
Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004.

10-11 June 2004

Displaying Results 1 - 25 of 79
  • Dimension reduction using feature extraction methods for real-time misuse detection systems

    Publication Year: 2004, Page(s):195 - 202
    Cited by:  Papers (13)

    We present a novel signed gain in information (GI) measure for quantitative evaluation of gain or loss in information due to dimension reduction using feature extraction in misuse detection applications. GI is defined in terms of sensitivity mismatch measure (Φ) and specificity mismatch measure (⊗). 'Φ' quantifies information gain or loss in feature-extracted data as the change in d...

  • Determining the strength of a decoy system: a paradox of deception and solicitation

    Publication Year: 2004, Page(s):138 - 145
    Cited by:  Patents (1)

    This paper examines the effectiveness of two shallow decoys, Deception Toolkit (DTK) and Honeyd. A series of attacks, ranging in complexity, were used to examine how these systems interact with key anomalies differently than actual services do. Analysis of these tests shows that shallow decoys not only have difficulty with normal Web traffic, but they also show significant deviation from normal We...

  • The Trusted Computing Exemplar project

    Publication Year: 2004, Page(s):109 - 115
    Cited by:  Papers (8)

    We describe the Trusted Computing Exemplar project, which is producing an openly distributed worked example of how high assurance trusted computing components can be built. The TCX project encompasses four related activities: creation of a prototype framework for rapid high assurance system development; development of a reference-implementation trusted computing component; evaluation of the compon...

  • Developing forensic computing tools and techniques within a holistic framework: an Australian approach

    Publication Year: 2004, Page(s):394 - 400
    Cited by:  Papers (2)

    This paper details work in progress on the development of a conceptual framework within which to position diverse approaches to forensic computing investigations. From this framework a suite of forensic computing tools and investigative procedures is being produced to aid police and intelligence investigators in the cyber-policing of e-crime and cyber-terrorism. These tools aid in the detection of ...

  • Towards a trusted immutable kernel extension (TIKE) for self-healing systems: a virtual machine approach

    Publication Year: 2004, Page(s):444 - 446
    Cited by:  Papers (4)

    The conventional method to restore a compromised system is to wipe the system clean, install from known good media, and patch with the latest updates: a costly, restrictive, and inefficient method. An alternative method is to monitor the host and restore trust if a compromise occurs. When this method is automated, the system is said to be self-healing. One critical requirement of a self-healing sy...

  • Windows NT one-class masquerade detection

    Publication Year: 2004, Page(s):82 - 87
    Cited by:  Papers (1)

    Previous research has mainly studied UNIX system command line users, while here we investigate Windows system users, utilizing real network data. This work primarily focuses on one-class support vector machine (SVM) masquerade detection. One-class training requires only the user's own legitimate sessions to build up the user's profile. The one-class approach offers significant ease of management o...

  • Architecture of the reconnaissance intrusion detection system (RIDS)

    Publication Year: 2004, Page(s):187 - 194

    This paper describes the architecture and provides early test results of the reconnaissance intrusion detection system (RIDS) prototype. RIDS is a session-oriented statistical tool that relies on training to mold the parameters of its algorithms and is capable of detecting even distributed, stealthy reconnaissance attacks. It consists of two main functional modules or stages: the reconnaissance activit...

  • Dynamic document reclassification for preventing insider abuse

    Publication Year: 2004, Page(s):218 - 225

    Digital documents in an organization are usually classified into static secrecy levels such as top-secret, secret, confidential and unclassified. Factors such as changes in the user hierarchy and addition of new projects generally require a change in a document's importance. Enforcing such changes in the relative importance (RI) of documents protects the privileged documents from insider abuse. In this...

  • UML extensions for honeypots in the ISTS Distributed Honeypot Project

    Publication Year: 2004, Page(s):130 - 137
    Cited by:  Papers (1)

    A distributed honeypot system is a collection of honeypots distributed throughout the Internet that send their data to a central analysis point. In such a system, the need for automation, flexibility, and transparency in data control, data capture, and honeypot cleanup is more readily satisfied with virtual machine technology than with native installations. The Distributed Honeypot Project at Dart...

  • Modeling critical infrastructure requirements

    Publication Year: 2004, Page(s):101 - 108
    Cited by:  Papers (4)

    Critical infrastructures in industrialized nations form a highly interdependent network that must be protected against both intrinsic defects and active attacks. This requires local as well as joint situational awareness based on current, accurate, and semantically unambiguous data as well as simulations, particularly of attack scenarios, necessitating in turn automated information sharing measure...

  • A secure logging scheme for Forensic Computing

    Publication Year: 2004, Page(s):386 - 393
    Cited by:  Papers (4)

    In this paper, we propose a secure logging scheme for Forensic Computing. Forensic Computing is the process conducted to identify the method of an attack and intruders in the case of system compromise. In Forensic Computing, trustworthy logs admissible for court are needed. Moreover, since the log contains various confidential information, the confidentiality of the log must be preserved. Our sche...

  • Adding the fourth "R" [CERT's model for computer security strategies]

    Publication Year: 2004, Page(s):442 - 443
    Cited by:  Papers (1)

    In the emerging discipline of survivability, defined as the "ability of a system to fulfil its mission, in a timely manner, in the presence of attacks, failures and accidents", the CERT Coordination Center has implicitly institutionalized the concept of a never-ending, escalating computer security arms race. While previous point solutions - such as PKIs, VPNs and firewalls - focused on blocking at...

  • Protocol anomaly detection and verification

    Publication Year: 2004, Page(s):74 - 81
    Cited by:  Papers (1)

    We seek to answer three questions: 'How to distinguish protocol anomalies from network traffic?', 'How to normalize protocol usage against the misuse problem based on the same protocol specification?' and 'How to detect and verify protocol anomalies in real time?' To do so, we have normalized layer-3 and layer-4 protocol usage, and we have designed a packet verifier with a pack...

  • The new criteria for covert channels auditing

    Publication Year: 2004, Page(s):183 - 186

    A new concept, the weight difference of a covert channel, is first introduced; it denotes the span of security levels across which sensitive information is transmitted via a given covert channel. Based on it, new criteria for covert channel auditing are given. Whereas TCSEC uses only bandwidth to evaluate the threat of a covert channel, these criteria integrate the weight difference, bandwidth, working ...

  • Fuzzy dependency and its applications in damage assessment and recovery

    Publication Year: 2004, Page(s):350 - 357
    Cited by:  Papers (2)

    Fuzzy dependency in a database delineates a loose dependency relationship between two sets of attributes. It describes logical relationships among attributes in a database relation and those relationships cannot be fully specified by functional dependencies, which focus on database schema and data organization. This characteristic of the database schema can be used to perform damage assessment and ...

  • Markov chains in network intrusion detection

    Publication Year: 2004, Page(s):432 - 433
    Cited by:  Papers (4)

    Connectivity of computers around the world has escalated the importance of computer security. Intrusion detection adds another dimension to computer security. When prevention methods fail, intrusion detection systems recognize attacks as they occur. This research concentrates on network packets and examines the data in the TCP and IP headers. Markov chains are used to describe the normal transitio...

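The abstract above describes modelling the normal transitions between TCP/IP header states with a Markov chain and flagging flows that depart from them. What follows is an added example of that idea, not code from the paper: a first-order Markov chain over the sequence of TCP flag combinations a passive sensor sees in one flow, trained on a handful of constructed benign flows, with an anomaly score equal to the mean log-likelihood per transition. The flag strings, the additive smoothing constant, the single catch-all state for unseen flag combinations and the threshold margin are all assumptions made for illustration; the paper's exact state definition and thresholding are not reproduced.

```python
"""Added example: first-order Markov chain over per-flow TCP flag sequences.

Not the paper's code. The training flows, smoothing constant and threshold
margin are assumptions chosen for illustration.
"""
import math
from collections import defaultdict

START, END, UNK = "<S>", "<E>", "<UNK>"

# Constructed training data: per-flow sequences of TCP flag combinations as a
# passive sensor would see them (S=SYN, SA=SYN/ACK, A=ACK, PA=PSH/ACK,
# FA=FIN/ACK, R=RST). Repeated so the transition counts are not tiny.
NORMAL_FLOWS = [
    ["S", "SA", "A", "PA", "A", "PA", "A", "FA", "A", "FA", "A"],
    ["S", "SA", "A", "PA", "A", "FA", "A", "FA", "A"],
    ["S", "SA", "A", "PA", "PA", "A", "PA", "A", "FA", "A", "FA", "A"],
    ["S", "SA", "A", "PA", "A", "PA", "A", "PA", "A", "FA", "FA", "A"],
    ["S", "SA", "A", "PA", "A", "R"],
] * 4


class FlagChain:
    """Transition model P(next flags | current flags) with additive smoothing."""

    def __init__(self, flows, alpha=0.5):
        self.alpha = alpha
        self.states = {START, END, UNK}
        for flow in flows:
            self.states.update(flow)
        self.counts = defaultdict(lambda: defaultdict(int))
        for flow in flows:
            seq = [START] + flow + [END]
            for cur, nxt in zip(seq, seq[1:]):
                self.counts[cur][nxt] += 1
        # Score every training flow once so the threshold is derived from the
        # least likely benign flow rather than picked by hand.
        self.training_scores = [self.score(f) for f in flows]

    def _state(self, s):
        # Flag combinations never seen in training (e.g. an Xmas-style "FPU")
        # collapse to one UNK state, which smoothing keeps improbable.
        return s if s in self.states else UNK

    def prob(self, cur, nxt):
        cur, nxt = self._state(cur), self._state(nxt)
        row = self.counts[cur]
        total = sum(row.values())
        return (row[nxt] + self.alpha) / (total + self.alpha * len(self.states))

    def score(self, flow):
        """Mean log-likelihood per transition; higher means more normal."""
        seq = [START] + flow + [END]
        logp = sum(math.log(self.prob(c, n)) for c, n in zip(seq, seq[1:]))
        return logp / (len(seq) - 1)

    def threshold(self, margin=0.25):
        """Lowest benign training score minus a margin (margin is an assumption)."""
        return min(self.training_scores) - margin

    def weakest_link(self, flow):
        """The single least likely transition, for analyst triage."""
        seq = [START] + flow + [END]
        return min(zip(seq, seq[1:]), key=lambda cn: self.prob(*cn))

    def is_anomalous(self, flow, theta=None):
        theta = self.threshold() if theta is None else theta
        return self.score(flow) < theta


if __name__ == "__main__":
    model = FlagChain(NORMAL_FLOWS)
    probes = {
        "benign": ["S", "SA", "A", "PA", "A", "FA", "A", "FA", "A"],
        "syn scan": ["S"],        # half-open: SYN, then the flow ends
        "ack scan": ["A"],        # ACK with no preceding handshake
        "xmas scan": ["FPU"],     # flag combination never seen in training
    }
    for name, flow in probes.items():
        print(f"{name:10s} score={model.score(flow):6.2f} "
              f"anomalous={model.is_anomalous(flow)} "
              f"weakest={model.weakest_link(flow)}")
```

Per-transition normalisation matters: a raw log-likelihood penalises long benign sessions simply for being long, whereas the mean per transition lets a two-packet SYN scan and a twelve-packet download be judged on the same scale. The weakest-link output is what an analyst actually wants in the alert: for the SYN scan it is the transition from SYN straight to end-of-flow, which is the signature of a half-open probe.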
  • Honeypot forensics

    Publication Year: 2004, Page(s):22 - 29
    Cited by:  Papers (5)

    The deployment of low-interaction honeypots used mainly as deception tools has become more and more common these days. Another interesting but more resource and time consuming playground is made available thanks to high interaction honeypots where a blackhat can connect to the system and download, install and execute his own tools in a less constrained environment. Once caught in the honeypot, the...

  • SILT: integrated logging management for security-enhanced Linux

    Publication Year: 2004, Page(s):298 - 305

    Security-enhanced Linux offers a robust mandatory access control protection scheme that enhances standard Unix-based permissions, and allows for greater overall system security. While a wide array of configuration tools are currently available, system administration of SELinux is still cumbersome. One area that could ease some of the configuration burdens is kernel event logging, specifically for ...

  • Towards the specification of access control policies on multiple operating systems

    Publication Year: 2004, Page(s):210 - 217
    Cited by:  Papers (1)  |  Patents (1)

    In the past, operating systems tended to lack well-defined access control policy specification languages and syntax. For example, a UNIX operating system that is based on the discretionary access control (DAC) paradigm has decentralized security policies based on technology that has been developed over the years. With such policies, it is difficult to identify the permissions given to each user, a...

  • NoSEBrEaK - attacking honeynets

    Publication Year: 2004, Page(s):123 - 129
    Cited by:  Papers (11)

    It is usually assumed that honeynets are hard to detect and that attempts to detect or disable them can be unconditionally monitored. We scrutinize this assumption and demonstrate how a host in a honeynet can be completely controlled by an attacker without any substantial logging taking place.

  • Designing an information security system

    Publication Year: 2004, Page(s):449 - 450

    This paper describes a methodology for designing an information security system. The paper focuses on the initial stages of information system security engineering (ISSE), the upfront analysis and engineering necessary for designing security into the system. The methodology follows a system engineering process for designing security for a system through needs analysis and requirements generation.

  • LSB steganalysis using support vector regression

    Publication Year: 2004, Page(s):95 - 100

    We describe a method of detecting the existence of messages, which are randomly scattered in the least significant bits (LSB) of both 24-bit RGB color and 8-bit grayscale images. The method is based on gathering and inspecting a set of image relevant features from the pixel groups of the stego-image, whose similarities and correlations change with different ratios of LSB embedding. The proposed de...

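The abstract above rests on the observation that statistics of pixel groups shift as the LSB embedding ratio changes. The block below is an added example of that observation, not the paper's method or code: it constructs an 8-bit grayscale cover, embeds random bits into a chosen fraction of randomly scattered LSBs, and computes one such feature, the classic pairs-of-values chi-square statistic, to show it falling as the embedding ratio rises. The cover's exaggerated even-value bias, the payload and the ratios are constructions for illustration; the paper's feature set and its support vector regression step are not reproduced.

```python
"""Added example: one LSB-steganalysis feature, the pairs-of-values chi-square.

Not the paper's method or code. The cover 'image', its even-value bias, the
random payload and the embedding ratios are constructed for illustration.
"""
import random


def make_cover(n=20000, seed=1, even_bias=0.7):
    """Constructed 8-bit grayscale image as a flat list of pixel values.

    Natural covers have an uneven histogram within each (2k, 2k+1) pair; here
    that is exaggerated by forcing a fraction of samples to even values so the
    effect of embedding is unmistakable.
    """
    rng = random.Random(seed)
    pixels = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 40))))
        if rng.random() < even_bias:
            v &= ~1
        pixels.append(v)
    return pixels


def embed_lsb(pixels, ratio, seed=2):
    """Overwrite the LSB of a random fraction `ratio` of the pixels with random
    message bits: the 'randomly scattered' embedding the abstract refers to."""
    rng = random.Random(seed)
    out = list(pixels)
    positions = list(range(len(out)))
    rng.shuffle(positions)
    for i in positions[: int(ratio * len(out))]:
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out


def pov_chi_square(pixels):
    """Pairs-of-values chi-square statistic (Westfeld and Pfitzmann).

    LSB embedding only moves mass between 2k and 2k+1, never across pairs, so
    as the embedding ratio rises the two counts in every pair converge and the
    statistic falls towards its null expectation (about the number of
    non-empty pairs).
    """
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def feature_curve(cover, ratios=(0.0, 0.25, 0.5, 1.0)):
    """The statistic at each embedding ratio: the feature-versus-ratio
    relationship a regressor would be trained on."""
    return [pov_chi_square(embed_lsb(cover, r)) for r in ratios]


if __name__ == "__main__":
    cover = make_cover()
    for r, s in zip((0.0, 0.25, 0.5, 1.0), feature_curve(cover)):
        print(f"embedding ratio {r:4.2f}: chi-square = {s:8.1f}")
```

The statistic is a one-dimensional feature and on its own only separates heavily embedded images cleanly, which is the gap a regression over a richer feature set is meant to close: rather than a yes/no at one threshold, it estimates the embedding ratio from how far the feature vector has moved. Note that the upper seven bits of every pixel are untouched by embedding, so any feature built on them is useless; useful features must be sensitive to the LSB plane.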
  • Classification of computer attacks using a self-organizing map

    Publication Year: 2004, Page(s):365 - 369
    Cited by:  Papers (2)

    As computer technology evolves and the threat of computer crimes increases, the apprehension and preemption of such violations become more and more difficult and challenging. To date, it appears that completely preventing breaches of security is unrealistic. Therefore, we must try to detect and classify these intrusions as they occur so that immediate actions may be taken to repair the damage and ...

  • Attack attribution in non-cooperative networks

    Publication Year: 2004, Page(s):436 - 437

    This paper reports on preliminary research concepts in attack attribution that have been developed in Cs3's project being conducted for advanced research and development activity (ARDA). The ARDA BAA identified 4 levels of attribution: level 1: attribution to the specific hosts involved in the attack; level 2: attribution to the primary controlling host; level 3: attribution to the actual human ac...

  • Overview of a high assurance architecture for distributed multilevel security

    Publication Year: 2004, Page(s):38 - 45
    Cited by:  Papers (4)  |  Patents (1)

    A high assurance architecture is described for the protection of distributed multilevel secure computing environments from malicious code and other attacks. Component security services and mechanisms extend and interoperate with commodity PCs, commodity client software, applications, trusted components, and legacy single level networks, providing new capabilities for composing secure, distributed ...