CERIAS Security Seminar Podcast

Christine Task, "A Practical Beginners' Guide to Differential Privacy"

Wed, 25 Apr 2012 17:30:00 PDT

Differential privacy is a very powerful approach to protecting individual privacy in data-mining; it's also an approach that hasn't seen much application outside academic circles. There's a reason for this: many people aren't quite certain how it works. Uncertainty poses a serious problem when considering the public release of sensitive data. Intuitively, differentially private data-mining applications protect individuals by injecting noise which "covers up" the impact any individual can have on the query results. In this talk, I will discuss the concrete details of how this is accomplished, exactly what it does and does not guarantee, common mistakes and misconceptions, and give a brief overview of useful differentially privatized data-mining techniques. This talk will be accessible to researchers from all domains; no previous background in statistics or probability theory is assumed. My goal in this presentation is to offer a short-cut to researchers who would like to apply differential privacy to their work and thus enable a broader adoption of this powerful tool.

Steve Battista, "What firmware exists in your computer and how the fight for your systems will be below your operating system"

Wed, 18 Apr 2012 17:30:00 PDT

Many security professionals look to software on hardrives as the source of compromise. To detect compromises, they use systems to check the hashes of all files on disk, When a machine is compromised, they wipe the hardrive, and assume that the machine in clean. The battlefield between attackers and defenders is moving to the firmware level. This presentation will explore what firmware exists in your computer and how the fight for your systems will be below your operating system and what can be done about this.

Traian Truta, ": K-Anonymity in Social Networks: A Clustering Approach"

Wed, 11 Apr 2012 17:30:00 PDT

The proliferation of social networks, where individuals share private information, has caused, in the last few years, a growth in the volume of sensitive data being stored in these networks. As users subscribe to more services and connect more with their friends, families, and colleagues, the desire to use this information from the networks has increased. Online social interaction has become very popular around the globe and most sociologists agree that this will not fade away. Social network sites gather confidential information from their users (for instance, the social network site PacientsLikeMe collects confidential health information) and, as a result, social network data has begun to be analyzed from a different, specific privacy perspective. Since the individual entities in social networks, besides the attribute values that characterize them, also have relationships with other entities, the risk of disclosure increases. In this talk we present a greedy algorithm for anonymizing a social network and a measure that quantifies the information loss in the anonymization process due to edge generalization.

Nabeel Mohamed, "Privacy preserving attribute based group key management"

Wed, 28 Mar 2012 17:30:00 PDT

Group key management (GKM) is a fundamental building block in any secure group communication applications. In fact, successful management of group keys is critical to the security of any cryptosystem. In this talk, I will first give an overview of the traditional GKM approaches and their limitations to support current technological trends and large dynamic systems. Then I will present a new approach to GKM that is expressive and privacy preserving. The talk is based on our work appeared in ICDE 2010, CCS 2011 and CollaborateCom 2011.

Randall Brooks, "Adding a Software Assurance Dimension to Supply Chain Practices"

Wed, 21 Mar 2012 17:30:00 PDT

There is a long history of supply chain management, from which many related policies, practices, processes, and enabling artifacts have been developed and employed by those business enterprises that acquire hardware and software components from a third party. Traditionally, Supply Chain Risk Management (SCRM) has been the focal point of supply chain practices and has focused on business and contractual issues, although recent efforts have increasingly included engineering expertise for product quality evaluations. This presentation advocates the introduction of a security assurance dimension to the SCRM process. It does not, however, propose the addition of an independent, parallel track of SCRM process for security assurance evaluation, but rather practical steps for augmenting those SCRM processes that already exist. Just as is the case in legacy SCRM, the cyber dimension of SCRM is based on assessing and balancing risk vs. cost. The goal is to minimize the added costs associated with improved information assurance by efficiently incorporating relevant practices industry, government, and academia to provide a security assurance dimension into the supply chain process. SCRM-relevant industry and government practices will be presented in this paper in such a way that supply chain staff can easily make use of them, even without a background in information security. Also, it will be clearly noted when subcontract management, information assurance engineering, or other business or technical expertise may be needed to complement traditional supply chain activities in the pursuit of cyber-based SCRM. Points of discussion common to both hardware and to software component acquisition will include: 1. Acquirer business risk 2. End customer mission criticality and mission assurance 3. Subcontract management 4. Supplier secure development assessment 5. Supplier management practices for their suppliers 6. Supplier business assessment 7. Product assessment Points of discussion peculiar to hardware component acquisition will include: 1. Quality vs. counterfeiting vs. malicious alteration 2. ASICS, FPGAs, and microprocessors 3. Information storage in volatile memory 4. Information storage in non-volatile memory and permanent disk storage Points of discussion peculiar to software component acquisition will include: 1. COTS, contracted software, open source, and freeware 2. Software pedigree and provenance 3. License management of open source

Chenyun Dai, "Privacy-Preserving Assessment of Location Data Trustworthiness"

Wed, 07 Mar 2012 18:30:00 PST

Assessing the trustworthiness of location data corresponding to individuals is essential in several applications, such as forensic science and epidemic control. To obtain accurate and trustworthy location data, analysts must often gather and correlate information from several independent sources, e.g., physical observation, witness testimony, surveillance footage, etc. However, such information may be fraudulent, its accuracy may be low, and its volume may be insufﬁcient to ensure highly trustworthy data. On the other hand, recent advancements in mobile computing and positioning systems, e.g., GPS-enabled cell phones, highway sensors, etc., bring new and effective technological means to track the location of an individual. Nevertheless, collection and sharing of such data must be done in ways that do not violate an individual’s right to personal privacy. Previous research efforts acknowledged the importance of assessing location data trustworthiness, but they assume that data is available to the analyst in direct, unperturbed form. However, such an assumption is not realistic, due to the fact that repositories of personal location data must conform to privacy regulations. In this work, we study the challenging problem of reﬁning trustworthiness of location data with the help of large repositories of anonymized information. We show how two important trustworthiness evaluation techniques, namely common pattern analysis and conﬂict/support analysis, can beneﬁt from the use of anonymized location data. We have implemented a prototype of the proposed privacy-preserving trustworthiness evaluation techniques, and the experimental results demonstrate that using anonymized data can signiﬁcantly help in improving the accuracy of location trustworthiness assessment.

Nishanth Chandran, "Cryptographic protocols in the era of cloud computing"

Wed, 29 Feb 2012 18:30:00 PST

With the advent of cloud computing, our view of cryptographic protocols has changed dramatically. In this talk, I will give an overview of some of the newer challenges that we face in cloud cryptography and outline some of the techniques used to solve these problems. In particular, a few questions that I will address are: 1) How can we store sensitive data in the cloud, in an encrypted manner, and yet allow controlled access to certain portions of this data? 2) How can we ensure reliability of data across cloud servers that may be connected by only a low-degree communication network, even when some of the servers may become corrupted? 3) How can users authenticate themselves to the cloud in a user-friendly way? This talk will assume no prior knowledge of cryptography and is based on works that appear at TCC 2012, ICALP 2010 and STOC 2010.

Ben Calloni, "Vulnerability Path and Assessment"

Wed, 22 Feb 2012 18:30:00 PST

US Government, Department of Defense, and Enterprise computer systems must be trusted to protect data with varying levels of sensitivity / security. Affordability requirements are driving the need to incorporate many diverse commercial software products of unknown quality and pedigree into said systems. While there exist many Static Code Analysis products, the depth, rigor, and coverage of these tools is incomplete and inconsistent. In addition, finding and eliminating computer flaws or weaknesses is not the same as determining true vulnerabilities. Further there is significant cost reduction that can occur if automated support for establishing the case for trust and assurance can be achieved. The collection of evolving standards known as the OMG Software Assurance (SwA) Ecosystem is supported and endorsed by AFRL, NIST, SEI, OSD/NII, and DHS Cyber Security Division among others. The SwA Ecosystem defines several standard protocols to enable interoperability for tools, services and security researchers in developing, exchanging and utilizing machine-readable content (e.g. vulnerability patterns, enumerations, rules) for security assurance of existing software based systems. This standard-based plug-and-play framework integrates software analysis and data mining tools and facilitates highly automated fact-oriented approach to assurance by providing traceability link between assurance claims and high-fidelity system facts as evidence to justify assurance claims. This presentation will focus on the work funded by AFRL and OSD/NII to addressing the Vulnerability Path Assessment piece of the Ecosystem.

Simson Garfinkel, "Forensic Carving of Network Packets with bulk_extractor and tcpflow"

Wed, 15 Feb 2012 18:30:00 PST

Using validated carving techniques, we show that popular operating systems (\eg Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system's LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and a readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.

Kelley Misata, "Digital Citizenship: A Target's View of Security and Life Online"

Wed, 08 Feb 2012 18:30:00 PST

As technological advancements continue to expand the range of information access, issues of privacy and cyber security have risen to the forefront. Technology is only one part of a larger conversation. Looking through a different lens, consider the humans behind the machines. Technology can now be used with unprecedented ease and anonymity as a malicious vehicle to harass, defame and stalk. This presentation recounts the very personal and in-depth journey of a target of cyberstalking whose efforts to navigate within the system have been met with both successes and failures. Learn the profound impact this journey has had on life online as well as off, catalyzing a shift in perspective from fear to redefining responsible digital citizenship. The conversation will provide new insights into security issues, communication, and business management, as well as the limitations of the systems currently in place.

George Vanecek, "Is it time to add Trust to the Future Internet/Web?"

Wed, 01 Feb 2012 18:30:00 PST

The future web, and Internet, are undergoing a humanization of their technologies which increasingly make their services more personalized, individualized and transparent. This is jointly fueled by the inexpensive yet easily accessible huge computing and storage capacities in clouds, the adoption of personal, mobile smart devices used across consumer/enterprise interchangeably, and the emergence of personal agents and services attaining personalized perception of the real-world and its control on behalf of the users. In this human/machine convergences, trust is being recognized as potentially playing a huge role in addressing future human/machine security, commerce and social on-line issues. However, trust has been adopted only partially and independently by certain services and not made integral in the fabric of the Internet or the web. This talk explores the technical and social issues for the establishment of a ubiquitous trust network in the Future Internet. The talk reviews necessary technologies from the Semantic Web, Intercloud, and broader Identity methodologies, and provides a number of use cases for how the Future Internet would benefit from the trust network.

Frank Tompa, "A Flexible System for Access Control"

Wed, 25 Jan 2012 18:30:00 PST

A variety of mechanisms have been used in access control systems to support enterprises' diverse security needs. For example, some enterprises might allow individual users to assign privileges on files that they own, whereas others might require that permissions be granted and revoked by security administrators only; some enterprises wish to operate under closed access policies (where permission is denied unless explicitly granted), whereas others prefer to allow access only if the number of positive authorizations exceeds the number of negative ones. We will explore two frameworks, namely creation time policies and conflict resolution policies, that together allow software vendors to support a wide variety of discretionary access control mechanisms using a single code base.

Salmin Sultana, " Secure Provenance Transmission for Data Streams"

Wed, 18 Jan 2012 18:30:00 PST

Many application domains, such as real-time financial analysis, e-healthcare systems, sensor networks, are characterized by continuous data streaming from multiple sources and through intermediate processing by multiple aggregators. Keeping track of data provenance in such highly dynamic context is an important requirement, since data provenance is a key factor in assessing data trustworthiness which is crucial for many applications. Provenance management for streaming data requires addressing several challenges, including the assurance of high processing throughput, low bandwidth consumption, storage efficiency and secure transmission. In this talk, I will discuss a novel approach to securely transmit provenance for streaming data (focusing on sensor network) by embedding provenance into the inter-packet timing domain while addressing the above mentioned issues. As provenance is hidden in another host-medium, our solution can be conceptualized as watermarking technique. However, unlike traditional watermarking approaches, we embed provenance over the inter-packet delays rather than in the sensor data themselves, hence avoiding the problem of data degradation due to watermarking. Provenance is extracted by the data receiver utilizing an optimal threshold-based mechanism which minimizes the probability of provenance decoding errors. The resiliency of the scheme against outside and inside attackers is established through an extensive security analysis. Experiments show that our technique can recover provenance upto a certain level against perturbations to inter-packet timing characteristics.

Stephen Elliott, ""Introduction to Biometrics""

Wed, 11 Jan 2012 18:30:00 PST

A discussion about biometrics, performance and error. Learn more about biometric technologies and challenges related to performance.

Apu Kapadia, "Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones"

Wed, 30 Nov 2011 18:30:00 PST

We introduce Soundcomber, a "sensory malware" for smartphones that uses the microphone to steal private information from phone conversations. Soundcomber is lightweight and stealthy. It uses targeted profiles to locally analyze portions of speech likely to contain information such as credit card numbers. It evades known defenses by transferring small amounts of private data to the malware server utilizing smartphone-specific covert channels. Additionally, we present a general defensive architecture that prevents such sensory malware attacks.

Loukas Lazos, "Jam me if you can: Mitigating the Impact of Inside Jammers"

Wed, 16 Nov 2011 18:30:00 PST

The open nature of the wireless medium leaves wireless communications exposed to interference caused by the concurrent operation of co-located wireless devices over the same frequency bands. While unintentional signal interference is managed at the physical and mac layers using an array of techniques (advanced signal processing, channel coding and error correction, spread spectrum communications, multiple access protocols, etc.), in a hostile environment, wireless communications remain vulnerable to intentional interference attacks typically referred to as jamming. Jamming can take the form of an external attack launched by "foreign" devices that are unaware of the network secrets (e.g., cryptographic credentials) or its protocols. Such external attacks are relatively easy to neutralize through a combination of cryptography-based measures and spreading techniques. In contrast, when jamming attacks are launched from compromised nodes, they are much more sophisticated in nature. These attacks exploit knowledge of network secrets (e.g., cryptographic keys and pseudo-random spreading codes) and its protocol semantics to maximize their detrimental impact by selectively and adaptively targeting critical data transmissions. In this talk, we discuss the feasibility and impact of selective jamming attacks in the presence of inside adversaries. The attacker's selectivity is considered at different granularities, namely on a per-channel basis and on a per-packet basis. We describe several mitigation methods that do not rely on the existence of shared secrets, but defeat selectivity via a combination of temporary packet hiding and uncoordinated frequency hopping.

Zhongshu Gu, "Process Implanting: A New Active Introspection Framework for Virtualization"

Wed, 09 Nov 2011 18:30:00 PST

Previous research on virtual machine introspection proposed "out-of-box" approach by moving out security tools from the guest operating system. However, compared to the traditional "in-the-box" approach, it remains a challenge to obtain a complete semantic view due to the semantic gap between the guest VM and the hypervisor. In this paper, we present Process Implanting, a new active VM introspection framework, to narrow the semantic gap by implanting a process from the host into the guest VM and executing it under the cover of an existing running process. With the protection and coordination from the hypervisor, the implanted process can run with a degree of stealthiness and exit gracefully without leaving negative impact on the guest operating system. We have designed and implemented a proof-of-concept prototype on KVM which leverages hardware virtualization. We also propose and demonstrate application scenarios for Process Implanting in the area of VM security.

Morgan Greenwood, "SureView AMP, Active Malware Protection, detecting malware anti virus solutions miss"

Wed, 02 Nov 2011 17:30:00 PDT

Learn how organization's proactivly protect against malware that traditional signature-based anti virus solutions miss.

Sheila Becker, "Securing Application-Level Topology Estimation Networks: Facing the Frog-Boiling Attack"

Wed, 26 Oct 2011 17:30:00 PDT

Peer-to-peer real-time communication and media streaming applications optimize their performance by using application-level topology estimation services such as virtual coordinate systems. Virtual coordinate systems allow nodes in a peer-to-peer network to accurately predict latency between arbitrary nodes without the need of performing extensive measurements. However, systems that leverage virtual coordinates as supporting building blocks, are prone to attacks conducted by compromised nodes that aim at disrupting, eavesdropping, or mangling with the underlying communications. Recent research proposed techniques to mitigate basic attacks (inflation, deflation, oscillation) considering a single attack strategy model where attackers perform only one type of attack. In this work we explore supervised machine learning techniques to mitigate more subtle yet highly effective attacks (frog-boiling, network-partition) that are able to bypass existing defenses. We evaluate our techniques on the Vivaldi system against a more complex attack strategy model, where attackers perform sequences of all known attacks against virtual coordinate systems, using both simulations and Internet deployments.

Julia M. Taylor, Victor Raskin, and Eugene H. Spafford, "Ontological Semantic Technology Goes Phishing"

Wed, 19 Oct 2011 17:30:00 PDT

The talk reports on an early stage of on-going research on the application of computational semantic techniques to detect phishing, i. e., mass mailings intended to sweep up personal details for later malicious use by the phishers themselves or their potential customers. Our personal experience as targets of phishing has shown that the texts are getting increasingly polished, plausible, and sophisticated, often making it difficult even for humans to tell phishing from bona fide, if unadvised messages. In this talk, we will demonstrate, on a few examples, how Ontological Semantic Technology can help to achieve machine natural language understanding that allows the computer to match and, augmented by the best existing technologies, possibly exceed human ability to detect the meaning-based clues pointing to phishing and to reason accordingly. We will also discuss the problem of automatic phishing detection and share our thoughts on applying the most feasible and promising techniques on a large corpus of phishing emails.

Dan McWhorter and Steve Surdu, "Enterprise-Wide Intrusions Involving Advanced Threats"

Wed, 12 Oct 2011 17:30:00 PDT

Since early 2010 Google, Sony, Epsilon CitiBank, International Monetary Fund, RSA, various law enforcement agencies and many other organizations have been compromised by different attack groups. These groups include hacktivist organizations like Anonymous, Eastern European organized crime and state-sponsored teams referred to as the Advanced Persistent Threat. Mandiant will draw upon investigations it has conducted over the last eighteen months to: Illustrate major differences among the attack groups Describe the tactics attackers use to breach their victims Outline the investigative approaches required to contain active attack groups Detail remediation techniques that are most successful at removing attackers from the networks. The information covered will not be theoretical. All the material will anonymously reference actual cases Mandiant has conducted – some of which have not received media attention to date.

Hal Aldridge, "Trusted Computing and Security for Embedded Systems"

Wed, 05 Oct 2011 17:30:00 PDT

Computer hardware and software that perform real-world functions such as flight control, telecommunications switching, and network routing form a class of systems called embedded systems. These embedded systems have challenges that differ from general purpose computing. The security challenges of embedded systems have become a topic of concern in critical infrastructure such as SmartGrid. This presentation will discuss the embedded systems security challenges and a possible solution, Trusted Computing. Trusted Computing provides a tight coupling of hardware and software for security which can provide significant security enhancements over software only solutions and is highly applicable to embedded systems.

Xukai Zou, "Weighted Multiple Secret Sharing"

Wed, 28 Sep 2011 17:30:00 PDT

Secret sharing is important in information and network security and has broad applications in the real world. Since an elegant secret sharing mechanism was first proposed by Shamir in 1979 (also Blakley did the similar work then), many schemes have appeared in literature. These schemes deal with either single or multiple secrets and their shares have either the same weight or different weights. Weighted shares mean that different shares have different capabilities in recovering the secret(s) -- a more (less) weighted share needs fewer (more) other shares to recover the secret(s). In this talk, we will first discuss two primary categories of (representative) methods implementing secret sharing: polynomial based, i.e., Shamir’s scheme, and Chinese Remainder Theorem (CRT) based, i.e., Mignotte's scheme. Then we present a new CRT based weighted multiple secret sharing scheme, based on the identification of a direct relation between the length (i.e., the number of bits) and the weight of shares. The new scheme can also be naturally applied to other cases such as sharing a single secret with same-weight shares and is remarkably simple and easy to implement. Compared to both Shamir's scheme and Mignotte's scheme, the new scheme is more efficient than both schemes in share computation and more efficient than Shamir's scheme (and as efficient as Mignotte's scheme) in secret recovery. One prominent and unique advantage of the new scheme is that it admits non-whole number weights which the existing schemes have not offered. Thus, the sizes of shares can vary distantly in fine-tuned granularity to fit different requirements and constraints of various devices such as sensors, PDAs, cell phones, iPads and to allow the new scheme to apply to broader applications involving wireless/sensor networks and pervasive computing.

Joe Leonard, " Methods and Techniques for Protecting Data in Real Time on the Wire"

Wed, 21 Sep 2011 17:30:00 PDT

The ongoing explosion of data and information throughout the enterprise is undeniable. Sensitive data, whether structured or unstructured, finds itself replicated and dispersed. This creates a challenge for information security professionals to prevent the flow of this information to unauthorized or inappropriate destinations. The security community has made great progress in protecting this data and information while it is at rest or in use. But ... is there more that can be done? Companies are now asking, "Who moved my data and where did it go? Was it an appropriate flow from one internal department to another? Was the flow intended for a trusted business partner? Or ... was my data heading for an unknown destination, a competitor or a pool of cybercriminals?" End point controls, access controls, database monitoring and encryption are all important components of a solid layered security approach. However tools that provide visibility and control over "data in motion" deliver critical capabilities that none of these other components can adequately address. When prioritizing various components or layers of an information security implementation, it has been argued that a solid "data in motion" component can provide 80% of the bang for 20% of the buck (and effort!) This presentation focuses on methods and techniques in wire speed detection and control of data in motion. The presentation will include: approaches to detecting simple patterns emphasizing low false positives advances in wire speed pattern matching enabling protection of specific fields or combination of fields in a database policy designs that combine network application controls with content identification and control wire speed blocking that does not require a proxy

David Zage, "What does Knowledge Discovery, Predictability, and Human Behavior have to do with Computer Security"

Wed, 14 Sep 2011 17:30:00 PDT

Vast resources are devoted to predicting human behavior in domains such as economics, popular culture, and national security, but the quality of such predictions is often poor. Thus, it is tempting to conclude that this inability to make good predictions is a consequence of some fundamental lack of predictability on the part of humans. However, recent work offers evidence that the failure of standard prediction methods does not indicate an absence of human predictability but instead reflects: 1. misunderstandings regarding which features of human dynamics actually possess predictive power 2. the fact that, until recently, it has not been possible to measure these predictive features in real world settings. This talk introduces some of the science behind these basic observations and demonstrates their utility in various case studies. We begin by considering social groups in which individuals are influenced by the behavior of others. Correctly identify and understanding the social forces in these situations can increase the extent to which the outcome of a social process can be predicted in its very early stages. This finding is then leveraged to design prediction methods which outperform existing techniques for predicting social network dynamics. We also look at the analysis of the predictability of adversary behavior in the co-evolutionary "arms races" that exist between attackers and defenders in many domains. Our analysis reveals that conventional wisdom regarding these co-evolving systems is incomplete, and provides insights which enable the development of predictive methods for computer network security.

Steven Gianvecchio, "Detecting Bots in Online Games using Human Observational Proofs"

Wed, 07 Sep 2011 17:30:00 PDT

The abuse of online games by automated programs, known as bots, has grown significantly in recent years. The conventional methods for distinguishing bots from humans, such as CAPTCHAs, are not effective in a gaming context. This talk presents a non-interactive approach based on human observational proofs for continuous game bot detection. HOPs differentiate bots from human players by passively monitoring input actions that are difficult for current bots to perform in a human-like manner. The talk describes a prototype HOP-based game bot defense system that analyzes user-input actions with a cascade-correlation neural network to distinguish bots from humans. The experimental results show that the HOP system is effective in capturing game bots in World of Warcraft, raising the bar against game exploits and forcing attackers to build more complicated bots for detection evasion in the future.

Tamir Tassa, "Non-homogeneous anonymizations"

Wed, 31 Aug 2011 17:30:00 PDT

Privacy Preserving Data Publishing (PPDP) is an evolving research field that is targeted at developing anonymization techniques to enable publishing data so that privacy is preserved while data distortion is minimized. Up until recently most of the research on PPDP considered partition-based anonymization models. The approach in such models is to partition the database records into groups and then homogeneously generalize the quasi-identifiers in all records within a group, as a countermeasure against linking attacks. We describe in this talk alternative anonymization models which are not based on partitioning and homogeneous generalization. Such models extend the set of acceptable anonymizations of a given table, whence they allow achieving similar privacy goals with much less information loss. We shall briefly review the basic models of homogeneous anonymization (e.g. k-anonymity and l-diversity) and then define non-homogeneous anonymization, discuss its privacy, describe algorithms and demonstrate the advantage of such anonymizations in reducing the information loss. We shall then discuss the usefulness of those models for data mining purposes. In particular, we will show that the reduced information loss that characterizes such anonymizations translates also to enhanced accuracy when using the anonymized tables to learn classification models. Based on joint works with Aris Gionis, Arnon Mazza, Mark Last and Sasha Zhmudyak

Scott Hollenbeck, "Provisioning Protocol Challenges in an Era of gTLD Expansion"

Wed, 24 Aug 2011 17:30:00 PDT

The number of generic top-level domains in the Internet's Domain Name System has been increasing slowly since 2000. In July 2011 the Internet Corporation for Assigned Names and Numbers (ICANN) approved a long-awaited plan to significantly increase the number of generic top-level domain names. With a specific focus on users of the Extensible Provisioning Protocol (EPP), this presentation will describe the practical challenges faced by participants in the domain name provisioning ecosystem in the face of evolving domain name management requirements.

Eric Katz, "Mobile Phones and Evidence Preservation"

Wed, 27 Apr 2011 17:30:00 PDT

Jose Fernandez, ""Semantic Security: or How I Learned to Stop Worrying and Looooooove the Internet""

Wed, 20 Apr 2011 17:30:00 PDT

My late friend Robert Garigue, a pioneer of Information Warfare and one of the most original and visionary corporate Chief Information Security Officer, first described the notion a "semantic attack" as the eventual non plus ultra in the hacking arsenal. Semantic attacks do not target directly the information-carrying or information-bearing portions of a system, but rather those components of the system that give it meaning and value; i.e. the semantic components that help us, among other things, establish and maintain truth and trust. When Garigue first coined the phrase "Hack not system, hack the belief system" many of us misinterpreted this as a cry for addressing the non-electronic non-technological "soft" components of the system, i.e. humans and their decision making cycles. In fact, social engineering, phishing attacks and other forms of internet-based cons are in some sense instances of such cyber-mediated attacks on the "meat computers" we have in our brains. However, reality is fast catching up with Science Fiction, and our decision making whether as citizens in a democracy, consumers, military leaders, politicians, businessmen and even intellectuals, is increasingly depending on Internet-based sources and systems. Our increased use and reliance on search engines, social networks, blogospheres, wikis and other non traditional media, for our daily decision making has made it such that an increased portion of the semantic system is computer-based. How are we to define, evaluate or measure the security of these new cybernetic semantic components? Join me on a highly speculative tour of "Semantic Security" (tm), a new subfield of Computer Security, ripe with lots of low-hanging, easily solvable research problems. Believe me!!

Ronda R. Henning, "FuzzyFusion™, an application architecture for multisource information fusion"

Wed, 13 Apr 2011 17:30:00 PDT

The correlation of information from disparate sources has long been an issue in data fusion research. Traditional data fusion addresses the correlation of information from sources as diverse as single-purpose sensors to all-source multi-media information. Information system vulnerability information is similar in its diversity of sources and content, and in the desire to draw a meaningful conclusion, namely, the security posture of the system under inspection. FuzzyFusion™, a data fusion model that is being applied to the computer network operations domain is presented. This model has been successfully prototyped in an applied research environment and represents a next generation assurance tool for system and network security.

Carter Bullard, "Society, Law Enforcement and the Internet: Models for Give and Take"

Wed, 06 Apr 2011 17:30:00 PDT

Krannert Auditorium, Purdue University, West Lafayette, IN The interaction of society, law enforcement and telecommunications has evolved over the last 140 years to a successful balance of give and take. Society gives, providing well-defined processes and procedures that allow the government, law enforcement and citizens regulated access to information routinely collected by telecommunications service providers. And society benefits, where its justice systems can effectively use the information in support of criminal investigations and civil dispute resolutions. Internet technology has been designed, developed and deployed without any consideration to this relationship, and the technical and social void that has emerged isactively being exploited, reducing the security of the Internet, and the natural compensatory actions threaten innovation and privacy. Our presentation discusses how a comprehensive policy regarding Internet communications identifying information (CII), could align the Internet with the existing public private partnerships that have evolved, minimizing the threats to privacy that an Internet ‘wiretapping’ strategy alone could generate.

Kim Trieu, "Wireless Technologies and how it relates to cyber security research"

Wed, 23 Mar 2011 17:30:00 PDT

If you are interested in what cyber-related technologies will be most relevant at the time you graduate, and where many of the cutting-edge jobs will be, then this talk will be of interest. This presentation will be a high level view of where Lockheed Martin and what where we think the government is heading in terms of Cyber security and especially in wireless technologies realm such as Wi-Fi, Cellular, Wi-Max, and Zigbee communications. This presentation will also discuss the cyber capabilities in Hanover, MD and the new NexGen cyber security center in Gaithersburg. The presentation will lead into how some of our interns contributed to the cyber arena and later were hired and became permanent members of the Lockheed team. We would like the talk to be as interactive as possible to help answer questions from students and graduates on cyber security topics and how Lockheed Martin can help those starting their careers in the cyber security domain.

Michael Schearer, "Exploiting Banners for Fun and Profits"

Wed, 09 Mar 2011 18:30:00 PST

SHODAN is a computer search engine. But it is unlike any other search engine. While other search engines scour the web for content, SHODAN scans for information about the sites themselves. The result is a search engine that aggregates banners from well-known services. This presentation will focus on the applications of SHODAN to penetration testers, and in particular will detail a number of case studies demonstrating passive vulnerability analysis including default passwords, descriptive banners, and complete pwnage. For penetration testers, SHODAN is a game-changer, and a goldmine of potential vulnerabilities.

Casey Deccio, ""Modeling DNS Security: Misconfiguration, Availability, and Visualization""

Wed, 02 Mar 2011 18:30:00 PST

The Domain Name System (DNS) is one of the components most critical to Internet functionality. The ubiquity of the DNS necessitates both the accuracy and availability of responses. While the DNS Security Extensions (DNSSEC) add authentication to the DNS, they also increase the complexity of an already complex name resolution system. Many deployments have suffered from server misconfiguration or maintenance neglect which increase the likelihood of name resolution failure for a domain name, even if servers are responsive. Our research introduces metrics for quantifying DNSSEC availability and evaluates these metrics on production signed DNS zones to show the pervasiveness of misconfiguration. We present methodology for increasing robustness of name resolution in the presence of DNSSEC misconfiguration. In our survey of production signed zones, we observe that nearly one-third of the validation errors detected might be mitigated using the technique proposed in our research. As part of my talk, I will also demo an online DNS visualization tool designed to assist administrators in identifying critical issues with their DNSSEC deployments. This is joint work with researchers at UC Davis and Intel Corporation.

Jan Vitek, "A couple of results about JavaScript"

Wed, 23 Feb 2011 18:30:00 PST

This talk will summarize two recent results on JavaScript. "The Eval that Men Do": Transforming text into executable code with a function such as JavaScript’s eval endows programmers with the ability to extend applications, at any time, and in almost any way they choose. But this expressive power comes at a price. Reasoning about the dynamic behavior of programs that use this features becomes difficult. A better understanding of how eval is used could lead to increased performance and security. I will report on a large-scale study of the use of eval in JavaScript-based web applications. We have recorded the behavior 317 MB of strings given as arguments to 481,844 calls to the eval function. We provide statistics on the nature and content of strings used in eval expressions, as well as their provenance and data obtained by observing their dynamic behavior. "Flexible Access Control Policies with Delimited Histories and Revocation": Providing security guarantees for software systems built out of untrusted components requires the ability to enforce fine-grained access control policies. This is evident in Web 2.0 applications where JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure which allows users and content providers to specify access control policies over delimited histories and allows for revocation of the history, and reversion to a safe state if a violation is detected. We report on an empirical evaluation in the context of a production browser. We show examples of security policies which prevent real attacks without imposing drastic restrictions on legacy applications. We have evaluated our proposal with two non-trivial policies on 50 of the Alexa top websites with no changes to the legacy JavaScript code. Between 72% and 84% of the sites were fully functional, and only 1 site was rendered non-functional.

Fariborz Farahmand, "Understanding insiders: An analysis of risk-taking behavior *"

Wed, 09 Feb 2011 18:30:00 PST

There is considerable research being conducted on insider threats directed to developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies are meeting their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to a conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between perceived risk and benefit by insiders and that their behavior cannot be explained well by the models that are based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating that model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders’ perceptions of risk and benefit, their risk-taking behavior and how to frame insider decisions. Finally, we recommend understanding risk of detection and creating a fair working environment to reduce the likelihood of committing criminal acts by insiders.

Torsten Braun, "User and Machine Authentication and Authorization Infrastructure for Distributed Testbeds"

Wed, 26 Jan 2011 18:30:00 PST

The Wisebed wireless sensor network testbed provides a federated experimentation facility covering several European universities. For scalable management of access control we have designed and implemented a single-sign-on and attribute-based authentication and authorization infrastructure based on the Shibboleth software, which has been developed by the Internet2 Middleware Initiative. Shibboleth is usually used for protecting browser-based access of web resources. We have designed and implemented an extension to protect web services using the Simple Object Access Protocol. This extension allows both user and machine authentication for web services. As a proof of concept, we implemented a complete reservation system for sensor nodes in the Wisebed test-bed federation. Two different user interfaces based on a web page and an iPhone application have been implemented. Although implemented for Shibboleth, the architecture can be easily adapted to other authentication and authorization infrastructures.

Somesh Jha, "Retrofitting Legacy Code for Security"

Wed, 19 Jan 2011 18:30:00 PST

Research in computer security has historically advocated Design for Security, the principle that security must be proactively integrated into the design of a system. While examples exist in the research literature of systems that have been designed for security, there are few examples of such systems deployed in the real world. Economic and practical considerations force developers to abandon security and focus instead on functionality and performance, which are more tangible than security. As a result, large bodies of legacy code often have inadequate security mechanisms. Security mechanisms are added to legacy code on-demand using ad hoc and manual techniques, and the resulting systems are often insecure. This talk advocates the need for techniques to retrofit systems with security mechanisms. In particular, it focuses on the problem of retrofitting legacy code with mechanisms for authorization policy enforcement. It introduces a new formalism, called fingerprints, to represent security-sensitive operations. Fingerprints are code templates that represent accesses to security-critical resources, and denote key steps needed to perform operations on these resources. This talk develops both fingerprint mining and fingerprint matching algorithms. Fingerprint mining algorithms discover fingerprints of security-sensitive operations by analyzing source code. This talk presents two novel algorithms that use dynamic program analysis and static program analysis, respectively, to mine fingerprints. The fingerprints so mined are used by the fingerprint matching algorithm to statically locate security-sensitive operations. Program transformation is then employed to statically modify source code by adding authorization policy lookups at each location that performs a security-sensitive operation. These techniques have been applied to three real-world systems. These case studies demonstrate that techniques based upon program analysis and transformation offer a principled and automated alternative to the ad hoc and manual techniques that are currently used to retrofit legacy software with security mechanisms. Time permitting, we will talk about other problems in the context of retrofitting legacy code for security. I will also indicate where ideas from model-checking have been used in this work.

Fariborz Farahmand, "Risk Perception and Trust in Cloud"

Wed, 12 Jan 2011 18:30:00 PST

Many companies today are paying attention to cloud computing and new aspects of large-scale, distributed computing. This emerging paradigm of the information age offers exciting benefits to companies and users, but cloud computing, like any other innovation, faces challenges such as security and privacy risks. How do different stakeholders perceive these risks and the effectiveness of the mitigations? And, how are these reflected in their trust in the cloud? The answers to these questions can affect the outcome of policy debates, and the allocation of resources in controlling security issues of cloud environments. This work presents an introduction to the cloud and some of its advantages and disadvantages. It discusses the role of risk perception and trust in security and privacy challenges of the cloud. It also makes recommendations addressing these challenges.

Matthew Hashim, "Nudging the Digital Pirate: Behavioral Issues in the Piracy Context"

Wed, 01 Dec 2010 18:30:00 PST

Piracy is a significant source of concern facing software developers, music labels, and movie production companies. Firms continue to invest in digital rights management technologies to thwart piracy, but their efforts are quickly defeated by hackers and pirates. In the context of piracy, we observe a surprising phenomenon: pirates may often choose to purchase the digital good after pirating it. This is quite interesting given the minimal risk of being caught. Since piracy is often considered a victimless crime, we theorize that moral obligation may mediate other constructs from the theory of planned behavior. We believe this is a consequence of the desire for an individual to rationalize unethical behavior, especially when the crime is victimless. We also identify under what circumstances an individual might be susceptible to exogenous nudging from a software company. Salient constructs under initial purchase and piracy conversion intentions are compared to document under which situations they become relevant to the potential pirate.

Michael Kirkpatrick, "Security Applications for Physically Unclonable Functions"

Wed, 17 Nov 2010 18:30:00 PST

Physically unclonable functions (PUFs) are hardware structures that create unique characteristics for distinct copies of a device. Specifically, the physical nature of manufacturing a device introduces slight variations that can be neither controlled nor predicted. PUFs quantify these differences into a random one-way function. In our work, we have explored multiple application scenarios for integrating PUFs into security systems. In the first application, we propose leveraging PUFs to bind access requests to known, trusted devices. This scheme also offers a lightweight key exchange protocol that can reduce the computational cost for low-power embedded devices. In our second work, we have designed PEAR, a portable authentication token based on PUFs that allows for privacy-preserving transactions with websites. Finally, we have created PUF ROKs, which are read-once cryptographic keys based on PUFs. In this talk, we will introduce these applications, highlighting the advantages of deploying PUFs over competing technologies, as well as presenting the results of our empirical and formal analyses of these prototypes.

Nikita Borisov, "Detecting Coordinated Attacks with Traffic Analysis"

Wed, 10 Nov 2010 18:30:00 PST

Coordinated attacks, such as botnets, present a major threat to today's computing infrastructures. They are able to evade traditional detection techniques by using zero-day and polymorphic exploits, partitioning misbehavior, and encrypting communications. I will discuss our work that aims to identify coordinated activity itself by analyzing the patterns of network communication and inferring information via the available side information. First, I will discuss the detection of linked network flows that relay traffic across compromised computers, called stepping stones. We use statistical techniques to locate timing correlation between flows, aided by active perturbation of network delays to insert a specialized pattern, called a watermark. I will show that the use of watermarks provides superior detection performance over passive correlation and present two watermark designs: RAINBOW, a low-overhead watermark for enterprise-level stepping stone detection, and SWIRL, a scalable design that can be used in the wide area. I will then discuss our work on using community detection to locate groups of computers organized into a structured peer-to-peer topology. Our tool, BotGrep, finds tightly connected components in communication graphs using several graph-theoretic metrics and heuristics. It is designed to scale to very large data sets, allowing large core ISPs to detect previously unknown peer-to-peer botnets.

Trent Jaeger, "Tackling System-Wide Integrity"

Wed, 03 Nov 2010 17:30:00 PDT

Computing system compromises occur because system integrity is not managed effectively. The various parties that contribute to a system, programmers, OS distributors, and system administrators, do not account for integrity threats comprehensively, leading to recurrence of the same kinds of attacks. The problem is that we lack scalable and automated approaches for these parties to assess the integrity of their individual components that enables one to build upon the efforts of others. In this talk, I will discuss an conceptual approach to composing system-wide integrity from enforcement of multiple system layers. This approach is motivated by various work in information flow security, but we find that managing system-wide integrity requires different inferencing approaches and care in mapping actual components to the model. In particular, we will discuss methods to establish a specifications of integrity, validating the initial integrity of system components and channels, and composing systems from such components that protect runtime integrity. We will demonstrate the use of methods on Xen and Linux systems for deploying cloud computing applications. We show that accounting for integrity in component design can lead to comprehensive system-wide management.

P. Madhusudan, "The role of automata theory in software verification"

Wed, 27 Oct 2010 17:30:00 PDT

The 80s and 90s saw a revolution in hardware verification, where automata theory played a prominent role, formalizing model-checking and establishing the basis of verification using the logic-automata connection. We shift focus to software verification and ask how exactly would automata theory be useful in program analysis. Drawing from work in recent years in software verification in my research group as well as in the field, I will identify several key areas, ranging from modeling, abstraction, model-checking, interface synthesis, testing, to logical reasoning with dynamic data-structures, where automata theory promises to provide the right abstractions and yield effective tools for program analysis.

Sam King, "Trust and Protection in the Illinois Browser Operating System"

Wed, 20 Oct 2010 17:30:00 PDT

Current web browsers are complex, have enormous trusted computing bases, and provide attackers with easy access to modern computer systems. In this talk we introduce the Illinois Browser Operating System (IBOS), a new operating system and a new browser that reduces the trusted computing base for web browsers. In our architecture we expose browser-level abstractions at the lowest software layer, enabling us to remove almost all traditional OS components and services from our trusted computing base by mapping browser abstractions to hardware abstractions directly. We show that this architecture is flexible enough to enable new browser security policies, can still support traditional applications, and adds little overhead to the overall browsing experience. I will also talk briefly about some of my groups recent work in defending against malicious hardware.

Alex Liu, "Fast Regular Expression Matching using Small TCAMs for Network Intrusion Detection and Prevention Systems"

Wed, 13 Oct 2010 17:30:00 PDT

Regular expression (RegEx) matching is a core component of deep packet inspection in modern networking and security devices. Prior RegEx matching algorithms are either software-based or FPGA-based. Software-based solutions have to be implemented in customized ASIC chips to achieve high-speed, the limitations of which include high deployment cost and being hard-wired to a specific solution and thus limited ability to adapt to new RegEx matching solutions. Although FPGA-based solutions can be modified, resynthesizing and updating FPGA circuitry in a deployed system to handle RegEx updates is slow and difficult. In this talk, we present the first hardware-based RegEx matching solution that uses Ternary Content Addressable Memories (TCAMs), which are off-the-shelf chips and have been widely deployed in modern networking devices for packet classification. There are three main reasons why TCAM-based RegEx matching works well. First, a small TCAM is capable of encoding a large Deterministic Finite Automata (DFA) with carefully designed algorithms leveraging the ternary nature and first-match semantics of TCAMs. Second, TCAMs facilitate high-speed RegEx matching because TCAMs are essentially high-performance parallel lookup systems: any lookup takes constant time (i.e, a few CPU cycles) regardless of the number of occupied entries. Third, because TCAMs are off-the-shelf chips that are widely deployed in modern networking devices, it is easy to design networking devices that include our TCAM based RegEx matching solution.

Mihaela Vorvoreanu, Lorraine G. Kisselburgh, "Global Study of Web 2.0 Use in Organizations"

Wed, 06 Oct 2010 17:30:00 PDT

In this seminar, we present results from a global study about Web 2.0 use in organizations. The study, commissioned by McAfee, Inc., included a worldwide survey of over 1,000 organizational IT leaders, and in-depth interviews with industry experts. Data paint a rich picture of adoption and usage trends, as well as security concerns related to Web 2.0 technologies.

Sergey Panasyuk, "Assured Processing through Obfuscation"

Wed, 29 Sep 2010 17:30:00 PDT

In this seminar, an Obfuscation Module is discussed. This module provides a means to perform computation on untrusted computing systems while maintaining the confidentiality and integrity of the information. Being able to do so not only enables assured processing, such as running a program with certain assurances that the algorithm will remain protected, but it can also increase the defensive posture of cyber systems. When an executable is requested by the operating system, the module will apply obfuscation techniques to repackage it. Once repackaged, it will send the new executable to the host system. In this way, the untrusted system will never have access to the original executable image but a convoluted equivalent of it, protecting the confidentiality of the image and the algorithm which it implements, since it is cost prohibitive to unscramble the available executable.

Petros Mouchtaris, "Security of Mobile Ad Hoc Networks (MANETs)"

Wed, 22 Sep 2010 17:30:00 PDT

This talk will initially provide an overview of Telcordia's cyber security research. The talk will then focus on Telcordia's research in securing MANETs. MANETs are networks that do not require a fixed infrastructure (like base stations or access points) that are typically used in commercial wireless networks. In MANETs, messages are relayed from node to node from the source of a packet towards the destination. If there is a "sufficient" number of nodes covering a specific area, communication between the source and the destination can be achieved. MANETs have attracted a lot of interest in applications where fixed infrastructure may not be available or has been destroyed such as vehicle to vehicle communication, military networks, and disaster relief support. The key value of MANETs is their ability to allow nodes to join forces quickly to form a network. Achieving the potential value of MANETs in a secure manner though is a significant challenge. This talk will discuss Telcordia's research and progress in this area.

Xiaofeng Wang, "Side Channel Threats in the Software-as-a-Service Era: Challenges and Responses"

Wed, 15 Sep 2010 17:30:00 PDT

With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is a "two-part" program, with its components deployed both in the browser and in the web server. The communication between these two components inevitably leaks out the program's internal states to those eavesdropping on its web traffic, simply through the side channel features of the communication such as packet length and timing, even if the traffic is entirely encrypted. In this talk, I will present our discovery showing that such side-channel leaks are both fundamental and realistic: a set of high-profile web applications are found to disclose highly sensitive user data such as one's family incomes, health profiles, investment secrets and more through their side channels. More importantly, we found that the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. This indicates that a significant improvement of the current web-application development practice becomes necessary. As a response to this urgent call, I will also describe in this talk a new technique we developed, called Sidebuster, which facilitates detection and quantification of side-channel vulnerabilities during development of web applications.

Xeno Kovah, "Rootkits"

Wed, 08 Sep 2010 17:30:00 PDT

This talk will examine the state of current and proposed rootkits, to try and answer the following question: are rootkits stupid and lame? The speaker will provide supporting evidence that most all rootkits are eminently detectable, in theory. But theory doesn’t matter if tools for detection are not used in practice. Therefore the talk will highlight the few weaknesses in detection methodologies and many weaknesses in tools, so that the audience can think about what they could do to make the world more secure.

Ashish Kundu, "Data in the Cloud: Authentication Without Leaking"

Wed, 01 Sep 2010 17:30:00 PDT

Assurance of authenticity as well as confidentiality of data is an important problem, in cloud computing and in third-party data distribution environments. Existing data authentication schemes for structured and semi-structured data such as trees and graphs leak information, leading to privacy and confidentiality breaches. We have developed schemes for leakage-free authentication of trees and graphs. Our schemes are provably secure and efficient. In this talk, I would present these schemes as well as describe how to address the problem for disconnected trees/graphs (forests) (e.g., a set of databases). Time permitting, we would discuss some of the applications of these schemes. Our solutions have several applications in the cloud-based service offerings such as in the database and e-mail as services, storage and distribution of healthcare and biological data, and in security of social networks.

Cristina Nita-Rotaru, "Secure Network Coding for Wireless Mesh Networks"

Wed, 25 Aug 2010 17:30:00 PDT

In this talk we identify two general frameworks (inter-flow and intra-flow) that encompass several network coding-based systems proposed in wireless mesh networks. Our systematic analysis of the components of these frameworks reveals vulnerabilities to a wide range of attacks, which may severely degrade system performance. We then focus on addressing the most severe and generic attack against network coding systems, known as packet pollution attack. We show that existing cryptographic mechanisms that were proposed to solve the problem have a prohibitive cost that makes them impractical in wireless mesh networks. We propose the first practical defense mechanisms to pollution attacks in network coding for wireless mesh networks. The experimental results show that the proposed mechanisms can effectively filter out polluted packets and quickly identify and isolate attacker nodes while incurring small computation and bandwidth overhead.

Victor Raskin & Julia Taylor, ""Ontological Semantic Technology for Detecting Insider Threat and Social Engineering""

Wed, 28 Apr 2010 17:30:00 PDT

The paper describes a computational system, an application and implementation of the mature Ontological Semantic Technology, for detecting unintentional inferences in casual unsolicited and unrestricted verbal output of individuals, potentially responsible for leaked classified information to people with unauthorized access. Uses of the system for cases of insider threat and/or social engineering are discussed.

Stephen Dill, "The role of System Security Engineering in the engineering lifecycle"

Wed, 21 Apr 2010 17:30:00 PDT

This seminar will provide an overview of how Information Security (AKA Cyber Security, AKA INFOSEC) engineering, requirements analysis and security policies and other activities fit into the overall life cycle of an IT system. We will define an INFOSEC systems engineering methodology using industry best practices and we will define the major steps or key activities in that systems engineering methodology. We will also discuss what the role of Information Systems Security Engineering and the Systems Security Engineers should be in the Life Cycle processes.

Christian Hammer, "Security of JavaScript in a Browser Environment"

Wed, 14 Apr 2010 17:30:00 PDT

The power of modern websites emerges to a large extent from the ability to combine content from different sources. As an example, a site may include a Google map next to business information a user had been searching for. Combining content from possibly untrusted sites gives rise to all sorts of security concerns, as JavaScript has no concept of separating scripts from different sources. This has lead to several recent attacks like the Samy or Yamanner worms. This talk presents the state of the art in securing JavaScript for such settings and proposes a sandboxing facility for in-browser script separation.

Yvo Desmedt, "60 years of scientific research in cryptography: a reflection"

Wed, 07 Apr 2010 17:30:00 PDT

Shannon started the unclassified scientific research in cryptography with his October 1949 paper. First we briefly survey the scientific research in cryptography since then. We discuss the strengths and weaknesses of this research, attempting to present a balanced viewpoint. The lecture will also discuss the progress we have not made. We will show that not everything in modern cryptography is rosy. Besides above examples, we will also talk about the discrepancy between the massive number of applications of cryptography studied by academics and the fact most of these are being viewed as completely irrelevant to the real world.

David Bell, "Everything I Needed to Know about Security, I Learned in 1974"

Wed, 31 Mar 2010 17:30:00 PDT

The security field is an excellent illustration of the maxim that ``the more things change, the more they stay the same.'' Thus while technical details change, underlying security principles remain remarkably constant. Dr. Bell's talk ``Everything I Needed to Know about Security, I Learned in 1974'' covers the lessons he learned in his early modeling work, how they have remained valid since, and how those principles inform his view of 21st-Century challenges.

David Zage, "A Platform for Creating Efficient, Robust, and Resilient Peer-to-Peer Systems"

Wed, 24 Mar 2010 17:30:00 PDT

The rapid growth of communication environments such as the Internet has spurred the development of a wide range of systems and applications based on peer-to-peer ideologies. As these applications continue to evolve, there is an increasing effort towards improving their overall performance. This effort has led to the incorporation of measurement-based adaptivity mechanisms and network awareness into peer-to-peer applications, which can greatly increase peer-to-peer performance and dependability. Unfortunately, these mechanisms are often vulnerable to attack, making the entire solution less suitable for real-world deployment. In this work, we study how to create robust systems components for adaptivity, network awareness, and responding to identified threats. These components can form the basis for creating efficient, high-performance, and resilient peer-to-peer systems.

Pascal Meunier, "Making of the CWE Top-25, 2010 Edition"

Wed, 10 Mar 2010 18:30:00 PST

For the second time, MITRE's Common Weakness Enumeration project has released a Top-25 list. However, this year's is a much more sophisticated document, created using a systematic and more rigorous approach. It contains several sections and tables as well as profiles, and isn't only a list. I will explain what the CWE is, what the purpose of the Top-25 is, how it was created, which problems it faced and which it still faces, how it has been improved since last year, and how you can use it.

Wonjun Lee, "Detection and protection from denial of service attacks in grids by accountability agents"

Wed, 03 Mar 2010 18:30:00 PST

By exploiting existing vulnerabilities, malicious parties can take advantage of resources made available by grid systems to attack mission critical websites or the grid itself. In this paper, we present two approaches for protecting against attacks aiming at targets located outside or inside the grid. Our approach is based on special-purpose software agents, referred to as accountability agents that collect provenance and resource usage data in order to perform detection and protection. We show the effectiveness of our approach and the performance of the accountability agent based system by conducting various experiments on a grid-emulated testbed.

Kevin Hoffman, "Ribbons, A Partially-Shared Memory Programming Model"

Wed, 24 Feb 2010 18:30:00 PST

We present ribbons, a shared memory programming model that allows for more implicit sharing of memory than processes but is more restrictive than threads. Ribbons structure the heap into protection domains. Privileges between these protection domains are carefully controlled to provide the ability to fully or partially “sandbox” certain portions of a program’s computation. RibbonJ, a backwards-compatible extension of Java, is deﬁned to easily create programs that leverage the ribbons model. RibbonJ is implemented within Jikes RVM, and avoids the overhead of inline security checks and read or write barriers by leveraging the memory protection mechanisms already supported in modern hardware and operating systems. This is joint work with Harrison Metzger and Professor Patrick Eugster.

Hyo-Sang Lim, "Provenance-based Data Trustworthiness Assessment in Data Streams"

Wed, 17 Feb 2010 18:30:00 PST

This talk presents a systematic approach for estimating the trustworthiness of data items in data stream environments (such as sensor networks). The approach uses the data item provenance as well as their values. To obtain trust scores, the approach exploits a cyclic framework which well reflects the inter-dependency property: the trust scores of data items affect the trust scores of network nodes, and vice versa. The trust scores of data items are computed from their value similarity and provenance similarity. The value similarity comes from the principle that “the more similar values for the same event, the higher the trust scores,” and we compute it under the assumption of normal distribution. The provenance similarity is based on the principle that “the more different provenances with similar values, the higher the trust scores,” and we compute it using the tree similarity. Since new data items continuously arrive in DSMSs, we need to evolve (i.e., recompute) trust scores to reflect those new items. As evolution scheme, we propose the batch mode for computing scores (non)periodically along with the immediate mode. Experimental results show that the approach is efficient and effective in data stream environments.

Marcus Rogers, "Dissecting Digital Data: Context & Meaning through Analytics"

Wed, 10 Feb 2010 18:30:00 PST

This talk will look at how analytics can be used to increase our understanding of what digital evidence actually means. The real value of evidence is often related to the context and meaning of the data ; not just on its mere existence. The talk will examine how analytics can be used to answer core investigative and intelligence questions and where meaning can be found.

Greg Stephens, "Detecting Insider Theft of Trade Secrets"

Wed, 03 Feb 2010 18:30:00 PST

Trusted insiders who misuse their privileges to gather and steal sensitive information represent a potent threat to businesses. Applying access controls to protect sensitive information can reduce the threat but has significant limitations. Even if access controls are set properly, they don't protect against rogue employees who legitimately need to access sensitive information. Since 2002, researchers at MITRE have investigated methods for detecting insiders who misuse their legitimate access to steal information. A three-year, internally funded research effort developed and evaluated a research prototype of a system called Elicit (Exploit Latent Information to Counter Insider Threats) to help analysts identify insider threats. Work on Elicit prompted a team of engineers and social scientists to experimentally explore how malicious insiders use information differently from a benign baseline group. This talk presents results from the research prototype evaluation, discusses preliminary results from the double-blind study of malicious insiders, and offers some essential aspects for detecting insider threats gleaned from these efforts.

Stephen Elliott, "Applications of biometric technologies"

Wed, 20 Jan 2010 18:30:00 PST

In today's society, biometric technologies are being used in a number of different applications. This discussion will introduce the concept of biometric technologies, and outline various challenges and solutions that are being undertaken in the biometrics lab at Purdue University.

Eugene Spafford, ""Thinking Outside the Box""

Wed, 13 Jan 2010 18:30:00 PST

Kelly Caine, " Human Factors Approaches to Preserving Privacy"

Wed, 09 Dec 2009 18:30:00 PST

Threats to privacy are not only due to traditional computer security issues; human factors issues such as unintentional disclosure of information also have an impact on privacy preservation. In this talk I will discuss two examinations of psychological aspects of privacy and how they relate to technology. First, I will present results from an investigation of everyday privacy behaviors and discuss how these naturally occurring behaviors can guide the design of privacy protective technology. Then, I will introduce the concept of misclosure, which is the unintentional disclosure of information, and provide multiple example misclosures. I will conclude by demonstrating that misclosures a) occur frequently b) occur across systems and c) may be preventable by considering human factors during design.

Andrew Scholnick, "Cyber Security Trends and Disruptors"

Wed, 02 Dec 2009 18:30:00 PST

The Director of the VeriSign iDefense Applied Vulnerability Research Labs discusses current cyber security trends identified in 2008 and manifested in 2009 from Cyber Crime, Cyber War, Cyber Espionage and Cyber Terrorism. He will then look over the horizon to identify some potential Cyber Security Disruptors; ideas or technologies coming down the pike that will fundamentally change how the security community protects its enterprise and its customers.

Gerome Miklau, "Safely Analyzing Sensitive Network Data"

Wed, 18 Nov 2009 18:30:00 PST

Social and communication networks are formed by entities (such as individuals or computer hosts) and their connections (which may be contacts, relationships, or flows of information). Such networks are analyzed to understand the influence of individuals in organizations, the transmission of disease in communities, the operation of computer networks, among many other topics. While network data can now be recorded at unprecedented scale, releasing it can result in unacceptable disclosures about participants and their relationships. As a result, privacy concerns are severely constraining the dissemination of network data and disrupting the emerging field of network science. Our recent work investigates the properties of a network that can be accurately studied without threatening the privacy of individuals and their connections. We adopt the rigorous condition of differential privacy, and develop algorithms for releasing randomly perturbed statistics about the topology of a sensitive network. This talk will focus on two basic analysis tasks: the estimation of the degree distribution of a network and the study of small structural patterns that occur in a network (sometimes called motif analysis). We show that the degree distribution of a network can be very accurately estimated by a novel technique in which constraints are applied to the noisy output to improve utility. This technique is of general interest, and can be used to boost the accuracy of differentially private output in other tasks as well. We show that studying motifs is fundamentally harder, but can be done with acceptable accuracy if the privacy condition is relaxed.

Leszek Lilien, "Some Thoughts on the Pervasive Trust Foundation for the Future Internet Architecture. A position presentation."

Wed, 11 Nov 2009 18:30:00 PST

We start with presenting motivation and goals for the Future Internet, and reviewing basics of trust in computing. The Pervasive Trust Foundation (PTF) for the Future Internet is proposed next. This includes presenting motivation for trust foundation for the Future Internet, showing placement of security services and mechanisms within the architecture, and trust considerations for security services. Inefficient operation of the PTF-based architecture is the main obstacle to making such architecture a reality. There are two classes of approaches that can reduce operational costs. First, inherent PTF properties result in automatic cost-saving. Second, additional cost-saving techniques --such as leveraging high-trust enclaves, or using enclave "insurers"-- can be used. The architectural principles presented here are a position statement, and their practical verification will require substantial research efforts.

Zahid Pervaiz, "Multi-Policy Access Control for Healthcare using Policy Machine"

Wed, 04 Nov 2009 18:30:00 PST

Access control policies in healthcare domain define permissions for users to access different medical records. A Role Based Access Control (RBAC) mechanism allows management of privileges to medical records for users when they assume certain roles thus mitigating the threat of inside attacks. Such a threat emanates from unauthorized users. We can provide a selective combination of policies where sensitive records can be available only to a specific role, say the primary doctor, under Discretionary Access Control (DAC) whereby in turn he/she may share the record with other physicians for consultation after permission from the patient. This mechanism allows not only a better compliance of principle of least privilege but also helps to mitigate the threat of authorized insiders disclosing sensitive information. Our research is being prototyped on the Policy Machine (PM) developed by the National Institute of Standards and Technology (NIST). PM allows integration and co-existence of multiple policies. Currently, we are expanding the capabilities of PM to provide a flexible healthcare access control policy which has the benefits of context awareness and discretionary access. We will present the newly implemented temporal RBAC model on PM and describe initial capabilities for secure management of healthcare data.

Andre Koenig, "Security in Infrastructureless and Decentralized Communication Networks - Possibilities, Results, and Evaluation Challenges"

Wed, 28 Oct 2009 17:30:00 PDT

Infrastructureless and decentralized communication substrates such as mobile ad hoc networks and peer-to-peer systems enable setting up communication services beyond borders of contemporary wired or cellular client/server systems. Yet, due to their specific characteristics like wireless multihop data transmission and lack of central trusted instances, infrastructureless and decentralized networks are also beyond the protection of contemporary security mechanisms. This especially requires consideration in possible first responder or military application scenarios. Various new threats targeting each layer of the ISO/OSI model have been identified. Central questions regarding security include how to deal with misbehavior and how to protect information in networks without well-defined borders, consisting of devices, services, and users from multiple administrative domains. In this talk we present possible solutions for excluding misbehaving nodes from infrastructureless networks to recover the availability of the network in presence of attacks. We further present mathematical tools for governing cooperative decision processes without central trusted instances as basis for security objectives such as authentication and access control in decentralized systems. We show evaluation results based on analytical models as well as simulation and testbed studies and highlight general challenges regarding the evaluation of protocols and algorithms for infrastructureless decentralized communication networks.

Juhee Kwon, "Information Security Management and IT Executives in a Top Management Team"

Wed, 21 Oct 2009 17:30:00 PDT

As information assets have become a critical factor for enterprises to stay competitive, there is an increasing awareness of information security management. However, they are easily overlooked by those who focus only on the IT side, failing to see that human resources and policies are the most likely cause of information risks, which need to become real enterprise-wide and strategic issues. This paper examines the impacts of an IT executive’s structural status in Top Management Teams (TMTs) on information security risk management. E-Business has made it imperative for IT executives to adopt cross-functional roles due to the increased importance of securing and managing risks to information assets across the enterprise. Therefore, IT executive representation and status in a TMT is necessary to strategically and operationally conduct liaison activities between IT groups and other business units. However, there is little empirical research examining the effects of IT executives’ structural status on managing information security risks. We employ logistical regression to examine the data from 2003 to 2008 with information security breach reports and executive compensation data. We augment this data with IT internal controls information provided by external auditors. Our results demonstrate high IT executive engagement and fair compensation are associated with reduced levels of both IT internal controls weaknesses and reported information security breaches. Second, we find that pay dispersion in a TMT increases the probability of information security breaches, while IT executive turnover is not significantly associated with breaches. As a comprehensive analysis across the accounting, human resources, and information systems literature, this study gives firms new insights into how they set IT executive compensation strategies as well as delegate authority and responsibility for ensuring confidentiality, integrity, and availability of information assets.

Raquel Hill, "PlugNPlay Trust for Embedded Communication Systems"

Wed, 14 Oct 2009 17:30:00 PDT

Given the proliferation of malware, the integrity of embedded communication systems is becoming a growing concern. Recent compromises to systems such as ATMs and network switches and routers provide evidence of the potential security problems of embedded communication systems. Trusted communication channels that pass sensitive information should only be established after the integrity of the remote system can be assured. Security hardware, such as the Trusted Computing Group’s (TCG’s) Trusted Platform Module (TPM) provides a mechanism to measure and authenticate the integrity of individual machines. This device can be readily found in many laptops today, however we are unaware of its use as a mechanism for providing or denying communication access to services based on the integrity of remote systems. In this work, we propose PlugNPlay Trust, an integrity framework which is a drop-in solution for providing a hardware root of trust for embedded applications. The PlugNPlay Trust design exploits the static nature of embedded communication systems and independently provides remote attestation and identity verification for the host application using the TPM. This framework, coupled with the attestation and dynamic firewall exception services we authored, enables remote parties to confirm the integrity of embedded communication systems, thereby limiting the effects and the proliferation of malware in compromised systems. Although there are preexisting technologies for interfacing with the TPM directly, we implemented the first prototype for allowing or denying access to networked services based on the trustworthiness of a remote system. The PlugNPlay framework simplifies the integration of existing TPM related tools and provides a ready to use platform for trusted computing research.

Gary McGraw, "The Building Security In Maturity Model (BSIMM)"

Wed, 07 Oct 2009 17:30:00 PDT

As a discipline, software security has made great progress over the last decade. There are now at least 46 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity was used to guide the construction of the Building Security In Maturity Model (BSIMM). This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works---people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Since its March release, the BSIMM is being expanded to include BSIMM Europe, BSIMM II, and BSIMM Lite. Use the BSIMM as a yardstick to determine where you stand and what kind of software security plan will work best for you.

Richard Power, "Starting Over After A Lost Decade, In Search of a Bold New Vision for Cyber Security"

Wed, 30 Sep 2009 17:30:00 PDT

Starting Over After A Lost Decade, In Search of a Bold New Vision for Cyber Security: It is not enough to develop a comprehensive cyber security program that exists in isolation from the world beyond the cloud and the cables. We have to understand the political, economic and social environments that impact our ability to deliver security, as well as our own organizational cultures. We cannot wage a 21st Century struggle for hearts and minds with a 20th Century world-view anymore than we can wage a 21st Century struggle to secure information and systems with 20th Century technology. A bold new vision is needed, one that is holistic and evolves out of transformative metaphors that reframe our concepts about security.

Rick Aldrich, "The Importance of Law in Cybersecurity, Recent Developments and Trends in Cyberlaw"

Wed, 23 Sep 2009 17:30:00 PDT

Information security professionals increasingly need to be familiar with developments in cyberlaw to ensure they comport their actions with the contours of the law. Unfortunately, with technology changing far faster than the statutes, judges are increasingly being called upon to fill in the interstices. In this interactive session, facts from actual cases will be presented in a “You Be the Judge” format to highlight important developments in recent cases and identify key trends in the case law. What is the legal efficacy of a click-through consent banner and how does this impact information security professionals? What constitutes an “interception” and what types of interceptions are legal and illegal? What law dictates whether an employer can or cannot inspect its employee’s personal e-mail messages? Do individuals have to divulge their encryption keys requested to do so by border guards or law enforcement agents? Are there jurisdictional borders in cyberspace? Who has jurisdiction and how does the law apply in virtual worlds? How do extradition laws apply to cybercrimes? These and many other questions will be answered in this interactive seminar.

Jerry Saulman, "From Security Architecture to Implementation"

Wed, 16 Sep 2009 17:30:00 PDT

From security architecture to implementation details... what matters when a customer faces a project to implement a global J2EE application? This presentation will cover some of the more pertinent concepts and details involved from real world experiences in customer environments.

Peter Mork, "Database Assurance: Anomaly Detection for Relational Databases"

Wed, 09 Sep 2009 17:30:00 PDT

Behind countless complex applications lurk trusty relational databases that are responsible for managing the data that fuel these applications. For example, relational databases are used to support electronic medical health record systems, timecard reporting systems, and transportation systems. Ideally, the relational database system has been sufficiently hardened to prevent exfiltration or modification of data. Unfortunately, adversaries often have insider access to the networks and machines on which the database is running and can easily circumvent such security measures. Therefore, in this research project, we create profiles of known, legitimate behavior so that we can flag any anomalous behavior as potentially illegitimate. In this presentation, because SQL injection remains the #1 attack vector, I will first illustrate how SQL injection attacks can exfiltrate data from a database system. I will then discuss various locations within the database engine that one might monitor activity, highlighting the benefits of placing a monitor between the query optimizer and query execution engine. Next, I will describe how we use cross-feature analysis to generate profiles of legitimate behavior and how these profile are used at run-time to identify anomalous activity. Then, I will present experimental results both in terms of performance overhead and precision/recall. I will conclude with a discussion of when our techniques are most applicable and how a clever adversary might nevertheless elude our monitor.

Ragib Hasan, "Fake Picassos, Tampered History, and Digital Forgery: Protecting the Genealogy of Bits with Secure Provenance"

Wed, 02 Sep 2009 17:30:00 PDT

As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through workplace tasks. While significant research has been conducted in this area, the associated security and privacy issues have not been explored, leaving provenance information vulnerable to illicit alteration as it passes through untrusted environments. In this talk, we show how to provide strong integrity and confidentiality assurances for data provenance information in an untrusted distributed environment. We describe our provenance-aware system prototype that implements provenance tracking of data writes at the application layer, which makes it extremely easy to deploy. We present empirical results that show that, for typical real-life workloads, the run-time overhead of our approach to recording provenance with confidentiality and integrity guarantees ranges from 1% - 13%. For more details, please refer to http://dais.cs.uiuc.edu/provenance

Ian Goldberg, "Sphinx: A Compact and Provably Secure Mix Format"

Wed, 26 Aug 2009 17:30:00 PDT

Mix networks, originally proposed in 1981, provide a way for Internet users to send messages--such as email, blog posts, or tweets--without automatically revealing their identities or their locations. In this talk, we will describe Sphinx, a cryptographic message format used to relay anonymized messages within a mix network. It is the first scheme to support a full set of security features: compactness, efficiency, provable security, indistinguishable replies, hiding the path length and relay position, as well as providing unlinkability for each leg of the message's journey over the network. We will compare Sphinx to other mix formats, and will also briefly outline Sphinx's security reduction proof.

Joe Judge, "Software Assurance: Motivation, Background, and Acquisition Pursuits"

Wed, 22 Apr 2009 17:30:00 PDT

This Software Assurance (SwA) is a slightly different spin on the SwA presentation and discussion. The need for measurable SwA, for the purposes of presenting and assurance "case" and explained with a practitioner's point of view. Current pursuits and practices are shared with the context of what is needed from the SwA industry.

John D'Arcy, "USER AWARENESS OF SECURITY COUNTERMEASURES AND ITS IMPACT ON INFORMATION SYSTEMS MISUSE: A DETERRENCE APPROACH"

Wed, 15 Apr 2009 17:30:00 PDT

Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50-75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This study presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions vary based on one’s level of morality. The results have implications for both the research and practice of IS security.

Johann-Christoph Freytag, "Privacy – from accessing databases to location based services"

Wed, 08 Apr 2009 17:30:00 PDT

Over the last years it has become apparent that privacy issues become more and more important when accessing data sources either on the Web or by database management systems. That is, the user does not only want to hide the query, but also the result of that query from others. In the past the problem of querying a database privately was solved by organizational rather than by technical means. In this talk we describe the problem of querying databases privately more formally and discuss existing solutions from the area of private information retrieval (PIR). The lack of efficiency and scalability motivated us look for alternative approaches using a so called “secure co-processor” (built by IBM). We introduce a set of algorithms that take advantage of the (physical) properties of the co-processor and show which algorithms are necessary to guarantee privacy for database queries. In the last part of my talk I briefly describe our vision how to extend the current privacy approach to location-based services, in particular to moving objects such as vehicles (cars).

Melissa Dark, "An Analysis of Data Breach Disclosure"

Wed, 01 Apr 2009 17:30:00 PDT

In the past six years, 44 states in the United States have embraced a new form of privacy and identity theft regulation – mandatory disclosure of data breach information. Information disclosure regulation is a form of legislation considered effective for issues that span consumer protection and risk and where market mechanisms would/could work effectively to shape consumer and producer behavior and bring about allocative efficiency. Informational regulation is a new approach in the data privacy milieu, but has a precedent in environmental and health policy. While data breach information disclosure policies intend to have an impact on consumer and producer behavior, little is known about the costs and benefits of these policies and whether they are in fact enhancing social welfare in the area of identity theft and privacy. This talk addresses this relatively nascent public policy phenomenon with a focus on future considerations for policy analysis in this area to determine if and how such policy may be affecting the state of information assurance and security in the USA.

, "Rick Clark, Ontario Systems"

Wed, 25 Mar 2009 17:30:00 PDT

Arjan Durresi, "Security for the Next Internet over Heterogeneous Environments"

Wed, 11 Mar 2009 17:30:00 PDT

The networking research community is working to design the Next Generation Internet, which will meet the needs of the twenty-first century. The first requirement for the Next Generation Internet is security. Furthermore, the Internet will include heterogeneous environment, such as cellular and sensor networks. In this talk, I will present our research work related to above mentioned problems and focusing on a new security oriented Internet architecture and security solutions for heterogeneous environments. It should allow receivers to set policies for how and where they receive their information. The Next Generation Internet should be designed for mobile objects. Naming, addressing architecture, and routing have to be such that these objects can move and decide how and where they want to receive their Internet traffic with full rights of privacy of their location, if desired. In this talk, I will present our research work related to above mentioned problems and focusing on Internet architecture, mobile, wireless and security issues.

Jeremy Rasmussen, "The Best Defense is Information"

Wed, 04 Mar 2009 18:30:00 PST

In the course of doing security vulnerability testing for government and commercial clients over the past 10 years, our Information Security Solutions team at Sypris Electronics has seen a lot of interesting things—perhaps none more so than a recent attack witnessed on a client’s network targeted by a buffer overflow on a popular application. The attack launched a trojan horse, which then dropped in another piece of malware that stealthily connected out to several sites to receive command and control. We will go down the rabbit hole with the attack (as much as I can publicly divulge), talk about our approach to the forensic investigation, and how the client was advised to implement countermeasures to provide an overall framework of security against future attacks. It is possible people may have known about this particular exploit for more than six months before it was publicly disclosed, and the vendor still has not published a patch for it. Therefore, in this talk, we will also explore the concept of responsible disclosure, information sharing (minus attribution), and how all of this possibly fits into the Presidential Comprehensive National Cybersecurity Initiative (CNCI).

Mummoorthy Murugesan, "Providing Privacy through Plausibly Deniable Search"

Wed, 25 Feb 2009 18:30:00 PST

Query-based web search is becoming an integral part of many people's daily activities. Most do not realize that their search history can be used to identify them (and their interests). In July 2006, AOL released an anonymized search query log of some 600K randomly selected users. While valuable as a research tool, the anonymization was insufficient: individuals could be identified from the contents of the queries alone Government requests for such logs serves to increase the concern. To address this problem, we propose a client-centered approach of "plausibly deniable search". Each user query is substituted with a standard, closely-related query intended to fetch the desired results. In addition, a set of k-1 cover queries are issued; these have characteristics similar to the standard query but on unrelated topics. The system provides a property that any of these k queries will produce the same of set of k queries, giving k possible topics the user could have been searching for. We use Latent Semantic Indexing (LSI) based technique to generate queries, and evaluate on the DMOZ webpage collection to show the effectiveness of the proposed approach.

Charles Killian, "Mace: Systems and Language Support for Building Correct, High-Performance Networked Services"

Wed, 18 Feb 2009 18:30:00 PST

Building distributed systems is particularly difficult because of the asynchronous, heterogeneous, and failure-prone environment where these systems must run. This asynchrony makes verifying the correctness of systems implementations even more challenging. Tools for building distributed systems must strike a compromise between reducing programmer effort and increasing system efficiency. Mace is a C++ language extension, compiler, runtime, and toolset, that translates a concise but expressive distributed system specification into a C++ implementation. Mace exploits a natural decomposition of distributed systems into a layered, event-driven state machine. A key design principle of Mace is to separate each service algorithm from the implementation mechanics (serialization, dispatch, synchronization, etc.), debugging code (logging and property testing), and its utility services (lower-level services providing a specified interface). Our experience indicates that precisely because Mace imposes limits on the design structure of distributed systems, it supports the implementation of a wide variety of high-level supporting tools, including model checking, simulation, live debugging, and visualization. Mace is fully operational, has been in development for four years, and has been used to build a wide variety of Internet-ready distributed systems. This talk will describe both the Mace programming language design and MaceMC, the first model checker that can find liveness violations in unmodified systems implementations.

Mehmet Sahinoglu, "Quantitative Risk Assessment of Software Security and Privacy, and Risk Management with Game Theory"

Wed, 11 Feb 2009 18:30:00 PST

The need for information security is undeniable and self-evident. The pervasiveness of this critical topic requires primarily risk assessment and management through quantitative means. To conduct an assessment; repeated security probes, surveys, and input data measurements must be taken and verified toward the goal of risk mitigation with minimal cost. One can evaluate risk using a probabilistically accurate statistical estimation scheme in a quantitative security meter (SM) model that mimics the events of the breach of security. An empirical study using Java code is presented and its accuracy is veriﬁed by discrete-event or Monte Carlo simulations. The design improves as more data are collected and updated. Practical aspects of the SM are presented with a real-world example as related to a PC user and a risk-management scenario using the Game Theory approach for optimal cost mitigation results. Index Terms(10)— Quantitative Risk Assessment, Cost Mitigation, Countermeasure, Security, Privacy, Management, Simulation, Threat, Vulnerability, Game Theory

Cassio Goldschmidt, "The dark side of software engineering and how to defend against it"

Wed, 04 Feb 2009 18:30:00 PST

If you create an application that runs on one or more computers connected to a network such as the internet, your code will be attacked. Consequences of compromised systems often include loss of trust, reputation and revenue. Software will always have defects and vulnerabilities. Strikes against digital assets are unquestionably on the rise. We can, however, make it substantially harder to find and exploit vulnerabilities by identifying insecure coding practices and developing secure alternatives. During this practical session, we'll examine in detail the principles behind some of the worst attack patterns seen today in the software industry. Most importantly, we'll learn effective defense programming techniques every developer must employ when building software.

Ryan Riley, "An Alternate Memory Architecture for Code Injection Prevention"

Wed, 28 Jan 2009 18:30:00 PST

Code injection attacks, in their various forms, have been in existence and been an area of consistent research for a number of years. A code injection attack is a method whereby an attacker inserts malicious code into a running computing system and transfers execution to his malicious code. In this way he can gain control of a running process or operating system due to the fact that his injected code will run at the same privilege level as the entity being attacked. At the user-level, these attacks can be used to gain access to a system through an application bug. At the kernel-level, they are commonly used to install kernel rootkits and hide an attacker's presence on a machine. In this talk I will discuss code injection with regards to the memory architecture of modern computer systems. I will compare two common memory architectures, von Neumann and Harvard, with respect to their susceptibility to code injection attacks and the advantages and disadvantages of each in practice. Based on this, I will present a third memory architecture which is immune to code injection attacks and describe implementations of it that are able to stop code injection at the user and kernel levels. My experimental results show that this architecture is able to effectively and efficiently prevent code injection attacks against unmodified operating systems and applications running on standard x86 hardware.

Paul Kidwell, "A Rules Based Statistical Algorithm for Keystroke Detection"

Wed, 21 Jan 2009 18:30:00 PST

A rules-based statistical algorithm (RBSA) identifies packets in any TCP connection that are client keystrokes of an ssh login. The input data of the algorithm are the packet arrival times and TCP/IP headers of the connection packets at a point along the path of the connection. The algorithm is applied to all connections seen by a network monitor; ssh port 22 connections are classified as client-keystrokes or scp file transfers, and ssh keystroke connections are discovered for all other ports. This forms a network login database that can be further analyzed for network security monitoring and forensics. One application is to an "inside'' network in which the monitor sees all connections between the inside and outside. The model --- which uses the packet sizes, flags, and interarrival times --- first goes through the packets identifying epochs of different activities, and then goes back and uses more detailed information for the classification. Performance from three types of packet traces is excellent. Previous work has proceeded by forming connection summary statistics from the headers and timestamps, and classifying the connection as one with keystrokes or not using the statistics. The RBSA takes on a much more ambitious task of classifying each packet as a client keystroke packet or not, but in the end the classification of the connection has extremely low false positives and false negatives. One important property of the RBSA is that it does not employ packet payload, as is done in some connection-level surveillance methods, so it cannot be defeated by an attacker through payload encryption. A second important property is that the inside network can be a large enterprise, allowing monitoring and forensics across a very large number of hosts from a single device."

Chris Clifton, "Measuring Privacy: A Risk-Based Approach"

Wed, 14 Jan 2009 18:30:00 PST

There have been significant research developments in technology to protect privacy. Unfortunately, few of these have made the transition to practice. A large part of the problem is the lack of an accepted way to measure privacy. Legal and regulatory terms do not translate well into technological solutions, and the plethora of technical approaches do not seem to resonate with privacy advocates. This talk will discuss issues and challenges, with examples of the reason why a clear standard is difficult. A risk-based approach will be presented that allows anonymization based on controlling the potential damage from disclosure. This approach will be compared with more traditional anonymization measures, showing the difficulty of measuring the potential for harm from those measures. This represents joint work with Mehmet Ercan Nergiz (Purdue University) and Maurizio Atzori (University of Pisa).

Ibrahim Baggili, "Extending anonymity research to high-tech white collar crimes and IT Insider threat: A critical step"

Wed, 10 Dec 2008 18:30:00 PST

Theories of deindividuation share common grounds, one of which is anonymity. For decades, it has been hypothesized that anonymity affects human behavior. With the rise of the popularity and development of personal computing, claims are made that individuals perceive themselves to be more anonymous in computer mediated environments. This perception may be a major factor contributing to the engagement of individuals in online antisocial behaviors and in cyber criminal activities like high-tech white collar crimes and Information Technology (IT) insider threat crimes. This talk presents an overview of the literature on anonymity and the deindividuation theory. A philosophical bind is then made between the various effects of anonymity, high-tech white collar crimes and IT insider threat crimes. These philosophical accounts may be used as a cornerstone for scientific research in the new cyber crime phenomenon.

Weidong Cui, "Automatic Signature Generation for Unknown Vulnerabilities"

Wed, 03 Dec 2008 18:30:00 PST

In this talk, I will present a new approach to automatically generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance. Our approach is based on two systems we developed: Tupni and ShieldGen. Tupni takes one or more input instances and reverse engineers their format by analyzing how an application parses and processes them. Its reverse-engineered format has a rich set of information, including record sequences, record types and input constraints. We have implemented a prototype of Tupni and demonstrated that it can effectively reverse engineer ten common, real-world file and network message formats. ShieldGen can generate a vulnerability signature for an unknown vulnerability, given a zero-day attack instance and its format. The key novelty of ShieldGen is that it leverages knowledge of the input format to generate new potential attack instances, uses a zero-day detector as an oracle to determine if an instance can still exploit the vulnerability, and then takes the feedback of the oracle to guide its search for the vulnerability signature. We have implemented a prototype of ShieldGen and used it to generate high-quality vulnerability signatures for three real-world vulnerabilities. By feeding the input format generated by Tupni to ShieldGen, we can automatically generate a vulnerability signature even when the format of the attack instance is unknown. We have integrated Tupni with ShieldGen and demonstrated that we can automatically generate the vulnerability signature for a real-world WMF vulnerability given a single malicious WMF file.

Sylvia Osborn, "The Role Graph Model and its Extensions"

Wed, 19 Nov 2008 18:30:00 PST

The Role Graph Model was first introduced by Nyanchama and Osborn in 1994. It has been extended over the years to include parameterized roles, an administrative model and a delegation model. We will show how the semantics of our role graph operations differ from those of the ANSI standard. Then we will discuss how to simulate DAC, and how the underlying basic model helped us to understand and expand the model to deal with delegation. The present and future of RBAC will also be discussed.

John Oritz, "John Oritz, SRA International"

Wed, 12 Nov 2008 18:30:00 PST

Steganography is a discipline of computer science whose aim is to conceal the existence of information. Steganography synergizes various technologies including data compression, digital signal processing, information theory, data networks, cryptography, coding theory, and the human audio and visual system. Strap on your seatbelt. I will present some key concepts of steganography, describe a number of basic and advanced spatial and transform domain techniques (with lots of pictures and sounds for the “attention-challenged”), and demonstrate these techniques using custom steganography software. The demonstrations include a Least Significant Bit (LSB) technique, High-Capacity Hiding in Jpegs, and time modulation in audio.

Scott Orton, "The "merge" of Anti-Tamper and Information Assurance - lessons learned from the Anti-Tamper discipline"

Wed, 05 Nov 2008 18:30:00 PST

Scott Orton is the Anti-Tamper (AT) subject matter expert at Raytheon and was previously responsible for establishing the DOD AT executive agency. Scott will discuss the trends in information security driving the merge of AT and IA. He will also discuss valuable lessons learned from the AT community that have applicability in IA.

Kenji Takahashi, "Trends in Identity Management"

Wed, 29 Oct 2008 17:30:00 PDT

Currently many initiatives are being proposed for identity management, such as OpenID, SAML, CardSpace/Information Cards, and OAuth, as its importance is becoming apparent. Identity management is as an integral part of service infrastructures to make identity available to services across organizations in a secure and privacy protected manner. The identity data are crucial to successfully providing the privileged and personalized experiences for legitimate users of services. Also it is important that the users should have strong control over their identity data to foster a socially responsible service industry. This talk will give an overview of trends in identity management, and illustrate best practices and lessons learned in real settings using case studies. The talk will also highlight standard harmonization (SAML/Liberty, OpenID, CardSpace/Information Cards, etc.) and explore the future research agenda (e.g., mobile applications).

Federica Paci, "Access Control and Resiliency for WS-BPEL"

Wed, 22 Oct 2008 17:30:00 PDT

Business processes –the next generation workflows- have attracted considerable research interest in the last fifteen years. More recently, several XML-based languages have been proposed for specifying and orchestrating business processes, resulting in the WS-BPEL language. Even if WS-BPEL has been developed to specify automated business processes that orchestrate activities of multiple Web services, there are many applications and situations requiring that people be considered as additional participants that can influence the execution of a process. Significant omissions from WS-BPEL are the specification of activities that require interactions with humans to be completed, called human activities, and the specification of authorization information associating users with human activities in a WS-BPEL business process and authorization constraints, such as separation of duty, on the execution of human activities. This talk investigates the problem of access control and resiliency for WS-BPEL processes. Access control in the context of business process means checking whether a user claiming the execution of an activity is authorized and the execution does not violate authorization constraints. Resiliency means that even if some users become unavailable, the remaining users can still complete the execution of the process according to the stated authorizations and authorization constraints. We present RBAC-WS-BPEL, an RBAC model for WS-BPEL business processes that supports the specification of resiliency constraints, authorizations and authorization constraints on business process activities. Resiliency constraints are evaluated when a WS-BPEL process is deployed, to check if there is a sufficient number of authorized users to perform the process so that authorization constraints are satisfied and the process terminates even if some users become unavailable. Authorizations and authorization constraints are evaluated whenever a user claims the execution of a business process’s activity to determine if the execution of the activity by the user does not violate any authorization constraints and does not prevent some other subsequent activities from completing.

Adam Dugger, "Signature Analysis Coupled With Slicing Analysis for the Validation of Software"

Wed, 15 Oct 2008 17:30:00 PDT

What if you could determine exactly where, in any compiled binary, a security threat existed? Answering this question has been the fundamental goal of anti-virus software for many years past, with limited success. Instead, what if you could determine not where security threats do exist, but where they could possibly exist? This is certainly a step in the right direction for total software security -- one which puts us well on our way to being able to develop applications safe against hidden malicious code. All of this is possible with the machine code analysis methodology known as Signature Analysis. However, consider the following question: What if you could determine exactly where, in any compiled binary, a security threat might exist, and, further, precisely what this threat might affect later in the application’s execution? This information can be retrieved by combining the capabilities of Code Slicing Analysis with the previously mentioned Signature Analysis. This paradigm not only assists in hardening against currently known threats, but it also identifies areas that are affected by those threats. These principles form the framework for a novel static technique for ensuring software integrity. The goal of this seminar is to present these ideas and to discuss possible future applications.

Yuecel Karabulut, "Measuring the Attack Surfaces of Enterprise Software Systems"

Wed, 08 Oct 2008 17:30:00 PDT

Software vendors have traditionally focused on improving code quality for improving software security and quality. The code quality improvement effort aims toward reducing the number of design and coding errors in software. In principle, we can use formal correctness proof techniques to identify and remove all errors in software with respect to a given specification and hence remove all its vulnerabilities. In practice, however, building large and complex software devoid of errors, and hence security vulnerabilities, remains a very difficult task. Software vendors can minimize the risk associated with the exploitation of future vulnerabilities. One way to minimize the risk is by reducing the attack surfaces of their software. A smaller attack surface makes the exploitation of the vulnerabilities harder and lowers the damage of exploitation, and hence mitigates the security risk. We believe that a complete risk mitigation strategy requires a combination of code quality efforts and attack surface measurement. SAP and CMU collaborated to develop a new attack surface measurement method for measuring the attack surfaces of SAP software systems implemented in Java. We implemented a tool and demonstrated the feasibility of our approach by measuring the attack surface of an SAP software system. In this talk, we will present the attack surface measurement method and report on its application.

Dave Keppler, "Resilient Systems for Mission Assurance"

Wed, 01 Oct 2008 17:30:00 PDT

The ability for information services to continue operating despite attacks is a core enabler of mission assurance goals. Existing security techniques lack this concept of resilience and are inadequate for protecting critical services and data against targeted attacks by sophisticated adversaries. Widely implemented signature and anomaly-based detection techniques fail to keep pace with the advancement of attacker sophistication. Our objective is to develop and prototype resilience techniques that make applications impervious to the damaging effects of attacks without relying on identifying and filtering specific attacks. We employ effects-based countermeasures to impart resilience to applications, creating an environment inhospitable to attack goals, and countering previously unknown attacks on service utility, in particular, code injection and data subversion.

Ashish Kamra, "Responding to Anomalous Database Requests"

Wed, 24 Sep 2008 17:30:00 PDT

Organizations have recently shown increased interest in database activity monitoring and anomaly detection techniques to safeguard their internal databases. Once an anomaly is detected, a response from the database is needed to contain the effects of the anomaly. However, the problem of issuing an appropriate response to a detected database anomaly has received little attention so far. In this work, we propose a framework and a policy language for issuing a response to a database anomaly based on the characteristics of the anomaly. We also propose a novel approach to dynamically change the state of the access control system in order to contain the damage that may be caused by the anomalous request. We have implemented our mechanisms in the PostgreSQL DBMS and we discuss relevant implementation issues. We have also carried out an experimental evaluation to assess the performance overhead introduced by our response mechanism. The experimental results show that the techniques are very efficient.

Shimon Modi, "Fingerprint Sensor Interoperability: Analysis of Error Rates for Fingerprint Datasets Acquired from Multiple Fingerprint Sensors"

Wed, 17 Sep 2008 17:30:00 PDT

The last decade has witnessed a huge increase in deployment of biometric systems, and while most of these systems have been single vendor, monolithic architectures the issue of interoperability is bound to arise as distributed architectures are considered for large scale deployments. The distortions and variations introduced when acquiring fingerprint images propagate from the acquisition subsystem all the way to the matching subsystem. These variations ultimately affect performance rates of the overall fingerprint recognition system. Fingerprint images captured using the same sensor technology during enrollment and recognition phases will introduce similar distortions, thus making it easier to compensate for such distortions and reducing its effect on the performance of the overall fingerprint recognition system. However, an impact on performance is expected, but unpredictable, when different fingerprint sensor technologies are used during enrollment and recognition phases. The purpose of this study was to examine the effect of sensor dependent variations and distortions, characteristics of the sensor and characteristics of the finger skin on the interoperability matching error rates of minutiae based fingerprint recognition systems. Fingerprint images were be collected from 9 different fingerprint sensors from 190 subjects for analysis of this research study. A statistical analysis framework for testing interoperability was formulated for this research, which included parametric and non-parametric tests. The statistical analysis framework tested similarity of minutiae count, similarity of image quality and similarity of performance between native and interoperable datasets. Interoperability performance analysis was conducted on each sensor dataset and also by grouping datasets based on the acquisition technology and interaction type of the acquisition sensor. The end objective of this study was to provide greater insight into the effect of a fingerprint dataset acquired from various sensors on performance measured in terms of error rates like false non match rates (FNMR) and false match rates (FMR).

Dennis Moreau, "Virtualization: Resource Coupling and Security across the Stack"

Wed, 10 Sep 2008 17:30:00 PDT

Virtualization technology can deliver better IT asset utilization, more agile IT asset allocation, more efficient use of resources, while supporting a potentially more secure IT infrastructure. Virtualization accomplishes these benefits by leveraging mechanisms which provide a) asset isolation, b) resource sharing and c) provisioning dynamics. This session will address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments. Comprehensive security and risk situation awareness of more dynamic, more interdependent, and more insulated assets, will allow enterprises to take fuller advantage of the promised benefits of virtualization. This session will also briefly address extension of these considerations to the cloud and utility computing infrastructures.

Gabriel Ghinita, "Private Queries in Location Based Services: Anonymizers are not Necessary"

Wed, 03 Sep 2008 17:30:00 PDT

Mobile devices equipped with positioning capabilities (e.g., GPS) can ask location-dependent queries to Location Based Services (LBS). To protect privacy, the user location must not be disclosed. Existing solutions utilize a trusted anonymizer between the users and the LBS. This approach has several drawbacks: (i) All users must trust the third party anonymizer, which is a single point of attack. (ii) A large number of cooperating, trustworthy users is needed. (iii) Privacy is guaranteed only for a single snapshot of user locations; users are not protected against correlation attacks (e.g., history of user movement). We propose a novel framework to support private location-dependent queries, based on the theoretical work on Private Information Retrieval (PIR). Our framework does not require a trusted third party, since privacy is achieved via cryptographic techniques. Compared to existing work, our approach achieves stronger privacy for snapshots of user locations; moreover, it is the first to provide provable privacy guarantees against correlation attacks. We use our framework to implement approximate and exact algorithms for nearest-neighbor search. We optimize query execution by employing data mining techniques, which identify redundant computations. Contrary to common belief, the experimental results suggest that PIR approaches incur reasonable overhead and are applicable in practice.

Minaxi Gupta, "Exploitable Redirects on the Web: Identification, Prevalence, and Defense"

Wed, 27 Aug 2008 17:30:00 PDT

Web sites on the Internet often use redirection. Unfortunately, without additional security, many of the redirection links can be manipulated and abused to mask phishing attacks. In this work, we prescribe a set of heuristics to identify redirects that can be exploited. Using these heuristics, we examine the prevalence of exploitable redirects present in today's Web. Finally, we propose techniques for Web servers to secure their redirects and for clients to protect themselves from being misled by manipulated redirects. This work was presented at the USENIX Workshop On Offensive Technologies (WOOT) in July, 2008. Subsequently, several online press venues have covered it, including The Washington Post, SC Magazine, and Herald Times.

Jacob West, "Static source code analysis"

Wed, 16 Apr 2008 17:30:00 PDT

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution. Highlights include: * The most common security short-cuts and why they lead to security failures * Why programmers are in the best position to get security right * Where to look for security problems * How static analysis helps * The critical attributes and algorithms that make or break a static analysis tool We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.

Jack Jones, "Shifting focus: Aligning security with risk management"

Wed, 09 Apr 2008 17:30:00 PDT

With few exceptions, executive management doesn’t care about security. They care about risk. In this session, Jack will discuss the differences and share his experiences in taking the information security program at a Fortune 100 financial services company from a security focus to one of risk management. This presentation will cover why the change took place, how it took place (what worked and what didn’t), and the practical benefits that resulted.

Hao Chen, "Exploiting Opportunistic Scheduling in Cellular Data Networks"

Wed, 02 Apr 2008 17:30:00 PDT

Third Generation (3G) cellular networks utilize time-varying and location-dependent channel conditions to provide broadband services. They employ opportunistic scheduling to efficiently utilize spectrum under fairness or QoS constraints. Opportunistic scheduling algorithms rely on collaboration among all mobile users to achieve their design objectives. However, we demonstrate that rogue cellular devices can exploit vulnerabilities in opportunistic scheduling algorithms, such as Proprotional Fair (PF), to usurp the majority of time slots in 3G networks. Our simulations show that only five rogue device per 50-user cell can use up to 90% of the time slots, and can cause 2 seconds of end-to-end inter-packet transmission delay on VoIP applications for every user in the same cell, rendering VoIP applications useless. To defend against these attacks, we explore several detection and prevention schemes, including modifications to the PF scheduler and a secure handoff procedure. This is a joint with with Denys Ma, Radmilo Racic, and Xin Liu.

Sencun Zhu, "Towards Event Source Location Privacy in Wireless Sensor Networks"

Wed, 26 Mar 2008 17:30:00 PDT

For sensor networks deployed to monitor and report real events, event source location privacy is an attractive and critical security property, which unfortunately is also very difficult and expensive to achieve. This is not only because adversaries may attack against sensor source privacy through traffic analysis, but also because sensor networks are very limited in resources. In this talk, we will discuss the techniques we have developed for enhancing source location privacy in sensor networks under a global adversarial model. Specifically, we will propose the notion of statistically strong source anonymity, where carefully chosen dummy traffic will be introduced to hide the real event sources. In addition, several privacy-preserving mechanisms will be employed to drop dummy messages on their roads to the base station to prevent explosion of network traffic.

Daniel Hoffman, "Hacking the Mobile Workforce"

Wed, 05 Mar 2008 18:30:00 PST

Companies spend millions of dollars implementing security technologies to protect their corporate networks. Laptop computers and other mobile devices lose this protection once they leave the confines of the corporate office. This presentation will define mobility-related threats, show live hacks and define best security practices to address these risks, with a particular focus on Network Access Control and NAP technologies.

Buzz Walsh, "Managing Security Polarities"

Wed, 27 Feb 2008 18:30:00 PST

There is inherent tension between network performance and security. With the rapidly evolving drive for military and economic data being accessible via Service Oriented Architectures, the import of securing such data is increasing and the consequences for a security breach often are detailed in our daily media. Complex security architectures are maturing, but broad questions remain about how to certify or accredit the transactions occurring in Net-Centric Enterprise Services. This presentation does not propose a solution and is intended to motivate discussion, collaboration and directed research.

Ta-Wei "David" Wang, "Reading the Disclosures with New Eyes: Bridging the Gap between Information Security Disclosures and Incidents"

Wed, 20 Feb 2008 18:30:00 PST

This paper investigates the relationship between information security related disclosures in financial reports and the impacts of information security incidents through cross-sectional and cluster analysis. First, by drawing upon the theories of disclosures in the accounting literature, we examine the effect of the number of disclosures on stock price reactions to information security incidents from 1997 to 2006. Our findings suggest that first-time disclosed information security risk factors in financial reports can mitigate the impact of information security incidents on business value. Second, a cluster analysis is performed on the disclosures in financial reports before and after the incidents. The results demonstrate that companies react to information security incidents by disclosing additional and more specific risk factors in subsequent financial reports. A prediction model is also built to classify disclosures as a belonging to a firm reported in the as breached or non-breached. The model can correctly classify a disclosure with approximately 75% accuracy which help investors and auditors assess information provided by the firm. This paper not only contributes to the literature in information security and accounting but also sheds light on how managers can evaluate their information security policies and convey information security practices more effectively to the investors.

Myron Cramer, "Beyond the Enclave: Evolving Concepts in Security Architectures"

Wed, 13 Feb 2008 18:30:00 PST

This presentation discusses evolving concepts in security architectures. Current security architectures are based on the enclave architecture model. This model organizes and separates networked information systems into trusted, untrusted, and shared areas. Security components are located within these areas to provide the required security services based upon system requirements. While this model has many advantages in a basic client server business model, it has limitations with the evolving need to share information. This talk discusses the enclave security architecture and how it is implemented within enterprise networks. It also discusses information sharing needs that are difficult to meet within the constructs of the enclave as well as some of the security limitations of the enclave model. Potential solutions include incorporating new architectural concepts and new technologies to provide a greater variety of robust enterprise implementation options.

Anand Singh, "What are CSO's thinking about? Top information security initiatives for 2008 and beyond …"

Wed, 30 Jan 2008 18:30:00 PST

2006 and 2007 were seminal years which saw emergence of several information security threats and significant data breaches. The media focus on various incidents have made consumers much more aware of information security and hence, any significant security breach results in a significant loss of brand image. As a result, corporate boards are demanding more information security controls as a part of their risk management oversight. This has forced a rethink among the C-suite executives and has increased the importance of information security in their eyes. The CSO's are seeing an elevation in prestige and importance and are becoming empowered to contribute to the organizational strategy by defining information security as a part of organizational governance and risk management framework. The objectives of this talk are two fold. First, the focus will be on practical aspects of information security in most organizations. I will describe how Information Security is becoming a more central function and how the organizational roles and responsibilities are transforming as a result. Second, I will talk about the top information security initiatives for 2008 and what is driving those including examples and explanations of what transpired in several security breaches. Some of those initiatives are governance, wireless security, hardening of network infrastructure and data loss prevention. Throughout this talk, where applicable, I will also identify information security challenges that have not proven tractable in the hope that it will help inspire research ideas.

Edward W. Felten, "Electronic Voting: Danger and Opportunity"

Wed, 23 Jan 2008 18:30:00 PST

Electronic voting machines have made our elections less reliable and less secure, but recent developments offer hope of a better system in the future. Current research offers the hope of a future voting system that is more reliable and more secure than ever before, at reasonable cost, by combining high-tech and low-tech methods so that each can compensate for the weaknesses of the other. This talk will sketch what this future might look like, and will highlight some of the research that may make it possible.

Paul Syverson & Roger Dingledine, "Tor: Anonymous communications for government agencies, corporations, journalists... and you"

Wed, 16 Jan 2008 18:30:00 PST

What do the Department of Defense and the Electronic Frontier Foundation have in common? They have both funded the development of Tor (torproject.org), a free-software anonymizing network that helps people around the world use the Internet in safety. Tor's 1500 volunteer servers carry traffic for several hundred thousand users including ordinary citizens who want protection from identity theft and prying corporations, corporations who want to look at a competitor's website in private, law enforcement and government intelligence agencies who need to do operations on the Internet without being noticed, and aid workers in the Middle East who need to contact their home servers without fear of physical harm. We'll give an overview of the Tor architecture, and talk about why you'd want to use it, what security it provides, and policy and legal issues. Then we can open it up for discussion about open research questions, wider social implications, and other topics the audience wants to consider.

Eric Cole, "Security in a Changing World"

Wed, 09 Jan 2008 18:30:00 PST

While the world is constantly changing, the core principles of security have not changed that much, yet organizations are stilling be compromised. This talk will look at some of the problems in cyber space and some unique solutions for securing information.

Ventkat Venkatakrishnan, "CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations"

Wed, 28 Nov 2007 18:30:00 PST

SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this talk, I will present a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID that retrofits Web applications written in Java to defend them against SQL injection attacks. We report experimental results that show that our approach performs remarkably well in practice. (Joint work with Sruthi Bandhakavi, Prithvi Bisht and P. Madhusudan)

Steve Myers, Indiana University, "Wireless Router Insecurity: The Next Crimeware Epidemic"

Wed, 14 Nov 2007 18:30:00 PST

The widespread adoption of home routers by the general public has added a new target for malware and crimeware authors. A router's ability to manipulate essentially all network traffic coming in to and out of a home, means that malware installed on these devices has the ability to launch powerful Man-In-The-Middle (MITM) attacks, a form of attack that has previously been largely ignored. Making matters worse, many homes have deployed wireless routers which are insecure if the attacker has geographic proximity to the router and can connect to it over its wireless channel. However, some have downplayed this risk by suggesting that attackers will be unwilling to spend the time and resources necessary, nor risk exposure to attack a large number of routers in this fashion. In this talk, we will consider the ability of malware to propagate from wireless router to wireless router over the wireless channel, infecting large urban areas where such routers are deployed relatively densely. We develop an SIR epidemiological model, and use it to simulate the spread of malware over major metropolitan centers in the US. Using hobbyist collected wardriving data from Wigle.net and our model, we show the potential for the infection of tens of thousands of routers in short periods of time is quite feasible. We consider simple prescriptive suggestions to minimize the likelihood that such attacks are ever performed. Next, we show a simple yet worrisome attacks that can easily and silently be performed from infected routers. We call this attack 'Trawler Phishing'. The attack generalizes a well understood failure of many web-sites to properly implement SSL, and allows attackers to harvest credentials from victims over a period of time, without the need to use spamming techniques or mimicked, but illegitimate web-sites, as in traditional phishing attacks, bypassing the most effective phishing prevention technologies. Further, it allows attackers to easily form data-portfolios on many victims, making collected data substantially more valuable. We consider prescriptive suggestions and countermeasure for this attack. The work on epidemiological modeling is joint work with Hao Hu, Vittoria Colizza and Alex Vespignani. The work on trawler phishing is joint work Sid Stamm.

Richard Thieme, "Security, Soft Boundaries, and oh-so-subtle Strategies:How to Play Chess While the Board is Disappearing"

Wed, 07 Nov 2007 18:30:00 PST

Non-state and state intelligence are converging in a context of fluid boundaries. It is increasingly difficult to know who is inside and who is not. Creating a trusted network does not resolve the most critical security problems because those problems begin at the interface of the network and the human user. The identity and intention of that human user is critical, but that is often what is most difficult to discern. This emergent world of ambiguous boundaries and multiple identities challenges our models and descriptions of the playing field. Even with a program, we can't always tell the players, because both players and program are morphing. And it's worse than that: the ethical guidelines of the past, rooted in religious systems thousand of years old, are going through the looking-glass, too, along with the structures of spirituality and religion. Identity-shift applies to God and Self as well as the social and cultural structures in which they are embedded. This speech confronts the transformation of the structures in which we live, identifies some consequences of identity-shift, and distinguishes the business of security from the myths of the security business. It points to new ways to organize our lives that complement rather than replace traditional methods of defending electronic and human networks.

Abhilasha Bhargav-Spantzel, "Protocols and Systems for Privacy Preserving Protection of Digital Identity"

Wed, 31 Oct 2007 17:30:00 PDT

In order to support emerging online activities within the digital information infrastructure, such as commerce, healthcare, entertainment and scientific collaboration, it is increasingly important to verify and protect the digital identity of the individuals involved. Identity management systems manage the digital identity life cycle of individuals that includes issuance, usage and revocation of digital identifiers. Identity management systems have improved the management of identity information and user convenience; however they do not provide specific solutions to address protection of identity from threats such as identity theft and privacy violation. One major shortcoming of current approaches is the lack of strong verification techniques for management and protection of digital identifiers. Moreover current identity management systems do not consider neither biometric nor history-based identifiers. Both biometric and history-based identifiers are increasingly becoming an integral part of an individual's identity. Such types of identity data also need to be used with other digital identifiers and protected against misuse. In this presentation I introduce a number of techniques that address the above problems. The approach is based on the concept of privacy preserving multi-factor identity verification. The main technique consists of verifying multiple identifier claims of an individual, without revealing extraneous identity information. A distinguishing feature of our approach is that we employ identity protection and verification techniques at all stages of the identity life cycle. In addition we develop techniques to use biometrics in a secure and privacy preserving manner. We also enhance our approach with the use of history-based identifiers.

George Heron, "Secure Virtualization"

Wed, 24 Oct 2007 17:30:00 PDT

The potential for security to be tightly integrated into virtual machine technology is an exciting prospect. Not only does virtualization offer IT departments the opportunity to reduce costs, but it also offers increased agility. Now that application vendors are coming to understand the benefits of virtual machine technology, the technical world has also started to take note of supplementary services, such as security products and functions, which can also reside in these virtualized environments. Heron will discuss the future of security in virtualized environments and how IT professionals can take a Security Risk Management (SRM) approach to securing their virtual machines.

Srdjan Capkun, "From Securing Navigation Systems to Securing Wireless Communication"

Wed, 17 Oct 2007 17:30:00 PDT

Recent rapid development of wireless networks of sensors, actuators and identifiers dictates the digitalization of our physical world and the creation of the "internet of things". In this new internet, each wireless device will sense and provide contextual information, of which crucial component are locations of devices and objects. In this talk, we present recent research results in secure computation and verification of locations of wireless devices: we show that current localization systems are highly vulnerable to attacks and we demonstrate that out solutions can prevent these attacks. We further illustrate how location-awareness can help in solving some of the fundamental security challenges of wireless networks, e.g., enabling authenticated and confidential communication without pre-shared keys of credentials.

Neil Daswani, "What Every Engineer Needs To Know About Security And Where To Learn It"

Wed, 10 Oct 2007 17:30:00 PDT

This talk discusses how engineers can go about learning what they need to know to prevent the most significant emerging data security vulnerabilities, and the impact these vulnerabilities are having on electronic commerce. I'll review how attacks such as XSRF (Cross-Site-Request-Forgery) and SQL Injection work, and how to defend against them. I'll present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security. Finally, I'll discuss the current state of security education, and provide pointers to certification programs, books, and organizations where engineers can learn more.

David Ehinger, "The Effect of Rootkits on the Corporate Environment"

Wed, 26 Sep 2007 17:30:00 PDT

Jill Frisby, "Protecting Data Privacy: A Practical Guide to Managing Risk"

Wed, 19 Sep 2007 17:30:00 PDT

Protecting valuable information assets, including personal data about employees, students, customers, and medical patients, is an enterprise-wide responsibility. Like all components of good corporate governance, it begins with senior leadership establishing a culture of awareness about the importance of safeguarding these assets, and extends through coordinated actions among all business units, divisions, and departments. When creating data privacy programs, organizations should align them with their strategic enterprise risk management objectives and follow a top-down approach to achieve the greatest benefit. This presentation will focus on a practical approach to data privacy, that seeks to understand the business needs for data and align a data privacy protection program to those needs. Effective programs prevent companies from ending up in the news, disclosing a data loss, by enabling its employees to stay vigilant for situations where data may be at risk. Topics to be discussed include: * The Goals of an Effective Data Privacy Program * Current Data Privacy Landscape * Common Privacy Program Pitfalls * Key Components of a Successful Data Privacy Program * The Top Down Data Privacy Risk Assessment * Data Privacy Roles and Responsibilities * High Level Roadmap and Ideas to Consider for Future Strategy

Ron Buskey, " Security issues within embedded software development"

Wed, 12 Sep 2007 17:30:00 PDT

Software development processes and tools used for small communication devices have changed significantly over the years. Some of these practices and processes have resulted in improvements in quality and time to market for their target products, but in some cases have unintended results for the security and trustedness of those same products. This talk will look at several of these practices and approaches that can drive improvements in quality and productivity metrics for embedded communication software development teams yet create vulnerabilities and/or weaken the security architecture for those products.

Yvo Desmedt, "Applying Recreational Mathematics to Secure Multiparty Computation"

Wed, 05 Sep 2007 17:30:00 PDT

The problem of a mice traveling through a maze is well known. The maze can be represented using a planar graph. We present a variant of the maze. We consider a grid vertex colored planar graph in which an adversary can choose up to t colors and remove all vertices that have these colors and their adjacent edges. We call the grid in which these vertices and adjacent edges are removed a reduced grid. The problem is that a mice must be able to move in the reduced grid from the first row to the last row, and from the first column to the last column, and this for all possible reductions. We present three types of solutions to construct such grids. The efficiency of these solutions is discussed. The problem finds its origin in the problem of secure multiparty computation. Imagine going to a medical doctor in Iraq who needs to prescribe some medication, which might be counterindicated. The typical solution is to disclose all medical records to the doctor. If secure multiparty computation would be used, the medical doctor in Iraq only learns from the distributed medical databases whether the medication is, or is not, counterindicated. We consider the problem of parties each having a secret belonging to a non-abelian group. The parties want to compute the product of these secrets without leaking anything that does not follow trivially from the product. Our solution is black box, i.e., independent of the non-abelian group. This has applications to threshold block ciphers and post-quantum cryptography.

Klemens Boehm, "Towards Effective and Efficient Behavior-based Trust Models"

Wed, 29 Aug 2007 17:30:00 PDT

Trust models have been touted to facilitate cooperation among unknown entities. In our current work, we are interested in behavior-based trust models, i.e., models that derive the trustworthiness of an entity from its behavior in previous interactions. Existing proposals in this field typically feature one specific trust model. Further, various publications exist which have proposed different centrality measures to rank individuals, i.e., compute their reputation based on feedback, and have demonstrated their effectiveness in certain (rather specific) situations. This presentation in turn proposes a framework for behavior-based trust models for open environments with the following distinctive characteristic. Based on a relational representation of behavior-specific knowledge, we propose a trust-policy algebra allowing for the specification of a wide range of trust policies. Since the evaluation of the standing of an entity requires centrality indices, we propose a first-class operator of our algebra for their computation. The presentation concludes with an objective comparison of the effectiveness of the various centrality measures in reputation systems.

Bill Horne, "Role Discovery"

Wed, 22 Aug 2007 17:30:00 PDT

The first step in migrating to a role based access control (RBAC) system, is role development, in which teams of people meticulously define sets of roles that meet the needs of an organization's security and business requirements. Because it is so labor intensive, role development is the most expensive step in migrating to RBAC. In this talk, I will describe an approach called role discovery to help assist with the role development process. We attack the problem by finding simplifications of a bipartite graph that models the existing access control rules. Biclique covers of this graph are a fundamental tool in our approach. I will describe some of the theoretical background of this problem as well as some experimental results testing the approach on several real-world datasets.

Umut Topkara, "Passwords Decay, Words Endure: Towards Secure and Re-usable Multiple Password Mnemonics"

Wed, 25 Apr 2007 17:30:00 PDT

Human aspects of information security were identified at the early stages in the history of time shared computing. The recent surge in attacks that exploit security vulnerabilities involving human factors have also put them under the spotlight of various research fields including human-computer interaction, information security and cognitive science. The human centered vulnerabilities involve an interplay of a broad range of actors from Information Technology specialists (who might mis-configure the security hardware and software or enforce impractical security policies) to end users (who might have a poor understanding of good security practices or not know the possible impact of weak security). This talk will focus on human aspects of authentication mechanisms. I will present two methods that we have developed to reinforce the security of existing systems by improving their usability. Previous studies have repeatedly shown that users find it taxing to remember truly random passwords. Many users choose easy to guess --therefore not secure-- passwords, since they require the least effort to recall. Experienced users adopt "mnemonic phrases" to generate and easily recall more secure passwords. However, regularity in the human languages may render such passwords vulnerable against a brute force attack. In the first part of the talk, I will present a method that we developed to automatically generate mnemonic phrases which can yield secure passwords in an effort to increase the usability of text password authentication. Many computer users need to remember a multiplicity of usernames and passwords for different systems, and the users tend to reuse passwords across these systems which may have different security guarantees. In such cases remembering a different mnemonic phrase for each password does not scale and quickly becomes a challenging task. In the second part of the talk, I will present a scheme that helps the users remember a multiplicity of truly random passwords. The new scheme is applicable to an existing password authentication system without any modification, as it does not require any form of involvement from the service provider (e.g., bank, brokerage). Nor does it require the user to have any computing device at hand (not even a calculator). The scheme is such that changes to passwords do not necessitate a change in what the user remembers. Hence, passwords can be frequently changed without any additional burden on the memory of the user, thereby increasing the system's security.

Mercan Topkara, "Hiding the Message Behind the Words: Advances in Natural Language Watermarking"

Wed, 18 Apr 2007 17:30:00 PDT

The Internet has become one of the main sources of knowledge acquisition, harboring resources such as online newspapers, web portals for scientific documents, personal blogs, encyclopedias, and advertisements. It has become a part of our daily life to search and access this immense amount of online information, and more recently we have also started to contribute to this pool of information our own creativity in the form of text, images and video. Unfortunately, it is still an open question as to how we, as authors, can control the way that the information we create is distributed or re-used. Rights management problems are serious for text since it is much easy for other people to download and manipulate copyrighted text from Internet and later re-use it free from control. There is a need for a rights protection system that ``travels with the content''. Digital watermarking is an information hiding mechanism that embeds the copyright information in the document. Besides traveling with the content of the documents, digital watermarks are also imperceptible (i.e., seamless) to the user, which makes the process of removing them from the document challenging. Using linguistic features for information hiding into natural language text is an exciting and new idea. This talk begins with a short survey of existing technologies in natural language watermarking, and then focuses on a recently developed natural language watermarking system that is practical, easy-to-use and provides resilience to attacks through the use of ambiguity in natural language. The talk is aimed for a general audience, and will be self-contained covering the necessary background information.

Dr. Charles P. Pfleeger, "Dumb Ideas in Computer Security"

Wed, 11 Apr 2007 17:30:00 PDT

Every profession goes through mistakes and unwise steps, especially in its early years. It is through trial and error that leaders and innovators of the profession are able to advance knowledge. Computer security is no exception. Both insiders' and outsiders' choices have held back and even harmed the state of computing. Of course, hindsight is usually more accurate than foresight. This talk picks a handful of ideas that in retrospect have turned out dumb, ideas such as compound complexity, single-state hardware, downloaded code, and incomplete mediation. For each idea we will see from where the idea came, why it is unwise, and why we should have known better. From these examples, we will see how better choices can be made in the future.

Dr. Albert M. K. Cheng, "Automatic Debugging and Verification of RTL-Specified Real-Time Systems via Incremental Satisfiability Counting and On-Time and Scalable Intrusion Detection in Embedded Systems"

Wed, 28 Mar 2007 17:30:00 PDT

Abstract 1: Real-time logic (RTL) is useful for the verification of a safety assertion with respect to the specification of a real-time system. Since the satisfiability problem for RTL is undecidable, the systematic debugging of a real-time system appears impossible. With RTL, each propositional formula corresponds to a verification condition. The number of truth assignments of a propositional formula can help us determine the specific constraints which should be added or modified to derive the expected solutions. This talk describes this debugging approach and how it can be embedded into autonomous systems. We have implemented a tool called ADRTL for automatic debugging of RTL specifications. The confidence of our approach is high as we have effectively evaluated ADRTL on several existing industrial applications, including the NASA X-38 Crew Return Vehicle avionics. Abstract 2: Embedded systems are becoming ubiquitous and are increasingly interconnected or networked, making them more vulnerable to security attacks. A large class of these systems such as SCADA and PCS has real-time and safety constraints. Therefore, in addition to satisfying these requirements, achieving system security emerges as a critical challenge to ensure that users can trust these embedded systems to perform correct operations. One objective in a secure system is to identify attacks by detecting anomalous system behaviors. This part of the talk describes the challenges in the design and implementation of such intrusion detection system (IDS), addressing (1) accuracy: the IDS identifies no or as few false positives as the resource (time, space, power, etc.) and/or policy constraints allow, and no or as few false negatives as the resource and/or policy constraints allow; (2) efficiency/timeliness: the IDS does not violate the host embedded system's application deadlines and has a reasonable space overhead; (3) scalability: the IDS can scale to work with large embedded systems; and (4) power-awareness: the IDS does not significantly reduce the operational period of battery-powered embedded systems. We conclude with an outline of one of several promising embedded IDS approaches under investigation. This approach is based on automatic rule-base generation and semantic analysis.

Dan Geer, "A quant looks at the future"

Wed, 21 Mar 2007 17:30:00 PDT

If there is a difference between information and bits we had better find it soon. The bit-count is bounding upward, no one dares throw anything away, and once "search" supplants "organize" there is no going back. Information may or may not want to be free, but it wants to be in motion, so much so that ISPs see their future in movie rentals and the speed of light determines how far away your trade submission servers can be from the Exchange and still do micro-arbitrage. Like a gas, information has to be collected, purified, and compressed to be of value, so any leak, impurity, or loss of containment is a loss of value, per se. The street price of drugs has a more stable floor than the street price of stolen data, the percentage of attack tools that are privately held is rising, and the workfactor for information defense is the integral of the workfactor for information offense, yet we do not have the quantitative tools to value our information. That is possibly the key -- quantitative information risk management that is on par with quantitative financial risk management.

Eugene Schultz, "Intrusion Detection Event Correlation: Approaches, Benefits and Pitfalls"

Wed, 07 Mar 2007 18:30:00 PST

Over the years intrusion detection technology has improved to the point that it is highly useful to both the commercial and non-commercial sector. This technology is, however, by no means anything close to perfect. Even the best intrusion detection systems miss a fairly large proportion of attacks that occur; they also tend to yield unacceptably high false alarm rates. Correlating the output of multiple systems and devices is a promising solution for the limitations in today's intrusion detection systems. There have been numerous advances in intrusion detection event correlation, yet this technology lags behind intrusion detection technology. How events are correlated makes a big difference concerning the value of event correlation. This talk will cover the various approaches to event correlation as well as their advantages and disadvantages.

Bhavani Thuraisingham, "Assured Information Sharing between Trustworthy, Semi-trustworthy and Untrustworthy Coalition Partners"

Wed, 28 Feb 2007 18:30:00 PST

Data mining is the process of posing queries and extracting patterns, often previously unknown from large quantities of data using pattern matching or other reasoning techniques. Data mining has many ap-plications in security including for national security as well as for cyber security. The threats to national security include attacking buildings, destroying critical infrastructures such as power grids and telecom-munication systems. Data mining techniques are being investigated to find out who the suspicious people are and who is capable of carrying out terrorist activities. Cyber security is involved with protecting the computer and network systems against corruption due to Trojan horses, worms and viruses. Data mining is also being applied to provide solutions such as intrusion detection and auditing. The first part of the presentation will discuss my joint research with Prof. Latifur Khan and our students at the University of Texas at Dallas on data mining for cyber security applications For example; anomaly detection techniques could be used to detect unusual patterns and behaviors. Link analysis may be used to trace the viruses to the perpetrators. Classification may be used to group various cyber attacks and then use the profiles to detect an attack when it occurs. Prediction may be used to determine potential future attacks depending in a way on information learnt about terrorists through email and phone conversations. Data mining is also being applied for intrusion detection and auditing. Other applications include data mining for malicious code detection such as worm detection and managing firewall policies. This second part of the presentation will discuss the various types of threats to national security and de-scribe data mining techniques for handling such threats. Threats include non real-time threats and real-time threats. We need to understand the types of threats and also gather good data to carry out mining and obtain useful results. The challenge is to reduce false positives and false negatives. The third part of the presentation will discuss some of the research challenges. We need some form of real-time data mining, that is, the results have to be generated in real-time, we also need to build models in real-time for real-time intrusion detection. Data mining is also being applied for credit card fraud de-tection and biometrics related applications. While some progress has been made on topics such as stream data mining, there is still a lot of work to be done here. Another challenge is to mine multimedia data including surveillance video. Finally, we need to maintain the privacy of individuals. Much research has been carried out on privacy preserving data mining. In summary, the presentation will provide an overview of data mining, the various types of threats and then discuss the applications of data mining for malicious code detection and cyber security. Then we will discuss the consequences to privacy.

Howard Schmidt, "Cyber Security and the "NEW" world enterprise"

Wed, 21 Feb 2007 18:30:00 PST

As cyber security has evolved in the new world of distributed computing there have been dramatic changes to the nature of our security needs. Mr. Schmidt will talk about issues that affect large enterprises, small and medium business and end users. He will talk about common threats, and the possibility of frameworks which would protect ourselves, our civil rights and our privacy while ensuring improved security.

Stuart Shapiro, "Scenario-Driven Construction of Enterprise Information Policy"

Wed, 07 Feb 2007 18:30:00 PST

Information policy at the enterprise level is invariably an exercise in gaps and inconsistencies. The range of concerns—including security—is broad, the environment tends to be heterogeneous and dispersed, the contextual scope is significant, and the stakeholders are numerous. MITRE ran headlong into this problem as it set about conceiving and implementing a new enterprise IT architecture, with questions increasingly raised regarding what policies the new architecture had to be capable of supporting. The MITRE Information Policy Framework (MIPF) is the mechanism MITRE developed to answer these questions. The MIPF supports systematic, structured analysis and formulation of information policy in five areas: security, privacy, management, stewardship, and sharing. This presentation will discuss the structure and use of the MIPF, with an emphasis on security requirements.

Chris Clifton, "Mathematically Defining Privacy"

Wed, 31 Jan 2007 18:30:00 PST

Computer systems ease the sharing and use of information, but accessibility of information leads to privacy concerns. Technology is being developed to address this issue - enabling use of information while controlling the disclosure. But is this enough to protect privacy? How do we even know if it is enough? This talk will survey recent developments in privacy and anonymity technology, emphasizing the variety of privacy definitions, their benefits, and their weaknesses.

Wojciech Szpankowski, "WHAT IS INFORMATION?"

Wed, 24 Jan 2007 18:30:00 PST

Information permeates every corner of our lives and shapes our universe. Understanding and harnessing information holds the potential for significant advances. The breadth and depth of underlying concepts of the science of information transcend traditional disciplinary boundaries of scientific and commercial endeavors. Information can be manifested in various forms: business information is measured in dollars; chemical information is contained in shapes of molecules; biological information stored and processed in our cells prolongs life. So what is information? In this talk we first attempt to identify the most important features of information and define it in the broadest possible sense. We subsequently turn to the notion and theory of information introduced by Claude Shannon in 1948 that served as the backbone for digital communication. We go on to bridge Shannon information with Boltzmann's entropy, Maxwell's demon, Landauer's principle and Bennett's irreversible computations. We point out, however, that while Shannon created a successful and beautiful theory of information for communication, a wide spread application of information theory to economics, biology, life science and complex networks seems to be still awaiting us. We shall discuss some examples that recently crop up in biology, chemistry, computer science, and quantum physics. We conclude with a list of challenges for future research. We hope to put forward some educated questions, rather than answers, to the issues and tools that lay before researchers interested in information.

Vipin Swarup, "Research Challenges in Assured Information Sharing"

Wed, 17 Jan 2007 18:30:00 PST

Assured information sharing has been a "grand challenge" problem of information security for several decades. Currently, there is broad consensus that the state-of-practice of information sharing is inadequate. One primary problem is that people on the field (e.g., soldiers, firefighters) have mission-critical need for sensitive information but are often among the least trusted principals in their organizations and hence do not receive the information. Another problem is that data producers claim ownership of the data they produce and place sharing constraints on that data despite the competing interests of multiple parties over that data. In this talk, we highlight these and other problems and discuss a wide range of technical solutions that are needed. We elaborate on the need to balance the risks of sharing data with the risks of not sharing data and present several proposed approaches for doing so. We also describe how obligation policies play an important role in addressing some information sharing issues.

Virginia Rezmierski, "Computer-Related Incidents: Factors Related to Cause and Prevention"

Wed, 10 Jan 2007 18:30:00 PST

Computer-related incidents that have the potential to destabilize, violate, or damage, the resources, services, policies, or data of the community or individual members of the community are happening in increasing numbers. Despite the news, we know that they are happening not just in academia which has been painted as insecure and wide-open, but in corporate and not-for-profit environments as well. We have inclinations about what is causing these incidents, but now we also have facts. While we look for technical fixes to the problems, the real factors that are related to the cause of these incidents may not be technical at all, but rather human. This presentation will discuss the "Computer Incident Factor Analysis and Categorization Project", CIFAC, which was carried on at the University of Michigan under funding from the National Science Foundation. Dr. Rezmierski will present the project findings and will discuss what they mean for colleges, universities, corporations, not-for-profit organizations and individuals. The presentation will include discussion of actual incidents, the statistical methodology and findings, and the recommendations put forward by the researcher team.

Marc Rogers, " The Psychology of Computer Deviance: How it can assist in digital evidence analysis."

Wed, 06 Dec 2006 18:30:00 PST

The talk will look at the phenomenon of deviant computer behavior and how understanding the individuals who engage in this behavior can benefit digital evidence investigations. A brief overview of the current research on computer deviance will be presented. An investigative process model will also be introduced that will assist in the investigation and analysis of computer crimes.

Dongyan Xu, "OS-Level Taint Analysis for Malware Investigation and Defense"

Wed, 29 Nov 2006 18:30:00 PST

The Internet is facing threats from increasingly stealthy and sophisticated malware. Recent reports have suggested that new computer worms and malware deliberately avoid fast massive propagation. Instead, they lurk in infected machines and inflict contaminations over time, such as rootkit and backdoor installation, botnet creation, and data/identity theft. In defense against Internet malware, the following tasks are critical: (1) raising timely alerts to trigger a malware investigation, (2) determining the break-in point of malware, i.e. the vulnerable software via which the malware initially infiltrates the victim, and (3) identifying all contaminations inflicted by the malware during its residence in the victim. In this talk, I will present Process Coloring, an information flow-preserving, provenance-aware approach to malware investigation. In particular, I will demonstrate that through the preservation and tainting of malware break-in provenance along OS-level information flows, malware investigators will be able to improve the efficiency and effectiveness of existing log-based intrusion investigation tools. Furthermore, process coloring brings the new capability of runtime malware alert, which cannot be achieved by existing log-based tools. I will also present results of our experiments with a number of real-world Internet worms as well as a highly tamper-resistant implementation of process coloring using virtualization-based techniques.

Richard Power, "One Step Forward, Two Steps Back, or Two Steps Forward, One Step Back: A Ten Year Retrospective on Cyber Crime and Cyber Security (1996-2006)"

Wed, 15 Nov 2006 18:30:00 PST

This presentation explores the evolution of cyber crime and cyber security as global issues over the past decade. It examines the growth of cyber bank robbery, cyber extortion, identity theft, economic espionage, denial of service, cyber vandalism, cyber stalking and other criminal endeavors. It also sheds a harsh light on corporate and government response to these problems: technologies, organization, professional issues, awareness and education, etc. The presentation includes a compelling timeline, explores fascinating case studies and also provides real-world cyber security recommendations for governments, businesses and families.

David Zage, "Mitigating Attacks Against Measurement-Based Adaptation Mechanisms in Unstructured Multicast Overlay Networks"

Wed, 08 Nov 2006 18:30:00 PST

Many multicast overlay networks maintain application-specific performance goals such as bandwidth, latency, jitter and loss rate by dynamically changing the overlay structure using measurement- based adaptation mechanisms. This results in an unstructured overlay where no neighbor selection constraints are imposed. Although such networks provide resilience to benign failures, they are susceptible to attacks conducted by adversaries that compromise overlay nodes. Previous defense solutions proposed to address attacks against overlay networks rely on strong organizational constraints and are not effective for unstructured overlays. In this work, we identify, demonstrate and mitigate insider attacks against measurement-based adaptation mechanisms in unstructured multicast overlay networks. The attacks target the overlay network construction, maintenance, and availability and allow malicious nodes to control significant traffic in the network, facilitating selective forwarding, traffic analysis, and overlay partitioning. We propose techniques to decrease the number of incorrect or unnecessary adaptations by using outlier detection. We demonstrate the attacks and mitigation techniques in the context of a mature, operationally deployed overlay multicast system, ESM, through real- life deployments and emulations conducted on the PlanetLab and DETER testbeds, respectively.

Paula DeWitte, "Developing an Operational Framework for Integrated System Security"

Wed, 01 Nov 2006 18:30:00 PST

Systems are composed of multiple complex levels including the physical infrastructure, personnel or “humans-in-the-loop”, administration policies and procedures, computers, networks, and the communication protocols for connectivity that tie the system into a workable unit. Each aspect is in itself a complex system. When we consider system security, we tend to focus on the electronic components—the connectivity, computers, and network—over the non-electronic. Although we rigorously implement security in the various system components, the security is rarely integrated across the boundaries of the entire system spectrum. We tend to implement security on the distinct levels of the system without considering the impact or interaction with other system levels. For example, we may fully implement encryption, passwords, and firewalls and feel that our electronic systems are secure, while the weakest link may be staff members who fall victim to social engineering techniques and unknowingly reveal sufficient information to allow a perpetrator to circumvent our best security. Or we may have fortified computer systems and well trained personnel, but neglect the fact that we are being monitored through the building’s walls, floors, and windows. Without true understanding of the nature of the interactions of the system, we cannot fully understand how vulnerabilities in one level of the system such as the physical infrastructure can be exploited to allow attacks on another level such as the computer networks. By taking advantage of these vulnerabilities, perpetrators are able to circumvent even the most effective computer and network security, breach that security, and achieve their goals. We only need to consider the current challenges of insider threats or threats from coordinated attacks on the physical infrastructure and the computer networks to appreciate the need for better integrated system security. Our goal is to provide analytical tools for the real world, focusing on the decision makers who implement security policies across the system spectrum. Further, to be effective, these analytical tools must be implemented within an organizing framework that provides both an integrated view of security as well as the insight and understanding necessary to make effective security issues. This necessitates the development of step-by-step processes for analyzing and implementing security decisions. While this may seem to be a soft and less complete technical solution, it is actually implementing technology at the highest level because of the integration required to address each aspect of the system as well as the multi-disciplinary approach blending computer science, engineering, psychology, linguistics, and management in developing such analytic tools. This presentation will discuss work in progress in developing these analytical tools as well as the overarching framework for implementing integrated system security. Our intention is to understand “what can be” or “what could happen”. With this insight, they can more effectively provide prevention, protection, or remediation strategies.

Qihua Wang, "Beyond Separation of Duty: An Algebra for Specifying High-level Security Policies"

Wed, 25 Oct 2006 17:30:00 PDT

A high-level security policy states an overall requirement for a sensitive task. One example of a high-level security policy is a separation of duty policy, which requires a sensitive task to be performed by a team of at least k users. It states a high-level requirement about the task without the need to refer to individual steps in the task. While extremely important and widely used, separation of duty policies state only quantity requirements and do not capture qualification requirements on users involved in the task. This talk will introduce a novel algebra that enables the specification of high-level policies that combine qualification requirements with quantity requirements motivated by separation of duty considerations. A high-level policy associates a task with a term in the algebra and requires that all sets of users that perform the task satisfy the term. The syntax and semantics of the algebra, as well as the algebraic properties of its operators will be presented. The talk will also discuss results for computational problems related to the algebra and compare the algebra with regular expressions.

Nitin Khanna, "Forensics Characterization of Printers and Image Capture devices"

Wed, 18 Oct 2006 17:30:00 PDT

The falling cost and wide availability of electronic devices have led to their widespread use by individuals, corporations, and governments. These devices, such as computers, cell phones, digital cameras, and printers, all contain various sensors which generate data that are stored or transmitted to another device. One example of this is a security system containing a network of video cameras, temperature sensors, alarms, computers, and other devices. In such a network, it is important to be able to trust the data from each of these sensors. Forensic techniques can be used to uniquely identify each device using the data it produces. This is different from simply securing the data being sent across the network because we are also authenticating the sensor that is creating the data. Forensic characterization of a device allows identification of the type of device, make, model, configuration, and other characteristics based solely on observation of the data that the device produces. These characteristics that uniquely identify a device are called device signatures. As an example, the noise characteristics in a digital image can be used as a signature of the camera that produced it. Similarly, the ‘‘noise’’ characteristics of a print engine can be used as a signature of the printer that generated a document. This talk will present current research and techniques for forensic characterization of printers and image capture devices such as digital cameras and scanners.

Nora Rifon, "Network Security Begins at Home: Changing Consumer Behavior for i-Safety"

Wed, 11 Oct 2006 17:30:00 PDT

Virus and worm attacks that spread through holes in popular consumer software emphasize the role the online public must play in preserving the safety and integrity of the Internet. To protect the network commons, more users must engage in safe online behavior by such actions as controlling their private information, updating software security patches, downloading protective software, and filtering their email. While network security remains an abstract notion to the general public, online consumers can understand the issue in terms of their personal privacy behavior, actions that result in the undesired disclosure of information and unwanted intrusions on their personal cyberspace. In her talk, Professor Rifon will discuss a social-psychological approach to understanding Internet user privacy and security safety related behaviors.

Danfeng Yao, "Verification of Integrity for Outsourced Content Publishing and Database Queries"

Wed, 04 Oct 2006 17:30:00 PDT

In outsourced content publishing, the data owner gives the content to a service provider who answers requests from users. Similarly, in outsourced databases, the data owner delegates a service provider to answer queries. Outsourcing enables fast and fault-tolerant delivery of information. However, since service providers in outsourced systems may not be trusted by users, the user needs to verify the integrity of information obtained. First, I present a cryptographic solution for the verification of pseudonymized documents. A document can be pseudonymized by the service provider on the fly, based on the data owner's policies and the user's access permissions. Our pseudonym protocol is simple and efficient, and only requires the data owner to prepare and sign the document once. Second, I present a solution for integrity verification of database aggregate queries, such as sum and max. We design proofs of correctness and completeness of aggregate results. What makes the problem challenging is that individual data entries may be sensitive (such as in medical databases), and should not be revealed to the user. We give cryptographic protocols to support verification of query results in a privacy-preserving fashion.

Ravi Sandhu, "The Secure Information Sharing Problem and Solution Approaches"

Wed, 27 Sep 2006 17:30:00 PDT

The secure information sharing problem is one of the oldest and most fundamental and elusive problems in information security. Mission objectives dictate that Information must be shared and made available to authorized recipients, and yet information must be protected from leakage and subversion by malicious insiders and malicious software. The doctrine of "share but protect" indicates the inherent conflict in achieving effective secure information sharing. In this talk we demonstrate the complexity and richness of the secure information sharing problem space. We then identify some "sweet spots" that appear promising in their practical benefit and feasibility of solutions. We describe the PEI models approach to decompose security problems into the three layers of policy models (topmost), enforcement models (middle), and implementation models (bottom). We discuss how this approach can be applied to the secure information sharing problem. Finally we indicate how modern trusted computing technology can be used to solve important variations of this problem.

Gene Kim, " Prioritizing Processes and Controls for Effective and Measurable Security"

Wed, 20 Sep 2006 17:30:00 PDT

Are your security & IT controls really effective? Do you know how your security & IT operations compare to high performers? In this presentation, Gene Kim will share the work he has been doing over the last six years with the IT Process Institute (ITPI), Software Engineering Institute, and Institute of Internal Auditors, codifying the observed practices of high-performing IT organizations. These high performers have a culture of change management, a culture of causality and a perpetual desire to detect variance before it causes a catastrophic event. Specifically, Gene will discuss the ITPI IT Controls Benchmarking Survey of practice, a recently completed research project which has quantified the value, effectiveness, efficiency and security of controls. This landmark research has uncovered an alternative approach to being an effective security executive, based on measuring security by its ability to maintain its existing commitments; integrate controls into daily IT operations (prevent); put automated controls in place to variance before loss events (detect); reduce the percent of security incidents that result in loss events (detect); and successfully investigate and conclude security investigations. Attendees will learn about the key research findings: * That high performers have 5-8x higher operational and security effectiveness and efficiency measures * The 20% of IT controls that have 80% of the measurable benefits, and how to implement and the prescriptive steps to take in order to achieve defined security results * The certain processes and controls that have shown catalytic and sustaining properties, meaning that the value they add demonstrably exceeds the cost to implement, and report out on them.

Hyogon Kim, "Real-Time Visualization of Network Attacks on High-Speed Links"

Wed, 13 Sep 2006 17:30:00 PDT

In this talk, we will see that malicious traffic flows such as denial-of-service attacks and various scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting a packet using its source IP address, destination IP address, and the destination port in a 3-dimensional space graphically reveals ongoing attacks. Leveraging this property, combined with the fact that only three header fields per each packet need to be examined, a fast attack detection and classification algorithm can be devised.

Ed Finkler, "A Multi-layered Approach to Web Application Defense"

Wed, 06 Sep 2006 17:30:00 PDT

Defending against attacks on a web application is by nature is complex process, one that must address everything from coding practices to user management to network architecture. This talk will describe a number of techniques that, used in concert, will make your web app a much tougher cookie to crack. Primary focus will be on open-source "XAMP" setups, but the concepts should be applicable to most other systems.

Sid Stamm, "Invasive Browser Sniffing and Countermeasures"

Wed, 30 Aug 2006 17:30:00 PDT

We describe the detrimental effects of browser cache/ history sniffing in the context of phishing attacks, and detail an approach that neutralizes the threat by means of URL personalization; we report on an implementation performing such personalization on the fly, and analyze the costs of and security properties of our proposed solution.

Ehab Al-Shaer, Ph.D., "Toward Autonomic Security Policy Management"

Wed, 23 Aug 2006 17:30:00 PDT

The assurance of network security is dependent not only on the protocols but also on polices that determine the functional behavior of network security devices. Network security devices such as Firewalls, IPSec gateways, IDS/IPS operate based on locally configured access control policies. However, the complexity of managing security polices, particularly in enterprise networks, poses many challenges for deploying effective security. For example, security policies are usually configured in isolation from each other, even though they are not necessarily independent as they interact with each other to form the global security policy. As a result of such ad-hoc management, policy inconsistencies and network vulnerability are created. In addition security policy might grow in size causing a significant performance overhead in security devices. A major performance gain can be achieved if policies can be dynamic optimized to adapt to traffic properties (called traffic-aware policy optimization). This talk will explain these challenges and present the recent research results in the area of automated verification, and optimization of network security polices.

Virgil D. Gligor, "On the Evolution of Adversary Models for Security Protocols - from the Beginning to Sensor Networks"

Tue, 25 Apr 2006 22:00:00 PDT

Invariably, new technologies introduce new vulnerabilities which, in principle, enable new attacks by increasingly potent adversaries. Yet new systems are more adept at handling well-known attacks by old adversaries than anticipating new ones. Our adversary models seem to be perpetually out of date: often they do not capture adversary attacks enabled by new vulnerabilities and sometimes address attacks rendered impractical by new technologies. In this talk, I provide a brief overview of adversary models beginning with those required by program and data sharing technologies, continuing with those required by computer communication and networking technologies, and ending with those required by mobile ad-hoc and sensor network technologies. I argue that mobile ad-hoc and sensor networks require new adversary models (e.g., different from those of Dolev-Yao and Byzantine adversaries). I illustrate this with adversaries that attack perfectly sensible and otherwise correct protocols of mobile ad-hoc and sensor networks. These attacks cannot be countered with traditional security protocols as they require emergent security properties.

John Black, "Recent Attacks on MD5"

Tue, 18 Apr 2006 22:00:00 PDT

Cryptology is typically defined as cryptography (the construction of cryptographic algorithms) and cryptanalysis (attacks on these algorithms). Both are important, but the latter is more fun. Cryptographic hash functions are one of the core building blocks within both security protocols and other application domains. In the last few decades a wealth of these functions have been developed, but the two in most widespread usage are MD5 and SHA1. Recently, there has been a great deal of activity regarding the cryptanalysis of MD5. We survey the recent attacks on the MD5 hash function from the modest progress in the mid 90s to the startling recent results instigated by Xiaoyun Wang. We will look at the details of these attacks, some recent improvements, two applications, and discuss the current outlook on cryptographic hashing.

David Carroll, "Identity Management Strategies and Integration Perspectives"

Tue, 11 Apr 2006 22:00:00 PDT

For large government agencies and corporations there can be significant value in the use of identity, access, and rights management infrastructures or IDM. The organizations investment in directory services, authorization services, rights management, and public key systems all combine to form a sometimes complex infrastructure. The products that are deployed may be based upon standards such as WS-Security, SAML, and X509.3 but many are still hampered by proprietary vendor implementation, lack of understanding of the capability of the technology as it relates to business process, or unwise architectural decisions. This seminar will focus on how the models for IDM are maturing and comment on how the urgency to deploy solutions changes when combined with service oriented architecture. The seminar will give practical examples from the experience of working within large scale infrastructures in both corporate and government environments. It will conclude with commentary on the IDM issues and solutions revolving around the largest government identity management effort to date

Dave Ford, "Chaos,Complexity, Cybernetics and Therminator:"

Tue, 04 Apr 2006 22:00:00 PDT

In the days after Presidential Decision Directive 63 "Therminator: was born at NSA. This talk gives an overview of the applications of strategies from non-linear dynamics, complexity theory and elements from cybernetics in the context of reducing high-dimensional data sets (e.g. internet traffic) and explains why simple equilibrium thermodynamics is the weapon of choice.

Minaxi Gupta, "Spoofing-resistant Packet Routing for the Internet""

Tue, 28 Mar 2006 21:00:00 PST

The forgery of source IP addresses, called IP spoofing, is commonly exploited to launch damaging denial-of-service (DoS) attacks in the Internet. Currently proposed spoofing prevention approaches either focus on protecting only the target of such attacks and not the routing fabric used to forward spoofed packets, or fail under commonly occurring situations like path asymmetry. We will presents a hop-wise packet marking approach that equips the routers to drop spoofed packets close to their origination. Our approach has utmost concern for immediate deployability and simulations show that it dramatically reduces the amount of spoofing possible even under partial deployment.

Julie Earp, "Privacy Policies in Web-based Healthcare"

Tue, 21 Mar 2006 21:00:00 PST

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has resulted in the presence of very descriptive privacy policies on healthcare websites. These policies are intended to notify users about the organization's privacy practices; however, they are typically not easy to read, leading few people to actually read them. Given the fact that these policies are not optional, but required by HIPAA, they should be presented in a clear and concise manner that encourages consumers to read them. At the present time, this is not the case. This seminar will present the preliminary results of our study that compares various ways to present privacy management information to healthcare consumers. The study involved an online experiment and survey of 993 Internet users.

Marina Blanton, "Dynamic and Efficient Key Management for Access Hierarchies"

Tue, 07 Mar 2006 21:00:00 PST

Hierarchies arise in the context of access control whenever the set of users can be modeled as a set of partially ordered classes (i.e., represented as a directed graph). In such systems, a user that belongs to a particular class inherits privileges of all of its descendant classes. The problem of key management for an access hierarchy then consists in assigning a key to each class in the hierarchy so that keys for descendant classes can be obtained via an efficient key derivation process. We propose an efficient solution to this problem with a number of important properties, some of which are: a single key per class, local handling of changes to the hierachy, and provable security against collusion. Whereas many previous schemes had some of these properties, ours is the first that satisfies all of them. In addition, we give techniques to exponentially lower key derivation time for trees with only a contant increase in the space to store the hierarchy.

Rafae Bhatti, "A Policy Engineering Framework for Federated Access Management"

Tue, 28 Feb 2006 21:00:00 PST

Federated systems are an emerging paradigm for information sharing and integration. Such systems require access management policies that not only protect user privacy and resource security but also allow scalable and seamless interoperation. Current solutions to distributed access control generally fail to simultaneously address both dimensions of the problem. This talk describes the design of a policy-engineering framework, called xFederate, for specification and enforcement of access management policies in federated systems. It has been designed from the perspectives of both security management and software engineering to not only allow specification of requirements for federated access management but also allow development of standardized policy definitions and constructs that facilitate policy deployment and enforcement in a federated system. The framework also includes the design of an administrative model targeted at access control policy administration in a decentralized environment. Two profiles of the policy language, namely a SAML profile and a WS-Policy profile, have been developed to integrate the framework with industry standards for federation and policy-based management in the emerging Web services paradigm. The talk will include an online demo of a research prototype that illustrates the use of xFederate as an enabling technology for secure Web services with applications in federated digital libraries and federated electronic healthcare management.

Mike Burmester, "Provable security in mobile ad hoc networks"

Tue, 14 Feb 2006 21:00:00 PST

Mobile ad hoc networks (MANETs) are collections of wireless mobile nodes with links that are made or broken in an arbitrary way. Communication is achieved via routes whose node relay packets. Several routing algorithms have been proposed in the literature. These focus mainly on efficiency with security relegated to weak adversary models. In this talk we consider the security of distributed MANET applications in malicious adversary models. We model a MANET by a stochastic finite state machine that is subject to mobility, medium and markovian constraints and describe an adversary structure that addresses the malicious attacks that are particular to MANETS (wormhole attacks, Sybil attacks, packet dropping, selfishness). We then show how the traditional cryptographic framework for provable security can be adapted to this particular adversary structure. Finally we consider two complementary approaches that can be used to achieve provably secure routing in our adversary model: a reactive approach that traces malicious behavior and a proactive approach that tolerates malicious behavior.

Brian Carrier, "Categories of Digital Forensic Investigation Techniques"

Tue, 07 Feb 2006 21:00:00 PST

This talk examines formal concepts of digital forensic investigations. To date, the field has had an applied focus and little theory exists to formally define analysis techniques and requirements. This work defines an extended finite state machine (FSM) model and uses it to describe a computer's history, which contains the primitive and abstract states and events that existed and occurred. Using this model, categories of analysis techniques can be defined. This talk describes the model, describes the categories of analysis techniques, and compares the existing tools to the analysis technique categories.

Abhilasha Bhargav-Spantzel, "Digital Identity Management and Theft Protection"

Tue, 31 Jan 2006 21:00:00 PST

Digital identity management technology is fundamental in customizing user experience, protecting privacy, underpinning accountability and compliance in today

Paul Thompson, "Semantic Attacks and Security"

Tue, 24 Jan 2006 21:00:00 PST

Attacks on computer and other networked systems can be categorized as physical, syntactic and semantic. Physical attacks seek to destroy hardware, while syntactic attacks, such as computer worms and viruses, target the network infrastructure. Semantic attacks are directed at the mind of the user of a computer system, or, more generally, any decision process in an automated system. For example, a false, or misleading, discussion group posting which leads readers of the posting to become victims of a pump-and-dump scheme, whereby the price of a company

Jean Camp, "Net Trust: Identification Through Social Context"

Tue, 17 Jan 2006 21:00:00 PST

In the nineties the disconnection between physical experience and the digital networked experience was celebrated - individuals are said to move into cyberspace, become virtual and leave the constraints of the physical realm. The increase in fraud, difficulties in securing email, and increasing prevalent browser-based attacks illustrate that the lack physical signaling information can also be costly. I introduce a trust that evaluation system, Net Trust. The trust evaluation system offered in Net Trust builds on the technical construction of networks of trust, reputation systems, and social browsing. Net Trust is explicitly a socio-technical solution; the solution employs a user

Simson Garfinkel, "Cross-Drive Forensic Analysis"

Tue, 10 Jan 2006 21:00:00 PST

This talk introduces cross-drive analysis (CDA), a new approach for performing analysis of forensic data sets that are too large or complex to be analyzed with today's existing tools. CDA works by performing systematic information extraction and cross-correlation across an entire data set. CDA was used to analyze 182 disk drives acquired on the secondary market; it automatically identified drives containing a high concentration of confidential financial records and three pairs of drives, each previously used by the same organization. CDA shows strong promise in allowing forensic examiners to prioritize their work and in automatically identifying members of preexisting social networks.

Jelena Mirkovic, "Clouseau: A practical IP spoofing defense through route-based filtering"

Tue, 06 Dec 2005 21:00:00 PST

IP spoofing accompanies many malicious activities and is even means for performing reflector DDoS attacks. Route-based filtering (RBF) enables a router to filter spoofed packets based on their incoming interface - this information is stored in an incoming table. Packets arriving on the expected incoming interface for their source address are considered legitimate, while all the other packets are filtered as spoofed. Past research has shown that RBF can be very effective when deployed at the vertex cover of the Internet AS-map (about 1500 ASes) but no practical approach has been proposed for incoming table construction. We first show that RBF achieves high effectiveness even if the number of deploying points is very small (30 chosen deployment points reduce the amount of the spoofed Internet traffic to 5%). We further show that completeness of the incoming tables is critical for filtering effectiveness - partially full tables are as good as empty. This implies that routers cannot rely on reports of a few participating domains to build their incoming tables, but instead must devise means of accurately "guessing" incoming interface information for all traffic they see. Their guessing strategy must quickly react to offending traffic and determine with high accuracy whether the reason for the offense was a route change (in which case incoming interface information must be updated) or spoofing. We next propose a protocol called Clouseau which builds accurate incoming tables at RBF routers, and keeps these tables up to date in face of frequent route changes. Clouseau infers incoming table information by applying randomized drops to offending TCP traffic and observing its retransmission behavior. No communication is required with packet sources or other RBF routers, which makes Clouseau suitable for partial deployment. The inference process is further resilient to subversion by an attacker who is familiar with the design of Clouseau.

Stanislaw Jarecki, "Secret Handshakes"

Tue, 29 Nov 2005 21:00:00 PST

Secret Handshake is an authentication protocol with non-standard and strong anonymity property: Namely, the secrecy of the *affiliations* (i.e. the certificates) of party A who engages in this authentication protocol with party B will be protected against any B* (i.e. a malicious party which pretends to be B) who does not meet A's authentication criteria. This strong secrecy and anonymity protection turns out to be possible, and quite efficiently so, based on various standard cryptographic assumptions. The talk will give an overview of the problem, the various solutions, and the several efficiency and security issues involved in making such anonymous authentication schemes practical.

Shouhuai Xu, "Privacy-preserving Policy-driven Access Control with Mixed Credentials"

Tue, 15 Nov 2005 21:00:00 PST

Access control in decentralized systems is an important problem that has not been fully understood, except perhaps that it should be based on credentials. There are mainly two research approaches towards this goal: one is to pursue powerful individual credentials yet without necessarily considering flexible access control policies, the other is to consider flexible policies yet without necessarily accommodating the useful credential schemes that have become available. This paper proposes a unified approach that simultaneously consider flexible policies and useful credentials. A first realization of this approach is the notion of assembly signatures (and identifications), which are: (1) privacy-preserving, meaning that the access requestor's privacy is ensured; (2) policy-driven, meaning that the validity of a signature is with respect to a given access control policy; (3) ``mixed credentials"-based, meaning that a signature is constructed out of various anonymous and non-anonymous credentials. (This is a joint work with Moti Yung)

Anna Squicciarini, "Privacy and anonymity in Trust Negotiations"."

Tue, 08 Nov 2005 21:00:00 PST

Trust negotiation is an emerging approach for establishing trust in open systems, where sensitive interactions may often occur between entities with no prior knowledge of each other. Although several proposals today exist of systems for the management of trust negotiation, none of them provides a comprehensive approach to the problem of privacy preservation. Trust negotiation systems, however, by their very nature may represent a threat to privacy. Credentials, exchanged during negotiations, often contain sensitive personal information that thus needs to be selectively released. As we believe that trust negotiation systems must effectively address privacy issues to be widely acceptable, we have investigated privacy in the context of trust negotiations. In this talk, we will propose the main results obtained so far in the area of trust negotiation as part of the Ph.D. activity. We propose a set of privacy preserving features to be included in any trust negotiation system, such as the support for the P3P standard, as well as a number of innovative features such as a novel format to encode digital credentials specifically designed for preserving privacy. Finally, we illustrate techniques for supporting anonymous trust negotiations as part of a privacy-preserving trust negotiations, to carry on trust negotiations without revealing identity related information.

Bryant G. Tow, "A Demonstration in the Need for a Layered Security Model"

Tue, 25 Oct 2005 21:00:00 PDT

Dr. Angelos D. Keromytis, "Toward Self-healing Software"

Tue, 18 Oct 2005 21:00:00 PDT

As systems grow in size and complexity, our ability to protect them through manual intervention or static defenses degrades. We believe that, in addition to proper design principles and proactive mechanisms, automated reactive approaches must be employed to close the gap in the attacker vs. defender capabilities. Toward this goal, we have been examining the possibility of software systems that self-diagnose and repair themselves in the presence of previously unknown attacks and failures, with minimal or no human intervention. In this talk, I will discuss our research in self-healing software systems. I will introduce the concepts of "micro-speculation" and "error virtualization", which can be combined to provide a generic mechanism for dealing with low-level software failures and vulnerabilities. I will describe the use of these techniques in two system prototypes of self-healing software that address such vulnerabilities: the Worm Vaccine architecture and STEM (Selective Transactional EMulation). I will close the talk with a discussion of our preliminary work toward software Application Communities, groups of identical instances of an application that cooperate to improve their collective security.

Dan Massey, "Securing the Internet's Domain Name System"

Tue, 04 Oct 2005 21:00:00 PDT

This talk considers security challenges facing the Internet's Domain Name System (DNS). The DNS is one of the most widely used and least secure Internet systems. Viirtually every Internet application relies on the DNS to convert names into IP addresses and the DNS provides a wide range of other critical mappings such as identifying mail servers and locate services. But despite its importance, the original DNS design gave very little thought to security and a variety of misdirection and denial of service attacks are possible. For example, a web browser relies on the DNS to convert www.purdue.edu into an IP address. The DNS supplies the web browser with an IP address (more precisely an "A" resource record set) such as 129.82.100.64 (is this address correct?). If this address is wrong, the browser will be directed to the wrong site. If the DNS fails to return a response, the browser will not be able to load the desired web page. Currently, both the operational and research communities are making considerable efforts to improve DNS security. After nearly a decade of development, the IETF has standardized DNS Security Extensions that add public key authentication into the DNS. The hierarchical structure of the DNS is leveraged to authenticate public keys, keys can be managed offline, and the signatures allow a resolver to authenticate a response. However several open issues remain, including key revocation, support for dynamic updates, resolver security policies, incremental deployment, and commercial challenges. The DNS Security Extension enable a number of new techniques, but basic problems on denial of service remain. The research community has largely focused on denial of service attacks against critical top level servers could potentially cause considerable damage to the DNS service. This has led to proposals for replacing the DNS tree with a distributed hash table attacking a few critical top level servers. This talk will argues that, despite some major flaws, the DNS Security Extensions provide the necessary tools to build a robust and secure DNS. By using these tools appropriately, a wholesale replacement of the DNS system by other approaches can and should be avoided.

Ting Yu, "A Framework for Identifying Compromised Nodes in Sensor Networks"

Tue, 20 Sep 2005 21:00:00 PDT

Sensor networks are vulnerable to physical attacks. Once a node's cryptographic key is compromised, an attacker may completely impersonate it, and introduce arbitrary false information into the network. Most existing techniques focus on detecting and tolerating false information introduced by compromised nodes. They cannot pinpoint exactly where the false information is introduced and who is responsible for it. We propose an application-independent framework for identifying compromised sensor nodes. In this framework, sensor nodes may conceptually observe the activity of each other following the deployment topology of a sensor network. An alert is generated if a node observes an abnormal activity. Such alerts are collected by the base station, which further reason and finally identify compromised nodes. We develop efficient and accurate reasoning algorithms that can effectively deal with collusion and local majorities. Our algorithms are optimal in the sense that they identify the largest number of compromised nodes without introducing false positives.

Peter Bajcsy, "Toward Hazard Aware Spaces: Knowing Where, When and What Hazards Occur"

Tue, 13 Sep 2005 21:00:00 PDT

While considering all existing hazards for humans due to (a) natural disastrous events, (b) failures of human hazard attention or (c) intentional harmful behaviors of humans, we address the problem of building hazard aware spaces (HAS) to alert innocent people. We have researched and developed components of a prototype HAS system for detecting fire using wireless "smart" micro electro-mechanical systems (MEMS) sensors, such as, the MICA sensors, and spectral cameras, for instance, thermal infrared (IR), visible spectrum and multi-spectral cameras. Within this context, my presentation overviews technical challenges and prototype scientific solutions to (1) robotic sensor deployment, (2) localization of sensors and objects, (3) synchronization of sensors and cameras, (4) calibration of spectral cameras and sensors, (5) proactive camera control, (6) hazard detection, (7) human alert, (8) hazard confirmation, and (9) hazard understanding and containment. The work presented will also include theoretical and practical limitations that have to be understood when working with novel technologies. http://www.ncsa.uiuc.edu/people/pbajcsy/

Ed Finkler, "Real World Web Application Security"

Tue, 06 Sep 2005 21:00:00 PDT

This talk deals with practical issues of web application security, with an emphasis on open-source web service tools such as Apache, PHP, and MySQL. Recent exploits in widely-used open source web applications such as phpBB and Wordpress underline the need for web app developers to make security a primary consideration. We'll discuss the most common types of attacks and how to defend against them, both on a code, application, and network design level.

Himanshu Khurana, "Minimizing Trust Liabilities in Secure Group Messaging Infrastructures"

Tue, 30 Aug 2005 21:00:00 PDT

Large-scale collaborative applications are characterized by a large number of users and other processing end entities that are distributed over geographically disparate locations. Therefore, these applications use messaging infrastructures that scale to the application needs and enable users to process messages without concern for message transmission and delivery. Widespread use of these infrastructures is hindered by the need for scalable security services; viz., services for confidentiality, integrity, and authentication. Current solutions for providing security for these systems use trusted servers (or a network of servers), which consequently bear significant trust liabilities of maintaining confidentiality, integrity, and authentication of messages and keys that are processed by the servers. In this talk we look at current approaches for secure messaging in three commonly used messaging infrastructures: email, group communication, and publish/subscribe. We then show how novel encryption techniques can be used to minimize trust liabilities in these infrastructures in a scalable manner. We are in the process of developing prototypes of our solutions. We will discuss the prototype designs and present some initial experimentation results.

Stephen Elliott, "An Introduction to Biometric Technologies"

Tue, 23 Aug 2005 21:00:00 PDT

This lecture provides an introduction to biometric technologies. Various technologies will be examined, including iris, face, voice, dynamic signature, fingerprint, and keystroke dynamics. An overview of assessing performance, discussing implementations, as well as system design will be covered.

Sheng Zhong, "PrivacyEnhancing k-Anonymization of Customer Data"

Wed, 27 Apr 2005 07:30:00 PDT

In order to protect individuals' privacy, the technique of k-anonymization has been proposed to de-associate sensitive attributes from the corresponding identifiers. In this work, we provide privacy-enhancing methods for creating k-anonymous tables in a distributed scenario. Specifically, we consider a setting in which there is a set of customers, each of whom has a row of a table, and a miner, who wants to mine the en- tire table. Our objective is to design protocols that allow the miner to obtain a k-anonymous table representing the customer data, in such a way that does not reveal any extra information that can be used to link sensitive attributes to corresponding identifiers, and without requiring a central authority who has access to all the original data. We give two different formulations of this problem, with provably private solutions. Our solutions enhance the privacy of k-anonymization in the distributed scenario by maintaining end-to-end privacy from the original customer data to the final k-anonymous results.

Marianne Winslett, "Traust and PeerTrust2: Applying Trust Negotiation to Real Systems"

Wed, 20 Apr 2005 07:30:00 PDT

Automated trust negotiation is an approach to authorization for open systems, i.e., systems where resources are shared across organizational boundaries. Automated trust negotiation enables open computing by assigning an access control policy to each resource that is to be made accessible to "outsiders"; an attempt to access the resource triggers a trust negotiation, consisting of the iterative, bilateral disclosure of digital credentials and related information. In our recent work in applying the TrustBuilder system for trust negotiation to real-world systems, we have encountered the need to make trust negotiation facilities available to legacy peers, which has led to the development of the Traust system. We have also encountered the need to include helpful third parties in the negotiation process, such as credential wallets, remote authorization servers, and brokers. PeerTrust2 is our effort to design a language that allows us to reason about trust negotiations involving helpful third parties, while supporting exposure control, delegation, proof hints, declarations of purpose, sensitive policies, and other potentially useful aspects of access control. In this talk, I will demonstrate Traust and describe its internal design, and then describe PeerTrust2.

Mohamed Shehab, "Watermarking Relational Databases"

Wed, 13 Apr 2005 07:30:00 PDT

Proving ownership rights on outsourced relational databases is a crucial issue in today internet-based application environment and in many content distribution applications. In this talk, we will present mechanisms for proof of ownership based on the secure embedding of a robust imperceptible watermark in relational data. We will discuss the available watermark embedding and decoding techniques. Furthermore, we will provide a comparison between these techniques based on several dimensions such as applicability, efficiency, and security.

Brian Carrier, "Defining a Digital Forensic Investigation"

Wed, 06 Apr 2005 07:30:00 PDT

Digital investigations have occurred in some form or another for many years, yet there is no scientific model of the process. After all, there are multiple ways and sequences in which evidence may be found. An investigator does not necessarily need a model to solve a case, but a scientific model is useful for developing investigation tools and technology because it allows us to define requirements and identify what areas need more attention. Further, there are guidelines for entering technical evidence into a U.S. court that may require the technical procedure to be published and have known error rates. In this talk, I will present an overview of existing process models that an investigator can use. I will then present our initial findings on a more scientific model that is based on how digital evidence is created and will show how it can be applied to the process models used by practitioners. Our event-based model allows us to more clearly define requirements for investigation tools, which will help in the development and testing process.

Helen J. Wang, "Vulnerability-Driven Network Filters for Preventing Known Vulnerability Attacks"

Wed, 30 Mar 2005 07:30:00 PST

Software patching has not been an effective first-line defense preventing large-scale worm attacks, even when patches had long been available for their corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, and before the patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and drop or correct traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits In the Shield project, we're showing that this concept is feasible by implementing a prototype Shield framework that filters traffic at the transport layer. We have designed a safe and restrictive language to describe vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of a number of known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.

Dr. Kate Cherry and Dr. Wendy Hamilton, "Lockheed Martin"

Tue, 22 Mar 2005 21:00:00 PST

Lockheed Martin realizes that their newly hired college graduates are an investment in Lockheed Martin's future. As a result the Company looks out for their new college hires. Dr Cherry will talk about several programs dedicated to enhancing the work experience of newly hired and vested college graduates. For instance, one program focuses on new technical graduates right out of college. Another program focuses on new graduates already thinking about a management track. A third program focuses on college graduates that have been around 3-5 years and are serious about focusing on a leadership role. Finally, Dr. Hamilton and Dr. Cherry will dish out relevant insights they gained as they forged ahead in their careers in the corporate world.

David Evans, "Where"

Wed, 09 Mar 2005 07:30:00 PST

Instruction Set Randomization (ISR) has been proposed as a promising defense against code injection attacks. It defuses all standard code injection attacks since the attacker does not know the instruction set of the target machine. A motivated attacker, however, may be able to circumvent ISR by determining the randomization key. In this talk, I will describe a remote attack for determining an ISR key using an incremental guessing strategy and present a method for injecting a worm in an ISR-protected network. The attack is plausible under a variety of realistic conditions and can infect an ISR-protected server in under 6 minutes. Our results provide insights into properties necessary for ISR implementations to be secure and suggest ways to improve to ISR designs. I will speculate on more general architectures for using diversity that can avoid the need to keep secrets from potential attacker that is inherent in previous diversity-based defenses such as ISR and memory address randomization.

Florian Buchholz, "Using process labels to obtain forensic and traceback information"

Wed, 02 Mar 2005 07:30:00 PST

Much of the research in computer security, especially in digital forensics and intrusion detection, is concerned with retrieving and analyzing the information that is present on a system. In my talk I will analyze what kind of information is actually desired by a forensic investigator and examine if these needs can be fulfilled by today's operating systems. Some of the desired information is currently not present in many systems and I will make suggestions on how to supply more relevant audit data on a system and increase its quality. The second part of my talk will focus on two particular difficult categories of information that a forensic investigator might desire: user influence and origin information. I will present a model that allows a system to bind arbitrary information in the form of labels to its principals and then propagate the labels as information is exchanged among them. I will demonstrate the usefulness of the model with various case studies and discuss a proof-of-concept implementation. While my work is motivated and aimed primarily at digital forensic investigations, it has applications in other areas of computer science, in particular network traceback, intrusion detection, and access control.

Jintai Ding, "Perturbation of Multivariable Public-key Cryptosystems"

Wed, 23 Feb 2005 07:30:00 PST

Public key cryptography is an indispensable part of most modern communication systems. However, quantum computers can break cryptosystems like RSA, which are based on

Wenke Lee, "Architectural Considerations for Anomaly Detection"

Wed, 09 Feb 2005 07:30:00 PST

The most commonly used intrusion detection system (IDS) performance metrics are detection rate and false alarm rate. From a usability point of view, a very important measurement is Bayesian detection rate, which indicates how likely there is an intrusion when the IDS outputs an alert. It depends on detection rate, false alarm rate, and base rate (the prior probability of intrusion). Typically, an anomaly detection system has a low Bayesian detection rate because it has a non-zero false alarm rate and the base rate in the target environment is very low. We argue that we need better system architecture to improve Bayesian detection rate. The main objective is to increase the base rate of data stream analyzed by complex detection modules. The general principle is to use layered architecture. One approach is to use a cascade of successively more complex detection modules. We show that base rate increases from one layer to the next. In many cases, the overall false alarm rate of the cascade can be very low. We describe a worm detection system with cascade architecture. In DSC, the lower layer module identifies hosts with

Vitaly Shmatikov, "Obfuscated Databases: Definitions and Constructions"

Wed, 02 Feb 2005 07:30:00 PST

I will present some new definitions and constructions for privacy in large databases. In contrast to conventional privacy mechanisms that aim to prevent any access to individual records, our techniques are designed to prevent indiscriminate harvesting of information while enabling some forms of legitimate access. We start with a simple construction for an obfuscated database that is provably indistinguishable from a black-box lookup oracle (in the random oracle model). Some attributes of the database are designated as "key," the rest as "data." The database behaves as a lookup oracle if, for any record, it is infeasible to extract the data fields without specifying the key fields, yet, given the values of the key fields, it is easy to retrieve the corresponding data fields. We then generalize our constructions to a larger class of queries, and achieve a privacy property we call "group privacy." It ensures that users can retrieve individual records or small subsets of records from the database by identifying them precisely. The database is obfuscated in such a way that queries returning a large subset of records are computationally infeasible. This is joint work with Arvind Narayanan.

Keith Frikken, "Hidden Access Control Policies with Hidden Credentials"

Wed, 19 Jan 2005 07:30:00 PST

In an open environment such as the Internet, the decision to collaborate with a stranger (e.g., by granting access to a resource) is often based on the characteristics (rather than the identity) of the requester, via digital credentials: Access is granted if Alice's credentials satisfy Bob's access policy. The literature contains many scenarios in which it is desirable to carry out such trust negotiations in a privacy-preserving manner, i.e., so as minimize the disclosure of credentials and/or of access policies. Elegant solutions were proposed for achieving various degrees of privacy-preservation through minimal disclosure. We present efficient protocols that protect both sensitive credentials and sensitive policies. That is, Alice gets the resource only if she satisfies the policy, Bob does not learn anything about Alice's credentials (not even whether Alice gained access or not), and Alice learns neither Bob's policy structure nor which credentials caused her to gain access.

Cristina Nita-Rotaru, "Survivable routing in wireless ad hoc networks"

Wed, 12 Jan 2005 07:30:00 PST

In an ad hoc wireless network nodes not in direct range communicate via intermediate nodes. Thus, a significant concern is the ability to route in the presence of Byzantine failures which include nodes that drop, fabricate, modify, replay, or mis-route packets in an attempt to disrupt the routing service. In this talk we will present ODSBR, our on-demand Byzantine resilient routing protocol for ad hoc wireless networks. The protocol relies on an adaptive probing technique that detects a malicious link after $log n$ faults have occurred, where $n$ is the length of the path. Problematic links are avoided by using a weight-based mechanism that multiplicatively increases their weights and by using an on-demand route discovery protocol that finds a least weight path to the destination. Our protocol bounds the amount of damage that an attacker or a group of colluding attackers can cause to the network. We demonstrate through simulation the effectiveness of ODSBR, in mitigating Byzantine attacks. Our analysis of the impact of these attacks versus the adversary's effort gives insights into their relative strengths, their interaction and their importance when designing secure routing protocols. Finally, we show how the technique used by ODSBR can be applied to hybrid wireless networks consisting of cellular and ad hoc 802.11 wireless networks.

Dennis Fetterly, "Using Statistical Analysis to Locate Spam Web Pages"

Wed, 08 Dec 2004 13:30:00 PST

Commercial web sites are more dependant than ever on being placed prominently within the result pages returned by a search engine to be successful. "Spam" web pages are web pages that are created for the sole purpose of misleading search engines and misdirecting traffic to target sites. Certain classes of spam pages, in particular those that are machine-generated, diverge in some of their properties from the properties of web pages in general. As a result, these pages can be identified through statistical analysis. We have examined a variety of such properties, including linkage structure, page content, and page evolution, and have found that outliers in the statistical distributions of these properties are predominantly caused by web spam. Joint work with Mark Manasse and Marc Najork.

William Winsborough, "Attribute-Based Access Control"

Wed, 01 Dec 2004 13:30:00 PST

Basing authorization on attributes of the resource requester provides flexibility and scalability that is essential in the context of large distributed systems. Logic programming provides an convenient, expressive, and well-understood framework in which to work with authorization policy. This talk will summarize an attribute-based authorization framework built on logic programming: RT, a family of Role-based Trust-management languages. It will then discuss efficient and effective evaluation of RT policies that are stored in a distributed manner. After discussing these basics, the talk will consider the problem of assessing authorization policies with respect to the vulnerability of resource owners to a variety of security risks to which they are exposed by delegations to other principals, risks such as undesired authorizations and unavailability of critical resources. We will consider several such properties of RT policies, many of which we will see can be decided efficiently. For other properties, we will see that the complexity depends on the subset of RT in which the policy is expressed. This part of the talk will conclude by discussing some prospects for continued research in this area. Finally, the talk will visit the problem of using attribute credentials to obtain access when the credentials and their contents may themselves be private. Trust negotiation, a simple approach to this problem, will be introduced, as well as an intuitive and useful security property formalizing the protection of private credentials. This research was funded by DARPA and the NSF.

Indrakshi Ray, "An Anonymous Fair-Exchange E-Commerce Protocol"

Wed, 17 Nov 2004 13:30:00 PST

Many business transactions over the Internet involve the exchange of digital products between two parties -- electronic mails, digital audio and video, electronic contract signing and digital signatures, to name a few. Often these transactions occur between players that do not always have identifiable place of doing business and hence do not trust each other. Consequently, there exists ample scope for any of the parties involved, to misbehave and gain advantage over the other party. To overcome this problem researchers have proposed protocols that ensure fairness, that is, no party can gain an advantage even if the party misbehaves. Most works in this area focus on gathering evidence during the protocol execution that is used later, in case of a dispute. The actual handling of the dispute is done manually, after the protocol execution, and is outside the scope of the protocol. However, in an electronic commerce environment, where the merchants and customers may disappear quickly, such "after-the-fact" protection may be inadequate.In this work we propose an e-commerce protocol for trading digital products over the Internet. The novel features of our protocol include: (1) ensuring fair exchange, (2) not requiring manual dispute resolution in case of unfair behavior by any party, (3) assuring each party that the item he is about to receive is indeed the correct one, (4) not requiring the active involvement of a trusted third party unless a problem occurs, and (5) ensuring anonymity for the customer.

James Joshi, "GTRBAC: A Generalized Temporal Role Based Access Control Model"

Wed, 10 Nov 2004 13:30:00 PST

A key issue in computer system security is to protect information against unauthorized access. Emerging workflow-based applications in healthcare, manufacturing, the financial sector, and e-commerce inherently have complex, time-based access control requirements. To address the diverse security needs of these applications, a Role Based Access Control (RBAC) approach can be used as a viable alternative to traditional discretionary and mandatory access control approaches. The key features of RBAC include policy neutrality, support for least privilege, and efficient access control management. However, existing RBAC approaches do not address the growing need for supporting time-based access control requirements for these applications. In this talk, I will present a Generalized Temporal Role Based Access Control (GTRBAC) model that combines the key features of the RBAC model with a powerful temporal framework. The proposed GTRBAC model allows specification of a comprehensive set of time-based access control policies, including temporal constraints on role enabling, user-role and role-permission assignments, and role activations. The model provides an event-based mechanism for providing context based access control, as well as expressing dynamic access control policies, which are crucial for developing secure workflow-based enterprise applications. I will discuss various design guidelines for managing complexity of policy specification as well as an XML-based GTRBAC policy specification language.

Abe Singer, "Towards Mining Syslog Data"

Wed, 03 Nov 2004 13:30:00 PST

Syslog is the primary source of information about intrusion-related activity on a Unix system. Searching for known messages and patterns in syslog data is easy to do, and many tools are available for doing so. However, information and patterns that are not already "known" -- those that have not been seen or derived already, may provide even more information about attacks and intrusions. Data mining techniques can help us discover and analyze that information, but, the general lack of structure in syslog data makes it impossible to apply these techniques directly to the data. To address the problem, we are researching methods of generating patterns from an archive of system logs which can uniquely identify syslog messages by the variant and invariant elements of the messages. Once syslog messages can be uniquely identified, data mining techniques for use in intrusion detection or forensic analysis will be far more useful.

Ari Takanen, "Robustness testing - black-box testing for software security"

Wed, 27 Oct 2004 13:30:00 PDT

The robustness testing method is based on systematic creation of a very large number of communication protocol messages containing exceptional data elements and structures simulating malicious attacks or corrupted traffic. The method provides a proactive way of assessing software robustness and security. Robustness here is defined as the ability of software to tolerate exceptional input and stressful environment conditions. A piece of software which is not robust fails when facing such circumstances. In the worst case, a malicious intruder can take advantage of robustness shortcomings to deny service from authentic users or to compromise the system running the piece of software. As part of one robustness testing usage scenario, namely security assessment, also the communication process from security vulnerability discovery to vulnerability elimination will be explored. This research was originally initiated in PROTOS project at the University of Oulu, Finland.

Dan Thomsen, "Information Flow Analysis in Security Enhanced Linux"

Wed, 13 Oct 2004 13:30:00 PDT

Most people now realize that computer security is hard. However, many people do not realize that creating a correct security policy is hard. Creating an accurate security policy is on the order of complexity of developing software in general. In particular how can you show the policy is correct?The focus of this seminar is to look at tools and techniques for showing that the mandatory security policy based on type enforcement meets its objectives. The approach breaks down the security policy objectives so that they can be studied in terms of information flows. The policies are specified for the Security Enhanced Linux type enforcement mechanism. Type enforcement and mandatory access control will also be discussed.

Gail-Joon Ahn, "Secure Information Sharing within a Collaborative Environment"

Wed, 15 Sep 2004 13:30:00 PDT

The Internet is uniquely and strategically positioned to address the needs of a growing segment of population in a very cost-effective way. It provides tremendous connectivity and immense information sharing capability which the organizations can use for their competitive advantage. Several organizations have transited from their old and disparate business models based on ink and paper to a new, consolidated ones based on digital information on the Internet. However, information sharing on the Internet usually occurs in broad, highly dynamic network-based environments, and formally accessing the resources in a secure manner poses a difficult challenge. Balancing the competing goals of collaboration and security is difficult because interaction in collaborative systems is targeted towards making people, information, and resources available to all who need it, whereas information security seeks to ensure the integrity of these elements while providing it only to those with proper authorization. As organizations implement information strategies that call for sharing access to resources in the networked environment, mechanisms must be provided to protect the resources from adversaries.This talk addresses the issue of how to advocate selective information sharing in collaborative systems through access control schemes while minimizing the risks of unauthorized access proposing a delegation framework. It also introduces a systematic approach to specify delegation and revocation policies using a set of rules. The feasibility of the proposed framework is also discussed through policy specification, enforcement, and a proof-of-concept implementation.

Jason Crampton, "Administrative Scope and Role-Based Administration"

Wed, 08 Sep 2004 13:30:00 PDT

Role-based access control (RBAC) has received considerable attention in recent years, resulting in several important theoretical models and increasing use in commercial products. Nevertheless, role-based administration, the use of role-based techniques to control RBAC systems, has been less widely studied. We will consider the problem of controlling the propagation of authorization information in computer systems in general, and in role-based systems in particular. We will then introduce the concept of administrative scope, an intuitive notion corresponding to the set of role(s) that can be controlled by a given role, and demonstrate how this can be used as the fundamental unit in the development of a family of administrative models for RBAC systems. We compare the characteristics of these models with the well-known ARBAC97 administrative model. We conclude by discussing how administrative scope can be used to provide an administrative framework for more complex RBAC models.