uccsResearch4a

Download Report

Transcript uccsResearch4a 

UCCS Network/System Security Research
C. Edward Chow
Xiaobo Joe Zhou
Yu Cai
Ganesh Godavari
Department of Computer Science
University of Colorado at Colorado Springs
Some of the research projects are sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by
NISSC Summer/Fall2003 grants.
Part of these results are supported by a generous gift from Fujitsu for Internet research.
Pfleeger Visit 4/13/2004
1
UCCS Network/System Security
Outline of the Talk
Overview of Network/System Security Research Projects at
Network/System Lab
 Secure Collective Internet Defense (SCOLD): an Intrusion Tolerance
System.
 Autonomous Anti-DDoS (A2D2: )Integrated enhanced Snort IDS
with multi-level adaptive rate limiting firewall
 Secure Groupware for First Responders (SGFR): Integrated Group
Rekeying (Keystone) with Instant Massaging (Jabber) on MANET
 Secure Access Mobile Ad Hoc Network (SMANET): Implemented
PEAP module on freeRadius server, compared PEAP with TTLS
 First Responder Sensor Network (FRSN): Track Fire Fighters with
Crossbow Mote-based Sensor Network.
 Improving System Performance by QoS Regulations with Adaptive
Resource Management under Cyber Threats
 Intelligence/Information Fusion
 Secure Information Sharing
Pfleeger Visit 4/13/2004
2
UCCS Network/System Security
UCCS Network/System Research Lab

Director: Dr. C. Edward Chow (Network/Protocol)
 Assistant Professor: Dr. Xiaobo Zhou (Distributed Systems; QoS)
 Graduate students:
















John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network
Restoration/Network Survivability
Hekki Julkunen: Dynamic Packet Filter
Chandra Prakash: High Available Linux kernel-based Content Switch
Ganesh Godavari: Linux based Secure Web Switch
Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
Longhua Li: IXP-based Content Switch
David Wikinson: Secure DNS (update/query) with multiple indirect routing entries
Nirmala Bulusu: Secure Wireless Access; PEAP vs. TTLS; enhance freeRadius server
with PEAP module
(the above graduated)
Yu Cai (Ph.D. research assistant): Proxy Server Based Multipath Routing; Secure
Collective Internet Defense; Information Fusion;
Ganesh Godavari: (Ph.D. research assistant): Content Switching Rule Conflict Detection;
Secure Groupware; First Responder Sensor Network; Secure Information Sharing
Frank Watson: enhanced TCP with multiple routes (User Mode Linux)
Paul Fong: Wireless AODV Routing for sensor networks
Murthy Andukuri/Jing Wu: iSCSI/VPN/MPLS Secure QoS Storage Network.
Patricia Ferrao/Merlin Vincent: Web-based Collaborative System
Sarah Jelinek: Enterprise Intrusion Detection and Response System (A2D2V2).
Pfleeger Visit 4/13/2004
3
UCCS Network/System Security
UCCS Network Lab Equipment

Gigabit fiber connection to UCCS backbone
 Switch/Firewall/Wireless AP:
 HP 4000 switch; 4 Linksys/Dlink Switches; 5 Intel 24 ports Fast
Ethernet switch.
 Sonicwall Pro 300 Firewall; 6 Intel VPN Firewall
 8 Intel 7112 SSL accelerators; 4 7820 XML directors donated by Intel.
 Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI
cards (both 802.11a and 802.11b cards).
 Intel IXP12EB network processor evaluation board
 Servers: Two Dell PowerEdge Servers.
 Workstations/PCs:
 8 Dell PCs (3Ghz-500Mhz); 12 HP PCs (500-233Mhz)
 2 laptop PCs with Aironet 350 for mobile wireless
 1 IPAQ3875 PDA
 OS: Linux Redhat 9, Fedora; Window XP/2000/2003
Pfleeger Visit 4/13/2004
4
UCCS Network/System Security
Intrusion Related Research Areas



Intrusion Prevention
 General Security Policy
 Ingress/Egress Filtering
Intrusion Detection
 Honey pot
 Host-based IDS Tripwire
 Anomaly Detection
 Misuse Detection
Intrusion Response
 Identification/Traceback/Pushback
 Intrusion
Pfleeger Visit 4/13/2004
Tolerance
5
UCCS Network/System Security
Wouldn’t it be Nice to Have Alternate Routes?
net-a.mil
A
A
net-b.mil
A ... A
...
DNS1
R
net-c.mil
A
R
R
R3
DDoS Attack Traffic
Client Traffic
Victim
Pfleeger Visit 4/13/2004
A ... A
DNS3
DNS2
R
DNS
A
...
R2
R1
How to reroute clients
traffic through R1-R3?
Multi-homing
Alternate
Gateways
6
UCCS Network/System Security
Implement Alternate Routes
net-a.mil
A
A
net-b.mil
A ... A
...
DNS1
R
net-c.mil
A
A
A ... A
...
DNS3
DNS2
R
R
Need to Inform Clients or
Client DNS servers!
DNS
R
R3
DDoS Attack Traffic
Client Traffic
Victim
Pfleeger Visit 4/13/2004
R2
Alternate
Gateways
7
R1
But how to tell which Clients
are not compromised?
How to hide
IP addresses of
Alternate Gateways?
UCCS Network/System Security
Possible Solution for Alternate Routes
net-a.mil
A
A
net-b.mil
A ... A
...
DNS1
R
net-c.mil
A
A
A ... A
...
DNS3
DNS2
R
R
New route via Proxy3 to R3
Proxy2
Proxy1
Proxy3
Attack msgs blocked by IDS
Blocked by IDS
block
R
R2
R1
R3
Victim
Sends Reroute Command
with DNS/IP Addr. Of
Proxy and Victim
Distress Call
Pfleeger Visit 4/13/2004
8
UCCS Network/System Security
net-b.mil
net-a.mil
net-c.mil
...
A
A
A
...
...
A
SCOLD
Phase1
Victim
Pfleeger Visit 4/13/2004
A
Proxy3
Proxy1
Attack Traffic
Client Traffic
...
R
Proxy2
block
A
DNS3
R
R1
A
DNS2
DNS1
R
A
block
R
2
R
R3
Reroute
Coordinator
1. IDS detects intrusion
Blocks Attack Traffic
Sends distress call to Reroute Coordinator
9
UCCS Network/System Security
net-b.mil
net-a.mil
net-c.mil
...
A
A
A
...
...
A
SCOLD
Phase 2
A
A
DNS3
R
R
Proxy2
Proxy3
2. Sends Reroute Command with
(DNS Name, IP Addr. Of victim,
Proxy Server(s)) to DNS
Proxy1
block
R1
...
A
DNS2
DNS1
R
A
R
2
R
R3
Reroute
Coordinator
1. IDS detects intrusion
Blocks Attack Traffic
Sends distress call to Reroute Coordinator
Attack Traffic
Client Traffic
Victim
Pfleeger Visit 4/13/2004
10
UCCS Network/System Security
net-b.mil
net-a.mil
net-c.mil
...
A
A
A
...
...
A
3. New route via
Proxy1 to R1
R
A
...
A
DNS3
DNS2
R
R
Proxy2
Proxy3
Proxy1
block
R1
A
3. New route via
Proxy3 to R3
3. New route via
Proxy2 to R2
DNS1
SCOLD
Phase3
A
R
2
R
Attack Traffic
Client Traffic
R3
2. Sends Reroute Command with
(DNS Name, IP Addr. Of victim,
Proxy Server(s)) to DNS
Reroute
Coordinator
Victim
Pfleeger Visit 4/13/2004
11
UCCS Network/System Security
net-b.mil
net-a.mil
net-c.mil
...
A
A
A
...
...
A
3. New route via
Proxy1 to R1
R
...
A
R
Proxy2
Proxy3
Proxy1
block
R1
A
DNS3
DNS2
R
4a. Attack traffic
detected by IDS
blocked by Firewall
A
3. New route via
Proxy3 to R3
3. New route via
Proxy2 to R2
DNS1
SCOLD
Phase4
A
R
2
R
Attack Traffic
Client Traffic
R3
4. Attack traffic
detected by IDS
blocked by Firewall
Reroute
Coordinator
Victim
Pfleeger Visit 4/13/2004
12
UCCS Network/System Security
SCOLD Secure DNS Update
with New Indirect DNS Entries
Client
Domain
Modified
Bind9
Trusted Domain
WAN
DMZ
Modified
Bind9
proxy2
Modified
Client
Resolve
Library
New DNS Entries:
IP Tunnel
(target.targetnet.com, 133.41.96.7, ALT 203.55.57.102)
Pfleeger Visit 4/13/2004
203.55.57.103
185.11.16.49
13
A set of alternate proxy servers
for indirect
routes
UCCS Network/System Security
SCOLD Indirect Routing
IP tunnel
Pfleeger Visit 4/13/2004
IP tunnel
14
UCCS Network/System Security
SCOLD Indirect Routing with Client
running SCOLD client daemon
IP tunnel
Pfleeger Visit 4/13/2004
IP tunnel
15
UCCS Network/System Security
Performance of SCOLD v0.1

Table 1: Ping Response Time (on 3 hop route)
No DDoS attack
direct route
DDoS attack
direct route
0.49 ms

No DDoS attack
indirect route
225 ms
DDoS attack
indirect route
0.65 ms
0.65 ms
Table 2: SCOLD FTP/HTTP download Test (from client to target)
No DDoS attack,
Doc FTP
HTTP
direct route
100k
Size 0.11 s 3.8 s
250k 0.28 s 11.3 s
500k 0.65 s 30.8 s
1000k 1.16 s 62.5 s
2000k 2.34 s 121 s
Pfleeger Visit 4/13/2004
DDoS attack,
FTP
HTTP
direct route
8.6 s
9.1 s
19.5 s 13.3 s
39 s
59 s
86 s
106 s
167 s 232 s
16
No DDoS attack,
FTP
HTTP
indirect route
0.14 s 4.6 s
0.31 s 11.6 s
0.66 s 31.1 s
1.15 s 59 s
2.34 s 122 s
with DDoS attack
FTP
HTTP
indirect route
0.14 s 4.6 s
0.31 s 11.6 s
0.67 s 31.1 s
1.15 s 59 s
2.34 s 123 s
UCCS Network/System Security
Secure Collective Defense

Main IdeaExplore secure alternate paths for clients to come in; Utilize geographically
separated proxy servers.

Goal:


Provide secure alternate routes

Hide IP addresses of alternate gateways
Techniques:

Multiple Path (Indirect) Routing

Enhanced Secure DNS extension: how to inform client DNS servers to add new DNS
entries with alternate routes (Not your normal DNS name/IP address mapping entry).

Utilize a consortium of Proxy servers with IDS that hides the IP address of alternate
gateways.

Partition clients to come in at different proxy servers.
 can help identify the origin of spoofed attacks!

How clients use the new multiple path indirect DNS entries and route traffic through
proxy servers?
 Use Sock protocol, modify resolver library
Pfleeger Visit 4/13/2004
17
UCCS Network/System Security
Current SCOLD Project Results




Proposed new DNS entries for intrusion tolerance, containing
multiple proxy servers info for establishing indirect routes.
Modified Bind9 DNS server to accept secure DNS updates and to
serve queries with new indirect DNS entries.
Developed new secure DNS update utility to securely update target
zone file in the new enhanced Bind9 DNS server.
Implemented new secure indirect routing protocol
 to allow client DNS to query target DNS during DDoS attack.
 to allow client to communicate with target server through proxy
server and alternate gateway.
Pfleeger Visit 4/13/2004
18
UCCS Network/System Security
Benefits of Secure Collective Defense



Security
 When attacked, users switch to different routes dynamically
 Urgent/critical packets sent over multiple routes simultaneously
 Encrypted content sent over multiple routes
 Information on DDoS attacks used to isolate source of attacks
Reliability:
 Users can choose most reliable route dynamically
 Packet content spread over multiple routes
 Use redundant transmission or error correction to reduce PLR
Performance:
 Multiple indirect routes provide additional bandwidth
 Can be used for dynamic bandwidth provisioning
Pfleeger Visit 4/13/2004
19
UCCS Network/System Security
Organic Networking





IDC3(data backup)
One possible approach:
Dynamic provisioning of
backup resource
multiple paths (direct and
IDC2(BtoB/C portal) IDC1(inB portal)
indirect routes)
Operation
Operation
Use secure DNS update to
resource
resource
inform the clients
BtoC BtoB Sharing inB inB
Use secure indirect routing for
establishing alternate routes.
VPN-CUG VPN-CUG
The Internet
Coordinate the selection of
VPN
proxy servers for clients.
Critical for supporting wide
area IDC system
Headquarters
Consumer
Pfleeger Visit 4/13/2004
20
enterprise
UCCS Network/System Security
Branch
A2D2: Autonomous Anti DDoS

Main Idea  Integrate enhanced IDS with adaptive firewall
for autonomous intrusion defense.

Goal:


Automate adaptive intrusion handling triggered by
enhanced intrusion detection

Investigate the impact of various intrusion types on QoS
Techniques:

Enhanced Snort Plug-in with subnet spoofing detection

Adaptive rate limiting firewall with user defined threshold
and intrusion history.
Pfleeger Visit 4/13/2004
21
UCCS Network/System Security
Pfleeger Visit 4/13/2004
22
UCCS Network/System Security
A2D2 Multi-Level
Adaptive Rate
Limiting For
Anti-DDos Defense
Pfleeger Visit 4/13/2004
23
UCCS Network/System Security
A2D2 Results – Non-stop Attack

Packets Received: 8,039

Retransmission Request:
2,592
 Retransmission Received:
35
 Lost: 2,557

Connection
Timed-out
QoS Experienced at A2D2 Client
Pfleeger Visit 4/13/2004
24
UCCS Network/System Security
A2D2 Results – UDP Attack
Mitigation: Firewall Policy

Packets Received: 23,407

Retransmission Request: 0
 Retransmission Received: 0
 Lost: 0
QoS Experienced at A2D2 Client
Pfleeger Visit 4/13/2004
25
UCCS Network/System Security
A2D2 Results – ICMP Attack
Mitigation: Firewall Policy

Packets Received: 7,127

Retransmission Request:
2,105
 Retransmission Received:
4
 Lost: 2,101

Connection
Timed-out
QoS Experienced at A2D2 Client
Pfleeger Visit 4/13/2004
26
UCCS Network/System Security
A2D2 Results – ICMP Attack
Mitigation: Firewall Policy & CBQ

Packets Received: 23,438

Retransmission Request: 0
 Retransmission Received: 0
 Lost: 0
QoS Experienced at A2D2 Client
Pfleeger Visit 4/13/2004
27
UCCS Network/System Security
A2D2 Results – TCP Attack
Mitigation: Policy+CBQ

Packets Received: 22,179

Retransmission Request:
4,090
 Retransmission Received:
2,641
 Lost: 1,449

Screen Quality Impact
QoS Experienced at A2D2 Client
Pfleeger Visit 4/13/2004
28
UCCS Network/System Security
A2D2 Results – TCP Attack
Mitigation: Policy+CBQ+Rate

Packets Received: 23,444

Retransmission Request:
49 – 1,376
 Retransmission Received:
40 – 776
 Lost: 9 – 600
QoS Experienced at A2D2 Client
Pfleeger Visit 4/13/2004
29
UCCS Network/System Security
Autonomous Anti-DDoS
 Organic Security System?
Enhanced
IDS
+IDIP Application Layer
Snort
Alerts
Cooperative Traceback
Cooperative Detection
Net Restructuring
Intrusion Pushback
Notification
To IDIP
Discovery
IDIP Discovery Coordinator
Coordinator
Local IDS Response
Multi-Level Adaptive
Rate Limiting
Firewall
Traceback
Msg Sent
(iptables)
Security Policy
Internet
Traffic
IDIP
Neighbor
Class-Based
Queuing
(CBQ)
Multi-Level
Rate Limiting
eth0
eth1
Rates Dependent
on Traffic Type
Firewall
IDIP Neighbor
Pfleeger Visit 4/13/2004
30
UCCS Network/System Security
SGFR: Secure Groupware for First
Responder

Main Idea  design a framework for enhancing security of groupware
packages such as instant messenger and video monitoring/conferencing tool.


Goal:
 Investigate proper interface between group rekeying system and
groupware.
 Develop secure instant messaging system with remote group file download
and remote display.
 Experiment the prototype software on PDA with mobile ad hoc network.
 Integrate with stress level and tool usage effectiveness evaluation
This is a joint project with Dr. Chip Benight of psychology department at UCCS.

Techniques:

Scalable group key management (Keystone from UT Austin)

Efficient groupware (Jabber Instant Messaging System)

Mobile Ad Hoc Network (NIST)
Pfleeger Visit 4/13/2004
31
UCCS Network/System Security
SGFR Features
Psychology Evaluation
Stress Level Tracking
Effectiveness of Tool Usage
(Keyboard/Mouse Event Tracking,
History of Commands, Mistakes,
Popup Quiz?)
Security Enhanced Groupware
Instant messenger
(JabberX)
Group Key Managment
Secure Group
Rekeying system
(Keystone)
Pfleeger Visit 4/13/2004
Group Communication Server
Instant Messaging Server
(Jabber)
32
UCCS Network/System Security
SGFR System Architecture
SGFR
Group Key Server
SGFR Client
SGFR
Instant Messenger
Server
Group key distribution
SGFR Client
SGFR Client
Pfleeger Visit 4/13/2004
33
Registration/authentication
Sign-in create/join chat
groups
Encrypt/Decrypt msgs
using group key
UCCS Network/System Security
SGFR System Operation
JabberX
client
Jabber Server
Control
Manager
Application
Data
Rekey messages
Multicast/
Unicast
Registration
Requests
Rekey messages
Registrar
Pfleeger Visit 4/13/2004
JabberX
Client
Data
Broadcast
JabberX
Client
Key
Server
34
UCCS Network/System Security
Associate JabberX client with
Keyserver and Jabber server






Users login to the Jabber server
If login successful, the client registers with the
Keyserver by presenting digital certificate.
When a user creates/joins a group, the Keyserver
issues a group key to the client.
When a user leaves the group, the Keyserver
generates a new group key for the remaining members
of the group.
Group key can be refreshed periodically.
Group key are used to encrypt data and authenticate the
group.
Pfleeger Visit 4/13/2004
35
UCCS Network/System Security
First group key
assigned to group
Second group key
assigned to group
When a member
joined
Output of the Keystone Server
Pfleeger Visit 4/13/2004
User ganesh joining group g1
User ayen joining group g1
36
UCCS Network/System Security
Packet captured by Ethereal Packet Sniffer
Encrypted “Hello”
Surrounded by <body>tag
Output of the Jabber server running on a machine
Pfleeger Visit 4/13/2004
37
UCCS Network/System Security
Testing Results
IBM Thinkpad Intel Pentium III 800MHz Server; IPAQ PDA StrongArm200MHz; Linux 2.4
Kernel; 802.11b Ad hoc Mode with NIST driver
Table 1 time taken for client registration group join, group leave
Runs
Client Registration Time
(ms)
Group Join Time (ms)
Group Leave Time (ms)
1
279.62
233.46
135.54
2
249.28
652.74
126.78
3
253.93
706.04
769.08
4
259.46
118.15
434.12
Avg/Run
260.57
427.59
366.38
Table 2 time taken for file transfer
Pfleeger Visit 4/13/2004
File size
Time Taken (ms)
8.5K
35302.47
25K
105986.05
60K
305934.53
195K
1007949.38
38
UCCS Network/System Security
Conclusion


A secure group communication software package SGFR v.0 was
developed.
 Use Digital Certificate to authenticate client access.
 Group keys are distributed when members join/leave or based
on some time period.
 Group key is used to encrypted the messages.
 Enhanced Jabber-based text chat with remote file download and
remote display.
 Lesson1: Fire fighters do not like stylus input and they carry
heavy load!!
 Lesson2: Fire fighter don’t care security; Police do!!
Ported the SGFR v.0 to run on handheld devices include iPAQ PDA
running Linux and Sony PalmTop with 802.11b mobile ad hoc
network.
Pfleeger Visit 4/13/2004
39
UCCS Network/System Security
Secure Wireless Access Control

Goal:
 Compare performance of two proposed wireless
authentication protocols, PEAP vs. TTLS.
 Develop a PEAP module for freeRadius server on
Linux.

Techniques/Tools used:

Xsupplicant, Window XP

freeRadius, Win 2003 server

OpenSSL
Pfleeger Visit 4/13/2004
40
UCCS Network/System Security
UCCS Secure Wireless Access Testbed
RADIUS
Client
Pfleeger Visit 4/13/2004
41
UCCS Network/System Security
Client/Server Machine Configurations
Machine Spec
IP Address
OS
Software
wiper.uccs.edu
1.8 Ghz, 1 GB RAM
RADIUS Server and
DHCP server
128.192.61.132
RedHat 9.0
Running Linux
2.2.20-19.9
kernel
FreeRadius
Modified
CVS snapshot
radiusd09.03.03.tar.gz
willow.uccs.edu
Access Point
Cisco Aironet 1200
128.192.61.130
RedHat 9.0
Running Linux
2.2.20-19.9
kernel
Cisco 1200 series
Software
Toshiba – 366 Mhz,
512 MB
Wireless Client
Using Cisco Aironet
350 PC Card
Dynamic IP
address
128.192.61.144
to
128.98.61.152
RedHat 6.2
running Linux
2.2.20-19.9
kernel
Open1x
Xsupplicant
Version 9.0
Hobbit – 1 Ghz Dell
Optiplex, 512 MB
Wireless Client
Using Cisco Aironet
350 PCI Card
Dynamic IP
address
128.192.61.144
to
128.98.61.152
Windows XP-SP1
And RedHat 9.0
Running Linux
2.2.20.9 kernel
Open1x
Xsupplicant for
Linux and built in
Service Pack for
XP
Pfleeger Visit 4/13/2004
42
UCCS Network/System Security
PEAP vs. TTLS
on Toshiba machine
Time in msec
PEAP vs TTLS
[Toshiba - 366.604mhz]
1500
1400
1300
1200
1100
1000
900
800
700
600
500
TTLS
PEAP
1
2
3
4
5
6
7
8
9
10 11 12 13 14 15
No. of Runs
Average
Pfleeger Visit 4/13/2004
Variance
43
PEAP
TTLS
1046
949
8142
UCCS Network/System Security
12060
PEAP vs. TTLS
Average Performance
PEAP-TTLS Average Performances over varying Distances
1500
Average-Time/ msec
1400
1300
1200
PEAP
TTLS
1100
1000
900
800
DIST1
DIST2
DIST3
DIST4
DIST5
Distance Range
Pfleeger Visit 4/13/2004
44
UCCS Network/System Security
Conclusion

Developed a Radius Server on Linux that supports both PEAP and TTLS.

PEAP is relatively more influenced by Client’s processor speeds, distance
range and network transient nature as compared to TTLS.

Although the higher performance shown by TTLS over PEAP is negligible,
it is worth noting that TTLS was outperforming PEAP on an average by
10% in all the tests.

The enhanced Radius Server can serve both Windows and Linux clients.
Pfleeger Visit 4/13/2004
45
UCCS Network/System Security
First Responder Sensor Network
Goal: How wireless sensor network can assist first
responders.
Status:
Created a wireless sensor testbed with Crossbow
Professional Mote Kits and Intel stargate gateway
devices.
Current Tasks:
 Investigate how to deploy sensor networks (preplanned/dynamically deployed).
 Develop algorithms for tracking first responders using
wireless sensors.
 Security in SMANET+FRSN.
Pfleeger Visit 4/13/2004
46
UCCS Network/System Security
Scenario 1:
Preplanned Wireless Sensors


Building is surveyed and deployed with wireless sensors and include floor plan info
in the gateway device.
When there is fire, first responders can tap into the secure wireless sensor network
to find the condition of the building and over with the floor plan picture.
Pfleeger Visit 4/13/2004
47
UCCS Network/System Security
Scenario 2:
Dynamically Deploy Sensors

Fire Fighter drops the wireless sensors along the route in.
 If sensors detects temperature increase or location movement!!, they relay the
date through multiple hop wireless sensor network to both the team inside and
the team outside.
Pfleeger Visit 4/13/2004
48
UCCS Network/System Security
Secure Access to Sensor Network




Terrorist may access the sensors and information on the
gateway.
Need authentication for secure access.
Need encryption for avoid sniffing by terrorist.
Need redundancy for fault tolerance and verifying the
sensor results.
Pfleeger Visit 4/13/2004
49
UCCS Network/System Security
Improving System Performance by
QoS Regulations with Adaptive
Resource Management under Cyber
Threats
Xiaobo Joe Zhou
Pfleeger Visit 4/13/2004
50
UCCS Network/System Security
Information Fusion

Project Goal:
 Intelligence/information fusion among multiple
agencies. Starting with federal/state/city agencies
extend it to including those from Canada, the United
States, and Mexico.
 How to exchange, verify, correlate intelligence
information for decision support,
 How to allocate resources and coordinate sensors in
different agencies for a set of tasks with different
priority
Pfleeger Visit 4/13/2004
51
UCCS Network/System Security
Related Works


Multilayered Video
 Deliver Multimedia Streams with Flexible QoS via a Multicast
DAG, Jiong Yang, UIUC, ICDCS 03
 Source-adaptive multilayered multicast algorithms for realtime video distribution, Brett Vickers, IEEE/ACM
Transactions on Networking 2000
 An End-to-End Adaptation Protocol for Layered Video
Multicast Using Optimal Rate Allocation, Ya-Qin Zhang,
IEEE Transaction on Multimedia 2004
QoS and multipath
 Admission Control and Dynamic Adaptation for a
Proportional-Delay DiffServ-Enabled Web Server, Sam C. M.
Lee, John C. S. Lui, David K. Y. Yau, SIGMETRICS 2002
 Parallel Access For Mirror Sites in the Internet, Pablo
Rodriguez, et al., Infocom 1999
Pfleeger Visit 4/13/2004
52
UCCS Network/System Security
Research Direction



Data Fusion Operations
 Artificial Neural Network for merging results from multiple
classifiers
 Negotiation/Coordination Protocol [Idian, CIDF, IDMEF, IDIP]
 Specific test cases: distributed intrusion detection,
compromised node detection, tracking with sensors.
Data transmission in data fusion
 Techniques for guaranteeing the quality of service for the
prioritized sensor information fusion/delivery
 Multilayered video encoding and distribution  multilayered
information data classification and transportation
 Feedback control mechanism
Comment? Other important research topics/directions?
Pfleeger Visit 4/13/2004
53
UCCS Network/System Security
Secure Information Sharing

Project Goal:
 Secure Intelligence/information sharing among
multiple agencies/organizations
 How to exchange, verify information and provide
security and non repudiation
 How to share information between different agencies
and protect against misuse of authority during
information sharing
Pfleeger Visit 4/13/2004
54
UCCS Network/System Security
Related Works

NIST standard on Role Based Access Control
 An Internet Attribute Certificate Profile for
Authorization – RFC 3281
 IETF Working Group on Public Key Infrastructure
(X.509)
 Privilege and Role Management Infrastructure
Standards Validation
http://www.permis.org/
 Akenti Distributed Access Control
http://www-itg.lbl.gov/
Pfleeger Visit 4/13/2004
55
UCCS Network/System Security
Research Direction



Data Sharing Operations
 Access control mechanism for sharing information
 Mandatory, Discretionary, and Role Based Access Control
Mechanisms
 Specific test cases: File Distribution, Directory Access
Control, secure instant messaging for group communications
Attribute Certificate profile for Authorization
 Provide non repudiation and Role Based Access Control
 Easy to Manage than certificates -- Short life span than
certificates
 Provide resource access for short duration; tighter control,
misuse avoidance, and increased responsibility
Comment? Other important research topics/directions?
Pfleeger Visit 4/13/2004
56
UCCS Network/System Security
Summary



We have innovated ideas on intrusion tolerance
We have developed expertise in
 Secure DNS system Organic Networking?
 Secure multiple path indirect routing Organic Networking?
 Autonomous security system with Enhanced IDS+Firewall
Organic Security?
 Secure wireless access and MANET
 Group key management
 Secure groupware
 Wireless sensor network for first responders
 Content switching
 Network restoration
 QoS (proportional differential services)
Developing expertise in information fusion/sharing.
Pfleeger Visit 4/13/2004
57
UCCS Network/System Security