Converged Security Visualization Tool (COVER-VT)

The amount of data that floods today’s networks is well beyond what security analysts can manage by textual means alone. In an effort to solve this problem, researchers have explored different methods of visualizing network security threats. There is little debate that humans can perceive more information visually than textually. The problem is that the majority of visualization tools in practice or proposed do not take efficient visualization techniques into consideration. As a result, it is difficult to get a high-level view of the network that facilitates rapid isolation of network attacks. We propose the Converged Security Visualization Tool (Cover-VT) to solve the efficient visualization problem. Cover-VT was designed to provide analysts with a high-level view of network threats using geographic information systems. The tool allows for rapid identification of threats by minimizing the cognitive obstacles to efficient threat location. Cover-VT includes the capability to drill down on a node of interest for additional details and even to filter out unwanted data. Cover-VT was designed with usability in mind, making it easy to comprehend while assisting the analyst in rapid threat identification. Many different security tools make up a security analyst’s toolkit. Cover-VT was developed as an effective security visualization system that integrates existing security tools and network security systems.


Geotemporal Tracking of IPv6 Addresses

Because its address space is exponentially larger than that of Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6) uses new methods to assign network addresses to Internet nodes. Stateless Address Autoconfiguration (SLAAC) creates an address whose host portion, the Interface Identifier (IID), is a static value derived from the Media Access Control (MAC) address of a network interface. The Dynamic Host Configuration Protocol version 6 (DHCPv6) uses a client-server model to manage network addresses, providing stateful address configuration. While DHCPv6 can be configured to assign randomly distributed addresses, the DHCPv6 Unique Identifier (DUID) was designed to remain static for clients as they move between different DHCPv6 subnets and networks. Both the IID and the DUID are static, publicly exposed values, creating a privacy and security threat for users and nodes.

The static IID and DUID allow attackers to violate unsuspecting IPv6 users' privacy and security with ease. These static identifiers make geographic tracking and network traffic correlation over multiple sessions simple. Also, different classes of computer and network attacks, such as system-specific attacks and Denial of Service (DoS) attacks, are easier to successfully employ due to these identifiers. This research identifies and tests the validity of the privacy and security threat of static IID and DUID. Solutions which mitigate or eliminate the threat posed by static identifiers in IPv6 are identified.
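As an added illustration (not part of the original research), the following Python derives a modified EUI-64 interface identifier from a MAC address, shows that the same IID reappears under any prefix, and contrasts it with a simplified RFC 7217 stable-privacy derivation that mixes a per-host secret with the prefix so the IID changes per network. The MAC address, prefixes and secret key are constructed sample values, and the RFC 7217 function is a reduced illustration of that scheme, not a conforming implementation.

```python
import hashlib
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID from a 48-bit MAC (RFC 4291, Appendix A):
    insert 0xFFFE between the OUI and the device part and flip the
    universal/local bit (0x02) of the first octet."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def stable_privacy_iid(prefix: str, net_iface: str, secret_key: bytes,
                       dad_counter: int = 0) -> bytes:
    """Simplified RFC 7217-style IID: a hash over the /64 prefix, the
    interface name, a DAD counter and a host secret. Stable within one
    prefix, different across prefixes, and not derivable from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    material = (net.network_address.packed[:8] + net_iface.encode()
                + bytes([dad_counter & 0xFF]) + secret_key)
    return hashlib.sha256(material).digest()[:8]


def slaac_address(prefix: str, iid: bytes) -> str:
    """Concatenate the /64 prefix with a 64-bit IID into a full address."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def same_host_by_iid(addr_a: str, addr_b: str) -> bool:
    """Tracking check: identical low 64 bits across different prefixes
    means the addresses can be attributed to one interface."""
    return (ipaddress.IPv6Address(addr_a).packed[8:]
            == ipaddress.IPv6Address(addr_b).packed[8:])


if __name__ == "__main__":
    mac = "00:1b:21:ab:cd:ef"                 # constructed sample MAC
    home, office = "2001:db8:1::/64", "2001:db8:2::/64"  # constructed prefixes
    key = b"per-host-secret-constructed"      # constructed sample secret
    iid = eui64_iid(mac)
    a, b = slaac_address(home, iid), slaac_address(office, iid)
    print("EUI-64:", a, b, "correlated:", same_host_by_iid(a, b))
    c = slaac_address(home, stable_privacy_iid(home, "eth0", key))
    d = slaac_address(office, stable_privacy_iid(office, "eth0", key))
    print("RFC 7217:", c, d, "correlated:", same_host_by_iid(c, d))
```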


Battery-Based Intrusion Detection Systems

This research comprises the collected efforts of two dissertations. It explores alternative intrusion detection methods in an effort to better understand computer networking threats, especially to mobile devices. Early efforts sought to develop a methodology, develop and build a net-centric system, and then further explore a non-traditional intrusion detection system approach. The system relies on host-based software to collect smart battery data to sense instantaneous current characteristics of anomalous network activity directed against small mobile devices. Instantaneous current changes were examined on mobile devices during representative attacks to determine unique attack traces and recognizable signatures. Building upon this research, the second dissertation has led to the implementation of the Battery-Sensing Intrusion Protection System (B-SIPS) for client detection capabilities on small mobile devices, a server-based Correlation Intrusion Detection Engine (CIDE) for attack correlation with Snort’s network-based IDS, device power profiling, graph views, security administrator alert notification, and a database for robust data storage. Additionally, the server-based CIDE provides the interface and filtering tools for a security administrator to further mine the database and conduct forensic analysis. Models were employed to examine smart battery characteristics and to determine the theoretical intrusion detection limits and capabilities of B-SIPS. This work expands today’s research knowledge towards a more robust multilayered network defense by creating a novel design and methodology for employing mobile computing devices as a first line of defense to improve overall network security.


Denial-of-Sleep Vulnerabilities in Wireless Sensor Network MAC Protocols

As wireless sensor platforms become less expensive and more powerful, the promise of their widespread use for everything from health monitoring to military sensing continues to increase. Like other networks, sensor networks are vulnerable to malicious attack; however, the hardware simplicity of these devices makes defense mechanisms designed for traditional networks infeasible. This work explores the denial-of-sleep attack, in which a sensor node’s power supply is targeted. Attacks of this type can reduce sensor lifetime from years to days and can have a devastating impact on a sensor network. This work identifies vulnerabilities in state-of-the-art sensor network medium access control (MAC) protocols that leave them susceptible to denial-of-sleep attacks. It then classifies these attacks in terms of an attacker’s knowledge of the MAC-layer protocol and ability to bypass authentication and encryption protocols. This research goes on to introduce a suite of mechanisms designed to detect and mitigate the effects of denial-of-sleep attacks on sensor networks. The Clustered Anti Sleep-Deprivations for Sensor Networks, or Caisson, suite includes a lightweight, platform-independent anti-replay mechanism, an adaptive rate-limiter, and a jamming detection and mitigation mechanism. These tools are designed to be applied selectively or in concert to defend against denial-of-sleep attacks, depending on the specific vulnerabilities in the MAC protocol used in a particular sensor network deployment.

Network Anomaly Detection with Incomplete Audit Data

With the ever-increasing deployment and usage of gigabit networks, traditional anomaly-detection-based intrusion detection systems have not scaled accordingly. Most deployed systems assume the availability of complete and clean data for the purpose of intrusion detection. Factors like noise, mobility of the nodes, and the large volume of data make it difficult to build a normal traffic profile of the network to compare against. We have implemented an adaptive sampling scheme that intelligently samples incoming network data to reduce the volume of traffic sampled while maintaining its intrinsic characteristics. A fast flow aggregation scheme leveraging Bloom filters was employed at the data pre-processing stage to further reduce the response time of the anomaly detection scheme. An anomaly detection scheme based on the expectation-maximization algorithm was proposed that utilizes the sampled data to detect intrusions in the incoming network traffic.

Thwarting Network Stealth Worms through Biological Epidemiology

This research developed a system to provide early identification and effective control of network stealth worms in digital networks through techniques based on biological epidemiology. Worms comprise a class of self-propagating code that spreads over network connections by exploiting security vulnerabilities. Network stealth worms exacerbate the threat posed by traditional worms by using clandestine methods to disguise their presence on the network. Biological epidemiology was shown to support the real-time detection, characterization, and containment of network stealth worms. Epidemiology describes an area of study in biology that seeks to understand and control disease. Mathematical modeling led to the development of a mechanism for digital networks to identify worm infection behavior and characterize worms. This information can be used to control their spread, and led to a scalable, fault-tolerant strategy that dramatically enhanced the survival rate of network hosts under attack by a stealth worm.


Energy-efficient Wireless Sensor Network MAC Protocol

This research investigates energy-efficient medium access control (MAC) protocols designed to extend both the lifetime and range of wireless sensor networks. These networks are deployed in remote locations with limited processor capabilities, memory capacities, and battery supplies. The purpose of this research is to develop a new medium access control protocol which performs both cluster management and inter-network gateway functions in an energy-efficient manner. This new protocol, Gateway MAC (GMAC), improves on existing sensor MAC protocols by creating opportunities to place the sensor platforms into power-saving modes and also by establishing a traffic rhythm which extends sleep duration and minimizes power mode transition costs. Additionally, this research develops a radio power management (RPM) algorithm to provide a new mechanism for all WSN MAC protocols to optimize sleep transition decisions. Finally, to extend access to sensor data in remote locations, this research also validates a wireless distribution system which integrates sensor networks, mobile ad hoc networks (MANET), and the Internet.


Testing Software for the Presence of Vulnerabilities

This research presents a framework for deriving verification and validation strategies to assess the security of a software application by testing it for the presence of vulnerabilities. This framework can be used to assess the security of any software application that executes above the level of the operating system. It affords a novel approach which consists of testing whether the software application permits violation of constraints imposed by computer system resources. A vulnerability exists if a constraint can be violated. The framework is composed of three components: (1) a taxonomy of vulnerabilities in the form of violable constraints and assumptions; (2) an object model, which is a collection of potentially vulnerable process objects that can be present in a software application; and (3) a verification and validation strategies component which combines information from the other components and provides approaches for testing software applications for the presence of vulnerabilities.


Classification and Analysis of Computer Attacks

The majority of attacks made upon modern computers have been successful due to the exploitation of the same weaknesses that have plagued systems for years. Industry has not learned from these mistakes: new protocols and systems are not designed with security in mind, and security is typically treated as an afterthought. The security design process is based upon assumptions that are now obsolete or irrelevant. In addition, fundamental errors in design and implementation repeatedly lead to failures. This research presents a comprehensive analysis of the types of attacks that are being leveled against computer systems in order to facilitate the design of secure protocols. Existing lists, charts, and taxonomies of host and network attacks over the last thirty years are examined and combined, revealing common denominators shared among them. These common denominators, as well as new information, are assimilated to produce a broadly applicable taxonomy consisting of improper conditions.