Browsing by Author "Peng Ning, Committee Chair"
- Integrating Multiple Information Resource to Analyze Intrusion Alerts (2006-12-22). Author: Zhai, Yan. Committee: Ting Yu, Committee Member; Peng Ning, Committee Chair; Douglas Reeves, Committee Member; Purushothaman Iyer, Committee Member.
  Abstract: Intrusion detection systems (IDSs) are important components of network security. However, it is well known that current IDSs generate a large number of alerts, including both true and false alerts. Rather than proposing new techniques to detect intrusions without such problems, this thesis presents some work we have done in improving the study of IDS alerts by incorporating other sources of relevant information. In particular, the work covers four issues. The first issue is to integrate and reason about IDS alerts as well as reports by system monitoring or vulnerability scanning tools (discussed in Chapter 3). To facilitate the modeling of intrusion evidence, this approach classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, we developed techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The second issue is the study of the robustness of the Bayesian analysis framework toward inaccuracies in the assignments of prior confidence with sensitivity analysis and qualitative analysis (discussed in Chapter 4). By performing sensitivity analysis and qualitative analysis on the Bayesian networks used to reason about intrusion evidence, we can measure or approximate individual evidence's influence on the reasoning results. Such a study of the framework's robustness properties can provide guidelines for evidence collection and analysis. The third issue is to improve alert correlation by integrating alert correlation techniques with OS-level object dependency tracking (discussed in Chapter 5). With the support of more detailed and precise information from OS-level event logs, higher accuracy in alert correlation can be achieved. The chapter also discusses the application of such integration in making hypotheses about possibly missed attacks. The fourth issue is to correlate intrusion alerts and other security event information from multiple heterogeneous sources while protecting the privacy of each participating party (discussed in Chapter 6). Based on a sanitization scheme utilizing both generalization and randomization, we proposed several techniques to flexibly balance between the privacy protection and the analysis capability of the sanitized data. We also studied the various analyses supported by the sharing framework and its security against several different types of attacks. Finally, the conclusion of my dissertation is provided and future work is pointed out.
- Mechanisms for Protecting Software Integrity in Networked Systems (2008-12-02). Author: Kil, Chongkyung. Committee: Tao Xie, Committee Member; Peng Ning, Committee Chair; Douglas S. Reeves, Committee Member; S. Purushothaman Iyer, Committee Member.
  Abstract: Protecting software integrity is key to successfully maintaining its credibility and reducing the financial and technical risks caused by a lack of integrity. Although researchers have been putting effort into improving software development techniques and preventing human errors during the software development process, it is still a daunting task to make non-vulnerable software in practice. For example, the national vulnerability database shows that a set of new software vulnerabilities is discovered every day. Since developing non-vulnerable software is hardly achievable, in this research we look for a way to achieve software integrity while the software is in use. In particular, this dissertation investigates three mechanisms to protect software integrity at runtime. Firstly, this dissertation presents a protection mechanism that can thwart attacks that try to exploit memory corruption vulnerabilities of software. The protection mechanism is provided by randomizing the program's runtime memory address layout and the memory objects. As a result, it hinders memory corruption attacks by preventing an attacker from being able to easily predict their target addresses. The protection mechanism is implemented by a novel binary rewriting tool that can randomly place the code and data segments of programs and perform fine-grained permutation of function bodies in the code segment as well as global variables in the data segment. Our evaluation results show minimal performance overhead with orders of magnitude improvement in randomness. Secondly, this dissertation investigates a vulnerability identification mechanism named CBones that can discover how unknown vulnerabilities in C programs are exploited by verifying program structural constraints. This mechanism is also useful in developing integrity patches for vulnerable programs, as applying security patches is increasingly common these days. CBones automatically extracts a set of program structural constraints via binary analysis of the compiled program executable. CBones then verifies these constraints while it monitors the program execution to detect and isolate the security bugs. Our evaluation with real-world applications known to have vulnerabilities shows that CBones can discover all integrity vulnerabilities with no false alarms, pinpoint the corrupting instructions, and provide information to facilitate the understanding of how an attack exploits a security bug. Lastly, this dissertation identifies the need for dynamic attestation to overcome the limitations of existing remote attestation approaches. To the best of our knowledge, we are the first to introduce the notion of dynamic attestation and propose the use of dynamic system properties to provide the integrity proof of a running system. To validate our idea, we develop an application-level dynamic attestation system named ReDAS (Remote Dynamic Attestation System) that can verify the runtime integrity of software. ReDAS provides the integrity evidence of runtime applications by checking their dynamic properties: structural integrity and global data integrity. These properties are collected from each application, representing the application's unique runtime behavior that must be satisfied at runtime. ReDAS also uses hardware support provided by the TPM to protect the integrity evidence from potential attacks. Our evaluation with real-world applications shows that ReDAS is effective in capturing runtime integrity violations with zero false alarms, and demonstrates that ReDAS incurs 8% overhead on average while performing integrity measurements.
- Mitigating Voice over IP Spam Using Computational Puzzles (2008-08-31). Author: Zhou, Yuzheng. Committee: S. Purushothaman Iyer, Committee Member; Peng Ning, Committee Chair; Ting Yu, Committee Member.
- Resilient Data Aggregation in Wireless Sensor Networks (2005-07-29). Author: Anantharaju, Srinath. Committee: Peng Ning, Committee Chair; Douglas Reeves, Committee Member; Ting Yu, Committee Member.
  Abstract: Sensor nodes are low-cost and low-power devices that are prone to node compromises, communication failures and malfunctioning of sensing hardware. As a result, some nodes may report outlying data values, introducing significant deviations in the aggregated sensor readings. This thesis presents a practical resilient outlier detection technique to filter out the influence of the outlying data reported by faulty or compromised nodes. The proposed outlier detection algorithm is based on event localization using minimum mean squared error (MMSE) estimation combined with threshold-based consistency checking to detect outliers. Data aggregation is one of the key techniques commonly used to develop lightweight communication protocols applicable to wireless sensor networks. The proposed approach handles localization of multiple events by grouping the sensor readings into spatially correlated clusters and performing an event-centric detection of outliers. In the entire process of data aggregation, the outlier detection technique fits as a preprocessing stage for reducing the effect of outliers on the aggregated result. Suitable extensions to the basic outlier detection algorithm are proposed to effectively apply the algorithm to both centralized and decentralized sensor network architectures. This thesis further includes studies that test the effectiveness of the proposed approach, including the detection rate, the false positive rate, the degree of damage and the resilience to malicious readings introduced by attackers. The experimental results show that on average the proposed approach detects as many as 80-90% of the outliers while resulting in a 5-15% false positive rate when the network consists of 40-45% outliers. The experiments also show that the extent of damage on the aggregated result is below 50% due to the elimination of outliers before aggregation. Finally, the resilient data aggregation process has modest computational and memory requirements with zero communication overhead in the centralized case and about 20% overhead in the decentralized settings.
- Security Mechanisms for Protecting Foundational Services in Wireless Sensor Networks (2010-08-09). Author: Liu, An. Committee: Xiaogang Wang, Committee Chair; Peng Ning, Committee Chair; Douglas Reeves, Committee Member; Ting Yu, Committee Member; Xuxian Jiang, Committee Member.
- Security Mechanisms for Wireless Sensor Networks (2005-06-28). Author: Liu, Donggang. Committee: Mladen A. Vouk, Committee Member; Carla D. Savage, Committee Member; Douglas S. Reeves, Committee Member; Peng Ning, Committee Chair.
  Abstract: Wireless sensor networks have received a lot of attention recently due to their wide applications in military and civilian operations. Example applications include target tracking, scientific exploration, and data acquisition in hazardous environments. Security becomes one of the main concerns when there are malicious attacks against the network. However, providing security services in such networks turns out to be a challenging task due to the resource constraints on sensor nodes and the node compromise attacks. These features and challenges motivate the research on security mechanisms for wireless sensor networks. This dissertation includes three studies on security mechanisms for wireless sensor networks. The first study extends the capabilities of μTESLA, a broadcast authentication technique for wireless sensor networks, so that it can cover a long time period and support a large number of sensor nodes as well as potential senders in the network. The second study addresses how to establish pairwise keys between sensor nodes in a wireless sensor network. A key pre-distribution framework based on a bivariate polynomial pool is developed for this purpose. Two efficient instantiations of this framework are also provided: a random subset assignment scheme and a hypercube-based key pre-distribution scheme. To further improve the pairwise key establishment in static sensor networks, prior deployment knowledge, post-deployment knowledge and group-based deployment knowledge are used to facilitate key pre-distribution. The third study investigates how to enhance the security of location discovery in sensor networks. An attack-resistant MMSE method and a voting-based method are developed to tolerate malicious attacks against location discovery. Both methods can survive malicious attacks even if the attacks bypass traditional cryptographic protections such as authentication, as long as the benign beacon signals constitute the majority of the 'consistent' beacon signals. In addition, a number of techniques are proposed to detect and revoke malicious beacon nodes that supply malicious beacon signals to sensor nodes.
- TIAA: A Toolkit for Intrusion Alert Analysis (2004-03-30). Author: Hu, Yiquan. Committee: Rudra Dutta, Committee Member; Peng Ning, Committee Chair; Douglas S. Reeves, Committee Member.
  Abstract: Intrusion detection has been studied for about twenty years. Intrusion Detection Systems (IDSs) are usually considered to be the second line of defense to protect against malicious activities, along with prevention-based security mechanisms such as authentication and access control. However, traditional IDSs have two major limitations. First, they usually focus on low-level attacks or anomalies, and raise alerts independently, although there may be logical connections between them. Second, in a typical environment there are a lot of false alerts reported by traditional IDSs, which are mixed with true alerts. Thus, intrusion analysts or system administrators are often overwhelmed by the volume of alerts. To address the aforementioned problems and thus improve the usability of current IDSs, the Toolkit for Intrusion Alert Analysis (TIAA) [17] is developed. The primary goal of TIAA is to provide system support for interactive analysis of intrusion alerts reported by traditional IDSs. TIAA is based on the alert correlation techniques previously developed in [16] and [15]. In addition, several new utilities are developed to facilitate the analysis of potentially large sets of intrusion alerts. More specifically, these new utilities include alert aggregation/disaggregation, clustering analysis, frequency analysis, link analysis, and association analysis. Finally, TIAA includes two additional visual representations of analysis results besides the hyper-alert correlation graphs proposed in [16], making it easier for a human analyst to understand the analysis results. It is envisaged that a human analyst and TIAA form a man-machine team, with TIAA performing automated tasks such as intrusion alert correlation and execution of analysis utilities, and the human analyst deciding what sets of alerts to analyze and how the analysis utilities are applied. This thesis presents the implementation of TIAA, including several analysis utilities, an improved alert collection system, and an integrated analysis environment with a user-friendly graphical user interface (GUI). This thesis also reports several experiments that evaluate the TIAA system using the DARPA 2000 datasets and the Cyber Panel Grand Challenge Problem datasets. The experimental results show that the TIAA system can greatly improve the analysis of intrusion alerts, and can cooperate with general underlying IDSs.
- Trustworthy and Resilient Time Synchronization in Wireless Sensor Networks (2006-08-10). Author: Sun, Kun. Committee: Cliff Wang, Committee Co-Chair; Douglas S. Reeves, Committee Member; Mladen A. Vouk, Committee Member; Wenye Wang, Committee Member; Peng Ning, Committee Chair.
  Abstract: Wireless sensor networks have received a lot of attention recently due to their wide applications. Accurate and synchronized time is crucial in many sensor network applications due to the need for consistent distributed sensing and coordination. A number of time synchronization schemes have been proposed recently to address the resource constraints in sensor networks. However, none of these techniques can survive malicious attacks in hostile environments. This dissertation includes three secure time synchronization techniques, secure single-hop pairwise time differences, fault-tolerant cluster-wise time synchronization, and secure and resilient global time synchronization, to achieve time synchronization in different scopes of sensor networks. First, we develop a secure single-hop pairwise time synchronization technique that provides the time difference between two neighbor nodes using hardware-assisted, authenticated medium access control (MAC) layer timestamping. This technique can effectively defeat external attacks that attempt to mislead single-hop pairwise time synchronization. Moreover, it can handle high data rates such as those produced by MICAz motes. Second, we propose a fault-tolerant cluster-wise time synchronization scheme to provide a common clock among a cluster of nodes, where the nodes in the cluster can communicate through broadcast. This scheme guarantees an upper bound on the time difference between normal nodes in a cluster, provided that the malicious nodes are no more than one third of the cluster. Unlike the traditional fault-tolerant time synchronization approaches, the proposed technique does not introduce collisions between synchronization messages, nor does it require costly digital signatures. Third, we develop two secure and resilient global time synchronization schemes: level-based time synchronization and diffusion-based time synchronization. The basic idea of both schemes is to provide redundant ways for one node to synchronize its clock with another far-away node, so that it can tolerate partially missing or false synchronization information provided by compromised nodes. Both schemes achieve global time synchronization based on a model where all the sensor nodes synchronize their clocks to some common source, which is assumed to be well synchronized to an external clock. The level-based scheme builds a level hierarchy in the sensor network, and then synchronizes the whole network level by level. The diffusion-based scheme allows each node to diffuse its clock to its neighbor nodes after it has been synchronized. Both schemes are secure against external attacks and resilient against compromised nodes. We adapt a novel use of the μTESLA broadcast authentication protocol for local authenticated broadcast, reducing the message overhead as well as the message collisions. We implement a secure and resilient global time synchronization protocol, TinySeRSync, on MICAz motes running TinyOS and perform a thorough evaluation through field experiments in a network of 60 MICAz motes. The evaluation results indicate that TinySeRSync is a practical system for secure and resilient global time synchronization in wireless sensor networks.