
Computer Security Applications Conference, 2003. Proceedings. 19th Annual

Date 8-12 Dec. 2003


Displaying Results 1 - 25 of 45
  • Scalable and efficient PKI for inter-organizational communication

    Publication Year: 2003, Page(s): 308-318
    Cited by:  Papers (1)  |  Patents (1)

    We propose an efficient and flexible system for a secure and authentic data exchange in a multi-institutional environment, where the institutions maintain different databases and provide secure and limited access services to employees of other institutions. The main motivation for building such a system was to organize efficient cooperative use of state registers, in order to increase the efficiency and quality of public services in Estonia. In order to meet high security requirements, several contemporary measures are integrated (using digital signatures, distributing certificate information by means of DNS protocol and linking log files with cryptographic checksums). We give rationale for the design decisions made in the implementation process and conclude with the current state of public use of the resulting infrastructure.

  • Protecting personal data: can IT security management standards help?

    Publication Year: 2003, Page(s): 266-275
    Cited by:  Papers (1)

    Compelled to improve information security by the introduction of personal data protection legislation, organizations worldwide are adopting standardized security management guidelines to inform their internal processes. We analyze whether existing security management standards support process requirements for personal data management, drawing from experience with security policies in private organizations and through an analysis of current European and US legislation. Various aspects of personal data management not commonly addressed by security standards are identified, and a number of generally applicable enhancements are proposed to one common standard, IS17799. The appropriateness of including data protection guidelines in security standards is discussed, showing how these enhancements could simplify the definition of personal data management procedures in organizations.

  • Making secure TCP connections resistant to server failures

    Publication Year: 2003, Page(s): 197-206

    Methods are presented to increase resiliency to server failures by migrating long running, secure TCP-based connections to backup servers, thus mitigating damage from servers disabled by attacks or accidental failures. The failover mechanism described is completely transparent to the client. Using these techniques, simple, practical systems can be built that can be retrofitted into the existing infrastructure, i.e. without requiring changes either to the TCP/IP protocol, or to the client system. The end result is a drop-in method of adding significant robustness to secure network connections such as those using the secure shell protocol (SSH). As there is a large installed universe of TCP-based user agent software, it will be some time before widespread adoption takes place of other approaches designed to withstand these kinds of service failures; our methods provide an immediate way to enhance reliability, and thus resistance to attack, without having to wait for clients to upgrade software at their end. The practical viability of our approach is demonstrated by providing details of a system we have built that satisfies these requirements.

  • An intrusion-tolerant password authentication system

    Publication Year: 2003, Page(s): 110-118
    Cited by:  Papers (2)  |  Patents (1)

    In a password-based authentication system, to authenticate a user, a server typically stores password verification data (PVD), which is a value derived from the user's password using publicly known functions. For those users whose passwords fall within an attacker's dictionary, their PVDs, if stolen (for example, through server compromise), allow the attacker to mount off-line dictionary attacks. We describe a password authentication system that can tolerate server compromises. The described system uses multiple (say n) servers to share password verification data and never reconstructs the shared PVD during user authentications. Only a threshold number (say t, t≤n) of these servers are required for a user authentication and compromising up to (t-1) of these servers will not allow an attacker to mount off-line dictionary attacks, even if a user's password falls within the attacker's dictionary. The described system can still function if some of the servers are unavailable. We give the system architecture and implementation details. Our experimental results show that the described system works well. The given system can be used to build intrusion-tolerant applications.

  • Attack signature matching and discovery in systems employing heterogeneous IDS

    Publication Year: 2003, Page(s): 245-254
    Cited by:  Papers (1)

    Over the past decade, intrusion detection systems (IDS) have improved steadily in the efficiency and effectiveness with which they detect intrusive activity. This is particularly true with signature-based IDS due to progress with intrusion analysis and intrusion signature specification. At the same time, system complexity, overall numbers of bugs and security vulnerabilities have been on the increase. This has led to the recognition that in order to operate over the entire attack space, multiple heterogeneous IDS must be used, which need to interoperate with one another, and possibly also with other components of system security. We describe our research into developing algorithms for attack signature matching for detecting multistage attacks manifested by alerts from heterogeneous IDS. It also describes the testing and preliminary results of that research, and the administrator interface used to analyze the alerts produced by the tests and the results of signature matching.

  • Design, implementation and test of an email virus throttle

    Publication Year: 2003, Page(s): 76-85
    Cited by:  Papers (6)

    We present an approach to preventing the damage caused by viruses that travel via email. The approach prevents an infected machine spreading the virus further. This directly addresses the two ways that viruses cause damage: fewer machines spreading the virus will reduce the number of machines infected and reduce the traffic generated by the virus. The approach relies on the observation that normal emailing behaviour is quite different from the behaviour of a spreading virus, with the virus sending messages at a much higher rate, to different addresses. To limit propagation a rate-limiter or virus throttle is described that does not affect normal traffic, but quickly slows and stops viral traffic. We include an analysis of normal emailing behaviour, and details of the throttle design. In addition, an implementation is described and tested with real viruses, showing that the approach is practical.

  • A policy validation framework for enterprise authorization specification

    Publication Year: 2003, Page(s): 319-328

    The validation of enterprise authorization specification for conformance to enterprise security policies requires an out-of-band framework in many situations since the enforcing access control mechanism does not provide this feature. We describe one such framework. The framework uses XML to encode the enterprise authorization specification, XML schema to specify the underlying access control model (which in our case is the role-based access control model (RBAC)) and Schematron language to encode the policy constraints. The conformance of the XML-encoded enterprise authorization specification to the structure of the RBAC model (specified through XML schema) as well as the policy constraints (specified through Schematron) is verified through a Schematron validator tool.

  • Experimenting with a policy-based HIDS based on an information flow control model

    Publication Year: 2003, Page(s): 364-373
    Cited by:  Papers (3)

    In 2002 we proposed a model for policy-based intrusion detection, based on information flow control. In the present paper, we show its applicability and effectiveness on a standard OS. We present results of two sets of experiments, one carried out in a completely controlled environment, the other on an operational server with real network traffic. Our results show that the model fulfills its goals and serves as a successful runtime policy-based intrusion detector.

  • An IP traceback technique against denial-of-service attacks

    Publication Year: 2003, Page(s): 96-104
    Cited by:  Papers (2)

    Reflector attack [Vern Paxson (2001)] belongs to one of the most serious types of denial-of-service (DoS) attacks, which can hardly be traced by contemporary traceback techniques, since the marked information written by any routers between the attacker and the reflectors will be lost in the replied packets from the reflectors. We propose a reflective algebraic marking scheme for tracing DoS and DDoS attacks, as well as reflector attacks. The proposed marking scheme contains three algorithms, namely the marking, reflection and reconstruction algorithms, which have been well tested through extensive simulation experiments. The results show that the marking scheme can achieve a high performance in tracing the sources of the potential attack packets. In addition, it produces negligible false positives, whereas other current methods usually produce a certain amount of false positives.

  • Poly2 paradigm: a secure network service architecture

    Publication Year: 2003, Page(s): 342-351
    Cited by:  Papers (2)

    General-purpose operating systems provide a rich computing environment both to the user and the attacker. The declining cost of hardware and the growing security concerns of software necessitate a revalidation of the many assumptions made in network service architectures. Enforcing sound design principles while retaining usability and flexibility is key to practical security. Poly2 is an approach to build a hardened framework for network services from commodity hardware and software. Guided by well-known security design principles such as least common mechanism and economy of mechanism, and driven by goals such as psychological acceptability and immediate usability, Poly2 provides a secure platform for network services. It also serves as a testbed for several security-related research areas such as intrusion detection, forensics, and high availability. This paper discusses the overall design and philosophy of Poly2, presents an initial implementation, and outlines future work.

  • Honeypots: catching the insider threat

    Publication Year: 2003, Page(s): 170-179
    Cited by:  Papers (22)  |  Patents (4)

    In the past several years there has been extensive research into honeypot technologies, primarily for detection and information gathering against external threats. However, little research has been done for one of the most dangerous threats, the advanced insider, the trusted individual who knows our internal organization. These individuals are not after our systems, they are after our information. We discuss how honeypot technologies can be used to detect, identify, and gather information on these specific threats.

  • Collaborative intrusion detection system (CIDS): a framework for accurate and efficient IDS

    Publication Year: 2003, Page(s): 234-244
    Cited by:  Papers (13)

    We present the design and implementation of a collaborative intrusion detection system (CIDS) for accurate and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at the different layers (network, kernel and application) and a manager-based framework for aggregating the alarms from the different detectors to provide a combined alarm for an intrusion. The premise is that a carefully designed and configured CIDS can increase the accuracy of detection compared to individual detectors, without a substantial degradation in performance. In order to validate the premise, we present the design and implementation of a CIDS which employs Snort, Libsafe, and a new kernel level IDS called Sysmon. The manager has a graph-based and a Bayesian network based aggregation method for combining the alarms to finally come up with a decision about the intrusion. The system is evaluated using a Web-based electronic store front application and under three different classes of attacks: buffer overflow, flooding and script-based attacks. The results show performance degradations compared to no detection of 3.9% and 6.3% under normal workload and a buffer overflow attack respectively. The experiments to evaluate the accuracy of the system show that the normal workload generates false alarms for Snort and the elementary detectors produce missed alarms. CIDS does not flag the false alarm and reduces the incidence of missed alarms to 1 of the 7 cases. CIDS can also be used to measure the propagation time of an intrusion which is useful in choosing an appropriate response strategy.

  • Practical random number generation in software

    Publication Year: 2003, Page(s): 129-140
    Cited by:  Papers (2)  |  Patents (1)

    There is a large gap between the theory and practice for random number generation. For example, on most operating systems, using /dev/random to generate a 256-bit AES key is highly likely to produce a key with no more than 160 bits of security. We propose solutions to many of the issues that real software-based random number infrastructures have encountered. Particularly, we demonstrate that universal hash functions are a theoretically appealing and efficient mechanism for accumulating entropy, we show how to deal with forking processes without using a two-phase commit, we explore better metrics for estimating entropy and argue that systems should provide both computational security and information theoretic security through separate interfaces.

  • Security design in online games

    Publication Year: 2003, Page(s): 286-295
    Cited by:  Papers (4)  |  Patents (2)

    The emergence of online games has fundamentally changed security requirements for computer games, which previously were largely concerned with copy protection. We examine how new security requirements impact the design of online games by using online bridge, a simple client-server game, as our case study. We argue that security is emerging as an inherent design issue for online games, after graphics and artificial intelligence, which have become important issues of the design of most games for decades. The most important new security concern in online game design is fairness enforcement, and most security mechanisms all contribute to a single objective, namely, making the play fair for each user.

  • Bayesian event classification for intrusion detection

    Publication Year: 2003, Page(s): 14-23
    Cited by:  Papers (20)  |  Patents (1)

    Intrusion detection systems (IDSs) attempt to identify attacks by comparing collected data to predefined signatures known to be malicious (misuse-based IDSs) or to a model of legal behavior (anomaly-based IDSs). Anomaly-based approaches have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building robust models of acceptable behavior, which may result in a large number of false alarms. Almost all current anomaly-based intrusion detection systems classify an input event as normal or anomalous by analyzing its features, utilizing a number of different models. A decision for an input event is made by aggregating the results of all employed models. We have identified two reasons for the large number of false alarms, caused by incorrect classification of events in current systems. One is the simplistic aggregation of model outputs in the decision phase. Often, only the sum of the model results is calculated and compared to a threshold. The other reason is the lack of integration of additional information into the decision process. This additional information can be related to the models, such as the confidence in a model's output, or can be extracted from external sources. To mitigate these shortcomings, we propose an event classification scheme that is based on Bayesian networks. Bayesian networks improve the aggregation of different model outputs and allow one to seamlessly incorporate additional information. Experimental results show that the accuracy of the event classification process is significantly improved using our proposed approach.

  • Security analysis of the SAML single sign-on browser/artifact profile

    Publication Year: 2003, Page(s): 298-307
    Cited by:  Papers (3)  |  Patents (2)

    Many influential industrial players are currently pursuing the development of new protocols for federated identity management. The security assertion markup language (SAML) is an important standardized example of this new protocol class and will be widely used in business-to-business scenarios to reduce user-management costs. SAML utilizes a constraint-based specification that is a popular design technique of this protocol class. It does not include a general security analysis, but provides an attack-by-attack list of countermeasures as security consideration. We present a security analysis of the SAML single sign-on browser/artifact profile, which is the first one for such a protocol standard. Our analysis of the protocol design reveals several flaws in the specification that can lead to vulnerable implementations. To demonstrate their impact, we exploit some of these flaws to mount attacks on the protocol.

  • A failure to learn from the past

    Publication Year: 2003, Page(s): 217-231

    On the evening of 2 November 1988, someone "infected" the Internet with a worm program. That program exploited flaws in utility programs in systems based on BSD-derived versions of UNIX. The flaws allowed the program to break into those machines and copy itself, thus infecting those systems. This program eventually spread to thousands of machines, and disrupted normal activities and Internet connectivity for many days. It was the first major network-wide attack on computer systems, and thus was a matter of considerable interest. We provide a brief chronology of both the spread and eradication of the program, a presentation about how the program worked, and details of the aftermath. That is followed by discussion of some observations of what has happened in the years since that incident. The discussion supports the title: that the community has failed to learn from the past.

  • Efficient minimum-cost network hardening via exploit dependency graphs

    Publication Year: 2003, Page(s): 86-95
    Cited by:  Papers (31)  |  Patents (3)

    In-depth analysis of network security vulnerability must consider attacker exploits not just in isolation, but also in combination. The general approach to this problem is to compute attack paths (combinations of exploits), from which one can decide whether a given set of network hardening measures guarantees the safety of given critical resources. We go beyond attack paths to compute actual sets of hardening measures (assignments of initial network conditions) that guarantee the safety of given critical resources. Moreover, for given costs associated with individual hardening measures, we compute assignments that minimize overall cost. By doing our minimization at the level of initial conditions rather than exploits, we resolve hardening irrelevancies and redundancies in a way that cannot be done through previously proposed exploit-level approaches. Also, we use an efficient exploit-dependency representation based on monotonic logic that has polynomial complexity, as opposed to many previous attack graph representations having exponential complexity.

  • MLS-PCA: a high assurance security architecture for future avionics

    Publication Year: 2003, Page(s): 2-12
    Cited by:  Papers (2)  |  Patents (1)

    DOD Joint Vision 2020 (JV2020) is the integrated multiservice planning document for conduct among coalition forces of future warfare. It requires the confluence of a number of key avionics technical developments: integrating the network-centric battlefield, management of hundreds of thousands of distributed processors, high assurance multilevel security (MLS) in the battlefield, and low cost high assurance engineering. We describe the results of a study and modeling of a new security architecture (MLS-PCA) that yields a practical solution for JV2020 based upon DARPA polymorphic computing architecture (PCA) advances, and a new distributed process-level encryption scheme. We define a functional model and a verified formal specification of MLS-PCA, for high assurance, with the constraints PCA software and hardware morphware must support. Also, we show a viable mapping of the MLS-PCA model to the PCA hardware. MLS-PCA is designed to support upwards of 500,000 CPUs predicted by Moore's law to be available circa 2020. To test such speculation, we conclude with a description of an in-progress proof-of-concept implementation of MLS-PCA using a 100-node grid computing system and an MLS distributed targeting application.

  • Isolated program execution: an application transparent approach for executing untrusted programs

    Publication Year: 2003, Page(s): 182-191
    Cited by:  Papers (17)  |  Patents (22)

    We present a new approach for safe execution of untrusted programs by isolating their effects from the rest of the system. Isolation is achieved by intercepting file operations made by untrusted processes, and redirecting any change operations to a "modification cache" that is invisible to other processes in the system. File read operations performed by the untrusted process are also correspondingly modified, so that the process has a consistent view of system state that incorporates the contents of the file system as well as the modification cache. On termination of the untrusted process, its user is presented with a concise summary of the files modified by the process. Additionally, the user can inspect these files using various software utilities (e.g., helper applications to view multimedia files) to determine if the modifications are acceptable. The user then has the option to commit these modifications, or simply discard them. Essentially, our approach provides "play" and "rewind" buttons for running untrusted software. Key benefits of our approach are that it requires no changes to the untrusted programs (to be isolated) or the underlying operating system; it cannot be subverted by malicious programs; and it achieves these benefits with acceptable runtime overheads. We describe a prototype implementation of this system for Linux called Alcatraz and discuss its performance and effectiveness.

  • S-ARP: a secure address resolution protocol

    Publication Year: 2003, Page(s): 66-74
    Cited by:  Papers (15)  |  Patents (7)

    Tapping into the communication between two hosts on a LAN has become quite simple thanks to tools that can be downloaded from the Internet. Such tools use the address resolution protocol (ARP) poisoning technique, which relies on hosts caching reply messages even though the corresponding requests were never sent. Since no message authentication is provided, any host of the LAN can forge a message containing malicious information. We present a secure version of ARP that provides protection against ARP poisoning. Each host has a public/private key pair certified by a local trusted party on the LAN, which acts as a certification authority. Messages are digitally signed by the sender, thus preventing the injection of spurious and/or spoofed information. As a proof of concept, the proposed solution was implemented on a Linux box. Performance measurements show that PKI based strong authentication is feasible to secure even low level protocols, as long as the overhead for key validity verification is kept small.

  • Goalkeeper: close-in interface protection

    Publication Year: 2003, Page(s): 334-341
    Cited by:  Papers (1)  |  Patents (1)

    This paper discusses a potential security issue in common operating system and application environments regarding dynamically attached devices and device interfaces. A set of countermeasures for the identified threats is described along with the integration of countermeasures into a policy-based security infrastructure; finally, an implementation of the countermeasure in the form of a policy enforcement module integrated into the kernel of the Microsoft Windows 2000/XP family of operating systems is described.

  • Themes and highlights of the new Security Paradigms Workshop 2003

    Publication Year: 2003, Page(s): 330-331

  • PSOS revisited

    Publication Year: 2003, Page(s): 208-216
    Cited by:  Papers (2)

    We provide a retrospective view of the design of SRI's Provably Secure Operating System (PSOS), a formally specified tagged-capability hierarchical system architecture. It examines PSOS in the light of what has happened in computer system developments since 1980, and assesses the relevance of the PSOS concepts in that light.

  • Modelling contexts in the Or-BAC model

    Publication Year: 2003, Page(s): 416-425
    Cited by:  Papers (10)

    As computer infrastructures become more complex, security models must provide means to handle more flexible and dynamic requirements. In the organization based access control (Or-BAC) model, it is possible to express such requirements using the notion of context. In Or-BAC, each privilege (permission or obligation or prohibition) only applies in a given context. A context is viewed as an extra condition that must be satisfied to activate a given privilege. We present a taxonomy of different types of context and investigate the data the information system must manage in order to deal with these different contexts. We then explain how to model them in the Or-BAC model.
