Abstract
Determining whether a user or system is exercising appropriate security practices is difficult in any context. Such difficulties are particularly pronounced when uncontrolled or unknown platforms join public networks. Commonly practiced techniques used to vet these hosts, such as system scans, have the potential to infringe on the privacy of users. In this article, we show that it is possible for clients to prove both the presence and proper functioning of security infrastructure without allowing unrestricted access to their system. We demonstrate this approach, specifically applied to antivirus security, by requiring clients seeking admission to a network to positively identify the presence or absence of malcode in a series of puzzles. The implementation of this mechanism and its application to real networks are also explored. In so doing, we demonstrate that it is not necessary for an administrator to be invasive to determine whether a client implements required security practices.
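The admission mechanism the abstract sketches (the network challenges a joining host with a series of puzzles and admits it only if the host's own antivirus correctly labels which puzzles contain malcode) can be modelled end to end. The following is an added toy model, not code from the paper or its implementation: the puzzle format, the constructed marker string `MALCODE_MARKER`, the class names `AdmissionServer` and `SignatureScanner`, the all-or-nothing admission rule, and the 50/50 infected/clean split are all assumptions made here for illustration.

```python
"""Toy model of puzzle-based proof that a client runs a working scanner.

Added illustration; nothing here is the paper's actual protocol.  The
verifier chooses the inputs and remembers the answer key, the client
returns only verdicts, and the verifier never inspects the client's disk.
"""
import random
from dataclasses import dataclass

# Constructed stand-in for a malware signature (an assumption of this
# example).  A real deployment would use a recognised antivirus test
# string and the client's real signature database.
MALCODE_MARKER = b"CONSTRUCTED-MALCODE-MARKER-0001"


@dataclass
class Puzzle:
    puzzle_id: int
    payload: bytes


class AdmissionServer:
    """Network-side verifier: builds puzzles, keeps the answer key,
    and judges the client solely on its verdicts."""

    def __init__(self, n_puzzles: int = 16, seed: int = 7) -> None:
        self.rng = random.Random(seed)   # fixed seed so the run is repeatable
        self.n_puzzles = n_puzzles
        self.answer_key: dict[int, bool] = {}

    def issue_puzzles(self) -> list[Puzzle]:
        # Half the puzzles carry the marker, half are clean, in shuffled
        # order, so a client that always answers "clean" cannot pass.
        flags = [True] * (self.n_puzzles // 2)
        flags += [False] * (self.n_puzzles - len(flags))
        self.rng.shuffle(flags)

        puzzles = []
        for pid, infected in enumerate(flags):
            filler = bytes(self.rng.getrandbits(8) for _ in range(64))
            if infected:
                cut = self.rng.randrange(len(filler))
                payload = filler[:cut] + MALCODE_MARKER + filler[cut:]
            else:
                payload = filler
            self.answer_key[pid] = infected
            puzzles.append(Puzzle(pid, payload))
        return puzzles

    def verify(self, verdicts: dict[int, bool]) -> bool:
        """Admit only if every puzzle was answered and every verdict is right."""
        if set(verdicts) != set(self.answer_key):
            return False
        return all(verdicts[pid] == self.answer_key[pid]
                   for pid in self.answer_key)


class SignatureScanner:
    """Stand-in for the client's antivirus engine: a byte-signature matcher."""

    def __init__(self, signatures: list[bytes]) -> None:
        self.signatures = signatures

    def is_infected(self, data: bytes) -> bool:
        return any(sig in data for sig in self.signatures)


def client_solve(puzzles: list[Puzzle], scanner: SignatureScanner) -> dict[int, bool]:
    """A properly protected client scans each puzzle and reports its verdict."""
    return {p.puzzle_id: scanner.is_infected(p.payload) for p in puzzles}


def client_without_av(puzzles: list[Puzzle]) -> dict[int, bool]:
    """A host with no scanner can only claim that everything is clean."""
    return {p.puzzle_id: False for p in puzzles}


def run_admission(client_fn, n_puzzles: int = 16, seed: int = 7) -> bool:
    """One full exchange: issue puzzles, collect verdicts, decide admission."""
    server = AdmissionServer(n_puzzles, seed)
    puzzles = server.issue_puzzles()
    return server.verify(client_fn(puzzles))


if __name__ == "__main__":
    current = SignatureScanner([MALCODE_MARKER])
    stale = SignatureScanner([b"OLD-SIGNATURE-ONLY"])   # out-of-date database
    print("up-to-date scanner admitted:", run_admission(lambda ps: client_solve(ps, current)))
    print("no scanner admitted:        ", run_admission(client_without_av))
    print("stale scanner admitted:     ", run_admission(lambda ps: client_solve(ps, stale)))
```

The point a defender should take from the model is in `AdmissionServer.verify`: the verifier learns nothing about the client beyond its answers to inputs the verifier itself constructed, yet a host with no scanner, or one whose signature database is stale, fails the challenge. Because every puzzle is generated fresh per session, a client cannot replay verdicts from an earlier run; with real signatures the puzzle set would also need to be large and varied enough that guessing is not a viable strategy.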