
Information Assurance and Security

Eugene Spafford
Professor, Department of Computer Sciences, Purdue University

Outline
• Security at Purdue: COAST/CERIAS
• Resources, sponsors
• Ongoing research projects
• Proposed QoS research

Information Security at Purdue
• Information security work at Purdue started in 1979
• Many courses offered (graduate and undergraduate)
• COAST (1992-97)
• CERIAS (1998)
  - University-wide
  - Multidisciplinary

Center Resources
• 32 Sun workstations
• 2 Sun Enterprise servers
• 9 MacOS platforms
• FORE ATM cloud
  - 40 host adapters
  - 2 BX200
  - 4 FORErunners
• 3 486/586 PCs with Windows 95
• 4 Pentium Pro BSDI/Linux
• 12 Pentium II Windows NT
• 2 Pentium laptops
• 5 HP printers
• 2 Tektronix color printers
• 3 Cisco routers
  - 7507 Enterprise router
• 3 Sunscreen firewalls
• 2 PrivateNet firewalls
• 1 Firewall-1 firewall
• Assorted other dedicated hardware & software

On-Going Projects: Brief Synopses
• Intrusion detection
  - AAFID agent-based system
  - Characterizing misuse
• Audit analysis
  - Audit content
  - Audit representation & compression
• Firewalls and network protection
  - Firewall evaluation lab
  - Firewall structure
• Vulnerability testing

On-Going Projects (1)
• Vulnerability database
  - Data mining
  - Taxonomical work
  - Software testing
• Archive development
  - Organization and protection
  - Archival document entry
• Secure outsourcing
• Watermarking

On-Going Projects (2)
• ATM security
• Network vulnerability analysis
• Database & multimedia security
• Use of information-based terrorism
• Attack traceback analysis
• Privacy ethics & protections
• Best practices survey

Current Sponsors
• Founding Sponsors
  - Lilly Endowment
• Tier I Sponsors
  - Andersen Consulting
  - AT&T Labs/GeoPlex
  - Cisco Systems
  - GE Laboratories
  - Global Integrity Corp.
  - Hewlett-Packard Corp.
  - Intel Corporation
  - Microsoft
  - MITRE
  - Schlumberger
  - Sun Microsystems
  - Trident Data Systems
  - Tripwire Security Systems
  - TRW
• Tier II Sponsors
  - Axent
• Other Donors
  - Addison-Wesley
  - INITA
  - L3 Communications
  - O'Reilly & Associates
  - RiskWatch
  - Tektronix

Potential Sponsors
• Boeing
• Citicorp
• Compaq
• Department of Energy/LANL/Sandia
• Motorola
• NIST
• Swiss Bank Corporation

Security QoS
• Security services
  - E.g., audit, intrusion detection, ...
• Many levels of service
  - Multiple "alarm levels" in an ID system
  - Multiple levels of audit
• Costly in terms of network & storage resources
  - A low security level leaves a small footprint; a high level leaves a large one
  - Impact on system usability/availability
    - E.g., a firewall that blocks UDP packets
• Security requirements differ across the network

Research Issues in Security QoS
• How does a user ...
  - ... specify security QoS?
  - ... negotiate security QoS?
• What granularity (host? subnet?)
  - Varies with the security service considered
• Connections with DB QoS and network QoS
  - Compete for the same resources
  - Benefit from the same techniques
• ... and many more in the following examples
  - Intrusion detection
  - Audit trail service
  - Profiling service
  - Secure multimedia document service

Intrusion Detection Service (1)
• Experimental testbed: the existing AAFID prototype
• Already supports multiple levels of security

Intrusion Detection Service (2)
• More research questions
  - How to handle levels of security that vary across a network
  - The interface between security-level regions
    - Where "low" meets "high"
  - What network QoS requirements should the AAFID agents make?
    - Different types of agents
  - What network QoS requirements should AAFID monitors make?
  - What DB QoS requirements should the AAFID entities make on the audit trail DB?

QoS Tradeoffs
• Footprint on network vs. level of security
  - Economic model
  - Cost-benefit analyses
  - Characterize "best" operating points
• Similar tradeoff for which security services to provide
  - Same research issues as above
• Functionality vs. security

Audit Service
• Gives the ability to know "what happened"
• Various levels of audit
  - From "store all events" to "store nothing"
  - The quality of audit required affects resources, hence system usability and availability
• Requirements can vary
  - From application to application
  - From host to host
  - From subnet to subnet
• DB techniques for audit data
  - Audit data is massive (compression issues)
  - Special nature of the data and how it is used ("ephemeral records")
  - Special queries (searching for attack patterns)

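The two preceding slides (QoS tradeoffs and the audit service) describe audit level as a knob: each level retains more event classes, costs more storage, and the required level may differ from host to host and subnet to subnet. The following is an added illustration, not CERIAS or AAFID code, of what choosing an "operating point" under a storage budget looks like in practice. The four audit levels, the event classes each retains, the per-subnet policy, the budget figures and the sample event stream are all constructed assumptions for this example.

```python
"""Audit level as a security QoS knob: added illustration, not CERIAS code.

Each audit level retains more event classes and therefore costs more storage
(its "footprint"). choose_level() picks the highest level whose footprint fits
a per-host storage budget, i.e. the best operating point when storage is the
binding constraint. The level definitions, the per-subnet policy and the
sample events are all constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical audit levels, from "store nothing" to "store all events".
AUDIT_NONE, AUDIT_SECURITY, AUDIT_EXEC, AUDIT_ALL = 0, 1, 2, 3

# Event classes retained at each level (assumption: levels are cumulative).
LEVEL_CLASSES: Dict[int, Set[str]] = {
    AUDIT_NONE: set(),
    AUDIT_SECURITY: {"login", "setuid", "sudo"},
    AUDIT_EXEC: {"login", "setuid", "sudo", "exec"},
    AUDIT_ALL: {"login", "setuid", "sudo", "exec", "file_read", "net"},
}

# Assumed policy: requirements differ by subnet. Longest matching prefix
# wins; hosts outside any listed subnet get the default level.
SUBNET_POLICY: Dict[str, int] = {"10.1.": AUDIT_ALL, "10.2.": AUDIT_SECURITY}
DEFAULT_LEVEL = AUDIT_EXEC


@dataclass(frozen=True)
class Event:
    ts: float
    host: str
    cls: str      # event class, e.g. "login", "exec"
    detail: str   # free-form attributes


# Constructed sample audit stream for one workstation.
SAMPLE_EVENTS: List[Event] = [
    Event(1.0, "ws01", "login", "user=alice tty=pts/0"),
    Event(1.2, "ws01", "file_read", "path=/etc/hosts"),
    Event(1.3, "ws01", "exec", "cmd=/bin/ls"),
    Event(2.0, "ws01", "sudo", "user=alice cmd=/bin/sh"),
    Event(2.1, "ws01", "net", "dst=10.0.0.5:80"),
    Event(2.5, "ws01", "setuid", "uid=0 by=alice"),
    Event(3.0, "ws01", "file_read", "path=/home/alice/.profile"),
    Event(3.1, "ws01", "exec", "cmd=/usr/bin/ssh"),
]


def record_bytes(ev: Event) -> int:
    """Bytes one record occupies in a plain-text audit trail."""
    return len(f"{ev.ts:.3f} {ev.host} {ev.cls} {ev.detail}\n".encode())


def filter_audit(events: List[Event], level: int) -> List[Event]:
    """Records that survive at the given audit level."""
    keep = LEVEL_CLASSES[level]
    return [ev for ev in events if ev.cls in keep]


def footprint(events: List[Event], level: int) -> int:
    """Storage cost of a level over this stream: the price of that QoS."""
    return sum(record_bytes(ev) for ev in filter_audit(events, level))


def choose_level(events: List[Event], budget_bytes: int) -> int:
    """Highest level whose footprint fits the budget (best operating point
    when storage is the binding constraint)."""
    best = AUDIT_NONE
    for level in sorted(LEVEL_CLASSES):
        if footprint(events, level) <= budget_bytes:
            best = level
    return best


def policy_level(ip: str) -> int:
    """Required audit level for a host, by longest matching subnet prefix."""
    matches = [p for p in SUBNET_POLICY if ip.startswith(p)]
    if not matches:
        return DEFAULT_LEVEL
    return SUBNET_POLICY[max(matches, key=len)]


def negotiate(ip: str, events: List[Event], budget_bytes: int) -> int:
    """Level actually run: the best affordable one, but never below policy.
    A required level that does not fit the budget is still enforced; the
    overrun then shows up as the usability/availability cost the slide names."""
    return max(policy_level(ip), choose_level(events, budget_bytes))


if __name__ == "__main__":
    for level in sorted(LEVEL_CLASSES):
        n = len(filter_audit(SAMPLE_EVENTS, level))
        print(f"level {level}: {n} records, {footprint(SAMPLE_EVENTS, level)} bytes")
    print("budget 150 bytes ->", choose_level(SAMPLE_EVENTS, 150))
    print("10.2.0.7, budget 50 ->", negotiate("10.2.0.7", SAMPLE_EVENTS, 50))
```

The interesting part is `negotiate`: the storage budget and the subnet policy pull in opposite directions, and the slide's point that "quality of audit required affects resources, hence usability and availability" is exactly the case where the policy level does not fit the budget.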
User Profiling Service
• Profile of a user
  - For active email (IBM Almaden), active DB
  - For statistical ID (IDES, NIDES and related systems)
• Levels of quality (of the profile)
  - Extensive and accurate implies a higher expense
• Quality requirements are highly variable
  - E.g., an active DB can do with a lower-quality profile than an MD system
• Profiling technology
  - Similar to the statistical approach to intrusion detection
    - Notion of "normal" user (or network, or DB) behavior
    - Difficult! (Curse of dimensionality, dependence, ...)
  - The user profile is itself stored in a special DB
    - How fast should the profile evolve? (Drawbacks to both extremes)

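The last bullet asks how fast a profile should evolve and notes that both extremes have drawbacks. The following added example, which is not IDES, NIDES or CERIAS code, makes that concrete with the simplest statistical profile that has such a knob: an exponentially weighted estimate of the mean and variance of one per-session feature, scored with a z-test. The feature (commands per minute), the initial profile, the 3-sigma threshold and both session sequences are constructed assumptions; the two sequences are chosen to expose each extreme of the evolution rate.

```python
"""Statistical user profile with a tunable evolution rate: added illustration,
not IDES/NIDES/CERIAS code.

The profile keeps an exponentially weighted mean and variance of one
behavioural feature per session (here: commands per minute, a constructed
feature). alpha is the knob the slide asks about: how fast the profile
evolves. The two scenarios below are constructed to show the drawback of each
extreme. Initial profile values and the 3-sigma threshold are assumptions.
"""
import math
from typing import List


class Profile:
    """EWMA estimate of "normal" for one user and one feature."""

    def __init__(self, alpha: float, init_mean: float, init_var: float) -> None:
        self.alpha = alpha        # 0 < alpha <= 1; larger means faster evolution
        self.mean = init_mean
        self.var = init_var

    def zscore(self, x: float) -> float:
        """How many standard deviations x lies from the profile mean."""
        return (x - self.mean) / math.sqrt(self.var)

    def update(self, x: float) -> None:
        """Fold x into the profile (incremental EWMA mean and variance)."""
        diff = x - self.mean
        self.mean += self.alpha * diff
        self.var = (1.0 - self.alpha) * (self.var + self.alpha * diff * diff)


def alarms(alpha: float, sessions: List[float], threshold: float = 3.0,
           init_mean: float = 20.0, init_var: float = 4.0) -> List[int]:
    """Indices of sessions flagged as anomalous.

    Each session is scored against the profile before being folded into it.
    Folding in even the flagged sessions is deliberate: it is what lets a
    slow ramp "train" a fast-evolving profile, which is the first drawback.
    """
    p = Profile(alpha, init_mean, init_var)
    flagged = []
    for i, x in enumerate(sessions):
        if abs(p.zscore(x)) > threshold:
            flagged.append(i)
        p.update(x)
    return flagged


# Constructed scenarios. Baseline profile: 20 commands/minute, sd 2.
GRADUAL_RAMP = [20.0 + 2.0 * i for i in range(1, 21)]   # 22, 24, ..., 60: slow escalation
SUDDEN_SHIFT = [40.0] * 20                               # legitimate new workload, sustained

FAST, SLOW = 0.5, 0.02   # the two extremes of the evolution rate


if __name__ == "__main__":
    print("gradual ramp, fast profile:", alarms(FAST, GRADUAL_RAMP))   # []  : trained by the ramp
    print("gradual ramp, slow profile:", alarms(SLOW, GRADUAL_RAMP))   # first alarm at index 3
    print("sudden shift, fast profile:", alarms(FAST, SUDDEN_SHIFT))   # [0] : adapts after one session
    print("sudden shift, slow profile:", alarms(SLOW, SUDDEN_SHIFT))   # 5 false alarms before adapting
```

With a fast-evolving profile (alpha = 0.5) the gradual ramp never trips the threshold at all: the profile follows the escalation step for step. With a slow one (alpha = 0.02) the ramp is caught within a few sessions, but the same slow profile raises five consecutive false alarms on a legitimate sustained change before its variance inflates enough to absorb it. Real profilers add a second knob the example omits, namely whether flagged sessions are folded into the profile at all.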
Other Security Services
• Scanning
  - Related to ID but intense & limited in time (ID is continuous)
• Multimedia document services
  - Timestamping, tamper-resistance, watermarking, ...
• Cryptographic protocol support
• PKI
• ... etc.
• Each service has its own QoS requirements/tradeoffs

Other Contributions
• CERIAS Outreach
  - Technology transfer to sponsors
  - Workshops and conferences
  - Continuing education offerings
• CERIAS K-12
  - Full-time coordinator
  - Working with the State Education Dept.
• CERIAS Archive Delivery
  - Full-time Webmaster
  - Major archive & dissemination