Security
Security is the property of a system and measures taken such that it protects itself from unauthorised access or change, subject to policy. Security properties include AAA (auditability, authorisability, authenticity), confidentiality, and nonrepudiability. Security shares with dependability the properties of availability and integrity.
Links
Bruce Schneier Blog
Risks Digest
Glossaries and Definitions
[CNSS-4009-2006 .]
National Information Assurance (IA) Glossary,
CNSS Instruction 4009,
Committee on National Security Systems,
U.S. National Security Agency (NSA), Ft. Meade MD, June 2006
ResiliNets Keywords: Security, information assurance, definitions
Notes: Supercedes NSTISSC Instruction 4009, National Information Security (INFOSEC) Glossary
[NIST-IR-7298 .]
Glossary of Key Information Security Terms,
NIST IR 7298,
U.S. National Institute of Standards and Technology (NIST), April 2006
ResiliNets Keywords: Security, information assurance, definitions
Notes:
[IEC-terminology]
IEC Glossary,
IEC,
International Electrotechnical Commission (IEC)
ResiliNets Keywords: Security, information assurance, definitions
Notes:
[NIST-Publications]
NIST Special Publications,
NIST URL,
U.S. National Institute of Standards and Technology (NIST))
ResiliNets Keywords: Security, information assurance, definitions
Notes:
[Shirey-2007]
Robert W. Shirey,
Internet Security Glossary,
Internet Engineering Task Force RFC 4949, informational, FYI 0036,
August 2007
ResiliNets Keywords: Security, informations assurance, definitions, Internet
Abstract: “This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.”
Notes: Definitions of security terms in the Internet context and for the use in RFCs.
[X.800-1991]
Security Architecture for Open Systems Interconnection for CCITT Applications,
Recommendation X.800,
ITU-T, Geneva, March 1991
Keywords: data communication networks: open systems interconnection (OSI); security, structure and applications
ResiliNets Keywords: Security, informations assurance, definitions, OSI
Notes: Definitions of security terms and description of security services in the OSI context and for the use in international standards.
[Science of Cyber-Security [http://www.ittc.ku.edu/resilinets/internal/readings/JSR-10-102.pdf . ]
JASON
Science of Cyber-Security,
JASON Defense Advisory Panel Reports,
JSR-10-102, November 2010
Abstract: "JASON was requested by the DoD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied. Our study identified several sub-fields of computer science that are specifically relevant and also provides some recommendations on further developing the science of cyber-security."
ResiliNets Keywords: Security
Keywords:
Surveys and Tutorials
[Browne-1972 (doi) .]
P.S. Browne
“Computer security: a survey”,
ACM SIGMIS Database, vol.4, #3, Fall 1972, pp. 1–12
ResiliNets Keywords: list
Keywords:
Abstract: “”
Notes: Early security survey with a large amount of references
[Saltzer-Schroeder-1975 .]
J.H. Saltzer, M.D. Schroeder
“The Protection of Information in Computer Systems”,
Proceedings of the IEEE, vol.63, #9, Sep. 1975, pp. 1278–1308
ResiliNets Keywords: list
Keywords: Security.
Abstract: “This tutorial paper explores the mechanics of protecting computer-stored information from unauthorized use or modification. It concentrates on those architectural structures-whether hardware or software-that are necessary to support information protection. The paper develops in three main sections. Section I describes desired functions, design principles, and examples of elementary protection and authentication mechanisms. Any reader familiar with computers should find the first section to be reasonably accessible. Section II requires some familiarity with descriptor-based computer architecture. It examines in depth the principles of modern protection architectures and the relation between capability systems and access control list systems, and ends with a brief analysts of protected subsystems and protected objects. The reader who is dismayed by either the prerequisites or the level of detail in the second section may wish to skip to Section III, which reviews the state of the art and current research projects and provides suggestions for further reading. ”
Notes: One of the early tutorials. It has a glosary of terms.
[Landwehr-2001 (doi) .]
Carl E. Landwehr
“Computer Security ”,
Springer International Journal of Information Security, vol.1, #1, Aug. 2001, pp. 3–13
ResiliNets Keywords: security survey
Keywords: Computer security, Vulnerability, Security principles, Security policy, Security mechanisms
Abstract: “A strong factor in the early development of computers was security – the computations that motivated their development, such as decrypting intercepted messages, generating gunnery tables, and developing weapons, had military applications. But the computers themselves were so big and so few that they were relatively easy to protect simply by limiting physical access to them to their programmers and operators. Today, computers have shrunk so that a web server can be hidden in a matchbox and have become so common that few people can give an accurate count of the number they have in their homes and automobiles, much less the number they use in the course of a day. Computers constantly communicate with one another; an isolated computer is crippled. The meaning and implications of “computer security” have changed over the years as well. This paper reviews major concepts and principles of computer security as it stands today. It strives not to delve deeply into specific technical areas such as operating system security, access control, network security, intrusion detection, and so on, but to paint the topic with a broad brush.”
Notes: importance and relevance to ResiliNets
[Littlewood-Strigini-2004 (doi) .]
Bev Littlewood and Lorenzo Strigini
“Redundancy and Diversity in Security”,
LNCS, vol.3193/2004, #1, 2004, pp. 423–438
ResiliNets Keywords: security
Keywords:
Abstract: “Redundancy and diversity are commonly applied principles for fault tolerance against accidental faults. Their use in security, which is attracting increasing interest, is less general and less of an accepted principle. In particular, redundancy without diversity is often argued to be useless against systematic attack, and diversity to be of dubious value. This paper discusses their roles and limits, and to what extent lessons from research on their use for reliability can be applied to security, in areas such as intrusion detection. We take a probabilistic approach to the problem, and argue its validity for security. We then discuss the various roles of redundancy and diversity for security, and show that some basic insights from probabilistic modelling in reliability and safety indeed apply to examples of design for security. We discuss the factors affecting the efficacy of redundancy and diversity, the role of “independence” between layers of defense, and some of the trade-offs facing designers.”
Notes: importance and relevance to ResiliNets
Security Metrics
[Bellovin-2006 (doi) .]
S. M. Bellovin
“On the Brittleness of Software and the Infeasibility of Security Metrics ”,
IEEE Security and Privacy, vol.04, #4, July/Aug. 2006, p. 96
ResiliNets Keywords: Security metrics
Keywords: security, software, defense systems, defense
Abstract: "How secure is a computer system? Bridges have a load limit, but it isn't determined (as "Calvin and Hobbes" would have it) by building an identical bridge and running trucks over it until it collapses. In a more relevant vein, safes are rated for how long they'll resist attack under given circumstances. Can we do the same for software? "
Notes: This paper argues that the security metrics are infeasible.
[Savola-2007 (doi) .]
R. Savola
“Towards a Security Metrics Taxonomy for the Information and Communication Technology Industry
”,
The 23rd Digital Avionics Systems Conference, 2004. (DASC 2004),
Salt Lake City, Utah, 2004 pp. 8.E.2 - 81-19
ResiliNets Keywords: security metrics taxonomy
Keywords: security metrics, taxonomy, information security
Abstract: "To obtain evidence of the security of different products or organizations, systematic approaches to measuring security are needed. We introduce a high abstraction level taxonomy to support the development of feasible security metrics, along with a survey of the emerging security metrics from the academic, governmental and industrial perspectives. With our taxonomy, we strive to bridge the gap between information security management and ICT products, and services security engineering. We believe that if common metrics approaches between different security disciplines can be found, this will advance our holistic understanding and capabilities, both in security management and engineering. Our taxonomy is based on comparing earlier taxonomy approaches and analyzing types of security metrics. Based on the survey, a discussion of future research directions is given in order to prompt advances in the field. "
Notes:
[Vaughn-Henning-Siraj-2003 (doi) .]
R.B. Vaughn, R. Henning, A. Siraj
“Information assurance measures and metrics - state of practice and proposed taxonomy
”,
36th Annual Hawaii International Conference on System Sciences (HICSS'03),
Hawaii, USA, 2003 pp. 1-10
ResiliNets Keywords: security metrics taxonomy
Keywords:
Abstract: "The term "assurance" has been used for decades in trusted system development as an expression of confidence that one has in the strength of mechanisms or countermeasures. One of the unsolved problems of security engineering is the adoption of measures or metrics that can reliably depict the assurance associated with a specific hardware and software system. This paper reports on a recent attempt to focus requirements in this area by examining those currently in use. It then suggests a categorization of Information Assurance (IA) metrics that may be tailored to an organization’s needs 1. We believe that the provision of security mechanisms in systems is a subset of the systems engineering discipline having a large software-engineering correlation. There is general agreement that no single system metric or any "one-prefect" set of IA metrics applies across all systems or audiences. The set most useful for an organization largely depends on their IA goals, their technical, organizational and operational needs, and the financial, personnel, and technical resources that are available. "
Notes:
[sp800-55-2003 . ]
National Institute of Standards and Technology
Security Metrics Guide for Information Technology Systems
,
Special Publication 800-55,
sp-800-55, July 2003
Abstract: "This Special Report provides information on the security metrics."
ResiliNets Keywords: Security metrics
Keywords:
Early Work on Security
[[Shannon-1949] .]
C.E. Shannon
“Communication Theory of Secrecy Systems”,
Bell System Technical Journal, vol.28, #4, 1949, pp. 656–715
ResiliNets Keywords: list
Keywords: Security.
Abstract: “”
Notes: First mathematical modeling of cryptology
[Baran-1964 .]
P. Baran
“On Distributed Communications: IX. Security, Secrecy, and Tamper-Free Considerations”,
RAND Memorandum, August 1964
ResiliNets Keywords: list
Keywords: Security.
Abstract: “One in a series of eleven Memoranda detailing the Distributed Adaptive Message Block Network, a proposed digital data communications system based on a distributed network concept. It considers the security aspects of such a system, in which secrecy is of great importance. Present security concepts are based on an implied assumption that any "cleared" person must be trusted and that any "uncleared" person is a potential spy. Further, information is either classified or not. From time to time one wonders if these binary attitudes are really a valid basis on which to predicate a military communications systems. This Memorandum, in which the underlying concepts and resulting safeguards to be built into the network are described, is written on the basis of fully anticipating the existance of spies within our ostensibly secure communications secrecy protection structure; hence, our primary interest is in raising the price of espied information to an excessive level. ”
Notes: First publication about network security
[Doyle-2001 (doi) .]
R. Doyle
“The US Navy's first online crypto system”,
IEEE Annals of the History of Computing, vol.23, #1, Jan-March 2001, pp. 17–21
ResiliNets Keywords: list
Keywords: History.
Abstract: “Describes how, in 1950, four officers and four enlisted men were ordered to a school at the Naval Research Laboratory (NRL) in Washington, DC, USA, where they were to learn about a system that would automatically and instantaneously encrypt and decrypt facsimile transmissions over long-distance high-frequency radio paths. Initially, the project was called Facsimile Applique´ Equipment, but later it was known as the AFSAX 500 Program”
Notes: importance and relevance to ResiliNets
Attacks
[Landwehr-Bull-McDermott-Choi-1994 (doi) .]
C.E. Landwehr, A.R. Bull, J.P. McDermott, W.S. Choi
“A taxonomy of computer program security flaws”,
ACM Computing Surveys, vol.26, #3, Sep. 1994, pp. 211-254
ResiliNets Keywords: Taxonomy of Security Flaws
Keywords: error/defect classification, security flaw, taxonomy
Abstract: “An organized record of actual flaws can be useful to computer system designers, programmers, analysts, administrators, and users. This survey provides a taxonomy for computer program security flaws, with an Appendix that documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they can arise. Because these flaws were not randomly selected from a valid statistical sample of such flaws, we make no strong claims concerning the likely distribution of actual security flaws within the taxonomy. However, this method of organizing security flaw data can help those who have custody of more representative samples to organize them and to focus their efforts to remove and, eventually, to prevent the introduction of security flaws. ”
Notes: This paper gives a good overview of computer security flaws.
[Qu-Jayaprakash-Hariri-Raghavendra-2002 .]
G. Qu, J. Rudraraju, R. Modukuri, S. Hariri, and C.S. Raghavendra
“A Framework for Network Vulnerability Analysis”,
Proceedings of the 1st IASTED International Conference on Communications, Internet, Information Technology (CT2002),
St. Thomas, Virgin Islands, USA, 2002 pp. 289--298
ResiliNets Keywords: vulnerability, metrics
Keywords: Network Vulnerability, Vulnerability Index, Vulnerability Metrics
Abstract: "With increasing faults and attacks on the Internet infrastructure, there is an urgent need to develop techniques to analyze network and service vulnerability under organized fault attacks. Network vulnerability refers to the impact of attacks and faults on network and system behaviors. An accurate vulnerability analysis requires a deep understanding of failure modes and effects on each of the network components and the knowledge of how these components are inter-related at each point in time to various applications in a networked system. In this paper we present an agent based network vulnerability analysis framework and show how our framework can be used to analyze and quantify the system vulnerability under a Distributed Denial of Service (DDOS) attack scenario.... "
Notes:
[Hariri-Qu-Dharmagadda-Ramkishore-Raghavendra-2003 (doi) .]
S. Hariri, G. Qu, T. Dharmagadda, R. Modukuri, and C.S. Raghavendra
“Impact Analysis of Faults and Attacks in Large-Scale Networks”,
IEEE Security and Privacy, vol.01, #5, October 2003, pp. 49-54
ResiliNets Keywords: vulnerability, metrics
Keywords:
Abstract: "Monitoring and quantifying component behavior is key to, making networks reliable and robust. The agent-based architecture presented here continuously monitors network vulnerability metrics providing new ways to measure the impact of faults and attacks."
Notes:
[Mirkovic-Reiher-2004 (doi) .]
Jelena Mirkovic and Peter Reiher,
“A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”,
SIGCOMM Computer Communication Review, vol.34, #2, p. 39–53; 2004
Abstract: “Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria was selected to highlight commonalities and important features of attack strategies, that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.”
ResiliNets Keywords: Challenge
Notes:
[Igure-Williams-2008 (doi) .]
Vinay M. Igure, and Ronald D. Williams,
“Taxonomies of Attacks and Vulnerabilities in Computer Systems”,
Communications Surveys & Tutorials, IEEE, vol.10 iss.1, 1st qtr. 2008 pp. 6-19
Abstract: “Security assessment of a system is a difficult problem. Most of the current efforts in security assessment involve searching for known vulnerabilities. Finding unknown vulnerabilities still largely remains a subjective process. The process can be improved by understanding the characteristics and nature of known vulnerabilities. The knowledge thus gained can be organized into a suitable taxonomy, which can then be used as a framework for systematically examining new systems for similar but as yet unknown vulnerabilities. There have been many attempts at producing such taxonomies. This article provides a comprehensive survey of the important work done on developing taxonomies of attacks and vulnerabilities in computer systems. This survey covers work done in security related taxonomies from 1974 until 2006. Apart from providing a state-of-the-art survey of taxonomies, we also analyze their effectiveness for use in a security assessment process. Finally, we summarize the important properties of various taxonomies to provide a framework for organizing information about known attacks and vulnerabilities into a taxonomy that would benefit the security assessment process.”
ResiliNets Keywords:
Notes:
[Chakrabarti-Manimaran-2002 (doi) .]
Anirban Chakrabarti and G. Manimaran,
“Internet Infrastructure Security: A Taxonomy”,
IEEE Network, vol.16, #6, Nov./Dec. 2002, pp. 13-21
ResiliNets Keywords:
Keywords: DNS hacking; Internet infrastructure security; cyber terrorism; denial-of-service attacks; dependable infrastructure; packet mistreatment; routing table poisoning; secure protocols; threat situation; Internet; computer crime; protocols; telecommunication security;
Abstract: “The pervasive and ubiquitous nature of the Internet coupled with growing concerns about cyber terrorism demand immediate solutions for securing the Internet infrastructure. So far, the research in Internet security primarily focused on. securing the information rather than securing the infrastructure itself. Given the prevailing threat situation, there is a compelling need to develop architectures, algorithms, and protocols to realize a dependable Internet infrastructure. In order to achieve this goal, the first and foremost step is to develop a comprehensive understanding of the security threats and existing solutions. This article attempts to fulfill this important step by providing a taxonomy of security attacks, which are classified into four main categories: DNS hacking, routing table poisoning, packet mistreatment, and denial-of-service attacks. The article discusses the existing solutions for each of these categories, and also outlines a methodology for developing secure protocols.”
Notes:
[Cai-Lee-Gong-Towsley-2011 (doi) .]
Yan Cai, Patrick P.C. Lee, Weibo Gong, Don Towsley,
“Analysis of traffic correlation attacks on router queues”,
Computer Networks, vol.55, #3, Feb. 2011, pp. 734-747
ResiliNets Keywords:
Keywords: Correlation attack, Correlation attack, Fluid model, Performance evaluation
Abstract: “Traffic burstiness is known to be undesirable for a router as it increases the router’s queue length and hence the queueing delays of data flows. This poses a security problem in which an attacker intentionally introduces traffic burstiness into routers. We consider a correlation attack, whose fundamental characteristic is to correlate multiple attack flows to generate synchronized small attack bursts, in an attempt to aggregate the bursts into a large burst at a target router. In this paper, we develop an analytical, fluid-based framework that models how the correlation attack disrupts router queues and how it can be mitigated. Using Poisson Counter Stochastic Differential Equations (PCSDEs), our framework captures the dynamics of a router queue for special cases and gives the closed-form average router queue length as a function of the inter flow correlation. To mitigate the correlation attack, we apply our analytical framework to model different pacing schemes including Markov ON–OFF pacing and rate limiting, which are respectively designed to break down the inter-flow correlation and suppress the peak rates of bursts. We verify that our fluid models conform to packet-level ns2 simulation results. ”
Notes:
Intrusion Detection Systems
Misuse-based Intrusion Detection
[Roesch-1999]
M. Roesch,
“Snort - Lightweight Intrusion Detection for Networks”,
Proceedings of the 13th USENIX conference on System administration (LISA),
Seattle, Washington, USA, November 1999, pp. 229-238
ResiliNets Keywords: signature-based network intrusion detection
Abstract: "Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected. Commercial NIDS have many differences, but Information Systems departments must face the commonalities that they share such as significant system footprint, complex deployment and high monetary cost. Snort was designed to address these issues."
Notes: An open-source signature-based network intrusion detection system
[Paxson-1999]
V. Paxson,
“Bro: A System for Detecting Network Intruders in Real-Time”,
Computer Networks, vol. 31, (23-24), December 1999, pp. 2435-2463
ResiliNets Keywords: signature-based intrusion detection
Abstract: "We describe Bro, a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder's traffic transits. We give an overview of the system's design, which emphasizes high-speed (FDDI-rate) monitoring, real-time notification, clear separation between mechanism and policy, and extensibility. To achieve these ends, Bro is divided into an ``event engine that reduces a kernel-filtered network traffic stream into a series of higher-level events, and a ``policy script interpreter that interprets event handlers written in a specialized language used to express a site's security policy. Event handlers can update state information, synthesize new events, record information to disk, and generate real-time notifications via syslog. We also discuss a number of attacks that attempt to subvert passive monitoring systems and defenses against these, and give particulars of how Bro analyzes the six applications integrated into it so far: Finger, FTP, Portmapper, Ident, Telnet and Rlogin. The system is publicly available in source code form."
Notes: The best paper to read to get an overview of Bro, which is a very cleanly designed (and consequently easy to understand) network intrusion detection system.
[Dreger-Kreibich-Paxson-Sommer-2005]
Holger Dreger, Christian Keibich, Vern Paxson, Robin Sommer,
“Enhancing the Accuracy of Network-based Intrusion Detection with Host-based Context”,
Proceedings of the Conference on
Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2005,
Vienna, Austria, July 2005.
ResiliNets Keywords: signature-based intrusion detection
Abstract: "In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while hostbased solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the best of both worlds: we preserve the advantages of network-based detection, but alleviate its weaknesses by improving the accuracy of the traffic analysis with specific host-based context. Our framework preserves a separation of policy from mechanism, is highly configurable and more flexible than sensor/manager-based architectures, and imposes a low overhead on the involved end hosts. We include a case study of our approach for a notoriously hard problem for purely network-based systems: the correct processing of HTTP requests."
Notes: A nice paper on providing host-based context to Bro (a network-based intrusion detection system.) The paper nicely describes the motivation for including host-based context when carrying out network-based intrusion detection.
[Sommer-Paxson-2003 (doi)]
R. Sommer, V. Paxson,
“Enhancing Byte-Level Network Intrusion Detection Signatures with Context”,
Proceedings of the 10th ACM conference on Computer and Communications Security (CCS),
Washington D.C., USA, 2003, pp. 262-271
Keywords: Bro, Network Intrusion Detection, Pattern Matching, Security, Signatures, Snort, Evaluation
Abstract: "Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature-matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS bro, we provide low-level context by using regular expressions for matching, and high-level context by taking advantage of the semantic information made available by bro's protocol analysis and scripting language. Therewith, we greatly enhance the signature's expressiveness and hence the ability to reduce false positives. We present several examples such as matching requests with replies, using knowledge of the environment, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans.To leverage existing efforts, we convert the comprehensive signature set of the popular freeware NIDS snort into bro's language. While this does not provide us with improved signatures by itself, we reap an established base to build upon. Consequently, we evaluate our work by comparing to snort, discussing in the process several general problems of comparing different NIDSs."
Notes: Signature-based IDSs can generate high numbers of false positives. This paper describes how signatures can be extended using additional context, such as connection state and regular expressions, to improve intrusion detection accuracy. This is done using Bro.
Anomaly-based Intrusion Detection
[Lunt-Tamaru-Gilham-Jagannathan-Jalali-Neumann-Javitz-Valdes-Garvey-1992]
Fred Gilham, Peter Neumann, Alfonso Valdes, Teresa F. Lunt, Ann Tamaru, R. Jagannathan, Caveh Jalali, Harold S. Javitz & Thomas D. Garvey,
“A Real-time Intrusion-Detection Expert System (IDES) - Final Technical Report”,
Technical Report,
Computer Science Laboratory, SRI International, Menlo Park, CA, February 1992
ResiliNets Keywords: anomaly-based intrusion detection
Abstract: "SRI International has designed and developed a real-time intrusion-detection expert system (IDES). IDES is a stand-alone system that observes user behavior on one or more monitored computer systems and flags suspicious events. IDES monitors the activities of individual users, groups, remote hosts and entire systems, and detects suspected security violations, by both insiders and outsiders, as they occur. IDES adaptively learns users’ behavior patterns over time and detects behavior that deviates from these patterns. IDES also has a rule-based component that can be used to encode information about known system vulnerabilities and intrusion scenarios. Integrating the two approaches makes IDES a comprehensive system for detecting intrusions as well as misuse by authorized users. IDES has been enhanced to run under GLU, a platform supporting distributed, parallel computation; GLU enhances configuration flexibility and system fault tolerance. This final report is a deliverable item for work supported by the U.S. Navy, SPAWAR, which funded SRI through U.S. Government Contract No. N00039-89-C-0050."
Notes: One of the seminal works on anomaly-based intrusion detection.
[Sekar-Gupta-Frullo-Shanbhag-Tiwari-Yhang-Zhou-2002 (doi)]
R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, S. Zhou,
“Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions”,
Proceedings of the 9th ACM conference on Computer and Communications Security (CCS) 2002,
Washington, DC, USA, 2002, pp. 265 - 274
ResiliNets Keywords: anomaly-based intrusion detection
Keywords: Intrusion detection, anomaly detection, network monitoring
Abstract: "Unlike signature or misuse based intrusion detection techniques, anomaly detection is capable of detecting novel attacks. However, the use of anomaly detection in practice is hampered by a high rate of false alarms. Specification-based techniques have been shown to produce a low rate of false alarms, but are not as effective as anomaly detection in detecting novel attacks, especially when it comes to network probing and denial-of-service attacks. This paper presents a new approach that combines specification-based and anomaly-based intrusion detection, mitigating the weaknesses of the two approaches while magnifying their strengths. Our approach begins with state-machine specifications of network protocols, and augments these state machines with information about statistics that need to be maintained to detect anomalies. We present a specification language in which all of this information can be captured in a succinct manner. We demonstrate the effectiveness of the approach on the 1999 Lincoln Labs intrusion detection evaluation data, where we are able to detect all of the probing and denial-of-service attacks with a low rate of false alarms (less than 10 per day). Whereas feature selection was a crucial step that required a great deal of expertise and insight in the case of previous anomaly detection approaches, we show that the use of protocol specifications in our approach simplifies this problem. Moreover, the machine learning component of our approach is robust enough to operate without human supervision, and fast enough that no sampling techniques need to be employed. As further evidence of effectiveness, we present results of applying our approach to detect stealthy email viruses in an intranet environment."
Notes: There are two main approaches to intrusion detection -- anomaly and signature-based detection. Anomaly detection-based techniques are typified with high false positive rates. This paper describes an approach to anomaly detection where the feature space that is monitored is constrained by a specification of normal behaviour (using EFSA), which is annotated with learnt probabilistic normal behaviour. One of the suggested benefits of this approach to intrusion detection is fewer false positives than standard anomaly detection approaches.
[Zhang-Lee-Huang-2003 (doi)]
Y. Zhang, W. Lee, Y. Huang,
“Intrusion detection techniques for mobile wireless networks”,
ACM/Kluwer Wireless Networks Journal, vol.9, #5, September 2003, pp. 545 - 556
ResiliNets Keywords: anomaly-based intrusion detection
Keywords: Intrusion detection, intrusion response, cooperative detection, anomaly detection, mobile ad-hoc networks
Abstract: "The rapid proliferation of wireless networks and mobile computing applications has changed the landscape of network security. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective. We need to search for new architecture and mechanisms to protect the wireless networks and mobile computing application. In this paper, we examine the vulnerabilities of wireless networks and argue that we must include intrusion detection in the security architecture for mobile computing environment. We have developed such an architecture and evaluated a key mechanism in this architecture, anomaly detection for mobile ad-hoc network, through simulation experiments."
Notes: Interesting paper that discusses network intrusion detection in mobile ad-hoc networks. The argument for doing intrusion detection in these types of networks is reasonably well argued with some example attacks presented. An example is shown where device mobility information (from GPS, for example) is used as a way to detect anomalous behaviour. Using this kind of context (in addition to just network traffic events) is interesting Also, there are elements of cooperative detection presented, which differs from most of the traditional approaches to intrusion detection.
Security Mechanisms
[[Metz-1999] (doi) .]
C. Metz
“AAA protocols: authentication, authorization, and accounting for the Internet”,
IEEE Internet Computing, vol.3, #6, Nov/Dec. 1999, pp. 75-79
ResiliNets Keywords: AAA
Keywords: Internet, authorisation, message authentication, protocols
Abstract: “Internet service providers (ISPs) offering dial-up access and purveyors of enterprise networks supporting telecommuters face some difficult challenges. Ever-increasing residential dialup subscribers demand available modem (or ISDN) ports, or threaten to take their business elsewhere. To meet this demand, ISPs (dial providers) are deploying a large number of-complex, port-dense network access servers (NAS) to handle thousands of individual dial-up connections. At the same time, the miniaturization of stationary office essentials, such as the laptop computer and cellular telephone, has coupled with the need for maximum customer face time to create a workforce in perpetual motion. These “road warriors” require secure and reliable access to email and Web resources from hotels, airports, and virtual offices around the world. But dial providers must do more than simply offer an available modem port at the other end of a telephone call. They must protect against theft-of-service attacks by unscrupulous individuals with excess free time; they must verify subscribers' levels of access authorization; and for cost recovery, billing, and resource planning purposes, they may need to meter the connection time to the network. Furthermore, to provide maximum coverage to a growing roaming and mobile subscriber base, they may choose to pool their NAS resources while retaining control over their subscribers' access, usage, and billing information. All these services require coordination between the various administrative systems supported by the dial providers in partnership with each other.”
Notes:
[Voydock-Kent-1983 (doi) .]
V.L. Voydock, S.T. Kent
“Security Mechanisms in High-Level Network Protocols”,
ACM Computing Surveys, vol.15, #3, June 1983, pp. 135-171
ResiliNets Keywords: AAA
Keywords: Security mechanisms
Abstract: “The implications of adding security mechanisms to high-level network protocols operating in an open-system environment are analyzed. First the threats to security that may arise in such an environment are described, and then a set of goals for communications security measures is established. This is followed by a brief description of the two basic approaches to communications security, link-oriented measures and end-to-end measures, which concludes that end-to-end measures are more appropriate in an open-system environment. Next, relevant properties of data encryption--the fundamental technique on which all communications security mechanisms are based--are discussed. The remainder of the paper describes how end-to-end measures can be used to achieve each of the security goals previously established.”
Notes:
[Stephens-2004 .]
B. Stephens
“Security architecture for aeronautical networks”,
The 23rd Digital Avionics Systems Conference (DASC 2004),
Salt Lake City, Utah, 2004 pp. 8.E.2 - 81-19 Vol.2
ResiliNets Keywords:
Keywords: IP networks, air traffic, aircraft communication, filters, message authentication, protocols, public key cryptography, quality of service, telecommunication security, virtual private networks
Abstract: “Aeronautical networking must fulfill the security objectives of air traffic service providers, operators and passengers. The overall objective is to protect communication, information and infrastructure from attack. This work provides an overview of security mechanisms and technologies and presents a security architecture suitable for the future IP-based aeronautical networks. Application of cryptographic and non-cryptographic security technologies is presented. The differences between and benefits of network and application security are explored. Cryptographic security examines IPsec, VPNs, SSL and the security scheme developed for the ATN. Cryptographic security mechanisms include shared secret and public key systems that provide for authentication, integrity, confidentiality and non-repudiation. The algorithms and key strengths that are suitable for aeronautical networking are presented. Non-cryptographic mechanisms for aeronautical networks are examined, including stateless and stateful packet filters, application level security proxies and circuit level gateways. A reference security model is presented that provides for the protection of communication between the networks of different security levels in aeronautical networking. Air-ground security based on elliptic curve cryptography is presented using the lessons learned from the design of the ATN. A public key infrastructure for key distribution that scales to the size of the global aeronautical community is examined. Intrinsic and management protocol security is covered including routing, security, quality of service, mobility, multicast, voice over IP, and SNMP. Finally, This work investigates defense in depth security, which provides a robust solution involving multiple levels of security, both network and application security and both cryptographic and non-cryptographic security mechanisms.”
Notes:
Trust
[Neumann-2006 (doi) .]
P.G. Neumann
“System and Network Trustworthiness in Perspective”,
Proceedings of the 13th ACM conference on Computer and communications security, Virginia, USA, Oct. - Nov. 2006, pp. 1-5
ResiliNets Keywords: Past failures, Trustworthiness
Keywords: assurance, computer systems, networks, reliability, risks, security, survivability, threats, trustworthiness, vulnerabilities
Abstract: “Characteristic problem areas experienced in the past are considered here, as well as some of the challenges that must be confronted in trying to achieve greater trustworthiness in computer systems and networks and in the overall environments in which they must operate. Some system development recommendations for the future are also discussed. ”
Notes: The paper gives some examples of Internet's total failure in the early 1980 ARPANET, and 1990 AT&T long-lines collapse. It is kind of verification of our VD. Some references can provide deeper insight into past failures.
BGP
[Huston-Rossi-Armitage-2011 .]
G. Huston, M. Rossi, G. Armitage
“Securing BGP - A Literature Survey”,
IEEE Communications Surveys and Tutorials , vol.13, no.2, pp.199-222, Second Quarter 2011
ResiliNets Keywords: Inter-domain Resilience, Security, BGP survey
Keywords: BGP , BGP security , Computer Network Protocols , Inter-domain routing security , routing
Abstract: “The Border Gateway Protocol (BGP) is the Internet's inter-domain routing protocol. One of the major concerns related to BGP is its lack of effective security measures, and as a result the routing infrastructure of the Internet is vulnerable to various forms of attack. This paper examines the Internet's routing architecture and the design of BGP in particular, and surveys the work to date on securing BGP. To date no proposal has been seen as offering a combination of adequate security functions, suitable performance overheads and deployable support infrastructure. Some open questions on the next steps in the study of BGP security are posed.”
Notes:
[Nicholes-Mukherjee-2009 .]
M. Nicholes, B. Mukherjee
“A survey of security techniques for the border gateway protocol (BGP)”,
IEEE Communications Surveys and Tutorials , vol.11, no.1, pp.52-65, First Quarter 2009
ResiliNets Keywords: Inter-domain Resilience, Security, BGP survey
Keywords: Internet, Border Gateway Protocol (BGP), BGP routing, BGP security, survey
Abstract: “Web surfing is an example (and popular) Internet application where users desire services provided by servers that exist somewhere in the Internet. To provide the service, data must be routed between the user's system and the server. Local network routing (relative to the user) can not provide a complete route for the data. In the core Internet, a portion of the network controlled by a single administrative authority, called an autonomous system (AS), provides local network support and also exchanges routing information with other ASes using the border gateway protocol (BGP). Through the BGP route exchange, a complete route for the data is created. Security at this level in the Internet is challenging due to the lack of a single administration point and because there are numerous ASes which interact with one another using complex peering policies. This work reviews recent techniques to secure BGP. These security techniques are categorized as follows: 1) cryptographic/attestation, 2) database, 3) overlay/group protocols, 4) penalty, and 5) data-plane testing. The techniques are reviewed at a high level in a tutorial format, and shortcomings of the techniques are summarized as well. The depth of coverage for particular published works is intentionally kept minimal, so that the reader can quickly grasp the techniques. This survey provides a basis for evaluation of the techniques to understand coverage of published works as well as to determine the best avenues for future research.”
Notes:
