Browsing by Author "Dr. Douglas S. Reeves, Committee Member"
- Active Timing Based Techniques for Attack Attribution through Stepping Stones (2006-08-22). Peng, Pai; Dr. Peng Ning, Committee Chair; Dr. Douglas S. Reeves, Committee Member; Dr. S. Purushothaman Iyer, Committee Member; Dr. Ting Yu, Committee Member.
The purpose of this research is to study active timing-based techniques for attack attribution through stepping-stone computers, where attackers connect sequentially through multiple intermediate hosts to hide their traces. The difficulty of tracing back such attacks comes not only from the normal operation of networks and stepping stones, but also from the intentional interference of attackers. Encryption, repacketization, timing perturbation, and meaningless chaff packets can all significantly affect attribution results. In this thesis, I have investigated multiple research problems related to active timing-based attack attribution. First, I present a correlation scheme that can successfully identify stepping-stone connections even if chaff packets and timing perturbations are introduced by attackers simultaneously. In this scheme, we enhance the existing active watermark schemes and focus on identifying the possible corresponding packets in the flows to be correlated. We develop a series of algorithms to effectively and efficiently decode the embedded watermarks when chaff packets are inserted, and use theoretical analysis and experimental evaluation to validate these algorithms. We also investigate how our correlation scheme can be used to deal with the countermeasure in which stepping-stone connections are split and then merged, and propose an approach to mitigate the problem of packet loss and retransmission. Next, I present research on the secrecy issues of the quantization-based watermark scheme. We propose an attack approach based on analyzing the one-way packet transit delays between adjacent stepping stones. Our attack contains several techniques that can infer important watermark parameters and remove or duplicate the embedded watermarks. These techniques enable an attacker to defeat the watermarking system in certain cases by removing watermarks from stepping-stone connections, or by replicating watermarks onto non-stepping-stone connections. We have also developed techniques to detect in real time whether a stepping-stone connection is being watermarked for trace-back purposes. Experiments using real-world data are performed, and the results demonstrate that for the quantization-based watermark scheme, (1) embedded watermarks can be successfully recovered and duplicated when the watermark parameters are not chosen carefully, and (2) the existence of a watermark in a network flow can be quickly detected. Third, I present research results on the secrecy of the probabilistic watermark scheme. Following the ideas used in analyzing the quantization-based scheme, we propose attacks that can detect the existence of a watermark, recover important watermark parameters, and remove or duplicate the watermark to effectively defeat the scheme. We also investigate the problem of real-time watermark recovery and removal, and propose an online attack algorithm. Experiments are then conducted to validate our analysis. Finally, I investigate the secrecy issues of the interval-based watermark scheme and propose several security enhancements to deter possible timing analysis attacks. I demonstrate that the interval-based scheme is not robust against several attacks we construct, which can quickly detect watermark existence, recover watermark parameters, and defeat the scheme. Through experiments, we validate that the improved scheme with security enhancements significantly increases resistance to all of these severe attacks.
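As an added example (not code from the thesis above), the quantization-based inter-packet-delay watermark that the abstract analyzes, written out in Python with both sides of the contest: the watermarker's embed and decode, and the attacker's timing-analysis test that detects the mark and recovers its step size. The step size, redundancy, exponential traffic model, jitter level and the 0.9 detection threshold are assumptions made for this demo, not parameters taken from the thesis.

```python
"""Quantization-based inter-packet-delay (IPD) flow watermark plus the
timing-analysis check that reveals it.  Added illustration, not code
from the thesis: the step size, redundancy, traffic model, jitter level
and detection threshold are all assumed for the demo."""
import math
import random

STEP = 0.020        # quantization step s, in seconds (assumed)
REDUNDANCY = 5      # each watermark bit is carried by m consecutive IPDs (assumed)


def embed(timestamps, bits, step=STEP, m=REDUNDANCY):
    """Delay packets so that round(ipd / step) has the parity of the bit.

    A stepping-stone watermarker can only delay packets, never send one
    before it arrived, and a delay shifts every later packet, so the
    output times are built sequentially from the previous output time."""
    out = [timestamps[0]]
    for i in range(1, len(timestamps)):
        prev = out[-1]
        earliest = max(timestamps[i], prev)              # cannot send before arrival
        q = max(1, math.ceil((earliest - prev) / step))  # smallest feasible slot
        k = i - 1                                        # index of this IPD
        if k < len(bits) * m and q % 2 != bits[k // m]:
            q += 1                                       # next slot with the right parity
        out.append(prev + q * step)
    return out


def ipds(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def decode(timestamps, nbits, step=STEP, m=REDUNDANCY):
    """Recover each bit by majority vote over the m IPDs that carry it;
    a single vote survives jitter smaller than step/2."""
    d = ipds(timestamps)
    bits = []
    for k in range(nbits):
        votes = [round(x / step) % 2 for x in d[k * m:(k + 1) * m]]
        bits.append(1 if 2 * sum(votes) > len(votes) else 0)
    return bits


def quantization_score(timestamps, step):
    """Fraction of IPDs within step/4 of a multiple of `step`.
    Unwatermarked traffic scores about 0.5 for any step; a flow quantized
    with this step scores near 1.0 under small jitter.  This is the
    timing-analysis test an attacker (or a defender) can run online."""
    d = ipds(timestamps)
    near = sum(1 for x in d if min(x % step, step - x % step) < step / 4)
    return near / len(d)


def estimate_step(timestamps, candidates, threshold=0.9):
    """Parameter recovery: the largest candidate step whose score passes
    the threshold.  Divisors of the true step also score high, which is
    why the largest qualifying step, not the first, is returned.  None
    means no candidate step looked quantized."""
    passing = [s for s in candidates if quantization_score(timestamps, s) > threshold]
    return max(passing) if passing else None


def demo(seed=1, nbits=40):
    """Embed, add jitter, decode, then run the attacker's detection and
    parameter recovery on both the clean and the watermarked flow."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(nbits)]
    # Constructed interactive-session timing: exponential IPDs, mean 100 ms.
    t = [0.0]
    for _ in range(nbits * REDUNDANCY):
        t.append(t[-1] + rng.expovariate(1 / 0.100))
    marked = embed(t, bits)
    # Downstream network jitter, sigma 1 ms per packet (assumed, well under step/2).
    jittered = [x + rng.gauss(0, 0.001) for x in marked]
    candidates = [0.005 + i * 0.001 for i in range(46)]   # 5 ms .. 50 ms
    return {
        "bits_ok": decode(jittered, nbits) == bits,
        "score_clean": quantization_score(t, STEP),
        "score_marked": quantization_score(jittered, STEP),
        "step_clean": estimate_step(t, candidates),
        "step_marked": estimate_step(jittered, candidates),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two results the abstract describes: the watermark decodes correctly through jitter, yet the clean flow scores about 0.5 while the watermarked one scores near 1.0, and `estimate_step` returns 20 ms for the watermarked flow and None for the clean one. The recovered step is all an attacker needs to call `embed` on an unrelated flow and duplicate the mark onto a non-stepping-stone connection, which is the parameter leak the abstract warns about when the step is not chosen carefully.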
- Architecture for using Java bytecode for processing Digital Items (2003-12-19). Gopinadhan, Gautam; Dr. Greg T. Byrd, Committee Chair; Dr. Frank Mueller, Committee Member; Dr. Douglas S. Reeves, Committee Member.
The MPEG-21 Multimedia Framework aims to provide an end-to-end framework for transparent and universal access to media content. It defines mechanisms to represent, process and exchange aggregate media objects, called Digital Items. One of the main requirements in MPEG-21 is to devise a mechanism for making Digital Items dynamic, by allowing program code to be packaged along with them. This executable code consists of operations that are used to process the Digital Item. The design of this mechanism is categorized into three parts: a specification to express and package these processing operations, an engine on the platform to execute the processing operations, and base APIs on the platform that assist in implementing these processing operations. This thesis proposes a solution that uses Java for expressing Digital Item processing operations. As part of this solution, it also proposes adapting the MPEG-J specification to define an engine for the execution of the Java-based processing operations. The MPEG-J specification is an application engine specification for the execution of mobile Java code, defined in the MPEG-4 Systems standard. The MPEG-21 standards committee later realized that two kinds of processing operations should be supported: simple processing operations and complex processing operations. It was decided that a scripting language should be used to support simple processing operations, while complex processing operations should be supported by a language like Java. The thesis adapts the first solution and proposes a second one that uses Java to specify complex processing operations under the new architecture. Apart from the specification of the two solutions, the thesis focuses on maintaining compatibility between the solutions and other parts of the MPEG-21 architecture. Other contributions of this thesis are the arguments for the design choices made and the recommendations presented to the MPEG-21 standards committee.
- Correlation Analysis of Intrusion Alerts (2006-05-11). Xu, Dingbang; Dr. Peng Ning, Committee Chair; Dr. S. Purushothaman Iyer, Committee Member; Dr. Douglas S. Reeves, Committee Member; Dr. Ting Yu, Committee Member.
Security systems such as intrusion detection systems (IDSs) are widely deployed in networks to better protect digital assets. However, there are several problems with current IDSs. (1) IDSs may flag a large number of alerts every day, overwhelming the security officers. (2) Among the alerts flagged by IDSs, false alerts (i.e., false positives) are mixed with true ones, and it is usually difficult to differentiate between them. (3) Existing IDSs may not detect all attacks launched by adversaries. These problems make it very challenging for human users or intrusion response systems to understand the alerts and take appropriate actions. Thus, it is necessary to perform alert correlation. My dissertation focuses on correlation analysis of intrusion alerts. In particular, I have worked on the following issues. The first issue is the efficiency of alert correlation. This work extends our previous correlation method, whose initial implementation is a Database Management System (DBMS)-based toolkit. To improve its performance, we propose adapting main-memory index structures and database query optimization techniques to facilitate timely correlation of intensive alerts. We present three techniques, named hyper-alert container, two-level index, and sort correlation, and study their performance. The second issue is learning attack strategies. We note that understanding the strategies behind attacks is crucial for security applications such as network forensics and intrusion response. We propose techniques to automatically learn attack strategies from intrusion alerts, where attack strategies are modeled as directed graphs with nodes representing attacks and edges representing constraints between the corresponding nodes. We further present techniques to measure the similarity between attack strategies using techniques from error-tolerant graph/subgraph isomorphism. The third issue is how to hypothesize and reason about attacks missed by IDSs. We note that current alert correlation methods depend heavily on the underlying IDSs for alerts, and cannot deal with attacks the IDSs miss. We present techniques to hypothesize attacks possibly missed by the IDSs, to infer attribute values for hypothesized attacks, to validate and prune hypothesized attacks by examining raw audit data, and to consolidate hypothesized attacks into concise attack scenarios. The fourth issue is correlating alerts from different security systems. We note that complementary security systems such as IDSs and firewalls are widely deployed in networks. We propose a correlation approach based on triggering events and common resources. Our approach first clusters alerts so that the alerts in each cluster share similar triggering events. We further propose techniques to build attack scenarios by identifying common resources between different attacks. The fifth issue is privacy-preserving alert correlation. We note that there are privacy concerns when intrusion alerts are shared and correlated among different organizations. We propose one generalization-based scheme and three perturbation-based schemes to anonymize alerts and protect data privacy. To evaluate privacy protection, we use entropy to guide alert anonymization. In addition, to learn the utility of anonymized alerts, we further perform correlation analysis on anonymized data sets, focusing on estimating similarity values between anonymized attributes and building attack scenarios from anonymized data sets. Finally, the conclusion of the dissertation is provided and future work is pointed out.
- Facilitating Alert Correlation Using Resource Trees (2005-08-08). Mahalati, Jaideep; Dr. Peng Ning, Committee Chair; Dr. Douglas S. Reeves, Committee Member; Dr. Ting Yu, Committee Member.
With the steady increase in the number of attacks against networks and hosts, security systems such as intrusion detection systems are widely deployed in networks. Intrusion detection systems may flag large numbers of alerts, in which false alerts are mixed with true ones. To understand the security threats and take appropriate actions, it is necessary to perform alert correlation. One class of alert correlation methods is the prerequisite- and consequence-based approach, where the prerequisite of an attack is the necessary condition for launching the attack, and the consequence of an attack is the possible outcome if the attack succeeds. By matching the consequences of earlier attacks with the prerequisites of later ones, attack scenarios can be discovered. However, one limitation of these approaches is that specifying prerequisites and consequences for different alert types is usually time-consuming and error-prone. To address this limitation, this thesis proposes a resource-tree-based method to facilitate the specification of prerequisites and consequences. Attacks can be viewed from the perspective of resources; example resources include various network services and privileges. This thesis further organizes resources into trees, where the nodes are labelled with conditions (represented by predicates). To specify the prerequisite and consequence of an attack, one looks for the resource trees related to the attack's prerequisite and consequence, traverses the trees to find the appropriate nodes, and finally selects the suitable predicates to put into the prerequisite and consequence. This approach is simple and less expert-dependent. The usability study and comprehensiveness study (with more than 3000 alert types) demonstrate the effectiveness of this approach. Correlation results with different datasets further show that prerequisites and consequences defined using our methodology can be effectively used for alert correlation.
- Integrating Alerts From Multiple Homogeneous Intrusion Detection Systems (2003-06-06). Serrano, Alfredo; Dr. Peng Ning, Committee Chair; Dr. Rudra Dutta, Committee Member; Dr. Douglas S. Reeves, Committee Member.
Intrusion detection is a relatively young area of research, begun in the early 1980s. Currently most intrusion detection systems (IDSs) produce a large number of alerts based on low-level attacks or anomalies. More distressing is that a large number of these alerts are false positives. The false alert rate becomes even more important as networks become larger. Effectively monitoring a large network requires deploying multiple intrusion detection systems at key points on the network, yet this deployment increases the number of alerts that administrators must attend to. In addition, since most IDSs produce alerts based on low-level attacks, they give no indication of the relationships between alerts. In this work, we describe a method for correlating intrusion alerts from low-level alerts produced by multiple homogeneous IDSs. Our technique extends the intrusion alert correlation technique developed at North Carolina State University, which uses an intrusion alert's prerequisites and consequences to construct high-level attack scenarios. The prerequisite of an alert specifies what must be true in order for the corresponding attack to be successful, and the consequences describe what can possibly be true if the attack succeeds. The extended technique relaxes the temporal constraints on alerts from different IDSs to account for possible timestamp inconsistencies (due to network delays, lack of system clock synchronization, or host workload). Our correlation method reduces alert volume and reduces false positives compared to uncorrelated alerts. Our correlation of alerts from multiple intrusion detection systems provides an automated method to show not only the relationships between alerts from one IDS, but also the relationships between alerts from different IDSs. Therefore, our method gives a more complete view of attack scenarios.
- Localization in Wireless Sensor Networks with Inaccurate Range Measurements (2004-09-03). Ramadurai, Vaidyanathan; Dr. Mihail L. Sichitiu, Committee Chair; Dr. Wenye Wang, Committee Member; Dr. Arne A. Nilsson, Committee Member; Dr. Douglas S. Reeves, Committee Member.
We refer to localization as the problem of estimating the spatial coordinates of wireless nodes in an ad-hoc network. A wireless sensor network is an example of such a network, where localization has been a challenging problem for several years. The position of sensor nodes can either be manually configured before deployment, or a GPS receiver can be built into each node. The former approach is very tedious and error-prone, while the latter is a costly proposition in terms of volume, money and power consumption. In this thesis, we consider the problem of determining the positions of wireless nodes using range measurements from multiple, sparsely located beacon stations with known locations. Clusters of unknown nodes collaborate among themselves in estimating their positions with the help of beacon stations. The major problem is overcoming range measurement inaccuracies. We propose a simple position estimation algorithm that is robust with respect to range measurement inaccuracies, has low complexity, and admits a distributed implementation using only local information. We analyze the performance of the algorithm based on rigorous simulation and theory. We then extend the simple algorithm to a probabilistic algorithm that overcomes some of the drawbacks present in the simple algorithm. The algorithm was designed and implemented in a wireless testbed consisting of IEEE 802.11-based iPAQs to study its performance. Most current localization systems are based on multiple beacons assisting unknown nodes. In an attempt to eliminate some of the drawbacks present in such systems, we also propose and study a single-mobile-beacon-based localization method, in which a mobile beacon assists unknown nodes in estimating their positions. An implementation of this method in a wireless testbed was used to evaluate its performance.
- Performance Analysis of Optical Burst Switched Networks (2002-07-29). Xu, Lisong; Dr. Michael Devetsikiotis, Committee Member; Dr. Douglas S. Reeves, Committee Member; Dr. George N. Rouskas, Committee Co-Chair; Dr. Harry G. Perros, Committee Chair.
In this dissertation, we studied the performance of Optical Burst Switching (OBS). OBS is a promising new solution for the next-generation optical Internet. In the first part of the dissertation, we studied a novel WDM ring network with OBS. The ring consists of N nodes, and each node owns a home wavelength on which it transmits its bursts. The ring operates under the fixed transmitter, tunable receiver (FTTR) scheme. Control information is transmitted on a separate control channel. We proposed five different burst switching access protocols. We also studied the performance of these access protocols in terms of throughput, packet delay, throughput fairness, and delay fairness under different network parameters: average packet arrival rate, maximum burst size, and minimum burst size. Finally, we proposed a new offset calculation method, which can significantly simplify the access protocol design and reduce the packet delay for all access protocols. In the second part of the dissertation, we analyzed an edge node of a WDM OBS mesh network using a new burst arrival process, which is more realistic than the well-known Poisson process. The edge node is modeled as a closed non-product-form queueing network, consisting of special nodes with orbiting customers. Despite the rich literature in queueing network analysis, this particular queueing network with orbiting customers has not been analyzed before. We developed algorithms for both the single-class and multi-class queueing networks. The single-class queueing network is solved using Marie's method. In the case of no converters, we obtained a closed-form expression for the conditional throughput of the special node with orbiting customers. The multi-class queueing network is analyzed by decomposition. Specifically, a multiple-class queueing network is decomposed into a set of two-class queueing networks, each of which is then solved by Neuse and Chandy's Heuristic Aggregation Method. We also developed a much faster approximation algorithm for the analysis of an edge OBS node with a large number of wavelengths. Comparisons against simulation data suggest that our algorithms have good accuracy.
- Scalable authorization in role-based access control using negative permissions and remote authorization (2003-06-02). Shah, Arpan Pramod; Dr. Peng Ning, Committee Member; Dr. Douglas S. Reeves, Committee Member; Dr. Gregory T. Byrd, Committee Chair.
Administration of access control is a major issue in large-scale computer systems. Many such systems proposed in recent years aim at reducing the effort required to govern access. Role-based access control (RBAC) systems are of great benefit in this respect. They reduce the tasks of an administrator or authority when users take on different roles in an organization and need to be assigned different access rights or privileges based on these roles. RBAC is a very expressive and flexible access control mechanism that makes it possible to have security policies based on the principle of least privilege, static and dynamic separation of duties, conflicts between roles and permissions, and much more. This research proposes the use of negative permissions and remote authorization for improving the scalability of an RBAC implementation. We discuss how negative permissions fit into the proposed RBAC model. The thesis describes a mechanism to implement such an RBAC system utilizing negative authorizations. Our implementation is an extension of the Java 2 security architecture to support negative authorizations. We provide support for a hierarchy of roles and for de-conflicting positive and negative authorizations using the most-specific-takes-precedence model. Future extensions to the model and optimizations to the implemented algorithm are proposed. Another aspect of this thesis is the application of the above RBAC model in a distributed environment utilizing a remote authorization management system. A remote authorization mechanism is appropriate in many client-server systems where the resources are controlled at an intermediate layer of the communication stack, or where a middleware component enforces the access rules. In our client-server architecture, an authorization server uses an RBAC system to control access to resources under its domain, and the enforcement of access rules is provided by a security overlay on privileged resources. We address how our negative permission and remote authorization schemes augment RBAC scalability. We provide the requisite abstraction through UML and architecture diagrams for implementation in other languages and systems. A comparison of this work to other related research in the RBAC domain is carried out, and future work in this area is discussed.
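The resolution rule named in the abstract above, most-specific-takes-precedence between positive and negative authorizations over a role hierarchy, as an added Python illustration. It is not the thesis's Java 2 extension: the role hierarchy, the authorization entries, the closed-policy default and the exact specificity ordering (distance in the role hierarchy first, then length of the matching resource prefix) are assumptions made for this example.

```python
"""RBAC with negative permissions, conflicts resolved by most-specific-
takes-precedence.  Added illustration, not the thesis's Java 2 extension:
the hierarchy, the authorizations and the exact specificity ordering
(role distance first, then resource prefix length) are assumed."""
from collections import deque
from dataclasses import dataclass

# Role hierarchy (assumed): senior role -> junior roles whose permissions it inherits.
HIERARCHY = {
    "employee": [],
    "engineer": ["employee"],
    "contractor": ["employee"],
    "release_manager": ["engineer"],
}


@dataclass(frozen=True)
class Auth:
    role: str
    resource: str   # path prefix: "/repo/" covers "/repo/prod/build.sh"
    action: str
    allow: bool     # False is a negative authorization


AUTHS = [
    Auth("employee", "/wiki/", "read", True),
    Auth("employee", "/repo/", "read", True),
    Auth("contractor", "/repo/prod/", "read", False),        # contractors: no prod source
    Auth("engineer", "/repo/", "write", True),
    Auth("engineer", "/repo/prod/", "write", False),         # engineers: no prod writes...
    Auth("release_manager", "/repo/prod/", "write", True),   # ...unless they hold this role
]


def inherited_roles(role, hierarchy=HIERARCHY):
    """Every role `role` inherits from, mapped to its distance (0 = itself)."""
    dist = {role: 0}
    queue = deque([role])
    while queue:
        r = queue.popleft()
        for junior in hierarchy.get(r, []):
            if junior not in dist:
                dist[junior] = dist[r] + 1
                queue.append(junior)
    return dist


def decide(role, resource, action, auths=AUTHS, hierarchy=HIERARCHY):
    """Closed policy: grant only if the most specific applicable
    authorizations all allow.  Specificity = (role distance, longer resource
    prefix); a conflict among equally specific entries denies."""
    dist = inherited_roles(role, hierarchy)
    applicable = [((dist[a.role], -len(a.resource)), a.allow)
                  for a in auths
                  if a.role in dist and a.action == action
                  and resource.startswith(a.resource)]
    if not applicable:
        return False
    best = min(key for key, _ in applicable)
    verdicts = {allow for key, allow in applicable if key == best}
    return verdicts == {True}


if __name__ == "__main__":
    for role, res, act in [("contractor", "/repo/prod/build.sh", "read"),
                           ("engineer", "/repo/prod/build.sh", "write"),
                           ("release_manager", "/repo/prod/build.sh", "write")]:
        print(role, act, res, "->", "allow" if decide(role, res, act) else "deny")
```

The two cases worth tracing are the engineer writing under /repo/prod/, where the negative entry on the longer prefix beats the positive one on /repo/ at the same role distance, and the release manager doing the same, where the entry on the role itself (distance 0) beats the inherited negative entry (distance 1). Note that the inherited negative entry is what lets a junior role's denial stay in force for every senior role that does not explicitly override it.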
- A Simulation Study of Wavelength Assignment and Reservation Policies with Signaling Delays (2002-11-21). Iyer, Vijay R; Dr. George N. Rouskas, Committee Chair; Dr. Douglas S. Reeves, Committee Member; Dr. Rudra Dutta, Committee Member.
This thesis studies the effect of non-negligible signaling delays on the performance of wavelength-assignment heuristics, wavelength reservation schemes, routing schemes, holding times (average 1/μ) of the lightpaths, and traffic loads (average λ/μ) in second-generation optical wide area networks (WANs). A network simulator was developed in C++ for this study. The simulator supports any input topology with single- or multi-fiber links, several routing schemes (static, alternate and dynamic), and dynamic traffic loads, and may be modified easily to accommodate different wavelength-assignment policies. The signaling messages used in our study to establish lightpaths follow the Constrained-Routing Label Distribution Protocol (CR-LDP) semantics. The problem studied here falls under the general category of the Routing and Wavelength Assignment (RWA) problem, which has been proven to be NP-hard. Previous studies have mostly considered static routing (with static or dynamic traffic demand) and static traffic demand (with static or alternate routing) under zero propagation delays. A few recent papers have studied the effect of signaling delays but have been limited in scope. We study the effect of varying holding times, compare the random and first-fit wavelength assignment policies, compare fixed and alternate routing, compare backward wavelength reservation schemes to forward reservation schemes, and lastly study the effect of traffic loads. We find that, in general, the random wavelength assignment policy performs better than the first-fit policy, and that under certain conditions the alternate routing scheme performs worse than the fixed routing scheme.
- A Toolkit for Intrusion Alerts Correlation based on Prerequisites and Consequences of Attacks (2002-12-19). Cui, Yun; Dr. Peng Ning, Committee Chair; Dr. Douglas S. Reeves, Committee Member; Dr. Gregory T. Byrd, Committee Member.
Intrusion detection has been studied for about twenty years. Intrusion detection systems (IDSs) are usually considered the second line of defense against malicious activities, alongside prevention-based security mechanisms such as authentication and access control. However, traditional IDSs have two major weaknesses. First, they usually focus on low-level attacks or anomalies and raise alerts independently, though there may be logical connections between them. Second, traditional IDSs report a lot of false alerts, which are mixed with the true alerts. Thus, intrusion analysts or system administrators are often overwhelmed by the volume of alerts. Motivated by this observation, we propose a technique to construct high-level attack scenarios by correlating low-level intrusion alerts using their prerequisites and consequences. The prerequisite of an alert specifies what must be true in order for the corresponding attack to be successful, and the consequence describes what is possibly true if the attack indeed succeeds. We conjecture that alerts correlated with others are more likely to be true alerts than uncorrelated ones. If this is true, then through this correlation we can not only construct high-level attack scenarios, but also differentiate between true and false alerts. In this thesis work, I implement an alert correlation tool based on this framework. It consists of the following components: a knowledge base, an alert preprocessor, an alert correlation engine and a graph output component. To further facilitate analysis of large amounts of intrusion alerts, I develop three utilities, namely adjustable graph reduction, focused analysis, and graph decomposition. I also perform a sequence of experiments to evaluate these techniques using the DARPA 2000 evaluation datasets and the DEFCON 8 CTF dataset. The experimental results show that the proposed techniques are effective. First, we successfully construct the attack scenarios behind the low-level alerts. Second, the false alert rates are significantly reduced once attention is focused on alerts that are correlated with others. Third, the three utilities greatly reduce the complexity of the correlated alerts while maintaining their structure.
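The prerequisite/consequence correlation that the Mahalati, Serrano and Cui abstracts above all build on, as one added Python example serving all three (it is not the toolkit's own code). It walks the whole pipeline: a small knowledge base of prerequisite and consequence predicates, instantiation against each alert's attributes, matching with the relaxed temporal constraint for alerts from different sensors whose clocks disagree, extraction of scenarios with the isolated alerts that are the likely false positives, and a coarse graph reduction. The alert types, predicates, the six constructed alerts and the skew tolerance are assumptions for the demo.

```python
"""Prerequisite/consequence alert correlation over alerts from two
sensors.  Added illustration, not the toolkit's code: the knowledge base,
the alert attributes and the clock-skew tolerance are assumed."""
from collections import defaultdict

# Knowledge base (assumed): for each alert type, prerequisite and
# consequence predicates.  An argument naming an alert attribute
# ("src", "dst") is replaced by that alert's value; anything else is a literal.
KB = {
    "Ping":            {"pre": [],                                   "con": [("ExistsHost", "dst")]},
    "SadmindPing":     {"pre": [("ExistsHost", "dst")],              "con": [("ExistsService", "dst", "sadmind")]},
    "SadmindOverflow": {"pre": [("ExistsService", "dst", "sadmind")], "con": [("RootAccess", "dst")]},
    "Rsh":             {"pre": [("RootAccess", "dst")],              "con": [("AgentInstalled", "dst")]},
    "DDoSTraffic":     {"pre": [("AgentInstalled", "src")],          "con": [("DoS", "dst")]},
    "FtpBounce":       {"pre": [("ExistsService", "dst", "ftp")],    "con": [("ExistsHost", "dst")]},
}

# Constructed alerts from two sensors; sensor B's clock runs a few seconds
# behind A's, so alert 3 is stamped before the alert 2 that prepared for it.
ALERTS = [
    {"id": 1, "type": "Ping",            "sensor": "A", "ts": 100, "src": "172.16.1.10", "dst": "10.0.0.5"},
    {"id": 2, "type": "SadmindPing",     "sensor": "A", "ts": 105, "src": "172.16.1.10", "dst": "10.0.0.5"},
    {"id": 3, "type": "SadmindOverflow", "sensor": "B", "ts": 104, "src": "172.16.1.10", "dst": "10.0.0.5"},
    {"id": 4, "type": "Rsh",             "sensor": "A", "ts": 120, "src": "172.16.1.10", "dst": "10.0.0.5"},
    {"id": 5, "type": "DDoSTraffic",     "sensor": "B", "ts": 130, "src": "10.0.0.5",    "dst": "10.0.0.99"},
    {"id": 6, "type": "FtpBounce",       "sensor": "A", "ts": 110, "src": "172.16.1.20", "dst": "10.0.0.7"},
]


def instantiate(preds, alert):
    """Bind predicate arguments to the alert's attribute values."""
    return {(name,) + tuple(alert.get(arg, arg) for arg in args)
            for name, *args in preds}


def correlate(alerts, skew=0.0):
    """Edges (i, j) where a consequence of alert i matches a prerequisite of
    alert j and i happened first.  Alerts from different sensors get `skew`
    seconds of slack, because their clocks may not agree."""
    pre = {a["id"]: instantiate(KB[a["type"]]["pre"], a) for a in alerts}
    con = {a["id"]: instantiate(KB[a["type"]]["con"], a) for a in alerts}
    edges = []
    for a in alerts:
        for b in alerts:
            if a is b or not (con[a["id"]] & pre[b["id"]]):
                continue
            slack = skew if a["sensor"] != b["sensor"] else 0.0
            if a["ts"] < b["ts"] + slack:
                edges.append((a["id"], b["id"]))
    return edges


def scenarios(alerts, edges):
    """Connected components of the correlation graph.  Isolated alerts,
    which nothing prepared for and which prepare for nothing, are the
    ones to treat as likely false positives."""
    adj = defaultdict(set)
    for i, j in edges:
        adj[i].add(j)
        adj[j].add(i)
    seen, comps = set(), []
    for a in alerts:
        if a["id"] in seen:
            continue
        comp, stack = [], [a["id"]]
        while stack:
            x = stack.pop()
            if x in seen:
                continue
            seen.add(x)
            comp.append(x)
            stack.extend(adj[x] - seen)
        comps.append(sorted(comp))
    isolated = [c[0] for c in comps if len(c) == 1]
    return comps, isolated


def reduce_graph(alerts, edges):
    """Adjustable graph reduction at its coarsest: collapse alerts of the
    same type into one node so the scenario reads as a chain of attack steps."""
    kind = {a["id"]: a["type"] for a in alerts}
    return sorted({(kind[i], kind[j]) for i, j in edges})


if __name__ == "__main__":
    for skew in (0.0, 5.0):
        e = correlate(ALERTS, skew)
        comps, isolated = scenarios(ALERTS, e)
        print(f"skew={skew}: edges={e} scenarios={comps} isolated={isolated}")
    print(reduce_graph(ALERTS, correlate(ALERTS, 5.0)))
```

With `skew=0` the strict temporal constraint splits the intrusion into two scenarios, {1, 2} and {3, 4, 5}, because sensor B stamped the overflow one second before sensor A stamped the probe that prepared for it; with a few seconds of slack for cross-sensor pairs the five alerts join into one scenario, and the FtpBounce alert, whose prerequisite nothing satisfied, stays isolated. The slack is deliberately applied only across sensors, so same-sensor ordering still counts as evidence.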
- A VoIP anti-Spam System based on Reverse Turing Test (2008-05-16). Wang, Ting; Dr. Ting Yu, Committee Member; Dr. Douglas S. Reeves, Committee Member; Dr. Peng Ning, Committee Chair.
A reverse-Turing-test-based anti-voice-spam scheme, used in conjunction with black/white listing, is proposed, demonstrated and verified to mitigate the spam threat to the security of a VoIP network. The first part of this work demonstrates the feasibility of VoIP spam generation and routing without going through a proxy server. The second part studies the implementation and evaluation of a reverse Turing test to detect spam, as well as the design considerations for the Turing-like challenge. It is demonstrated in this thesis that VoIP spam can be automatically generated and routed without the involvement or control of a proxy server or registrar. Without specific SIP configuration knowledge of the target phone, a fake INVITE message was sent to the target and a SIP session was successfully established to broadcast spam messages. This was also verified by test results from the monitoring and simulation tool SIPp. In the process, an automatic UDP port scanner was implemented to find the listening port of the victim machine. The VoIP spam detection system consists of two components: a regular SIP-based VoIP softphone and a challenge selection and grading program. The challenge is a randomly picked voice question from a pool of pre-recorded questions designed by the user. A set of challenge design guidelines is discussed, particularly for application to a VoIP environment. The reverse Turing test was implemented and evaluated for usability, correctness and performance. The time required for installation and configuration is short: about 75% of evaluators needed less than 10 minutes to install and configure our tool. The experimental results show that the program works well, with a high passing rate for human users and a low passing rate for machine users. Over 86% of evaluators who speak English as a second language passed the English-audio-challenge-based VoIP anti-spam filter, whereas around 96% of native speakers passed the tests. On the other hand, the A.I. chatter robot in our experiments failed 98% of the challenges. The resource consumption of this system is also very low: according to the reports we received from users, the average disk space consumed is about 4.63 MB.
