-
Toward Trusted Sharing of Network Packet Traces Using Anonymization: Single-Field Privacy/Analysis Tradeoffs
Authors:
William Yurcik,
Clay Woolam,
Greg Hellings,
Latifur Khan,
Bhavani Thuraisingham
Abstract:
Network data needs to be shared for distributed security analysis. Anonymization of network data for sharing sets up a fundamental tradeoff between privacy protection versus security analysis capability. This privacy/analysis tradeoff has been acknowledged by many researchers but this is the first paper to provide empirical measurements to characterize the privacy/analysis tradeoff for an enterp…
▽ More
Network data needs to be shared for distributed security analysis. Anonymization of network data for sharing sets up a fundamental tradeoff between privacy protection versus security analysis capability. This privacy/analysis tradeoff has been acknowledged by many researchers but this is the first paper to provide empirical measurements to characterize the privacy/analysis tradeoff for an enterprise dataset. Specifically we perform anonymization options on single-fields within network packet traces and then make measurements using intrusion detection system alarms as a proxy for security analysis capability. Our results show: (1) two fields have a zero sum tradeoff (more privacy lessens security analysis and vice versa) and (2) eight fields have a more complex tradeoff (that is not zero sum) in which both privacy and analysis can both be simultaneously accomplished.
△ Less
Submitted 26 October, 2007; v1 submitted 22 October, 2007;
originally announced October 2007.
-
Security Assessment of E-Tax Filing Websites
Authors:
Aashish Sharma,
William Yurcik
Abstract:
Technical security is only part of E-Commerce security operations; human usability and security perception play major and sometimes dominating factors. For instance, slick websites with impressive security icons but no real technical security are often perceived by users to be trustworthy (and thus more profitable) than plain vanilla websites that use powerful encryption for transmission and ser…
▽ More
Technical security is only part of E-Commerce security operations; human usability and security perception play major and sometimes dominating factors. For instance, slick websites with impressive security icons but no real technical security are often perceived by users to be trustworthy (and thus more profitable) than plain vanilla websites that use powerful encryption for transmission and server protection. We study one important type of E-Commerce transaction website, E-Tax Filing, that is exposed to large populations. We assess a large number of international (5), Federal (USA), and state E-Tax filing websites (38) for both technical security protection and human perception of security. As a result of this assessment, we identify security best practices across these E-Tax Filing websites and recommend additional security techniques that have not been found in current use by E-Tax Filing websites.
△ Less
Submitted 6 August, 2006;
originally announced August 2006.
-
UCLog+ : A Security Data Management System for Correlating Alerts, Incidents, and Raw Data From Remote Logs
Authors:
William Yurcik,
Cristina Abad,
Ragib Hasan,
Moazzam Saleem,
Shyama Sridharan
Abstract:
Source data for computer network security analysis takes different forms (alerts, incidents, logs) and each source may be voluminous. Due to the challenge this presents for data management, this has often lead to security stovepipe operations which focus primarily on a small number of data sources for analysis with little or no automated correlation between data sources (although correlation may…
▽ More
Source data for computer network security analysis takes different forms (alerts, incidents, logs) and each source may be voluminous. Due to the challenge this presents for data management, this has often lead to security stovepipe operations which focus primarily on a small number of data sources for analysis with little or no automated correlation between data sources (although correlation may be done manually). We seek to address this systemic problem.
In previous work we developed a unified correlated logging system (UCLog) that automatically processes alerts from different devices. We take this work one step further by presenting the architecture and applications of UCLog+ which adds the new capability to correlate between alerts and incidents and raw data located on remote logs. UCLog+ can be used for forensic analysis including queries and report generation but more importantly it can be used for near-real-time situational awareness of attack patterns in progress. The system, implemented with open source tools, can also be a repository for secure information sharing by different organizations.
△ Less
Submitted 25 July, 2006;
originally announced July 2006.
-
NVision-PA: A Tool for Visual Analysis of Command Behavior Based on Process Accounting Logs (with a Case Study in HPC Cluster Security)
Authors:
Charis Ermopoulos,
William Yurcik
Abstract:
In the UNIX/Linux environment the kernel can log every command process created by every user with process accounting. Thus process accounting logs have many potential uses, particularly the monitoring and forensic investigation of security events. Previous work successfully leveraged the use of process accounting logs to identify a difficult to detect and damaging intrusion against high performa…
▽ More
In the UNIX/Linux environment the kernel can log every command process created by every user with process accounting. Thus process accounting logs have many potential uses, particularly the monitoring and forensic investigation of security events. Previous work successfully leveraged the use of process accounting logs to identify a difficult to detect and damaging intrusion against high performance computing (HPC) clusters, masquerade attacks, where intruders masquerade as legitimate users with purloined authentication credentials. While masqueraders on HPC clusters were found to be identifiable with a high accuracy (greater than 90%), this accuracy is still not high enough for HPC production environments where greater than 99% accuracy is needed.
This paper incrementally advances the goal of more accurately identifying masqueraders on HPC clusters by seeking to identify features within command sets that distinguish masqueraders. To accomplish this goal, we created NVision-PA, a software tool that produces text and graphic statistical summaries describing input processing accounting logs. We report NVision-PA results describing two different process accounting logs; one from Internet usage and one from HPC cluster usage. These results identify the distinguishing features of Internet users (as proxies for masqueraders) posing as clusters users. This research is both a promising next step toward creating a real-time masquerade detection sensor for production HPC clusters as well as providing another tool for system administrators to use for statistically monitoring and managing legitimate workloads (as indicated by command usage) in HPC environments.
△ Less
Submitted 20 June, 2006;
originally announced June 2006.
-
Using SMART for Customized Monitoring of Windows Services
Authors:
Gregory A. Pluta,
Larry Brumbaugh,
William Yurcik
Abstract:
We focus on examining and working with an important category of computer software called Services, which are provided as a part of newer Microsoft Windows operating systems. A typical Windows user transparently utilizes many of these services but is frequently unaware of their existence. Since some services have the potential to create significant problems when they are executing, it is importan…
▽ More
We focus on examining and working with an important category of computer software called Services, which are provided as a part of newer Microsoft Windows operating systems. A typical Windows user transparently utilizes many of these services but is frequently unaware of their existence. Since some services have the potential to create significant problems when they are executing, it is important for a system administrator to identify which services are running on the network, the types of processing done by each service, and any interrelationships among the various services. This information can then be used to improve the overall integrity of both the individual computer where a questionable service is running and in aggregate an entire network of computers.
NCSA has developed an application called SMART (Services Monitoring And Reporting Tool) that can be used to identify and display all services currently running in the network. A commercial program called Hyena remotely monitors the services on all computers attached to the network and exports this information to SMART. SMART produces various outputs that the system administrator can analyze and then determine appropriate actions to take. In particular, SMART provides a color coordinated user interface to quickly identify and classify both potentially hazardous services and also unknown services.
△ Less
Submitted 29 March, 2006;
originally announced March 2006.
-
SCRUB-PA: A Multi-Level Multi-Dimensional Anonymization Tool for Process Accounting
Authors:
Katherine Luo,
Yifan Li,
Charis Ermopoulos,
William Yurcik,
Adam Slagell
Abstract:
In the UNIX/Linux environment the kernel can log every command process created by every user using process accounting. This data has many potential uses, including the investigation of security incidents. However, process accounting data is also sensitive since it contains private user information. Consequently, security system administrators have been hindered from sharing these logs. Given tha…
▽ More
In the UNIX/Linux environment the kernel can log every command process created by every user using process accounting. This data has many potential uses, including the investigation of security incidents. However, process accounting data is also sensitive since it contains private user information. Consequently, security system administrators have been hindered from sharing these logs. Given that many interesting security applications could use process accounting data, it would be useful to have a tool that could protect private user information in the logs. For this reason we introduce SCRUB-PA, a tool that uses multi-level multi-dimensional anonymization on process accounting log files in order to provide different levels of privacy protection. It is our goal that SCRUB-PA will promote the sharing of process accounting logs while preserving privacy.
△ Less
Submitted 17 January, 2006;
originally announced January 2006.
-
The Evolution of Cyberinsurance
Authors:
Ruperto P. Majuca,
William Yurcik,
Jay P. Kesan
Abstract:
Cyberinsurance is a powerful tool to align market incentives toward improving Internet security. We trace the evolution of cyberinsurance from traditional insurance policies to early cyber-risk insurance policies to current comprehensive cyberinsurance products. We find that increasing Internet security risk in combination with the need for compliance with recent corporate legislation has contri…
▽ More
Cyberinsurance is a powerful tool to align market incentives toward improving Internet security. We trace the evolution of cyberinsurance from traditional insurance policies to early cyber-risk insurance policies to current comprehensive cyberinsurance products. We find that increasing Internet security risk in combination with the need for compliance with recent corporate legislation has contributed significantly to the demand for cyberinsurance. Cyberinsurance policies have become more comprehensive as insurers better understand the risk landscape and specific business needs. More specifically, cyberinsurers are addressing what used to be considered insurmountable problems (e.g., adverse selection/asymmetric information, moral hazard, etc.) that could lead to a failure of this market solution. Although some implementation issues remain, we suggest the future development of cyberinsurance will resolve these issues as evidenced by insurance solutions in other risk domains.
△ Less
Submitted 6 January, 2006;
originally announced January 2006.
-
Defining a Comprehensive Threat Model for High Performance Computational Clusters
Authors:
Dmitry Mogilevsky,
Adam Lee,
William Yurcik
Abstract:
Over the past decade, high performance computational (HPC) clusters have become mainstream in academic and industrial settings as accessible means of computation. Throughout their proliferation, HPC security has been a secondary concern to performance. It is evident, however, that ensuring HPC security presents different challenges than the ones faced when dealing with traditional networks. To d…
▽ More
Over the past decade, high performance computational (HPC) clusters have become mainstream in academic and industrial settings as accessible means of computation. Throughout their proliferation, HPC security has been a secondary concern to performance. It is evident, however, that ensuring HPC security presents different challenges than the ones faced when dealing with traditional networks. To design suitable security measures for high performance computing, it is necessary to first realize the threats faced by such an environment. This task can be accomplished by the means of constructing a comprehensive threat model. To our knowledge, no such threat model exists with regards to Cluster Computing. In this paper, we explore the unique challenges of securing HPCs and propose a threat model based on the classical Confidentiality, Integrity and Availability security principles.
△ Less
Submitted 16 October, 2005;
originally announced October 2005.
-
Leveraging Social-Network Infrastructure to Improve Peer-to-Peer Overlay Performance: Results from Orkut
Authors:
Zahid Anwar,
William Yurcik,
Vivek Pandey,
Asim Shankar,
Indranil Gupta,
Roy H. Campbell
Abstract:
Application-level peer-to-peer (P2P) network overlays are an emerging paradigm that facilitates decentralization and flexibility in the scalable deployment of applications such as group communication, content delivery, and data sharing. However the construction of the overlay graph topology optimized for low latency, low link and node stress and lookup performance is still an open problem. We pr…
▽ More
Application-level peer-to-peer (P2P) network overlays are an emerging paradigm that facilitates decentralization and flexibility in the scalable deployment of applications such as group communication, content delivery, and data sharing. However the construction of the overlay graph topology optimized for low latency, low link and node stress and lookup performance is still an open problem. We present a design of an overlay constructed on top of a social network and show that it gives a sizable improvement in lookups, average round-trip delay and scalability as opposed to other overlay topologies. We build our overlay on top of the topology of a popular real-world social network namely Orkut. We show Orkuts suitability for our purposes by evaluating the clustering behavior of its graph structure and the socializing pattern of its members.
△ Less
Submitted 28 September, 2005;
originally announced September 2005.
-
A Game Theoretic Economics Framework to understanding Information Security Oursourcing Market
Authors:
Wen Ding,
William Yurcik
Abstract:
On information security outsourcing market, an important reason that firms do not want to let outside firms(usually called MSSPs-Managed Security Service Providers) to take care of their security need is that they worry about service quality MSSPs provide because they cannot monitor effort of the MSSPs. Since MSSPs action is unobservable to buyers, MSSPs can lower cost by working less hard than…
▽ More
On information security outsourcing market, an important reason that firms do not want to let outside firms(usually called MSSPs-Managed Security Service Providers) to take care of their security need is that they worry about service quality MSSPs provide because they cannot monitor effort of the MSSPs. Since MSSPs action is unobservable to buyers, MSSPs can lower cost by working less hard than required in the contract and get higher profit. In the asymmetric information literature, this possible secret shirking behavior is termed as moral hazard problem. This paper considers a game theoretic economic framework to show that under information asymmetry, an optimal contract can be designed so that MSSPs will stick to their promised effort level. We also show that the optimal contract should be performance-based, i.e., payment to MSSP should base on performance of MSSP's security service period by period. For comparison, we also showed that if the moral hazard problem does not exist, the optimal contract does not depend on MSSP's performance. A contract that specifies constant payment to MSSP will be optimal. Besides these, we show that for no matter under perfect information scenario or imperfect information scenario, the higher the transaction cost is, the lower payment to MSSPs will be.
△ Less
Submitted 10 June, 2005;
originally announced June 2005.
-
A Distributed Economics-based Infrastructure for Utility Computing
Authors:
Michael Treaster,
Nadir Kiyanclar,
Gregory A. Koenig,
William Yurcik
Abstract:
Existing attempts at utility computing revolve around two approaches. The first consists of proprietary solutions involving renting time on dedicated utility computing machines. The second requires the use of heavy, monolithic applications that are difficult to deploy, maintain, and use.
We propose a distributed, community-oriented approach to utility computing. Our approach provides an infras…
▽ More
Existing attempts at utility computing revolve around two approaches. The first consists of proprietary solutions involving renting time on dedicated utility computing machines. The second requires the use of heavy, monolithic applications that are difficult to deploy, maintain, and use.
We propose a distributed, community-oriented approach to utility computing. Our approach provides an infrastructure built on Web Services in which modular components are combined to create a seemingly simple, yet powerful system. The community-oriented nature generates an economic environment which results in fair transactions between consumers and providers of computing cycles while simultaneously encouraging improvements in the infrastructure of the computational grid itself.
△ Less
Submitted 31 December, 2004;
originally announced December 2004.
-
Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization
Authors:
Adam J. Slagell,
William Yurcik
Abstract:
Logs are one of the most fundamental resources to any security professional. It is widely recognized by the government and industry that it is both beneficial and desirable to share logs for the purpose of security research. However, the sharing is not happening or not to the degree or magnitude that is desired. Organizations are reluctant to share logs because of the risk of exposing sensitive…
▽ More
Logs are one of the most fundamental resources to any security professional. It is widely recognized by the government and industry that it is both beneficial and desirable to share logs for the purpose of security research. However, the sharing is not happening or not to the degree or magnitude that is desired. Organizations are reluctant to share logs because of the risk of exposing sensitive information to potential attackers. We believe this reluctance remains high because current anonymization techniques are weak and one-size-fits-all--or better put, one size tries to fit all. We must develop standards and make anonymization available at varying levels, striking a balance between privacy and utility. Organizations have different needs and trust other organizations to different degrees. They must be able to map multiple anonymization levels with defined risks to the trust levels they share with (would-be) receivers. It is not until there are industry standards for multiple levels of anonymization that we will be able to move forward and achieve the goal of widespread sharing of logs for security researchers.
△ Less
Submitted 3 September, 2004;
originally announced September 2004.
-
Internet Attacks: A Policy Framework for Rules of Engagement
Authors:
William Yurcik,
David Doss
Abstract:
Information technology is redefining national security and the use of force by state and nonstate actors. The use of force over the Internet warrants analysis given recent terrorist attacks. At the same time that information technology empowers states and their commercial enterprises, information technology makes infrastructures supported by computer systems increasingly accessible, interdepende…
▽ More
Information technology is redefining national security and the use of force by state and nonstate actors. The use of force over the Internet warrants analysis given recent terrorist attacks. At the same time that information technology empowers states and their commercial enterprises, information technology makes infrastructures supported by computer systems increasingly accessible, interdependent, and more vulnerable to malicious attack. The Computer Security Institute and the FBI jointly estimate that financial losses attributed to malicious attack amounted to $378 million in 2000. International Law clearly permits a state to respond in self-defense when attacked by another state through the Internet, however, such attacks may not always rise to the scope, duration, and intensity threshold of an armed attack that may justify a use of force in self-defense.
This paper presents a policy framework to analyze the rules of engagement for Internet attacks. We describe the state of Internet security, incentives for asymmetric warfare, and the development of international law for conflict management and armed conflict. We focus on options for future rules of engagement specific to Information Warfare.
We conclude with four policy recommendations for Internet attack rules of engagement: (1) the U.S. should pursue international definitions of "force" and "armed attack" in the Information Warfare context; (2) the U.S. should pursue international cooperation for the joint investigation and prosecution of Internet attacks; (3) the U.S. must balance offensive opportunities against defensive vulnerabilities; and (4) the U.S. should prepare strategic plans now rather than making policy decisions in real-time during an Internet attack.
△ Less
Submitted 24 September, 2001;
originally announced September 2001.
