to eyelids and eyelashes. JA - 2010 IEEE International Conference on Acoustics Speech and Signal Processing (ICASSP) PB - IEEE SN - 978-1-4244-4295-9 M3 - 10.1109/ICASSP.2010.5495383 ER - TY - CONF T1 - Analyzing the process of installing rogue software Y1 - 2009 A1 - Berthier,R. A1 - Arjona,J. A1 - Michel Cukier KW - Linux KW - Linux target computers KW - malicious actions KW - rogue software installation KW - security of data AB - This practical experience report presents the results of an experiment aimed at understanding the sequence of malicious actions following a remote compromise. The type of rogue software installed during attacks was used to classify and understand sequences of malicious actions. For this experiment, we used four Linux target computers running SSH with simple passwords. During the eight-month data collection period, we recorded a total of 1,171 attack sessions. In these sessions, attackers typed a total of 20,335 commands that we categorized into 24 specific actions. These actions were analyzed based on the type of rogue software installed by attackers. M3 - 10.1109/DSN.2009.5270293 ER - TY - JOUR T1 - Prioritizing Vulnerability Remediation by Determining Attacker-Targeted Vulnerabilities JF - Security Privacy, IEEE Y1 - 2009 A1 - Michel Cukier A1 - Panjwani,S. KW - attacker-targeted vulnerabilities KW - intrusion detection KW - malicious connections KW - security of data KW - vulnerability remediation KW - Windows service pack AB - This article attempts to empirically analyze which vulnerabilities attackers tend to target in order to prioritize vulnerability remediation. This analysis focuses on the link between malicious connections and vulnerabilities, where each connection is considered malicious. Attacks requiring multiple connections are counted as multiple attacks. As the number of connections increases, so does the cost of recovering from the intrusion. The authors deployed four honey pots for four months, each running a different Windows service pack with its associated set of vulnerabilities. They then performed three empirical analyses to determine the relationship between the number of malicious connections and the total number of vulnerabilities, the number of malicious connections and the number of the vulnerabilities for different services, and the number of known successful attacks and the number of vulnerabilities for different services. VL - 7 SN - 1540-7993 CP - 1 M3 - 10.1109/MSP.2009.13 ER - TY - CONF T1 - Analysis of Computer Security Incident Data Using Time Series Models Y1 - 2008 A1 - Condon,E. A1 - He,A. A1 - Michel Cukier KW - Computer networks KW - computer security incident data KW - NETWORK SECURITY KW - resource allocation KW - security of data KW - telecommunication security KW - time series KW - time series model AB - Organizations face increasing challenges in addressing and preventing computer and network security incidents. There are financial consequences from security incidents. These include lost time and resources used during recovery, possible theft of personal and/or proprietary information, and reputational damage that may negatively impact stock prices or reduce consumer confidence in a company. Being able to understand and predict trends in computer and network security incidents can aid an organization with resource allocation for prevention of such incidents, as well as evaluation of mitigation strategies. We look at using time series models with a large set of security incident data. We examine appropriateness of the data for modeling and consider needed transformations. Parameter search and model selection criteria are discussed. Then, forecasts from time series models are compared to forecasts from Non-Homogeneous Poisson Process (NHPP) software reliability growth (SRG) models. M3 - 10.1109/ISSRE.2008.39 ER - TY - CONF T1 - On the Comparison of Network Attack Datasets: An Empirical Analysis Y1 - 2008 A1 - Berthier,R. A1 - Korman,D. A1 - Michel Cukier A1 - Hiltunen,M. A1 - Vesonder,G. A1 - Sheleheda,D. KW - ATLAS KW - distributed network telescope KW - Internet KW - intrusion detection systems KW - network attack datasets KW - network malicious activity KW - network security operators KW - security of data AB - Network malicious activity can be collected and reported by various sources using different attack detection solutions. The granularity of these solutions provides either very detailed information (intrusion detection systems, honeypots) or high-level trends (CAIDA, SANS). The problem for network security operators is often to select the sources of information to better protect their network. How much information from these sources is redundant and how much is unique? The goal of this paper is to show empirically that while some global attack events can be correlated across various sensors, the majority of incoming malicious activity has local specificities. This study presents a comparative analysis of four different attack datasets offering three different levels of granularity: 1) two high interaction honeynets deployed at two different locations (i.e., a corporate and an academic environment); 2) ATLAS which is a distributed network telescope from Arbor; and 3) Internet Protecttrade which is a global alerting service from AT amp;T. M3 - 10.1109/HASE.2008.50 ER - TY - CONF T1 - Fable: A Language for Enforcing User-defined Security Policies T2 - IEEE Symposium on Security and Privacy, 2008. SP 2008 Y1 - 2008 A1 - Swamy,N. A1 - Corcoran,B.J. A1 - Hicks, Michael W. KW - Access control KW - Automata KW - Collaborative work KW - Communication system security KW - Computer languages KW - computer security KW - Data security KW - enforcement policy KW - FABLE KW - Government KW - high-level security goals KW - information flow KW - Information security KW - Language-based security KW - programming languages KW - Programming profession KW - provenance KW - security automata KW - security labels KW - security of data KW - user-defined security policies KW - verified enforcement KW - Web programming language AB - This paper presents FABLE, a core formalism for a programming language in which programmers may specify security policies and reason that these policies are properly enforced. In FABLE, security policies can be expressed by associating security labels with the data or actions they protect. Programmers define the semantics of labels in a separate part of the program called the enforcement policy. FABLE prevents a policy from being circumvented by allowing labeled terms to be manipulated only within the enforcement policy; application code must treat labeled values abstractly. Together, these features facilitate straightforward proofs that programs implementing a particular policy achieve their high-level security goals. FABLE is flexible enough to implement a wide variety of security policies, including access control, information flow, provenance, and security automata. We have implemented FABLE as part of the LINKS web programming language; we call the resulting language SELlNKS. We report on our experience using SELlNKS to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. To our knowledge, no existing framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance. JA - IEEE Symposium on Security and Privacy, 2008. SP 2008 PB - IEEE SN - 978-0-7695-3168-7 M3 - 10.1109/SP.2008.29 ER - TY - CONF T1 - On the Use of Security Metrics Based on Intrusion Prevention System Event Data: An Empirical Analysis Y1 - 2008 A1 - Chrun,D. A1 - Michel Cukier A1 - Sneeringer,G. KW - empirical analysis KW - Internet KW - Internet attack group KW - intrusion prevention system event data KW - network traffic monitoring KW - organization security metrics KW - security of data AB - With the increasing number of attacks on the Internet, a primary concern for organizations is the protection of their network. To do so, organizations install security devices such as intrusion prevention systems to monitor network traffic. However, data that are collected by these devices are often imperfect. The contribution of this paper is to try to define some practical metrics based on imperfect data collected by an intrusion prevention system. Since attacks greatly differ, we propose to group the attacks into several attack type groups. We then define a set of metrics for each attack type group. We introduce an approach that consists in analyzing the evolution of these metrics per attack type group by focusing on outliers in order to give an insight into an organizationpsilas security. The method is assessed for an organization of about 40,000 computers. The results were encouraging: outliers could be related to security issues that, in some cases, had not been previously flagged. M3 - 10.1109/HASE.2008.52 ER - TY - CONF T1 - Applying Software Reliability Models on Security Incidents Y1 - 2007 A1 - Condon,E. A1 - Michel Cukier A1 - He,Tao KW - computer security incidents KW - consumer confidence KW - data theft KW - network security incidents KW - nonhomogenous Poisson process KW - reliability growth process KW - reputational damage KW - security of data KW - software reliability KW - stock prices AB - Computer and network security incidents have increasing financial consequences as demand for network accessibility and connectivity to resources continues to rise. These security incidents can lead to direct financial losses either through data theft of personal and/or proprietary information as well as a reputational damage which may negatively impact stock prices or consumer confidence in a company. This paper examines a large set of security incident data using tools from the software reliability community. We look at applying Non-Homogenous Poisson Process (NHPP) models as a method for describing the reliability growth process. We examine the full set of incidents as well as subsets of the data based on incident types. We look at using the Laplace test to guide selection of the appropriate models. Then, based on the trend results, we apply various NHPP models (i.e., Goel-Okumutu, S-Shaped, Duane, and K-Stage Curve) to illustrate the relevance of using these models to fit the incident data and to predict future incidents. M3 - 10.1109/ISSRE.2007.29 ER - TY - CONF T1 - A Comparison between Internal and External Malicious Traffic Y1 - 2007 A1 - Michel Cukier A1 - Panjwani,S. KW - Computer networks KW - Data analysis KW - external traffic KW - honeypot target computers KW - internal traffic KW - malicious traffic data KW - security of data KW - user activity profile AB - This paper empirically compares malicious traffic originating inside an organization (i.e., internal traffic) with malicious traffic originating outside an organization (i.e., external traffic). Two honeypot target computers were deployed to collect malicious traffic data over a period of fifteen weeks. In the first study we showed that there was a weak correlation between internal and external traffic based on the number of malicious connections. Since the type of malicious activity is linked to the port that was targeted, we focused on the most frequently targeted ports. We observed that internal malicious traffic often contained different malicious content compared to that of external traffic. In the third study, we discovered that the volume of malicious traffic was linked to the day of the week. We showed that internal and external malicious activities differ: where the external malicious activity is quite stable over the week, the internal traffic varied as a function of the users' activity profile. M3 - 10.1109/ISSRE.2007.32 ER - TY - CONF T1 - An empirical study of filesystem activity following a SSH compromise Y1 - 2007 A1 - Molina,J. A1 - Gordon,J. A1 - Chorin,X. A1 - Michel Cukier KW - attack activity KW - filesystem activity KW - filesystem data monitoring KW - intrusion detection systems evaluation KW - meta data KW - metadata KW - security of data KW - SSH compromised attacks AB - Monitoring filesystem data is a common method used to detect attacks. Once a computer is compromised, attackers will likely alter files, add new files or delete existing files. The changes that attackers make may target any part of the filesystem, including metadata along with files (e.g., permissions, ownerships and inodes). In this paper, we describe an empirical study that focused on SSH compromised attacks. First statistical data on the number of files targeted and the associated activity (e.g., read, write, delete, ownership and rights) is reported. Then, we refine the analysis to identify and understand patterns in the attack activity. M3 - 10.1109/ICICS.2007.4449675 ER - TY - CONF T1 - Profiling Attacker Behavior Following SSH Compromises Y1 - 2007 A1 - Ramsbrock,D. A1 - Berthier,R. A1 - Michel Cukier KW - Linux KW - Linux honeypot computers KW - profiling attacker behavior KW - remote compromise KW - rogue code KW - security of data KW - SSH compromises KW - system configuration AB - This practical experience report presents the results of an experiment aimed at building a profile of attacker behavior following a remote compromise. For this experiment, we utilized four Linux honeypot computers running SSH with easily guessable passwords. During the course of our research, we also determined the most commonly attempted usernames and passwords, the average number of attempted logins per day, and the ratio of failed to successful attempts. To build a profile of attacker behavior, we looked for specific actions taken by the attacker and the order in which they occurred. These actions were: checking the configuration, changing the password, downloading a file, installing/running rogue code, and changing the system configuration. M3 - 10.1109/DSN.2007.76 ER - TY - CONF T1 - Managing policy updates in security-typed languages T2 - 19th IEEE Computer Security Foundations Workshop, 2006 Y1 - 2006 A1 - Swamy,N. A1 - Hicks, Michael W. A1 - Tse,S. A1 - Zdancewic,S. KW - Access control KW - Computer languages KW - Data security KW - Database systems KW - dynamic queries KW - dynamic semantics KW - Educational institutions KW - high level languages KW - Information security KW - information-flow policy management KW - Lattices KW - Network servers KW - Operating systems KW - policy update management KW - Robustness KW - role-based security policies KW - RT role-based trust-management framework KW - Rx security-typed programming language KW - security of data KW - statically verified transactions KW - transitive flows AB - This paper presents Rx, a new security-typed programming language with features intended to make the management of information-flow policies more practical. Security labels in Rx, in contrast to prior approaches, are defined in terms of owned roles, as found in the RT role-based trust-management framework. Role-based security policies allow flexible delegation, and our language Rx provides constructs through which programs can robustly update policies and react to policy updates dynamically. Our dynamic semantics use statically verified transactions to eliminate illegal information flows across updates, which we call transitive flows. Because policy updates can be observed through dynamic queries, policy updates can potentially reveal sensitive information. As such, Rx considers policy statements themselves to be potentially confidential information and subject to information-flow metapolicies JA - 19th IEEE Computer Security Foundations Workshop, 2006 PB - IEEE SN - 0-7695-2615-2 M3 - 10.1109/CSFW.2006.17 ER - TY - CONF T1 - Modeling the Symptomatic Fixes Archetype in Enterprise Computer Security Y1 - 2006 A1 - Rosenfeld,S. N. A1 - Rus,I. A1 - Michel Cukier KW - business data processing KW - decision making KW - decision-making KW - enterprise computer security KW - human factors KW - security of data KW - security-risk mitigation KW - symptomatic fixes archetype modeling KW - system dynamics model KW - system modeling AB - To support decision-making for security-risk mitigation and the appropriate selection of security countermeasures, we propose a system dynamics model of the security aspects of an enterprise system. We developed such an executable model, incorporating the concept of archetypes. We present here one archetype for computer security, namely symptomatic fixes (or shifting the burden). Using simulation, we show one instance of how this archetype can be used for recognizing and diagnosing typical situations, as well as for fixing problems. The global effects of changes and behavioral trends are examined, and other instances of symptomatic fixes in security are described as well VL - 1 M3 - 10.1109/COMPSAC.2006.62 ER - TY - CONF T1 - A Software Architectural Approach to Security by Design T2 - Computer Software and Applications Conference, 2006. COMPSAC '06. 30th Annual International Y1 - 2006 A1 - Ray,A. A1 - Cleaveland, Rance KW - architecture description notation KW - Clocks KW - communication semantics KW - Computer architecture KW - computer crime KW - computer security KW - Connectors KW - Costs KW - Degradation KW - Delay KW - Educational institutions KW - security design KW - security of data KW - Software architecture KW - software engineering AB - This paper shows how an architecture description notation that has support for timed events can be used to provide a meta-language for specifying exact communication semantics. The advantages of such an approach is that a designer is made fully aware of the ramifications of her design choices so that an attacker can no longer take advantage of hidden assumptions JA - Computer Software and Applications Conference, 2006. COMPSAC '06. 30th Annual International PB - IEEE VL - 2 SN - 0-7695-2655-1 M3 - 10.1109/COMPSAC.2006.102 ER - TY - JOUR T1 - Wireless Network Security and Interworking JF - Proceedings of the IEEE Y1 - 2006 A1 - Shin,M. A1 - Ma,J. A1 - Mishra,A. A1 - Arbaugh, William A. KW - 3G mobile communication KW - 3G systems KW - Authentication KW - Bandwidth KW - Communication system security KW - computer network security KW - computer security KW - Data security KW - internetworking KW - Land mobile radio cellular systems KW - Paper technology KW - security architectures KW - security of data KW - telecommunication security KW - wireless communication KW - wireless communications KW - Wireless LAN KW - wireless network security KW - Wireless networks KW - wireless technologies KW - WLAN systems AB - A variety of wireless technologies have been standardized and commercialized, but no single technology is considered the best because of different coverage and bandwidth limitations. Thus, interworking between heterogeneous wireless networks is extremely important for ubiquitous and high-performance wireless communications. Security in interworking is a major challenge due to the vastly different security architectures used within each network. The goal of this paper is twofold. First, we provide a comprehensive discussion of security problems and current technologies in 3G and WLAN systems. Second, we provide introductory discussions about the security problems in interworking, the state-of-the-art solutions, and open problems. VL - 94 SN - 0018-9219 CP - 2 M3 - 10.1109/JPROC.2005.862322 ER - TY - CONF T1 - Automated checking for Windows host vulnerabilities Y1 - 2005 A1 - Tamizi,M. A1 - Weinstein,M. A1 - Michel Cukier KW - application vulnerabilities KW - computing system security KW - Ferret-Windows software tool KW - host vulnerabilities KW - network vulnerabilities KW - open-source software KW - operating systems (computers) KW - plug-in module KW - program diagnostics KW - security of data KW - software reliability KW - software tools KW - system attacks KW - Windows host vulnerability checking KW - Windows platforms AB - Evaluation of computing system security requires knowledge of the vulnerabilities present in the system and of potential attacks against the system. Vulnerabilities can be classified based on their location as application vulnerabilities, network vulnerabilities, or host vulnerabilities. This paper describes Ferret-Windows, a new software tool for checking host vulnerabilities on the Windows platforms. This tool helps system administrators by quickly finding vulnerabilities that are present on a host. It is designed and implemented in a modular way: a plug-in module is used for each vulnerability checked, and each possible output format is specified by a plug-in module. Moreover, several vulnerability fixing plug-in modules exist to help users remove specific vulnerabilities. As a result, Ferret-Windows is extensible, and can easily be kept up-to-date through the addition of checks for new vulnerabilities as they are identified. Finally, Ferret-Windows is a freely available open-source software M3 - 10.1109/ISSRE.2005.11 ER - TY - CONF T1 - Ferret: a host vulnerability checking tool Y1 - 2004 A1 - Sharma,Anil A1 - Martin,J.R. A1 - Anand,N. A1 - Michel Cukier A1 - Sanders,W. H. KW - Ferret software tool KW - host vulnerability checking tool KW - open-source software KW - Perl KW - plug-in module KW - program verification KW - security auditing tool KW - security evaluation KW - security of data KW - software tools AB - Evaluation of computing system security requires knowledge of the vulnerabilities present in the system and of potential attacks against the system. Vulnerabilities can be classified based on their location as application vulnerabilities, network vulnerabilities, or host vulnerabilities. We describe Ferret, a new software tool for checking host vulnerabilities. Ferret helps system administrators by quickly finding vulnerabilities that are present on a host. It is designed and implemented in a modular way: a different plug-in module is used for each vulnerability checked, and each possible output format is specified by a plug-in module. As a result, Ferret is extensible, and can easily be kept up-to-date through addition of checks for new vulnerabilities as they are discovered; the modular approach also makes it easy to provide specific configurations of Ferret tailored to specific operating systems or use environments. Ferret is a freely available open-source software implemented in Perl. M3 - 10.1109/PRDC.2004.1276595 ER - TY - JOUR T1 - The dangers of mitigating security design flaws: a wireless case study JF - IEEE Security & Privacy Y1 - 2003 A1 - Petroni,N. L. A1 - Arbaugh, William A. KW - Communication system security KW - computer security KW - cryptography KW - design flaw mitigation KW - Dictionaries KW - legacy equipment KW - privacy KW - Protection KW - Protocols KW - security design flaws KW - security of data KW - synchronous active attack KW - telecommunication security KW - Telecommunication traffic KW - wired equivalent privacy protocol KW - Wireless LAN KW - wireless local area networks KW - Wireless networks AB - Mitigating design flaws often provides the only means to protect legacy equipment, particularly in wireless local area networks. A synchronous active attack against the wired equivalent privacy protocol demonstrates how mitigating one flaw or attack can facilitate another. VL - 1 SN - 1540-7993 CP - 1 M3 - 10.1109/MSECP.2003.1176993 ER - TY - JOUR T1 - A secure PLAN JF - IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews Y1 - 2003 A1 - Hicks, Michael W. A1 - Keromytis,A. D A1 - Smith,J. M KW - active networks KW - active-network firewall KW - Authentication KW - Authorization KW - Contracts KW - cryptography KW - Environmental management KW - Extraterrestrial measurements KW - functionally restricted packet language KW - general-purpose service routines KW - Internet KW - latency overhead KW - namespace-based security KW - packet switching KW - PLANet KW - Planets KW - privilege level KW - programmable networks KW - Safety KW - safety risks KW - secure PLAN KW - security of data KW - security risks KW - trust management KW - two-level architecture KW - virtual private network KW - Virtual private networks KW - Web and internet services AB - Active networks, being programmable, promise greater flexibility than current networks. Programmability, however, may introduce safety and security risks. This correspondence describes the design and implementation of a security architecture for the active network PLANet. Security is obtained with a two-level architecture that combines a functionally restricted packet language, PLAN, with an environment of general-purpose service routines governed by trust management. In particular, a technique is used which expands or contracts a packet's service environment based on its level of privilege, termed namespace-based security. The design and implementation of an active-network firewall and virtual private network is used as an application of the security architecture. Measurements of the system show that the addition of the firewall imposes an approximately 34% latency overhead and as little as a 6.7% space overhead to incoming packets. VL - 33 SN - 1094-6977 CP - 3 M3 - 10.1109/TSMCC.2003.817347 ER - TY - CONF T1 - P5 : a protocol for scalable anonymous communication T2 - 2002 IEEE Symposium on Security and Privacy, 2002. Proceedings Y1 - 2002 A1 - Sherwood,R. A1 - Bhattacharjee, Bobby A1 - Srinivasan, Aravind KW - Broadcasting KW - communication efficiency KW - Computer science KW - cryptography KW - data privacy KW - Educational institutions KW - Internet KW - large anonymous groups KW - P5 protocol KW - packet-level simulations KW - Particle measurements KW - Peer to peer computing KW - peer-to-peer personal privacy protocol KW - privacy KW - Protocols KW - receiver anonymity KW - scalable anonymous communication KW - security of data KW - sender anonymity KW - sender-receiver anonymity KW - Size measurement KW - telecommunication security AB - We present a protocol for anonymous communication over the Internet. Our protocol, called P5 (peer-to-peer personal privacy protocol) provides sender-, receiver-, and sender-receiver anonymity. P5 is designed to be implemented over current Internet protocols, and does not require any special infrastructure support. A novel feature of P5 is that it allows individual participants to trade-off degree of anonymity for communication efficiency, and hence can be used to scalably implement large anonymous groups. We present a description of P5, an analysis of its anonymity and communication efficiency, and evaluate its performance using detailed packet-level simulations. JA - 2002 IEEE Symposium on Security and Privacy, 2002. Proceedings PB - IEEE SN - 0-7695-1543-6 M3 - 10.1109/SECPRI.2002.1004362 ER - TY - CONF T1 - Quantifying the cost of providing intrusion tolerance in group communication systems Y1 - 2002 A1 - Ramasamy,H. V. A1 - Pandey,P. A1 - Lyons,J. A1 - Michel Cukier A1 - Sanders,W. H. KW - consistent group membership KW - crash-fault-tolerant group communication system KW - cryptography KW - finite state machines KW - groupware KW - intrusion-tolerant microprotocols KW - malicious intrusions KW - multicast communication KW - reliable ordered multicast properties KW - security of data KW - Transport protocols AB - Group communication systems that provide consistent group membership and reliable, ordered multicast properties in the presence of faults resulting from malicious intrusions have not been analyzed extensively to quantify the cost of tolerating these intrusions. This paper attempts to quantify this cost by presenting results from an experimental evaluation of three new intrusion-tolerant microprotocols that have been added to an existing crash-fault-tolerant group communication system. The results are analyzed to identify the parts that contribute the most overhead during provision of intrusion tolerance at the group communication system level. M3 - 10.1109/DSN.2002.1028904 ER - TY - CONF T1 - A trend analysis of exploitations T2 - 2001 IEEE Symposium on Security and Privacy, 2001. S&P 2001. Proceedings Y1 - 2001 A1 - Browne,H. K A1 - Arbaugh, William A. A1 - McHugh,J. A1 - Fithen,W. L KW - Computer science KW - computer security exploits KW - Data analysis KW - data mining KW - Educational institutions KW - exploitations KW - Performance analysis KW - Predictive models KW - Regression analysis KW - Risk management KW - security of data KW - software engineering KW - system intrusions KW - System software KW - trend analysis KW - vulnerabilities KW - vulnerability exploitation AB - We have conducted an empirical study of a number of computer security exploits and determined that the rates at which incidents involving the exploit are reported to CERT can be modeled using a common mathematical framework. Data associated with three significant exploits involving vulnerabilities in phf, imap, and bind can all be modeled using the formula C=I+S×√M where C is the cumulative count of reported incidents, M is the time since the start of the exploit cycle, and I and S are the regression coefficients determined by analysis of the incident report data. Further analysis of two additional exploits involving vulnerabilities in mountd and statd confirm the model. We believe that the models will aid in predicting the severity of subsequent vulnerability exploitations, based on the rate of early incident reports JA - 2001 IEEE Symposium on Security and Privacy, 2001. S&P 2001. Proceedings PB - IEEE SN - 0-7695-1046-9 M3 - 10.1109/SECPRI.2001.924300 ER - TY - JOUR T1 - Safety and security of programmable network infrastructures JF - IEEE Communications Magazine Y1 - 1998 A1 - Alexander,S. A1 - Arbaugh, William A. A1 - Keromytis,A. D A1 - Smith,J. M KW - Access control KW - error protection KW - IP networks KW - Multicast protocols KW - network architecture KW - network operating systems KW - network service model KW - operating system KW - Power system dynamics KW - Power system modeling KW - Power system reliability KW - programmable languages KW - programmable network infrastructures KW - programming languages KW - Proposals KW - Protection KW - reliability properties KW - Safety KW - Secure Active Network Environment KW - Security KW - security of data KW - service creation KW - service providers KW - Switches KW - telecommunication computing KW - telecommunication network reliability KW - Web and internet services AB - Safety and security are two reliability properties of a system. A “safe” system provides protection against errors of trusted users, while a “secure” system protects against errors introduced by untrusted users. There is considerable overlap between mechanisms to support each property. Requirements for rapid service creation have stimulated the development of programmable network infrastructures, where end users or service providers can customize the properties of a network infrastructure while it continues to operate. A central concern of potential users of such systems is their reliability and, most specifically, their safety and security. In this article we explain the impact the network service model and architecture have on safety and security, and provide a model with which policies can be translated into restrictions of a general system. We illustrate these ideas with the Secure Active Network Environment (SANE) architecture, which provides a means of controlling access to the functions provided by any programmable infrastructure VL - 36 SN - 0163-6804 CP - 10 M3 - 10.1109/35.722141 ER - TY - JOUR T1 - A secure active network environment architecture: realization in SwitchWare JF - IEEE Network Y1 - 1998 A1 - Alexander,D. S A1 - Arbaugh, William A. A1 - Keromytis,A. D A1 - Smith,J. M KW - access protocols KW - AEGIS secure bootstrap architecture KW - architecture KW - Authentication KW - Collaboration KW - Communication switching KW - dynamic integrity checks KW - extended LAN KW - Functional programming KW - implementation KW - integrity KW - Intelligent networks KW - IP networks KW - Local area networks KW - network infrastructure KW - network infrastructures KW - network operating systems KW - network-level solutions KW - node KW - node-to-node authentication KW - packet switching KW - Proposals KW - ramming system KW - SANE KW - secure active network environment architecture KW - security of data KW - Switches KW - SwitchWare KW - trusted state KW - Web and internet services AB - An active network is a network infrastructure which is programmable on a per-user or even per-packet basis. Increasing the flexibility of such network infrastructures invites new security risks. Coping with these security risks represents the most fundamental contribution of active network research. The security concerns can be divided into those which affect the network as a whole and those which affect individual elements. It is clear that the element problems must be solved first, since the integrity of network-level solutions will be based on trust in the network elements. In this article we describe the architecture and implementation of a secure active network environment (SANE), which we believe provides a basis for implementing secure network-level solutions. We guarantee that a node begins operation in a trusted state with the AEGIS secure bootstrap architecture. We guarantee that the system remains in a trusted state by applying dynamic integrity checks in the network element's runtime system, using a novel naming system, and applying node-to-node authentication when needed. The construction of an extended LAN is discussed VL - 12 SN - 0890-8044 CP - 3 M3 - 10.1109/65.690960 ER - TY - JOUR T1 - Security for virtual private intranets JF - Computer Y1 - 1998 A1 - Arbaugh, William A. A1 - Davin,J. R A1 - Farber,D. J A1 - Smith,J. M KW - businesses KW - Clouds KW - Companies KW - core operating system components KW - cryptography KW - Data security KW - employee homes KW - encryption KW - functional roles KW - hard drive KW - Home computing KW - home working KW - integrity checking KW - Internet KW - Local area networks KW - multiple personalities KW - network authentication KW - network environment KW - operating system modifications KW - Operating systems KW - Roads KW - secure identity based lending KW - security management KW - security of data KW - shared applications KW - SIBL KW - single hardware platform KW - smart cards KW - symmetric algorithm KW - system partition KW - telecommuting KW - Teleworking KW - trust relationship KW - trustworthy system KW - virtual private intranets AB - As telecommuting grows, businesses must consider security when extending their network environment to employees' homes. Researchers at the University of Pennsylvania have addressed the problem with smart cards, operating system modifications, and network authentication. We note the distinction between trust and integrity: trust is determined through the verification of components and the dependencies among them, while integrity demonstrates that components haven't been modified. Thus integrity checking in a trustworthy system is about preserving an established trust or trust relationship. Our solution to the challenge of isolating functional roles that may share a single hardware platform is called secure identity based lending (SIBL). SIBL provides multiple personalities by partitioning the hard drive into n+1 partitions, where n is the number of supported personalities. All personalities use the system partition for core operating system components and shared applications. Each of the personalities is also associated with one of the remaining partitions, which are encrypted using a symmetric algorithm VL - 31 SN - 0018-9162 CP - 9 M3 - 10.1109/2.708450 ER - TY - CONF T1 - A secure and reliable bootstrap architecture T2 - , 1997 IEEE Symposium on Security and Privacy, 1997. Proceedings Y1 - 1997 A1 - Arbaugh, William A. A1 - Farber,D. J A1 - Smith,J. M KW - active networks KW - AEGIS architecture KW - bootstrap architecture KW - Computer architecture KW - computer bootstrapping KW - data integrity KW - Distributed computing KW - Hardware KW - hardware validity KW - initialization KW - integrity chain KW - integrity check failures KW - Internet KW - Internet commerce KW - IP networks KW - Laboratories KW - lower-layer integrity KW - Microprogramming KW - Operating systems KW - recovery process KW - reliability KW - robust systems KW - Robustness KW - Security KW - security of data KW - software reliability KW - system integrity guarantees KW - system recovery KW - transitions KW - Virtual machining AB - In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, the integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity “chain” inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made, yet these guarantees are increasingly important to diverse applications such as Internet commerce, security systems and “active networks”. In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems JA - , 1997 IEEE Symposium on Security and Privacy, 1997. Proceedings PB - IEEE SN - 0-8186-7828-3 M3 - 10.1109/SECPRI.1997.601317 ER -