
2010 | Book

Computer Network Security

5th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security, MMM-ACNS 2010, St. Petersburg, Russia, September 8-10, 2010. Proceedings

Edited by: Igor Kotenko, Victor Skormin

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

This volume contains papers presented at the 5th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS 2010) held in St. Petersburg, Russia, during September 8-10, 2010. The conference was organized by the Institution of the Russian Academy of Sciences St. Petersburg Institute for Informatics and Automation of RAS (SPIIRAS) in cooperation with Binghamton University (SUNY). The previous conferences in the series (MMM-ACNS 2001, MMM-ACNS 2003, MMM-ACNS 2005 and MMM-ACNS 2007) organized by SPIIRAS and Binghamton University (SUNY) demonstrated the great interest of the international scientific community in the theoretical and practical aspects of computer network and information security. MMM-ACNS 2010 provided the next international forum for sharing original research results among specialists in fundamental and applied problems of computer network security. A total of 54 papers from 19 countries related to significant aspects of the theory and applications of computer network and information security were submitted to MMM-ACNS 2010: 16 papers were selected for regular and 6 for short presentations (30% acceptance for full papers and 40% for all papers).

Table of contents

Frontmatter

Invited Papers

Service Dependencies in Information Systems Security
Abstract
In the complex world of information services, we are realizing that system dependencies upon one another have not only operational implications but also security implications. These security implications are multifold. Beyond allowing an attacker to propagate over an information system by leveraging stepping stones vulnerabilities, it also allows a defender to select the most interesting enforcement points for its policies, overall reducing the cost of managing the security of these complex systems. In this paper, we present a dependency model that has been designed for the purpose of providing security operators with a quantitative decision support system for deploying and managing security policies.
Hervé Debar, Nizar Kheir, Nora Cuppens-Boulahia, Frédéric Cuppens
Secure Applications without Secure Infrastructures
Abstract
The Internet (together with other communications systems) has become a critical infrastructure in industrialized societies. We will examine to which extent this infrastructure needs to be secured for applications to be deployed securely. We will give examples for application layer attacks that cannot be defended against at the infrastructure layer. Hence, deploying a secure infrastructure is not sufficient to protect critical applications. Conversely, we will give examples where an application can be protected without relying on security services provided by the infrastructure. Hence, deploying a secure infrastructure is not necessary to protect critical applications. We will argue that it is only essential for the computing infrastructure to protect its own execution integrity and for the communications infrastructure to offer availability.
Dieter Gollmann
Integrating Types and Specifications for Secure Software Development
Abstract
Today, the majority of security errors in software systems are due to implementation errors, as opposed to flaws in fundamental algorithms (e.g., cryptography). Type-safe languages, such as Java, help rule out a class of these errors, such as code-injection through buffer overruns. But attackers simply shift to implementation flaws above the level of the primitive operations of the language (e.g., SQL-injection attacks). Thus, next-generation languages need type systems that can express and enforce application-specific security policies.
Greg Morrisett
Cryptography for Network Security: Failures, Successes and Challenges
Abstract
This article discusses the state of the art of cryptographic algorithms as deployed for securing computing networks. While it has been argued that the design of efficient cryptographic algorithms is the "easy" part of securing a large scale network, it seems that very often security problems are identified in algorithms and their implementations.
Bart Preneel
Group-Centric Models for Secure and Agile Information Sharing
Abstract
To share information and retain control (share-but-protect) is a classic cyber security problem for which effective solutions continue to be elusive. Where the patterns of sharing are well defined and slow to change it is reasonable to apply the traditional access control models of lattice-based, role-based and attribute-based access control, along with discretionary authorization for further fine-grained control as required. Proprietary and standard rights markup languages have been developed to control what a legitimate recipient can do with the received information including control over its further discretionary dissemination. This dissemination-centric approach offers considerable flexibility in terms of controlling a particular information object with respect to already defined attributes of users, subjects and objects. However, it has many of the same or similar problems that discretionary access control manifests relative to role-based access control. In particular specifying information sharing patterns beyond those supported by currently defined authorization attributes is cumbersome or infeasible. Recently a novel mode of information sharing called group-centric was introduced by these authors. Group-centric secure information sharing (g-SIS) is designed to be agile and accommodate ad hoc patterns of information sharing. In this paper we review g-SIS models, discuss their relationship with traditional access control models and demonstrate their agility relative to these.
Ravi Sandhu, Ram Krishnan, Jianwei Niu, William H. Winsborough

Security Modeling and Covert Channels

A Predictive Model for Cache-Based Side Channels in Multicore and Multithreaded Microprocessors
Abstract
A side channel is an information channel that unintentionally communicates information about a program as a side effect of the implementation. Recent studies have illustrated the use of shared caches as side channels to extract private keys from computationally secure cryptographic applications. The cache side channel is imperfect in the sense that the attacker's ability to detect cache leakage of critical data is limited by timing issues. Moreover, some detected leakages are due to non-critical data. Thus, it is difficult to assess the degree of vulnerability given the imperfect nature of the side channel. Similarly, when solutions that further degrade the quality of the channel, but do not necessarily close it completely, are employed, it is difficult to evaluate their effectiveness. To address this need, this paper proposes a mathematical model to evaluate the expected leakage in a cache as a function of the cache parameters and the victim application behavior. We use simulation to quantify these parameters for typical attack scenarios to validate the model. We demonstrate that the proposed model accurately estimates side channel leakage for AES and Blowfish encryption and decryption on a variety of cache configurations.
Leonid Domnitser, Nael Abu-Ghazaleh, Dmitry Ponomarev
Attack and Defense Modeling with BDMP
Abstract
The BDMP (Boolean logic Driven Markov Processes) modeling formalism has recently been adapted from reliability engineering to security modeling. It constitutes an attractive trade-off in terms of readability, modeling power, scalability and quantification capabilities. This paper develops and completes the theoretical foundations of such an adaptation and presents new developments on defensive aspects. In particular, detection and reaction modeling are fully integrated in an augmented theoretical framework. Different use-cases and quantification examples illustrate the relevance of the overall approach.
Ludovic Piètre-Cambacédès, Marc Bouissou
QoS-T: QoS Throttling to Elicit User Cooperation in Computer Systems
Abstract
While there exist strong security concepts and mechanisms, implementation and enforcement of these security measures is a critical concern in the security domain. Normal users, unaware of the implications of their actions, often attempt to bypass or relax the security mechanisms in place, seeking instead increased performance or ease of use. Thus, the human in the loop becomes the weakest link. This shortcoming adds a level of uncertainty unacceptable in highly critical information systems. Merely educating the user to adopt safe security practices is limited in its effectiveness; there is a need to implement a technically sound measure to address the weak human factor across a broad spectrum of systems. In this paper, we present a game theoretic model to elicit user cooperation with the security mechanisms in a system. We argue for a change in the design methodology, where users are persuaded to cooperate with the security mechanisms after suitable feedback. Users are offered incentives in the form of increased Quality of Service (QoS) in terms of application and system level performance increase. User’s motives and their actions are modeled in a game theoretic framework using the class of generalized pursuit-evasion differential games.
Vidyaraman Sankaranarayanan, Shambhu Upadhyaya, Kevin Kwiat
Problems of Modeling in the Analysis of Covert Channels
Abstract
Sometimes the analysis of a covert channel is weakly dependent on the correctness of probabilistic models, but more often the result of such analysis is seriously dependent on the choice of a probabilistic model. We show how the problem of detection of covert communications depends on the correctness of the choice of probabilistic model. We found the dependence of judgments about invisibility of covert communication on the bans in a probabilistic model of the legal communication.
Alexander Grusho, Nikolai Grusho, Elena Timonina

Security Policies and Formal Analysis of Security Properties

Policy-Based Design and Verification for Mission Assurance
Abstract
Intelligent systems often operate in a blend of cyberspace and physical space. Cyberspace operations—planning, actions, and effects in realms where signals affect intelligent systems—often occur in milliseconds without human intervention. Decisions and actions in cyberspace can affect physical space, particularly in SCADA—supervisory control and data acquisition—systems. For critical military missions, intelligent and autonomous systems must adhere to commander intent and operate in ways that assure the integrity of mission operations. This paper shows how policy, expressed using an access-control logic, serves as a bridge between commanders and implementers. We describe an access-control logic based on a multi-agent propositional modal logic, show how policies are described, how access decisions are justified, and give examples of how concepts of operations are analyzed. Our experience is policy-based design and verification is within the reach of practicing engineers. A logical approach enables engineers to think precisely about the security and integrity of their systems and the missions they support.
Shiu-Kai Chin, Sarah Muccio, Susan Older, Thomas N. J. Vestal
Using Equivalence Relations for Corrective Enforcement of Security Policies
Abstract
In this paper, we present a new framework of runtime security policy enforcement. Building on previous studies, we examine the enforcement power of monitors able to transform their target’s execution, rather than simply accepting it if it is valid, or aborting it otherwise. We bound this ability by a restriction stating that any transformation must preserve equivalence between the monitor’s input and output. We proceed by giving examples of meaningful equivalence relations and identify the security policies that are enforceable with their use. We also relate our work to previous findings in this field. Finally, we investigate how an a priori knowledge of the target program’s behavior would increase the monitor’s enforcement power.
Raphaël Khoury, Nadia Tawbi
Model Checking of Location and Mobility Related Security Policy Specifications in Ambient Calculus
Abstract
Verification of security for mobile networks requires specification and verification of security policies in multiple-domain environments. Mobile users present challenges for specification and verification of security policies in such environments. Formal methods are expected to ensure that the construction of a system adheres to its specification. Formal methods for specification and verification of security policies ensure that the security policy is consistent and satisfied by the network elements in a given network configuration. We present a method and a model checking tool for formal specification and verification of location and mobility related security policies for mobile networks. The formal languages used for specification are Predicate Logic and Ambient Calculus. The presented tool is capable of spatial model checking of Ambient Calculus specifications for security policy rules and uses the NuSMV model checker for temporal model checking.
Devrim Unal, Ozan Akar, M. Ufuk Caglayan

Authentication, Authorization, Access Control and Public Key Cryptography

Credentials Management for High-Value Transactions
Abstract
Partner key management (PKM) is an interoperable credential management protocol for online commercial transactions of high value. PKM reinterprets traditional public key infrastructure (PKI) for use in high-value commercial transactions, which require additional controls on the use of credentials for authentication and authorization. The need for additional controls is met by the use of partner key practice statements (PKPS), which are machine-readable policy statements precisely specifying a bank’s policy for accepting and processing payment requests. As assurance is crucial for high-value transactions, we use an access-control logic to: (1) describe the protocol, (2) assure the logical consistency of the operations, and (3) to make the trust assumptions explicit.
Glenn Benson, Shiu-Kai Chin, Sean Croston, Karthick Jayaraman, Susan Older
A New Hard Problem over Non-commutative Finite Groups for Cryptographic Protocols
Abstract
A new computationally difficult problem defined over non-commutative finite groups is proposed as a cryptographic primitive. The problem is used to construct a public key agreement protocol and algorithms for public and commutative encryption. Finite non-commutative groups of four-dimensional vectors over the ground field are constructed and investigated as primitives for implementing the protocols and algorithms based on the proposed difficult problem.
Dmitriy N. Moldovyan, Nikolay A. Moldovyan
Credential Chain Discovery in RTT Trust Management Language
Abstract
The goal of this paper is to explore the potential of Role based Trust management language RTT as a means for specifying security policies and using credentials to ensure that confidential resources are not being granted to unauthorized users. The paper describes formally the syntax and semantics of the language and defines RTT credential graphs and credential chains as a means for answering security queries. Backward and forward search algorithms to build a credential chain are given.
Krzysztof Sacha
Genetic Optimization of Access Control Schemes in Virtual Local Area Networks
Abstract
The paper presents the formulation of the problem of access control to information resources located in virtual local area networks. We define the initial data, the objective function and constraints of the problem. To solve the proposed problem we suggest the method of genetic optimization of access control scheme based on the poly-chromosomal representation of intermediate points. The results of computer simulation and evaluation of the proposed method are discussed.
Igor Saenko, Igor Kotenko

Intrusion and Malware Detection

Intellectual Intrusion Detection with Sequences Alignment Methods
Abstract
The paper addresses the application of intellectual sequence alignment algorithms to the needs of intrusion detection. These algorithms are used in bioinformatics to detect regions of similarity in several gene sequences. We propose two techniques for their utilization. Using the first technique it is possible to detect mutations of an attack, given a signature of it. The second technique is applicable to anomaly detection. We discuss which sequence alignment algorithms can be used in these methods and show the effectiveness of these techniques in practice.
Yaroslav A. Markov, Maxim O. Kalinin
Symptoms-Based Detection of Bot Processes
Abstract
Botnets have become the most powerful tool for attackers to victimize countless users across cyberspace. Previous work on botnet detection has mainly focused on identifying infected bot computers or IP addresses and not on identifying bot processes on a host machine. This paper aims to fill this gap by presenting a bot process detection technique based on process symptoms such as: TCP connection attempts, DNS activities, digital signatures, unauthorized process tampering, and process hiding. We partition symptoms into sets which are input into classifiers generating individual detection models which are later appropriately integrated so as to improve the detection accuracy. The integrated approach correctly identified two bot processes and did not produce any false positives or false negatives.
Jose Andre Morales, Erhan Kartaltepe, Shouhuai Xu, Ravi Sandhu
A Comparison of Feature-Selection Methods for Intrusion Detection
Abstract
Feature selection is an important pre-processing step in intrusion detection. Achieving reduction of the number of relevant traffic features without negative effect on classification accuracy is a goal that greatly improves overall effectiveness of an intrusion detection system. A major challenge is to choose appropriate feature-selection methods that can precisely determine the relevance of features to the intrusion detection task and the redundancy between features. Two new feature selection measures suitable for the intrusion detection task have been proposed recently [11,12]: the correlation-feature-selection (CFS) measure and the minimal-redundancy-maximal-relevance (mRMR) measure. In this paper, we validate these feature selection measures by comparing them with various previously known automatic feature-selection algorithms for intrusion detection. The feature-selection algorithms involved in this comparison are the previously known SVM-wrapper, Markov-blanket and Classification & Regression Trees (CART) algorithms as well as the recently proposed generic-feature-selection (GeFS) method with 2 instances applicable in intrusion detection: the correlation-feature-selection (GeFS_CFS) and the minimal-redundancy-maximal-relevance (GeFS_mRMR) measures. Experimental results obtained over the KDD CUP'99 data set show that the generic-feature-selection (GeFS) method for intrusion detection outperforms the existing approaches by removing more than 30% of redundant features from the original data set, while keeping or yielding an even better classification accuracy.
Hai Thanh Nguyen, Slobodan Petrović, Katrin Franke
From NLP (Natural Language Processing) to MLP (Machine Language Processing)
Abstract
Natural Language Processing (NLP) in combination with Machine Learning techniques plays an important role in the field of automatic text analysis. Motivated by the successful use of NLP in solving text classification problems in the area of e-Participation and inspired by our prior work in the field of polymorphic shellcode detection we gave classical NLP-processes a trial in the special case of malicious code analysis. Any malicious program is based on some kind of machine language, ranging from manually crafted assembler code that exploits a buffer overflow to high level languages such as Javascript used in web-based attacks. We argue that well known NLP analysis processes can be modified and applied to the malware analysis domain. Similar to the NLP process we call this process Machine Language Processing (MLP). In this paper, we use our e-Participation analysis architecture, extract the various NLP techniques and adopt them for the malware analysis process. As proof-of-concept we apply the adopted framework to malicious code examples from Metasploit.
Peter Teufl, Udo Payer, Guenter Lackner

Security of Multi-agent Systems and Software Protection

Secure Multi-Agent System for Multi-Hop Environments
Abstract
Multi-agent systems allow a multitude of heterogeneous systems to collaborate in a simple manner. It is easy to provide and gather information, distribute work and coordinate tasks without bothering with the differences of the underlying systems. Unfortunately, multiple networking and security problems arise from the dynamic behavior of multi-agent systems and the distributed heterogeneous environments in which they are used. With our work we provide a solution enabling secure collaboration and agent execution as well as agent mobility in multi-hop environments. We achieve this by using a secure unstructured P2P framework as communication layer and integrating it with a well known multi-agent system.
Stefan Kraxberger, Peter Danner, Daniel Hein
In the Track of the Agent Protection: A Solution Based on Cryptographic Hardware
Abstract
Agent-based computing represents a promising paradigm for emerging ubiquitous computing and ambient intelligence scenarios due to the nature of the mobile agents that fit perfectly in these environments. However, the lack of appropriate security mechanisms is hindering the application of this paradigm in real world applications. The protection of malicious hosts is the most difficult security problem to solve in mobile agent systems. In this paper we describe our solution, which is a mechanism to solve this problem. Our work is based on a new agent migration protocol based on the use of tamper resistant cryptographic hardware. Concretely, we base our work on the use of the Trusted Computing technology. The result of our work is a library built on JADE that implements the secure migration for agents named Secure Migration Library for Agents (SecMiLiA). This library provides a friendly use of the Trusted Computing technology for agent based system developers.
Antonio Muñoz, Antonio Maña, Pablo Antón
Security and Scalability of Remote Entrusting Protection
Abstract
The paper outlines the problem of correlation between security and scalability of software protection against tampering based on the remote entrusting principles. The goal of the paper is to propose a technique that allows choosing the most effective combination of different protection methods to apply. The technique is aimed at finding a trade-off between performance of the protection mechanism and its security, ensuring both a necessary security level and an appropriate scalability. The technique encompasses the evaluation of particular protection methods belonging to the whole protection mechanism and getting quantitative metrics of their performance and security level.
Vasily Desnitsky, Igor Kotenko

Adaptive Security, Security Analysis and Virtualization

A Novel Genetic Approach to Provide Differentiated Levels of Service Resilience in IP-MPLS/WDM Networks
Abstract
This paper introduces a novel class-based method of survivable routing for connection-oriented IP-MPLS/WDM networks, called MLS-GEN-H. The algorithm is designed to provide differentiated levels of service survivability in order to respond to varying requirements of end-users. It divides the complex problem of survivable routing in IP-MPLS/WDM networks into two subproblems, one for each network layer, which enables finding the solutions in a relatively short time. A genetic approach is applied to improve the quality of results by solving the problem iteratively.
Modeling results show that, after a reasonable number of iterations, a good solution (up to 22.55% better than the initial one) is found and further improvement is hardly possible.
Wojciech Molisz, Jacek Rak
Predictive Security Analysis for Event-Driven Processes
Abstract
This paper presents an approach for predictive security analysis in a business process execution environment. It is based on operational formal models and leverages process and threat analysis and simulation techniques in order to be able to dynamically relate events from different processes and architectural layers and evaluate them with respect to security requirements. Based on this, we present a blueprint of an architecture which can provide decision support by performing dynamic simulation and analysis while considering real-time process changes. It allows for the identification of close-future security-threatening process states and will output a predictive alert for the corresponding violation.
Roland Rieke, Zaharina Stoynova
Virtual Environment Security Modeling
Abstract
Virtualization allows managing many properties of computer systems, including the security of information processing. The goal of this investigation is to state conditions under which the virtualization mechanism is able to guarantee satisfaction of the security policy. It is formally proved that if the virtual environment is untrusted, the virtualization mechanism should be run on a trusted operating system.
Dmitry Zegzhda, Ekaterina Rudina
Clarifying Integrity Control at the Trusted Information Environment
Abstract
The paper addresses the technique of integrity control based on security settings evaluation which is made over variable software components. There are formal foundations of integrity control related to finding security settings which form a trusted security environment. It also uses iterative search for security settings which are compatible and agreed with each other. Our approach results in a schema of a Security and Integrity Control System that combines principles of automated control system and security management.
Dmitry P. Zegzhda, Peter D. Zegzhda, Maxim O. Kalinin
Backmatter
Metadata
Title
Computer Network Security
Edited by
Igor Kotenko
Victor Skormin
Copyright year
2010
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-14706-7
Print ISBN
978-3-642-14705-0
DOI
https://doi.org/10.1007/978-3-642-14706-7