Carol Taylor

The MILS architecture for high-assurance embedded systems

High-assurance systems require a level of rigor, in both design and analysis, not typical of conventional systems. This paper provides an overview of the Multiple Independent Levels of Security and Safety (MILS) approach to high-assurance system design for security and safety critical embedded systems. MILS enables the development of a system using manageable units, each of which can be analysed separately, avoiding costly analysis required of more conventional designs. MILS is particularly well suited to embedded systems that must provide guaranteed safety or security properties.

Challenging the anomaly detection paradigm: a provocative discussion

In 1987, Dorothy Denning published the seminal paper on anomaly detection as applied to intrusion detection on a single system. Her paper sparked a new paradigm in intrusion detection research with the notion that malicious behavior could be distinguished from normal system use. Since that time, a great deal of anomaly detection research based on Dennings original premise has occurred. However, Dennings assumptions about anomalies that originate on a single host have been applied essentially unaltered to networks. In this paper we question the application of Dennings work to network based anomaly detection, along with other assumptions commonly made in network-based detection research. We examine the assumptions underlying selected studies of network anomaly detection and discuss these assumptions in the context of the results from studies of network traffic patterns. The purpose of questioning the old paradigm of anomaly detection as a strategy for network intrusion detection is to reconfirm the paradigm as sound or begin the process of replacing it with a new paradigm in light of changes in the operating environment.

NATE: N etwork Analysis of A nomalous T raffic E vents, a low-cost approach

A new approach to network intrusion detection is needed to solve the monitoring problems of high volume network data and the time constraints for Intrusion Detection System (IDS) management. Most current network IDSs have not been specifically designed for high speed traffic or low maintenance. We propose a solution to these problems which we call NATE, Network Analysis of Anomalous Traffic Events. Our approach features minimal network traffic measurement, an anomaly-based detection method, and a limited attack scope. NATE is similar to other lightweight approaches in its simplified design, but our approach, being anomaly based, should be more efficient in both operation and maintenance than other lightweight approaches. We present the method and perform an empirical test using MIT Lincoln Labs data.

A multi-layered approach to security in high assurance systems

Past efforts at designing and implementing ultra high assurance systems for government security and safety have centered on the concept of a monolithic security kernel responsible for a system-wide security policy. This approach leads to inflexible, overly complex operating systems that are too large to evaluate at the highest assurance levels (e.g., Common Criteria EAL 5 and above). We describe a new multi-layered approach to the design and verification of embedded trustworthy systems that is currently being used in the implementation of real time, embedded applications. The framework supports multiple levels of safety and multiple levels of security, based on the principle of creating separate layers of responsibility and control, with each layer responsible for enforcing its own security policy.

An empirical analysis of NATE: Network Analysis of Anomalous Traffic Events

This paper presents results of an empirical analysis of NATE (Network Analysis of Anomalous Traffic Events), a lightweight, anomaly based intrusion detection tool. Previous work was based on the simulated Lincoln Labs data set. Here, we show that NATE can operate under the constraints of real data inconsistencies. In addition, new TCP sampling and distance methods are presented. Differences between real and simulated data are discussed in the course of the analysis.

Forensics Education: Assessment and Measures of Excellence

In this paper we assess current academic and certificate based education and training programs in digital forensics education. Strong interest in the digital forensics field has led to a proliferation of education options in both academia and professional training programs. Yet, few studies have attempted to define quality attributes or measures of excellence for these programs. This study defines a set of excellence measures for academic programs seeking to teach digital forensics distilled from existing training documents, author experience and other studies. The expectation is that this first attempt to define program excellence will generate discussion and stimulate others in the forensics community to add their own measures of excellence in addition to critiquing ours. We also describe other needed components for digital forensics education in order for the field to move forward

Managing Uncertainty in Security Risk Model Forecasts with RAPSA/MC

This report describes an information security risk assessment process that accommodates uncertainty and can be applied to deployed systems as well as systems under development. An example is given for a critical infrastructure but the technique is applicable to other networks. RAPSA/MC extends the Risk Analysis and Probabilistic Survivability Assessment (RAPSA) systems-level process model with a Monte-Carlo (MC) technique capturing the uncertainty in expert estimates and illustrating its resulting impact on the model’s forecast. The forecast is presented as a probability density function enabling the security analyst to more effectively communicate security risks to financial decision makers. This approach may be particularly useful for visualizing the risk of an extreme event such as an unlikely but catastrophic exploit.

Diversity: the biological perspective position statement

Maintaining some minimum level of biological diversity is critical for the proper functioning of global ecosystems. While there are still many unknowns about the relationships between species within an ecosystem, a number of processes are known to affect diversity. Specifically, predator/prey relationships, competition and extinction plus spatial and temporal disturbances influence the number and distribution of species. Currently, most computer diversity strategies are implemented without any attempt to model the processes that influence diversity. We believe that a broader mapping of diversity concepts which include these processes will present a more complete view of computer security dynamics and perhaps suggest novel defensive approaches.