Anyi Liu

A fragile watermarking scheme for detecting malicious modifications of database relations

Nowadays, with more and more data publicly available on the Internet, it is increasingly important to ensure the integrity of these data. The traditional solution is to use a digital signature scheme. However, a digital signature can only detect whether the entire data set has been modified; it cannot localize and characterize the modifications. In this paper, a novel fragile watermarking scheme is proposed to detect malicious modifications of database relations. In the proposed scheme, all tuples in a database relation are first securely divided into groups; watermarks are embedded and verified group by group independently. The embedded watermarks cannot only detect but also localize, and even characterize, the modifications made to the database. In the worst case, the modifications can be narrowed down to tuples in a group. Rigorous analysis shows that the modifications can be detected and localized with high probability, which is also demonstrated by our experimental results.

An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts

To defend against a multi-step network intrusion, its progress needs to be monitored and predicted in real-time. For this purpose, isolated alerts must be correlated into attack scenarios as soon as the alerts arrive. Such efficient correlation of alerts demands an in-memory index to be built on received alerts. However, the finite memory implies that only a limited number of alerts inside a sliding window can be considered for correlation. Knowing this fact, an attacker can prevent two attack steps from both falling into the sliding window by either passively delaying the second step or actively invoking bogus alerts between the two steps. In either case, the correlation effort is defeated. In this paper, we first address the above issue with a novel queue graph (QG) approach. Instead of explicitly correlating a new alert to all the old ones that prepare for it, the approach only correlates the new alert to the latest copy of each type of alerts. The correlation with other alerts is kept implicit using the temporal order between alerts. Consequently, the approach has a quadratic (in the number of alert types) memory requirement, and it can correlate two alerts that are arbitrarily far away (namely, an infinitely large sliding window with a quadratic memory requirement). Our second contribution is a unified method based on the QG approach that can correlate received alerts, hypothesize missing alerts, and predict future alerts all at the same time. Empirical results show that our method can fulfill those tasks faster than an IDS can report alerts. The method is thus a promising solution for administrators to monitor and predict the progress of an intrusion, and thus to take appropriate countermeasures in a timely manner.

Attacker behavior analysis in multi-stage attack detection system

Today’s internet world is facing attacks from different types of attackers who launch is multistage attack. Besides discovering, visualizing, and predicting multi-stage attacks, a method to understand and profile behaviors of attackers is important to protect network security. We use the Hidden Markov Model (HMM) to analyze and predict the attacker behavior based on what was learned from observed alerts and intrusions. We use data mining to process alerts to generate input for the HMM to calculate the required probability distribution. Our system is able to stream real-time Snort alerts and predict intrusions based on our learned rules. Our system is able to automatically discover patterns in multistage attack, classify attackers based on their behavior pattern. By doing this, our system can effectively predict behavior and attackers and assess danger level of different groups of attackers.

Real-Time Detection of Covert Channels in Highly Virtualized Environments

Despite extensive research, covert channels are a principal threat to information security. Covert channels employ specially-crafted content or timing characteristics to transmit internal information to external attackers. Most techniques for detecting covert channels model legitimate network traffic. However, such an approach may not be applicable in dynamic virtualized environments because traffic for modeling normal activities may not be available.

Real-Time Covert Timing Channel Detection in Networked Virtual Environments

Despite extensive research on malware and Trojan horses, covert channels are still among the top computer security threats. These attacks, which are launched using specially-crafted content or by manipulating timing characteristics, transmit sensitive information to adversaries while remaining undetected. Current detection approaches typically analyze deviations from legitimate network traffic statistics. These approaches, however, are not applicable to highly dynamic, noisy environments, such as cloud computing environments, because they rely heavily on historical traffic and tedious model training. To address these challenges, we present a real-time, wavelet-based approach for detecting covert timing channels. The novelty of the approach comes from leveraging a secure virtual machine to mimic a vulnerable virtual machine. A key advantage is that the detection approach does not require historical traffic data. Experimental results demonstrate that the approach exhibits good overall performance, including a high detection rate and a low false positive rate.

Teaching mobile computing and mobile security

Due to the popularity of mobile devices, it is important to teach mobile computing and security to students in colleges and universities. This paper describes eight course modules on mobile computing and security we developed that could be integrated into a computer science curriculum. These course modules were presented at a faculty workshop. Workshop evaluation includes a survey questionnaire and reflective narratives from participants. The workshop evaluation results are discussed in this paper. The course modules can be adopted by instructors teaching mobile application development, cyber security or other related courses.