%0 Journal Article
%J Computer
%D 2012
%T Cloud Data Protection for the Masses
%A Song,D.
%A Elaine Shi
%A Fischer, I.
%A Shankar,U.
%K Cloud computing
%K cloud data protection
%K cloud platform architecture
%K cloud users
%K Maintenance
%K rapid development
%K security of data
%K strong data protection
%X Offering strong data protection to cloud users while enabling rich applications is a challenging task. Researchers explore a new cloud platform architecture called Data Protection as a Service, which dramatically reduces the per-application development effort required to offer data protection, while still allowing rapid development and maintenance.
%B Computer
%V 45
%P 39 - 45
%8 2012
%@ 0018-9162
%G eng
%N 1

%0 Conference Paper
%B Dependable Computing Conference (EDCC), 2012 Ninth European
%D 2012
%T The Provenance of WINE
%A Tudor Dumitras
%A Efstathopoulos, P.
%K Benchmark testing
%K CYBER SECURITY
%K cyber security experiments
%K data attacks
%K data collection
%K dependability benchmarking
%K distributed databases
%K distributed sensors
%K experimental research
%K field data
%K information quality
%K MALWARE
%K Pipelines
%K provenance
%K provenance information
%K raw data sharing
%K research groups
%K security of data
%K self-documenting experimental process
%K sensor fusion
%K software
%K variable standards
%K WINE
%K WINE benchmark
%X The results of cyber security experiments are often impossible to reproduce, owing to the lack of adequate descriptions of the data collection and experimental processes. Such provenance information is difficult to record consistently when collecting data from distributed sensors and when sharing raw data among research groups with variable standards for documenting the steps that produce the final experimental result. In the WINE benchmark, which provides field data for cyber security experiments, we aim to make the experimental process self-documenting. The data collected includes provenance information – such as when, where and how an attack was first observed or detected – and allows researchers to gauge information quality. Experiments are conducted on a common test bed, which provides tools for recording each procedural step. The ability to understand the provenance of research results enables rigorous cyber security experiments, conducted at scale.
%B Dependable Computing Conference (EDCC), 2012 Ninth European
%P 126 - 131
%8 2012///
%G eng

%0 Conference Paper
%D 2011
%T Characterizing Attackers and Attacks: An Empirical Study
%A Salles-Loustau,G.
%A Berthier,R.
%A Collange,E.
%A Sobesto,B.
%A Michel Cukier
%K attack sessions
%K attacker characterization
%K attacker skill measurement
%K honey net infrastructure
%K honey pot configurations
%K IP address
%K keystroke profile analysis
%K opportunity target
%K rogue software exploitation
%K security of data
%K SSH-based authentication proxy
%X This paper describes an empirical research study to characterize attackers and attacks against targets of opportunity. A honey net infrastructure was built and deployed over 167 days that leveraged three different honey pot configurations and an SSH-based authentication proxy to attract and follow attackers over several weeks. A total of 211 attack sessions were recorded and evidence was collected at each stage of the attack sequence: from discovery to intrusion and exploitation of rogue software. This study makes two important contributions: 1) we introduce a new approach to measure attacker skills, and 2) we leverage keystroke profile analysis to differentiate attackers beyond their IP address of origin.
%P 174 - 183
%8 2011/12//
%G eng
%R 10.1109/PRDC.2011.29

%0 Conference Paper
%B Computer Security Foundations Symposium (CSF), 2011 IEEE 24th
%D 2011
%T Dynamic Enforcement of Knowledge-Based Security Policies
%A Mardziel,P.
%A Magill,S.
%A Hicks, Michael W.
%A Srivatsa,M.
%K abstract interpretation
%K belief networks
%K belief tracking
%K Data models
%K dynamic enforcement
%K Facebook
%K information flow
%K knowledge based systems
%K knowledge-based security
%K knowledge-based security policy
%K privacy
%K probabilistic computation
%K probabilistic logic
%K probabilistic polyhedral domain
%K probabilistic polyhedron
%K probability
%K query analysis
%K Security
%K security of data
%K semantics
%K Waste materials
%X This paper explores the idea of knowledge-based security policies, which are used to decide whether to answer queries over secret data based on an estimation of the querier's (possibly increased) knowledge given the results. Limiting knowledge is the goal of existing information release policies that employ mechanisms such as noising, anonymization, and redaction. Knowledge-based policies are more general: they increase flexibility by not fixing the means to restrict information flow. We enforce a knowledge-based policy by explicitly tracking a model of a querier's belief about secret data, represented as a probability distribution, and denying any query that could increase knowledge above a given threshold. We implement query analysis and belief tracking via abstract interpretation using a novel probabilistic polyhedral domain, whose design permits trading off precision with performance while ensuring estimates of a querier's knowledge are sound. Experiments with our implementation show that several useful queries can be handled efficiently, and performance scales far better than would more standard implementations of probabilistic computation based on sampling.
%B Computer Security Foundations Symposium (CSF), 2011 IEEE 24th
%I IEEE
%P 114 - 128
%8 2011/06/27/29
%@ 978-1-61284-644-6
%G eng
%R 10.1109/CSF.2011.15

%0 Conference Paper
%B Privacy, Security, Risk and Trust (PASSAT), 2011 IEEE Third International Conference on and 2011 IEEE Third International Conference on Social Computing (SocialCom)
%D 2011
%T Predicting Trust and Distrust in Social Networks
%A DuBois,T.
%A Golbeck,J.
%A Srinivasan, Aravind
%K distrust prediction
%K Electronic publishing
%K Encyclopedias
%K graph theory
%K inference algorithm
%K Inference algorithms
%K inference mechanisms
%K Internet
%K negative trust
%K online social networks
%K positive trust
%K Prediction algorithms
%K probability
%K random graphs
%K security of data
%K social media
%K social networking (online)
%K spring-embedding algorithm
%K Training
%K trust inference
%K trust probabilistic interpretation
%K user behavior
%K user satisfaction
%K user-generated content
%K user-generated interactions
%X As user-generated content and interactions have overtaken the web as the default mode of use, questions of whom and what to trust have become increasingly important. Fortunately, online social networks and social media have made it easy for users to indicate whom they trust and whom they do not. However, this does not solve the problem: since each user is likely to know only a tiny fraction of other users, we must have methods for inferring trust - and distrust - between users who do not know one another. In this paper, we present a new method for computing both trust and distrust (i.e., positive and negative trust). We do this by combining an inference algorithm that relies on a probabilistic interpretation of trust based on random graphs with a modified spring-embedding algorithm. Our algorithm correctly classifies hidden trust edges as positive or negative with high accuracy. These results are useful in a wide range of social web applications where trust is important to user behavior and satisfaction.
%B Privacy, Security, Risk and Trust (PASSAT), 2011 IEEE Third International Conference on and 2011 IEEE Third International Conference on Social Computing (SocialCom)
%I IEEE
%P 418 - 424
%8 2011/10/09/11
%@ 978-1-4577-1931-8
%G eng
%R 10.1109/PASSAT/SocialCom.2011.56

%0 Conference Paper
%B 2010 IEEE International Conference on Acoustics Speech and Signal Processing (ICASSP)
%D 2010
%T Sectored Random Projections for Cancelable Iris Biometrics
%A Pillai,J.K.
%A Patel, Vishal M.
%A Chellappa, Rama
%A Ratha,N. K
%K biometric pattern
%K Biometrics
%K Cancelable Biometrics
%K cancelable iris biometrics
%K data mining
%K data privacy
%K Degradation
%K Eyelashes
%K Eyelids
%K Iris
%K iris recognition
%K pattern recognition
%K privacy
%K random processes
%K Random Projections
%K Robustness
%K sectored random projection
%K Secure Biometrics
%K Security
%K security of data
%X Privacy and security are essential requirements in practical biometric systems. In order to prevent the theft of biometric patterns, it is desired to modify them through revocable and non-invertible transformations called Cancelable Biometrics. In this paper, we propose an efficient algorithm for generating a Cancelable Iris Biometric based on Sectored Random Projections. Our algorithm can generate a new pattern if the existing one is stolen, retain the original recognition performance and prevent extraction of useful information from the transformed patterns. Our method also addresses some of the drawbacks of existing techniques and is robust to degradations due to eyelids and eyelashes.
%B 2010 IEEE International Conference on Acoustics Speech and Signal Processing (ICASSP)
%I IEEE
%P 1838 - 1841
%8 2010/03//
%@ 978-1-4244-4295-9
%G eng
%R 10.1109/ICASSP.2010.5495383

%0 Conference Paper
%D 2009
%T Analyzing the process of installing rogue software
%A Berthier,R.
%A Arjona,J.
%A Michel Cukier
%K Linux
%K Linux target computers
%K malicious actions
%K rogue software installation
%K security of data
%X This practical experience report presents the results of an experiment aimed at understanding the sequence of malicious actions following a remote compromise. The type of rogue software installed during attacks was used to classify and understand sequences of malicious actions. For this experiment, we used four Linux target computers running SSH with simple passwords. During the eight-month data collection period, we recorded a total of 1,171 attack sessions. In these sessions, attackers typed a total of 20,335 commands that we categorized into 24 specific actions. These actions were analyzed based on the type of rogue software installed by attackers.
%P 560 - 565
%8 2009/07/29/2
%G eng
%R 10.1109/DSN.2009.5270293

%0 Journal Article
%J Security Privacy, IEEE
%D 2009
%T Prioritizing Vulnerability Remediation by Determining Attacker-Targeted Vulnerabilities
%A Michel Cukier
%A Panjwani,S.
%K attacker-targeted vulnerabilities
%K intrusion detection
%K malicious connections
%K security of data
%K vulnerability remediation
%K Windows service pack
%X This article attempts to empirically analyze which vulnerabilities attackers tend to target in order to prioritize vulnerability remediation. This analysis focuses on the link between malicious connections and vulnerabilities, where each connection is considered malicious. Attacks requiring multiple connections are counted as multiple attacks. As the number of connections increases, so does the cost of recovering from the intrusion. The authors deployed four honey pots for four months, each running a different Windows service pack with its associated set of vulnerabilities. They then performed three empirical analyses to determine the relationship between the number of malicious connections and the total number of vulnerabilities, the number of malicious connections and the number of the vulnerabilities for different services, and the number of known successful attacks and the number of vulnerabilities for different services.
%B Security Privacy, IEEE
%V 7
%P 42 - 48
%8 2009/02//jan
%@ 1540-7993
%G eng
%N 1
%R 10.1109/MSP.2009.13

%0 Conference Paper
%D 2008
%T Analysis of Computer Security Incident Data Using Time Series Models
%A Condon,E.
%A He,A.
%A Michel Cukier
%K Computer networks
%K computer security incident data
%K NETWORK SECURITY
%K resource allocation
%K security of data
%K telecommunication security
%K time series
%K time series model
%X Organizations face increasing challenges in addressing and preventing computer and network security incidents. There are financial consequences from security incidents. These include lost time and resources used during recovery, possible theft of personal and/or proprietary information, and reputational damage that may negatively impact stock prices or reduce consumer confidence in a company. Being able to understand and predict trends in computer and network security incidents can aid an organization with resource allocation for prevention of such incidents, as well as evaluation of mitigation strategies. We look at using time series models with a large set of security incident data. We examine appropriateness of the data for modeling and consider needed transformations. Parameter search and model selection criteria are discussed. Then, forecasts from time series models are compared to forecasts from Non-Homogeneous Poisson Process (NHPP) software reliability growth (SRG) models.
%P 77 - 86
%8 2008/11//
%G eng
%R 10.1109/ISSRE.2008.39

%0 Conference Paper
%D 2008
%T On the Comparison of Network Attack Datasets: An Empirical Analysis
%A Berthier,R.
%A Korman,D.
%A Michel Cukier
%A Hiltunen,M.
%A Vesonder,G.
%A Sheleheda,D.
%K ATLAS
%K distributed network telescope
%K Internet
%K intrusion detection systems
%K network attack datasets
%K network malicious activity
%K network security operators
%K security of data
%X Network malicious activity can be collected and reported by various sources using different attack detection solutions. The granularity of these solutions provides either very detailed information (intrusion detection systems, honeypots) or high-level trends (CAIDA, SANS). The problem for network security operators is often to select the sources of information to better protect their network. How much information from these sources is redundant and how much is unique? The goal of this paper is to show empirically that while some global attack events can be correlated across various sensors, the majority of incoming malicious activity has local specificities. This study presents a comparative analysis of four different attack datasets offering three different levels of granularity: 1) two high interaction honeynets deployed at two different locations (i.e., a corporate and an academic environment); 2) ATLAS, which is a distributed network telescope from Arbor; and 3) Internet Protect™, which is a global alerting service from AT&T.
%P 39 - 48
%8 2008/12//
%G eng
%R 10.1109/HASE.2008.50

%0 Conference Paper
%B IEEE Symposium on Security and Privacy, 2008. SP 2008
%D 2008
%T Fable: A Language for Enforcing User-defined Security Policies
%A Swamy,N.
%A Corcoran,B.J.
%A Hicks, Michael W.
%K Access control
%K Automata
%K Collaborative work
%K Communication system security
%K Computer languages
%K computer security
%K Data security
%K enforcement policy
%K FABLE
%K Government
%K high-level security goals
%K information flow
%K Information security
%K Language-based security
%K programming languages
%K Programming profession
%K provenance
%K security automata
%K security labels
%K security of data
%K user-defined security policies
%K verified enforcement
%K Web programming language
%X This paper presents FABLE, a core formalism for a programming language in which programmers may specify security policies and reason that these policies are properly enforced. In FABLE, security policies can be expressed by associating security labels with the data or actions they protect. Programmers define the semantics of labels in a separate part of the program called the enforcement policy. FABLE prevents a policy from being circumvented by allowing labeled terms to be manipulated only within the enforcement policy; application code must treat labeled values abstractly. Together, these features facilitate straightforward proofs that programs implementing a particular policy achieve their high-level security goals. FABLE is flexible enough to implement a wide variety of security policies, including access control, information flow, provenance, and security automata. We have implemented FABLE as part of the LINKS web programming language; we call the resulting language SELINKS. We report on our experience using SELINKS to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. To our knowledge, no existing framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance.
%B IEEE Symposium on Security and Privacy, 2008. SP 2008
%I IEEE
%P 369 - 383
%8 2008/05/18/22
%@ 978-0-7695-3168-7
%G eng
%R 10.1109/SP.2008.29

%0 Conference Paper
%D 2008
%T On the Use of Security Metrics Based on Intrusion Prevention System Event Data: An Empirical Analysis
%A Chrun,D.
%A Michel Cukier
%A Sneeringer,G.
%K empirical analysis
%K Internet
%K Internet attack group
%K intrusion prevention system event data
%K network traffic monitoring
%K organization security metrics
%K security of data
%X With the increasing number of attacks on the Internet, a primary concern for organizations is the protection of their network. To do so, organizations install security devices such as intrusion prevention systems to monitor network traffic. However, data that are collected by these devices are often imperfect. The contribution of this paper is to try to define some practical metrics based on imperfect data collected by an intrusion prevention system. Since attacks greatly differ, we propose to group the attacks into several attack type groups. We then define a set of metrics for each attack type group. We introduce an approach that consists of analyzing the evolution of these metrics per attack type group by focusing on outliers in order to give an insight into an organization's security. The method is assessed for an organization of about 40,000 computers. The results were encouraging: outliers could be related to security issues that, in some cases, had not been previously flagged.
%P 49 - 58
%8 2008/12//
%G eng
%R 10.1109/HASE.2008.52

%0 Conference Paper
%D 2007
%T Applying Software Reliability Models on Security Incidents
%A Condon,E.
%A Michel Cukier
%A He,Tao
%K computer security incidents
%K consumer confidence
%K data theft
%K network security incidents
%K nonhomogeneous Poisson process
%K reliability growth process
%K reputational damage
%K security of data
%K software reliability
%K stock prices
%X Computer and network security incidents have increasing financial consequences as demand for network accessibility and connectivity to resources continues to rise. These security incidents can lead to direct financial losses either through data theft of personal and/or proprietary information as well as reputational damage which may negatively impact stock prices or consumer confidence in a company. This paper examines a large set of security incident data using tools from the software reliability community. We look at applying Non-Homogeneous Poisson Process (NHPP) models as a method for describing the reliability growth process. We examine the full set of incidents as well as subsets of the data based on incident types. We look at using the Laplace test to guide selection of the appropriate models. Then, based on the trend results, we apply various NHPP models (i.e., Goel-Okumoto, S-Shaped, Duane, and K-Stage Curve) to illustrate the relevance of using these models to fit the incident data and to predict future incidents.
%P 159 - 168
%8 2007/11//
%G eng
%R 10.1109/ISSRE.2007.29

%0 Conference Paper
%D 2007
%T A Comparison between Internal and External Malicious Traffic
%A Michel Cukier
%A Panjwani,S.
%K Computer networks
%K Data analysis
%K external traffic
%K honeypot target computers
%K internal traffic
%K malicious traffic data
%K security of data
%K user activity profile
%X This paper empirically compares malicious traffic originating inside an organization (i.e., internal traffic) with malicious traffic originating outside an organization (i.e., external traffic). Two honeypot target computers were deployed to collect malicious traffic data over a period of fifteen weeks. In the first study we showed that there was a weak correlation between internal and external traffic based on the number of malicious connections. Since the type of malicious activity is linked to the port that was targeted, we focused on the most frequently targeted ports. We observed that internal malicious traffic often contained different malicious content compared to that of external traffic. In the third study, we discovered that the volume of malicious traffic was linked to the day of the week. We showed that internal and external malicious activities differ: where the external malicious activity is quite stable over the week, the internal traffic varied as a function of the users' activity profile.
%P 109 - 114
%8 2007///
%G eng
%R 10.1109/ISSRE.2007.32

%0 Conference Paper
%D 2007
%T An empirical study of filesystem activity following a SSH compromise
%A Molina,J.
%A Gordon,J.
%A Chorin,X.
%A Michel Cukier
%K attack activity
%K filesystem activity
%K filesystem data monitoring
%K intrusion detection systems evaluation
%K meta data
%K metadata
%K security of data
%K SSH compromised attacks
%X Monitoring filesystem data is a common method used to detect attacks. Once a computer is compromised, attackers will likely alter files, add new files or delete existing files. The changes that attackers make may target any part of the filesystem, including metadata along with files (e.g., permissions, ownerships and inodes). In this paper, we describe an empirical study that focused on SSH compromised attacks. First, statistical data on the number of files targeted and the associated activity (e.g., read, write, delete, ownership and rights) is reported. Then, we refine the analysis to identify and understand patterns in the attack activity.
%P 1 - 5
%8 2007/12//
%G eng
%R 10.1109/ICICS.2007.4449675

%0 Conference Paper
%D 2007
%T Profiling Attacker Behavior Following SSH Compromises
%A Ramsbrock,D.
%A Berthier,R.
%A Michel Cukier
%K Linux
%K Linux honeypot computers
%K profiling attacker behavior
%K remote compromise
%K rogue code
%K security of data
%K SSH compromises
%K system configuration
%X This practical experience report presents the results of an experiment aimed at building a profile of attacker behavior following a remote compromise. For this experiment, we utilized four Linux honeypot computers running SSH with easily guessable passwords. During the course of our research, we also determined the most commonly attempted usernames and passwords, the average number of attempted logins per day, and the ratio of failed to successful attempts. To build a profile of attacker behavior, we looked for specific actions taken by the attacker and the order in which they occurred. These actions were: checking the configuration, changing the password, downloading a file, installing/running rogue code, and changing the system configuration.
%P 119 - 124
%8 2007/06//
%G eng
%R 10.1109/DSN.2007.76

%0 Conference Paper
%B 19th IEEE Computer Security Foundations Workshop, 2006
%D 2006
%T Managing policy updates in security-typed languages
%A Swamy,N.
%A Hicks, Michael W.
%A Tse,S.
%A Zdancewic,S.
%K Access control
%K Computer languages
%K Data security
%K Database systems
%K dynamic queries
%K dynamic semantics
%K Educational institutions
%K high level languages
%K Information security
%K information-flow policy management
%K Lattices
%K Network servers
%K Operating systems
%K policy update management
%K Robustness
%K role-based security policies
%K RT role-based trust-management framework
%K Rx security-typed programming language
%K security of data
%K statically verified transactions
%K transitive flows
%X This paper presents Rx, a new security-typed programming language with features intended to make the management of information-flow policies more practical. Security labels in Rx, in contrast to prior approaches, are defined in terms of owned roles, as found in the RT role-based trust-management framework. Role-based security policies allow flexible delegation, and our language Rx provides constructs through which programs can robustly update policies and react to policy updates dynamically. Our dynamic semantics use statically verified transactions to eliminate illegal information flows across updates, which we call transitive flows. Because policy updates can be observed through dynamic queries, policy updates can potentially reveal sensitive information. As such, Rx considers policy statements themselves to be potentially confidential information and subject to information-flow metapolicies.
%B 19th IEEE Computer Security Foundations Workshop, 2006
%I IEEE
%P 13 pp.-216
%8 2006///
%@ 0-7695-2615-2
%G eng
%R 10.1109/CSFW.2006.17

%0 Conference Paper
%D 2006
%T Modeling the Symptomatic Fixes Archetype in Enterprise Computer Security
%A Rosenfeld,S. N.
%A Rus,I.
%A Michel Cukier
%K business data processing
%K decision making
%K decision-making
%K enterprise computer security
%K human factors
%K security of data
%K security-risk mitigation
%K symptomatic fixes archetype modeling
%K system dynamics model
%K system modeling
%X To support decision-making for security-risk mitigation and the appropriate selection of security countermeasures, we propose a system dynamics model of the security aspects of an enterprise system. We developed such an executable model, incorporating the concept of archetypes. We present here one archetype for computer security, namely symptomatic fixes (or shifting the burden). Using simulation, we show one instance of how this archetype can be used for recognizing and diagnosing typical situations, as well as for fixing problems. The global effects of changes and behavioral trends are examined, and other instances of symptomatic fixes in security are described as well.
%V 1
%P 178 - 188
%8 2006/09//
%G eng
%R 10.1109/COMPSAC.2006.62

%0 Conference Paper
%B Computer Software and Applications Conference, 2006. COMPSAC '06. 30th Annual International
%D 2006
%T A Software Architectural Approach to Security by Design
%A Ray,A.
%A Cleaveland, Rance
%K architecture description notation
%K Clocks
%K communication semantics
%K Computer architecture
%K computer crime
%K computer security
%K Connectors
%K Costs
%K Degradation
%K Delay
%K Educational institutions
%K security design
%K security of data
%K Software architecture
%K software engineering
%X This paper shows how an architecture description notation that has support for timed events can be used to provide a meta-language for specifying exact communication semantics. The advantage of such an approach is that a designer is made fully aware of the ramifications of her design choices so that an attacker can no longer take advantage of hidden assumptions.
%B Computer Software and Applications Conference, 2006. COMPSAC '06. 30th Annual International
%I IEEE
%V 2
%P 83 - 86
%8 2006/09/17/21
%@ 0-7695-2655-1
%G eng
%R 10.1109/COMPSAC.2006.102

%0 Journal Article
%J Proceedings of the IEEE
%D 2006
%T Wireless Network Security and Interworking
%A Shin,M.
%A Ma,J.
%A Mishra,A.
%A Arbaugh, William A.
%K 3G mobile communication
%K 3G systems
%K Authentication
%K Bandwidth
%K Communication system security
%K computer network security
%K computer security
%K Data security
%K internetworking
%K Land mobile radio cellular systems
%K Paper technology
%K security architectures
%K security of data
%K telecommunication security
%K wireless communication
%K wireless communications
%K Wireless LAN
%K wireless network security
%K Wireless networks
%K wireless technologies
%K WLAN systems
%X A variety of wireless technologies have been standardized and commercialized, but no single technology is considered the best because of different coverage and bandwidth limitations. Thus, interworking between heterogeneous wireless networks is extremely important for ubiquitous and high-performance wireless communications. Security in interworking is a major challenge due to the vastly different security architectures used within each network. The goal of this paper is twofold. First, we provide a comprehensive discussion of security problems and current technologies in 3G and WLAN systems. Second, we provide introductory discussions about the security problems in interworking, the state-of-the-art solutions, and open problems.
%B Proceedings of the IEEE
%V 94
%P 455 - 466
%8 2006/02//
%@ 0018-9219
%G eng
%N 2
%R 10.1109/JPROC.2005.862322

%0 Conference Paper
%D 2005
%T Automated checking for Windows host vulnerabilities
%A Tamizi,M.
%A Weinstein,M.
%A Michel Cukier
%K application vulnerabilities
%K computing system security
%K Ferret-Windows software tool
%K host vulnerabilities
%K network vulnerabilities
%K open-source software
%K operating systems (computers)
%K plug-in module
%K program diagnostics
%K security of data
%K software reliability
%K software tools
%K system attacks
%K Windows host vulnerability checking
%K Windows platforms
%X Evaluation of computing system security requires knowledge of the vulnerabilities present in the system and of potential attacks against the system. Vulnerabilities can be classified based on their location as application vulnerabilities, network vulnerabilities, or host vulnerabilities. This paper describes Ferret-Windows, a new software tool for checking host vulnerabilities on the Windows platforms. This tool helps system administrators by quickly finding vulnerabilities that are present on a host. It is designed and implemented in a modular way: a plug-in module is used for each vulnerability checked, and each possible output format is specified by a plug-in module. Moreover, several vulnerability fixing plug-in modules exist to help users remove specific vulnerabilities. As a result, Ferret-Windows is extensible, and can easily be kept up-to-date through the addition of checks for new vulnerabilities as they are identified. Finally, Ferret-Windows is freely available open-source software.
%P 10 pp. -148
%8 2005/11//
%G eng
%R 10.1109/ISSRE.2005.11

%0 Conference Paper
%D 2004
%T Ferret: a host vulnerability checking tool
%A Sharma,Anil
%A Martin,J.R.
%A Anand,N.
%A Michel Cukier
%A Sanders,W. H.
%K Ferret software tool
%K host vulnerability checking tool
%K open-source software
%K Perl
%K plug-in module
%K program verification
%K security auditing tool
%K security evaluation
%K security of data
%K software tools
%X Evaluation of computing system security requires knowledge of the vulnerabilities present in the system and of potential attacks against the system. Vulnerabilities can be classified based on their location as application vulnerabilities, network vulnerabilities, or host vulnerabilities. We describe Ferret, a new software tool for checking host vulnerabilities. Ferret helps system administrators by quickly finding vulnerabilities that are present on a host. It is designed and implemented in a modular way: a different plug-in module is used for each vulnerability checked, and each possible output format is specified by a plug-in module. As a result, Ferret is extensible, and can easily be kept up-to-date through addition of checks for new vulnerabilities as they are discovered; the modular approach also makes it easy to provide specific configurations of Ferret tailored to specific operating systems or use environments. Ferret is freely available open-source software implemented in Perl.
%P 389 - 394
%8 2004/03//
%G eng
%R 10.1109/PRDC.2004.1276595

%0 Journal Article
%J IEEE Security & Privacy
%D 2003
%T The dangers of mitigating security design flaws: a wireless case study
%A Petroni,N. L.
%A Arbaugh, William A.
%K Communication system security
%K computer security
%K cryptography
%K design flaw mitigation
%K Dictionaries
%K legacy equipment
%K privacy
%K Protection
%K Protocols
%K security design flaws
%K security of data
%K synchronous active attack
%K telecommunication security
%K Telecommunication traffic
%K wired equivalent privacy protocol
%K Wireless LAN
%K wireless local area networks
%K Wireless networks
%X Mitigating design flaws often provides the only means to protect legacy equipment, particularly in wireless local area networks. A synchronous active attack against the wired equivalent privacy protocol demonstrates how mitigating one flaw or attack can facilitate another.
%B IEEE Security & Privacy
%V 1
%P 28 - 36
%8 2003/02//Jan
%@ 1540-7993
%G eng
%N 1
%R 10.1109/MSECP.2003.1176993

%0 Journal Article
%J IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews
%D 2003
%T A secure PLAN
%A Hicks, Michael W.
%A Keromytis,A. D
%A Smith,J. M
%K active networks
%K active-network firewall
%K Authentication
%K Authorization
%K Contracts
%K cryptography
%K Environmental management
%K Extraterrestrial measurements
%K functionally restricted packet language
%K general-purpose service routines
%K Internet
%K latency overhead
%K namespace-based security
%K packet switching
%K PLANet
%K Planets
%K privilege level
%K programmable networks
%K Safety
%K safety risks
%K secure PLAN
%K security of data
%K security risks
%K trust management
%K two-level architecture
%K virtual private network
%K Virtual private networks
%K Web and internet services
%X Active networks, being programmable, promise greater flexibility than current networks. Programmability, however, may introduce safety and security risks. This correspondence describes the design and implementation of a security architecture for the active network PLANet. Security is obtained with a two-level architecture that combines a functionally restricted packet language, PLAN, with an environment of general-purpose service routines governed by trust management. In particular, a technique is used which expands or contracts a packet's service environment based on its level of privilege, termed namespace-based security. The design and implementation of an active-network firewall and virtual private network is used as an application of the security architecture. Measurements of the system show that the addition of the firewall imposes an approximately 34% latency overhead and as little as a 6.7% space overhead to incoming packets.
%B IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews %V 33 %P 413 - 426 %8 2003/08// %@ 1094-6977 %G eng %N 3 %R 10.1109/TSMCC.2003.817347 %0 Conference Paper %B 2002 IEEE Symposium on Security and Privacy, 2002. Proceedings %D 2002 %T P5 : a protocol for scalable anonymous communication %A Sherwood,R. %A Bhattacharjee, Bobby %A Srinivasan, Aravind %K Broadcasting %K communication efficiency %K Computer science %K cryptography %K data privacy %K Educational institutions %K Internet %K large anonymous groups %K P5 protocol %K packet-level simulations %K Particle measurements %K Peer to peer computing %K peer-to-peer personal privacy protocol %K privacy %K Protocols %K receiver anonymity %K scalable anonymous communication %K security of data %K sender anonymity %K sender-receiver anonymity %K Size measurement %K telecommunication security %X We present a protocol for anonymous communication over the Internet. Our protocol, called P5 (peer-to-peer personal privacy protocol) provides sender-, receiver-, and sender-receiver anonymity. P5 is designed to be implemented over current Internet protocols, and does not require any special infrastructure support. A novel feature of P5 is that it allows individual participants to trade-off degree of anonymity for communication efficiency, and hence can be used to scalably implement large anonymous groups. We present a description of P5, an analysis of its anonymity and communication efficiency, and evaluate its performance using detailed packet-level simulations. %B 2002 IEEE Symposium on Security and Privacy, 2002. Proceedings %I IEEE %P 58 - 70 %8 2002/// %@ 0-7695-1543-6 %G eng %R 10.1109/SECPRI.2002.1004362 %0 Conference Paper %D 2002 %T Quantifying the cost of providing intrusion tolerance in group communication systems %A Ramasamy,H. V. %A Pandey,P. %A Lyons,J. %A Michel Cukier %A Sanders,W. H. 
%K consistent group membership %K crash-fault-tolerant group communication system %K cryptography %K finite state machines %K groupware %K intrusion-tolerant microprotocols %K malicious intrusions %K multicast communication %K reliable ordered multicast properties %K security of data %K Transport protocols %X Group communication systems that provide consistent group membership and reliable, ordered multicast properties in the presence of faults resulting from malicious intrusions have not been analyzed extensively to quantify the cost of tolerating these intrusions. This paper attempts to quantify this cost by presenting results from an experimental evaluation of three new intrusion-tolerant microprotocols that have been added to an existing crash-fault-tolerant group communication system. The results are analyzed to identify the parts that contribute the most overhead during provision of intrusion tolerance at the group communication system level. %P 229 - 238 %8 2002/// %G eng %R 10.1109/DSN.2002.1028904 %0 Conference Paper %B 2001 IEEE Symposium on Security and Privacy, 2001. S&P 2001. Proceedings %D 2001 %T A trend analysis of exploitations %A Browne,H. K %A Arbaugh, William A. %A McHugh,J. %A Fithen,W. L %K Computer science %K computer security exploits %K Data analysis %K data mining %K Educational institutions %K exploitations %K Performance analysis %K Predictive models %K Regression analysis %K Risk management %K security of data %K software engineering %K system intrusions %K System software %K trend analysis %K vulnerabilities %K vulnerability exploitation %X We have conducted an empirical study of a number of computer security exploits and determined that the rates at which incidents involving the exploit are reported to CERT can be modeled using a common mathematical framework. 
Data associated with three significant exploits involving vulnerabilities in phf, imap, and bind can all be modeled using the formula C=I+S×√M where C is the cumulative count of reported incidents, M is the time since the start of the exploit cycle, and I and S are the regression coefficients determined by analysis of the incident report data. Further analysis of two additional exploits involving vulnerabilities in mountd and statd confirm the model. We believe that the models will aid in predicting the severity of subsequent vulnerability exploitations, based on the rate of early incident reports %B 2001 IEEE Symposium on Security and Privacy, 2001. S&P 2001. Proceedings %I IEEE %P 214 - 229 %8 2001/// %@ 0-7695-1046-9 %G eng %R 10.1109/SECPRI.2001.924300 %0 Journal Article %J IEEE Communications Magazine %D 1998 %T Safety and security of programmable network infrastructures %A Alexander,S. %A Arbaugh, William A. %A Keromytis,A. D %A Smith,J. M %K Access control %K error protection %K IP networks %K Multicast protocols %K network architecture %K network operating systems %K network service model %K operating system %K Power system dynamics %K Power system modeling %K Power system reliability %K programmable languages %K programmable network infrastructures %K programming languages %K Proposals %K Protection %K reliability properties %K Safety %K Secure Active Network Environment %K Security %K security of data %K service creation %K service providers %K Switches %K telecommunication computing %K telecommunication network reliability %K Web and internet services %X Safety and security are two reliability properties of a system. A “safe” system provides protection against errors of trusted users, while a “secure” system protects against errors introduced by untrusted users. There is considerable overlap between mechanisms to support each property. 
Requirements for rapid service creation have stimulated the development of programmable network infrastructures, where end users or service providers can customize the properties of a network infrastructure while it continues to operate. A central concern of potential users of such systems is their reliability and, most specifically, their safety and security. In this article we explain the impact the network service model and architecture have on safety and security, and provide a model with which policies can be translated into restrictions of a general system. We illustrate these ideas with the Secure Active Network Environment (SANE) architecture, which provides a means of controlling access to the functions provided by any programmable infrastructure %B IEEE Communications Magazine %V 36 %P 84 - 92 %8 1998/10// %@ 0163-6804 %G eng %N 10 %R 10.1109/35.722141 %0 Journal Article %J IEEE Network %D 1998 %T A secure active network environment architecture: realization in SwitchWare %A Alexander,D. S %A Arbaugh, William A. %A Keromytis,A. D %A Smith,J. M %K access protocols %K AEGIS secure bootstrap architecture %K architecture %K Authentication %K Collaboration %K Communication switching %K dynamic integrity checks %K extended LAN %K Functional programming %K implementation %K integrity %K Intelligent networks %K IP networks %K Local area networks %K network infrastructure %K network infrastructures %K network operating systems %K network-level solutions %K node %K node-to-node authentication %K packet switching %K Proposals %K ramming system %K SANE %K secure active network environment architecture %K security of data %K Switches %K SwitchWare %K trusted state %K Web and internet services %X An active network is a network infrastructure which is programmable on a per-user or even per-packet basis. Increasing the flexibility of such network infrastructures invites new security risks. 
Coping with these security risks represents the most fundamental contribution of active network research. The security concerns can be divided into those which affect the network as a whole and those which affect individual elements. It is clear that the element problems must be solved first, since the integrity of network-level solutions will be based on trust in the network elements. In this article we describe the architecture and implementation of a secure active network environment (SANE), which we believe provides a basis for implementing secure network-level solutions. We guarantee that a node begins operation in a trusted state with the AEGIS secure bootstrap architecture. We guarantee that the system remains in a trusted state by applying dynamic integrity checks in the network element's runtime system, using a novel naming system, and applying node-to-node authentication when needed. The construction of an extended LAN is discussed %B IEEE Network %V 12 %P 37 - 45 %8 1998/06//May %@ 0890-8044 %G eng %N 3 %R 10.1109/65.690960 %0 Journal Article %J Computer %D 1998 %T Security for virtual private intranets %A Arbaugh, William A. %A Davin,J. R %A Farber,D. J %A Smith,J. 
M %K businesses %K Clouds %K Companies %K core operating system components %K cryptography %K Data security %K employee homes %K encryption %K functional roles %K hard drive %K Home computing %K home working %K integrity checking %K Internet %K Local area networks %K multiple personalities %K network authentication %K network environment %K operating system modifications %K Operating systems %K Roads %K secure identity based lending %K security management %K security of data %K shared applications %K SIBL %K single hardware platform %K smart cards %K symmetric algorithm %K system partition %K telecommuting %K Teleworking %K trust relationship %K trustworthy system %K virtual private intranets %X As telecommuting grows, businesses must consider security when extending their network environment to employees' homes. Researchers at the University of Pennsylvania have addressed the problem with smart cards, operating system modifications, and network authentication. We note the distinction between trust and integrity: trust is determined through the verification of components and the dependencies among them, while integrity demonstrates that components haven't been modified. Thus integrity checking in a trustworthy system is about preserving an established trust or trust relationship. Our solution to the challenge of isolating functional roles that may share a single hardware platform is called secure identity based lending (SIBL). SIBL provides multiple personalities by partitioning the hard drive into n+1 partitions, where n is the number of supported personalities. All personalities use the system partition for core operating system components and shared applications. Each of the personalities is also associated with one of the remaining partitions, which are encrypted using a symmetric algorithm %B Computer %V 31 %P 48 - 55 %8 1998/09// %@ 0018-9162 %G eng %N 9 %R 10.1109/2.708450 %0 Conference Paper %B , 1997 IEEE Symposium on Security and Privacy, 1997. 
Proceedings %D 1997 %T A secure and reliable bootstrap architecture %A Arbaugh, William A. %A Farber,D. J %A Smith,J. M %K active networks %K AEGIS architecture %K bootstrap architecture %K Computer architecture %K computer bootstrapping %K data integrity %K Distributed computing %K Hardware %K hardware validity %K initialization %K integrity chain %K integrity check failures %K Internet %K Internet commerce %K IP networks %K Laboratories %K lower-layer integrity %K Microprogramming %K Operating systems %K recovery process %K reliability %K robust systems %K Robustness %K Security %K security of data %K software reliability %K system integrity guarantees %K system recovery %K transitions %K Virtual machining %X In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, the integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity “chain” inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made, yet these guarantees are increasingly important to diverse applications such as Internet commerce, security systems and “active networks”. In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems %B , 1997 IEEE Symposium on Security and Privacy, 1997. Proceedings %I IEEE %P 65 - 71 %8 1997/05/04/7 %@ 0-8186-7828-3 %G eng %R 10.1109/SECPRI.1997.601317