Information Assurance and Security
Eugene Spafford
Professor
Department of Computer Sciences
Purdue University
Outline
▪ Security at Purdue, COAST/CERIAS
▪ Resources, Sponsors
▪ Ongoing Research Projects
▪ Proposed QoS Research
Information Security At Purdue
▪ Information Security started in 1979
▪ Many courses offered (grad, undergrad)
▪ COAST (1992-97)
▪ CERIAS (1998)
• University-wide
• Multidisciplinary
Center Resources
▪ 32 Sun Workstations
▪ 2 Sun Enterprise Servers
▪ 9 MacOS Platforms
▪ FORE ATM cloud
• 40 host adapters
• 2 BX200
• 4 FORErunners
▪ 3 486/586 PCs w/Win 95
▪ 4 Pentium Pro BSDI/Linux
▪ 12 Pentium II WinNT
▪ 5 HP Printers
▪ 2 Tektronix Color Printers
▪ 3 Cisco Routers
• 7507 Enterprise router
▪ 3 Sunscreen firewalls
▪ 2 PrivateNet firewalls
▪ 1 Firewall-1 firewall
▪ 2 Pentium laptops
Assorted other dedicated hardware & software
On-Going Projects–Brief Synopses
▪ Intrusion Detection
• AAFID agent-based system
• Characterizing Misuse
▪ Audit Analysis
• Audit content
• Audit representation & compression
▪ Firewalls and Network Protection
• Firewall evaluation lab
• Firewall structure
▪ Vulnerability Testing
On-Going Projects (1)
▪ Vulnerability Database
• Data Mining
• Taxonomical Work
• Software Testing
▪ Archive Development
• Organization and Protection
• Archival document entry
▪ Secure outsourcing
▪ Watermarking
On-Going Projects (2)
▪ ATM Security
▪ Network vulnerability analysis
▪ Database & Multimedia security
▪ Use of information-based terrorism
▪ Attack traceback analysis
▪ Privacy ethics & protections
▪ Best practices survey
Current Sponsors
▪ Founding Sponsors
• Lilly Endowment
▪ Tier I Sponsors
• Andersen Consulting
• AT&T Labs/GeoPlex
• Cisco Systems
• GE Laboratories
• Global Integrity Corp.
• Hewlett-Packard Corp.
• Intel Corporation
• Microsoft
• MITRE
• Schlumberger
• Sun Microsystems
• Trident Data Systems
• Tripwire Security Systems
• TRW
▪ Tier II Sponsors
• Axent
▪ Other Donors
• Addison-Wesley
• INITA
• L3 Communications
• O’Reilly & Associates
• RiskWatch
• Tektronix
Potential Sponsors
▪ Boeing
▪ Citicorp
▪ Compaq
▪ Department of Energy/LANL/Sandia
▪ Motorola
▪ NIST
▪ Swiss Bank Corporation
Security QoS
▪ Security services
• E.g., audit, intrusion detection, …
▪ Many levels of service
• Multiple “alarm levels” in an ID system
• Multiple levels of audit
▪ Costly in terms of network & storage resources
• Low (high) security levels cause small (large) footprints
• Impact on system usability/availability
– E.g., firewall blocks UDP packets
▪ Security requirements differ across the network
Research Issues in Security QoS
▪ How does user …
• … specify security QoS?
• … negotiate security QoS?
▪ What granularity (host? subnet?)
• Varies with security service considered
▪ Connections with DB QoS and network QoS
• Compete for same resources
• Benefit from same techniques
▪ … and many more in the following examples
• Intrusion detection
• Audit trail service
• Profiling service
• Secure multimedia document service
Intrusion Detection Service (1)
▪ Experimental testbed: Existing AAFID prototype
▪ Already supports multiple levels of security
Intrusion Detection Service (2)
▪ More research questions
• How to handle levels of security that vary across a network
• The interface between security-level regions
– Where “low” meets “high”
• What network QoS requirements should the AAFID agents make?
– Different types of agents
• What network QoS requirements should AAFID monitors make?
• What DB QoS requirements should the AAFID entities make on the audit trail DB?
QoS Tradeoffs
▪ Footprint on network vs. level of security
• Economic model
• Cost-benefit analyses
• Characterize “best” operating points
▪ Similar tradeoff for which security services to provide
• Same research issues as above
▪ Functionality vs. security
Audit Service
▪ Gives ability to know “what happened”
▪ Various levels of audit
• From “store all events” to “store nothing”
• Quality of audit required affects resources, hence system usability and availability
▪ Requirements can vary
• From application to application
• From host to host
• From subnet to subnet
▪ DB techniques for audit data
• Audit data is massive (compression issues)
• Special nature of data and how it is used (“ephemeral records”)
• Special queries (searching for attack patterns)
User Profiling Service
▪ Profile of user
• For active email (IBM Almaden), active DB
• For statistical ID (IDES, NIDES and related systems)
▪ Levels of quality (of profile)
• Extensive and accurate implies a higher expense
▪ Quality requirements are highly variable
• E.g., active DB can do with lower quality profile than MD system
▪ Profiling technology
• Similar to statistical approach to intrusion detection
– Notion of “normal” user (or network, or DB) behavior
– Difficult! (Curse of dimensionality, dependence, …)
• User profile is itself stored in special DB
– How fast should profile evolve? (Drawbacks to both extremes)
Other Security Services
▪ Scanning
• Related to ID but intense & limited in time (ID is continuous)
▪ Multimedia document services
• Timestamping, tamper-resistance, watermarking, …
▪ Cryptographic protocol support
▪ PKI
▪ … etc
▪ Each service has its own QoS requirements/tradeoffs
Other Contributions
▪ CERIAS Outreach
• Technology transfer to sponsors
• Workshops and Conferences
• Continuing Ed offerings
▪ CERIAS K-12
• Full-time coordinator
• Working with State Education Dept.
▪ CERIAS Archive Delivery
• Full-time Webmaster
• Major archive & dissemination

Purdue CERIAS Research in Information Security and QoS


Editor's Notes

  1. May 5, 1999