
Conference Proceedings

2nd Annual Symposium on Information Assurance
Academic Track of the 10th Annual NYS Cyber Security Conference
Empire State Plaza, Albany, NY, USA
June 6-7, 2007
Proceedings of the 2nd Annual Symposium on Information Assurance
Academic track of the 10th Annual 2007 NYS Cyber Security Conference
June 6-7, 2007, New York, USA.

Symposium Chairs
Sanjay Goel
Director of Research, NYS Center for Information Forensics and Assurance (CIFA)
Faculty, School of Business, University at Albany, SUNY

Laura Iwan
State ISO, NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC)

Program Committee

Alexey N. Salnikov, Moscow State University
Katharina von Knop, Freie Universität Berlin
Anil B. Somayaji, Carleton University
Martin Loeb, University of Maryland
Bülent Yener, Rensselaer Polytechnic Institute
Melissa Dark, Purdue University
Carl Hunt, Institute for Defense Analyses
Michael Sobolewski, Texas Tech University
Chenxi Wang, Carnegie Mellon University
Nasir Memon, Brooklyn Polytechnic
Dipankar Dasgupta, University of Memphis
R. Sekar, Stony Brook University, SUNY
Eliot Rich, University at Albany, SUNY
Raghu T. Santanam, Arizona State University
Elisa Bertino, Purdue University
Raj Sharman, University at Buffalo, SUNY
George Berg, University at Albany, SUNY
Ronald Dodge, USMA West Point
Gurpreet Dhillon, Virginia Commonwealth University
S.S. Ravi, University at Albany, SUNY
Hong C. Li, Intel Corporation
Sarah Gordon, Symantec Corporation
H.R. Rao, University at Buffalo, SUNY
Stephen F. Bush, GE Global Research Center
Jagdish Gangolly, University at Albany, SUNY
Shambhu Upadhyaya, University at Buffalo, SUNY

External Reviewers

Manish Gupta, University at Buffalo, SUNY
Paul Harwood, University of North Florida

Submissions Chair
Damira Pon, University at Albany, SUNY

Note of Thanks
We would like to express our appreciation to Rachel Niebour and Kwaku Essel at the University at Albany, SUNY
for their help in the creation of these proceedings as well as all of the sponsors which supported the symposium.

Symposium Sponsor
School of Business, University at Albany, SUNY

All-Conference Sponsors
Cenzic, Inc.
CISCO Systems, Inc.
D&D Consulting
ORACLE
SAIC
Symantec

This volume is published as a collective work. Rights to individual papers remain with the author or the author’s
employer. Permission is granted for the noncommercial reproduction of the complete work for educational research
purposes.
SYMPOSIUM ON INFORMATION ASSURANCE AGENDA
DAY 1: Wednesday, June 6 2007
REGISTRATION - Base of the Egg and VISIT EXHIBITORS – Convention Hall
(7:00am – 1:00pm)
SYMPOSIUM SESSION 1: OPENING- Mtg. Rm. 7 (8:00am – 9:00am)
Introduction to Symposium: Sanjay Goel, Symposium Chair
Opening Remarks: Jakov Crnkovic, Chair, Information Technology Management, School of
Business, University at Albany, SUNY
Keynote Address (D-1): An Academic Speculates on the Future of Intrusion Detection
Nick Weaver, International Computer Science Institute, University of California at Berkeley
CONFERENCE MORNING SESSION – Egg Swyer Theater (9:15am – 10:00am)
Live Hacking Demo: Sanjay Goel, NYS Center for Information Forensics and Assurance at
the University at Albany
CONFERENCE OPENING TALKS – Egg Swyer Theater (10:00am – 11:30am)
Welcome: Will Pelgrin, Director, CSCIC
Sponsorship Recognition: Greg Benson, Executive Director, NYS Forum
Opening Remarks: Special Guest Speaker
Introduction: Peter Bloniarz, Dean College of Computing and Information, University at
Albany, SUNY
Keynote: Honorable Greg Garcia, Assistant Secretary for Cyber Security and
Telecommunications, U.S. Department of Homeland Security
LUNCH ON YOUR OWN (11:30am – 12:45pm)
VISIT EXHIBITORS – Convention Hall
SYMPOSIUM SESSION 2: Intrusion Detection (1:00pm – 2:15pm)
Chair: Gurpreet Dhillon, Virginia Commonwealth University
Identifying Botnet Traffic on an Enterprise Network
Mary Henthorn, Information Security Officer, Arkansas

Lookahead Pairs and Full Sequences: A Tale of Two Anomaly Detection Methods
Hajime Inoue and Anil Somayaji, Carleton University
VISIT THE EXHIBITORS – Convention Hall (2:00pm – 2:30pm)
SYMPOSIUM SESSION 3: Information System Design & Risk Analysis
Chair: Shobha Chengalur-Smith, University at Albany, SUNY
Designing Information Systems Security: Interpretations from British National Health
Services Hospital
Gurpreet Dhillon, Virginia Commonwealth University

Invited Talk: The Impact of Interdependent Risk on Healthcare Information Infrastructure Effectiveness
Insu Park, Raj Sharman, H. R. Rao, and Shambhu Upadhyaya, University at Buffalo, SUNY

ATTENDEE RECEPTION – Convention Hall (3:45pm – 5:30pm)

SYMPOSIUM ON INFORMATION ASSURANCE AGENDA, CONT’D.
DAY 2: Thursday, June 7 2007
REGISTRATION - Base of the Egg and VISIT EXHIBITORS – Convention Hall
(8:00am – 1:00pm)
SYMPOSIUM SESSION 4: Keynote – Mtg. Rm. 7 (8:30am – 9:45am)
Best Paper Award Presentation: Laura Iwan, Symposium Co-Chair

Keynote Address (D-2): Understanding Multistage Attacks in the Cyberspace to Address the Grand Challenges in Security
Shambhu Upadhyaya, University at Buffalo, SUNY
VISIT THE EXHIBITORS – Convention Hall (9:45am – 10:30am)
SYMPOSIUM SESSION 5: Wireless Sensor Network Security
(10:30am – 11:45am)
Chair: Stephen F. Bush, GE Global Research
A Secure Framework for Wireless Sensor Networks
Bruce Barnett and Daniel Sexton, General Electric Global Research

Invited Talk: Traffic Analysis Resilient MAC for Multi-Hop Wireless Networks
Nael Abu-Ghazaleh, SUNY Binghamton
LUNCH ON YOUR OWN (11:45am – 12:45pm)
VISIT EXHIBITORS – Convention Hall
SYMPOSIUM SESSION 6: Terrorism and International Crime
(12:45pm – 2:00pm)
Chair: George Berg, University at Albany, SUNY
The Impact of Transnational Criminal Internet Activity in Academic Institutions on
Public Safety and Security
Steffani Burd, Matthew Haschak, and Scott Cherkin
Igxglobal, Inc., Bowling Green State University, DealMine.com

Countering Hypermedia Seduction for Terrorist Recruiting
Katharina Von Knop, Freie Universität Berlin
VISIT THE EXHIBITORS – Convention Hall (2:00pm – 2:30pm)
SYMPOSIUM SESSION 7: Federated Security Management
(2:30pm – 3:45pm)
Chair: Jagdish Gangolly, University at Albany, SUNY
Role-based Security in a Federated File System
Max Berger and Michael Sobolewski, Texas Tech University

Security Policy Management in Federated Computing Environments
Daniela Inclezan and Michael Sobolewski, Texas Tech University
CLOSING REMARKS (3:45pm – 4:00pm)
Sanjay Goel, Symposium Chair

TABLE OF CONTENTS

Session 1: Keynote Address (D-1)
An Academic Speculates on the Future of Intrusion Detection ... 1
Nick Weaver

Session 2: Intrusion Detection
Identifying Botnet Traffic on an Enterprise Network ... 2
Mary Henthorn
Lookahead Pairs and Full Sequences: A Tale of Two Anomaly Detection Methods ... 9
Hajime Inoue and Anil Somayaji

Session 3: Information System Design & Risk Analysis
Designing Information Systems Security: Interpretations from British National Health Services Hospital ... 20
Gurpreet Dhillon
Invited Talk: The Impact of Interdependent Risk on Healthcare Information Infrastructure Effectiveness ... 29
Insu Park, Raj Sharman, H. R. Rao, and Shambhu Upadhyaya

Session 4: Keynote Address (D-2)
Understanding Multistage Attacks in the Cyberspace to Address the Grand Challenges in Security ... 36
Shambhu Upadhyaya

Session 5: Wireless Sensor Network Security
A Secure Framework for Wireless Sensor Networks ... 37
Bruce Barnett and Daniel Sexton
Invited Talk: Traffic Analysis Resilient MAC for Multi-Hop Wireless Networks ... 46
Nael Abu-Ghazaleh

Session 6: Terrorism and International Crime
The Impact of Transnational Criminal Internet Activity in Academic Institutions on Public Safety and Security ... 47
Steffani Burd, Matthew Haschak, and Scott Cherkin
Countering Hypermedia Seduction for Terrorist Recruiting ... 55
Katharina Von Knop

Session 7: Federated Security Management
Role-based Security in a Federated File System ... 56
Max Berger and Michael Sobolewski
Security Policy Management in Federated Computing Environments ... 64
Daniela Inclezan and Michael Sobolewski

Author Biographies ... 71
Index of Authors ... 76
Keynote (D-1): An Academic Speculates on the
Future of Intrusion Detection
Nick Weaver
International Computer Science Institute, University of California at Berkeley

Academics are supposed to have a crystal ball which they have used to shape their research, in
order to help solve tomorrow's problems today. As a researcher involved in developing intrusion
detection systems, I believe the future is in system defense. This talk will begin with some
speculation about attackers, what they have been leveraging, and what they will continue to
leverage. The argument will be made that most sophisticated attackers, by hijacking user
credentials and establishing network footholds, should effectively be considered insider threats
and the problem will only get worse. The talk will finish with speculations for the future of
intrusion detection, including fine-grained control and IDS in the LAN, parallel intrusion
detection, improved authentication, and system recovery strategies.

Identifying Botnet Traffic on an Enterprise Network
Mary Henthorn
University of Arkansas at Little Rock

Abstract: The efficiency and resilience of botnets is evidenced by their continued effective distribution of spam, phishing attempts, denial of service attacks, and fear that the most sensitive data on our systems can be collected and delivered to criminals. Determined botnet hunters and sophisticated network appliances give us the ammunition to fight back. This study describes the comparison of data available about the behavior of botnets to the current approach to botnet identification on a large enterprise network. Querying the network monitoring system for evidence of known botnets that use less common means of command and control communication revealed that such malicious networks are present and active in the environment. Armed with this knowledge, security analysts can now recognize additional malware, expand their sources of current information, and continue to advance their means of identification, containment, and suppression of network attackers in anticipation of the more stealthy botnets of the future.

I. INTRODUCTION
The Internet has been a marvelous tool for education, business, and individuals because of its ubiquitous nature and wealth of information. The release of the Morris worm [1] in 1988 demonstrated that the Internet erases the effects of distance and time for harmful activity as well as for innocent users. Recent news describes the arrests of people engaged in criminal money-making activities in two separate cases involving the use of malicious networks of hundreds of thousands of computers [2]. The profit motive promises to spur more misuse of the Internet than curiosity and the thrill of hacking have in the past.

The battle to maintain the confidentiality, integrity, and availability of legitimate networks is challenged by unlawful people armed with open source, well designed malware. The Agobot system, for example, contains about 20,000 lines of C/C++ code with a modular structure that facilitates customization [3]. A user-friendly interface makes it relatively simple for someone with limited technical experience to use. Since the Internet has countless systems vulnerable to attack, it is easy for a hacker to infect and control virtual armies of computers.

Network security analysts must take advantage of all resources available to protect their assets. Antivirus, anti-spyware, and firewalls alone will not stop the spread of malware on the Internet. Because the attacking software is so easy to customize, defense systems must be continually tuned to recognize and respond to new types of intrusions. Information gathered by those who study the characteristics of malicious code must be quickly incorporated into the network tools that recognize the appearance of potentially harmful intrusions.

This study takes a collection of information available about the behavior of botnets and compares it to the identification methods implemented with an enterprise network monitoring and threat mitigation system on a large network. It is intended that patterns of malicious Internet traffic identified in this study will augment the existing network defense system.

II. BACKGROUND
Botnets are networks of compromised computers or zombies that can be directed to perform tasks according to instructions received from an attacker. Most are some variation of a three-layer configuration including an attacker, command and control (C&C) nodes, and zombies. Some botnets use IRC channels for communication (Figure 1). Other botnets make their communication traffic more difficult to detect by using plain text or encrypted HTTP or peer-to-peer (P2P) protocols [4,5] (Figure 2).

Figure 1. IRC Botnets
Figure 2. Botnet controlled without IRC

The spreading mechanisms used by botnets are similar to other worm propagation methods. Most scan networks to locate and exploit some type of software vulnerability. A few well known vulnerabilities account for most infections: Microsoft-DS Service, NetBIOS Session Service, NetBIOS Name Service, and Remote Procedure Call services. The network traffic generated through these propagation methods can be observed on ports 135, 137, 138 and 445 [6]. Botnets can also make use of any number of less well known vulnerabilities to gain entry into a system. Patching Microsoft vulnerabilities alone will not stop the spread of botnets.

Once a computer has been compromised with a botnet infection, a communication channel is established with a C&C node. At that point the zombie may download instructions and tools. Sometimes the zombie can even hide the evidence that the machine has been infected.

Most commonly, zombies receive instructions and software tools to deliver spam, retrieve and report passwords, perform key logging, collect software keys, or conduct click fraud. The least destructive activities use network bandwidth and the CPU time of the infected zombie. Of more concern, a botnet can stealthily capture highly sensitive data or shut down a system with a denial of service attack.

Simulations have demonstrated that botnets can be extremely efficient and resilient [7]. According to this study, a system with a million nodes could deliver a large exploit to every zombie in a matter of minutes. The same study demonstrated that botnets could be exceptionally resilient. Random removal of 50% of a botnet's nodes had a minimal effect on the connectivity of the remainder of the nodes.

Recently the motivation for Internet abusers has shifted from curiosity to financial gain [8]. Botnets are particularly attractive to anyone who can profit from delivering spam, phishing attacks, or even extortion. Since botnets use infrastructure that belongs to others, botnet masters enjoy financially asymmetric systems where a very low investment can produce a large profit.

Botnets can be instructed to install adware, collecting fixed fees for each installation for the botnet master. Some commit click fraud, again collecting fees for each click delivered to sites that pay for each hit to the advertiser's website. A botnet's capabilities can be so profitable that they are rented out to "customers" who pay for its services. Some botnet propagation methods even look for established botnets and steal them.

To counter the threat of botnets, individuals and organizations collect data about their behavior and develop tools for their detection and removal. Commercial antivirus companies track worms that infect computers and expose them to botnet systems that can control them as zombies. The code used for many botnets is publicly available. While the sophisticated modular design of Agobot, for example, allows for countless variations, still the variables and commands are readily available to those trying to track botnets. The Honeynet Project and Research Alliance [9] encourages the study of botnets through malware capture and analysis. One of their members, the German Honeynet Project, has developed a program to capture malware by simulating vulnerabilities.

III. PROBLEM
Because of the resiliency and efficiency of botnets, the approaches designed to defend against attacks must go beyond randomly dropping nodes [7]. The multi-faceted threat posed by botnets requires a comprehensive defense including prevention, monitoring, and reaction. Preventive measures reduce the spread of malnets by removing vulnerabilities. Preventive measures alone are not adequate to stop all appearances of malnets in a network of any size. Vulnerabilities may be exploited before they can be patched and even educated users may fall victim to social engineering. Reactive methods are available to stop denial of
service attacks that produce fast bursts of attack traffic [10]. In response to this protection, developers of malnets have learned to slow their traffic.

Botnet activity can be monitored on individual devices, local area networks, and enterprise networks. If antivirus and anti-spyware are kept up-to-date, they should detect the presence of known malware including botnet worms and Trojans. Suspicious traffic on a local area network can be dropped or examined. Packet analysis can even identify botnet commands if the traffic is not encrypted. Tools at the gateways of enterprise networks can recognize behaviors such as scanning or repeated login attempts and relate the activities to known botnet IP addresses or ports.

Freiling and others describe disruption of malnets by using an automated approach to analyzing IRC-based malnets [11]. Although their proposed methods of shutting down identified command and control nodes are manual, in practice similar methods have been automated and demonstrated to be effective against IRC-based malnets. Identified patterns in the traffic of IRC-based malnets can facilitate the use of systems such as Cisco's Monitoring, Analysis and Response System (CS-MARS) to automatically prevent communication with C&C nodes and to notify administrators responsible for decontamination of infected devices.

IV. METHOD
The network to be observed is large, encompassing about 2,000 routers and 500,000 users. The infrastructure up to the point of the routers is managed as a single entity. Even with the control of IRC-based communication, botnets continue to be an issue for enterprise network administrators. Security analysts have used the CS-MARS threat mitigation system to identify and respond to harmful activity on the network for over a year. Because of a history of disruptive botnet activity on this network, these analysts have been particularly mindful of the need to disrupt IRC C&C nodes and to identify infected machines so they can promptly be removed from the network and cleaned.

Although IRC botnets have been reported by one analyst as "disturbingly quiet", undesirable activity characteristic of zombies can still be observed. In a preliminary examination of traffic with the CS-MARS tool, dozens of network computers could be seen engaging in sessions with a known click fraud site. Disruption of IRC-based botnets did not eradicate all botnet-like behavior.

It is known that botnets communicate through protocols other than IRC. However, it can be difficult, even in a small network, to identify HTTP traffic that carries botnet commands. P2P activity on known ports can be monitored, but botnets are not likely to use well known P2P ports.

Botnet hunters have gathered data about the behavior of these malicious constructs in environments more conducive to examining the full content of malicious data streams than a large enterprise network. Rather than attempting to duplicate their work, the methodology used in this study leverages what they have learned together with the vast amount of traffic available for examination on the enterprise network.

Through this study, data is gathered by direct observation of a large network in an attempt to identify patterns in the communication networks of the botnets that exist after IRC-based malnets have been eliminated. Hopefully these patterns of malicious communication will be found suitable to adopt as CS-MARS rules, effectively automating tasks of botnet identification, containment and suppression.

This method of identifying patterns in the communication networks of the botnets that exist after IRC-based botnets have been controlled includes:

• Learning the capabilities of the CS-MARS system
• Studying the current implementation of CS-MARS
• Categorizing botnet behavior from related research
• Matching behaviors from research with CS-MARS implementation
• Reviewing collected data to identify potential new patterns
• Testing of a selection of these potential patterns as CS-MARS queries
• Analyzing the results of the queries

V. CS-MARS
The Cisco Security Monitoring, Analysis, and Response System Appliance is a Security Threat Mitigation (STM) tool appropriate for use on a large enterprise network. For the purpose of this study, an account was activated for observation of incidents and reports generated by the system and the running of simple queries. This global level access provides a view of data aggregated from several local controllers.

A. CS-MARS Capabilities
With global access to the system, network-wide traffic can be observed through a browser interface. The Dashboard view offers a quick look at recent incidents. Reports can be accessed as HTML, or CSV files can be downloaded for import into Excel or a database system for further analysis.

Rules in the CS-MARS system identify undesirable patterns of network traffic. Source and destination IP addresses and ports can be specified. Combinations of ports and protocols can be identified as services. Events are pre-defined activities. These elements can be sequenced with "and", "or", and "follows" conditions. Observed network activities that violate these rules can trigger notifications or firewall actions.
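To make the rule vocabulary described above concrete, here is an added example (not code from the paper and not Cisco's CS-MARS rule language) of a toy evaluator in Python: conditions on source, destination, port and pre-defined event type, combined with "and", "or" and "follows". The event format, the time window, the C&C address 203.0.113.10 (documentation range) and the sample event stream are constructed assumptions; only the two Phatbot ports 1337 and 4387 come from the paper.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since epoch (constructed sample data)
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    kind: str    # pre-defined event type, e.g. "scan" or "session"


Cond = Callable[[Event], bool]


def match(src: Optional[str] = None, dst: Optional[str] = None,
          dport: Optional[int] = None, kind: Optional[str] = None) -> Cond:
    """A condition on a single event; a None field means "Any"."""
    def cond(e: Event) -> bool:
        return ((src is None or e.src == src)
                and (dst is None or e.dst == dst)
                and (dport is None or e.dport == dport)
                and (kind is None or e.kind == kind))
    return cond


def both(a: Cond, b: Cond) -> Cond:
    """"and": one event must satisfy both conditions."""
    return lambda e: a(e) and b(e)


def either(a: Cond, b: Cond) -> Cond:
    """"or": one event may satisfy either condition."""
    return lambda e: a(e) or b(e)


def follows(first: Cond, second: Cond, window: int,
            events: List[Event]) -> List[Tuple[Event, Event]]:
    """"follows": an event matching `second` from the same source within
    `window` seconds after an event matching `first`. Returns the pairs."""
    ordered = sorted(events, key=lambda e: e.ts)
    pairs = []
    for i, a in enumerate(ordered):
        if not first(a):
            continue
        for b in ordered[i + 1:]:
            if b.ts - a.ts > window:
                break                     # events are sorted, nothing later fits
            if b.src == a.src and second(b):
                pairs.append((a, b))
                break
    return pairs


# Constructed sample stream; hosts are RFC 1918 / documentation addresses.
CNC_HOST = "203.0.113.10"      # hypothetical C&C address, not from the paper
P2P_PORTS = (1337, 4387)       # Phatbot WASTE / alternate ports named in the paper
SAMPLE = [
    Event(100, "10.0.0.5", "10.0.1.20", 445, "scan"),
    Event(130, "10.0.0.5", CNC_HOST, 80, "session"),
    Event(200, "10.0.0.7", "10.0.1.30", 445, "scan"),
    Event(900, "10.0.0.7", CNC_HOST, 80, "session"),    # 700 s later: outside window
    Event(300, "10.0.0.9", "198.51.100.4", 1337, "session"),
    Event(310, "10.0.0.9", "198.51.100.4", 4387, "session"),
    Event(400, "10.0.0.11", "10.0.1.40", 80, "session"),
]


def scan_then_cnc(events: List[Event], window: int = 300) -> List[str]:
    """Rule: a session to the C&C host follows a scan from the same source.
    Returns the source hosts that fired the rule."""
    pairs = follows(match(kind="scan"), match(dst=CNC_HOST, kind="session"),
                    window, events)
    return [a.src for a, _ in pairs]


def p2p_port_hits(events: List[Event]) -> int:
    """Rule: a session to either known P2P port ("and" of a type condition
    with an "or" over two port conditions)."""
    rule = both(match(kind="session"),
                either(match(dport=P2P_PORTS[0]), match(dport=P2P_PORTS[1])))
    return sum(1 for e in events if rule(e))


if __name__ == "__main__":
    print("scan then C&C session:", scan_then_cnc(SAMPLE))   # ['10.0.0.5']
    print("sessions to P2P ports:", p2p_port_hits(SAMPLE))    # 2
```

The "follows" operator is what distinguishes this from a plain filter: a scan alone or a session alone is noise on a network of this size, while the sequence from one host inside a short window is the pattern worth an incident. Widening the window to 1000 seconds also catches host 10.0.0.7, which shows why the window is a tuning parameter rather than a fixed part of the rule.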
B. CS-MARS Implementation
Sixty-four unique rules were available on the CS-MARS implementation used for this study. As displayed in Figure 3, the 64 rules in place on this CS-MARS implementation can be roughly grouped into five categories: infection spreading activity; attack activity; network maintenance; botnet communication; and other.

Figure 3. CS-MARS Rules (chart of the five rule categories: Infection Activity, Attack Activity, Network Maintenance, Malnet Communication, Other; values shown on the chart: 21, 9, 35, 17)

CS-MARS presents incidents as collections of data observed when a rule is violated. Through the time of this observation about 1,400 incidents occurred each week. Most incidents were the result of the violation of a few rules. Incidents for one typical week primarily resulted from mass mailing worms and IRC-botnet activity (Figure 4).

Figure 4. Incidents 3/27/2006 – 4/3/2006 (chart of incidents by category: Mass Mailing, IRC Zombie, Traffic Increase, Scanning, Other; values shown on the chart: 93, 51, 282, 693, 288)

The CS-MARS Dashboard as implemented on this network displays recent incidents in an HTML format suitable for drilling down to more detail and a summary of events and incidents observed over the last 24 hours. The data storage system on this network can hold about six hours worth of data at any one time. Queries can be issued to count matches on source or destination IP addresses, ports, and protocols. Over 200 reports that collect more information were available to run on demand or as scheduled tasks. Because of the amount of data and the fact that this is a production environment, review of regularly scheduled reports was the best way to observe top IP and port destinations and IRC-malnet traffic without placing any additional load on the system.

About 50 reports were downloaded in CSV format. Reports that recorded the 100 most active source or destination IP addresses and ports were collected for various one hour time periods over the several weeks of the study. Several reports of source and destination IPs and ports involving known IRC C&C nodes were also downloaded for comparison to other botnet research.

VI. RELATED BOTNET RESEARCH
This study is concerned with the observation and control of botnet activity at the enterprise network level. Only shallow packet analysis will be available for analysis. Botnet hunters who monitor local area network traffic and directly examine infected devices assemble detailed information about the behaviors of botnets. Knowledge of these facts is necessary for automating the identification of botnet activity on the enterprise network.

A considerable amount of data is available about botnet behavior. The Honeynet Project [9] includes alliance organizations from around the world. Their white paper, "Know Your Enemy: Tracking Botnets" [6], describes the open source code of botnets, and their methods of spreading, communicating, and delivering attacks. Companies that provide anti-virus software and other security tools, such as Symantec [12] and Lurhq [13], publish information about malware. SANS' Internet Storm Center (ISC) [14] supports network security investigators by providing Internet traffic statistics. Recently a moderated mailing list was established for information sharing among the community of people observing and trying to contain botnets [15]. One of the early messages sent out on this list was Jose's list of most frequently observed ports used by botnets.

Little information is available on the Internet about botnets that use communication methods other than IRC. Although HTTP has been used to control network agents for some time, Bobox is one of only a few HTTP botnets found in this investigation. After installation the Bobox Trojan attempts to contact a number of websites. Bobox uses DNS names instead of IP addresses, making it easy to change the C&C host location. Some Bobox variants have the capability of generating DNS name variations to counter attempts to block traffic to the known hosts.

Phatbot has well documented P2P communication capability, although it is secondary to the more efficient IRC methods. It uses a variation of WASTE, an open source P2P tool, but does not make use of the WASTE encryption option.

VII. DATA ORGANIZATION
Some means of organizing the data was needed before effectively associating the massive amount of information available about botnets with the millions of packets moving through the network. 100 items were selected from six collections of data that might indicate the presence of botnets:

• Known botnet behaviors, such as port scanning [3], [4]
• Known ports used by malnets [12], [13], [15], [16]
• DNS names used by Bobox [12]
• Ports noted in CS-MARS reports of top destination ports
• ISC top 10 ports 4/12/2006 [14]
• Jose's top 10 botnet ports 3-3-06 [15]

These 100 items were compared to the CS-MARS rules, noting behaviors, IP addresses, and ports present in the rules. Then the 100 items were compared to CS-MARS reports noting any port numbers that occurred in IRC Command and Control reports. All behaviors and most other indicators were found in the CS-MARS rules and reports, leaving only 23 ports and the list of Bobox DNS names. Each of the Bobox DNS names was searched on DNSWatch [17] to get current IP addresses. These IP addresses were matched to the CS-MARS rules, confirming that none were included. None of these ports or IP addresses would be expected to be used in normal business activity on this network.

VIII. TESTS ON THE NETWORK
Since Bobox and Phatbot botnet systems have the ability to handle C&C communication without IRC, all their indicators not included in CS-MARS reports or rules were chosen for further testing. A few other ports known to recently have unusually high activity were also kept, resulting in the following ten items to test:

1. Bobox servers
2. Phatbot – WASTE P2P, but alternate gnutella port 4387
3. Phatbot WASTE P2P port 1337
4. Phatbot W32.hllw.gaobot.dk port 63809
5. Phatbot 63808
6. #8 Jose's top 10 port 7991
7. #10 Jose's top 10 5555
8. ISC sudden traffic increase 4-9-2006 port 12757
9. ISC sudden traffic increase 4-4-2006 port 27754
10. ISC sudden traffic increase 4-4-2006 38566

Queries were run for each of these tests using the most recent ten minutes worth of CS-MARS network data. The first set of tests run at mid-day on a Saturday resulted in 101 matches. As an indicator of the volume of network traffic at the time of test, a single query of ten minutes of weekend any source to any destination activity counted 788,493 allowed session connections or teardowns. A second set of the same queries was run during normal business hours on a Monday resulting in 157 matches. A ten minute query during the hour of the testing on Monday resulted in 2,691,139 allowed session connections or teardowns.

Table 1. Test results

Test   Source IP        Destination IP   Destination Port   Count 4/15/06   Count 4/17/06
1      204.16.170.100   Any              Any                0               0
1      Any              204.16.170.100   Any                0               0
1      67.15.35.19      Any              Any                0               1
1      Any              67.15.35.19      Any                0               2
1      70.57.227.130    Any              Any                0               0
1      Any              70.57.227.130    Any                0               0
1      68.178.232.99    Any              Any                0               1
1      Any              68.178.232.99    Any                18              23
1      70.84.177.195    Any              Any                0               0
1      Any              70.84.177.195    Any                0               0
1      70.84.177.196    Any              Any                0               0
1      Any              70.84.177.196    Any                0               0
1      70.84.177.197    Any              Any                0               0
1      Any              70.84.177.197    Any                0               0
1      70.84.177.198    Any              Any                13              8
1      Any              70.84.177.198    Any                9               4
1      209.94.121.127   Any              Any                0               0
1      Any              209.94.121.127   Any                0               0
1      204.16.173.40    Any              Any                0               0
1      Any              204.16.173.40    Any                0               0
2      Any              Any              4387               21              28
3      Any              Any              1337               26              43
4      Any              Any              63809              2               4
5      Any              Any              63808              1               5
6      Any              Any              7991               1               0
7      Any              Any              5555               9               12
8      Any              Any              12757              0               5
9      Any              Any              27754              1               21
10     Any              Any              38566              0               0
Total                                                       101             157
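As an added example (not the paper's own code and not a CS-MARS export), the following Python script reproduces the two steps behind Table 1 on an in-memory session log: drop candidate indicators that the existing rule set already covers (the comparison in Section VII), count ten-minute sessions by source IP, destination IP and destination port (the queries in Section VIII), and then break a matched host's traffic down by destination port, which is the follow-up question the port-80 query answers. The IPs and ports are the ones the paper lists as tests; the session records, the CSV layout and the set of ports assumed to be covered by existing rules are constructed assumptions.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Optional, Set

# Candidate indicators assembled from the sources the paper lists.
CANDIDATE_PORTS: Set[int] = {135, 137, 138, 445, 1337, 4387, 5555, 7991,
                             12757, 27754, 38566, 63808, 63809}
BOBOX_IPS: Set[str] = {"68.178.232.99", "70.84.177.198", "67.15.35.19"}

# Hypothetical coverage of the existing rule set (stands in for the review of
# the 64 CS-MARS rules): the worm propagation ports are already watched.
RULE_PORTS: Set[int] = {135, 137, 138, 445}
RULE_IPS: Set[str] = set()


def uncovered(candidates: Set, covered: Set) -> Set:
    """Indicators not already present in existing rules; only these get tested."""
    return candidates - covered


# Constructed ten-minute sample in the shape of a downloaded CSV report.
SAMPLE_CSV = """src,dst,dport
10.1.2.3,68.178.232.99,80
10.1.2.3,68.178.232.99,80
10.1.4.8,68.178.232.99,443
10.1.9.2,198.51.100.7,1337
10.1.9.2,198.51.100.7,4387
10.1.7.7,70.84.177.198,80
70.84.177.198,10.1.7.7,3210
10.1.5.5,192.0.2.44,5555
10.1.5.5,192.0.2.44,80
"""


def load_sessions(text: str) -> List[Dict[str, str]]:
    """Parse a CSV report into session records (all fields as strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def count_sessions(sessions: List[Dict[str, str]], src: Optional[str] = None,
                   dst: Optional[str] = None, dport: Optional[int] = None) -> int:
    """Count sessions matching the given fields; a None field means "Any"."""
    return sum(1 for s in sessions
               if (src is None or s["src"] == src)
               and (dst is None or s["dst"] == dst)
               and (dport is None or int(s["dport"]) == dport))


def run_tests(sessions: List[Dict[str, str]]) -> Dict[str, int]:
    """Table-1-style queries: each uncovered C&C IP as source and as
    destination on any port, then each uncovered port as destination port."""
    results: Dict[str, int] = {}
    for ip in sorted(uncovered(BOBOX_IPS, RULE_IPS)):
        results[f"src {ip}"] = count_sessions(sessions, src=ip)
        results[f"dst {ip}"] = count_sessions(sessions, dst=ip)
    for port in sorted(uncovered(CANDIDATE_PORTS, RULE_PORTS)):
        results[f"dport {port}"] = count_sessions(sessions, dport=port)
    return results


def port_breakdown(sessions: List[Dict[str, str]], dst: str) -> Counter:
    """Destination ports carrying the traffic to one matched host, the check
    that tells an HTTP C&C channel apart from something else on that IP."""
    return Counter(int(s["dport"]) for s in sessions if s["dst"] == dst)


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_CSV)
    for name, n in run_tests(sessions).items():
        if n:
            print(f"{name}: {n}")
    print("ports to 68.178.232.99:", dict(port_breakdown(sessions, "68.178.232.99")))
```

Two details matter when turning a query like this into a standing rule. First, the "Any port" query on a destination IP and the port-specific query are not nested: a host may be reached on several ports, so the breakdown should be checked before a rule is written for port 80 alone. Second, the coverage subtraction keeps the test list short, but it silently assumes the existing rules are correct; an indicator that is "covered" by a rule that never fires is still untested.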

A. Observations

No incidents were identified by the CS-MARS system during the time period of the tests on either day, indicating that current rules were not detecting the conditions specified in the queries. No applicable reports were available to compare to the results because none were scheduled to run on Saturday. Reports run during the hour of the Monday tests show no matches to the IPs or ports included in the test queries.

It was particularly interesting that Saturday's queries found the known botnet C&C host using IP 68.178.232.99 to be a destination 18 times, and Monday's queries observed it 23 times. Although it had been assumed that the traffic was on HTTP port 80, the original queries did not specify the destination port. On another business day morning, the IP for this host was again verified to be 68.178.232.99 and a new query was run. At 8:28 a.m. a query for destination IP 68.178.232.99 on any port resulted in 64 hits. Immediately afterwards another query testing for this destination IP with destination port 80 returned 73 hits.

IX. Conclusions

The queries were selected to expose the presence of botnet traffic on the network that used HTTP or P2P communication, or other botnet communication that was not being detected by rules or reports currently in place on the CS-MARS system. The fact that some of these queries matched sessions running in ten-minute samples indicates that these queries are potential new patterns for identifying and controlling botnet activity in the network.

The additional test of the probable Bobox host site for port 80 traffic is consistent with the assumption that Bobox traffic would use HTTP rather than IRC as a communication protocol. The observation of a higher volume of traffic to the Bobox host at approximately 8:30 in the morning could mean that when infected zombie computers were started they automatically checked in with the C&C host.

All of the hosts checked for test case number 1 and the ports chosen for the other nine tests were obtained from sources available to network security analysts. These analysts are successfully using CS-MARS to detect, contain, and remove infections of IRC-based botnets. The results presented in this study indicate that botnet communication through HTTP and P2P protocols can also be detected with the CS-MARS system.

CS-MARS rules implementing the patterns used in these tests could be employed to identify compromised computers on the network and block C&C nodes. As with other incidents generated by this network's CS-MARS implementation, those responsible for the infected machines can be notified and instructed in how to clean the devices and eliminate vulnerabilities that invite re-infection. Confirmed C&C nodes on the network can be cleaned and all communication with any outside the network can be stopped. When possible, the ISPs that host these C&C nodes should be notified of the abuse.

The tests conducted in this study observed communication patterns of one known HTTP botnet and one botnet capable of using P2P communication. The system must be continually updated with parameters for as many known botnets as possible, as was done to manage IRC botnets with CS-MARS. An ongoing botnet detection, containment, and suppression program should include the following:

• Monitor HTTP DNS names used by botnets
• Monitor ports used by botnets
• Block botnet HTTP servers like IRC
• Generate CS-MARS incidents and respond promptly

Implementation of these measures on a large enterprise network will reduce the resource utilization and risk of damage from attacks caused by many of the botnets known today. Additionally, known botnet hunters, particularly those participating in the botnet mailing list system, can be an excellent resource for the identification of botnets and opportunities for containment.

This study has not addressed identification of the stealthier botnet behaviors such as those advertised in a message received on April 20, 2006 by a member of the botnet mailing list [15]. The sender of this advertisement promised those who would buy his botnet services bulletproof web servers and five IPs that change every ten minutes with different ISPs. Tomorrow's botnets are expected to hide their activities with encryption, in VoIP traffic, and even in proprietary protocols such as Skype [18].

An article published in USA Today on April 24, 2006 states that millions of PCs may be under the control of botnets [19]. Many of these compromised systems are home machines without the protective oversight of skilled technicians. Prevention of infection will continue to demand both prompt elimination of software vulnerabilities through patch management, and the reduction of the effectiveness of social engineering through user awareness training. Identification, containment, and suppression of botnet activity will be a long-term and constantly evolving effort.

ACKNOWLEDGMENTS

I thank G. Allison for information about deterring IRC-based botnets, access to the CS-MARS system, and permission to examine network traffic.

REFERENCES

[1] H. Orman, "The Morris worm: a fifteen-year perspective", IEEE Security & Privacy Magazine, September-October 2003, pages 35-43
[2] A. Bryant, "Alleged Botnet Crimes Trigger Arrests on Two Continents", PC World, November 4, 2005, http://www.pcworld.com/news/article/0,aid,123436,00.asp
[3] "Botnets", Uninformed, Volume 1, May 2005, http://uninformed.org/index.cgi?v=1&a=4&p=14
[4] P. Barford and V. Yegneswaran (University of Wisconsin, Madison), "An Inside Look at Botnets", http://www.cs.wisc.edu/~pb/botnets_final.pdf
[5] N. Elton and M. Keel, "Who Owns Your Network", 2005, http://www.educause.edu/ir/library/pdf/SPC0568.pdf
[6] The Honeynet Project & Research Alliance, "Know Your Enemy: Tracking Botnets", March 13, 2005, http://www.honeynet.org/papers/bots
[7] J. Li and T. Ehrenkranz (University of Oregon), G. Kuenning (Harvey Mudd College), and P. Reiher (UCLA), "Simulation and Analysis on the Resiliency and Efficiency of Malnets", Proceedings of the Workshop on Principles of Advanced and Distributed Simulation (PADS'05), 1087-4097/05
[8] N. Ianelli and A. Hackworth, "Botnets as a Vehicle for Online Crime", CERT Coordination Center, December 1, 2005
[9] The Honeynet Project, http://www.honeynet.org
[10] Cisco, "Distributed Denial of Service Threats: Risks, Mitigation and Best Practices", http://www.cisco.com/en/US/netsol/ns480/networking_solutions_white_paper0900aecd8032499e.shtml
[11] F. C. Freiling, T. Holz, and G. Wicherski, "Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks", Department of Computer Science Technical Report, RWTH Aachen University, April 2005, http://sunsite.informatik.rwth-aachen.de/Publications/AIB/2005/2005-07.pdf
[12] Symantec, http://www.symantec.com/index.htm
[13] Lurhq, http://www.Lurhq.com/
[14] SANS Internet Storm Center, http://isc.sans.org/
[15] Botnets mailing list, http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
[16] Ports, http://www.bekkoame.ne.jp/~s_ita/port/port1-99.html
[17] DNSWatch, http://www.dnswatch.info/
[18] J. Leyden, "Botnet controls fears over IP telephony", The Register, January 26, 2006, http://www.theregister.co.uk/2006/01/26/voip_botnet_control_fears/print.html
[19] B. Acohido and J. Swartz, "Malicious-software spreaders get sneakier, more prevalent", USA Today, Section B, pages 1-3, April 24, 2006

Lookahead Pairs and Full Sequences:
A Tale of Two Anomaly Detection Methods
Hajime Inoue Anil Somayaji
School of Computer Science
Carleton University
Ottawa, Canada K1S 5B6
{hinoue, soma}@ccsl.carleton.ca

Abstract— Sequence-based analysis has been both a widely imitated and widely criticized approach to anomaly detection. In virtually all of the follow-up work to Forrest et al. (1996), though, the distinction between the initially proposed "lookahead pairs" and the follow-on "full sequence" analysis methods has been overlooked. We have discovered that this oversight is significant: specifically, here we demonstrate that, on previously published and well-studied datasets, lookahead pairs produce significantly fewer false positives. Although lower false positive rates make lookahead pairs an attractive system call modeling technique, their usefulness may be compromised by an increased vulnerability to mimicry attacks. This threat can be mitigated through the use of larger sequences. Here we show that lookahead pairs produce relatively few false alarms even with longer sequences (n > 10); we also demonstrate a new technique, random schema masks, which permits the use of even longer sequences. With these new results and techniques, we conclude that the lookahead pair method should be considered as one of the benchmark techniques for modeling system calls.

I. INTRODUCTION

Program-level anomaly detection has been a topic of research in computer security for more than a decade. It holds the promise of detecting and intercepting attacks on network servers and applications in real-time, potentially preventing system damage or disclosure of confidential information—all without requiring signatures or handwritten specifications of legal behavior. The nature of anomaly detection, however, means that this promise comes with significant caveats: legitimate but unusual behavior can be flagged as anomalous (false positives), and malicious behavior can sometimes be classified as "normal" (false negatives). Developing methods that achieve the appropriate balance between low false alarm rates and high sensitivity to attacks is the key challenge for anomaly-based intrusion detection.

The earliest and most influential program-level anomaly detection strategy is based on monitoring sequences of system calls. First proposed by a group at the University of New Mexico led by Stephanie Forrest [3], and that included Somayaji, it has been studied and criticized by many other researchers primarily on two grounds: that it suffers from a high false positive rate [11], and that it is susceptible to evasion by attackers via "mimicry attacks" [18]. What has been less widely appreciated, though, is that in the early literature on system call sequences, two modeling methods were proposed: the initial "lookahead pairs" [3] method and the later "full sequence" [2], [4] method. Virtually all of the literature on system call sequence-based intrusion detection uses the full sequence method; the notable exception is pH, a real-time intrusion detection and response system [13], [12]. In this paper we argue that the differences between these two modeling methods are more significant than has been previously appreciated. In particular, we have found that the lookahead pairs method has a clear advantage in false positive (false alarm) rates while still maintaining the ability to detect real intrusions.

Lookahead pairs generate fewer false positives because they generalize over previously observed sequences; this same quality also makes the lookahead pair method less sensitive to some attacks and more vulnerable to mimicry attacks than the full sequence method. We note, however, that the sensitivity of sequence-based methods can be improved through the use of longer sequences (but at the cost of more false positives). We have found that lookahead pairs perform remarkably well with longer sequences than have been typically used in the literature (n > 10). Here we also present a new technique, random schema masks, that makes the use of even longer sequences feasible with both lookahead pairs and full sequences.

The rest of this paper proceeds as follows. In Section II, we explain the lookahead pairs and full sequence methods in detail. Section III presents a comparison of the two methods in terms of profile size and false

positive rates, while Section IV presents results on the feasibility of random sequence masks. In Section V, we give a brief overview of related work in modeling system call sequences. Section VI discusses the limitations and implications of this work. Section VII concludes the paper.

II. MODELING SYSTEM CALLS

In this section we motivate and explain both the lookahead pairs and full sequence methods. We also discuss a few subtle differences between our implementation of these algorithms and the implementations described by Forrest et al. [3] and Hofmeyr et al. [4], respectively.

Profiles for both methods are parameterized by a single value, the window length, referred to as w. Profiles are generated by observing the system-call stream during execution.

Before we present a formalization of the two learning methods, we introduce them using an example, shown in Figure 1. The example system call stream (Figure 1a) consists of 11 system calls. The code it represents reads the metadata for two files, opens them, moves the file pointer in each, reads from each, and then closes them. In both the simulator and in operating systems, system calls are actually represented by integers.

We present the profile of the full sequence (FS) method (Figure 1b) first. It uses a window length of 4. In this profile, we can see that in row 1, the first system call sequence is fstat, with sentinel in the other positions. Unlike in the original Forrest et al. papers [3], [4], we use sentinels to initialize the system, allowing the system to signal anomalies at the earliest possible moment, following the pH example [12]. The sequences are added to the profile as they appear in the stream, until row 9 (the last row). In row 9, the system call in current is close, not read, because <read, lseek, open, fstat> already appeared in row 3. The finished profile is a set of all unique sequences of length 4.

Generalization only occurs in the full sequences method through the window length. Every legal sequence seen during anomaly detection must have been observed during training. However, because different code paths can share sequences, the representation allows for "jumps" between code paths that the program text would never allow. Such "impossible paths" of execution potentially make it much easier for an adversary to craft attacks that could evade detection by a sequence-based anomaly detector [17].

The lookahead pairs (LAP) profile for the sample data (Figure 1c) also uses a window length of 4. The difference between the FS and LAP methods is that the system calls are indexed on the current position: all rows with the same current system call are merged. During testing, any sequence is then allowed that contains one of the valid system calls in the appropriate position in the row for the current system call.

For example, consider row 1 of the LAP profile. On the first system call of the trace, fstat, the entry <fstat, sentinel, sentinel, sentinel> is added to the profile. At system call 7, instead of a new sequence being added, the previous entry is modified to <fstat, {sentinel, close}, {sentinel, read}, {sentinel, read}>.

The LAP method allows both "impossible paths" generalization as well as substitutions. To illustrate, consider the previous example. Legal system-call streams under the LAP method would include <fstat, close, sentinel, sentinel> and <fstat, close, read, sentinel>, which do not appear in the original stream.

Now we introduce a formalization of the two methods, adapted from Somayaji's dissertation [12]. Let

C = alphabet of possible system calls and a sentinel
c = |C| (221 in Linux 2.4, 317 in Linux 2.6)
T = t_1, t_2, ..., t_τ | t_i ∈ C (the trace)
τ = the length of T
w = the window size, 1 ≤ w ≤ τ
P = a set of patterns associated with T and w (the profile)

For the full sequences (FS) method, the profile P_seq is defined as:

$$P_{seq} = \{ \langle s_i, s_{i+1}, \ldots, s_j \rangle : s_i, s_{i+1}, \ldots, s_j \in C,\ 1 \le i, j \le \tau,\ j - i + 1 = w,\ s_i = t_i,\ s_{i+1} = t_{i+1},\ \ldots,\ s_j = t_j \}$$

Alternately, for the lookahead pairs method, the profile P_pair is defined as:

$$P_{pair} = \{ \langle s_i, s_j \rangle_l : s_i, s_j \in C,\ 2 \le l \le w,\ \exists p : 1 \le p \le \tau - l + 1,\ t_p = s_i,\ t_{p+l-1} = s_j \}$$

The difference in generalization can be quantified by comparing the total number of sequences each profile method recognizes. The number of sequences the FS method recognizes is simply the number of unique sequences it saw during training. The number of sequences (S) the LAP recognizes must be calculated

fstat, open, lseek, read, read, close, fstat, open, lseek, read, close

(a)

position 3 position 2 position 1 current


sentinel sentinel sentinel fstat
sentinel sentinel fstat open
fstat open lseek read
open lseek read read
lseek read read close
read read close fstat
read close fstat open
close fstat open lseek
open lseek read close

(b)

position 3 position 2 position 1 current


{sentinel, read} {sentinel, read} {sentinel, close} fstat
{sentinel, read} {sentinel, close} {fstat} open
{sentinel, close} {fstat} {open} lseek
{fstat, open} {open, lseek} {lseek, read} read
{lseek, open} {read, lseek} {read} close

(c)

Fig. 1. An example system call stream (a), the sequence profile generated from that stream (b), and the lookahead pairs profile (c). The code
represented by this system call stream does similar things with two files: It reads metadata about the file (stat), opens the file, moves the file
offset pointer, reads from the file, and closes them. Both methods are shown using a window length of 4.

combinatorially:

$$S = \sum_{i=0}^{c} \prod_{j=1}^{w} \sum_{k=0}^{c} F(i, j, k) \quad \text{where} \quad F(i, j, k) = \begin{cases} 1 & \text{if } \langle i, k \rangle_j \in P_{pair} \\ 0 & \text{otherwise} \end{cases}$$

The total number of sequences recognized by a profile is simply the sum of the number of sequences recognized with each system call in the "current" position (characterized by the summation with the i index). The total for each system call is the product of the number of system calls that are in the profile for each position. This is calculated by adding them together in the second sum, and the multiplication is then carried out by the product indexed by j. We call S the size of the profile.

Generalization in LAP is dependent on the density of the profiles. A "sparse" profile, with few system calls in each window position set, will recognize far fewer sequences than one with larger sets in those positions. We examine the generalization of LAP in practice in Section III.

In the experiments described in this paper, we implemented the full sequence and lookahead pairs methods as described above; however, we also added some code to handle a few special cases that are not directly addressed in the early work by the UNM group. These changes, however, are in accordance with the online implementation of lookahead pairs developed for Somayaji's pH [13], [12].

In earlier work, sequences were not checked until the window filled up; that is, no anomalies could be registered until l system calls were invoked, allowing for potentially dangerous behavior. In this research we create entries and check for anomalies after every system call. We then enter a special, non-existing sentinel system call in the empty positions for the first l − 1 calls.

In addition, we treat two system calls as special: fork and execve. When a fork occurs in the system call stream, we make a copy of the system-call sequence at that point of execution and use it to initialize the sequence of the new process. This makes sense because a fork carries almost all the state of its parent process. Also, this prevents a process from using fork to avoid anomaly checks.

With the execve call we reinitialize the sequence window. When an execve is called, the operating system loads a new program binary into the currently running process, destroying most of the process's previous state. In our simulator we continue using the current profile. This differs slightly from the behavior of pH, which reinitialized the sequence window and switched profiles based on the actual executable being launched. Because the data files do not contain arguments, we cannot simulate this behavior.

III. FULL SEQUENCES VERSUS LOOKAHEAD PAIRS

We developed our own anomaly detection simulators for the lookahead pair and full sequence models. The UNM group never released the original simulator used in the lookahead pairs studies. They did release the source code used in the sequence studies (stide), but given the changes we described in Section II, we felt it easier to write our own simulator.

We verified our own version of full sequences against stide. Unfortunately, stide 1.1, the version released by UNM in 1998 [5], no longer compiles on modern systems. We rewrote stide to use modern C++ template mechanisms and checked that the results of stide were similar to our own simulator in full sequence mode.¹ The results are not exact because of the different behavior after fork and execve.

Our tests are against data provided by the UNM group [1]. We report data from four different traces:

1) lpr-mit: 1,942,917 training calls and 811,953 testing calls (about a month of data from many different machines).
2) named: 21 training days (6,256,177 calls); 12 testing days (2,974,395 calls).
3) sendmail: 29,666,817 training calls and 14,833,409 testing calls.
4) xlock: 11,065,759 training calls and 5,532,880 testing calls (approximately 2 days total).

We believe these are the most interesting of the data traces available. Most of the other traces available from UNM are either synthetic or are of less interesting programs, such as login or ps.

On each, we attempted to divide the raw traces with two thirds as training and one third as testing. On the lpr, sendmail, and xlock traces we did this by using system call counts. On the named data we divided the trace into training and testing by using the date logs. Note that this training/testing division is different than that used by Warrender et al. [20].

Our analysis concentrates on named, because we have complete kernel logs from that trace. Those logs allow us to calculate false positive per day rates, which are more useful in determining anomaly IDS performance. Such logs were either not available or not appropriate for calculating per-day false positive rates for the other three data sets.

Table I presents the false positive rates per system call. We used 14 different window lengths from 2 to 128. We were not able to gather the largest data sizes for full sequences because of the prohibitive runtime of our full sequence analysis program when using very long sequences.

There are two conclusions to draw from the data: 1) results vary widely depending on the trace, and 2) lookahead pairs have significantly smaller false positive rates than full sequences. Our first conclusion merely confirms the result Warrender et al. found in comparing alternative models of system call-based anomaly intrusion detection [20]. The second result is more interesting.

The lookahead pairs false positive rates are lower than the full sequence rates for each of the traces. On the named and xlock traces the differences are dramatic. Figure 2 shows the ratios for the four traces over the various window lengths. The lookahead pairs false positive rates are a minimum of ten times lower, sometimes much lower, for both named and xlock.

The ratios for lpr are more modest. We believe insufficient training accounts for this discrepancy. It is the smallest trace, and it is also the one whose data comes from many different machines. A greater diversity coupled with less training leads to higher false positive rates for both lookahead pairs and full sequences, leading to a smaller discrepancy in performance.

The ratios for sendmail fall in between the two groups. This trace has the largest number of system calls, but its behavior is atypical because of the large number of forks. Still, the full sequences method experiences more than twice as many anomalies as lookahead pairs for window lengths long enough to detect attacks.

The reason behind the difference in false positives is the extra generalization of the LAP method. One can compare the two methods by looking at the "size" of each profile—the number of unique sequences it recognizes as normal. Table II shows the sizes of the profiles for the LAP and FS methods for each window size. For windows greater than 4 the LAP method recognizes many orders of magnitude more sequences than the FS method.

Figure 3 plots the ratios of the LAP sizes to FS sizes for the four traces over the selected window sizes.

¹ stide 1.2 is now available from UNM [1].

lpr named sendmail xlock
Window LAP FS LAP FS LAP FS LAP FS
2 1.85E-05 0.00E+00 0.00E+00 0.00E+00 1.03E-04 0.00E+00 9.04E-08 0.00E+00
3 3.69E-05 1.85E-05 0.00E+00 0.00E+00 1.51E-04 1.03E-04 1.81E-07 9.04E-08
4 6.16E-05 4.80E-05 0.00E+00 1.34E-06 2.07E-04 2.03E-04 2.71E-07 2.17E-06
5 9.11E-05 8.01E-05 6.72E-07 4.03E-06 2.41E-04 3.24E-04 3.61E-07 4.70E-06
6 1.17E-04 1.15E-04 1.01E-06 1.88E-05 2.66E-04 4.31E-04 4.52E-07 8.59E-06
8 1.50E-04 1.47E-04 2.35E-06 3.56E-05 3.31E-04 5.39E-04 9.04E-07 1.24E-05
10 2.00E-04 2.03E-04 3.70E-06 7.36E-05 3.80E-04 7.38E-04 1.08E-06 2.03E-05
12 2.27E-04 2.92E-04 5.72E-06 1.34E-04 4.28E-04 9.79E-04 2.17E-06 3.08E-05
16 4.77E-04 4.09E-04 1.04E-05 2.14E-04 5.27E-04 1.22E-03 2.80E-06 4.15E-05
20 6.93E-04 8.72E-04 1.51E-05 5.32E-04 6.30E-04 1.83E-03 3.71E-06 6.33E-05
24 1.15E-03 1.90E-03 2.15E-05 1.21E-03 7.36E-04 2.56E-03 4.79E-06 8.25E-05
32 1.50E-03 3.28E-03 2.79E-05 2.30E-03 8.93E-04 3.46E-03 6.33E-06 1.01E-04
64 2.62E-03 NA 4.37E-05 NA 1.37E-03 NA 1.05E-05 NA
128 4.06E-03 NA 6.32E-05 NA 1.76E-03 NA 2.21E-05 NA

TABLE I
FALSE POSITIVE RATES PER SYSTEM CALL FOR THE FOUR TRACES FOR BOTH LOOKAHEAD PAIRS (LAP) AND FULL SEQUENCE (FS) ANALYSIS METHODS.

[Figure 2: log-scale plot of the ratio of FS to LAP false positives (y axis, 1 to 1000) against window length (x axis, 0 to 35) for the lpr, named, sendmail and xlock traces.]

Fig. 2. Window length versus the ratio of the false positive rates of full sequence and lookahead pairs models for the four traces. Note the logarithmic scale for the false positive ratios.

[Figure 3: log-scale plot of the ratio of LAP to FS profile size (y axis, 1.00E+00 to 1.00E+56) against window length (x axis, 0 to 35) for the lpr, named, sendmail and xlock traces.]

Fig. 3. Window length versus the ratio of the sizes of the lookahead pairs profiles to full sequence profiles for the four traces. The graph's shape, due to the slow rate of growth of FS profiles, is dominated by the LAP profile growth. Note the logarithmic scale for the size ratios.

lpr named sendmail xlock
Window LAP FS LAP FS LAP FS LAP FS
2 1.98E+02 1.98E+02 1.83E+02 1.83E+02 4.23E+02 4.23E+02 9.60E+01 9.60E+01
3 1.91E+03 3.40E+02 1.85E+03 3.45E+02 9.20E+03 1.20E+03 5.55E+02 1.50E+02
4 3.08E+04 4.38E+02 2.76E+04 5.16E+02 2.80E+05 2.30E+03 4.94E+03 1.97E+02
5 6.69E+05 5.25E+02 4.74E+05 7.18E+02 9.96E+06 3.63E+03 6.28E+04 2.37E+02
6 1.75E+07 6.04E+02 9.42E+06 9.58E+02 3.96E+08 5.23E+03 9.04E+05 2.72E+02
8 1.30E+10 7.72E+02 4.45E+09 1.57E+03 7.41E+11 9.16E+03 2.80E+08 3.35E+02
10 1.49E+13 9.52E+02 2.67E+12 2.44E+03 1.61E+15 1.45E+04 1.14E+11 3.87E+02
12 1.71E+16 1.15E+03 1.67E+15 3.61E+03 3.86E+18 2.12E+04 4.91E+13 4.36E+02
16 2.90E+22 1.64E+03 8.46E+20 7.36E+03 2.74E+25 3.91E+04 9.74E+18 5.30E+02
20 4.29E+28 2.20E+03 4.21E+26 1.35E+04 2.21E+32 6.34E+04 2.37E+24 6.16E+02
24 7.49E+34 2.84E+03 2.42E+32 2.26E+04 2.07E+39 9.39E+04 4.78E+29 6.97E+02
32 2.33E+47 4.31E+03 1.13E+44 4.89E+04 1.84E+53 1.67E+05 3.88E+40 8.57E+02
64 1.66E+97 NA 2.23E+91 NA 8.01E+109 NA 7.33E+83 NA
128 2.24E+199 NA 2.27E+185 NA 3.33E+223 NA 5.48E+171 NA

TABLE II
PROFILE SIZES (IN TERMS OF NUMBER OF REPRESENTED SEQUENCES) FOR EACH OF THE FOUR TRACES FOR BOTH LOOKAHEAD PAIRS (LAP) AND FULL SEQUENCE (FS) ANALYSIS METHODS.

Lookahead Pairs Full Sequences
Window Anomalies FP / call ×107 FP / day Anomalies FP / call ×107 FP / day
2 0 0.00 0.00 0 0.00 0.00
3 0 0.00 0.00 4 13.45 0.34
4 0 0.00 0.00 12 40.34 1.03
5 2 6.72 0.17 56 188.27 4.79
6 3 10.09 0.26 106 356.37 9.07
8 7 23.53 0.60 219 736.28 18.75
10 11 36.98 0.94 400 1344.81 34.24
12 17 57.15 1.46 638 2144.97 54.62
16 31 104.22 2.65 1581 5315.37 135.35
20 45 151.29 3.85 3590 12069.68 307.33
24 64 215.17 5.48 6845 23013.08 585.98
32 83 279.05 7.11 17920 60247.55 1534.08
64 130 437.06 11.13
128 188 632.06 16.09

TABLE III
FALSE POSITIVE RATES FOR THE named DATA SET WITH BOTH THE LOOKAHEAD PAIRS AND FULL SEQUENCE METHODS, USING SEVERAL SEQUENCE LENGTHS.

These are computed using the profile generated by our simulator and the equation described in Section II. One might expect them to match Figure 2. However, they differ greatly. Although three of the four traces (excluding xlock) show exponential growth, the rate of growth of false positives is much slower. Also, there is not a qualitative match. The order from greatest to least in false positive ratios (named, xlock, sendmail, lpr) does not match the order of profile size ratios (xlock, named, lpr, sendmail).

Although we can explain some of the differences in performance, other aspects are a bit more mysterious. For example, we find the shape of the graph in Figure 2 a bit puzzling. The lpr and named trace ratios increase gradually as the window length increases. The xlock ratios, though, do the opposite. Also, neither named nor xlock shows monotonic behavior, as one might expect from the behavior shown in Figure 3.

Table III shows the false positive rates per system call and per day for the named trace. Comparisons with real time for false positive rates are a better indicator than per system call because some programs make many more system calls than others. Also, anomalies, for the most part, are handled by human administrators. False positive rates given in time units provide more information about the feasibility of using such systems in production environments.

We can see here that for named, lookahead pairs perform much better than full sequences, even for small window lengths. Full sequences create more than one false positive per day at a window length of four. Lookahead pairs do not impose that burden until lengths greater than 10. At a window length of 32, lookahead pairs experience a false positive about once every three and a half hours, compared with more than one a minute for full sequences.

Although lookahead pairs show much better false positive rates than full sequences, it is not clear that long windows (> 10) are feasible in production systems due to performance reasons and absolute false positive rates. At a length of 32, the lookahead pairs false positive rate is 14 times greater than at 6, the value used in the original UNM simulations. Furthermore, if one implements lookahead pairs as in the pH system [12], each profile check is 5 times as expensive and the profile is 5 times as large. In the next section, we investigate one strategy for mitigating the runtime and accuracy cost of longer windows.

IV. RANDOM SCHEMA MASKS

One of the key results of Tan and Maxion's work [16] was that the performance of stide was highly dependent upon sequence length. Specifically, they found that some attacks could not be detected if the window length was too small.

Longer windows increase the sensitivity of both the lookahead pairs and full sequences methods, while also

[Figure 4: a window of 20 system calls, most recent call first, with the eight masked-in positions 0, 2, 6, 9, 10, 12, 14 and 18 marked, and the resulting 8-call masked sequence below it.]

5 7 9 8 3 9 8 4 6 3 4 8 9 7 3 4 9 7 3 8

5 9 8 3 4 9 3 3

Fig. 4. A random window schema mask.

increasing false positive rates, as is evident in Table I. While longer windows can help detect some types of mimicry attacks, they cannot prevent all of them: if an attack imitates a full trace of system calls that is actually executed during normal operation, then neither the full sequence nor the lookahead pairs method is capable of detecting the attack. However, longer sequences do constrain an attacker's ability to use "impossible paths" to evade stide.

Here we investigate a system that may combine the ability to increase the difficulty of mimicry and "impossible paths" attacks while maintaining both low false positive rates and high performance.

A. Description

The basic idea is to maintain a large window length while ignoring some of the calls within that window. To illustrate this, consider Figure 4. The top list of numbers represents a window of length 20, with 5 as the most recent system call. The lines under the system call numbers represent the window schema, the system calls we will actually consider. Here the size of the schema is 8, with the positions 0, 2, 6, 9, 10, 12, 14, and 18 chosen. This can then be represented as the bottom sequence.

By using schema that mask out several positions in the system call window we create another source of generalization. This generalization should result in fewer false positives while potentially maintaining sufficient sensitivity to attack-generated anomalies.

B. Results

For several window sizes and schema lengths, we randomly generated 10 schema masks and calculated their false positive rates. We test the new representation against only named due to the large number of experiments required. We believe these results translate to other programs.

Table IV gives evidence for the potential benefits of random schema masks. The false positive rates for each size would be expected to be similar to, but larger than, those for windows without schema masks. This holds true for lookahead pairs but not for full sequences.

For full sequences the false positive rates are much lower. Why is this? It must be due to the generalization of the "holes" in the schema mask. Such holes would also permit more "impossible paths"; this fact does not seem to affect the algorithm's ability to detect real-world exploits. When compared against the first exploit from Warrender et al. [20], the number of anomalies signaled by the simulator is similar to the unmasked versions. Therefore, it seems that using schema masks may be a viable way to extend window sizes.

Creating schema masks seems to create a generalization that allows attacks through. This is theoretically the case, but without knowing the schema mask beforehand, an attacker would have to construct an attack considering the window length instead of the schema size. The attacker might consider finding an attack using substitutions and relying on repeated attempts to determine the masked positions in the schema, but this would involve several, potentially thousands, of repeated attempts, and would likely alert administrators before it succeeded.

V. RELATED WORK

Forrest et al. [3] first proposed that attacks on privileged programs be detected by detecting unusual behavior, and that unusual program behavior could be detected by monitoring system calls. In this first paper, they also proposed a sequence-based method for modeling system calls that they referred to as using "lookahead pairs." Although lookahead pairs performed well in their initial experiments, follow-up work from the UNM group [2], [8], [4], [20] instead switched to the "full sequence" method. (See Section II for a full description of these two methods.) The command-line analysis tool stide (sequence time-delay embedding) was made available by the UNM group along with most of the data sets that were used for these papers. Note that stide only implemented the full sequence method, not the lookahead pairs method.

Many other researchers have built upon this work. Although some of this literature focuses on applying the UNM group's sequential analysis technique to other data sources [7], [14], the most significant work has focused on critiquing their approach and proposing alternatives. Wagner and Dean [17] were the first to note that an
window size are dramatically lower for both lookahead attacker can potentially evade detection of a sequence-
pairs and full sequences using the schema masks. There based analysis system by “mimicking” normal behavior
is one interesting difference to note, however. The ex- (i.e. by generating system call sequences present in the
pectation was that the false positive rate for each schema targeted program’s normal profile). Tan and Maxion [16]

                 Lookahead Pairs                          Full Sequences
Window   6            8            10            6            8            10
12       0.78 (0.27)  1.20 (0.24)  1.34 (0.11)   1.11 (0.08)  1.46 (0.17)  1.85 (0.12)
16       1.06 (0.47)  1.60 (0.39)  2.05 (0.34)   1.69 (0.29)  2.58 (0.45)  3.49 (0.45)
20       1.52 (0.48)  2.09 (0.35)  2.46 (0.42)   2.21 (0.56)  3.99 (0.75)  5.40 (0.95)
24       2.00 (0.66)  2.59 (0.49)  2.85 (0.56)   3.04 (0.66)  5.18 (1.09)  9.25 (1.51)
32       2.01 (0.37)  2.82 (0.53)  3.35 (0.35)   4.36 (1.08)  8.46 (1.68)  15.83 (4.08)

TABLE IV
Per-day false positive averages (and standard deviations) for lookahead pairs and full sequences with schema masks. Windows of 12, 16, 20, 24, and 32 are compared with schema that use 6, 8, and 10 values in the compacted sequence.

provided a theoretical analysis of the relationship between detection ability and sequence length for stide. In so doing they introduced the concept of minimal foreign sequences, which is the smallest injected sequence that could be detected. They later followed up this work with a full implementation of a mimicry attack on stide [15], which was published shortly before Wagner and Soto’s mimicry attack implementation [18]. Mimicry attacks were recently automated by Kruegel et al. [9].

The documented limitations in stide have, in part, inspired many others to develop alternative program behavior modeling techniques. Alternatives such as rule-based systems, frequency-based sequence detectors, and hidden Markov models were shown to have no significant accuracy advantages relative to stide, even though all such methods require more computational overhead [20]. Other methods, though, that incorporate additional information such as program counter state [11], have been shown to have lower false positives than stide.

Note that in all of this literature, the standard of performance has been the full sequence method as implemented by stide, not the lookahead pairs technique. For runtime performance and implementation reasons, Somayaji chose the lookahead pairs model for pH, a system call-based real-time intrusion detection and response system [13], [12]. Somayaji’s dissertation [12] contained an entropy-based comparison between lookahead pairs and full sequences showing that lookahead pairs contained less information than full sequences, especially for larger windows. No comparison was performed on the basis of true and false positives.

Recently Wang, Parekh, and Stolfo [19] developed a “randomized testing” approach to n-gram analysis as part of their Anagram network packet-based IDS. This technique is closely related to our random sequence masks; however, they are focused on partitioning rather than excluding data. Further, in the context of their (much more complicated) system their randomization strategy often increased the observed rate of false positives. An interesting topic for future research is the evaluation of different randomization strategies for sequence-based anomaly detection methods in system calls, network packets, and other domains.

VI. DISCUSSION

This research creates many questions about the learning and generalization ability of the different models of program behavior we have analyzed in this paper. It is remarkable that the dramatic difference in the performance between lookahead pairs and full sequences has never been documented before. After some preliminary testing, the UNM group assumed that lookahead pairs had similar behavior to full sequences and moved to full sequences when an implementation became available. The work on alternative models and mimicry attacks then simply ignored the lookahead pairs method. One master’s thesis [10] claimed that Hofmeyr showed that “fixed sequences give better discrimination than lookahead pairs”. It is true that full sequences generalize less than lookahead pairs, but it has never been shown that they are a better model for detecting intrusions. Section III provides evidence that lookahead pairs is a better model for intrusion detection than full sequences. Indeed, lookahead pairs appear to be significantly better than any of the data models explored in the Warrender paper [20].

Arguably, the lookahead pairs method is a better anomaly detection method than the full sequences method because it generalizes more. That is, multiple entries in the full sequences model correspond to one entry in the lookahead pairs model. There are three sources of generalization apparent in these models: the finite window length in all the models, the substitutions allowed in lookahead pairs, and the masked calls within

the windows in the schema mask models. According to our analysis, these generalization methods empirically generate fewer false positives.

It is an open question what the costs and benefits are for each kind of generalization. Much of the literature on mimicry attacks shows that larger windows, and thus less generalization through window length, are better for detecting attacks. However, the larger false positive rates incurred through less generalization have driven research in statically generated “models” of normal behavior that cannot incur false positives. Model-based approaches overgeneralize in other ways, however, leading to vulnerabilities beyond mimicry attacks [6].

The generalization from substitutions in the lookahead pairs model is an even more puzzling problem. The source of the difference in the behavior between lookahead pairs and full sequences, described by the generalization equation in Section II, does not fully explain the differences between the two methods. If the false positive rates were proportional to sizes, the LAP method would have even fewer false positives, and would potentially be unable to detect many true positives. However, the UNM group showed that for sizes of 6 to 10 the two techniques had similar detection capabilities [3], [20], [12]. This is an important problem to solve because a decade of research, both within and outside the UNM group, has assumed that full sequences is better than lookahead pairs. Is this truly the case for programs beyond those studied by the UNM group?

Another question generated by this research concerns the false positive rates for full sequences with schema masks. Those rates are not only lower than those of the corresponding window lengths, but also lower than those of the schema mask size. This is not the case for the lookahead pairs method. Could it be that adding “holes” to the representation allows the full sequences model to mimic the substitution generalization that apparently gives lookahead pairs its advantage? Further research is needed to resolve these questions.

VII. CONCLUSION

Given the large number of papers devoted to system call based anomaly detection, it is remarkable that there has never been a direct comparison between lookahead pairs and full sequences. We have provided that comparison in this paper. Although it was previously assumed that full sequences were either better or similar in performance to lookahead pairs, we have shown that the opposite is true.

In addition, we have shown that anomaly systems built around lookahead pairs are practical with long window lengths, and that very long window lengths can be accommodated through the use of schema masks. By using random schema, an IDS can force an attacker to craft attacks that assume a complete window length, a more difficult task.

When referencing the UNM efforts, research in system call based anomaly detection and mimicry attacks should compare against both lookahead pairs as well as full sequences. Our surprising results indicate that there is significant scope for better theoretical understanding of program behavior.

ACKNOWLEDGMENTS

We thank the members of Carleton Computer Security Laboratory and the anonymous reviewers for their suggestions.

This work was supported by the Discovery grant program from Canada’s Natural Sciences and Engineering Research Council (NSERC) and MITACS.

REFERENCES

[1] Stephanie Forrest et al. Computer immune systems—data sets and software. http://www.cs.unm.edu/~immsec/systemcalls.htm, December 2006.
[2] Stephanie Forrest, Steven Hofmeyr, and Anil Somayaji. Computer immunology. Communications of the ACM, 40(10):88–96, October 1997.
[3] Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, and Thomas A. Longstaff. A sense of self for Unix processes. In SP ’96: Proceedings of the 1996 IEEE Symposium on Security and Privacy, page 120, Washington, DC, USA, 1996. IEEE Computer Society.
[4] Steven A. Hofmeyr, Stephanie Forrest, and Anil Somayaji. Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3), 1998.
[5] Steven A. Hofmeyr and Julie Rehmeyr. Stide: Sequence time-delay embedding, 1998.
[6] Hajime Inoue and Anil Somayaji. What happened to anomaly detection? Technical Report TR-07-09, School of Computer Science, Carleton University, Ottawa, Canada, March 2007.
[7] Anita Jones and Yu Lin. Application intrusion detection using language library calls. In Proceedings of the 17th Annual Computer Security Applications Conference, New Orleans, Louisiana, December 10–14, 2001.
[8] Andrew P. Kosoresow and Steven A. Hofmeyr. Intrusion detection via system call traces. IEEE Software, 14(5):35–42, September/October 1997.
[9] Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna. Automating mimicry attacks using static binary analysis. In 14th Annual Usenix Security Symposium, Aug 2006.
[10] Svetlana Radosavac. Detection and classification of network intrusions using hidden Markov models. Master’s thesis, University of Maryland, 2002.
[11] R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the 2001 IEEE Symposium on Security and Privacy, 2001.
[12] Anil Somayaji. Operating System Stability and Security through Process Homeostasis. PhD thesis, University of New Mexico, 2002.

[13] Anil Somayaji and Stephanie Forrest. Automated response using
system-call delays. In Proceedings of the 9th USENIX Security
Symposium, Denver, CO, August 14–17, 2000.
[14] Matthew Stillerman, Carla Marceau, and Maureen Stillman.
Intrusion detection for distributed applications. Communications
of the ACM, 42(7):62–69, July 1999.
[15] K. M. C. Tan, K. S. Killourhy, and R. A. Maxion. Undermining
an anomaly-based intrusion detection system using common
exploits. In Proceedings of the Fifth International Symposium
on Recent Advances in Intrusion Detection (RAID ’02), 2002.
[16] Kymie M. C. Tan and Roy A. Maxion. “Why 6?” defining the
operational limits of stide, an anomaly-based intrusion detector.
In SP ’02: Proceedings of the 2002 IEEE Symposium on Security
and Privacy, page 188, Washington, DC, USA, 2002. IEEE
Computer Society.
[17] David Wagner and Drew Dean. Intrusion detection via static
analysis. In Proceedings of the 2001 IEEE Symposium on
Security and Privacy, pages 156–169, 2001.
[18] David Wagner and Paolo Soto. Mimicry attacks on host-based
intrusion detection systems. In CCS ’02: Proceedings of the
9th ACM conference on Computer and communications security,
pages 255–264, New York, NY, USA, 2002. ACM Press.
[19] Ke Wang, Janak J. Parekh, and Salvatore J. Stolfo. Anagram:
A content anomaly detector resistant to mimicry attack. In Pro-
ceedings of the 9th International Symposium on Recent Advances
in Intrusion Detection (RAID ’06), volume 4219 of LNCS, pages
226–248, Sep 2006.
[20] Christina Warrender, Stephanie Forrest, and Barak A. Pearlmut-
ter. Detecting intrusions using system calls: Alternative data
models. In IEEE Symposium on Security and Privacy, pages
133–145, 1999.
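The schema-mask representation of Section IV.A and the three sources of generalization listed in Section VI (window length, the substitutions allowed by lookahead pairs, and masked calls), as an added worked example; it is not the paper's code nor stide or pH, and the call numbers and traces below are constructed. Keeping slot 0 (the current call) in every random schema is our assumption, taken from Fig. 4.

```python
"""Lookahead pairs vs. full sequences over system-call traces, with and
without schema masks.  Constructed illustration of the models compared in
the paper; not the stide or pH code.  Call numbers and traces are made up."""
import random
from typing import List, Optional, Sequence, Set, Tuple

Window = Tuple[int, ...]
# The schema of Fig. 4: window length 20, eight slots kept, slot 0 = current call.
FIG4_SCHEMA = (0, 2, 6, 9, 10, 12, 14, 18)


def windows(trace: Sequence[int], w: int,
            schema: Optional[Sequence[int]] = None) -> List[Window]:
    """Slide a window of length w over a trace.  Slot 0 of each window is
    the most recent call (as in Fig. 4).  A schema keeps only the listed
    slots (the "compacted sequence"); schema=None keeps the whole window."""
    keep = tuple(schema) if schema is not None else tuple(range(w))
    assert all(0 <= p < w for p in keep), "schema slot outside the window"
    out: List[Window] = []
    for i in range(w - 1, len(trace)):
        newest_first = trace[i - w + 1:i + 1][::-1]
        out.append(tuple(newest_first[p] for p in keep))
    return out


def random_schema(w: int, size: int, seed: int) -> Tuple[int, ...]:
    """A random schema mask of `size` slots drawn from a window of w.
    Slot 0 (the current call) is always kept; that choice is ours (assumption)."""
    rng = random.Random(seed)
    return (0,) + tuple(sorted(rng.sample(range(1, w), size - 1)))


class FullSequences:
    """Every distinct (masked) training window is stored; a test window
    is anomalous if it was never seen."""
    def __init__(self, w: int, schema: Optional[Sequence[int]] = None):
        self.w, self.schema = w, schema
        self.db: Set[Window] = set()

    def train(self, trace: Sequence[int]) -> None:
        self.db.update(windows(trace, self.w, self.schema))

    def count_anomalies(self, trace: Sequence[int]) -> int:
        return sum(win not in self.db
                   for win in windows(trace, self.w, self.schema))


class LookaheadPairs:
    """For every earlier slot k the pair (call at slot k, current call) is
    stored, keyed by k.  A window is anomalous if any of its pairs is
    unseen.  Because pairs are checked independently, a window that
    recombines pairs from different training windows passes: this is the
    substitution generalization discussed in Section VI."""
    def __init__(self, w: int, schema: Optional[Sequence[int]] = None):
        self.w, self.schema = w, schema
        self.db: Set[Tuple[int, int, int]] = set()   # (slot, earlier, current)

    @staticmethod
    def pairs(win: Window) -> Set[Tuple[int, int, int]]:
        return {(k, win[k], win[0]) for k in range(1, len(win))}

    def train(self, trace: Sequence[int]) -> None:
        for win in windows(trace, self.w, self.schema):
            self.db |= self.pairs(win)

    def count_anomalies(self, trace: Sequence[int]) -> int:
        return sum(not self.pairs(win) <= self.db
                   for win in windows(trace, self.w, self.schema))


def compare(normal: Sequence[Sequence[int]], test: Sequence[int], w: int,
            schema: Optional[Sequence[int]] = None) -> Tuple[int, int]:
    """Train both models on `normal` and return (full-sequence anomalies,
    lookahead-pair anomalies) counted over `test`."""
    fs, lap = FullSequences(w, schema), LookaheadPairs(w, schema)
    for trace in normal:
        fs.train(trace)
        lap.train(trace)
    return fs.count_anomalies(test), lap.count_anomalies(test)


# Constructed normal traces: two paths through a program that both end in
# call 4.  Real traces are far longer; these are just enough to show the effects.
NORMAL = [[1, 2, 3, 4], [5, 6, 7, 4]]

if __name__ == "__main__":
    # (1) Substitution: every pair in the single window of [1, 6, 3, 4]
    # occurs in some normal window, but the window as a whole never does.
    print("recombined, w=4:", compare(NORMAL, [1, 6, 3, 4], 4))     # (1, 0)
    # (2) Window length: splicing the two normal traces is an "impossible
    # path".  A longer window sees the splice in more windows.
    spliced = NORMAL[0] + NORMAL[1]
    print("spliced, w=2:", compare(NORMAL, spliced, 2))             # (1, 1)
    print("spliced, w=4:", compare(NORMAL, spliced, 4))             # (3, 3)
    # (3) Schema mask: call 9 replaces call 3, which sits in slot 1 of the
    # only window.  Unmasked, both models flag it; with schema (0, 2) slot 1
    # is a hole and neither does.
    print("masked slot, w=4:", compare(NORMAL, [1, 2, 9, 4], 4))    # (1, 1)
    print("masked slot, w=4, schema (0, 2):",
          compare(NORMAL, [1, 2, 9, 4], 4, (0, 2)))                 # (0, 0)
    print("random schema for w=20, size 8:", random_schema(20, 8, seed=1))
    print("Fig. 4 schema applied to calls 0..19:",
          windows(list(range(20)), 20, FIG4_SCHEMA))
```

With one training window per trace the counts are small by construction; on real traces the same three effects appear as the false positive differences reported in Tables I and IV.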

Designing Information Systems Security: Interpretations from a British National Health Services Hospital
Gurpreet Dhillon, PhD
Professor of Information Systems, Virginia Commonwealth University

Abstract: When designing information systems, an issue of major concern is that control issues are generally considered only once user requirements have been abstracted into a logical model. Since such control measures are usually acontextual, they generally lack the catalyzing effects that were originally claimed for them. The intent of this paper is to review the logical form of the security measures and the manner in which these have been implemented in a British hospital. It interprets the ad hoc nature of the security controls and argues that a fuller analysis of organizational contexts is necessary in order to develop secure environments.

I. INTRODUCTION

Facing pressures of organizational cost containment and external competition, the British National Health Service (NHS) is “rushing headlong” into adopting information technology without careful planning and without understanding the security concerns. Individual hospitals are still trying to cope with the intricacy and mystique that surrounds computer systems. It appears that far less security is applied to data held in computer systems than is the case for data held in manual systems. Employees are familiar with the security requirements of a filing cabinet but not necessarily those of an information system [10]. In the NHS, information systems security is generally seen as being of interest to the IT department, and so many professionals do not give adequate importance to these security concerns. Even if they do, they come up with solutions that are over-complicated. Indeed the widespread use of information technology by the health services today has given rise to ‘security blindness’ on the part of the users.

In light of such trends, IT managers hold the key to the success or failure of a hospital’s well being. In fact the very role of an IT manager is evolving. Organizations can no longer be interpreted in terms of technical installations and their functionality. The focus is shifting so as to consider the ‘wholeness’ and ‘soundness’ of information systems and the organization [8, 2]. Consequently an IT manager is taking on the role of maintaining the integrity of the organizational infrastructure (not just the technical information systems). Such a move would minimize the prospect of plagiarism, fraud, corruption or loss of data, and improper use of information systems that could affect the privacy and well being of all concerned.

This paper evaluates the form of the security measures and the means adopted to implement them within a particular hospital setting. It argues that a fuller analysis of organizational contexts is necessary in order to develop secure environments. The discussion is divided into three parts. The first analyses the issue of concern with respect to information systems in a particular hospital. The second interprets the form and means of the security measures in place. The third evaluates the implications for practice.

II. INFORMATION SYSTEMS IN THE HOSPITAL: ISSUES OF CONCERN

The case under consideration looks into a new system that has been introduced into a British NHS Hospital Trust. The Hospital Trust is a specialist one and caters for the needs of people with learning disabilities. The case illustrates the relationship between the design of an IT system and the loss in integrity of the organization and the system itself. Consequently, the new computer-based information system runs a high risk of misuse, abandonment or under-utilization. The case is presented under two headings. First, the wider contextual issues and purpose of the IT infrastructure are discussed. Second, differing interpretations by various stakeholders are discussed. The emphasis is to develop an understanding of the context of the case before discussing the form and means adopted for security.

A. Purpose of IT infrastructure

In recent years, following contextual pressures, individual hospital trusts in the U.K. have been forced to reassess their information needs. The most conspicuous problem was the timely availability of information. This was particularly the case in the NHS Trust which is the focus of this study. A computer-based information system was seen as a means to fill this information gap. It was envisaged that such a system would not only help the Trust to adapt to the macro environment (where there was increased pressure on the Trusts to provide precise information on their activities), but also add value to the health care delivery process. With respect to the recent changes in the health services, the traditional health care management system had certain shortcomings. For instance it was not possible to give due consideration to isolated ‘encounters’ which could

subsequently be consolidated into health plans. It was also not possible to perform audits and assess the effectiveness of resources used. In response to such criticisms an integrated information system has been implemented at this NHS Trust. It incorporates care-planning functionality in itself and also allows for case mix management and has clinical audit functionality. Thus the system helps the Trust to adapt better to the existing environment. Meeting the demands of the purchasers in providing information to assess the quality and effectiveness of services delivered facilitates this. Such information is drawn through a process of constant monitoring of care delivery, recording of assessment details and measuring of outcomes (refer to figure 1).

In implementing the integrated information system, the Hospital Trust has regarded information technology as the main catalyst for change. It has relied on IT for successful implementation of the concepts which add value to the health care delivery process and consequently to change the culture of the organization. Little consideration has been given to the systems of responsibility, both formal and informal. Thus there has been an over-reliance on the functionality of the system to reap information technology benefits. As a result the Trust has seen a massive reorganization of its ways of working. The adoption of new management, new structures and new styles of teamwork has come to the forefront. In achieving its objectives the management of the Trust is moving towards adopting principles of systematic monitoring and a single line of command, and developing hybrid staff members who know something of everyone’s job.

[Figure 1. Health care delivery process as perceived by the hospital managers. The diagram shows an ‘Unhealthy Client’ entering Client Processing (Hospital), which consists of Needs Assessment, Individual Care Plan, and Service Care Delivery & Discharge, producing a ‘Healthy Client’; a Service Quality Assurance stage feeds back into the process.]

B. Interpretations of IT infrastructure

Three professional groups characterize the Trust hospital: clinicians, nurses and managers. The three groups represent their own power structures in the organization. Interviews with members of these groups revealed conflicting ideologies (i.e. organizational and professional ideologies). The doctors and nurses believed in the profession and its norms more than in the new goals and objectives being enforced by the new IT infrastructure. The managers on the other hand wanted to derive business value out of the health care delivery process. Though the nurses and doctors agreed with this in principle, they had their own ideas of the manner in which this could be achieved. The doctors in particular felt that at a clinical level the system could not be utilized effectively. This was largely because the care-planning module of the system was geared for ‘long-stay’ patients. The needs of these patients are very different from those who come to the hospital for a ‘short-stay’ (this is typically the case in psychiatric hospitals). The objective of the information system was clearly in conflict with the organizational policy. The National Health Service in general and the Hospital Trust in particular were striving to move the ‘long-stay’ patients out into the community. The Trust was also in the process of closing two of its constituent hospitals in the next three years. Thus the need for an over-emphasis on long-stay patients seems unnecessary. The managers, though they agreed that patients were being moved out into the community, were not

convinced that the computer-based information system was solely geared for the needs of ‘long-stay’ patients. Further investigations revealed that in fact the user requirement analysis was flawed. The system developers had been shortsighted in their approach and only the ‘long-stay’ wards (which were due to be closed in the very near future) had been sampled for requirement analysis.

There is a strong likelihood that the computer-based information system at the Hospital Trust will contribute neither towards enhancing the productivity nor towards the effectiveness of the organization; rather it may make the organization highly vulnerable. This is because there is a mismatch between the actual practices and the formally designed information system. There are two contributing reasons. First, since the organization represents a split hierarchical structure (i.e. between clinicians and managers), the informal organizational norms are very weak, indicating the prevalence of an informal environment where the clinical and business objectives do not support each other. This has resulted in a remarkable difference between the roles created by the formal system and the roles as they actually exist. Second, though all stakeholders (doctors, nurses and managers) agreed that ideally the system would be a boon to the organization, there was disagreement on the manner in which it had been developed and implemented. The emergent organizational work practices were technology driven; i.e. it was the computer system that was determining the formal reporting and authority structures. Moreover, it was also forcing unrealistic informal social groupings on to the members of the organization. Since the key players were unhappy with the change process, there is the risk of the information system not being used.

III. SYSTEMS ANALYSIS WITHIN THE HOSPITAL TRUST

The health care delivery process, although visible, is known to most people at the service delivery level. Some of the elements of service delivery are highly norm based while others follow strict rule structures and are therefore procedure oriented. Within an organization these rules and procedures act as symbolisms producing images and narratives about different events. An interplay of rule and norm based structures determines the patterns of behavior in any given context. In the previous sections we have noted the cultural significance and the meaning content of these rule and norm structures. This section analyses the form and the means in which these rules have been implemented. Ideally, the rules specified for the IT infrastructure should adequately represent the real world of the organization [7]. If this does not happen then the computer based information systems run a high risk of being misused. Security concerns are therefore paramount when considering the implementation or viability of rule structures.

A. Logical service specifications at the Hospital Trust

In the particular case of the information system at the Hospital Trust, the system developers and the project team regarded Trust activities as an input-output process. Therefore they considered the health care process in terms of patients coming into the hospital, being treated and then discharged into the community (also depicted in figure 1). This conception helped in modeling the systems development tasks by using the Structured Systems Analysis and Design Methodology (SSADM). The first phase of SSADM, analysis of the current system, identified eleven sub-systems within the hospital environment. These sub-systems interact with each other to transform patients so as to improve their learning skills. The eleven sub-systems are: Admit client; Provide care; Client administration; Resettle client; Contract management; Staff deployment and duty rostering; Pharmacy; Monitor service quality; Provide staff training and development; Budget management; Manage ward. In conducting the analysis of the current system, SSADM requires an analyst to investigate problems, bottlenecks or dissatisfactions amongst users. This is an important stage since the very success of the final product may depend upon correct requirement assessment. The analysts for the integrated information system were supposedly directed by the Planning Manager to key personnel in each of the functional areas. Discussions with different people revealed that these personnel were not rightly placed to provide the required information to the analysts. Two interesting issues emerge. First, either the Planning Manager purposefully directed the analysts to these individuals or there are doubts about his competence. Second, the analysts (who were outside consultants) should have taken the initiative to define the problem domain adequately. The result of this is that though various processes had been identified, there was no consideration given to user reactions. A careful interpretation of such reactions helps in the development of a rich picture and assesses the pragmatic and semantic aspects appropriately.

The second stage of SSADM provides a logical view of the required system. The system analysts identified five core activities, viz.: Administer client; Provide care; Administer trust; Resettle client; Manage staff deployment. The logical structure was again based on the input-output model. The underlying presumption in this case is that if the needs of individual sub-systems are being met, then the needs of the overall system are also being fulfilled. The logical view of the system has problems at two levels. First, it is based on an inadequate systems requirement, which is an output of the first stage. Second, the control transforms introduced in the DFDs do not represent the real operations. The reason for this is also related to the problems in requirement analysis. Implementation of controls at this stage is a very sensitive issue. These become apparent once the system is automated. Because the nature of logical controls does not match the prevalent structures, there are problems of incoherence. This becomes clear from the structure of the ‘Provide Care’ sub-system of the

information system. The module is central to the health care delivery process and its successful operation depends on the construction of an individual care plan for each patient. However the analysts do not consider the relatedness of individual care plans and the organizational functions. The formal model for developing an individual care plan is based on the notion of choosing dishes from a hospital menu, a concept that does not consider the needs of the doctors. This notion is related to the ongoing conflict within the Hospital Trust regarding whether an individual care plan is drawn out of a ward round or vice versa. Such discordance becomes more obvious in a hospital that provides care to the mentally ill. Individual care plans work well in residential wards, but the management is closing those wards. What would be left will be the acute wards. Consultant doctors within the Hospital Trust are of the opinion that in this new setting primacy cannot be given to individual care plans. Judgments about care plans are largely dependent on ward rounds. In fact they proposed the merger of ward rounds and care plans when considering health care provision for acute wards. The logical model of the integrated information system simply considers the existence of a care plan and bases the controls (error handling routines) and security mechanisms around them. The ‘Provide Care’ module typically consists of six processes: assess needs; construct care plan; plan care delivery; review care; monitor care; implement care. Each of the processes gets constant input from the individual care plans for the purpose of monitoring and control. The quality of the logical model can well be imagined since there is an over-reliance on individual care plans, which do not necessarily represent the real world situation.

The second stage of SSADM also looks into the new requirements of the users. These are then included in the logical models. However, because of requirements analysis problems such new needs have not been met. In one particular case the requirements of some doctors have simply been ignored. The Hospital Trust is a center of post-graduate training of psychiatrists. The Medical Federation, which provides funding, had requested the consultants of the Trust to develop an IT infrastructure to better manage the training function. The consultants approached the project team in this regard but the planning manager declined to provide any system support in the short term. The consultants could not wait for years for such a system to be developed, so they bought some custom software from a vendor. The planning department for a number of reasons should not have ignored such a requirement. First, since it is a user requirement it should have been considered adequately. This would have also prevented independent

would probably have considered this new requirement more sympathetically.

Other stages of SSADM have had problems as well. The final set of formalisms selected by the users also does not represent the real environment. A feasibility study of various options for implementation was carried out and later presented to the users. Two interesting issues emerge. First, the users selected do not represent the real setting of the Hospital Trust. The ward managers involved in the study specialize in long stay residential care and non-acute illnesses. Consequently the focus of the information system is skewed in that direction. Second, the residential non-acute specialties are being relocated from hospitals to a community setting. The requirements in the new environment will be substantially different from what they are at present. The system developers have not considered this aspect. The reason is that none of the users from the acute mental illness units have been involved in selecting options for the system. The underlying intentions for such a situation are more political than indiscreet. Had the system analysts been aware, consideration would have been given to these factors. The remaining stages of SSADM, though having been carried out adequately, are insufficient because of the inconsistency problems highlighted above.

B. Logical control measures

It is a well documented fact that prior to system development, designers should achieve a deep understanding of the application problem domain [6, 3]. In terms of developing secure systems, it is important that security features are considered along with the system design process [5]. Accordingly Baskerville identifies three distinct stages. First, the emphasis should be to produce the right kind of security rather than to implement security correctly. If the latter is the case, then security is being considered as an afterthought to systems development. Second, either logical or transformational models should characterize security design in itself¹. Third, rather than emphasizing cost-benefit risk analysis, the focus should be on the usage of abstract models. Though there is a limited effort in using these concepts, the SSADM-CRAMM² interface offers some opportunities.

The system development team at the Hospital Trust, which used both SSADM and CRAMM, has however failed to capitalize on the benefits of the SSADM-CRAMM interface. As of now CRAMM is the only risk analysis method that has been integrated into the overall information systems design and development. The method comprises three
system developmental activities at the unit or departmental 1
Logical models consider the needs of a system in a data-
level. Second, inadequate management of the training
oriented (functional) manner. The transformational models
schemes would affect the quality of the training process,
emphasise more on the organisational and behavioural needs.
which in turn means that funding may have been
System development for the information system at the
withdrawn. This could result in loosing accreditation for the Hospital Trust is based on logical modeling.
training programs resulting in the loss of manpower. Had
2
the system analysts been aware of the consequences, they CRAMM is the CCTA risk analysis methodology

23
stages, each being supported by the CRAMM software (footnote 3) [11].

• Stage 1 sets up the scope and boundary of the analysis. Owners of the data are identified and interviews conducted.
• Stage 2 groups the organisational assets logically by using a database of generic threats.
• Stage 3 suggests countermeasures on the basis of asset groups, risk levels etc. (see figure 2).

The main difficulty of using CRAMM is the level of expertise expected from the analysts in carrying out stages 1 and 2 [15]. Used properly, CRAMM accepts inputs from different stages of SSADM. Stage 1 of CRAMM proposes a set of countermeasures based on the initial system specifications. The second review stage produces a set of countermeasures based on the initial view of data and the business options as conceived by the analysis and requirements specification stages of SSADM. The third stage identifies countermeasures on the basis of the technical decisions taken while using SSADM. A final list of countermeasures is generated which is later used in the physical design of the system.

In the Hospital Trust information system, the emphasis in generating countermeasures has been skewed towards stage 3 of CRAMM. Rather than using inputs from SSADM to identify countermeasures at stages 1 and 2 of CRAMM, the systems developers have used the NHS Management Executive’s documentation to identify broad categories of threats. An important step in stage 1 of a CRAMM review is the identification of ‘data owners’ and then conducting qualitative interviews with them for asset evaluation. This has not been done. Interviews were conducted only with the Chief Executive, the Planning Manager, the IS Manager, the Director of Finance, the Administration Manager in one of the constituent hospitals and the Medical Audit Manager. A few members of the system user group who did participate gave more information suitable for system development activities than for asset evaluation. Moreover the interviewees are not necessarily the ‘data owners’.

In the Hospital Trust, though the analysts used CRAMM to identify possible countermeasures so as to establish relevant controls in the physical design phase, they did not carry out the tasks suggested in stages 1 and 2. The complexities, problems and shortcomings in identifying ‘data owners’ and valuing assets are marginalized when CRAMM itself is not used correctly.

Figure 2, Overview of CRAMM

Stage 1
• Detail the current/planned system
• Establish boundary and schedule the review
• Data and physical asset valuation
• Establish dependency of data assets on physical assets
• Abbreviated threat and vulnerability assessment
• Management review

Stage 2
• Relate asset groups to threats
• Threat and vulnerability assessment
• Calculate security requirements, i.e. measures of risk
• Management review

Stage 3
• Countermeasure selection
• Where relevant, examine existing countermeasures and compare to those that are recommended
• Use management help facilities
• Produce recommendations
• Management review

The notion of identifying ‘data owners’ is complex in itself. This concept is based on the presumption that almost “everything in existence on the earth ‘belongs’ to some individual or organization” [9]. Therefore an owner of an asset has authority over it and has responsibility for its safekeeping. This assumption facilitates the implementation of control mechanisms in a strictly hierarchical manner. The origins of such a notion can probably be traced to the military sector, where there is a prevalence of strict hierarchies and it is relatively easy to delineate data into concrete physical entities. However, in a civilian environment, identifying responsible agents may not be all that easy. This is more so in a hospital setting which is gradually evolving into an organismic form (i.e. it is developing strong external relationships and weak internal structures).

C. Structure of the controls

The means of implementing security controls are as dubious as the form of the controls. This becomes clear on analyzing the existing control mechanisms at the Hospital Trust’s information system. The analysis can be performed by

[Footnote 3] Of late CRAMM has been the subject of a lot of criticism; therefore CCTA has commissioned a research and development project which culminates in the release of a new version later in 1995.
looking at processes and the related modulators (footnote 4). A simple example is the process of recording someone’s fingerprint. An impression must be left on a greasy surface, glass or special paper before being observed by the human system. In this case modulation concerns the manner in which a signal is given some physical representation before being observed. This interpretation is a two way process. Not only can an object leave an impression (a fingerprint, a sign) for interpretation, but also a number of signs can be translated into a physical object. Control is instituted through a feedback process, the emphasis being on having a minimal level of departure from desired performance. An adequate control therefore is one in which the ‘modulator’ retains the meaning of the final outcome.

The controls in the information system can be analyzed by looking at the characteristics of the modulation process. Consider the Client Care module of the system. Doctors diagnose and analyze the patients’ requirements through a complex set of signals, even though they are observing a single modulation process. The meaning of their final prognosis depends heavily on the relationship with patterns formed with other signals. The module however is ‘straight-jacketed’ and does not allow subjective interpretations. Typically it permits a doctor/nurse to enter the goal of the treatment, the expected outcome and the desired outcome. Additionally there is a facility to prioritize the goals. The controls emphasize the efficiency of service delivery, giving no consideration to outside influences. The controls are implemented with the assumption that inputs and outputs of the modulator (the rule structure of the information system in this case) can adequately be captured and assessed. Furthermore it is assumed that the primary source of a given data will go in as input to the system and that the output is the result of a convenient recording operation. The doctor or a nurse can then see the deviations in performance, which can subsequently be rectified. The mechanisms are represented diagrammatically in figure 3.

Figure 3, The control feedback loop and the emergent concerns. [Diagram: Input (goals, expected outcomes, desired outcomes) and other inputs enter the Modulator (the mechanism by means of which the input objects are modified in the carrier); the Carrier is the information system; the Output is the final interpretations, fed back to the input.]

If we take a real life example of a patient coming into hospital for treatment, the simplistic control structures of the module become obvious. An initial review of the patient may indicate symptoms of some kind of schizophrenic psychosis but it may require considerable effort to pinpoint the class of schizophrenia. Since the goal, expected outcome and desired outcome cannot be stated as clearly as the system expects us to do, the very use of the module becomes questionable. In terms of modulation, the origins of the problem can be traced to the influences of other signals on the modulator. In the particular instance of diagnosing hebephrenia, a class of schizophrenic psychosis, the other signals take the form of symptoms such as ‘shallow mood accompanied by giggling’, ‘self absorbing smile’, ‘hypochondriacal complaints’ etc. The final interpretation of a doctor is therefore very different from the perceived outcomes. The system attempts to impose a strict formal control of comparing the output to the input without considering the complexity of the task. The existence of such controls is very problematic and raises concerns for security, particularly that of misinterpretation of data. This can be a serious security concern.

IV. SUMMARY

The health care delivery process as conceived and conceptualized by the managers of the Hospital Trust has subsequently been translated into a computer-based information system. Ideally the computer-based system should link the understanding and expression of ideas to the formal systems [13]. This should form the basis for generic solutions around which specific applications can be built. Liebenau & Backhouse [13] identify the notions of ‘usage’ and ‘reference’ as fundamental to establishing a link between the intentions and meanings (i.e. semantic considerations) and the formal representations (i.e. syntactical issues). ‘Usage’ refers to the ways in which formalisms are created and the concept of ‘reference’ links the formalisms to actual actions. Table 1, which summarizes the security concerns for each module of the information

[Footnote 4] The basic ideas of modulation are rooted in Shannon’s Mathematical Theory of Communication. The notion assumes that when a message is communicated it gets translated while moving from one medium to another. In doing so it carries a set of patterns from one medium and imposes them onto another.
system, links these to an inadequate understanding of the ‘usage’ and ‘reference’ issues by the system analysts.

Considering the computer based systems development activities, the various modules of the integrated system represent the formalisms, which encompass the elements of the health care delivery process. The actual delivery of services is related to the functionality of the modules. In a good systems development activity, the correct use of the ‘usage’ and ‘reference’ concepts is very important since it allows us to relate the meanings of our actions in the real world to actual physical, social and legal operations. Ideally, the rules specified for the IT infrastructure should adequately represent the real world of the organization [7]. This has not been achieved in the integrated information system at the Hospital Trust. Part of the problem lies with the kind of methodology chosen for systems development, i.e. SSADM (Structured Systems Analysis and Design Methodology). Although SSADM helps in mapping the requirements of the manual system, it is rather difficult to generate a ‘rich picture’ of the organization. Consequently, the rules and procedures of the information system ignore power, politics, intentionality and beliefs of different individuals and groups. The system developers lack a clear understanding of the ‘real world’, resulting in an inadequate system being developed which runs a high risk of under-utilization or even complete abandonment.

Table 1, Summary of the form of the information system and related security concerns

Columns: Module; Issues regarding the nature of formalisms (‘usage’); The relationship of formalism to actions (‘reference’); Security concerns.

Administer Client
  Usage: Translates the whole manual operation into a computer based one.
  Reference: The module relates to the actual practices.
  Security concerns: Though the primary concern is for privacy, which can be maintained by password protection, there are however implementation problems.

Provide Care
  Usage: Presumes that patient needs can easily be categorized and hence imposes predetermined classes of activities.
  Reference: Computer based classes do not adequately represent the ‘real world’ actions.
  Security concerns: Problem of validity of perceived actions. Because of such inconsistency problems even simple control mechanisms run the risk of being misused/not used.

Manage Pharmacy
  Usage: Translates pharmacy record maintenance onto the computer.
  Reference: Falls short of fulfilling the basic objective of pharmacy costing and drug utilization reviews.
  Security concerns: Threats of vulnerability to competitors and integrity problems of the pharmacy processes.

Administer Trust
  Usage: Formal structures of this module presume that all other modules are being used adequately.
  Reference: Logically the module would generate relevant management information.
  Security concerns: Because this module draws information from the ‘provide care’ and ‘resettle client’ modules, its success depends on those modules.

Resettle Client
  Usage: Module based on the premise: minimize patient stay in the hospital.
  Reference: A worrying trend because it questions the significance of managerial jobs. This has prompted managers to reassess their objective.
  Security concerns: The information system attempts to be a medical decision support system. The validity of such systems is questionable. Raises problems of power and conflict.

Manage Staff Deployment
  Usage: Computerizes the personnel aspects: wages, salaries, duty rostering etc.
  Reference: No emphasis on training and development, a real requirement.
  Security concerns: Excessive personnel controls result in alienating employees.
V. IMPLICATIONS FOR PRACTICE

The analysis of the form and means of the security measures indicated concerns with the design and development of computer based information systems. Design and development is a social process that encompasses communication, learning and negotiation between different stakeholders in an organization [16]. The process draws upon structured methodologies as a means to accomplish the design and development tasks. The methodologies evaluate the problem domain by either taking a technical and objective view of the phenomena or by being more subjective in interpreting the issues. Since security design methods are rooted deep in the systems design methods they may in turn take a subjective or an objective orientation. However, the question that is often asked is: do we need a separate security design methodology, or are the existing systems design methodologies sufficient? The analyses of the findings of this research indicate that indeed security can be integrated into the existing systems analysis and design approaches. The emphasis however should be less on the technical, programmable aspects and more on the requirements elicitation and specification criteria. Doing so will produce a system that is comprehensive, correct and complete. This is clearly illustrated in the form and means of security measures in the Hospital Trust. Having developed a good quality system would implicitly mean that it has a good security design. Such beliefs form the basis of some fundamental principles, adherence to which would determine the integrity of the designs. These are discussed below.

A. Principles

1. A deeper understanding of the organizational environment should form the basis for security designs. Since systems development and security designs relate to the shaping of new forms of identity at work, new social structures and new value systems, an understanding of the deep seated cultural aspects of a system would allow an appropriate security design. However, the choice of systems development methods and respective security designs is often determined by the mindset of the people involved and the immediate economic and social pressures on an organization. In this case it is worthwhile to know the limitations of the respective choices so that the overall quality of the systems is maintained.

Most of the existing approaches to systems development and security are rooted in functionalist thinking that purports ahistoric and non-contextual controls to be implemented. The systems design in itself is based on isolating dependent and independent variables from their contexts. Consequently the designs and the related controls are not situational, holistic and emergent. Other approaches may be grounded in an objective view of the world. Objectivity by itself is not criticized here, but since the emphasis is to institute controls by giving primacy to the mechanics of socio-economic structures there is a significant element of determinism in doing so. The most suitable approach, and the one propounded in this paper, is contextualist in nature. Thus in developing systems and instituting controls, primacy is given to realism of context and theoretical and conceptual development as the primary goal [14].

2. Good security design will lay more emphasis on ‘correctness’ during system specification. Correctness in system specification is the key to a good security design. However, system developers and researchers alike have had varying degrees of success in proposing mechanisms which would facilitate the development of appropriate systems. There have been attempts to take the ‘best’ aspects of various approaches so as to extend the usefulness of the methodologies. Avison & Fitzgerald [4] however note that doing so may result in the whole breadth of information systems development lacking a coherent philosophical base. In order to specify systems that are ‘correct’, it is useful to distinguish between the human information communication functions and the technology platform needed to carry out such processing. The underlying belief here is that an organization in itself is an information system, which allows human agents to communicate with each other, resulting in purposeful activity. In this case a system specifier should first address the social issues related to the beliefs and expectations of different people, their culture and the value system. Next the intentionality and communications of various agents need to be analyzed. Developing an understanding of the different meanings associated with the action follows this. Such an interpretation provides an analyst with a deep understanding of the organizational issues and facilitates decision making about what aspects can best be supported by technology. There are no discrete steps to arrive at such a decision; the process is interpretive and contextually motivated. The understanding so gained allows formal specification of the rules and procedures, formal structures and logical connectivity of different modules. These can then be translated into computer programs. The emphasis here is on developing a sound understanding of the deep seated pragmatic aspects of the problem domain. The better the understanding, the greater is the probability of achieving ‘correctness’ in system specifications.

3. A secure design should not impose any controls, but choose appropriate ones based on the real setting. The preoccupation of most system developers with respect to implementing controls is with ‘what ought to be, rather than what actually is’. This flows from the assumption that there is only one best way to organize the elements of a system. In such a situation prescriptive recommendations are made and a system is expected to behave in a predetermined manner. In fact control is “the use of interventions by a controller to promote a preferred behavior of a system-being-controlled” [1]. In that sense, a control refers to a broad range of interventions. Such interventions relate to the composition and
modification of the tasks of individuals or groups, an increase or decrease in the formal rules and procedures, or changes in management practices related to training and education. In practice controls do not always produce the desired results. Therefore it is important to evaluate the context in which controls will be implemented.

With respect to systems analysis and design, a major threat is that control issues are generally considered only when user requirements have been abstracted into a logical model (footnote 5). Without contextual clarity, such controls generally lack the catalyzing effects that were originally claimed for them. Leavitt [12], while addressing the issue of organizational change, refers to such ‘acontextual’ controls as “one-track solutions”. These are solutions that are offered for isolated problems without considering other control systems and their contexts. Controls therefore cannot be placed arbitrarily within the design of a system. Implementing system security controls is context driven and should be considered as a major managerial issue.

In conclusion, the evaluation of the form and means of security measures in the Hospital Trust has ignored the contextual and the deep-seated pragmatic concerns. This has resulted in dehumanizing the security design and development process. The analysts have brought determinism to the center stage with an endeavor to replace the non-rational qualities of human beings with mechanistic rules of rationality. Indeed, the vain hope has been to develop measures for the level of security and have an objective view of the consequences.

[Footnote 5] Baskerville [5], for example, emphasises the importance of instituting controls in the logical design phase of conventional structured systems analysis and design methods.

REFERENCES

[1] J. E. Aken. On the control of complex industrial organizations, Nijhoff, Leiden, 1978.
[2] I. O. Angell. Computer security in these uncertain times: the need for a new approach, Proceedings of the tenth world conference on Computer Security, Audit and Control, COMPSEC, London, UK, pp. 382-388, 1993.
[3] D. Avison and T. Wood-Harper. Information systems development research: an exploration of ideas in practice, Computer Journal, Volume: 34, Issue: 2, pp. 98-112, 1991.
[4] D. E. Avison and G. Fitzgerald. Information Systems Development: Methodologies, Techniques and Tools, Blackwell Scientific Publications, Oxford, 1988.
[5] R. Baskerville. Designing information systems security, John Wiley & Sons, New York, 1988.
[6] R. Baskerville. Information Systems Security Design Methods: Implications for Information Systems Development, ACM Computing Surveys, Volume: 25, Issue: 4, pp. 375-414, 1993.
[7] P. B. Checkland. Systems thinking, systems practice, John Wiley & Sons, Chichester, 1981.
[8] G. Dhillon and J. Backhouse. The Use of Information Technology in Organizations: Dealing with Systemic Opportunities and Risks, Proceedings of the second SISnet Conference, 26-28 September, IESE, Barcelona, 1994.
[9] P. Dorey. Security management and policy, in W. Caelli, et al. (eds.), Information security handbook, Stockton Press, New York, pp. 27-74, 1991.
[10] R. Dunn. Data integrity and executive information systems, Computer Control Quarterly, 8, pp. 23-25, 1990.
[11] B. Farquhar. One approach to risk assessment, Computer Security, Volume: 10, Issue: 1, pp. 21-23, 1991.
[12] H. J. Leavitt. Applied organization change in industry: structural, technical and human approaches, in W. W. Cooper, et al. (eds.), New perspectives in organization research, John Wiley, New York, 1964.
[13] J. Liebenau and J. Backhouse. Understanding Information, Macmillan, London, 1990.
[14] A. M. Pettigrew. Contextualist Research and the Study of Organizational Change Processes, Proceedings of the Research Methods in Information Systems, Manchester, 1985.
[15] G. Polson. Risk Analysis - a consultant's perspective, Proceedings of the 1995 Security Colloquium, Computer Security Research Center, London School of Economics and Political Science, London, January 26, 1995.
[16] G. Walsham. Interpreting information systems in organizations, John Wiley & Sons, Chichester, 1993.
The Impact of Interdependent Risk on Health Care Information Infrastructure Effectiveness

Insu Park, Raj Sharman, H. R. Rao and Shambhu Upadhyaya
State University of New York, Buffalo, NY

Abstract-This study explores how health care organizations mitigate risks due to infrastructure interdependencies using the information systems success framework. Specifically, this study examines whether interdependent risks affect information infrastructure effectiveness and, if so, what are the critical factors? How are interdependent risks mitigated by those factors across stakeholders? And how does mass disaster affect the stakeholders’ perception of interdependent risks? This study makes a contribution to the literature on information infrastructure and risk management. This study will offer empirical support for the proposed framework on risk mitigation for infrastructure interdependent risks by using an information systems success framework. Further, this study will empirically support the theorized link between the way interdependent risks are managed and an organization’s information infrastructure.

Keywords: interdependent risks, health care information infrastructure, infrastructure interdependency, information infrastructure effectiveness.

I. INTRODUCTION

The worst storm (October 12-13, 2006) in Buffalo's history left behind a heartbreaking legacy of downed trees, lost power and a double whammy of snow and flooding. The unprecedented mix of a warm Lake Erie and rapidly dropping air temperatures created nearly two feet of extremely heavy snow that fell on thousands of trees in full fall foliage. Every hospital serving the Buffalo area was at or near capacity, with patients in beds and more coming through the door from Friday through Sunday in the storm's aftermath. Much of the impact was magnified because of the interdependence of infrastructure in terms of input and output of resources, geographic proximity of power structures to foliage, power lines and roads, foliage to roads, etc. In particular, individuals in the public health sector might have been psychologically affected by the fear that the infrastructure might not work well. Consequently, the potential impact resulting from the physical risks led them to work ineffectively.

This study explores, first, the effect of perceived interdependency risks on the information infrastructure’s effectiveness; second, how health care organizations mitigate perceived interdependent risks (i.e., risks resulting from mutual dependency among entities) due to infrastructure interdependencies using the information systems success framework [8]; and third, how a mass disaster affects the individuals’ perception of interdependent risks.

This model makes a contribution to the literature on information infrastructure and risk management. First, by providing a detailed description of the nature of interdependency risks and their underlying mitigators, it contributes to our better understanding of perceived risks, which might be considered as psychological effects in infrastructural disasters. Second, it describes the mechanisms by which the information infrastructure can be enhanced by identifying and describing how interdependency risks can be mitigated. This study integrates sociological (e.g., computer self-efficacy), technical (e.g., systems factors), and organizational (e.g., management support) fields using the information systems success framework in order to theoretically explain the impact of perceived interdependency risks on information infrastructure and the mitigating roles of the three fields. This opens new avenues for identifying mitigating factors that can overcome interdependency risk perceptions by explaining its proposed antecedents.

This paper is organized as follows. The relevant literature on health care information infrastructure is discussed in Section 2. A conceptual model is presented in Section 3. Four propositions are also presented. The proposed methodology for the analysis is contained in Section 4. Section 5 forms the conclusion.

II. RELATED RESEARCH

A. Health Care information infrastructure (HII)

The term Information infrastructure has been widely used only during the last couple of decades. According to Hanseth et al. (1998) the notion of Information infrastructure consists of an inter-connected collection of computer networks, but with a heterogeneity, size, and complexity extending beyond what exists today. They define information infrastructure as “a shared, evolving, heterogeneous and open system of IT capabilities whose evolution is enabled and constrained by the installed base and the nature and content of its components and connections” [13]. On the other hand Sirkemma (2002) defines IT infrastructure as a combination of technology, hardware and software that provide services to a range of applications and users, and it is usually managed by the IT group. This definition is based on the fact that IT infrastructure is not just a combination of different devices
and components but it highlights the importance of the human element [29]. In contrast to information systems/technology, information infrastructure has no fixed purpose to justify its existence.

On the other hand, a corporate/regional/national healthcare information infrastructure (HII) is about bringing timely health information to, and aiding communication among, those making health decisions for themselves, their families, their patients, and their communities [17]. The Centre for Health Information Infrastructure defines information infrastructure as a series of technologies, products and services that will provide the framework for an interconnected and interoperable network to link hospitals, clinics, research institutions, community health centers, other health related institutions, and homes.¹

HII can be divided into several subsections depending on the area/section. For example, local or community health information infrastructures (LHII) collect sources of clinical information within a community or region, with many potential economic advantages [20]. The National Healthcare Information Infrastructure (NHII)² is an initiative set forth to improve the effectiveness, efficiency, and overall quality of health and health care in the United States. This includes the set of technologies, standards, applications, systems, values, and laws that support all facets of individual health, health care, and public health (NHII, 2004). The public health care information infrastructure (PHII) comprises an intricate web of data resources, information systems, epidemiological analysis and investigation, standards, laws, and values. These elements are used by public health agencies at the local, state, and federal levels to prevent illness and promote health.³

Information infrastructure’s general goal is to offer IT-based shared information services to a community. This definition highlights two critical features. First, information infrastructure must be open and, as a result, it must rely on shared standards [13]. Infrastructures are open in the sense that there is no limit on how many users, computer systems or other technical components can be linked to them. In addition, an infrastructure emerges as a shared resource between heterogeneous groups of users.

B. Infrastructure Interdependency
Each of the critical infrastructure sectors is increasingly becoming interdependent with the others. Disruptions in one sector are likely to adversely affect the operations of others. Interdependent effects occur when an infrastructure disruption spreads beyond itself to cause an appreciable impact on other infrastructures, which in turn causes more disruptive effects on the other infrastructures. When an infrastructure system suffers an outage, it is often possible to estimate the impact of that outage on service delivery. These are the “directly dependent effects” of the outage. For example, loss of telecommunications services can delay financial service transactions and the delivery of electric power. As a relatively new and crucial concept, interdependency is defined as the reliance of one infrastructure upon another or even mutual reliance of infrastructures upon one another [27, 32]. Interdependency effects have been observed numerous times, such as while assessing the US western states power outage in 1996. Rinaldi et al. [27] identified six dimensions for understanding infrastructure systems, including infrastructure characteristics, such as spatial and organizational scope, and the legal/regulatory framework.

The interdependency problem is further compounded by the extensive linkage of physical infrastructure with information technology systems. Communication and information technologies (ICT) affect infrastructure system design, construction, maintenance, operations, and control, and more change appears inevitable. Potential applications include coupled sensing, monitoring, and management systems, distributed and remote wireless control devices, internet-based data systems, and multimedia information systems.

Although the coupling of physical infrastructure with information technology promises improved reliability and efficiency at reduced cost, there is surprisingly little knowledge about the behavior of these coupled systems, and thus their potential for cataclysmic failure is high. Experience has shown that software is fragile by nature, and the software element of control and data acquisition systems is usually the least robust part of an integrated system.

Interdependency is a bidirectional relationship among infrastructures through which the state of each infrastructure is influenced by or correlated with the state of the others. As a simple example, the national electric power grid and natural gas network are interdependent – natural gas fuels many electrical generators, and elements of the natural gas infrastructure (e.g., gas conditioning plants, compressors, and computerized controls) require electricity to operate. A disturbance in the electrical system can cascade to the natural gas system, and loss of natural gas pressure can curtail the generation of electricity. Consequently, the states of these systems are mutually correlated. This simple case illustrates the importance of employing a systems perspective – an operational or security analysis of either infrastructure would be incomplete if it did not consider how the electric grid influenced the state of the natural gas system and vice versa. There are four primary classes of interdependencies [27]: physical, geographic, cyber and

¹ Centre for Health Information Infrastructure, “HealthScape ’95: Charting Health Information Infrastructure”, Dec. 1995.
² http://aspe.hhs.gov/sp/nhii/
³ http://content.healthaffairs.org/cgi/reprint/21/6/45.pdf
logical.

Interdependencies have been predominantly physical and geographic in nature. However, several factors have increased the prevalence and importance of cyber and logical interdependencies [24]. These include the proliferation of information technology along with the increased use of automated monitoring and control systems, and the increased reliance on the open marketplace for purchasing and selling infrastructure commodities and services.

C. Interdependent Risks
The term ‘interdependent risk’ is derived from ‘interdependent security’ in the study of Kunreuther and Heal [19] and Heal and Kunreuther [14]. They recently introduced the concept of interdependent security using game-theoretic models as a way of investigating how interdependency affects individual choices about security expenditures in interdependent systems. Specifically, this framework has been applied to evaluating investments by individuals and firms in the security of infrastructure operations, emphasizing that any firm's risk is strongly dependent on the operational behaviors, priorities, and actions of others through interconnected networks or supply chains.

As the infrastructures become more interdependent on each other, there is a growing risk that restoration efforts or uncertainties undertaken by one sector could adversely affect the operations or restoration efforts of another, thereby contributing to further service disruptions [5]. The risk faced by one infrastructure of an organization or society depends on the actions of others because an organization’s information infrastructure is connected to other entities – so its efforts may be undermined by failures elsewhere. Accordingly, interdependent risks in this study are defined as the risks caused by the activities of one sector (or infrastructure) that produce a negative impact on other interconnected infrastructures.

Interdependent risks with respect to the information infrastructure are closely related to risks among interrelated critical infrastructures (external interdependent risks) or internal components (internal interdependent risks) in an organization. The risk faced by an individual is determined in part by one’s own behavior (direct impacts) as well as the behavior of others (indirect impacts). This characteristic of interdependent risks gives a unique and hitherto unnoticed structure to the incentives for organizations to invest in mitigation. A consequence of interdependent risks is that a part of the cost of a failure is passed on to stakeholders.

In this study, we use two different concepts to explain the risks arising from interdependency of infrastructures. First, the increased interdependency, combined with greater operational complexity, has made critical infrastructures particularly vulnerable to natural hazards, human error and technical problems as well as new forms of cyber crime, terrorism and warfare [23]. Each of these events can result in severe service deterioration or outright infrastructure failure [1]. External interdependent risks (EIR) are caused by the vulnerabilities resulting from interdependency among the extensive linkages of physical infrastructure with information technology systems. For example, the 2001 World Trade Center attack showed the effect of risks of interdependency among infrastructures [22]. Thus, EIR may increase physical damage and are difficult for an organization to control.

On the other hand, internal interdependent risks (IIR) can be caused by the components building an infrastructure in an organization. For the interdependencies within an organization, each internal infrastructure may suffer from the disruptions of the other infrastructure. Information infrastructure in an organization contains several components such as platforms, applications, technologies, and humans. Compared to EIR, the conflicts among these components in IIR reduce the effectiveness of an organization’s infrastructure, and may be controlled by the organization that includes those components. The potential consequences of ineffective information systems to a healthcare center depend not only on its own choice of information infrastructure but also on the actions of other infrastructures such as human development. To illustrate this point, consider two infrastructures in an organization: information and medical facility. Each infrastructure faces a certain risk or uncertainty of a disruption that damages itself, and also a probability that such an attack would disrupt the activities of the other infrastructures. Therefore, interdependent risks in an organization can have devastating impacts on all parts of the organization. These negative externalities are an important feature of interdependent risks [15].

Figure 2. Interdependent Risks (diagram: public health infrastructure; external interdependent risks arising from the interdependency between physical infrastructures and the information infrastructure; internal interdependent risks within the information infrastructure)

D. Information Infrastructure Effectiveness
Our conceptual framework is based on the information systems success framework from DeLone and McLean [8]. This framework integrates two different viewpoints on
information systems, i.e., the organizational and socio-technical viewpoints. Several viewpoints have been used to explore information systems’ effectiveness in previous research. For instance, Garrity and Sanders [10] show two different ways to view IS success: the organizational perspective and the socio-technical perspective. However, these perspectives focus largely on the IS related factors, such as information quality and systems quality, as independent factors. These factors are not related to the IS but to the organizational climate and the individual. The principal focus of the organizational perspective is on the quality of the interface and the information provided by an IS to aid the workers in accomplishing their tasks. This was criticized for ignoring the human element. The socio-technical perspective, however, focuses on individual needs and assumes that the individual employee seeks monetary and other rewards.

DeLone and McLean identify six dimensions from the organizational and socio-technical perspectives of an IS. They are embedded in many common current approaches to evaluate IS effectiveness, which differ only in terms of the dimensions chosen for measurement [2]. The concept of information systems’ effectiveness has been widely accepted in IS research as a principal criterion for assessing performance resulting from the usage of information systems [25]. Although a variety of conceptualizations have been offered among IS researchers, a core concept of IS effectiveness indicates that the degree of success in attaining organizational goals or performance is triggered from the usage of an information system [12, 26]. To measure IS effectiveness, IS researchers have used not only diverse constructs but also multiple measures that are able to tap into the concept properly [8, 25, 28]. Based on the review of previous literature, this study assesses IS effectiveness with three factors: individual impact, user satisfaction toward IS, and organizational impact. Such factors have been widely accepted among IS researchers as reliable constructs [8, 25, 31].

According to DeLone and McLean [8], individual impact refers to the positive effect of information on individual behavior. They explained that the term “impact” contains the indication of performance or productivity. Several items have been used to evaluate individual impact, such as perceived usefulness [25], net benefits [28], individual job performance, individual productivity, ease to do, etc. In line with individual impact, organizational impact indicates the organizational effect of information on organizational performance [8, 12].

The final construct is user satisfaction, which refers to end-users’ overall affective and cognitive evaluation of the level of consumption-related fulfillment experienced with information systems [2]. User satisfaction is the most widely used measure of information systems success. This is not only because it is often used as a surrogate of management information systems effectiveness, but also because it is related to other important variables in systems analysis and design.

III. PROPOSITION
Following the information systems success framework, we propose three risk-mitigating constructs: systems and information quality, management support, and computer self-efficacy. This paper focuses on the proposed constructs that mitigate internal interdependency risks rather than the specific items that compose each of these factors.

Since the proposed interdependent risk mitigators are hard to develop, it is important to empirically assess their relative effectiveness in mitigating perceived risks. Our results will inform information infrastructure practitioners about interdependent risk mitigators, and they will thus be able to design an information infrastructure that specifically aims to incorporate each of the proposed mitigators.

Based on the preceding statements, a research model is proposed that aims to understand and prescribe how interdependency risks can be mitigated (Figure 2). In this model, infrastructure effectiveness is determined by external/internal interdependency risks. These interdependency risks are mitigated by systems, organizational, and personal factors.
Figure 2. Conceptual Framework for Risk Mitigators and HII Performance (diagram: Risk Mitigators: System & Information Quality, Management Support, Computer Self-efficacy; Interdependent Risks perception: EIR (External Interdependent Risks), IIR (Internal Interdependent Risks), Mass Disaster; moderator: IA (Information Assurance); HII Effectiveness: Organization Impact, Individual Impact, User Satisfaction)

A. The Effect of Interdependent Risk (IR) on Information Infrastructure Effectiveness in the Public Health Sector

As for any risk, regardless of whether it results in an injury to an individual or society, or causes damage to a system or to any other assets, it needs to be reduced [11]. External interdependent risks positively affect internal interdependent risks. In a health care organization, the more the stakeholders perceive external interdependent risks from infrastructures, the more they perceive internal interdependent risks. In the real context, for example, the storm (October 12-13, 2006) had affected stakeholders both physically and mentally and had caused a concern that health care information infrastructure had not proved to be efficient and effective in tackling the situation. In addition, external and internal interdependent risks can reduce the information infrastructure’s effectiveness. Previous research on information technology and systems has been stimulated by the discovery of a negative relationship between IT risks and IT project success [3, 16]. According to Jiang et al. [16], behavioral and technology-related risks can negatively affect information systems’ success directly or indirectly. Thus, our propositions regarding the relationship between interdependency risks and the information infrastructure’s effectiveness are as follows:

• Proposition 1a: External interdependency risks are positively related to internal interdependency risks
• Proposition 1b: External interdependency risks are negatively related to HII effectiveness
• Proposition 1c: Internal interdependency risks are negatively related to HII effectiveness

B. Internal Interdependent Risk Mitigators
One aspect of perceived risk is positively associated with demands for risk mitigation and decision-making. Previous research has found that there are significant correlations between risk perception and precautionary behavior and decisions to implement countermeasures aimed at risk reduction (e.g. [9, 18, 30]). Consequently, risk perception is expected to be positively associated with demands for risk reduction or demands for risk mitigation.

Since perceived interdependent risks are determined by the external and internal interconnection among infrastructures, they can be mitigated not only by controlling the relationship between their information infrastructure and other infrastructures but also by enhancing the internal components of the information infrastructure. However, external interdependent risks are not controlled by an organization, because those risks are caused by bidirectional relationships between infrastructures through which the state of each infrastructure is influenced by or correlated with the state of the other.

To mitigate perceived IIRs, we propose three sets of factors: information infrastructure characteristics (i.e., systems quality and information quality, which are largely based on the information systems’ success framework), top management support as an organizational characteristic, and computer self-efficacy as an individual factor.

Based on past studies on information and system quality, this study adopts information and systems quality as mitigation factors of interdependent risks. As past research has shown [8], information and system quality can play a role in enhancing information systems success, which is expected to reduce the risks related to the information used. Several studies have focused on the positive effect of top management support on IS effectiveness. Management support creates a positive attitude in employees towards the use of IS [31]. In reality, many disaster recovery service
providers agree that management support is vital for disaster recovery planning to work [21]. Management support is essential to identify operations which are critical for the public sector in several situations and to provide important information concerning significant functions [4]. Prior research on computer self-efficacy (CSE) has suggested that CSE plays an important role in an individual’s behavior towards information systems. Compeau et al. [6] found that CSE is significantly associated with performance expectations, personal expectations, and system usage in a longitudinal context. This logic can be applied to mitigate the interdependent risks caused by information infrastructure. That is, high levels of computer self-efficacy would reduce internal interdependent risks. This becomes a major impetus for people to enhance their confidence levels towards the application of IS, and this can ultimately be linked to better performance beyond their expectations on information infrastructure. The factors mentioned above offer the following propositions of the present study:

• Proposition 3a: Information & system quality reduce internal interdependency risks
• Proposition 3b: Management support reduces internal interdependency risks
• Proposition 3c: Computer self-efficacy reduces internal interdependency risks

C. The Moderating Effect of Information Assurance
Interdependent risks from information infrastructure are prone to be vulnerable due to flaws in network security. A fundamental cause of many risks is the variety of ways that individuals and/or groups can utilize digital technologies to engage in inappropriate, criminal or other illegal online activities (Vlasti et al. 2004). Information assurance “protects and defends information and information systems infrastructure by ensuring their availability, integrity, identification and authentication, confidentiality, and non-repudiation.” This includes providing for the restoration of information infrastructure by incorporating protection, detection, and reaction capabilities. In this study, information assurance plays a moderating role for enhancing the effectiveness of information infrastructure by reducing the impact of interdependent risks.

• Proposition 4: Information assurance moderates the relationship between interdependent risks and information infrastructure effectiveness.

IV. PROPOSED RESEARCH METHODOLOGY
We propose a research design within the explained proposed framework as a field study. The subjects must be involved in related tasks within an information system with access to organizational data. All the work-scales complying with this requirement should be equally considered. Specific data regarding the subjects’ work position and the size of the organization should also be gathered. We anticipate the use of partial least squares (PLS) to analyze the data. PLS is frequently used to test causal models.

A. Sample and Procedure
A survey method will be employed in order to test the propositions of the paper. Surveys will be administered to individuals embedded in health care organizations. Since all participants would be related to the health care information system, the authors will administer all the surveys in multiple sites through personal visits, and all participants will be assured of the confidentiality of responses with anonymous participation. With regard to data analysis and validity constraints, we consider the ideal sample size from public health care organizations to be no less than 200 subjects.

B. Measures
The first order risk mitigator factors can be characterized based on the organizations and stakeholders included in the survey. Specifically, systems factors should include systems quality, information quality, and systems usefulness. Management support would be measured by the items adopted by Thong et al. [31]. In addition, computer self-efficacy would be measured using the items developed by Compeau and Higgins [7]. Using information assurance as a moderator, interdependency risks will be measured by each known item that we would develop further. Items should include the degree of perceived availability, confidentiality, and integrity of information infrastructure.

The information infrastructure’s effectiveness is measured by multi-dimensional factors as aforementioned: organizational impact, individual impact, user satisfaction. Organizational impact and individual impact are derived from DeLone and McLean [8]. In this study, we adapt four items developed by DeLone and McLean [8], tapping into individual productivity, task performance, time saving on the job, and individual effectiveness on the job related to information infrastructure. Six items from Thong et al. [31] will be used to measure organizational impact. Since the costs and benefits of information infrastructure attributing to health care organizations’ performance are hard to quantify and are not recorded in the form of objective data, these items will be treated as perceptual measures of organizational impact. Respondents will be asked, on a 7-point scale (1, strongly disagree, to 7, strongly agree), to indicate their perception of the degree to which the organization’s information infrastructure systems contributed to the organization’s impact in terms of staff productivity, operations efficiency, and improved decision-making. User satisfaction, on the other hand, will be measured by the definition, which is the extent of the public sector being interdependent with other organizations. Similar to organizational impact, public impact will be measured by perceptions of individuals engaging in the public health care sector. Since the effectiveness of information infrastructure largely relies on the data in health
care organizations, the items of organizational impact can identify how individuals are affected by interdependency risks.

V. CONCLUSION
This paper has proposed a framework for evaluation of mitigators of interdependent risks and the effect of interdependent risks on information infrastructure. This can prove to be an important means for increasing information infrastructure effectiveness, by identifying the potential risk mitigators. This framework provides a basis for future research to develop a comprehensive implementation guide of information infrastructure effectiveness in public healthcare sectors.

ACKNOWLEDGEMENTS
Many thanks to Deepa Velu and Radhika Raghu for help with the manuscript.

REFERENCES
[1] P.S. Anderson. "Critical Infrastructure Protection in the Information Age," in: Networking Knowledge for Information Societies: Institutions & Intervention, R. Mansell, R. Samarajiva and A. Mahan (Eds.), DUP Science, Delft, 2002.
[2] N. Au, E.W.T. Ngai and T.C.E. Cheng. "A critical review of end-user information system satisfaction research and a new research framework," Omega, Vol.30, No.6, p.451, Dec 2002.
[3] H. Barki, S. Rivard and J. Talbot. "Toward an assessment of software development risk," Journal of Management Information Systems, Vol.10, No.2, p.203, 1993.
[4] W.F. Blake. "Making Recovery a Priority," Security Management, Vol.36, No.4, p.71, 1992.
[5] Joint Economic Committee, United States Congress. "Security in the Information Age: New Challenges, New Strategies," Washington, D.C., http://www.house.gov/jec.
[6] D. Compeau, C.A. Higgins and S. Huff. "Social cognitive theory and individual reactions to computing technology: A longitudinal study," MIS Quarterly, Vol.23, No.2, p.145, 1999.
[7] D.R. Compeau and C.A. Higgins. "Computer self-efficacy: Development of a measure and initial test," MIS Quarterly, Vol.19, No.2, p.189, 1995.
[8] W.H. DeLone and E.R. McLean. "Information Systems Success: The Quest for the Dependent Variable," Information Systems Research, Vol.3, No.1, pp.60-95, 1992.
[9] W. Brun. "Cognitive components in risk perception," Journal of Behavioral Decision Making, Vol.5, No.2, pp.117-132, 1992.
[10] E.J. Garrity and G.L. Sanders. Information Systems Success Measurement, Idea Group Pub., Hershey, PA, 1998.
[11] M. Gerber and R. von Solms. "Management of risk in the information age," Computers & Security, Vol.24, No.1, p.16, 2005.
[12] S. Hamilton and N.L. Chervany. "Evaluating information system effectiveness part I: comparing evaluation approaches," MIS Quarterly, Vol.5, No.3, pp.55-69, 1981.
[13] O. Hanseth and K. Lyytinen. "Design Theory for Managing Dynamic Complexity in Information Infrastructures," 2005.
[14] G. Heal and H. Kunreuther. "IDS Models of Airline Security," The Journal of Conflict Resolution, Vol.49, No.2, p.201, 2005.
[15] G. Heal and H. Kunreuther. "Modeling Interdependent Risks," Risk Management and Decision Processes Center, University of Pennsylvania, 2006.
[16] J.J. Jiang, G. Klein and R. Discenza. "Information system success as impacted by risks and development strategies," IEEE Transactions on Engineering Management, Vol.48, No.1, p.46, 2001.
[17] D.G. Katehakis, S. Kostomanolakis, M. Tsiknakis and S.C. Orphanoudakis. "An open, component-based information infrastructure to support integrated regional healthcare networks," International Journal of Medical Informatics, Vol.68, pp.3-26, 2002.
[18] N.N. Kraus and P. Slovic. "Taxonomic analysis of perceived risk: modeling the perceptions of individuals and representing local hazard sets," Risk Analysis, Vol.8, No.3, pp.435-455, 1988.
[19] H. Kunreuther and G. Heal. "Interdependent security," Journal of Risk and Uncertainty, Vol.26, No.2, p.231, 2003.
[20] C.J. McDonald, J.M. Overhage, M. Barnes, G. Schadow, L. Blevins, P.R. Dexter, B. Mamlin and the INPC Management Committee. "The Indiana Network For Patient Care: A Working Local Health Information Infrastructure," Health Affairs, Vol.24, No.5, pp.1213-1220, 2005.
[21] P. Meade. "Taking the risk out of disaster recovery services," Risk Management, Vol.40, No.2, p.20, 1993.
[22] D. Mendonca, E.E. Lee and W.A. Wallace. "Impact of the 2001 World Trade Center Attack on Critical Interdependent Infrastructures," in: IEEE International Conference on Systems, Man and Cybernetics, 2004.
[23] E. Nickolov. "Critical Information Infrastructure Protection: Analysis, Evaluation, and Expectations," Information & Security: An International Journal, Vol.17, pp.105-119, 2005.
[24] J. Peerenboom. "Infrastructure interdependencies: Overview of concepts and terminology," Infrastructure Assurance Center, Argonne National Laboratory, Argonne, IL, http://www.pnwer.org/pris/peerenboom_pdf.pdf.
[25] A. Rai, S.S. Lang and R.B. Welker. "Assessing the validity of IS success models: An empirical test and theoretical analysis," Information Systems Research, Vol.13, No.1, p.50, 2002.
[26] L. Raymond. "Organizational Characteristics and MIS Success in the Context of Small Business," MIS Quarterly, Vol.9, No.1, p.37, 1985.
[27] S. Rinaldi, J. Peerenboom and T. Kelly. "Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies," IEEE Control Systems Magazine, pp.11-25, 2001.
[28] P.B. Seddon. "A respecification and extension of the DeLone and McLean model of IS success," Information Systems Research, Vol.8, No.3, p.240, 1997.
[29] S. Sirkemaa. "IT Infrastructure Management and Standards," Proceedings of the International Conference on Information Technology: Coding and Computing, IEEE Computer Society, Washington, DC, USA, 2002.
[30] P. Slovic and J. Monahan. "Probability, danger, and coercion," Law and Human Behavior, Vol.19, No.1, pp.49-65, 1995.
[31] J.Y.L. Thong, C.-S. Yap and K.S. Raman. "Top management support, external expertise and information systems implementation in small businesses," Information Systems Research, Vol.7, No.2, p.248, 1996.
[32] US Department of Energy, Office of Critical Infrastructure Protection. "Critical infrastructure interdependencies: impact of the September 11 terrorist attacks on the World Trade Center (a case study)," Rep. US Dep. Energy, Off. Crit. Infrastruct. Prot., Washington, DC.
Keynote (D-2): Understanding Multistage Attacks in the Cyberspace to Address the Grand Challenges in Security
Shambhu Upadhyaya
Center of Excellence in Information Systems Assurance Research and Education (CEISARE)
University at Buffalo - SUNY

Secure computing practices today mandate the deployment of attack detection and mitigation
tools such as firewalls, anti-virus software and intrusion detection sensors (IDS). Yet, with the
expansion of the cyberspace, computer attacks have progressively become more sophisticated
and harder to detect. One of the primary concerns today is the threat of organized cyber attacks
that are aimed at disrupting the nation’s critical infrastructures and the national security.
Consequently, researchers have shifted focus to event correlation and fusion techniques to
identify coordinated attacks. However, the techniques so developed are useful primarily from the
standpoint of forensic analysis and network hardening. Situation awareness of attacks in near
real-time can provide the benefits of possible attack mitigation and containment. Validation of
research prototypes with realistic data is also an important requirement.

The effective situation awareness of coordinated multistage attacks calls for a good
understanding of the attack model, consideration of the suitable granularity levels of event data
generated on the networks, attack semantics, and data dimensionality for effective
comprehension and visualization. In this talk, we will review the current state-of-the-art in the
disciplines, the inadequacy of current solutions to address the attacks that may be coming from
within an organization, and some proposed solutions. We will end the talk by identifying the
grand challenge problems in security and some predictions on the state of security looking
forward several years.

A Secure Framework for Wireless Sensor Networks
B. Barnett and D. Sexton
GE Global Research

Abstract—A large disadvantage to sensor networks in factory environments is the cost of running wire, which ranges from $40 to $2000 per foot. The economic advantages of wireless sensor networks are obvious, yet current security frameworks fail to address the complete threat scenarios, and focus on specific threats such as eavesdropping and unauthorized connections. Current proposals ignore the threats of stolen devices, hardware redeployment, and unauthorized hardware reproductions.
This paper describes the design and implementation of a secure and power efficient sensor network, based on off-the-shelf components such as TinyOS software, and the IEEE 802.15.4 compatible Chipcon CC2420 radio. The described protocol conserves battery life by using the hardware-based support for 128-bit AES-CCM encryption, and by having all protocol sequences initiated by the sensors.
The authentication system is based on four pair-wise symmetric keys. Two keys, the manufacturer and the customer keys, are installed using a serial interface. The third "bootstrap" key is created and distributed over the 802.15.4 network, allowing the sensor to obtain the session key used for normal operation.
A variation of the Needham-Schroeder protocol is used. Session key updates, multiple session keys, device heartbeats, and software upgrades are supported by the protocol. Six Sigma methodologies were used to evaluate the completeness of the threat reduction, and maximize the completeness of the overall architecture.
This protocol was developed with funding from the Department of Energy, and is being proposed as a standard for manufacturing and factory sites.

Keywords—Secure, wireless, sensor, network

Manuscript received December 31, 2006. This work was supported in part by the U.S. Department of Energy under Contract: DE-FC36-04GO14001. This does not constitute an endorsement by DOE of the views expressed in this paper.

I. INTRODUCTION
Wireless sensor networks[1] offer significant advantages in factory environments, as the cost of running wire ranges from $40 to $2000 per foot[2]. Readily available sensors such as the Tmote Sky[3] include radios with encryption capability (e.g. Chipcon CC2420[4]). However, secure frameworks for sensor networks lack robustness, as they tend to focus on a limited number of threats[5]. A complete solution has to consider all threats, and attempt to reduce the risk in as many as possible. It must also be practical, and flexible enough to allow deployment in a variety of environments.
In addition, sensor networks present additional implementation challenges. Battery-powered sensors must limit power consumption to be practical. They may also have limited support hardware for encryption such as asymmetric keys. Therefore we devised a framework based on the encryption capabilities built into the Chipcon CC2420 radio.

A. Architecture
Our architecture is based on the requirements for a manufacturing facility or factory. We made several assumptions to simplify the solution. Sensors have limited mobility (i.e. within the factory). There is a central authority (or key distribution center) in a secured room that can be used for device authentication. Our wireless sensors use IEEE 802.15.4 radios. Two types of routers exist – backbone routers that connect the IP network to the 802.15.4 network, and mesh routers that lack IP connectivity. The function of mesh routers is to route 802.15.4 traffic. Sensors may either be mesh routers, or leaf nodes (lacking sophisticated routing capability). As this is a manufacturing facility, we assume off-line authentication is not a requirement: if a central controller is down, new devices shouldn't be joining the network.
We also assume there are (at least) two authorities or Key Distribution Centers (KDC) – the vendor(s) of the sensors and routers, and the customer who buys the sensors and routers. The identification numbers can be used to partition keys known to the KDC's.
We assume IP-based networks used in the factory have been secured, as we only address the 802.15.4 wireless communication.

B. Threat Analysis
We considered the risks to both the manufacturer of the sensor network as well as the owner of the facility where the network is deployed. We identified the following threats:
• Rogue sensor
• Rogue routers
• Rogue central authority
• Loss of data confidentiality during manufacturing process
• Loss of data confidentiality during installation
• Loss of data confidentiality during device start-up
• Loss of data confidentiality during normal operations
• Loss of data confidentiality during software upgrade

• Data integrity and authenticity
• Man-in-the-middle or replay attacks
• Brute force attack against sensor/router
• Denial of service attack on sensor/router
• Insider attack at vendor's site
• Insider attack at customer's site
• Customer's sensor/router physically attacked on site while connected to the network
• Customer's sensors/routers stolen and attacked off-site
• Vendor's sensor/router attacked off-site for reverse engineering
• Vendor's sensor/router modified off-site and sold to customer
• Sensors/routers stolen from vendor
• Device Cloning – or unauthorized reproductions
• Hardware Redeployment of sensor/router – where the buyer of a used sensor obtains confidential information from the former owner.
We categorized the on-site and off-site attacks as different, because of the difference in detection and response. Also note that reverse engineering, devices with back doors, and physical attacks are considered as threats as well.
No secure framework can eliminate all threats. However, all of the threats must be considered to evaluate the effectiveness of the approach.

II. SECURITY FRAMEWORK

A. Encryption support in 802.15.4 radio
802.15.4[6] packets support several MAC (Media Access Control)-layer encryption and authentication schemes[7]. In our prototype, we used the hardware-based AES-CCM-128 for both data-layer and MAC encryption and authentication. The recommendations made in ZigBee[8] for the nonce and the use of CCM* instead of CCM should be followed. Our primary goal was to obtain the best available security with existing and readily available encryption hardware.
We used TinyOS as a development environment. Our packet format is as follows:

Figure 1 - MAC Packet Format

TinyOS automatically updates the data sequence number in the header. In addition, we use a monotonically increasing number for the 4-byte Frame Counter.
Data-layer encryption has the following structure.

Figure 2 - Data-layer encryption

The generation of the nonce value can be the same source as the MAC-layer nonce. That is, the same monotonically increasing value can be used. This simplifies the detection of replay attacks by the sensor.

B. Generalized Key Installation Mechanism
We use the following terminology: Sensors S with unique identifier IS communicate with authorities A to obtain keys K. Encrypted messages are indicated by {.......}K.
Authentication is based on paired symmetric keys, where only two devices use the key to authenticate each other. The generalized key installation is based on principles used in Needham-Schroeder[9] and Kerberos[10], shown in these three steps.
(1) S → A: IS, N1
(2) A → S: {IS, N1, N2, KN+1} KN
(3) S → A: N2
Key KN is therefore used to install key KN+1. The sensor verifies the key validity by checking that the identification number and nonce within the encrypted response match. The nonces N1, N2 are used to prevent replay attacks.
The primary threat in this approach is knowledge of KN beforehand, or capturing traffic and obtaining the key afterwards (forward security). Nonce predictability is an issue for the authority A in step 3. A cryptographically strong random number generator (RNG) is suggested to prevent this. The nonce for the sensors is a potential problem. Trusted timestamps and RNG's require additional resources that may not be available in a sensor; we therefore assume as a worst case that sensors use a monotonically increasing number, and authentication devices that validate these numbers remember the last number used for each sensor.
In general, lower-numbered keys have greater longevity, are more valuable in controlling assets, and are used less often. As shall be described, higher-numbered keys are used to provide localized scope for authentication. The responsibilities on the sensor are minimized, as it doesn't need to know anything about the authority that generated the key. Therefore keys can be passed on to additional authorities.
Relays and third parties can be used to install keys, if one is willing to accept the additional risk. Nonce N2 is used to confirm the device received the proper key.
Nonce lifetime can be sufficient to allow for long-latency
authentication, which allows a form of off-line authentication
described later.
We also use "→" to indicate the transmission of a packet without MAC encryption, and "⇒" to indicate MAC encryption, as a visual aid.
There are advantages to making this key installation mechanism generalized. We originally proposed four keys for the framework, but two additional keys allow greater flexibility, as described below.

C. Vendor key installation
We envision a sensor manufacturing facility that produces nearly identical devices, installing a common key K0 into the firmware, while installing a unique identification into the device. A key installation mechanism installs a unique key K1 into the device. As K0 is known, this must be a private and secured communication channel:
(4) S → A: IS, N1
(5) A → S: {IS, N1, N2, K1} K0
(6) S → A: N2
This key can, if the vendor desires, be used to install a secondary vendor key K2. Key K2 can be constructed to expire after a period of time.
The device identification and matching keys must be stored in the vendor's KDC, which must obviously be in a secured room.

D. Customer Key Installation
When the customer receives the sensor and obtains the identification, it obtains a key KV from the vendor. Depending upon the implementation, this can be K1 or K2. There are several mechanisms that can be used to obtain the key, such as a CD-ROM, a web server, tear-off labels, etc. The vendor can revoke keys based on IS in the case of stolen or cloned devices by refusing to tell the customer the key. The vendor can verify the identity of the device by examining N2. If KV is K2, the key can be expired to force the customer to refresh the key. If KV is K1, once that key is obtained the customer need not use the vendor services to enable the sensor in the future, and the vendor cannot revoke the key in the customer's possession.
The customer then installs the unique-per-device site key KS:
(7) S → A: IS, N1
(8) A → S: {IS, N1, N2, KS} KV
(9) S → A: N2
and can optionally install one or more end-to-end authenticity keys, such as KA, using
(10) S → A: IS, N3
(11) A → S: {IS, N3, N4, KA} KS
(12) S → A: IS, N4
Steps (7), (8) and (9) can be performed for multiple devices in batches, if desired, provided that the sensor doesn't time out. A partial form of off-line authentication could be done with a hand-held as a proxy with partial connectivity. It must first collect and relay all N1 values, relay the responses, and collect all of the N2 values and forward them to the KDC so it can verify the keys were installed.
We also considered key installation schemes where a third party installs the network, has access to the KDC, and hands it over to the customer. In this case, the customer must refresh all of the KV keys, and then the KS keys over the network to prevent the installer from gaining access. This requires at least two vendor keys, as K2 must be revoked.

III. WIRELESS PROTOCOL SEQUENCES
Battery-conserving sensors may choose to "sleep" – with their radios disabled. Therefore in our design, the sensor initiates all wireless protocol sequences described below. Protocol sequences typically end with a status packet from the router to a non-routing sensor, which identifies pending sequences. Essentially this allows non-routing sensors to sleep for extended periods with the radio disabled. Once they wake up and transmit the data, the status packet tells them if they have any additional tasks (key update, software update, etc.) before returning to a sleep state.

A. Joining the network
A sensor joining the network for the first time needs to locate and verify the identity of the nearest router. We assume the router has already been authenticated for the network, and has its own key KRouter known to the site authority, which is shared with the KDC. The router has a unique identification number, like the sensor, here described as IR.
We use a two-phase sequence to obtain the MAC key, similar to the SPINS protocol[11]. The first sequence obtains the bootstrap key KBootstrap.
(13) S → Broadcast:
(14) R → S: IR
(15) S → R: IS, {IS, IR, N1} KS
(16) R → A: {IR, IS, N2, {IS, IR, N1} KS} KRouter
(17) A → R: {KBootstrap, IR, IS, N2} KRouter + {KBootstrap, IS, IR, N1} KS
(18) R → S: {KBootstrap, IS, IR, N1} KS
This sequence allows the site authority to create and install a new bootstrap key that allows the router and sensor to authenticate each other. Note that the message in (15) is opaque to the router, which forwards it to the site authority for authentication in (16). The site authority returns two encrypted messages in (17), and the router authenticates and forwards one of these to the sensor in (18).
Once the bootstrap key is obtained, the sensor is able to get the MAC key, KMAC, along with an 8-bit key identification number K#.
(19) S → R: {IS, IR, N} KBootstrap
(20) R → S: {KMAC, K#, IS, IR, N} KBootstrap
(21) S ⇒ R: {Acknowledge} KMAC
(22) R ⇒ S: {Status} KMAC
Steps 19-21 can be used to re-join a network if KMAC

expires without burdening the KDC.
As K# is 8 bits wide, the 802.15.4 radio supports up to 256 keys for MAC encryption. These keys may be shared by all devices, and different keys can be used for broadcast and multicast. Note that sequences (21) and (22) use the MAC encryption key KMAC.
This mechanism places a greater burden on the router than other proposals, but it allows greater control (each KMAC could be unique per router/sensor pair, or shared within all nodes connected to a router). It also provides greater scalability, as will be discussed below. Also note that routing sensors join the network like non-routing sensors (KRouter could be KS from the router's perspective).

B. MAC Key Management
The 802.15.4 packet specifications support 256 different keys, and the key number K# corresponds to Key# in Figure 1. The CC2420 only supports 2 keys in hardware, but we believe the sensor can examine the header of the packet, determine the key number, install the matching key into the appropriate memory register, and then decrypt the rest of the packet in hardware.
The status word is used to indicate pending actions for the sensor. This may include the number of keys pending, the number of valid keys, and the time until the current key expires. Therefore the sensor can repeat sequences 19-22 to obtain additional keys.
The router keeps track of the keys known to each sensor. This allows the router to change keys once it knows that all of the sensors have obtained the new key. It also allows the router to partition the knowledge of the subordinate sensors, allowing it to quickly exclude a compromised sensor.
At the end of each sequence, the sensor will examine the status packet, and decide if it needs to perform additional actions. One of these is to ask for a new MAC key. This sequence is as follows:
(23) S → R: {IS, IR, N} KBootstrap
(24) R → S: {KMAC, K#, IS, IR, N} KBootstrap
(25) S ⇒ R: {Acknowledge} KMAC
(26) R ⇒ S: {Status} KMAC
Sequences (23) and (24) could also use MAC encryption as well for increased security.
The router can pre-load several keys in advance, and keep track of which sensors know which key numbers. This allows the router to smoothly switch to a new MAC key by selecting one known to all devices. It can purposely exclude or isolate devices by category if it needs to. Key changes can be synchronized by clock as well, with the status telling the sensor the time till the next key change. As the 8-bit key number is disclosed in the packet header, a device can potentially switch between keys on a packet-by-packet basis, allowing a smooth transition from one key to the next without dropping MAC-layer encryption.
If a device discovers it no longer has a valid MAC key, it can fall back to (19) or even (13) to obtain the key. We believe that allowing this to happen at the router layer offloads the KDC, and enhances scalability.

C. Alarm
While the network is in operation, devices can be physically attacked. Preventing these attacks is difficult [12][13]. We added an alarm mechanism, assuming the device might have some way to detect intrusion attacks, either physical or over the network (i.e. brute force, replay, etc.):
(27) S ⇒ R: {Alarm} KMAC
(28) R ⇒ S: {Status} KMAC
A device that detects physical attacks and sends an alert can allow the router and site authority to react in a series of escalations; first by changing any shared KMAC. The KDC or router can then revoke the KBootstrap key of any compromised sensor and temporarily prevent any new key from being issued. Finally the sensor's KS key can be revoked if the device is stolen or redeployed.

D. Heartbeat
Another concern is an attacker who can physically compromise a device without detection, while the device is connected to the network, and obtain shared KMAC keys.
We use a heartbeat function to detect unavailable or missing devices.
(29) S ⇒ R: {IS, IR, N1} KMAC
(30) R ⇒ S: {{IS, IR, N1, N2} KBootstrap} KMAC
(31) S ⇒ R: {IS, IR, N2} KMAC
(32) R ⇒ S: {Status} KMAC
This allows the sensor and router to authenticate each other. Routers can summarize the information and pass it up to the site authority.
The response to a missing device can escalate in time, as mentioned earlier. Keys can be changed, temporarily prevented from re-issuing, and finally revoked if the decision is made that the device is lost. This functionality could be implemented by a central authority, but localizing this to the router increases scalability.
Offloading the responsibilities of a central KDC onto a router, with tasks such as network re-joining, key updates and heartbeats, increases the scalability of the network.

E. End-to-End Authentication
Up to this point, the framework provides link-to-link authentication. However, a trusted but compromised router could modify data en route.
In addition, some may wish to have the ability for intrusion detection devices to log and inspect packet contents, and optionally decrypt data.
To allow this, we propose the end-to-end authenticity key KA as installed in steps 10-12. A sensor could use this to sign and/or encrypt data in addition to MAC encryption. Any device that knew this key could authenticate/decrypt the data, but be unable to join the network or obtain the MAC-layer key used for that link. Routers could forward these packets to logging devices.
The key installation protocol could be used over-the-air to update/replace the end-to-end authenticity key, while giving the old key to intrusion detection devices. These devices should be prevented from capturing the packets where keys are updated.

F. Software Update
TinyOS provides a way to update software with the Deluge extension. However, the existing mechanism provides no way to verify the authenticity of the software.
We propose that the firmware be transmitted using MAC encryption, and that the hash of the firmware H, along with the revision identification IREV, be signed by KS:
(33) R ⇒ S: {{H, IREV} KS} KMAC

IV. KEY REVOCATION
In general, the vendor creates KV, and the customer site authority creates the other keys. Optionally the router may create KMAC for efficiency reasons.
The keys can be revoked under the conditions listed in Table 1. Note that if a key is revoked, the key in the table above it must be used to obtain another key.

Table 1 - Key Revocation Conditions

Key          Revocation Condition
KV           • Unauthorized reproduction of device
             • Large shipment of devices stolen
             • Key expired (if using two vendor keys)
KS           • Device stolen, missing, or compromised
             • Device sold or redeployed
KBootstrap   • Key expired
             • Device under attack
KMAC         • Key expired/updated
             • Unauthorized device on network
KA           • Device expired/updated
             • Key exported for analysis

The vendor could also revoke individual keys if desired, in high-security situations. A more practical approach is to simply let the vendor key expire, which would limit the deployment of stolen devices.

V. THREAT ANALYSIS
We used a 6-Sigma methodology[14] to evaluate the framework. It is a Failure Mode Effect Analysis (FMEA), adapted for risk assessments. Three values are multiplied together to calculate a Risk Prioritization Number (RPN): Likelihood, Severity and Detectability. Each value ranges from 1 to 10, with higher numbers being worse. In this example, the values are shown in Tables 2-4. The group must first reach consensus on the meanings of the values.
Each threat is subjectively compared to other threats, as long as all parties agree to the values. Individual values for single threats aren't significant. Instead, threats are given values when compared to other threats. The advantage of this method is not in absolute values, but in determining which risks are more frequent, detectable, and dangerous than other threats. This technique is practical, as it provides a simple methodology to consider all threats, and workable, as it makes no attempt to be universally objective. Sample values are given in Tables 2, 3 and 4. The vendor and the customer will normally have separate tables and values; we combined them for this paper to simplify the analysis.
We have filled in the values for a theoretical factory that is using wireless sensors. We subjectively compare an unsecured wireless framework to the framework described in this paper. The results are shown in Table 5.
Note that for an unsecured system, using a merged vendor/customer view, the greatest threats are: (1) device cloning, (2) loss of data confidentiality during normal operations, (3) stolen/black market devices, and (4) data integrity. Using the proposed framework, note that nearly every threat is reduced, and the total risk is reduced from 4737 to 1948 – a reduction of 58.88%. The average threat is reduced from 225.57 to 92.76 in this example.
With the new framework, some individual values may increase. In particular, the severity of loss of data confidentiality during manufacturing increases, as the keys may be compromised. Also note that some threats are not addressed in the framework – such as the risk of an insider at the customer's site.

VI. DISCUSSION OF IMPLEMENTATION
The Chipcon device efficiently handles encryption in hardware. Encrypting packets at the link level using CCM-128 increases transmission time by approximately 500 µsecs in some of the tests we have tried.
In our prototype, the source address and packet type were not encrypted to simplify debugging. However, they should be encrypted for increased security, at the cost of increased debugging complexity. In particular, if the attacker cannot distinguish packets that accomplish a key update, they would need to retain more packets in the event that an older key is obtained.
We realized that the Chipcon CC2420 had a problem receiving both unencrypted and encrypted packets. If we expect the next packet to be plaintext, and an encrypted packet arrives, the hardware cannot decode the packet. To address this, we always transmit encrypted packets. We emulate unencrypted packets by encrypting these packets using a key known to all devices. We don't consider this a security feature, but an implementation detail. Future radios may not have this limitation.
We implemented a prototype based on a preliminary version of this framework, with the 4 essential keys described.
This paper describes a more flexible and adaptive approach, based on our experience, and based on requirement discussions with several vendors.
This paper recommends several implementation details. However, in the case where cost and convenience are more important than security, certain security protection mechanisms can be eliminated. We propose that both MAC-layer and data-layer encryption be used for maximum security. Therefore the data is encrypted twice. A single encryption step could be used to extend battery life. In the case of low-cost and low-security sensors, a single vendor key could be shared across several devices. This provides no protection from cloned devices, but that's a decision the vendor can make.
Different sites can determine the number of KMAC keys to use. One site can use a single shared key, a second can use one for each router, and a third can use unique keys for every link.
The number of keys necessary to remember is proportional to the importance of a device in the infrastructure. Assuming the 4-key mechanism (KV, KS, KBootstrap, KMAC), an end-node sensor would need to know 2+2N keys, where N is the number of mesh routers it talks to. A mesh router, with N peer routers and M leaf nodes, would need to know up to 2+2N+2M keys. Because of the limitations in the 802.15.4 frame, each router is limited to 256 different MAC-layer keys. The KDC has the greatest burden, by needing to know all of the keys. The worst case would be unique KMAC keys, with every device able to communicate with every other device. However, in practical terms, this is rarely needed.

VII. CONCLUSIONS
We feel that for environments found in factories, this framework is practical, flexible, and scalable. The encryption technology is based on pairwise symmetric keys, allowing low-cost deployment in embedded systems. We built a prototype using this technology to validate the concepts.
Using two KDC's allows vendors and customers to protect their assets, without burdening the device with knowledge about different authorities. Three or more KDC's are possible as well. The use of multiple keys in a one-way chain provides flexibility in deployment, installation and revocation of keys. We can conceive a tree structure of chains for asset control.
The framework provides multiple ways to revoke and redeploy devices without compromising a network. It also allows for quick detection and key revocation for devices under active attacks. Complex situations, such as allowing hand-offs to third parties once the keys have been established, are also allowed, as well as protection from device cloning.
Use of the 6-Sigma methodology allowed us to consider a comprehensive threat assessment, as well as provided a mechanism to subjectively evaluate the effectiveness of the design.
We believe this is suitable for a wide range of requirements, and consider it suitable as a standard for wireless automation, as promoted by ISA's SP100 working group.[15] Other applications may also find this framework useful.

Table 2 - Likelihood Values

Probability of Security Failure          | Proposed Failure Rate  | Value
Very High: Failure is almost inevitable  | Several times a day    | 10
                                         | Daily                  | 9
High: Repeated failures                  | Weekly                 | 8
                                         |                        | 7
Moderate: Occasional failures            | Monthly                | 6
                                         | Yearly                 | 5
                                         |                        | 4
Low: Relatively few failures             | Once every 10 years    | 3
                                         | Once every 100 years   | 2
Remote: Failure is unlikely              | Once every 1000 years  | 1

Table 3 - Detection Values

Detection             | Likelihood of Detection by Design Control                                           | Value
Absolute Uncertainty  | Design control cannot detect potential cause/mechanism and subsequent failure mode  | 10
Very Remote           | Very remote chance                                                                  | 9
Remote                | Remote chance                                                                       | 8
Very Low              | Very low chance                                                                     | 7
Low                   | Low chance                                                                          | 6
Moderate              | Moderate chance                                                                     | 5
Moderately High       | Low chance                                                                          | 4
High                  | High chance                                                                         | 3
Very High             | Very high chance                                                                    | 2
Almost Certain        | Design control will detect failure                                                  | 1

Table 4 - Severity Values

Severity of Effect         | Proposed Effect                                   | Value
Hazardous without warning  | Major loss of life. Permanent financial impact    | 10
Hazardous with warning     | Widespread abuse. Crisis. Large financial impact  | 9
Very High                  | Loss of large customers/accounts                  | 8
High                       | Significant loss of value                         | 7
Moderate                   | Notable loss of value                             | 6
Low                        | Minor loss of value                               | 5
Very Low                   | Very minor loss of value                          | 4
Minor                      | Loss of single customer                           | 3
Very Minor                 | Inconvenient                                      | 2
None                       | No effect                                         | 1

Table 5 - Failure Mode Effect Analysis

Threat                                                                      | Current Architecture (L, D, S, RPN) | Proposed Architecture (L, D, S, RPN) | Relative Reduction in Risk (%)
Rogue sensor                                                                | 6, 5, 7, 210   | 6, 1, 7, 42    | 80.0
Rogue routers                                                               | 6, 5, 7, 210   | 6, 1, 7, 42    | 80.0
Rogue central authority                                                     | 3, 2, 8, 48    | 3, 1, 8, 24    | 50.0
Loss of data confidentiality during manufacturing process                   | 6, 8, 3, 144   | 3, 7, 5, 105   | 27.1
Loss of data confidentiality during installation                            | 6, 8, 3, 144   | 3, 8, 3, 72    | 50.0
Loss of data confidentiality during device start-up                         | 6, 8, 3, 144   | 2, 8, 3, 48    | 66.7
Loss of data confidentiality during normal operations                       | 9, 8, 8, 576   | 2, 8, 8, 128   | 77.8
Loss of data confidentiality during software upgrade                        | 4, 8, 6, 192   | 2, 8, 6, 96    | 50.0
Data integrity and authenticity                                             | 9, 4, 9, 324   | 2, 2, 9, 36    | 88.9
Man-in-the-middle attacks                                                   | 5, 6, 3, 90    | 2, 2, 3, 12    | 86.7
Brute force attack against sensor/router                                    | 5, 6, 6, 180   | 5, 5, 6, 150   | 16.7
Denial of service attack on sensor/router                                   | 6, 5, 6, 180   | 6, 3, 6, 108   | 40.0
Insider attack at vendor's site                                             | 4, 7, 3, 84    | 4, 7, 2, 56    | 33.3
Insider attack at customer's site                                           | 5, 7, 6, 210   | 5, 7, 6, 210   | 0.0
Customer's sensor/router physically attacked on site while connected to the network | 4, 4, 6, 96 | 4, 3, 3, 36 | 62.5
Customer's sensors/routers stolen and attacked off-site                     | 6, 5, 4, 120   | 6, 3, 3, 54    | 55.0
Vendor's sensor/router attacked off-site for reverse engineering            | 7, 10, 3, 210  | 9, 10, 2, 180  | 14.3
Vendor's sensor/router modified off-site and sold to customer               | 4, 8, 9, 288   | 3, 8, 9, 216   | 25.0
Sensors/routers stolen from vendor                                          | 8, 9, 7, 504   | 8, 9, 3, 216   | 57.1
Device Cloning – or unauthorized reproductions                              | 8, 9, 9, 648   | 8, 3, 3, 72    | 88.9
Hardware Redeployment of sensor/router                                      | 5, 9, 3, 135   | 5, 3, 3, 45    | 66.7
Total                                                                       | RPN 4737       | RPN 1948       | 58.9
Max Value                                                                   | 21000          | 21000          |
Average Threat Value                                                        | 225.57         | 92.76          |
Overall                                                                     | 22.56%         | 9.28%          |
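The RPN arithmetic of Section V run over the Table 5 rows, as an added example in JavaScript that is not part of the paper: it validates the 1 to 10 range, computes RPN = L × D × S per threat, the totals, the averages, the share of the maximum possible total (1000 per threat) and the relative reduction, and ranks the threats by RPN. The row data is copied from Table 5; the function names and the structure of the result are assumptions made for the example. It reproduces the figures quoted in Section V (4737 to 1948, 58.88%, 225.57 to 92.76) and the four greatest threats of the unsecured architecture.

```javascript
// Rows copied from Table 5: [threat, [L, D, S] current, [L, D, S] proposed].
const TABLE5 = [
  ['Rogue sensor', [6, 5, 7], [6, 1, 7]],
  ['Rogue routers', [6, 5, 7], [6, 1, 7]],
  ['Rogue central authority', [3, 2, 8], [3, 1, 8]],
  ['Loss of data confidentiality during manufacturing process', [6, 8, 3], [3, 7, 5]],
  ['Loss of data confidentiality during installation', [6, 8, 3], [3, 8, 3]],
  ['Loss of data confidentiality during device start-up', [6, 8, 3], [2, 8, 3]],
  ['Loss of data confidentiality during normal operations', [9, 8, 8], [2, 8, 8]],
  ['Loss of data confidentiality during software upgrade', [4, 8, 6], [2, 8, 6]],
  ['Data integrity and authenticity', [9, 4, 9], [2, 2, 9]],
  ['Man-in-the-middle attacks', [5, 6, 3], [2, 2, 3]],
  ['Brute force attack against sensor/router', [5, 6, 6], [5, 5, 6]],
  ['Denial of service attack on sensor/router', [6, 5, 6], [6, 3, 6]],
  ["Insider attack at vendor's site", [4, 7, 3], [4, 7, 2]],
  ["Insider attack at customer's site", [5, 7, 6], [5, 7, 6]],
  ["Customer's sensor/router physically attacked on site while connected to the network", [4, 4, 6], [4, 3, 3]],
  ["Customer's sensors/routers stolen and attacked off-site", [6, 5, 4], [6, 3, 3]],
  ["Vendor's sensor/router attacked off-site for reverse engineering", [7, 10, 3], [9, 10, 2]],
  ["Vendor's sensor/router modified off-site and sold to customer", [4, 8, 9], [3, 8, 9]],
  ['Sensors/routers stolen from vendor', [8, 9, 7], [8, 9, 3]],
  ['Device Cloning – or unauthorized reproductions', [8, 9, 9], [8, 3, 3]],
  ['Hardware Redeployment of sensor/router', [5, 9, 3], [5, 3, 3]],
];

// RPN = Likelihood * Detectability * Severity, each an integer from 1 to 10
// (higher is worse), as Section V defines it.
function rpn([l, d, s]) {
  for (const v of [l, d, s]) {
    if (!Number.isInteger(v) || v < 1 || v > 10) throw new RangeError('FMEA values must be integers 1..10');
  }
  return l * d * s;
}

// Per-threat RPNs, totals, averages and the share of the worst possible total.
function analyse(rows) {
  const threats = rows.map(([name, cur, prop]) => {
    const current = rpn(cur), proposed = rpn(prop);
    return { name, current, proposed, reductionPct: ((current - proposed) / current) * 100 };
  });
  const sum = (k) => threats.reduce((acc, t) => acc + t[k], 0);
  const maxValue = rows.length * 1000;   // all three values at 10 for every threat
  const totalCurrent = sum('current'), totalProposed = sum('proposed');
  return {
    threats, totalCurrent, totalProposed, maxValue,
    totalReductionPct: ((totalCurrent - totalProposed) / totalCurrent) * 100,
    avgCurrent: totalCurrent / rows.length,
    avgProposed: totalProposed / rows.length,
    overallCurrentPct: (totalCurrent / maxValue) * 100,
    overallProposedPct: (totalProposed / maxValue) * 100,
  };
}

// The n threats with the highest RPN under one architecture ('current' or
// 'proposed'); Section V lists the top four of the unsecured architecture.
function topThreats(rows, which, n) {
  return analyse(rows).threats.sort((a, b) => b[which] - a[which]).slice(0, n).map((t) => t.name);
}
```

Because the three factors are multiplied, a single change in Detectability (for example from 9 to 3 for device cloning) moves a threat from the top of the ranking to the middle, which is the effect the paper relies on when it argues that the value of the method lies in relative ordering rather than absolute numbers.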

ACKNOWLEDGMENT
We would like to acknowledge the assistance of Rene Struik and Darryl Parisien of Certicom. Ron Olson implemented the framework on the TinyOS platform, and Ping Liu also provided assistance in the project management.

REFERENCES
[1] Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, 2002. Wireless sensor net-
[2] "Wireless Sensors: Where Are the 800-Pound Gorillas?", Frost & Sullivan, 2 Jan 2003, Industrial Automation.
[3] http://www.moteiv.com/
[4] Chipcon CC2420 Data Sheet. http://www.chipcon.com/files/CC2420_Data_Sheet_1_4.pdf
[5] S. A. Camtepe and B. Yener, "Key Distribution Mechanisms for Wireless Sensor Networks: a Survey", Rensselaer Polytechnic Institute.

[6] IEEE 802 Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (LR-WPANs). Available: http://standards.ieee.org/getieee802/download/802.15.4-2003.pdf
[7] N. Sastry, D. Wagner, "Security Considerations for IEEE 802.15.4 Networks", in Proceedings of the 2004 ACM Workshop on Wireless Security, Philadelphia, PA, USA, 2004.
[8] ZigBee Alliance. http://www.zigbee.org
[9] R. Needham and M. Schroeder, "Using Encryption for Authentication in Large Networks of Computers", Communications of the ACM, 21(12), December 1978.
[10] J. G. Steiner, C. Neuman, and J. I. Schiller, "Kerberos: An Authentication Service for Open Network Systems", January 1988.
[11] A. Perrig, R. Szewczyk, V. Wen, D. Culler, D. Tygar, "SPINS: Security Protocols for Sensor Networks", Proceedings of the Seventh Annual International Conference on Mobile Computing and Networks (MOBICOM 2001), July 2001.
[12] R. Anderson, M. Kuhn, "Tamper Resistance – a Cautionary Note", Proceedings of the Second USENIX Workshop on Electronic Commerce, 1996.
[13] A. Becher, Z. Benenson, M. Dornseif, "Tampering with Motes: Real-World Attacks on Sensor Networks", 3rd International Conference on Security in Pervasive Computing (SPC), April 2006, York, UK. http://pi1.informatik.uni-mannheim.de/publications/pdf/tampering-with-motes-real-world-attacks-on-wireless-sensor-networks
[14] B. Barnett, "A Practical Top-down Threat Assessment using 6-Sigma Methodology", GE Technical Report, 2004.
[15] ISA-SP100, Wireless Systems for Automation. www.isa.org/isasp100/

Invited Talk: Traffic Analysis Resilient MAC for Multi-Hop Wireless Networks
Nael Abu-Ghazaleh
Binghamton University, SUNY

Traffic analysis attacks in multi-hop wireless networks can extract valuable information about the data as well as expose the structure of the network, opening it up to focused attacks on critical nodes. For example, jamming data sinks in a sensor network can cripple the network. We propose a new approach for ensuring traffic analysis resilience in multi-hop wireless networks. Each node broadcasts the data that it has to transmit according to a fixed transmission schedule that is independent of the traffic being generated, making the network immune to time correlation analysis. The transmission pattern is identical at all nodes, with the exception of a possible time shift, removing spatial and temporal correlation of transmissions to data or to network structure. The scheme takes advantage of the omni-directional nature of wireless transmission: data for all neighbors are sent in one encrypted packet. Each neighbor then decides which subset of the data in a packet to forward onwards using a routing protocol whose details are orthogonal to the proposed scheme. We analyze the performance of the basic scheme, exploring the tradeoffs in terms of frequency of transmission and packet size. We also explore improvements to the scheme, including adapting the traffic pattern and using multi-path routing to take advantage of the available capacity in underutilized portions of the network.
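The fixed-schedule behaviour described in this abstract, modelled as an added example (not code from the talk or its author): one node emits a fixed-size packet every SLOT time units at its own phase offset and packs the data queued for all neighbours into that packet, so the (time, size) trace a passive observer records is the same for bursty, trickle or no traffic, while an on-demand sender reproduces the arrival pattern on the air. SLOT, PAYLOAD, the offsets and the sample traffic are constructed assumptions; encryption, per-record headers and the routing decision are left out.

```python
"""Timing model of a fixed-schedule broadcast MAC versus an on-demand sender.

Each node emits exactly one fixed-size packet every SLOT time units, shifted by
its own phase offset, and aggregates the data queued for all neighbours into
that single packet, padding with dummy bytes when little or nothing is queued.
A passive observer who logs (time, size) for every transmission therefore sees
the same trace whatever the traffic. SLOT, PAYLOAD, the offsets and the sample
traffic below are constructed assumptions, not values from the talk.
"""
from collections import deque

SLOT = 8       # period between transmissions, in abstract time units (assumed)
PAYLOAD = 48   # fixed over-the-air payload size in bytes (assumed)


def fixed_schedule_trace(traffic, offset, horizon):
    """Run one node under the fixed schedule for t in [0, horizon).

    traffic: list of (arrival_time, neighbour, nbytes) for data this node
             must send on to each neighbour.
    offset:  this node's phase shift within the common schedule.
    Returns (observed, delivered): observed is the list of (time, size) an
    eavesdropper records; delivered maps neighbour -> real bytes carried
    (padding excluded). Per-record headers and encryption are omitted because
    they do not change the timing argument.
    """
    pending = deque(sorted(traffic))
    queue = deque()                  # (neighbour, bytes) still waiting to go out
    observed, delivered = [], {}
    for t in range(horizon):
        while pending and pending[0][0] <= t:
            _, nb, n = pending.popleft()
            queue.append((nb, n))
        if (t - offset) % SLOT != 0:
            continue                 # not our slot: stay silent, however much is queued
        room = PAYLOAD
        while queue and room > 0:    # pack data for every neighbour into one packet
            nb, n = queue.popleft()
            take = min(n, room)
            delivered[nb] = delivered.get(nb, 0) + take
            room -= take
            if n > take:             # record did not fit: carry the rest to the next slot
                queue.appendleft((nb, n - take))
        observed.append((t, PAYLOAD))  # always PAYLOAD bytes: padding hides the real share
    return observed, delivered


def on_demand_trace(traffic, horizon):
    """Contrast case: transmit each item when it arrives, sized to the data."""
    return [(t, n) for t, _nb, n in sorted(traffic) if t < horizon]


def padding_bytes(observed, delivered):
    """Dummy bytes spent to keep the schedule fixed: the cost side of the tradeoff."""
    return len(observed) * PAYLOAD - sum(delivered.values())


# Constructed sample traffic: (arrival time, neighbour id, bytes)
BURSTY = [(2, "B", 30), (3, "C", 40), (4, "B", 10), (40, "D", 20)]
SILENT = []
TRICKLE = [(t, "B", 5) for t in range(0, 64, 7)]

if __name__ == "__main__":
    obs_bursty, dlv = fixed_schedule_trace(BURSTY, offset=3, horizon=64)
    obs_silent, _ = fixed_schedule_trace(SILENT, offset=3, horizon=64)
    print("fixed schedule, bursty vs silent identical on the air:", obs_bursty == obs_silent)
    print("real bytes delivered:", dlv, "padding spent:", padding_bytes(obs_bursty, dlv))
    print("on-demand, bursty vs silent distinguishable:",
          on_demand_trace(BURSTY, 64) != on_demand_trace(SILENT, 64))
```

Raising SLOT or shrinking PAYLOAD lowers the padding cost but lengthens the queue carried between slots, which is the frequency-versus-packet-size tradeoff the abstract mentions.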

Transnational Criminal Internet Activity in Academic Institutions: Assessing the Issues and Developing Solutions for Policy and Practice
Steffani Burd, Ph.D., Matthew Haschak, Scott Cherkin
Information Security in Academic Institutions (ISAI)
225 East 85th Street, Suite 301
New York, NY 10028 USA

Abstract- Transnational criminal activity conducted via the Internet is an emerging area of concern for public safety and security. Incidents include identity theft, denial-of-service attacks, fraud and infiltration of government and private organizations. Increasingly, these incidents are propagated by computers infected by malicious software, creating a thriving black market for organized criminals, foreign nationals and terrorists. Adverse consequences include compromised private data and intellectual property, substantial financial losses, funding of criminal and terrorist activities, and potential compromise of critical infrastructure and national security. As targets in private and government sectors improve protection of their information assets and infrastructure, perpetrators are shifting to softer targets. America’s colleges and universities are particularly attractive due to their relatively open networks, significant computing power, diverse users, abundant private information and intellectual property, and links to government, military and research institutions. While academia’s networks are generally considered more vulnerable to transnational criminal Internet activity than other sectors, little research has addressed this issue. The purpose of this article is three-fold. First, it describes unique characteristics of academic institutions that provide opportunities for transnational criminal Internet activity (e.g., the tension between culture and security, diverse users and access methods, sensitive information, and high-risk activities on academia’s networks). Second, it addresses the potential impact of transnational criminal Internet activity in academic institutions, including compromised private data, financial losses, and potential attacks on U.S. critical infrastructure. Third, this article describes how changes in policy, use of information from a variety of sources, and application of empirical data and a proposed ‘roadmap’ may help combat this emerging threat to public safety and security.

I. INTRODUCTION

Transnational criminal activity conducted via the Internet is an emerging area of concern for public safety and security. Incidents include identity theft, denial-of-service attacks, fraud and infiltration of government and private organizations. Increasingly, these incidents are propagated by computers infected by malicious software, creating a thriving black market for organized criminals, foreign nationals and terrorists. Adverse consequences include compromised private data and intellectual property, substantial financial losses, funding of criminal and terrorist activities, and potential compromise of critical infrastructure and national security.

As targets in private and government sectors improve protection of their information assets and infrastructure, perpetrators are shifting to softer targets. America’s colleges and universities are particularly attractive due to their relatively open networks, significant computing power, diverse users, abundant private information and intellectual property, and links to government, military and research institutions. Although academia’s networks are generally considered more vulnerable to transnational criminal Internet activity than other sectors, few data-based recommendations for policy and practice have been developed to date.

II. INFORMATION SECURITY IN ACADEMIC INSTITUTIONS

“College and university systems are a natural target for hackers. They are large systems, often include public-use labs, and so the identity of a computer cracker can often be easily concealed within the system” [1]. Due to the unique characteristics described below, academic institutions may be disproportionately vulnerable to transnational criminal activity.

Tension between culture and security. Inherent tension exists between the academic culture and security requirements. In the private sector, company policy dictates that computers and intellectual property belong to the organization, and employees typically sign a form acknowledging this policy, thereby accepting limited functionality. The culture of academia, conversely, is built on openness, free speech, learning, information sharing and experimentation. Any attempt to limit this culture may be met with a backlash from students, faculty, staff, and university executives.

Diverse users and access methods. In an academic environment, the network is accessed by many users with different ideas, responsibilities, and access methods. Users include students and faculty on-campus (residence halls, classes, computer centers), students and faculty off-campus (remote access, sharing access), and IT staff and systems administrators (onsite and remote administration). Systems
47
administrators face an extraordinarily un-standardized
network environment. For example, students in residence
halls are typically first- and second-year students with a
turnover rate of 50% per year [2]. Fig. 1. Top 10 challenges and number of full-time information security staff
Sensitive information. Universities house private
information about faculty and students including social members dedicated to information security. Further, over
security number, date of birth, credit card details, driver’s half of these participants indicated that the consequences for
license number, financial and information, and grades. In violating their institution’s policy over the past 12 months
addition, academic institutions have been at the forefront of are either inconsistent or nonexistent.
research and development efforts for most technology Increasing vulnerability of academic sector. The gap
innovations in the country. In some cases, this intellectual between academia and other sectors will continue to widen
property is strictly governed by security policies with the in the future, unless remediating actions are taken. The
federal government, as they share information with the private and government sectors are improving their
Defense Department (DoD), Department of Homeland information security posture in response to laws and
Security (DHS) and Defense Advanced Research Projects regulations such as Sarbanes Oxley (SOX), Health
Agency (DARPA). Nonetheless, huge gaps endanger the Insurance Portability Accountability Act (HIPAA), and
security of personal and intellectual information. Federal Information Security Management Act (FISMA).
High-risk activities on academia’s networks. A critical While some divisions of academic institutions may be
attribute of information security in academic institutions is impacted, no overall mandates are driving improvements
the high-risk activities on academic institutions’ networks, academic institutions. Perpetrators of transnational criminal
including peer-to-peer (P2P) networking, instant messaging activity, such as organized and petty criminals, hackers,
(IM), and e-learning. Innovations in sharing information terrorists and experimenters are bound to exploit this
have created some of the most severe security and privacy emerging gap and the associated opportunity to execute
vulnerabilities, and universities are particularly at risk due to their illicit Internet activities.
their open cultures. The ramifications of this openness are
detailed by the House of Representatives Committee on III. TRANSNATIONAL CRIMINAL ACTIVITY IN ACADEMIC
Government Reform, in which the committee discovered that INSTITUTIONS
via Kazaa, private information residing on users computers
was readily available, including completed 1040s, military America’s colleges and universities experience a broad
records, a living will, personal inbox, and the narcotics range of information security incidents, as described briefly
inventory on a Naval ship [3]. in the following paragraphs.
Inadequate sponsorship and resources. Academic
institutions face a variety of challenges in maintaining A. Types of Incidents in Academic Institutions
information security at their institutions. According to a Hacking. Hacking has become a serious problem on
several-year study of information security in academic university networks and may originate from “inside”
institutions [4], the two most widely cited high-impact (e.g., students, staff, or faculty) or the “outside” (e.g.,
challenges relate specifically to the academic environment: hackers, terrorists, organized criminals). Those with
privacy concerns and academic freedom. Additionally, as malicious intent can exploit academic institutions’
illustrated in Fig. 1 below, of the top ten high-impact vulnerabilities with little risk of detection. In an empirical
challenges, roughly two-thirds related directly to cultural assessment of two academic institutions’ network activity
issues, such as executive-level support of initiatives, [4], approximately 2 million attack attempts violating their
executive-level awareness of issues, resistance to security information security policy were identified in just four
measures, and insufficient awareness of information security months. Approximately half of these attempted attacks
issues. This dearth of support and awareness is clearly involved international entities. Specifically, as illustrated in
reflected in inadequate resource allocation. For example, Fig. 2 below, of the 1,760,083 inbound attack attempts, 176
according to this study and also illustrated in Fig. 1 below, countries were associated with 88% of these attempts. Of
over half of the survey participants do not employ a full-time the 82,777 outbound attack attempts, 89 countries were
Information Security Officer or person with similar involved in 88% of these attempts.
responsibility and over half have zero full-time staff

48
TABLE 2:
ACADEMIC INSTITUTIONS’ REPORTED BREACHES OVER PAST SIX-MONTHS

Date Made Organization Number


Public
Aug. 1, 2006 Wichita State University 2,000
Aug. 1, 2006 Wichita State University 40
Aug. 15, 2006 University of Kentucky 630
Aug. 15, 2006 University of Kentucky 80
Aug. 26, 2006 University of South Carolina 6,000
Sept. 1, 2006 Virginia Commonwealth University 2,100
Sept. 8, 2006 University of Minnesota 13,084
Sept. 20, 2006 Berry College (via consultant) 2,093
Sept. 22, 2006 Purdue University College of Science 2,482
Fig. 2. Countries associated with inbound and outbound attack attempts Sept. 22, 2006 University of Colorado-Boulder 1,372
Sept. 29, 2006 University of Iowa 14,500
Sept. ??, 2006 Adams State College 184
Espionage. Espionage and information gathering also
Oct. 12, 2006 University of Texas at Arlington 2,500
occurs via academic institutions. The recent Stakkato Oct. 19, 2006 University of Minnesota / Spain 200
incident, in which several academic and research Nov. 1, 2006 U.S. Army Cadet Command 4,600
institutions, military entities and NASA were breached by a Nov. 3, 2006 University of Virginia 632
Swedish teenager [5] demonstrates the vulnerabilities of Nov. 17, 2006 Jefferson College of Health Sciences 143
academic institutions and critical infrastructure. Academic Dec. 5, 2006 Nassau Community College 21,000
Dec. 9, 2006 Virginia Commonwealth University 561
institutions may be particularly vulnerable to these Dec. 12, 2006 University of California - Los Angeles 800,000
activities. Student organizations supporting extremist Dec. 12, 2006 University of Texas – Dallas 6,000
agendas are increasing apace, particularly in Europe and the Dec. 15, 2006 University of Colorado – Boulder 17,500
U.S. Table 1 below presents examples of incidents obtained Dec. 19, 2006 Mississippi State University 2,400
from just one participant’s log files on a Sunday evening Dec. 22, 2006 Texas Woman's University 15,000
Dec. 27, 2006 Montana State University 259
from the Higher Education Network Analysis (HENA) tool.
Jan. 11, 2007 University of Idaho 70,000
While tracking transnational criminal activity was not in the
study’s scope, a significant number of perpetrators were
Director of a large public university stated, “We have
identified probing the HENA platform.
botnets all over campus, and I’m not sure anyone wants to
Botnets. Because of their open nature, academic
know that’s really the case,” [7].
networks may be disproportionately vulnerable to bot
Data compromise. Academic institutions may also
infections. In “What You Need To Know About Botnets!”
serve as an effective gateway to sensitive targets with which
[6], the Multi-State Information Sharing Analysis Center
they share information, including government and critical
(MS-ISAC) provided three examples of botnet infections
infrastructure entities. Terrorist, organized criminal, and
and noted that all three botnet controllers were traced back
espionage groups have opportunity to exploit these
to universities. In one case, an infected computer had 7,200
weaknesses and cause harm with attacks ranging from
connections to other compromised computers worldwide.
distributed-denial-of-service attacks to viruses with
The student who owned the infected machine, which was
damaging payloads. Indeed, incidents involving the
acting as a zombie botnet controller, had no idea the
compromise of personal data from academic institutions are
computer was infected. In a subsequent webcast by the MS-
widespread. For example, Table 2 below lists private data
ISAC in conjunction with the Department of Homeland
compromises reported in just the past six months [8]:
Security’s US-CERT, three groups were identified as most
vulnerable to botnets: 1) universities and schools; 2) home
B. Impact on Public Safety, Policy and Practice
broadband users; and 3) the mobile workforce. As an IT
Increasingly frequent and severe incidents are occurring
TABLE 1. in academic institutions, highlighting that they may not be
ONE STUDY PARTICIPANT’S LOG FILES OF ESPIONAGE-RELATED ATTEMPTS adequately prepared to defend against attacks or detect
Incident Source attacks emanating from their own networks. Because
An attempt from China to access An account in Beijing, China – network security is only as strong as the weakest link in the
a Trojan program CNCGROUP Heilongjiang chain, it is incumbent on policy makers to identify and
province network.
An attempt from Canada to An account in Halifax, Canada –
quantify the risks, help prevent incidents, and mitigate their
exploit a Microsoft database in Andara High Speed Internet c/o impact after occurrence. Below is a list of potential
the university Halifax Cablevision LTC impacts of transnational criminal activity in academic
An attempt from Vietnam to An account in Hanoi, Vietnam -- institutions on public safety, policy and practice.
exploit a buffer overflow in the Vietnam Posts and Compromised private data. As indicated in the
popular sendmail mail server Telecommunications Corp
(VNPT) previous section, incidents involving the theft of data
Multiple attempts from Korea to An account in Seoul, Korea - belonging to students, applicants, faculty, and staff are
gain access to university’s Network Management Center increasing at an alarming rate. For example, the names,
system. Probably following a SSNs, birth dates, home addresses, and contact information
buffer overflow attack

49
of 800,000 individuals at the University of California Los IV. RECOMMENDATIONS FOR POLICY AND PRACTICE
Angeles (including current and former students, current and
former faculty and staff, parents of financial aid applicants, As transnational criminal activity via the Internet
and student applicants) were compromised when hackers burgeons and perpetrators move from better-protected
gained access to a database in December 2006 [9]. Personal private and government entities to softer targets, academic
information for 70,000 alumni, donors, employees, and institutions may represent a disproportionate vulnerability to
students from the University of Idaho were reported public safety. This concern is compounded by the
compromised when three desktop computers were stolen increasing inter-connectedness with government, military,
from the Advancement Services Office, and 331,000 private sector, and critical infrastructure entities. Since
individuals may have been exposed [10]. This brings the peer-to-peer file-sharing programs became popular in the
total breaches reported by colleges and universities in less late 1990s, college campuses have been perceived as a Wild
than six months to 985,360 – almost 10% of quantified West of profligate bandwidth use and lax security—a
breaches across all sectors. This percentage is particularly perfect digital haven for cybercriminals and ideal incubator
staggering when one considers the volume of records for transnational criminal activities. These concerns need
routinely handled by other sectors such as banking and to be addressed with data-based recommendations for policy
finance, healthcare and the government. and practice. Following is a brief review of current policy
Financial losses. A more gradual, but certainly crippling, and practice, with recommendations for addressing the
effect on public safety and security arises from financial issues facing academic institutions and, ultimately, public
losses incurred. For example, the international organization safety and security.
Shadowcrew traded in over 1.7 million stolen credit card
numbers and incurred over $4 million total losses before it A. Policy
was closed down in October 2004 [11]. According to the Transnational cybercrime policy. Transnational
FTC, the economy absorbed $52 billion in losses resulting cybercrime policy is currently fragmented internationally,
from goods and services purchased with fraudulently due to differing governments’ understanding of the threats,
obtained personal identification in 2004 [12]. All together, conflicting laws within sovereign countries, and the
9.3 million people suffering from identity theft in 2004, necessity of a coordinated global effort. For example, the
requiring an average of 28 hours of work to rectify the Convention to the Senate submitted by President Bush
situation [13]. Beyond fraud and identity theft, financial November 17, 2003 has faced a number of challenges. “The
losses result from destruction from worms and viruses. United States and the Commission clearly agree on many of
Again, this issue is of particular concerns for academic the key principles . . .However, we believe that additional
institutions: an informal survey of nineteen research discussion is needed before we can reach broad international
universities shows that each spent an average of $299,579 consensus on other core issues” [17]. The G-8’s
during a five-week period undo the havoc wrought by the “Recommendations for Enhancing the Legal Framework to
Blaster worm. Of the universities surveyed, Stanford Prevent Terrorist Attacks” [18] laid out a call to the
University spent the most: $806,000 to repair 6,000 international community to join together to fight
computers and 18,420 hours to rebuild machines [14]. transnational crime and terrorism. Although these
Attack on the U.S. critical infrastructure. Perhaps the recommendations provide quality thought leadership, they
most frightening incident in which networks’ vulnerabilities face significant challenges in practice due to fragmented
can be exploited is a distributed-denial-of-service-attack international laws. Until effective transnational cybercrime
(DDOS) on the U.S. critical infrastructure, in which policy is established and implemented, academic institutions
university computers unwittingly serve as zombies. must rely upon U.S.-based policy and their own methods of
Elements of this type of attack have already occurred many protecting information assets and associated infrastructure.
times. In October 2002, a DDOS attack was executed on U.S. Policy, Laws and Regulations. The U.S.
the thirteen “root servers” which provide the basis for government is actively addressing cybercrime and privacy
almost all Internet communication globally. Fortunately, issues through strategies, laws and regulations at the federal,
safeguards built in to the system prevented slowdowns and state and local levels. For example, the President’s National
outages, but a more prolonged or extensive attack could Strategy to Secure Cyberspace [19] Actions and
have caused serious damage [15]. The DDOS attack on Recommendations 1-7 encourage corporations to participate
Microsoft (February 2004) demonstrates speed and in industry-wide Information Sharing Analysis Centers
effectiveness of this method. The compromise of 911 (ISACs) that share information on technology security
systems (November 2003) demonstrates the catastrophic threats and best practices. Colleges and universities are also
effect on public safety. On May 5, 2006, 20-year-old encouraged to consider establishing: 1) one or more ISACs
Christopher Maxwell pled guilty to launching a bot network to deal with cyber attacks and vulnerabilities; and 2) an on-
attack that compromised computers at a Seattle hospital and call point-of-contact to Internet service providers and law
several universities using 13,000 distributed computers to enforcement officials, in the event that the institution’s
earn about $100,000 [16]. networks are discovered to be launching cyber attacks.

50
Federal laws and regulations are also actively addressing that employed by the National Security Agency in
cybercrime through Sarbanes-Oxley, the Gramm-Leach establishing and accrediting its NIETP program, the NSF
Bliley Act, Health Insurance Portability Accountability Act, could require a demonstrated baseline level of information
and Payment Card Industry Data Security Standards. Sate- security prior to granting funding for research.
level laws, such as California’s SB1386, are also markedly
improving accountability for reporting potential breaches. C. Next Steps: A Roadmap for Improving Information
However, these policies, laws and regulations do not Security in Academic Institutions
specifically address academic institutions. A number of data-based and focused activities, or a
Without legal or regulatory pressures upon the “roadmap”, may by implemented to reduce the frequency
institutions, accountability at the senior executive and board and impact of information security incidents in academic
of director levels will continue to founder and critical institutions. This roadmap provides practical
resources will not be provided. Further, as other sectors recommendations and is based on a risk management
improve their protection, the potential for transnational approach, which ensures the institution’s most critical
criminal Internet activity in America’s colleges and information assets and associated systems are adequately
universities will continue to increase at a marked pace. protected. This approach maximizes both resource
allocation and protection of information assets and systems.
B. Practice Six inter-related steps are recommended for participants in
Organizations. The U.S. government has been creating achieving a baseline level of information security:
organizations to detect and prevent cybercrime as well as 1. Locate and classify information assets;
developing robust research and thought leadership that is 2. Build awareness and executive-level support;
disseminated through the country. The Multi-State 3. Tighten security policy;
Information Sharing Analysis Center (MS-ISAC) is a focal 4. Establish mandatory training;
point for gathering information on cyber threats to critical 5. Automate and institute processes; and
infrastructure among all 50 US States. It has also 6. Empirically assess activity.
highlighted the potentially disproportionate vulnerability Each of these steps, as illustrated in Fig. 3 below, is
that academic institutions pose in facilitating cybercriminal described in the following paragraphs.
activity such as botnets. The REN-ISAC (Research and
Recommendation #1: Classify Information Assets.
Education Networking Information Sharing and Analysis),
Asset classification involves locating information assets and
one of the ISACs established to address critical
their associated systems, then classsifying them as high,
infrastructure protection, focuses on analysis, dissemination
moderate, or low impact with respect to the impact of
and early warning systems. The Justice Department’s
maintaining their confidentiality, integrity, and availability.
Computer Crime and Intellectual Property Section (CCIPS)
This step is important in the academic setting, where
is responsible for implementing the Department's national
resources are limited and valuable data and systems may be
strategies in combating computer and intellectual property
scattered throughout multiple departments, campuses, states,
crimes worldwide. The Computer Crime Initiative
and even countries. Asset classification helps the
(www.cybercrime.gov) is a comprehensive program
information security professional focus resources and ensure
designed to combat electronic penetrations, data theft, and
the institution’s most critical information assets and systems
cyberattacks on critical information systems. CCIPS
have adequate protection. Locating and classifying
prevents, investigates, and prosecutes computer crimes by
information assets and associated systems may be an
working with other government agencies, the private sector,
overwhelming task in academia’s decentralized
academic institutions, and foreign counterparts.
environment, but it is a critical step to improving protection
Cybersecurity in academic institutions is also addressed
of the institution’s information and infrastructure.
by non-government organizations. ECAR, the Educause
Center for Applied Research, conducts high-quality studies
that explore issues of academic institutions. Several #1: Classify
research studies, particularly “Information Technology Information Assets
Security: Governance, strategy, and practice in higher #6: Empirically #2:Build Awareness
education” [21] provide excellent insight into cybersecurity Assess Activity & Executive Support
issues of academic institutions. The EDUCAUSE/Internet2
Security Task Force is accomplishing great strides in
developing next generation networking standards and #5: Automate & #3: Tighten
Institute Processes Policy
protocols that embed security (i.e. IPv6).
A critical and, to date, under-utilized recommendation for #4: Establish
Mandatory Training
improving information security in academic institutions is to
leverage the funding through organizations such as the
National Science Foundation. Using a method similar to Fig. 3. Six steps in recommended information security roadmap

51
Classifying information assets and associated systems Recommendation #3: Tighten Policy. Astraightforward,
involves three steps: consistently enforced information security policy ensures
1. Locate and identify information assets and associated end users are aware of – and act in accordance with – the
systems; institution’s desired rules and practices. A policy that is
2. Classify their impact as high, moderate, or low with realistic, enforceable, and measurable provides end users
regard to maintaining confidentiality, integrity, and with a clear understanding of which activities they should
availability; and should not conduct. Consequences for violating this
3. Document these assets to build senior administration’s policy that are meaningul and consistently enforced provide
awareness and to identify appropriate information incentive for end users’ compliance. Tightening the policy
security controls. is particularly effective in when implemented conjuntion
Outcomes of adopting a risk management approach with informing end users of of critical information assets
include: 1) information assets and their associated systems and systems, boosting awareness of key issues, and
are located and identified; 2) an initial classification of these conducting training on addressing these issues. Developing,
assets has been completed; and 3) the first cut at an ratifying, distributing, and enforcing the information
information asset database has been created. security policy is a complex task in the academic
environment. Academia’s unique characteristics (e.g.,
Recommendation #2: Build Awareness and
culture of openness and academic freedom, a variety of
Executive-Level Support. Information security is relevant
powerful stakeholders with divergent perspectics, long lead-
to the institution’s diverse end users – including faculty,
time requirements for change, high end user turnover,
students, staff, affiliates and senior administration – for
varying views on appropriate disciplining for students,
different reasons. However, the overarching goals of
faculty, staff and senior administration) make tightening the
building awareness for all of these end users are simply that;
information security policy particularly difficult.
a) they are aware of how they may affect information
Four steps are involved in this recommendation:
security;
1. Develop and ratify the information security policy -- at
b) they know how to respond if they suspect an incident;
senior administration level.
and c) information security professionals within the
2. Obtain agreement on consequences for violating the
institutions have sufficient support to accomplish their
information security policy (address consequences
objectives. Building awareness of information security
regarding both frequency and severity of violations)
can be a difficult activity in the academic environment with
3. Require all end users – faculty, senior administrators,
high student turnover, both full-time and part-time end
staff, students, affiliates – to read and agree to the
users, multiple campuses, and a range of access methods.
information security policy and its consequences prior to
Building executive-level support of information security can
granting access to the network.
be particularly difficult, as it is often perceived as a threat to
4. Obtain agreement from all endusers every semester prior
the culture of openness and academic freedom and a source
to granting access to the network.
of cost and tension. This difficulty is compounded by the
Outcomes of tightening the information security policy
current lack of accountability for breaches and
include: 1) the policy is agreed upon at the senior
compromises.
administrative level; 2) the policy is documented; 3) faculty,
Building awareness and executive-level support involves
students, staff, affiliates and senior administration are
four steps:
provided with and agree to the policy and its consequences.
1. Obtain senior administration’s support by educating them
Recommendation #4: Establish Mandatory Training.
on key issues and ramifications;
Mandatory training ensures that end users are aware of the
2. Ensure faculty understands the integrity of their research
security risks associated with their activities and they are
and reputation may be on the line;
sufficiently trained to carry out these activities without
3. Collaborate with staff to ensure how their roles may
posing a threat to the institution’s information security.
impact information security is addressed;
Training end users in how to appropriately handle
4. Teach students simple methods to improve infosecurity
information and associated systems is critical to achieving
and provide outlets for experimentation.
results from other activities, such as boosting awareness,
Outcomes of this recommendation include: 1) increasing
tightening policy, using institutionalized practices, and
senior-level support and securing an appointed champion (if
assessing outcomes. End users need to know which
not full-time staff member) for information security; 2)
activities are appropriate and also how to conduct these
increasing faculty awareness of the potential benefits to
activities. Ensuring that end users are aware of – and
securing their research and data and thereby, hopefully,
sufficiently skilled to act upon – the desired behaviors is a
reducing their resistance to security measures; 3) further
difficult task in academic institutions. Challenges such as
improving staff awareness and practices; and 4) increasing
high end user turnover, diverse access methods, divergent
students’ understanding of ramifications of their actions for
computer usage goals, and high-risk activities are
the entire campus’s security.
exacerbated by the culture of openness and experimentation.

An efficient and effective mandatory training program involves five steps:
1. Identify baseline training requirements for all end users (e.g., basic network usage, simple secure practices, installing and maintaining antivirus and antispyware software) and obtain senior administration's buy-in to these training requirements.
2. Design a simple, short overview session for all end users (including faculty and senior administration) that is a requirement for accessing the network.
3. Develop role-based training according to end users' activities and relationships to the institution's information assets and associated systems.
4. Develop a refresher/update course for end users that have completed the overview session; this should be required every semester for access to the network.
5. Ensure mandatory training is completed by every end user prior to accessing the network and that refresher/update training is completed every semester.

Outcomes of establishing mandatory training are: 1) end users know basic steps to improve information security; 2) end users know basic steps of what not to do regarding information security; 3) end users are aware of the consequences of compromising information security; 4) end users are aware of who to call if they suspect a compromise.

Recommendation #5: Automate and Institutionalize Processes. Information security processes that protect the confidentiality, integrity, and availability of the institution's information and systems may involve management, operational, and/or procedural activities. Appropriately automated and institutionalized processes streamline key information security activities, define end users' required behavior, and address issues in a standardized and timely manner. Automating and institutionalizing processes in academia can be very difficult. In the decentralized environment, processes may not be aligned at an institutional level because each academic and administrative department, division, or campus has developed its own processes over time. End users access the system via multiple access methods, often using their own computers, many of which are differently configured.

Four steps are involved in automating and institutionalizing processes:
1. Identify key processes for achieving the institution's desired baseline level of information security.
2. Inform senior administration of the issues and their repercussions and, using a collaborative process, develop a prioritized list of policies to automate/institutionalize with rough timeframes.
3. Identify required resources (e.g., financial, staffing, consulting, hardware, software) and sources of information, using best practice when possible.
4. Ensure ongoing communication and progress reporting to senior administration and end users.

Outcomes of the activities involved in automating and institutionalizing processes include: 1) a prioritized list of processes to be automated and/or institutionalized which has support from senior administration; 2) targeted sources of information and best practice to maximize effectiveness and minimize extra work or re-work; 3) a roll-out plan based on the prioritized list and necessary resources (e.g., financial, staffing, hardware or software requirements).

Recommendation #6: Empirically Assess Activity. Empirically assessing activity involves evaluating the institution's information security controls, processes, and outcomes to determine their effectiveness and methods for improvement. Empirical assessments that clearly indicate remediation actions for the controls, processes, or outcomes are particularly useful. Given the variety of stakeholders, end users, access methods, computers, and networks, academic institutions often have the opportunity to integrate disparate assessments from across the decentralized structure to develop a holistic view of the institution.

Five steps are involved in empirically assessing activity:
1. Prioritize the most important controls, processes, and measures to be assessed, based on asset classification.
2. Determine the gap between current and desired assessments.
3. Identify how to close the gaps by reviewing current policies and practices, comparing to targets, conducting peer benchmarking, and developing a remediation plan.
4. Follow up and compare metrics annually. Report outcomes of these comparisons to senior administration and end users.
5. Refine the process to achieve continuous improvement. The environment and institution are dynamic, so the controls, processes and outcomes must be continually re-evaluated.

Outcomes of empirically assessing activity include: 1) a prioritized list of controls, processes and measures to be assessed; 2) plans for how to close the gaps between current and desired measurement activities; 3) an ongoing, meaningful, actionable assessment of activities and their impact on the institution's information security.

D. Future Research.

Policy development at transnational, national, state, local and university levels should be informed by objective, independent data demonstrating the critical issues and their ramifications. Empirical assessment of actual activity, coupled with data-based recommendations for policy and practice, is needed to spur development of policy and practice for these various stakeholders in the public's safety and security. Future research should focus on the following areas:

Empirically assess transnational criminal activity in academic institutions. Meaningful empirical assessment of transnational criminal activity in academic institutions is based on two elements: 1) measuring types and levels of transnational criminal activity in academic institutions and 2) measuring types and levels of transnational criminal activity in other organizations (e.g., private sector,

government). Once transnational criminal activity for academia and other organizations outside academia has been empirically assessed, a data-driven assessment of whether academic institutions are disproportionately vulnerable to transnational crime can be derived.

Develop cost-effective, efficient tools to detect and prevent different types of transnational crime. A variety of tools to detect and prevent specific components of transnational criminal activity are currently being developed by researchers. However, they have not been integrated for a holistic perspective of transnational criminal activity.

Establish collaboration between at-risk institutions to identify and prevent transnational crime. Once tools to detect specific components of transnational criminal activity are developed, collaboration amongst at-risk academic institutions can be established. This collaboration, both within countries and across national borders, can be accomplished via ad hoc cooperation and multinational task forces. However, due care must be taken – particularly with academic institutions – to ensure the freedoms of science, research and teaching.

V. CONCLUSION

In conclusion, as illicit activity via the Internet accelerates and perpetrators move from better-protected private and government entities to softer targets, academic institutions face a barrage of attacks (e.g., data theft, malicious software infections, compromise of network services, infiltration of other entities). Adverse impacts of information security incidents include compromised private data and intellectual property, substantial financial losses, and potential threats to critical infrastructure, public safety and national security. Although academia's networks are generally considered more vulnerable to transnational criminal Internet activity than other sectors, few data-based recommendations for policy and practice have been developed to date. It is recommended that, while effective transnational cybercrime and relevant U.S.-based laws and regulations are being developed, academic institutions implement a five-step roadmap for proactively establishing a baseline level of information security. All of our systems are connected and problems in one sector directly affect others. Unless we diagnose the unique vulnerabilities that exist in higher education and realign how those networks interoperate and share information securely, our systems will remain insecure and public safety and homeland security may suffer as a result.

Countering Hypermedia Seduction for Terrorist Recruiting
Katharina von Knop
Freie Universität Berlin

Terrorist groups use the Internet to drive every aspect of their business: Psychological Warfare, Data Mining, Fund-Raising, Recruitment and Mobilization, Planning & Coordination and Internet Indoctrination. Radicalization of individuals is a group-dynamic process often activated or boosted by radical Islamic websites. Terrorism and anti-terrorism are based on narratives, and whichever story is able to persuade the majority of people will win. I argue that the West is losing the war on terrorism because our story is not persuasive enough and that we do not use the gateway of mass persuasion, the Internet, effectively enough. In fighting radical terrorist groups, it will take more than firepower to win the battle of ideas, which has to be fought on the digital battlefield. The terrorist infrastructure and their belief system have to be attacked on air, web and ground.

The goal of this paper is an analysis of possible tactics tailored for countering Islamist narratives on the Internet and to emphasize elements of a strategy for countering Islamist narratives. The first part will provide a tactical analysis discussing methods of neutralization of terrorist websites and chat-rooms, and the second part will discuss the Web as a counter-propaganda tool. The basis of the findings has been a broad analysis of political Internet campaigns.

Group-based Security in a Federated File System
Max Berger, Texas Tech University, max@berger.name
Michael Sobolewski, Texas Tech University, sobol@cs.ttu.edu

Abstract— The SILENUS federated file system was developed by the SORCER research group at Texas Tech University. The distributed file system with its dynamic nature does not require any configuration by the end users and system administrators. Managing security in a metacomputing system is a new challenge. It must be ensured that every user has valid authentication and authorization to view, modify, and create files in the system spread across many heterogeneous computers so that, to the individual requestor, it looks and acts like a single computer. User management is a must on a metacomputing system and has to scale well. Existing user credential databases must be incorporated as secure data services if present.

In this paper a new scalable authentication model for federated file systems is described. In this model users authenticate to an authentication service for their identity and to a group manager service for their collaborative group membership. The group manager service provides an authorization token that can be used to invoke service-oriented functionality of the federated file system. The group manager service uses existing user credential databases as its back-end. There may be any number of group manager services on the network with different user administration domains to provide desirable scalability. Multiple replicated group manager services for the same user base can provide for increased reliability. A scaled-down replica called nomadic group manager service provides support for disconnected operations. It contains the necessary credentials for a single user to use the system while being disconnected from the main network.

I. INTRODUCTION

Under the sponsorship of the National Institute for Standards and Technology (NIST) the Federated Intelligent Product Environment (FIPER) ([1], [2], [3]) was developed (1999-2003) as one of the first service-to-service (S2S) grid computing environments. The Service-Oriented Computing Environment (SORCER) ([4], [5]) builds on top of FIPER to introduce a federated metacomputing environment with all basic services necessary to support service-oriented programming. It provides an integrated solution for metacomputing systems.

Building on the OO paradigm is the service-object oriented (SOO) paradigm, in which the objects are distributed, or more precisely they are remote (network) objects and play some predefined roles. A service provider is an object that accepts remote messages, called exertions, from service requestors to execute an elementary item of work (statement) – a service task, or a composite item of work (procedure) – a service job. Any exertion becomes a SOO program that is dynamically bound to all relevant and currently available service providers on the network. This collection of providers dynamically participating in this federated remote invocation is called an exertion federation. This federation is also called a virtual metacomputer as federating services are located on multiple physical compute nodes held together by a SOO infrastructure so that, to the individual requestor, it looks and acts like a single computer.

The SORCER environment provides the means to create interactive SOO programs and execute them without writing a line of source code. Service jobs and tasks can be created using interactive user interfaces downloaded directly from service providers. Using these interfaces the user can execute and monitor the execution of exertions in the SOO metacomputer. The exertions can be persisted for later reuse. This feature allows the user to quickly create new applications or programs on the fly in terms of existing exertions.

The SILENUS federated file system was designed and developed to provide data access for SOO programs. The SILENUS system itself is a collection of service providers that use the SORCER framework for communication. In this paper a relevant security framework is described to allow the exertion federation secure collaborative data access.

Since services are connected dynamically in an S2S environment, service security has become more difficult to implement and maintain than in a static computer network. In addition, new levels of service access (directly through interfaces and indirectly via common service(Exertion):Exertion invocations, by any faceless service peers) are providing new opportunities for unauthorized interaction and security breaches. A good security framework will have to address the following attributes [6] [7]:
• identification and authentication,
• authorization,
• resource control and containment,
• confidentiality and integrity,
• non-repudiation, and
• auditing.

In addition to the security framework, the following security measures are also recommended:
• educate users about service security concerns and policies;
• implement a break-in detection plan to detail when to look at audit information and specify what an auditor would look for;
• implement a recovery plan detailing how to recover from a break-in.

SORCER originally provided a simple File Store Service (FSS). It supports filtering out information from remote files, thus reducing the amount of data transfers between providers. However, it is provided as a service with a centralized database and as such is not a true metacomputing application. [8]

To improve reliability and performance, file replication services were added to SORCER. These services allowed for the replication of file data on different nodes in the data grid. This greatly reduced data access time. [9]

SILENUS completes the step from a traditional client-server file system to a network-centric system. Instead of storing data on one particular node or in a particular service, it is the federation of several federated services that provides the file system. Data is no longer stored in a single service. It is split up into different services for file content, file metadata, and management data. SILENUS provides a true data grid solution to complete SORCER's metacomputing grid. [10] [11]

This service-oriented file system needs at least the following security functionality: identification, authentication, authorization, and confidentiality. Users need to be identified with a name or account. They need to be authenticated through a password or a unique artifact, such as a smart card or fingerprint. The authorization will then determine what types of activities are permitted. Data stored in the SILENUS system must be kept private while being transmitted over an open network and stored on insecure nodes.

Authentication is the process of determining the authenticity of a message or user. It can be used to verify the identity of a user, service requestor and provider, or that a message has not been tampered with. Authentication can be implemented using different approaches, in particular: message digests, message authentication codes (MACs), and digital signatures. The latter approach is very valuable to SOO metacomputing as it provides both a guarantee of the source of the data and proof that the data has not been tampered with. This approach allows the efficient use of digital certificates. A digital certificate is essentially a signed statement by the X party that the Y party's public key belongs in fact to Y. The Public Key Infrastructure (PKI) and its simpler version (SPKI) are essentially systems for managing public-key cryptography used for the proposed security in the SILENUS file system. In particular, service requestors and providers are identified by X.509 digital certificates. While these certificates are usually called "public key certificates", this paper also uses the term "identity certificate" or "identity" for short to emphasize their use to securely identify an entity in a metacomputing system.

The classic security concept is for the client node to authenticate directly to the node that provides the service. This approach works well in a traditional client/server environment. However, in a large distributed environment this would require the user credentials to be replicated among all service providers. Obviously this is an administrative challenge. It is also not very secure, as credentials may be intercepted or read by local administrators and users in the network.

A better approach uses tokens issued by an authentication service. Instead of authenticating directly with the service provider, a user will authenticate with one central server - a key distribution center (KDC). This server holds the keys for all the users and services in the network. The server will then issue a token to the user. This token can be used to authenticate with service providers, which will verify the token authenticity with the issuing authentication server. This approach is used by Kerberos [12]. It works very well for smaller distributed applications. In this solution, the issuing server has to be accessed from all participating services. It will therefore not scale well. Requiring a central server to be accessible creates problems with organizational firewalls, which restrict the use of this model. Figure 1 illustrates this key distribution center case.

Fig. 1. Security model with key distribution center (KDC). A KDC is a trusted service that knows the keys for all the nodes. If a new service is deployed on the network, this service and the KDC need to be configured with a key for the new node.

A problem with most existing security concepts is that they do not allow existing authentication and user databases to be re-used. Every system has its own user and password database. Most systems can import users from other systems, but importing passwords is very often a problem. Passwords are usually stored in some specific encrypted formats and cannot be used across other authentication systems. The presented solution allows adapting applications to different credential providers.

Special credential mechanisms such as fingerprint scanners and smart cards are hardly ever supported. In a few cases, some applications such as a user login are adapted for these devices. However, the keys stored on such a system could be used for all kinds of services. Smart cards have been used successfully to authenticate users with services in SORCER. [13]

Existing systems, such as TLS [14], are targeted towards the direct communication between two partners. In a federated system, however, requests may be sent through intermediate services instead of being sent directly. Most existing remote file systems are based on such end-to-end authentication and encryption mechanisms.

The more advanced distributed file systems AFS [15] and Coda [16] are based on the Kerberos authentication mechanisms. Kerberos is currently the most widely used solution for authentication in distributed applications, but has some of the shortcomings described above.

What is needed is a scalable and flexible security system for the metacomputer that makes use of existing credentials. It should support different administrative domains, but still provide one uniform yet flexible privacy and authentication mechanism.

In this paper we describe such an approach for the SORCER

environment in general and for the SILENUS file system in particular. First, requirements for federated computing are identified. Then, existing authentication and identification mechanisms are investigated. Next, a new service called "Authentication Adapter" is introduced. A novel service for managing user groups, called "Group Management Service", is also presented. Then, a service called "Nomadic Group Management Service" is introduced to support disconnected operations. All identification and group management services can be discovered dynamically and clients can federate with them transparently with no a priori knowledge about their location. The collaborative protocol for such an authentication-authorization federation is investigated. The presented group management system is scalable and reliable since, as needed, dynamically federating identification and group management services can be provisioned autonomically [17].

II. REQUIREMENTS

To provide the scalable and flexible security system the following two assumptions are made:
1) In a large-scale system it is more important to recognize returning users than to recognize specific users. It is not important which identity a user has as long as the user has the same identity when connecting again. Using this assumption a user could provide his or her own credentials. As long as it is ensured that the credentials are kept secure, the user can always be uniquely identified.
2) In a metacomputing system all sharing is from one user to another. The user becomes an administrator when sharing files with another one. Thus, user identities and group identities have to be simple and uniform, organized not around administrative domains but around users.

III. BACKGROUND

Allowing the user to provide his or her own credentials can lead to an explosion of user accounts or certificates. Therefore a user account has to be verifiable by a trusted source. This is commonly referred to as a trusted third party model.

In a trusted third party model a user authenticates with an authentication service. The authentication service will then provide verification that a given user is who she or he claims to be. The service provider can then verify that the user is authenticated by this authentication service. The authentication services themselves are certified by a certificate authority (CA).

The list of third parties should be small and change seldom. This information will have to be configured on every service provider. It should change as little as possible. Every change would require additional administration.

A trusted third party can be any service that provides a user base. It could be an LDAP server, a Windows domain server, a Kerberos server, or a trusted party signing public keys. It is only required that the server can verify users. In SORCER this is implemented with X.509 certificates using keystore and truststore services. [18] These certificates are also used with the TLS (SSL) security protocol to make a secure authenticated connection between two parties: service requestor and service provider.

A. Asymmetric cryptography

Asymmetric cryptography uses a pair of matching private and public keys. The private key can be used to sign a message. Knowing the public key, another entity can verify that a certain message was indeed signed using the matching private key. The authenticity of a public key can be verified through configuration, and such a key is called a trusted key. This allows a private and public key-pair to be used to define unique identities in the network.

To be secure in a network environment, the private key must never leave the node it is stored on. All messages and identities to be signed must be sent to the network node containing the private key and signed locally. The identity of the user or host requesting the digital signature must be verified before creating the signature.

B. Public Key Infrastructure (PKI)

The basic trusted third party model requires the service provider to be able to talk to the authentication service directly. This is undesirable, and very often not possible. It also does not define how the credentials are passed to and verified by the service provider.

A standard for credentials needs to be defined. That standard should be common, and should allow verification without talking back to the original service. One of the commonly used standards is provided by an X.509 public key certificate. Such a certificate is defined as the public key of a user, together with some other information, signed by a third party's private key. That third party is known as the certificate authority (CA). Public Key Infrastructure (PKI) is essentially a system for managing public-key cryptography. [19] [20] PKI is an attempt to integrate a number of protocols and standards into a more unified system that provides secure services.

User credentials can be any type of unique user identification and related information. The most common authentication uses a username and a secret password. This type of authentication requires no special hardware on the user's host. If special hardware is present, a more sophisticated mechanism can be used.

Usually PKI authentication is done by a service requestor using its private key to perform a cryptographic operation on a nonce the service provider supplies, and then transmitting the result to the service provider. The provider checks the result using the requestor's public key. In that case a private key has to be persisted by the requestor. In the presented approach, having permanent private keys stored by the user is avoided and delegated to the authentication service. We assume that the requestor can create a temporary private/public key pair if needed, for example to establish an SSL secure communication channel. In that case the requestor's public key can be signed by the authentication service that authenticates the user with his username / password.

In PKI there are usually multiple certificate authorities. A global CA is used to sign the identity of other lower-level CAs. In our approach, each authentication service is a sub-CA signing user keys, thus creating a certificate chain. The signature on the user key can then be used to verify that it was signed by a certain authentication service. The identity of the authentication service can be verified by checking that its certificate is signed by the global CA. Key management is reduced since on the provider side only the identity of the global CA needs to be configured. A private key for each authentication service must be created and signed by the global CA. There are usually fewer authentication services than requestors, which also reduces the key management overhead. Thus the authentication provider has to satisfy the following two requirements:
1) The provider has to provide a public key, which is certified by a trusted global CA.
2) The provider also has to be able to sign small messages, such as public keys providing an identity.

The actual private key will never have to leave the authentication service. A service provider accessed by a requestor can then verify the requestor's public key identity with its own truststore containing the public key of the global CA. Figure 2 illustrates authentication with the global CA and the described authentication service.

The PKI provides support for identities. An identity consists of a unique service identification and a user or entity identification that is unique on this service. The service can guarantee that it knows the user under this name. Each service in the SORCER network has a unique provider-id. This id is used for the identification of the service. Group and entity ids are text strings, such as "admin".

C. Simple Public Key Infrastructure (SPKI)

The purpose of the Simple Public Key Infrastructure (SPKI) is to communicate permissions from one keyholder to another. SPKI's primary objective is to provide a service provider with the evidence that the holder of a public key is ultimately authorized for a request signed by its matching private key. This approach contrasts with PKI efforts that attempt to bind keys to identities, and leave authorization to be handled by mapping the requestor's identity to an authorization. Thus, using PKI, if you know a name for a service requestor you know its identity, and then you might know whether it is authorized to do or have what it requests. This assumption is true in small SOO environments. That world no longer exists in the environments SORCER is designed for. Any certificate mechanism based on global names (e.g., X.509) fails to scale well. In the Simple Distributed Security Infrastructure (SDSI), an identifier is valid only locally to the service requestor who creates it, but the underlying raw public key is valid globally. In SPKI, an authorization grant is made only locally. If the authorization grant is needed by someone beyond a given locality, then that grant should be delegated through a chain of local relationships [21], [22], [23].

SPKI has two types of certificates: name certificates, which define local names, and authorization certificates, which confer authorization on a key or a name. SPKI name certificates are comparable to X.509 and are used for example as identity certificates for users, services, and groups.

In SPKI, a service requestor creates its own local identity consisting of a private and public key. The public key is then sent to an authentication service, along with the username and password. The authentication service verifies the password and then signs the public key. The signed key is then sent back to the requestor. When a request is made, the request is signed with the local identity. This local identity is passed along with the request and other credentials. The provider can then examine the local identity to verify that it is signed by the authentication service. The provider can chain the verification and verify that the authentication service is vouched for by the global CA, which it trusts, which then makes the local identity trusted. Figure 3 illustrates the SPKI-based authentication process. Figure 4 shows the keys, certificates and configuration on the involved services.

IV. AUTHENTICATION ADAPTER

To provide support for existing user databases that are not based on X.509, an authentication adapter service is needed. This adapter service provides the required services and uses the existing authentication service as its back end. It will have to be run on a secure system.

Unlike existing authentication services, such as Kerberos, these adapters allow any user base to be used as a back end. It is not required to keep multiple different accounts for the same user.

The adapter service checks the user credentials against an existing user database. The user database may be a Unix passwd file, an NT domain, or any other system that can authorize users with given credentials. If the credentials match the ones in the user database, then the identity of the user is assumed to be correct, and his or her local SPKI identification will be signed.

There may be multiple authentication adapters to provide for scalability. Each authentication adapter should authenticate against a specific user database back end. The authentication back-end identifier is part of the user id, since a user with the same username on different authentication systems may or may not be the same user. The drawback of this solution is that a user who has accounts on multiple systems will also have multiple accounts in the SORCER system.

It is important that the adapter service is able to create new keys for users that have not yet authenticated themselves with this service. If a new user authenticates him/herself, a new private/public key pair must be created. The public key must be automatically signed by the adapter. The adapter certificate is listed as a trusted third party public key in the SORCER truststores. Figure 5 gives an example of the authentication process using an authentication adapter service.

Fig. 2. Authentication with PKI certificates. Each service provider is responsible for knowing its own private key. All the public keys are accessible from one common truststore.

Fig. 3. Authentication with self-generated identification (SPKI name certificates) signed by an authentication service using PKI. The service requestor generates a temporary identity consisting of a private and public key. The public key is then sent to the authentication service, along with credentials. The authentication service provides a certificate stating that the temporary id belongs to the user.

Fig. 4 contents. (a) Requestor: Private Key A (Local Id); Certificate [max@1234 has key A]B. (b) AuthenticationService: Provider-Id 1234; Private Key B; Certificate [1234 has key B]C. (c) Global CA: Private Key C. (d) Provider: Configuration: C is trusted.

Fig. 4. Keys, certificates, and configuration stored on different hosts for SPKI. The certificates here are shown after all authentications occurred.

V. USER GROUPS

The system described so far provides support for individual users. It describes the security mechanisms found in existing systems. However, it lacks support for groups of users and the different roles they might play. An extra step is needed to support user groups and roles. A group is a set of users that share some common security privileges. A role is a named list or group of privileges that are collected together and granted to users or other roles. Belonging to a group or assuming a role is the same in the context of a file system. If a user belongs to the group of administrators, he or she may assume the role of an administrator. To support user groups, a new service provider called the "Group Manager Service" (GMS) provider is introduced.

A. Group Manager Service (GMS) Provider

The group manager service (GMS) provider defines a mapping from users to groups. Given a user identity, the GMS provider will supply credentials for all groups this user belongs to. There may be multiple GMS providers managed by different administrators.

The GMS provider manages group identities and creates new group identities per user request. It is a combination of a group service provider and the authentication service.

Fig. 5. An authentication adapter service. The adapter connects to a legacy authentication system to verify the existing credentials of the requestor. If this is the first time for a requestor to authenticate, the adapter creates a new identity in its keystore. It then uses this permanent identity to sign the requestor's temporary identity and sends it back to the requestor.

The process is therefore similar to the authentication with authentication services presented already. A user authenticates her- or himself with an authentication service. This authentication service will verify the user's identity. Using the identity provided by the authentication service, the user then authenticates with a GMS provider for group membership.

The GMS provider contains a database of group identities with a mapping of users to managed groups. A group name is defined by a proper group name and the unique id of the GMS provider itself. The GMS provider verifies the authenticity of the user and whether she or he belongs to the requested group. The GMS provider will then confirm the group membership of the user by creating a signed certificate for the local group identity of the service requestor. The certificate is signed with the private key of the trusted GMS provider.

The mapping from users to their containing groups must be created by an administrator. This might seem to contradict the requirement of a scalable security framework. However, there may be any number of group manager services, which can be managed by different administrators. A local workgroup may therefore run its own GMS with its own groups, so this approach still scales well. Another approach would be to allow every user to create their own groups. This can be limited by granting permissions to a subset of users and groups. Allowing every user to create their own permissions may lead to manageability issues and will have to be further investigated.

Please note that requestors create their own identity and group identity. Both identities are certified by a trusted authentication provider and GMS provider, respectively. The user can play a role as identified by the user id or group id. While user certificates are unique, there will be multiple corresponding certificates for the same group id. This differs from the original PKI approach, where a certificate for a specific distinguished name (id) is unique. Here the same group name associated with different local group keys can still be related to the same GMS group. In the presented case, a group-based service request is signed with the private group key that only the user holds, along with the group membership certificate containing a matching and trusted (vouched for by its GMS) public key.

The requestor can obtain certificates for the original user identity and related group identities. Each certificate (public key) is valid for one user id or one group id. The user may select which key to use as a role when requesting a service from a provider. The request will have to be signed with the matching private key and sent to the provider along with the related certificates. The provider can then verify the identity or group membership of the requestor. Figure 6 gives an example of group manager behavior. Figure 7 illustrates the keys, certificates, and configurations for the involved services.

It is important to realize that groups with the same name may exist on multiple GMS providers. Thus, a certificate group name is the combination of the proper group name and the id of the GMS provider that vouches for its managed group. This leads to a synchronization problem in the case of replicated GMS providers. Each replicated GMS provider keeps an updated replica of all the groups defined by its master GMS provider. Thus, all replicated GMS providers of the same type certify the groups with the same GMS id, so that the group id always looks identical to any service provider, independently of which GMS replica is used.

The SILENUS file system currently has support for Unix-like permissions with read, write, and execute bits for users, groups, and everyone else. File access permissions are managed by SILENUS metadata store services. The permission bits themselves are readable by everyone. The SILENUS requestor retrieves the permission bits from the SILENUS file system. It checks if it has the appropriate user identity. If not, it checks which access group a file belongs to. The access group contains the group name and the identity of the GMS provider used. Using this information, the requestor can find and connect to the relevant GMS provider for this particular access group and try to authenticate there. If the user is part of the access group, the GMS provider will provide the group certificate, which the requestor can then use to access a file from the SILENUS file system.

Using multiple and replicated group manager services provides for scalable and reliable administration. A smaller part of a larger organization, such as a department at a university, may provide its own group manager service and its replicas. The credentials from this group manager service can be used to authenticate access to local resources, such as departmental file storage or lab access.

Splitting up security credentials to be managed by authentication services and group manager services provides support for a modular and flexible solution. Users can have centrally managed accounts, but their privileges may be controlled by

Fig. 6. Authentication via group manager service. The requestor creates a local identity for the user. It then authenticates with an authentication service. The authentication service provides a certificate stating that the local user id is valid for this user. The requestor then creates a local group identity. With the userid certificate the requestor authenticates with a group manager service. The GMS provider can furnish a certificate stating that this local group id is valid for the requested group. The requested group certificate is signed with the private key of the GMS provider. The group (role) certificate can then be used to request a service from any provider enforcing group permissions, for example accessing files in the SILENUS file system.

Fig. 7 contents. (a) Requestor: Private Keys D (Local UserId) and E (Local GroupId); Certificate [max@1234 has key D]B; Certificate [admin@5678 has key E]F. (b) AuthenticationService: Provider-Id 1234; Private Key B; Certificate [1234 has key B]C. (c) GMS provider: Provider-Id 5678; Private Key F; Certificate [5678 has key F]C; Configuration: max@1234 ∈ admin. (d) Global CA: Private Key C. (e) Provider: Configuration: C is trusted.

Fig. 7. Keys, certificates, and configurations stored on different hosts for use with a GMS provider. The certificates here are shown after all authentication occurred. The group request to the GMS is signed with the requestor's key D. The request to any service provider is signed with either key D (the userid is selected as a role) or with key E (the groupid is selected as a role).

individual departments of the organization. Management for departmental groups can be delegated to local administrators without giving them full access to the underlying resources.

B. Nomadic GMS

The group manager service may be replicated to different nodes with a subset of its group database. Since the GMS has a copy of its group database, it may only be replicated to nodes that are trustworthy. In most cases, servers in the locally managed department of an organization are trustworthy, and sometimes client hosts, if their users do not have local administration rights. Replicating a GMS gives the usual benefits of replication, such as reliability and scalability.

To support disconnected operation, a subset of the group database existing on a particular remote GMS may be copied at runtime to the user's host as volatile data (no persistent storage). A user may need to use her credentials while not connected to the network, to access data stored on a local nomadic system, such as a laptop. To provide access, a subset of the groups may be copied onto the user's machine. This is supported by the nomadic GMS. The nomadic GMS can replicate only the groups that are relevant to a particular user, and in volatile state. The user can then access these credentials locally, providing support for disconnected operation.

VI. CONCLUSION

Security is often very well implemented in small, closed systems. Users have to remember passwords for each and every account they have. The new system proposed in this paper solves group authentication by introducing a scalable service-oriented security system. In this model users authenticate to an authentication service for their identity and to a group manager service for their collaborative group memberships.

Providing authentication services by leveraging existing authentication services allows for reuse of existing accounts. Unlike other systems, no migration of user data is necessary.

Any existing authentication system may be reused.

The system is scalable and reliable, as dynamically collaborating identification and group manager services can be provisioned autonomically as needed. There may be any required number of authentication and group manager services. They may provide authentication services for a small or a large network. Decoupling groups from accounts makes the system manageable with a large number of users and groups.

The presented authentication model is also not centralized, so it diversifies identification and authorization and eliminates bottlenecks and potential single points of failure. It is up to the individual service provider which authentication services to accept. Different departments of the same organization may accept different credentials, or they may all accept the same credentials.

The presented security model requires a service provider to keep track of the permissions for individual users and/or groups. This is sufficient for a file system such as the SILENUS file system. For a more general service-oriented solution the permission model needs to be provided by a separate authorization service. An authorization service in SORCER is currently under development that will capture more complex permission structures for a general set of services.

The model described in this document fulfills all requirements for a truly scalable, manageable, distributed security model for federated file systems required in metacomputing environments like SORCER.

REFERENCES

[1] M. Sobolewski, "Federated P2P services in CE environments," in Advances in Concurrent Engineering. A.A. Balkema Publishers, 2002, pp. 13–22.
[2] M. Sobolewski, "FIPER: The federated S2S environment," in JavaOne, Sun's 2002 Worldwide Java Developer Conference, San Francisco, 2002. [Online]. Available: http://sorcer.cs.ttu.edu/publications/papers/2420.pdf
[3] R. Kolonay and M. Sobolewski, "Grid interactive service-oriented programming environment," in Concurrent Engineering: The Worldwide Engineering Grid. Tsinghua Press and Springer Verlag, 2004, pp. 97–102.
[4] S. Soorianarayanan and M. Sobolewski, "Monitoring federated services in CE," in Concurrent Engineering: The Worldwide Engineering Grid. Tsinghua Press and Springer Verlag, 2004, pp. 89–95.
[5] SORCER, "Laboratory for Service-Oriented Computing Environment," Mar. 2007. [Online]. Available: http://sorcer.cs.ttu.edu/
[6] C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, 2nd ed. Prentice Hall PTR, 2002.
[7] L. Gong, G. Ellison, and M. Dageforde, Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 2nd ed. Prentice Hall PTR, 2003.
[8] M. Sobolewski, S. Soorianarayanan, and R.-K. Malladi-Venkata, "Service-oriented file sharing," in CIIT Conference (Communications, Internet and Information Technology). Scottsdale, AZ: ACTA Press, Nov. 2003, pp. 633–639.
[9] V. Khurana, M. Berger, and M. Sobolewski, "A federated grid environment with replication services," in Next Generation Concurrent Engineering, ISPE. Omnipress, 2005.
[10] M. Berger and M. Sobolewski, "SILENUS – a federated service-oriented approach to distributed file systems," in Next Generation Concurrent Engineering, ISPE. Omnipress, 2005.
[11] M. Berger, "SILENUS – a service oriented approach to distributed file systems," PhD Dissertation, Texas Tech University, Department of Computer Science, Dec. 2006.
[12] J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Kerberos: An authentication service for open network systems," in Winter 1988 USENIX Conference. Dallas, TX: USENIX Association, 1988, pp. 191–201. [Online]. Available: http://julmara.ce.chalmers.se/Security/usenix.PS.gz
[13] S. Bhatla, "Smart card authentication and authorization framework (SCAF)," Master's thesis, Texas Tech University, Lubbock, TX, May 2005.
[14] T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1," RFC 4346 (Proposed Standard), Apr. 2006, updated by RFCs 4366, 4680, 4681. [Online]. Available: http://www.ietf.org/rfc/rfc4346.txt
[15] OpenAFS Group, Apr. 2007. [Online]. Available: http://www.openafs.org
[16] M. Satyanarayanan, "Coda: A highly available file system for a distributed workstation environment," July 15, 1999. [Online]. Available: http://citeseer.ist.psu.edu/239688.html; http://www.cs.cmu.edu/afs/cs/project/coda/Web/docdir/wwos2.pdf
[17] Rio, "Project Computing Rio," Mar. 2007. [Online]. Available: https://rio.dev.java.net/
[18] A. Rai, "Intrinsic security in the SORCER grid," Master's thesis, Texas Tech University, Lubbock, TX, Dec. 2004.
[19] R. Housley, W. Ford, W. Polk, and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile," RFC 2459 (Proposed Standard), Jan. 1999, obsoleted by RFC 3280. [Online]. Available: http://www.ietf.org/rfc/rfc2459.txt
[20] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile," RFC 3280 (Proposed Standard), Apr. 2002, updated by RFCs 4325, 4630. [Online]. Available: http://www.ietf.org/rfc/rfc3280.txt
[21] C. Ellison and S. Dohrmann, "Public-key support for group collaboration," ACM Trans. Inf. Syst. Secur., vol. 6, no. 4, pp. 547–565, 2003.
[22] S. Ajmani, "How to resolve SDSI names without closure," 2002. [Online]. Available: citeseer.ist.psu.edu/ajmani02how.html
[23] C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen, "SPKI Certificate Theory," RFC 2693 (Experimental), Sept. 1999. [Online]. Available: http://www.ietf.org/rfc/rfc2693.txt
[24] Next Generation Concurrent Engineering, ISPE. Omnipress, 2005.

Security Policy Management in
Federated Computing Environments
Daniela Inclezan and Michael Sobolewski
Texas Tech University

Abstract- The default Java implementation for security policies based on policy files doesn't comply with the specific needs of metacomputing environments. Managing a large number of policy files for all Java runtime systems in the metacomputing system doesn't scale. This paper presents a federated approach for security policy management in Java-based metacomputing systems. Security policies are stored in a policy base, which is managed by its policy service provider (Policer). The policy base and its Policer are replicated and the replicated policy bases are synchronized with each other in order to avoid a single point of failure. Any bootstrapping service provider gets its security policy dynamically from any available Policer in the network. The proposed solution ensures uniform policy-based authorization for all the services in the SORCER metacomputing environment through the use of the dynamic policy management methodology.

I. INTRODUCTION

Built on the object-oriented paradigm is the Service Object Oriented (SOO) paradigm, in which the objects are distributed, or more precisely they are remote (network) objects and play some predefined roles. A service provider is an object that accepts remote messages, called exertions, from service requestors to execute an elementary item of work (network instruction) – a service task, or a composite item of work (network procedure) – a service job.

The exertion becomes an SOO program that is dynamically bound to all relevant and currently available service providers on the network. This collection of providers dynamically participating in this federated remote invocation is called an exertion federation. This federation is also called a virtual metacomputer, as federating services executing hierarchically nested exertions are located on multiple physical compute nodes held together by an SOO infrastructure so that, to the individual requestor submitting the exertion, it looks and acts like a single computer.

The SORCER environment [11,12,13,14] provides the means to create interactive SOO programs and execute them without writing a line of source code [13]. Exertions can be created using interactive user interfaces downloaded directly from service providers. Using these interfaces the user can execute and monitor the execution of exertions in the SOO metacomputer. The exertions can be persisted for later reuse. This feature allows the user to quickly create new applications or programs on the fly in terms of existing tasks and jobs.

In this paper a security policy management system is described to allow the exertion federation a secure collaboration with the presented policy services that enforce security permissions on all the federating providers.

The paper is organized as follows. Section 2 provides a background review of service-oriented architectures with a related discussion on authorization in SOO federated environments; Section 3 describes the presented policy management methodology; Section 4 presents the design issues of the required solution in SORCER; Section 5 provides concluding remarks.

II. BACKGROUND REVIEW

A. Service Object Oriented Computing

Various definitions of a Service-Oriented Architecture (SOA) leave a lot of room for interpretation. In general terms, SOA is a software architecture using loosely coupled software services that integrates them into a distributed computing system by means of service-oriented programming. Service providers in the SOA environment are made available as independent service components that can be accessed without a priori knowledge of their underlying platform or implementation. While the client-server architecture separates a client from a server, SOA introduces a third component, a service registry.

Figure 1. Service-Oriented Architectures

We can distinguish the service object-oriented architectures (SOOA), where providers, requestors, and proxies are network objects, from service protocol oriented architectures (SPOA), where a communication protocol is fixed and known beforehand by the provider and requestor. Based on that protocol and a service description obtained

from the service registry, the requestor can bind to the service provider by creating a proxy used for remote communication over the fixed protocol. In SPOA a service is usually identified by a name. If a service provider registers its service description by name, the requestors have to know the name of the service beforehand.

In SOOA, a proxy—an object implementing the same service interfaces as its service provider—is registered with the registries and it is always ready for use by requestors. Thus, in SOOA, the service provider publishes the proxy as the active surrogate object with a codebase annotation, e.g., URLs to the code defining proxy behavior (RMI and Jini ERI), as illustrated in Figure 1. In SPOA, by contrast, a passive service description is registered (e.g., an XML document in WSDL for Web/Globus services, or an interface description in IDL for CORBA); the requestor then has to generate the proxy (a stub forwarding calls to a provider) based on a service description and the fixed communication protocol (e.g., SOAP in Web/Globus services, IIOP in CORBA). This is referred to as a bind operation. The binding operation is not needed in SOOA since the requestor holds the active surrogate object obtained from the registry.

Web services and Globus services cannot change the communication protocol between requestors and providers, while the SOOA approach is protocol neutral. In SOOA, how an object proxy communicates with a provider is established by the contract between the provider and its published proxy and defined by the provider implementation. The proxy's requestor does not need to know who implements the interface or how it is implemented. So-called smart proxies (Jini ERI) grant access to local and remote resources; they can also communicate with multiple providers on the network regardless of who originally registered the proxy. Thus, separate providers on the network can implement different parts of the smart proxy interface. Communication protocols may also vary, and a single smart proxy can also talk over multiple protocols including application-specific protocols.

Crucial to the success of SOOA is interface standardization. Services are identified by interfaces (service types); the exact identity of the service provider is not crucial to the architecture. As long as services adhere to a given set of rules (common interfaces), they can collaborate to execute published operations, provided the requestor is authorized to do so.

Let's emphasize the major distinction between SOOA and SPOA: in SOOA, a proxy is created and always owned by the service provider, but in SPOA, the requestor creates and owns a proxy which has to meet the requirements of the protocol that the provider and requestor agreed upon a priori. Thus, in SPOA the protocol is always a generic one, reduced to a common denominator—one size fits all—that leads to inefficient network communication in some cases. In SOOA, each provider can decide on the most efficient protocol(s) needed for a particular distributed application.

Service providers in SOOA can be considered as independent network objects finding each other via a service registry and communicating through message passing. A collection of these objects sending and receiving messages—the only way these objects communicate with one another—looks very much like a service object-oriented distributed system.

Do you remember the eight fallacies of network computing? [18] We cannot just take an object-oriented program developed without distribution in mind and make it a distributed system, ignoring the unpredictable network behavior. The challenge related to authorization enforcement in metacomputing environments is based exactly on this dynamic nature of the environment. Security permissions cannot be specified and then granted to service providers in relation to code location, since code location is generally not known to requestors a priori and can change dynamically (see Figure 1). Therefore static permissions based on code location must be replaced by dynamic permissions.

B. Default Authorization With Policy Files

The default implementation for security policy management in a Java runtime system relies on policy configuration files. These files have a simple hierarchical syntax composed of grant statements, each of which can be associated with a code base, a set of principals (optionally) and a set of permissions. A grant statement as a whole specifies the security permissions allowed to code downloaded from the code base—a static location—on the local Java runtime system. When a set of principals is included, the permissions are granted only to the entities corresponding to those principals. Since policy files have such a simple syntax and are saved in plaintext, they can be created manually using a text editor. Another option is to use the graphical utility called Policy Tool [16]. By default there is only one system policy file and one (optional) user policy file [15]. In order to enforce checking of the permissions stored in policy files, the security manager must be enabled at runtime. It ensures that a static Policy object is instantiated and populated based on the information coming from the system and user's policy files.

Such an approach is sufficient in the vast majority of cases, but being a default implementation, it may not be adequate for special types of applications. Policy files have a well-known syntax, are saved in plaintext and the location where they are stored is commonly known [7]. This means that even unauthenticated and unauthorized personnel can make harmful changes to their content when the policy file write access is not set correctly. Thus, policy files can create a breach in the security of a system and do not represent an adequately secure solution for applications that require high-level security.

As well, policy objects created from policy files are
static objects and changes made to the policy files are not
reflected by the Java runtime system unless it is restarted. In
this case, the default implementation with policy files shows
a lack of flexibility that might be essential for some
distributed applications.
Furthermore, as permissions are defined in policy files
based on static code source, this approach is not compatible
with code mobility and the dynamic nature of federated
computing environments.
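As an added illustration of the policy-file format and of the weakness described above (this is not the paper's code), the following Python script parses grant statements (code base, principals, permissions) out of a constructed sample policy and performs two checks a defender would run on a deployed file: whether it is group- or world-writable, and whether any grant applies to all code without a codeBase or principal. The sample policy text, the paths in it and the `demo_audit` helper are constructed for this example.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample policy text (no real deployment behind it). The first grant is
# scoped by a code base and a principal; the second is an unscoped AllPermission
# grant, which the audit below flags.
SAMPLE_POLICY = '''
// constructed example
grant codeBase "file:/opt/provider/classes/-",
      principal javax.security.auth.x500.X500Principal "CN=provider" {
    permission java.io.FilePermission "/opt/provider/data/-", "read";
    permission java.net.SocketPermission "registry.example:4160", "connect";
};

grant {
    permission java.security.AllPermission;
};
'''

# Policy-file keywords are case-insensitive, hence re.I on every pattern.
# The comment pattern skips "//" preceded by ":" so URLs inside codeBase survive.
COMMENT_RE = re.compile(r'(?<!:)//[^\n]*|/\*.*?\*/', re.S)
GRANT_RE = re.compile(r'\bgrant\b(?P<head>[^{]*)\{(?P<body>.*?)\}\s*;', re.S | re.I)
CODEBASE_RE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
PRINCIPAL_RE = re.compile(r'\bprincipal\s+([\w.$]+)\s+"([^"]*)"', re.I)
PERMISSION_RE = re.compile(
    r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;', re.I)


@dataclass
class Grant:
    code_base: Optional[str]                          # static code location, or None
    principals: List[Tuple[str, str]]                 # (principal class, principal name)
    permissions: List[Tuple[str, Optional[str], Optional[str]]]  # (class, target, actions)

    @property
    def unscoped(self) -> bool:
        """True when the grant applies to all code, whoever runs it."""
        return self.code_base is None and not self.principals


def parse_policy(text: str) -> List[Grant]:
    """Extract the grant statements (code base, principals, permissions) from policy text."""
    text = COMMENT_RE.sub("", text)
    grants = []
    for match in GRANT_RE.finditer(text):
        head, body = match.group("head"), match.group("body")
        code_base = CODEBASE_RE.search(head)
        grants.append(Grant(
            code_base=code_base.group(1) if code_base else None,
            principals=PRINCIPAL_RE.findall(head),
            permissions=[(cls, target or None, actions or None)
                         for cls, target, actions in PERMISSION_RE.findall(body)],
        ))
    return grants


def audit(grants: List[Grant], mode: int) -> List[str]:
    """Report the two weaknesses discussed above: an editable file and unscoped grants."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("policy file is group- or world-writable; anyone can change its grants")
    for i, grant in enumerate(grants, 1):
        classes = {cls for cls, _, _ in grant.permissions}
        if grant.unscoped and "java.security.AllPermission" in classes:
            findings.append(f"grant #{i}: AllPermission without codeBase or principal")
        elif grant.unscoped:
            findings.append(f"grant #{i}: permissions apply to all code (no codeBase, no principal)")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a policy file on disk: its grant statements and its permission bits."""
    with open(path, encoding="utf-8") as fh:
        grants = parse_policy(fh.read())
    return audit(grants, os.stat(path).st_mode)


def demo_audit(mode: int) -> List[str]:
    """Write SAMPLE_POLICY to a temporary file with the given mode bits and audit it."""
    fd, path = tempfile.mkstemp(suffix=".policy")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_POLICY)
        os.chmod(path, mode)
        return audit_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo_audit(0o666):   # a world-writable copy yields two findings
        print(finding)
```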

C. Authorization in Jini

Jini services [8], which employ the SOO paradigm, also use policy files to handle security permissions. In this case though, the policy object is dynamically created when the service is discovered [8]. Since permissions cannot be granted based on code location, they are constructed based on what are called protection domains. A protection domain is defined by the principals forming a subject (who is executing the code), the code source and the class loader (the object responsible for loading classes). When granting permissions in Jini, the code source is actually not so important. Permissions are granted to a combination of the context class loader of the current thread (Figure 2) and the subject on whose behalf the thread is running.

Figure 2. Thread context class loader

The policy object created at bootstrapping for service providers in Jini is an instance of the AggregatePolicyProvider class, which supports the association of sub-policies with context class loaders (Figure 3). The sub-policy associated with the current context class loader or any of its parents is the active policy. If no such policy is found, then the fallback sub-policy (initialGlobalPolicy) becomes the active one.

Figure 3. Service provider policy in Jini

The class loader used to load the service provider's classes is associated with the split_service_policy, which is an instance of the LoaderSplitPolicyProvider. The split_service_policy divides permission queries into those involving the service provider's specific classes and all other permission queries. Based on this division, a different policy is used for each of the two cases. Whenever a permission query involves code belonging to the service provider's loaded classes, the service_policy, which was created from a service provider specific policy file, is used. For permission queries about code coming from other classes, the initialGlobalPolicy is used.

Therefore, the Jini approach is to wrap policies into an aggregated policy in order to enforce different permissions depending on the class loader that is used. The code source does not need to be known when permissions are specified. On the other hand, policy files are still used to store the service provider related permissions.

Relying on policy files to enforce authorization on Jini services can cause a scalability problem. For example, if the same service is deployed on hundreds of hosts and some modification to the policy file is later required, this change will need to be manually replicated on all related hosts. This is not only time-consuming and error-prone but also difficult to perform quickly and correctly.

In federated computing environments in general, the scalability and security problems raised by enforcing authorization with policy files still exist. On top of that, there is another issue regarding the rigid syntax of policy files [7]. Security policy management based on roles may be needed for metacomputing systems, but it cannot currently be represented in a policy file. A more flexible syntax is required for such environments.
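An added Python model (not Jini's implementation) of the lookup rules this section describes: an aggregate policy keyed on the thread's context class loader or any of its parents, with initialGlobalPolicy as the fallback, and a split sub-policy that routes queries about the provider's own classes to service_policy and everything else to the global policy. The loader names, principal names and permissions in `demo_queries` are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# A permission is modelled as a (permission class, target) pair.
Permission = Tuple[str, str]


@dataclass(eq=False)
class ClassLoader:
    """Stand-in for a Java class loader: a name plus its parent loader."""
    name: str
    parent: Optional["ClassLoader"] = None

    def chain(self):
        """Yield this loader and then each ancestor, nearest first."""
        loader = self
        while loader is not None:
            yield loader
            loader = loader.parent


@dataclass(frozen=True)
class ProtectionDomain:
    """The page's protection domain without the code source, which Jini does not rely on."""
    subject: str          # principal on whose behalf the thread runs
    loader: ClassLoader   # loader that loaded the code being checked


@dataclass
class Policy:
    """A sub-policy: permissions per subject; the key "*" grants to any subject."""
    name: str
    grants: Dict[str, Set[Permission]] = field(default_factory=dict)

    def implies(self, domain: ProtectionDomain, perm: Permission) -> bool:
        return perm in self.grants.get(domain.subject, set()) or perm in self.grants.get("*", set())


class LoaderSplitPolicy:
    """Models LoaderSplitPolicyProvider: queries about code loaded by the service
    provider's loader go to service_policy, all other queries to the global policy."""

    def __init__(self, service_loader: ClassLoader, service_policy: Policy, global_policy: Policy):
        self.service_loader = service_loader
        self.service_policy = service_policy
        self.global_policy = global_policy

    def implies(self, domain: ProtectionDomain, perm: Permission) -> bool:
        policy = self.service_policy if domain.loader is self.service_loader else self.global_policy
        return policy.implies(domain, perm)


class AggregatePolicy:
    """Models AggregatePolicyProvider: the sub-policy keyed on the context class loader,
    or on any of its parents, is the active one; otherwise initial_global is used."""

    def __init__(self, initial_global: Policy):
        self.initial_global = initial_global
        self.sub_policies: Dict[ClassLoader, object] = {}

    def set_policy(self, loader: ClassLoader, policy) -> None:
        self.sub_policies[loader] = policy

    def active_policy(self, context_loader: ClassLoader):
        for loader in context_loader.chain():      # nearest loader first, then its parents
            if loader in self.sub_policies:
                return self.sub_policies[loader]
        return self.initial_global                  # fallback sub-policy

    def implies(self, context_loader: ClassLoader, domain: ProtectionDomain, perm: Permission) -> bool:
        return self.active_policy(context_loader).implies(domain, perm)


def demo_queries() -> Dict[str, bool]:
    """Constructed scenario: a provider loader under the system loader, with a plugin loader below it."""
    system = ClassLoader("system")
    provider = ClassLoader("provider", parent=system)
    plugin = ClassLoader("plugin", parent=provider)
    file_perm = ("FilePermission", "/opt/svc/data/-")
    sock_perm = ("SocketPermission", "registry.example:4160")

    initial_global = Policy("initialGlobalPolicy", {"*": {sock_perm}})
    service_policy = Policy("service_policy", {"svc-principal": {file_perm}})
    aggregate = AggregatePolicy(initial_global)
    aggregate.set_policy(provider, LoaderSplitPolicy(provider, service_policy, initial_global))

    svc_code = ProtectionDomain("svc-principal", provider)     # the provider's own classes
    foreign_code = ProtectionDomain("svc-principal", system)   # code loaded by another loader
    other_user = ProtectionDomain("someone-else", provider)
    return {
        "provider_ctx_own_code": aggregate.implies(provider, svc_code, file_perm),        # True
        "child_ctx_inherits": aggregate.implies(plugin, svc_code, file_perm),             # True
        "system_ctx_falls_back": aggregate.implies(system, svc_code, file_perm),          # False
        "foreign_code_uses_global": aggregate.implies(provider, foreign_code, file_perm), # False
        "foreign_code_global_grant": aggregate.implies(provider, foreign_code, sock_perm),# True
        "other_subject_denied": aggregate.implies(provider, other_user, file_perm),       # False
    }


if __name__ == "__main__":
    for name, allowed in demo_queries().items():
        print(f"{name}: {'granted' if allowed else 'denied'}")
```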

III. SECURITY POLICY MANAGEMENT METHODOLOGY

In the federated computing environments that use policy
files to handle authorization, a large number of policy files

reside on hosts. For each service provider that has registered with the service registry there is one policy file (see Figure 4). This means that in the whole federated environment there can be hundreds of policy files to manage. Modifying all these files, and especially keeping the policy files synchronized, is cumbersome and not secure enough either.

Figure 4. Default approach for authorization

The solution to these security and scalability problems in the federated computing environment is to centrally manage the security policies. In order to do that we propose to store all the security permission information in a central base managed by a special service provider (Policer). Having all the permissions stored in the central base eases the management and updating operations, since they are performed in one place only, not on all the hosts. On the other hand, having all the security policy information stored in a single place creates a single point of failure. This can be avoided by replicating the Policer and its policy base in the federated computing environment. The policy bases of all the active policers must be synchronized. Thus, when a policer bootstraps, it contacts any other active policer and synchronizes its policy base to that of the active policer.

Any policer (master or slave) is able to provide the security policy object to a requesting service provider. At service bootstrapping, every service provider dynamically contacts an active policer and asks for its policy object. After mutual authentication between the bootstrapping service provider and the contacted policer, the policer retrieves the security policy information for the bootstrapping service provider from the policy base. It then creates a policy object, populates it with the security information retrieved from the policy base and passes this policy object to the service provider. On its side, the bootstrapping service provider reinforces all permissions contained in the received policy object.

While most systems treat authorization in a static way, the approach presented here is dynamic: authorization information can be obtained by the service providers from any policer, running on any host. In fact, the location where the contacted policer is running is unknown to the bootstrapping service provider. The location is not static either; it can change over time since a policer can go down and be replaced by some other policer started on a different host. The policer is dynamically discovered, through the use of the service registry, by the service provider trying to obtain its authorization information. The service registry has the policer's proxy, which was obtained during the policer registration phase. This proxy is passed to the bootstrapping service provider, which needs to verify whether it is secure to use the policer proxy or not. Both the data and the code of the policer proxy are verified in this stage. Only after proxy verification is communication with the policer enabled.

The security information stored in the policers' bases can be modified by an authenticated and authorized administrator through the administrative user agent (see Figure 5). This is a graphical interface that allows the administrator to modify, insert and delete security policies in the policy base. If all policers provided the administrative user agent, this could create problems in the case of concurrent modifications in multiple policers. The same security policy should be present in all policy bases at all times for the same service provider. But, for example, if two different authorized administrators make conflicting changes to the same security policy at the same time, then the policers would not know which of the two modifications is the correct one, the one to persist in the policy base.

Figure 5. Proposed solution

This concurrency problem is currently solved by allowing only one of the active replicated policers in the environment to provide the user agent at any time. If the active policer enabling policy administration (AdminPolicer) suddenly becomes inactive, a new AdminPolicer is elected from the group of already active policers. This master-slave approach (where the master is the AdminPolicer and the slaves are all the other policers) simplifies the synchronization of the policy bases. Whenever the AdminPolicer receives a modification from an authorized administrator through the user agent, it notifies all other active policers about the current update. Through this mechanism all active slave policers continually keep their policy bases synchronized with that of the AdminPolicer. This also implies that two policers must be active in the environment at all times: the master

policer and a slave policer that can take over the role of the master whenever the current master becomes inactive.

Any change made by an authorized administrator to the security policy of a service provider is immediately enforced on all active service providers of that policy type. The AdminPolicer receiving the change through its user agent is responsible for notifying all the corresponding active service providers of the policy modification and for passing the new policy object on to them. The service providers receiving the modified policy object dynamically reinforce the new security policy on their side. The major components of the security policy management methodology and the interactions between them are presented in Figure 6.

Figure 6. Major components and interaction diagram

In the case of disconnected operation, a strict policy object containing the minimal set of permissions that would allow normal functioning should be available to any service provider. Therefore, when the bootstrapping service provider fails to contact any of the policers due to an intermittent lack of connectivity, the provider gets the default minimal policy object and reinforces it on itself. The provider will try to get its proper policy from any available policer later.

The federated policy management system is protected against outside intrusions by its own security solution. Administrators are authenticated and authorized before being allowed to access the administrative user agent and make any modifications to the existing policy base. Confidentiality and integrity are enforced on all remote communication channels. The actual schema of the policy base is hidden from the administrators and all other users.

IV. DESIGN OF THE POLICY MANAGEMENT SYSTEM

A. Policy base

The policy base is represented by a relational database, which for now mimics the structure of a policy file (see Figure 7). Later on, the database schema can easily be modified to reflect any additional needs of a federated computing environment, for example role management.

The main table of the schema is Policy. This contains all the information needed to identify a service provider's security policy and to distinguish between the different security policies stored in the database: service ID, service provider name, main published interface, location, host where the service is running and user directory where the service was started. A combination of these attributes is passed by the bootstrapping service provider to an active policer and is used by the contacted policer to retrieve the right security policy from the database (step 1 in the interaction diagram in Figure 6).

Figure 7. Policy database schema

The information that would otherwise appear in a grant statement in a policy file is stored in the Grant table. The User table stores information about the (optional) principals. The Permission table contains records similar to the permission statements of a policy file. All the strings that would appear repeatedly in different tables or records (such as class names, target names, etc.) are stored in the Map table. The association tables Grants, Permissions and Principals allow for flexibility and reusability of records.

B. Administrative user agents

Only authenticated and authorized administrators are allowed to get the administrative user agent (steps 2, 2.1, and 2.1.1, Figure 6). There are different solutions for personnel authentication and authorization. The simplest one is based on login and password verification against security information stored on a policer. A more secure and advanced solution would require the use of smart cards, in which case keys are stored on the actual smart card only. A third solution worth considering would be the Kerberos protocol, which provides strong authentication by using secret-key cryptography [4, 6] and never passing the actual password over the network. In order to confer more flexibility on the environment, the best solution is to have all these approaches implemented and let the client select the suitable one.

The graphical interface of the Policy Tool utility [16] is used as a Service UI [17] model for the administrative user agent. But, in order to comply with the specific needs of the database schema focused on federated metacomputing,

some major changes have been made to the GUI inspired by Policy Tool. Fields identifying the service provider to which the edited policy belongs are added to the policy editing window: service ID, service provider name, implemented interface, etc. The first window to appear lists all policies in the database. The changes to the policy information are persisted in the policy base by the AdminPolicer instead of in a file.

C. Policer replication and synchronization

The RIO framework [9] is used for policer provisioning in order to ensure that at least two active policers exist in the environment at all times. In case the master policer fails, a protocol for the election of the new master is applied: the remaining active slave policers send a message to the other active policers requesting to be elected as the new master. The first slave policer sending this message becomes the new master.

The databases of all active policers must contain the latest security policy information at all times. The synchronization of the databases of active policers is managed by the master policer. It remembers all the active slave policers in a continuously updated structure and notifies all the policers in this structure of any policy modification coming from an administrator (step 2.1.1.1, Figure 6). The synchronization of bootstrapping policers (step 3, Figure 6) relies on the order of database events rather than on an unreliable real-time clock. The bootstrapping policer compares its latest event number with that of an active policer to know how far behind it is. Then, either the modified records are updated or, if too many changes have occurred in the meantime, the whole database is copied from the active policer to the bootstrapping policer.

D. Policy reinforcement on service providers

The policy object coming from a contacted policer can be either statically or dynamically reinforced on the bootstrapping service provider (steps 1.1 and 2.1.1.1.2.1, Figure 6). Dynamic enforcement would imply adding the new policy object under the umbrella of the existing AggregatePolicyProvider object. In this case, the new policy object passed by the policer would add a new layer of restrictions on top of those already existing.

V. CONCLUSIONS

Using policy files for authorization in Java-based metacomputing environments does not scale well. A scalable solution for security policy management in federated metacomputing environments is proposed here. It has the advantage of flexible database management of all security policies that say what system resources can be accessed, in what fashion, and under what circumstances. Thus, it provides for uniform authentication, authorization, and access control for all federating service providers.

Confidentiality and integrity of policy information are guaranteed by securing all network communication channels. Consistency of policy data is ensured by policy base synchronization mechanisms. A friendly user agent is provided for the administrators to create and update policy information persisted in the database and then synchronized with other policer databases. Replication and autonomic provisioning of policers prevents service unavailability from occurring.

The presented methodology is designed especially for federated computing environments characterized by code mobility. Permissions are not defined with respect to the code source, but in relation to the entity running the code and the class loader used to load the code. The location of the security policy service provider (policer) is not fixed and is not known beforehand to the other service providers. The service providers discover an active policer dynamically, through the use of the service registry.

This scalable methodology can be similarly applied to other aspects of security in metacomputing environments, for example federated authentication. A KeyStorer service provider persisting keys in a database can be designed following the same approach.

REFERENCES

[1] Diehl and Associates, Inc., "Mckoi SQL Database", 2005. Retrieved December 27, 2006, from http://mckoi.com/database/
[2] L. Gong, Inside Java 2 Platform Security: Architecture, API Design, and Implementation, Prentice Hall PTR, 2nd edition, 2003.
[3] J. Grams and D. Somerfield, Professional Java Security, Wrox Press, Birmingham, UK, 2001.
[4] Ch. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, Second Edition, Prentice Hall PTR, 2002.
[5] J.F. Koopmann, "Embedded Database Primer", 2005. Retrieved December 27, 2006, from http://www.dbazine.com/ofinterest/oi-articles/koopmann5
[6] Massachusetts Institute of Technology, "Kerberos: The Network Authentication Protocol", 2003. Retrieved December 27, 2006, from http://web.mit.edu/Kerberos/
[7] T. Neward, "When "java.policy" Just Isn't Good Enough", 2001. Retrieved December 28, 2006, from www.javageeks.com/Papers/JavaPolicy/JavaPolicy.pdf
[8] J. Newmarch, A Programmer's Guide to Jini Technology, Apress, Berkeley, CA, 2000.
[9] Project Rio, A Dynamic Service Architecture for Distributed Applications. Retrieved December 27, 2006, from https://rio.dev.java.net/
[10] Red Hat Middleware, "Hibernate: Relational Persistence for Java and .NET", 2006. Retrieved December 27, 2006, from http://www.hibernate.org
[11] M. Sobolewski, Federated P2P services in CE Environments, Advances in Concurrent Engineering, A.A. Balkema Publishers, 2002, pp. 13–22.
[12] M. Sobolewski, FIPER: The Federated S2S Environment, JavaOne, Sun's 2002 Worldwide Java Developer Conference, 2002. Retrieved December 27, 2006, from http://sorcer.cs.ttu.edu/publications/papers/2420.pdf
[13] M. Sobolewski, R. Kolonay, Federated Grid Computing with Interactive Service-oriented Programming, International Journal of Concurrent Engineering: Research & Applications, Vol. 14, No. 1, pp. 55-66, 2006.
[14] SORCER, Laboratory for Service-Oriented Computing Environment. Retrieved December 27, 2006, from http://sorcer.cs.ttu.edu
[15] Sun Microsystems, Inc., "Default Policy Implementation and Policy File Syntax", 2002. Retrieved December 27, 2006, from http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html
[16] Sun Microsystems, Inc., "Policy Tool – Policy File Creation and Management Tool", 2001. Retrieved December 27, 2006, from http://java.sun.com/j2se/1.3/docs/tooldocs/win32/policytool.html
[17] The ServiceUI Project. Retrieved March 15, 2007, from http://www.artima.com/jini/serviceui/index.html
[18] Fallacies of Distributed Computing. Retrieved March 15, 2007, from http://en.wikipedia.org/wiki/Fallacies_of_Distributed_Computing
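The replication and synchronization scheme of Sections III and IV.C, as an added Python model that is not the paper's or SORCER's implementation: the AdminPolicer applies an administrator's change and notifies its slaves, a bootstrapping policer compares event numbers with any active policer and either replays the missing events or copies the whole base, and the first slave whose election message arrives becomes the new master. The `FULL_COPY_THRESHOLD` value, the record layout and the `demo` scenario are assumptions made for this example.

```python
from typing import Dict, List, Optional, Tuple

# A policy-base event: (sequence number, service id, policy text; None means deletion).
Event = Tuple[int, str, Optional[str]]

# Assumed threshold (the paper gives no number): a bootstrapping policer more than this
# many events behind copies the whole base instead of replaying individual events.
FULL_COPY_THRESHOLD = 10


class PolicyBase:
    """The policy base: current records plus an ordered, append-only event log."""
    def __init__(self) -> None:
        self.records: Dict[str, str] = {}
        self.events: List[Event] = []

    @property
    def last_event(self) -> int:
        return self.events[-1][0] if self.events else 0

    def apply(self, event: Event) -> None:
        """Apply one event; ordering is by event number, never by wall-clock time."""
        seq, service_id, policy = event
        if seq != self.last_event + 1:
            raise ValueError(f"event {seq} out of order; expected {self.last_event + 1}")
        if policy is None:
            self.records.pop(service_id, None)
        else:
            self.records[service_id] = policy
        self.events.append(event)

    def events_after(self, seq: int) -> List[Event]:
        return [e for e in self.events if e[0] > seq]

    def copy_from(self, other: "PolicyBase") -> None:
        self.records, self.events = dict(other.records), list(other.events)


class Policer:
    """A policer holding a policy base; exactly one active policer is the AdminPolicer (master)."""
    def __init__(self, name: str, master: bool = False) -> None:
        self.name, self.base, self.is_master = name, PolicyBase(), master
        self.slaves: List["Policer"] = []   # the master's continuously updated slave structure

    def admin_change(self, service_id: str, policy: Optional[str]) -> Event:
        """A change made through the user agent; only the AdminPolicer accepts it."""
        if not self.is_master:
            raise PermissionError(f"{self.name} is a slave; only the AdminPolicer accepts changes")
        event = (self.base.last_event + 1, service_id, policy)
        self.base.apply(event)
        for slave in self.slaves:           # step 2.1.1.1: notify every active slave policer
            slave.base.apply(event)
        return event

    def sync_from(self, active: "Policer") -> str:
        """Bootstrapping synchronization (step 3): compare event numbers, then replay or copy."""
        behind = active.base.last_event - self.base.last_event
        if behind <= 0:
            return "up-to-date"
        if behind > FULL_COPY_THRESHOLD:    # too many changes: copy the whole base
            self.base.copy_from(active.base)
            return "full-copy"
        for event in active.base.events_after(self.base.last_event):
            self.base.apply(event)          # otherwise replay only the missed events
        return "incremental"

    def register_slave(self, policer: "Policer") -> str:
        # The master brings a newly bootstrapped policer up to date, then remembers it.
        how = policer.sync_from(self)
        self.slaves.append(policer)
        return how


def elect_master(messages_in_arrival_order: List[Policer]) -> Policer:
    """Master failure: the first slave whose election message arrives becomes the new master."""
    new_master, *others = messages_in_arrival_order
    new_master.is_master, new_master.slaves = True, others
    for policer in others:
        policer.is_master = False
    return new_master


def demo() -> Dict[str, object]:
    """Constructed run: three changes, a late joiner, a burst of twelve changes, a newcomer."""
    master = Policer("policer-a", master=True)
    slave = Policer("policer-b")
    master.register_slave(slave)
    for i in range(3):
        master.admin_change(f"svc-{i}", f"grant svc-{i} read")
    late = Policer("policer-c")
    late_sync = master.register_slave(late)             # 3 events behind: replayed
    for i in range(12):
        master.admin_change("svc-0", f"grant svc-0 rev{i}")
    newcomer = Policer("policer-d")
    newcomer_sync = newcomer.sync_from(slave)           # any active policer will do: 15 behind
    bases_agree = all(p.base.records == master.base.records for p in (slave, late, newcomer))
    return {"late_sync": late_sync, "newcomer_sync": newcomer_sync, "bases_agree": bases_agree}
```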

AUTHOR BIOGRAPHIES

Nael Abu-Ghazaleh
Computer Science Department, Binghamton University, SUNY
nael@cs.binghamton.edu

Dr. Abu-Ghazaleh joined the Computer Science department in 1998. He received his M.S. and Ph.D.
degrees in Computer Engineering from the University of Cincinnati in 1994 and 1997 respectively. He
has a B.Sc. in Electrical Engineering from the University of Jordan. His research interests are in mobile
computing and networking, sensor networks, parallel and distributed systems and high performance
computing.

Bruce Barnett, Ph.D.


General Electric Global Research
BarnettBr@crd.ge.com

Bruce Barnett graduated from RPI in 1975. He has been a part of General Electric (GE) for over 20
years and is currently a Computer Scientist doing research at GE Global Research. His research covers
traffic analysis, expert systems, real-time video multicast, and security systems and has several
publications in these areas.

Max Berger, Ph.D.


Computer Science, Texas Tech University
max@berger.name

Maximilian Berger has just finished the doctorate in Computer Science at Texas Tech University. He
studied Computer Science at the Technische Universität München where he graduated with a Diploma
in Computer Science in 2003. Then he came to the TTU and joined the SORCER research group. His
main research interest is in distributed systems in particular metacomputing and service-oriented
environments. He is currently moving back to Europe to continue his academic career in distributed
systems.

Steffani Burd, Ph.D.


igxglobal, Inc.
sburd@infosecurityresearch.org

Steffani is an expert in applying analytics to security issues in the private and public sectors. She is a
Threat Mitigation Consultant for igxglobal, Inc. and was previously the Executive Director of the
Information Security in Academic Institutions research project funded by the National Institute of
Justice. Related activities include New York Police Department (NYPD) auxiliary police officer,
incident commander for Citizens Emergency Response Team (CERT), and Director of Research for the
LI Metro InfraGard Alliance. Relevant education includes Columbia University (Ph.D. 1998), and
University of Chicago (B.A. 1988).

Scott Cherkin
DealMine

Mr. Scott Cherkin has been at the forefront of introducing emerging technologies and interactive
marketing solutions to Fortune 500 companies for over ten years. Since 2001, he has applied his
strategic marketing and business development skills to vendors specializing in secure information
sharing and critical infrastructure protection for the Defense Department, Intelligence Community, and
other Homeland Security organizations. Mr. Cherkin's current focus includes consulting to Internet
start-ups and the founding of DealMine.com. He is also an active member of the NY Metro InfraGard
Alliance and the OSD-sponsored Cross Domain Solutions Working Group (CDSWG) and a graduate of
Pennsylvania State University.

Gurpreet Dhillon, Ph.D.


Virginia Commonwealth University
gdhillon@vcu.edu

Gurpreet is a Professor of IS in the School of Business, Virginia Commonwealth University, Richmond,
USA. He holds a Ph.D. from the London School of Economics and Political Science, UK. His research
interests include management of information security, ethical and legal implications of information
technology. His research has been published in several journals including Information Systems
Research, Information & Management, Communications of the ACM, Computers & Security, European
Journal of Information Systems, Information Systems Journal, and International Journal of Information
Management among others. Gurpreet has just finished his sixth book Principles of Information System
Security: text and cases (John Wiley). He is also the Editor in Chief of the Journal of Information
System Security, is the North American Regional Editor of the International Journal of Information
Management and sits on the editorial board of MISQ Executive.

Matthew Haschak
Bowling Green State University
haschak@bgsu.edu

Mr. Haschak is an Information Security Analyst at Bowling Green State University and the former
President, and current Vice President of the Toledo InfraGard Members Alliance. He was a Technical
Advisor as an Academic Institutions Specialist for the NIJ grant funded project researching Information
Security in Academic Institutions. Additionally, Mr. Haschak is a CISSP, has a Masters in Business
Administration and has worked in both the private and public sector as an Information Security Analyst
over the past nine years.

Mary Henthorn
University of Arkansas at Little Rock, Donaghey College of Information Science and Systems
Engineering, Computer Science Graduate Program
State of Arkansas, Office of Information Technology, State Security Office
Mary.henthorn@mail.state.ar.us

Mary Henthorn is completing her master’s degree in computer science at the University of Arkansas at
Little Rock, as well as serving as a Senior Technology Analyst for the State Security Office. Since 1969
she has held positions in applications development, IT management, research and analysis for state and

federal agencies. She holds GIAC and Public Management certifications and is an active member of the
MS-ISAC and InfraGard Members Alliance.

Daniela Inclezan
Member, SORCER Laboratory
Computer Science, Texas Tech University
Daniela.inclezan@ttu.edu

Daniela Inclezan is a doctoral student at Texas Tech University and a member of the SORCER
laboratory at the Computer Science Department, TTU. She currently is working on her master thesis
with the title: “Security Policy Management in Federated Systems” under the supervision of Dr. Michael
Sobolewski. After graduating from the Technical University of Cluj-Napoca, Romania in 2004, she worked as
a web-based application programmer for one year.

Hajime Inoue, Ph.D.


Postdoctoral Fellow, Carleton Computer Security Lab
Computer Science, Carleton University
hinoue@ccsl.carleton.ca

Hajime (Jim) Inoue is a postdoctoral fellow at Carleton University. He received his doctoral degree from
the University of New Mexico. His dissertation was titled, "Anomaly Detection in Dynamic Execution
Environments”. His research interests include: Anomaly Detection, Program Behavior, Program
Language Design and Implementation, Garbage Collection, and Compilers.

Insu Park
School of Management, State University of New York at Buffalo
Insupark@buffalo.edu

Insu Park is a Ph.D. candidate in Management Science & Systems at the University at Buffalo. He was
awarded the Joseph A. Alutto Fellowship from the University in 2006. His research interests include:
Behavioral Decision-Making, Implications of Information Assurance, Behavioral Impacts of
Information Security on Public and Private Sector, Internet Marketing Strategy, Impacts of Individual
Factors on IS Implementation/Effectiveness in Organizations, and E-government. He has journal
publications in Decision Support Systems, the Journal of Information System Security, and IEEE
Transactions on System, Man, and Cybernetics. Prior to becoming a Ph.D. student, he worked as a
consultant in IBS Consulting Company in Seoul, Korea.

Daniel Sexton, Ph.D.


GE Global Research

As a project manager working for GE’s Global research department, Mr. Sexton has been leading and
participating in research projects in wireless communications and wireless sensor system development.
He is currently leading a project for the Department of Energy to develop wireless sensors and networks
for use in industrial environments. Mr. Sexton has 25 years of experience in industrial automation,
controls and communications. He holds 25 granted US patents in both the communications and
automation technologies. He is a leader in the ISA SP100 activity to define wireless systems for
industry, and is a member of the advisory board of Center for Automation Technologies and Systems at

Rensselaer Polytechnic Institute. He holds a Bachelors (1978) and Masters degree (1982) in Electrical
Engineering from Virginia Tech and is a member of IEEE.

H. Raghav Rao
School of Management, State University of New York at Buffalo
mgmtrao@buffalo.edu

Dr. Rao has a Ph.D from Purdue University, an M.B.A from Delhi University, and a B.Tech. from the
Indian Institute of Technology. His interests are in the areas of management information systems,
decision support systems, and expert systems and information assurance. He has chaired sessions at
international conferences and presented numerous papers. He has authored or co-authored more than
100 technical papers, of which more than 60 are published in archival journals. His work has received
best paper and best paper runner up awards at AMCIS and ICIS. Dr. Rao has received funding for his
research from the National Science Foundation, the Department of Defense and the Canadian Embassy
and he has received the University's prestigious Teaching Fellowship. He has also received the Fulbright
fellowship in 2004. He is a co-editor of a special issue of The Annals of Operations Research, the
Communications of ACM, associate editor of Decision Support Systems, Information Systems Research,
and IEEE Transactions in Systems, Man and Cybernetics, and co-Editor- in -Chief of Information
Systems Frontiers.

Raj Sharman
School of Management, State University of New York at Buffalo
rsharman@buffalo.edu

Dr. Raj Sharman is an assistant professor in the School of Management at the State University of New
York, Buffalo, New York. He received his Bachelors degree in Engineering and Masters Degree in
Management from the Indian Institute of Technology, Bombay, India. He also received a Masters in
Industrial Engineering, and a Doctoral degree in Computer Science from Louisiana State University. His
research interests are in the areas of Information Assurance, Disaster Management, and Internet
Technologies. He is a recipient of several grants, both internal and external grants in the area of
Information Security. His publications appear in peer reviewed journals and international conferences in
both the Information Systems and the Computer Science disciplines. Dr. Sharman serves as an associate
editor for the Journal of Information Systems Security.

Michael Sobolewski, Ph.D.


Director, SORCER Laboratory
Computer Science, Texas Tech University
sobol@cs.ttu.edu

Dr. M. Sobolewski has been a Professor of Computer Science at Texas Tech University since September 2002.
He teaches courses related to distributed computing: network security, advanced network programming,
P2P, and mobile computing. He is the director of the SORCER laboratory in the Computer Science
Department, TTU. The laboratory's research is focused on service-oriented computing systems. Before that, he
worked at the General Electric Global Research Center as a Senior Computer Scientist from August
1994. From 1999 he worked on service-grid computing systems and developed a service-based
programming methodology for the FIPER/NIST (Federated Intelligent Product Environment) project.
While at GE GRC, he was the FIPER chief architect and lead developer. In the period 1997-2000 he
led and developed a web-based computing framework (GApp/DARPA) and demonstrated 17 successful
applications for various GE businesses, including a document management system for the family of F110
engines (GE Aircraft Engines), a Web-EMPIS system (GE engineering specification system), and an
Engineering Calculator (GE Plastics). He led GE's successful CAMnet/DARPA project (1995-1996),
developing tools and methodology to deliver manufacturing and engineering services via the World
Wide Web. Also, in 1996 he led a successful Lockheed Martin EDN Toolkit project that provides
enablers to build Web-based workbooks and record books. From November 1989 until February 1994 he
was invited to work on the DICE program at the Concurrent Engineering Research Center (CERC), West Virginia
University, where he developed a knowledge-based environment for concurrent engineering (DICEtalk)
based on his novel percept knowledge representation scheme, a Motif-based generic application, a GUI
client for an information sharing system, and a GUI interface for a medical informatics system (ARTEMIS).

Anil Somayaji
Director, Carleton Computer Security Lab
Computer Science, Carleton University
soma@ccsl.carleton.ca

Dr. Somayaji received his BS degree in mathematics from the Massachusetts Institute of Technology in
1994 and the PhD degree in computer science in 2002 from the University of New Mexico. He is an
assistant professor in the School of Computer Science at Carleton University. His research interests
include computer security, operating systems, complex adaptive systems, and artificial life.

Shambhu Upadhyaya
Director, Center of Excellence in Information Systems Assurance Research and Education
Computer Science and Engineering, State University of New York at Buffalo
shambhu@cse.buffalo.edu

Dr. Shambhu J. Upadhyaya is an Associate Professor of Computer Science and Engineering at the State
University of New York at Buffalo where he directs the Center of Excellence in Information Systems
Assurance Research and Education (CEISARE), designated by the National Security Agency. Prior to
July 1998, he was a faculty member at the Electrical and Computer Engineering department. His
research interests are information assurance, computer security, fault diagnosis, fault tolerant computing,
and VLSI Testing. He has authored or coauthored more than 150 articles in refereed journals and
conferences in these areas. His current projects involve insider threat modeling, intrusion detection,
security in wireless networks, and protection against Internet attacks. His research has been supported by
the National Science Foundation, Rome Laboratory, the U.S. Air Force Office of Scientific Research,
National Security Agency, IBM, and Cisco.

Nicholas C. Weaver
International Computer Science Institute, University of California at Berkeley
nweaver@icsi.berkeley.edu

Dr. Weaver received his Ph.D. in Computer Science from the University of California at Berkeley in
2003. In 1995, he received his B.S. degree in Astrophysics and Computer Science at the same school.
Prior to becoming a researcher at the International Computer Science Institute, he worked at Lawrence
Berkeley Labs and Silicon Defense. His current research focuses on high-speed worms and related
threats. Dr. Weaver first grew interested in this field after observing the possibility of a Warhol
Worm, which could infect every potential host in 15 minutes. He is also interested in single points
of ownership on the Internet as well as the security implications of Brilliant Digital and automatic updaters.

INDEX OF AUTHORS

Abu-Ghazaleh, Nael p. 46
Barnett, Bruce p. 37
Berger, Max p. 56
Burd, Steffani p. 47
Cherkin, Scott p. 47
Dhillon, Gurpreet p. 20
Haschak, Matthew p. 47
Henthorn, Mary p. 2
Inclezan, Daniela p. 64
Inoue, Hajime p. 9
Park, Insu p. 29
Rao, H. Raghav p. 29
Sexton, Daniel p. 37
Sharman, Raj p. 29
Sobolewski, Michael p. 56, 64
Somayaji, Anil p. 9
Upadhyaya, Shambhu p. 29, 36
Von Knop, Katharina p. 55
Weaver, Nicholas C. p. 1
