Fourth IEEE International Workshop on Information Assurance (IWIA'06): Latest Papers

An intelligent detection and response strategy to false positives and network attacks
Pub Date : 2006-05-23 DOI: 10.1007/11760146_101
E. Hooper
Citations: 14

Jamming commercial satellite communications during wartime an empirical study
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.15
H. Rausch
Satellite communications parameters - carrier to noise ratio, bandwidth, power, and frequency - were recorded for approximately 500 satellite communication carriers continuously, over a period of 16 months. These carriers support communications for military operations in the current Iraq war. Communications outages during this period were logged and the reason for outage was determined. Some outages caused by electromagnetic interference are shown to have characteristics that would be expected if these carriers were being subjected to a hostile denial of service attack.
Citations: 19

An application of information theory to intrusion detection
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.3
E. Eiland, L. Liebrock
Zero-day attacks, new (anomalous) attacks exploiting previously unknown system vulnerabilities, are a serious threat. Defending against them is no easy task, however. Having identified "degree of system knowledge" as one difference between legitimate and illegitimate users, theorists have drawn on information theory as a basis for intrusion detection. In particular, Kolmogorov complexity (K) has been used successfully. In this work, we consider information distance (Observed_K - Expected_K) as a method of detecting system scans. Observed_K is computed directly, Expected_K is taken from compression tests shared herein. Results are encouraging. Observed scan traffic has an information distance at least an order of magnitude greater than the threshold value we determined for normal Internet traffic. With 320 KB packet blocks, separation between distributions appears to exceed 4sigma.
Citations: 30

Present and future challenges concerning DoS-attacks against PSAPs in VoIP networks
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.19
N. Aschenbruck, M. Frank, P. Martini, J. Tölle, Roland Legat, Heinz-Dieter Richmann
Nowadays, voice over IP (VoIP) telephony networks are connected to classic public switched telephony networks (PSTNs). Emergency calls from VoIP peers to PSTN public service answering points (PSAPs) are possible. Through the connection of IP networks and PSTNs the PSAP may be a victim of new, more powerful denial of service (DoS) attacks. This paper describes the present and future architecture of a PSAP. Based on measurements at a PSAP the challenge of attack detection at the PSAP is revealed. Furthermore, first solutions are pointed out and evaluated.
Citations: 13

The LAIDS/LIDS framework for systematic IPS design
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.21
S. Chung, A. Mok
The recent outbreaks of extremely fast spreading worms highlight the inadequacy of the current patching approach. Intrusion prevention systems (IPSs) that automatically generate and apply protection to client systems have been proposed as a solution. Despite all the effort in this area, the design of IPSs remains a difficult, ad hoc process. In this paper, we propose the LAIDS/LIDS framework for systematic design of IPS. A major advantage of our framework is that IPSs designed in this framework have a very simple countermeasure-generation process. To better illustrate our idea, we have implemented a prototype IPS, the Lazy Shepherding IPS, based on our framework. Evaluation shows that the prototype is effective against all tested attacks, and incurs an overhead of less than 3% when it is configured to defend against a large number of attacks. Our prototype also avoids a lot of practical problems faced by many other IPSs.
Citations: 1

HonIDS: enhancing honeypot system with intrusion detection models
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.14
Yong Tang, Huaping Hu, Xicheng Lu, Jie Wang
Honeypots are highly valued for their detective function. However, suitable detection models use in honeypot system have not been fully explored. We present HonIDS, a honeypot system for detecting malicious hosts and intruders in local network. HonIDS is characterized by its layered structure and is enhanced by two detection models: TFRPP (times, frequency, range, port risk, average payload length) model and Bayes model. The basic idea of these models is that although it is hard to directly judge whether one interaction with the honeypots is an attack or malicious activity, it is possible to identify intruders by analyzing the plentiful and global events of honeypots in a given period of time. The TFRPP model gives the honeypot system the ability to assess different risks, by assigning dubiety scores to the hosts who visited honeypots. The Bayes detection model can detect some main types of attacks by classification. The results of our evaluation experiments indicate that TFRPP model and Bayes model are effective and suitable for honeypot system.
Citations: 14

Factoring high level information flow specifications into low level access controls
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.8
Kevin Kahley, M. Radhakrishnan, Jon A. Solworth
Low level access controls must provide efficient mechanisms for allowing or denying operations and hence are typically based on the access matrix. However, when combining the goals of efficiency along with the support for least privilege and higher level authorization properties (such as information flow confidentiality), the resulting access controls become tedious to encode. Compositional high level specifications can be much more succinct. When combined with administrative controls, they can be robust in changing what is authorized in a controlled manner. Such specifications offer the promise of being easier to configure and understand, and in fact can be automatically analyzed for authorization properties. However, there remains the issue of how to generate the low level access control configuration from the high level specification. In this paper, we describe a factoring algorithm to algorithmically translate a high level specification of information flow authorization properties into low level access controls. In addition, several optimizations are given which dramatically reduce the size of the access control configuration generated.
Citations: 2

Designing a secure point-of-sale system
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.6
A. Pedersen, Anders Hedegaard, Robin Sharp
This paper describes some experiences with using the Common Criteria for Information Security Evaluation as the basis for a design methodology when designing secure systems. As an example, the design process for a point-of-sale (POS) system is described.
Citations: 4

High robustness requirements in a Common Criteria protection profile
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.13
Thuy D. Nguyen, T. Levin, C. Irvine
The development of a Common Criteria Protection Profile for high robustness separation kernels requires explicit modifications of several common criteria requirements as well as extrapolation from existing (e.g., medium robustness) guidance and decisions. The draft U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness (SKPP) is intended to be applicable to a class of products (the target of evaluation, or TOE) that includes, but is not limited to, real time and embedded systems. This paper describes certain SKPP concepts and requirements and provides underlying motivations and rationale for their inclusion in the SKPP. Primary areas of focus are the security requirements regarding information flow, dynamic configuration, and the application of the principle of least privilege to restrict actions of active entities.
Citations: 11

A remote IT security evaluation scheme: a proactive approach to risk management
Pub Date : 2006-04-13 DOI: 10.1109/IWIA.2006.1
Suleyman Kondakci
We present a new model to conduct security evaluation of remote assets with dedicated profiles. An alternative approach to risk management in information assurance (IA) and a related protocol for remote evaluation of information assets is presented here. Application of this protocol ensures long-term risk management, hence efficient proactive lifecycle protection of critical information systems. Due to its generic and interoperable structure based on the modern Web technologies, the protocol can be applied to risk assessment and evaluation of a multitude type of systems. The protocol consists of a secure communication architecture associated with each asset a security profile, and software services and agents that communicate over the Internet and other open networks. The secure communication architecture uses a secure exchange protocol incorporating the fast elliptic curve cryptography. Interoperable, continuous, inexpensive, time- and location-neutral, and minimum resource usage are some of its advantages. With this new notion, we also aim at inspiring developers and researchers to develop value-added security evaluation tools, techniques and procedures.
Citations: 8