Information Assurance and Security

MS
I
Eugene Spafford
Professor
Department of Computer Sciences
Purdue University
Outline
Security at Purdue, COAST/CERIAS
Resources, Sponsors
Ongoing Research Projects
Proposed QoS Research

Information Security At Purdue
Information Security started in 1979
Many courses offered (grad, undergrad)
COAST (1992-97)
CERIAS (1998)
• University-wide
• Multidisciplinary

Center Resources
32 Sun Workstations
2 Sun Enterprise Servers
9 MacOS Platforms
FORE ATM cloud
• 40 host adapters
• 2 BX200
• 4 FORErunners
3 486/586 PCs w/Win 95
4 Pentium Pro BSDI/Linux
12 Pentium II WinNT
5 HP Printers
2 Tektronix Color Printers
3 Cisco Routers
• 7507 Enterprise router
3 Sunscreen firewalls
2 PrivateNet firewalls
1 Firewall-1 firewall
2 Pentium laptops
Assorted other dedicated hardware & software

On-Going Projects–Brief Synopses
Intrusion Detection
• AAFID agent-based system
• Characterizing Misuse

Audit Analysis
• Audit content
• Audit representation & compression

Firewalls and Network Protection
• Firewall evaluation lab
• Firewall structure

Vulnerability Testing

On-Going Projects (1)
Vulnerability Database
• Data Mining
• Taxonomical Work
• Software Testing

Archive Development
• Organization and Protection
• Archival document entry

Secure outsourcing

Watermarking

On-Going Projects (2)
ATM Security
Network vulnerability analysis
Database & Multimedia security
Use of information-based terrorism
Attack traceback analysis
Privacy ethics & protections
Best practices survey

Current Sponsors
Founding Sponsors
• Lilly Endowment

Tier I Sponsors
• Andersen Consulting
• AT&T Labs/GeoPlex
• Cisco Systems
• GE Laboratories
• Global Integrity Corp.
• Hewlett-Packard Corp.
• Intel Corporation
• Microsoft
• MITRE
• Schlumberger
• Sun Microsystems
• Trident Data Systems
• Tripwire Security Systems
• TRW

Tier II Sponsors
• Axent

Other Donors
• Addison-Wesley
• INITA
• L3 Communications
• O’Reilly & Associates
• RiskWatch
• Tektronix

Potential Sponsors
Boeing
Citicorp
Compaq
Department of Energy/LANL/Sandia
Motorola
NIST
Swiss Bank Corporation

Security QoS
Security services
• E.g., audit, intrusion detection, …

Many levels of service
• Multiple "alarm levels" in an ID system
• Multiple levels of audit

Costly in terms of network & storage resources
• Low (high) security levels cause small (large) footprints
• Impact on system usability/availability
  – E.g., firewall blocks UDP packets

Security requirements differ across the network

Research Issues in Security QoS
How does user …
• … specify security QoS?
• … negotiate security QoS?

What granularity (host? subnet?)
• Varies with security service considered

Connections with DB QoS and network QoS
• Compete for same resources
• Benefit from same techniques

… and many more in the following examples
• Intrusion detection
• Audit trail service
• Profiling service
• Secure multimedia document service

Intrusion Detection Service (1)
Experimental testbed: Existing AAFID prototype
Already supports multiple levels of security

Intrusion Detection Service (2)
More research questions
• How to handle levels of security that vary across a network
• The interface between security-level regions
  – Where "low" meets "high"
• What network QoS requirements should the AAFID agents make?
  – Different types of agents
• What network QoS requirements should AAFID monitors make?
• What DB QoS requirements should the AAFID entities make on the audit trail DB?

QoS Tradeoffs
Footprint on network vs. level of security
• Economic model
• Cost-benefit analyses
• Characterize "best" operating points

Similar tradeoff for which security services to provide
• Same research issues as above

Functionality vs. security

Audit Service
Gives ability to know "what happened"

Various levels of audit
• From "store all events" to "store nothing"
• Quality of audit required affects resources, hence system usability and availability

Requirements can vary
• From application to application
• From host to host
• From subnet to subnet

DB techniques for audit data
• Audit data is massive (compression issues)
• Special nature of data and how it is used ("ephemeral records")
• Special queries (searching for attack patterns)

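The two ideas from the Security QoS slide and this one (audit levels that cost more storage the higher they are, and requirements that differ by application, host and subnet) can be made concrete with a small audit filter. The following is an added example, not CERIAS code or the AAFID prototype; the level names, the event-kind mapping, the policy resolution rule (most specific network scope wins, application scope only raises the level) and the sample events are all assumptions for illustration:

```python
"""Audit service with per-scope audit levels.

Added example, not CERIAS code: the levels, the policy and the sample events
below are assumed for illustration.
"""
from ipaddress import ip_address, ip_network
import json

# Ordered audit levels; each level records everything the levels below it record.
LEVELS = ["nothing", "failures", "auth", "all"]

# Minimum audit level at which each event kind is recorded (assumed mapping).
EVENT_MIN_LEVEL = {
    "login_failure": "failures",
    "login_success": "auth",
    "logout": "auth",
    "file_read": "all",
    "file_write": "all",
}

# Hypothetical policy. Network scope: the most specific match wins
# (host > longest-prefix subnet > default). Application scope is a floor
# that can only raise the level an event gets.
POLICY = {
    "default": "failures",
    "subnets": {"10.1.0.0/16": "auth", "10.2.0.0/16": "nothing"},
    "hosts": {"10.1.5.7": "all"},
    "applications": {"payroll": "all"},
}


def rank(level):
    return LEVELS.index(level)


def required_level(host, app, policy=POLICY):
    """Resolve the audit level that applies to an event from (host, app)."""
    level = policy["default"]
    addr = ip_address(host)
    best_prefix = -1
    for net, lvl in policy["subnets"].items():
        network = ip_network(net)
        if addr in network and network.prefixlen > best_prefix:
            best_prefix, level = network.prefixlen, lvl
    if host in policy["hosts"]:
        level = policy["hosts"][host]
    app_level = policy["applications"].get(app)
    if app_level is not None and rank(app_level) > rank(level):
        level = app_level
    return level


def filter_events(events, policy=POLICY, force_level=None):
    """Split events into (stored, dropped). force_level applies one level
    everywhere, which is how the footprint of a uniform level is measured."""
    stored, dropped = [], []
    for ev in events:
        level = force_level or required_level(ev["host"], ev["app"], policy)
        if rank(level) >= rank(EVENT_MIN_LEVEL[ev["kind"]]):
            stored.append(ev)
        else:
            dropped.append(ev)
    return stored, dropped


def footprint_bytes(events):
    """Storage footprint if retained records are written as JSON lines."""
    return sum(len(json.dumps(ev)) + 1 for ev in events)


# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    {"host": "10.1.5.7", "app": "shell", "kind": "file_read", "obj": "/etc/passwd"},
    {"host": "10.1.9.2", "app": "shell", "kind": "file_read", "obj": "/tmp/x"},
    {"host": "10.1.9.2", "app": "shell", "kind": "login_success", "user": "alice"},
    {"host": "10.2.3.4", "app": "shell", "kind": "login_failure", "user": "root"},
    {"host": "10.2.3.4", "app": "payroll", "kind": "login_failure", "user": "bob"},
    {"host": "192.168.1.1", "app": "shell", "kind": "login_failure", "user": "root"},
    {"host": "192.168.1.1", "app": "shell", "kind": "file_read", "obj": "/etc/shadow"},
]


def summarize(events=SAMPLE_EVENTS, policy=POLICY):
    stored, dropped = filter_events(events, policy)
    return {"stored": len(stored), "dropped": len(dropped),
            "bytes": footprint_bytes(stored)}


def footprint_by_level(events=SAMPLE_EVENTS):
    """Footprint when one audit level is imposed on every host."""
    return {lvl: footprint_bytes(filter_events(events, force_level=lvl)[0])
            for lvl in LEVELS}


if __name__ == "__main__":
    print(summarize())
    print(footprint_by_level())
```

Under this policy four of the seven sample events are kept: the file read on the fully audited host, the login on the "auth" subnet, the payroll failure on the otherwise unaudited subnet (the application floor wins) and the default-level failure. `footprint_by_level` gives the monotone cost curve the slide refers to, from zero bytes at "nothing" up to every record at "all"; the interesting QoS question is where on that curve each scope should sit.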
User Profiling Service
Profile of user
• For active email (IBM Almaden), active DB
• For statistical ID (IDES, NIDES and related systems)

Levels of quality (of profile)
• Extensive and accurate implies a higher expense

Quality requirements are highly variable
• E.g., active DB can do with lower quality profile than MD system

Profiling technology
• Similar to statistical approach to intrusion detection
  – Notion of "normal" user (or network, or DB) behavior
  – Difficult! (Curse of dimensionality, dependence, …)
• User profile is itself stored in special DB
  – How fast should profile evolve? (Drawbacks to both extremes)

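The last question on this slide, how fast a statistical profile should evolve, can be shown with an exponentially weighted baseline run against two constructed scenarios. This is an added example, not code from CERIAS, IDES or NIDES; the per-session measure (files touched per session), the fixed tolerance, the learning rates and the scenarios are assumptions made for illustration:

```python
"""Statistical user profile with an evolving baseline.

Added example, not CERIAS or IDES/NIDES code: the measure (files touched per
session), the EWMA update and the scenarios are assumed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    baseline: float         # expected value of the measure; evolves by EWMA
    tolerance: float        # spread learned from training sessions; held fixed
    alpha: float            # learning rate: fraction of each observation absorbed
    threshold: float = 3.0  # alarm when |x - baseline| exceeds this many tolerances

    def score(self, x):
        return abs(x - self.baseline) / self.tolerance

    def update(self, x):
        # Exponentially weighted moving average: alpha near 1 forgets the past
        # almost at once, alpha near 0 barely moves the baseline.
        self.baseline += self.alpha * (x - self.baseline)


def train(sessions, alpha):
    return Profile(baseline=mean(sessions), tolerance=pstdev(sessions), alpha=alpha)


def monitor(profile, sessions):
    """Indices of sessions that raise an alarm; the profile evolves as it goes."""
    alarms = []
    for i, x in enumerate(sessions):
        if profile.score(x) > profile.threshold:
            alarms.append(i)
        profile.update(x)
    return alarms


# Constructed scenarios, not real data.
TRAINING = [15, 25] * 5                        # baseline 20, tolerance 5
SLOW_ATTACK = [22 + 2 * i for i in range(30)]  # intruder ramps 22 -> 80 over 30 sessions
ROLE_CHANGE = [40] * 30                        # legitimate, permanent jump to 40


def compare(alpha_fast=0.5, alpha_slow=0.01):
    """Alarms raised by a fast-evolving and a slow-evolving profile."""
    return {
        "fast": {
            "attack": monitor(train(TRAINING, alpha_fast), SLOW_ATTACK),
            "role_change": monitor(train(TRAINING, alpha_fast), ROLE_CHANGE),
        },
        "slow": {
            "attack": monitor(train(TRAINING, alpha_slow), SLOW_ATTACK),
            "role_change": monitor(train(TRAINING, alpha_slow), ROLE_CHANGE),
        },
    }


if __name__ == "__main__":
    for rate, result in compare().items():
        print(rate, result)
```

With the fast rate the slowly escalating intruder drags the baseline along and never trips the threshold (no alarms), while a legitimate role change costs one alarm and is then absorbed. With the slow rate the ramp is caught by the eighth session, but the same legitimate change keeps alarming for 29 consecutive sessions. Those are the two extremes the slide warns about; a deployable profile also has to re-estimate the tolerance and bound how far the baseline may drift without an analyst confirming the change.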
Other Security Services
Scanning
• Related to ID but intense & limited in time (ID is continuous)

Multimedia document services
• Timestamping, tamper-resistance, watermarking, …

Cryptographic protocol support

PKI

… etc.

Each service has its own QoS requirements/tradeoffs

Other Contributions
CERIAS Outreach
• Technology transfer to sponsors
• Workshops and Conferences
• Continuing Ed offerings

CERIAS K-12
• Full-time coordinator
• Working with State Education Dept.

CERIAS Archive Delivery
• Full-time Webmaster
• Major archive & dissemination