Brett C. Tjaden

Detecting network intrusions via a statistical analysis of network packet characteristics

With the growing threat of abuse of network resources, it becomes increasingly important to be able to detect malformed packets on a network and estimate the damage they fan cause. In this paper, we collect and analyze all of the IP and TCP packets seen on a network that either violate existing standards or should not appear in modern internets. Our goal is to determine what these suspicions packets mean and evaluate what proportion of such packets can cause actual damage. Thus, we divide unusual packets obtained during our experiments into several categories depending on the severity of their consequences, including indirect consequences as a result of information gathering, and show the results. The traces analyzed were gathered at Ohio Universitys main Internet link, providing a massive amount of statistical data.

Accommodating QoS Prediction in an Adaptive Resource Management Framework

Resource management for dynamic, distributed real-time systems requires handling of unknown arrival rates for data and events; additional desiderata include: accommodation of heterogeneous resources, high resource utilization, and guarantees of real-time quality-of-service (QoS). This paper describes the techniques employed by a resource manager that addresses these issues. The specific contributions of this paper are: QoS monitoring and resource usage profiling; prediction of real-time QoS (via interpolation and extrapolation of execution times) for heterogeneous resource platforms and dynamic real-time environments; and resource contention analysis.

Identifying a Shared Mental Model Among Incident Responders

Typically, there is a direct correlation between the time to resolve an incident and the damage sustained by an organization, with faster resolution of the incident resulting in less damage to the organization. Therefore, improving coordination between organizations experiencing the same or related incidents allows faster resolution and hence less damage to each organization. Coordination, however, means more than simply communicating during an incident - effective communication is critical. In this paper we explore how effective communication might be improved by the development of a mental model internalized by the groups technical staff prior to an incident. In this paper, we present the results of an exercise we conducted to determine whether an ad-hoc group of incident responders share a schema for decision making, and, if not, what some of the decision criteria (questions) and types of values (answers) might be that would allow the creation of a shared mental model for incident response.

Training students to administer and defend computer networks and systems

The security of computer systems, networks, and the Internet is becoming more critical by the day. Attacks on corporations, banks, schools, and government and international agencies are becoming more and more frequent, and the amount of damage that results is also rising rapidly. Despite these facts, few educational institutions offer courses that teach students the practical knowledge and skills needed to administer and defend computer networks and systems. We describe a semester-long Secure Operations course, which offers a unique laboratory experience that makes each student fully responsible for the configuration, administration, defense, and secure operation of his/her own Internet-based server on a 24/7 basis for the entire semester.

Monitoring network QoS in a dynamic real-time system

This paper presents our design and tests of a realtime network monitoring program for DeSiDeRaTa, an existing resource management system. This monitor will assist DeSiDeRaTa in maintaining an acceptable Quality of Service (QoS) for groups of real-time applications by reporting the communication delays caused by inadequate network bandwidth. The network monitoring application we developed uses SNMP and network topology information gleaned from the DeSiDeRaTa application specification files. Network bandwidth utilization of each real-time communication path is computed, and experiments have been run to demonstrate the accuracy of these measurements.

A worldwide, web-based study of the attitudes of college freshmen toward computing

We propose to initiate a worldwide survey of colleges and universities to re-evaluate attitudes of students toward computing courses. In 1985, a study of college freshmen was conducted to determine their attitudes toward introductory computer science courses [10]. At that time, access to and experience with computers was not the norm for the typical student about to enter the university. The 1985 study found that females, as well as students with no computer experience, reported the most negative encounters with computing. We intend to expand the original study, delving into whether or not the programming language learned, compiler and operating system used, peer and parental attitudes, as well as other factors, influence a students attitude toward computing. We are particularly interested in examining these attitudes from the standpoint of women and minorities, those who are still least likely to have prior, in-depth computer experience. Additionally, with the ease of communication due to email and the internet, we believe it is of interest to computing educators worldwide to participate in such a study. We will provide a survey instrument, a set of World Wide Web tools, and a database. Faculty and their classes from around the world will be encouraged to participate. Each institution will be able to immediately compare the profile of their students with those of other schools. We will provide search capabilities on several key fields in order to facilitate participant data analysis. We foresee the results of our survey generating a dialogue among educators and possibly changing the direction of and/or way in which computer science is taught.

Network Load Monitoring in Distributed Systems

Monitoring the performance of a network by which a real-time distributed system is connected is very important. If the system is adaptive or dynamic, the resource manager can use this information to create or use new processes. We may be interested to determine how much load a host is placing on the network, or what the network load index is. In this paper, a simple technique for evaluating the current load of network is proposed. If a computer is connected to several networks, then we can get the load index of that host for each network. We can also measure the load index of the network applied by all the hosts. The dynamic resource manager of DeSiDeRaTa should use this technique to achieve its requirements. We have verified the technique with two benchmarks - LoadSim and DynBench.

Improving the Efficiency of Capture-Resistant Biometric Authentication Based on Set Intersection

Traditional biometric authentication systems store biometric reference templates in cleartext on an authentication server, making them vulnerable to theft. Fuzzy extractors allow an authentication server to store biometric verification data that are resistant to capture. It is hard to recover the reference templates from these biometric verification data, thus increasing the privacy of the reference templates. In this paper, we improve the efficiency of a set intersection-based fuzzy extractor in two ways. First, we speed up the computation of verifying a biometric sample under some parameter combinations through integrating a Reed-Solomon decoding algorithm. Second, we propose a new function to improve the storage efficiency of the fuzzy extractor. A prototype implementation is developed to validate our improvements and it shows that our first improvement could speed up computation as many as 2.29 times 106 times.

Communication among incident responders — A study

Responding to some future incident might require significant cooperation by multiple teams or organizations within an incident response community. To study the effectiveness of that cooperation, the Carnegie Mellon® Software Engineering Institute (SEI) conducted a study using a group of volunteer, autonomous incident response organizations. These organizations completed special SEI-designed tasks that required them to work together. The study identified three factors as likely to help or hinder the cooperation of incident responders: being prepared, being organized, and following incident response best practices. This technical note describes those factors and offers recommendations for implementing each one.