MS
I
Eugene Spafford
Professor
Department of Computer Sciences
Purdue University
Outline
Security at Purdue, COAST/CERIAS
Resources, Sponsors
Ongoing Research Projects
Proposed QoS Research
2
Information Security At Purdue
Information Security started in 1979
Many courses offered (grad, undergrad)
COAST (1992-97)
CERIAS (1998)
• University-wide
• Multidisciplinary
3
Center Resources
32 Sun Workstations
2 Sun Enterprise Servers
9 MacOS Platforms
FORE ATM cloud
• 40 host adapters
• 2 BX200
• 4 FORErunners
3 486/586 PCs w/Win 95
4 Pentium Pro BSDI/Linux
12 Pentium II WinNT
5 HP Printers
2 Tektronix Color Printers
3 Cisco Routers
• 7507 Enterprise router
3 Sunscreen firewalls
2 PrivateNet firewalls
1 Firewall-1 firewall
2 Pentium laptops
Assorted other dedicated hardware & software
4
On-Going Projects–Brief Synopses
Intrusion Detection
• AAFID agent-based system
• Characterizing Misuse
Audit Analysis
• Audit content
• Audit representation & compression
Firewalls and Network Protection
• Firewall evaluation lab
• Firewall structure
Vulnerability Testing
5
On-Going Projects (1)
Vulnerability Database
• Data Mining
• Taxonomical Work
• Software Testing
Archive Development
• Organization and Protection
• Archival document entry
Secure outsourcing
Watermarking
6
On-Going Projects (2)
ATM Security
Network vulnerability analysis
Database & Multimedia security
Use of information-based terrorism
Attack traceback analysis
Privacy ethics & protections
Best practices survey
7
Current Sponsors
Founding Sponsors
• Lilly Endowment
Tier I Sponsors
• Andersen Consulting
• AT&T Labs/GeoPlex
• Cisco Systems
• GE Laboratories
• Global Integrity Corp.
• Hewlett-Packard Corp.
• Intel Corporation
• Microsoft
• MITRE
• Schlumberger
• Sun Microsystems
• Trident Data Systems
• Tripwire Security Systems
• TRW
Tier II Sponsors
• Axent
Other Donors
• Addison-Wesley
• INITA
• L3 Communications
• O’Reilly & Associates
• RiskWatch
• Tektronix
8
Potential Sponsors
Boeing
Citicorp
Compaq
Department of Energy/LANL/Sandia
Motorola
NIST
Swiss Bank Corporation
9
Security QoS
Security services
• E.g., audit, intrusion detection, …
Many levels of service
• Multiple “alarm levels” in an ID system
• Multiple levels of audit
Costly in terms of network & storage resources
• Low (high) security levels cause small (large) footprints
• Impact on system usability/availability
– E.g., firewall blocks UDP packets
Security requirements differ across the network
10
Research Issues in Security QoS
How does the user …
• … specify security QoS?
• … negotiate security QoS?
What granularity (host? subnet?)
• Varies with security service considered
Connections with DB QoS and network QoS
• Compete for same resources
• Benefit from same techniques
… and many more in the following examples
• Intrusion detection
• Audit trail service
• Profiling service
• Secure multimedia document service
11
Intrusion Detection Service (1)
Experimental testbed: existing AAFID prototype
Already supports multiple levels of security
12
Intrusion Detection Service (2)
More research questions
• How to handle levels of security that vary across a network
• The interface between security-level regions
– Where “low” meets “high”
• What network QoS requirements should the AAFID agents make?
– Different types of agents
• What network QoS requirements should AAFID monitors make?
• What DB QoS requirements should the AAFID entities make on the audit trail DB?
13
QoS Tradeoffs
Footprint on network vs. level of security
• Economic model
• Cost-benefit analyses
• Characterize “best” operating points
Similar tradeoff for which security services to provide
• Same research issues as above
Functionality vs. security
14
Audit Service
Gives ability to know “what happened”
Various levels of audit
• From “store all events” to “store nothing”
• Quality of audit required affects resources, hence system usability and availability
Requirements can vary
• From application to application
• From host to host
• From subnet to subnet
DB techniques for audit data
• Audit data is massive (compression issues)
• Special nature of data and how it is used (“ephemeral records”)
• Special queries (searching for attack patterns)
15
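The "levels of audit" idea on this slide, and the "low (high) security levels cause small (large) footprints" point on the Security QoS slide, can be made concrete with a small audit filter. The following is an added example and not code from the CERIAS projects or the AAFID prototype: the four audit levels, the set of "security-relevant" categories, the per-subnet policy and the sample events are all constructed assumptions for this illustration. It applies the same event stream at every level to show how retained volume grows with the level, and then applies a per-subnet policy so that requirements can differ "from subnet to subnet".

```python
import json
from enum import IntEnum
from ipaddress import ip_address, ip_network

# Added illustration of audit levels and their storage footprint. Level names,
# categories, subnets and events are constructed for this example only.

class AuditLevel(IntEnum):
    NONE = 0       # "store nothing"
    FAILURES = 1   # only events whose outcome is a failure/denial
    SECURITY = 2   # security-relevant events, plus all failures
    FULL = 3       # "store all events"

# Categories treated as security-relevant at the SECURITY level (assumption).
SECURITY_CATEGORIES = {"auth", "priv", "policy"}

# Per-subnet policy, most specific prefix first (constructed example values).
SUBNET_POLICY = [
    (ip_network("10.0.1.0/24"), AuditLevel.FULL),      # e.g. exposed servers
    (ip_network("10.0.2.0/24"), AuditLevel.SECURITY),  # e.g. staff desktops
    (ip_network("10.0.0.0/8"), AuditLevel.FAILURES),   # rest of the internal net
]
DEFAULT_LEVEL = AuditLevel.NONE   # hosts outside every listed subnet

# Constructed sample events: one host per subnet plus an unlisted host.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:01Z", "host": "10.0.1.5", "category": "auth", "outcome": "fail", "detail": "ssh password failure for alice"},
    {"ts": "2024-03-01T09:00:02Z", "host": "10.0.1.5", "category": "file", "outcome": "ok", "detail": "read /var/www/index.html"},
    {"ts": "2024-03-01T09:00:03Z", "host": "10.0.2.9", "category": "priv", "outcome": "ok", "detail": "sudo /usr/bin/systemctl restart cups"},
    {"ts": "2024-03-01T09:00:04Z", "host": "10.0.2.9", "category": "net", "outcome": "ok", "detail": "connect 10.0.1.5:443"},
    {"ts": "2024-03-01T09:00:05Z", "host": "10.0.3.4", "category": "auth", "outcome": "fail", "detail": "bad password for bob"},
    {"ts": "2024-03-01T09:00:06Z", "host": "10.0.3.4", "category": "file", "outcome": "ok", "detail": "write /tmp/report.txt"},
    {"ts": "2024-03-01T09:00:07Z", "host": "192.0.2.10", "category": "auth", "outcome": "fail", "detail": "bad password for carol"},
]

def level_for(host):
    """Audit level required for a host, taken from the first matching subnet."""
    addr = ip_address(host)
    for net, level in SUBNET_POLICY:
        if addr in net:
            return level
    return DEFAULT_LEVEL

def should_record(event, level):
    """Decide whether one event is retained at the given audit level."""
    if level == AuditLevel.NONE:
        return False
    if level == AuditLevel.FULL:
        return True
    failed = event["outcome"] == "fail"
    if level == AuditLevel.FAILURES:
        return failed
    return failed or event["category"] in SECURITY_CATEGORIES  # SECURITY

def footprint_by_level(events):
    """(events kept, bytes written) for the same stream at each audit level."""
    result = {}
    for level in AuditLevel:
        kept = [e for e in events if should_record(e, level)]
        nbytes = sum(len(json.dumps(e)) + 1 for e in kept)   # +1 for the newline
        result[level] = (len(kept), nbytes)
    return result

def apply_policy(events):
    """Retain events according to the audit level of each event's source subnet."""
    return [e for e in events if should_record(e, level_for(e["host"]))]

if __name__ == "__main__":
    for level, (n, b) in footprint_by_level(SAMPLE_EVENTS).items():
        print(f"{level.name:9s} keeps {n} events, {b} bytes")
    print("policy keeps", len(apply_policy(SAMPLE_EVENTS)), "events")
```

Run stand-alone, it prints the retained count and byte footprint at each of the four levels, then the count retained under the per-subnet policy; the footprint grows monotonically with the level, which is the resource side of the tradeoff the slides describe.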
User Profiling Service
Profile of user
• For active email (IBM Almaden), active DB
• For statistical ID (IDES, NIDES and related systems)
Levels of quality (of profile)
• Extensive and accurate implies a higher expense
Quality requirements are highly variable
• E.g., active DB can do with lower quality profile than MD system
Profiling technology
• Similar to statistical approach to intrusion detection
– Notion of “normal” user (or network, or DB) behavior
– Difficult! (Curse of dimensionality, dependence, …)
• User profile is itself stored in special DB
– How fast should profile evolve? (Drawbacks to both extremes)
16
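The last bullet, "how fast should the profile evolve? (drawbacks to both extremes)", is easy to see in a toy statistical profile. The following is an added example, not code from IDES, NIDES, AAFID or any CERIAS project: the profile keeps an exponentially weighted mean of a user's activity rate with an evolution rate alpha, the spread is frozen from a training period (a simplification chosen so that only the evolution rate varies), and the two observation streams and all numbers are constructed. A fast-evolving profile silently absorbs a gradual creep in activity, while a slow-evolving profile keeps alarming for many periods after a legitimate step change.

```python
# Added illustration of profile evolution rate. Rates, thresholds and the
# observation streams are constructed assumptions, not measured data.

class UserProfile:
    """Profile of one user's activity rate (e.g. commands per hour).

    The mean evolves as an exponentially weighted moving average; alpha is
    the evolution rate (near 0: the profile barely moves, near 1: it follows
    the last observation). The spread is fixed from a training period so that
    the example isolates the effect of alpha (simplification)."""

    def __init__(self, alpha, mean, std):
        self.alpha = alpha
        self.mean = mean
        self.std = std

    def score(self, x):
        """Standardised distance of an observation from the current 'normal'."""
        return abs(x - self.mean) / self.std

    def update(self, x):
        """Let the profile drift toward the new observation."""
        self.mean += self.alpha * (x - self.mean)

def count_alarms(profile, observations, threshold=3.0):
    """Score each observation against the profile, then learn from it.
    Returns how many observations exceeded the alarm threshold."""
    alarms = 0
    for x in observations:
        if profile.score(x) > threshold:
            alarms += 1
        profile.update(x)
    return alarms

# Constructed streams. Training baseline: 20 commands/hour, std 3.
BASELINE_MEAN, BASELINE_STD = 20.0, 3.0
# Scenario A: activity creeps up by one unit per period, 21..60. A profile
# that evolves quickly absorbs this without ever alarming.
GRADUAL_DRIFT = [BASELINE_MEAN + i for i in range(1, 41)]
# Scenario B: a legitimate step change to 40/hour from now on. A profile
# that evolves slowly keeps alarming long after the change.
STEP_CHANGE = [40.0] * 30

def compare_rates(slow_alpha=0.05, fast_alpha=0.5):
    """Alarm counts for a slow and a fast evolving profile on both scenarios."""
    out = {}
    for name, stream in (("drift", GRADUAL_DRIFT), ("step", STEP_CHANGE)):
        for label, alpha in (("slow", slow_alpha), ("fast", fast_alpha)):
            profile = UserProfile(alpha, BASELINE_MEAN, BASELINE_STD)
            out[(name, label)] = count_alarms(profile, stream)
    return out

if __name__ == "__main__":
    for (scenario, rate), n in compare_rates().items():
        print(f"{scenario:5s} scenario, {rate:4s} profile: {n} alarms")
```

With the constructed numbers the fast profile raises no alarm at all on the gradual creep (the slow one does), and the slow profile raises alarms for sixteen consecutive periods after the legitimate step change where the fast one raises two; neither setting is right for both cases, which is the point of the slide.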
Other Security Services
Scanning
• Related to ID but intense & limited in time (ID is continuous)
Multimedia document services
• Timestamping, tamper-resistance, watermarking, …
Cryptographic protocol support
PKI
… etc
Each service has its own QoS requirements/tradeoffs
17
Other Contributions
CERIAS Outreach
• Technology transfer to sponsors
• Workshops and Conferences
• Continuing Ed offerings
CERIAS K-12
• Full-time coordinator
• Working with State Education Dept.
CERIAS Archive Delivery
• Full-time Webmaster
• Major archive & dissemination
18