
2006 IEEE Information Assurance Workshop: Latest Papers

Compound Identity Measure: A New Concept for Information Assurance
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652089
A.R. Choudhary
In this paper we have presented a new concept: the compound identity measure. In essence, the compound identity combines the user identity with the contextual information under which the user acts. The measure of the compound identity is a weighted combination of the user-related entities and the context-related entities. This numeric measure is a variable depending upon what entities are included and with what relative weightings. This variability can be a function of the real-time SA/COP data, thus allowing it to dynamically respond to operational events in near real time. We have defined the concept, described the detailed methods to evaluate the concept into a measure, pointed out the enabling technologies, and illustrated the scheme with an example. We have also pointed out how to use the compound identity measure in a policy-based decision engine, and various areas of its application. The concept is currently being prototyped in our laboratory to support VoIP capabilities in IPv6 networks.
Citations: 6
Developing a Threat Model for Enterprise Storage Area Networks
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652070
C. DeCusatis
The need for improved security has been widely recognized in the information technology industry, particularly for enterprise storage area networks (SANs). However, until recently there has been relatively little development of threat models which specifically address the unique requirements of these networks. In this paper, we present a method for quantifying risk, justifying security upgrade costs, and proactively assessing threats to an enterprise-class SAN. The threat model suggests that a centralized approach to security management based on the host processor may be more effective than a distributed approach based on the edge of the network. Examples of enterprise server security features developed to address these threats are discussed, along with performance results on host-based encryption and a roadmap for future security enhancements.
Citations: 1
Towards High Level Attack Scenario Graph through Honeynet Data Correlation Analysis
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652098
Jianwei Zhuge, Xinhui Han, Yu Chen, Zhiyuan Ye, Wei Zou
Honeynet data analysis has become a core requirement of honeynet technology. However, current honeynet data analysis mechanisms are still unable to provide security analysts enough capacity to comprehend the captured data quickly; in particular, there is no work done on behavior-level correlation analysis. Towards providing high-level attack scenario graphs, in this paper we propose a honeynet data correlation analysis model and method. Based on a network attack and defense knowledge base and network environment perceiving mechanism, our proposed honeynet data correlation analysis method can recognize the attacker's plan from a large volume of captured data and consequently reconstruct attack scenarios. Two proof-of-concept experiments on the Scan of the Month 27 dataset and in-the-wild botnet scenarios are presented to show the effectiveness of our method.
Citations: 3
Creating a Balanced Scorecard for Computer Security
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652071
L. DeLooze
Information assurance includes the monitoring and controlling of the various aspects of an organization's computer security systems. This paper outlines various approaches to define the measures or metrics that can be used to reliably describe the organization's current IA posture and introduces the use of the balanced scorecard for computer security. The balanced scorecard is most commonly used to monitor and control business elements by looking at them from four important perspectives: customer, financial, internal processes, and innovation and growth. This paper proposes a comparable approach for managing computer security by looking at security mechanisms from the perspectives of the users, owners, regulators, and system administrators.
Citations: 5
A Dynamic Filtering Technique for Sebek System Monitoring
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652106
E. Balas, G. Travis, C. Viecco
In this paper we investigate the performance limits of system call based monitoring tools using the Linux version of Sebek as a focal point. We quantify the amount of uninteresting data that it collects and illustrate the problems that this creates: detection of Sebek, amount of work to analyze data, and data privacy. To mitigate these problems we propose a dynamic filtering technique. Finally we evaluate the performance of an implementation of this technique.
Citations: 4
PalProtect: A Collaborative Security Approach to Comment Spam
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652092
Benny Wong, M. Locasto, A. Keromytis
Collaborative security is a promising solution to many types of security problems. Organizations and individuals often have a limited amount of resources to detect and respond to the threat of automated attacks. Enabling them to take advantage of the resources of their peers by sharing information related to such threats is a major step towards automating defense systems. In particular, comment spam posted on blogs as a way for attackers to do search engine optimization (SEO) is a major annoyance. Many measures have been proposed to thwart such spam, but all such measures are currently enacted and operate within one administrative domain. We propose and implement a system for cross-domain information sharing to improve the quality and speed of defense against such spam.
Citations: 5
Attack Characterization and Intrusion Detection using an Ensemble of Self-Organizing Maps
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652084
L. DeLooze
Self-organized maps (SOM) use an unsupervised learning technique to independently organize a set of input patterns into various classes. In this paper, we use an ensemble of SOMs to identify computer attacks and characterize them appropriately using the major classes of computer attacks (denial of service, probe, user-to-root and remote-to-local). The procedure produces a set of confidence levels for each connection as a way to describe the connection's behavior.
Citations: 19
File Type Identification of Data Fragments by Their Binary Structure
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652088
Martin Karresand, N. Shahmehri
Rapidly gaining information superiority is vital when fighting an enemy, but current computer forensics tools, which require file headers or a working file system to function, do not enable us to quickly map out the contents of corrupted hard disks or other fragmented storage media found at crime scenes. The lack of proper tools slows down the hunt for information, which would otherwise help in gaining the upper hand against IT based perpetrators. To address this problem, this paper presents an algorithm which allows categorization of data fragments based solely on their structure, without the need for any metadata. The algorithm is based on measuring the rate of change of the byte contents of digital media and extends the byte frequency distribution based Oscar method presented in an earlier paper. The evaluation of the new method shows a detection rate of 99.2%, without generating any false positives, when used to scan for JPEG data. The slowest implementation of the algorithm scans a 72.2 MB file in approximately 2.5 seconds and scales linearly.
Citations: 115
Foundations for Visual Forensic Analysis
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652095
Sheldon Teerlink, R. Erbacher
Computer forensics is the preservation, analysis, and interpretation of computer data. It is a crucial tool in the arsenal of law enforcement investigators, national security analysts, and corporate computer emergency response teams. There is a need for software that aids investigators in locating data on hard drives left by persons committing illegal activities. Analysts use forensic techniques to analyze insider attacks on organizations and recover data hidden or deleted by disgruntled employees or attackers. Advanced software tools are needed to reduce the tedious efforts of forensic examiners, especially when searching large hard drives. This paper discusses the background, algorithms, fundamentals, and techniques intrinsic to the visual analysis of typical computer forensic data. In terms of the visualization technique itself we discuss a visualization technique to represent file statistics such as file size, last access date, creation date, last modification date, owner, number of i-nodes for fragmentation, and file type. The user interface to this software allows file searching, pattern matching, and the display of file contents.
Citations: 14
Aspects of Personal Information Theory
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652090
S. Al-Fedaghi
This paper demonstrates that there exists a ground for building personal information theory through the exploration of several notions such as personal information privacy, security, sharing, and mining. It introduces a methodology for developing a conceptualization of these notions in the personal information context. To illustrate unique techniques that can be applied only to personal information, we develop a general model for sharing personal information. A protection strategy, based on separating non-personal information from its proprietors, is introduced and applied to personal information.
Citations: 17