Publication


Featured research published by David John Zage.


international carnahan conference on security technology | 2012

Addressing insider threat using “where you are” as fourth factor authentication

Sung Nam Choi; David John Zage

Current physical and cybersecurity systems have been relying on traditional three factor authentication to mitigate the threats posed by insider attacks. Typically, systems use one or two of the following factors to authenticate end-users: what you know (e.g., password), what you have (e.g., RSA ID), or what you are (e.g., fingerprint). Systems based on these factors have the following limitations: 1) access is typically bound to a single authentication occurrence leading to remote vulnerabilities, 2) the factors have little impact against persistent insider threats, and 3) many of the authentication systems violate system design principles such as user psychological acceptability by inconveniencing the end-users. In order to mitigate the identified limitations, we propose the usage of “where you are” as a complementary factor that can significantly improve both cybersecurity and physical security. Having accurate location tracking as a new factor for authentication: 1) provides continuous identification tracking and continuous mediation of access to resources, 2) requires remote threats to acquire a physical presence, 3) allows for the enforcement of cybersecurity and physical security policies in real-time through automation, and 4) provides enhanced security without inconveniencing the end-users. Using the strength of location as an authentication factor, this paper specifies design requirements that must be present in an insider-threat Prevention System (iTPS) that is capable of actively monitoring malicious insider behaviors. iTPS has the potential to radically change the physical protection systems and cybersecurity landscape by providing practitioners with the first-of-its-kind tool for real-time insider-threat prevention capabilities. iTPS is particularly suited to address the safety and security needs of critical infrastructure, nuclear facilities, and emergency response situations.


intelligence and security informatics | 2013

Improving supply chain security using big data

David John Zage; Kristin Glass; Richard Colbaugh

Previous attempts at supply chain risk management are often non-technical and rely heavily on policies/procedures to provide security assurances. This is particularly worrisome as there are vast volumes of data that must be analyzed and data continues to grow at unprecedented rates. In order to mitigate these issues and minimize the amount of manual inspection required, we propose the development of mathematically-based automated screening methods that can be incorporated into supply chain risk management. In particular, we look at methods for identifying deception and deceptive practices that may be present in the supply chain. We examine two classes of constraints faced by deceivers, cognitive/computational limitations and strategic tradeoffs, which can be used to develop graph-based metrics to represent entity behavior. By using these metrics with novel machine learning algorithms, we can robustly detect deceptive behavior and identify potential supply chain issues.


communications and networking symposium | 2015

Using linkography to understand cyberattacks

Andrew N Fisher; Carson Kent; David John Zage; John Charles Jarocki

In the realm of cyber security, recent events have demonstrated the need for a significant change in the philosophies guiding the identification and mitigation of attacks. The unprecedented increase in the quantity and sophistication of cyber attacks in the past year alone has proven the inadequacy of current defensive philosophies that do not assume continuous compromise. This has given rise to new perspectives on cyber defense where, instead of total prevention, threat intelligence is the crucial tool allowing the mitigation of cyber threats. This paper formalizes a new framework for obtaining threat intelligence from an active cyber attack and demonstrates the realization of this framework in the software tool, LinkShop. Specifically, using the behavioral analysis technique known as linkography, our framework allows cyber defenders to, in an automated fashion, quantitatively capture both general and nuanced patterns in attackers' behavior - pushing capabilities for generating threat intelligence far beyond what is currently possible with rudimentary indicators of compromise and into the realm of capability needed to combat future cyber attackers. Furthermore, this paper shows in detail how such knowledge can be achieved by using LinkShop on actual cyber event data and lays a foundation for further scientific investigation into cyber attacker behavior.


international carnahan conference on security technology | 2013

Ephemeral Biometrics: What are they and what do they solve?

Sung Nam Choi; David John Zage

For critical infrastructure facilities, mitigation techniques for insider threats are primarily non-technical in nature and rely heavily on policies/procedures. Traditional access control measures (access cards, biometrics, PIN numbers, etc.) are built on a philosophy of trust that enables those with appropriate permissions to access facilities without additional monitoring or restrictions. Systems based on these measures have three main limitations: 1) access is typically bound to a single authentication occurrence; 2) the authentication factors have little impact against human (insider) threats to security systems; and 3) many of the authentication systems inconvenience end-users. In order to mitigate the aforementioned deficiencies, we propose utilizing the concept of Ephemeral Biometrics to construct strong, persistent authentication protocols.


2013 International Conference on Computing, Networking and Communications (ICNC) | 2013

Harnessing many-core processors for scalable, highly efficient, and adaptable firewall solutions

Robert E. Benner; Victor T. E. Echeverria; Uzoma Onunkwo; Jay S. Patel; David John Zage

Many-core processors have become the mainstay of today's computing systems. This fact and their ease of accessibility is now broadening the horizons of computational advances. In this work, we demonstrate the use of many-core processing platforms to provide scalable, efficient, and easily configurable firewall implementations on many-core processors. Our work has made possible, to the best of our knowledge, a first-known pipelined and scalable implementation of a stateful firewall on many-core processors. We discuss the results of our work and highlight areas for future considerations and improvements. Although this work focuses on the firewall as an exemplar network protection tool, the ideas developed apply to other network processing applications like network intrusion detection systems.


dependable systems and networks | 2012

Utilizing linear subspaces to improve cloud security

David John Zage; James Obert

Cloud computing is quickly becoming the infrastructure of choice for hosting data and software solutions for many individuals, businesses, and governmental organizations. While such systems may provide increased flexibility and utility, efficient and easily-managed cloud storage solutions that ensure data confidentiality are needed to maintain this trend. In this work, we propose an algebraic-based encoding solution to provide data confidentiality. Additionally, through the use of the various algebraic subspaces present in the coding process, we are able to verify basic Service Level Agreement (SLA) guarantees. We demonstrate the feasibility of our solution through implementations and deployments on test systems.


ieee international conference on mobile services | 2015

Physically Unclonable Digital ID

Sung Nam Choi; David John Zage; Yung Ryn Choe; Brent Wasilow

The Center for Strategic and International Studies estimates the annual cost from cyber crime to be more than $400 billion. Most notable is the recent digital identity thefts that compromised millions of accounts. These attacks emphasize the security problems of using clonable static information. One possible solution is the use of a physical device known as a Physically Unclonable Function (PUF). PUFs can be used to create encryption keys, generate random numbers, or authenticate devices. While the concept shows promise, current PUF implementations are inherently problematic: inconsistent behavior, expensive, susceptible to modeling attacks, and permanent. Therefore, we propose a new solution by which an unclonable, dynamic digital identity is created between two communication endpoints such as mobile devices. This Physically Unclonable Digital ID (PUDID) is created by injecting a data scrambling PUF device at the data origin point that corresponds to a unique and matching descrambler/hardware authentication at the receiving end. This device is designed using macroscopic, intentional anomalies, making them inexpensive to produce. PUDID is resistant to cryptanalysis due to the separation of the challenge response pair and a series of hash functions. PUDID is also unique in that by combining the PUF device identity with a dynamic human identity, we can create true two-factor authentication. We also propose an alternative solution that eliminates the need for a PUF mechanism altogether by combining tamper resistant capabilities with a series of hash functions. This tamper resistant device, referred to as a Quasi-PUDID (Q-PUDID), modifies input data, using a black-box mechanism, in an unpredictable way. By mimicking PUF attributes, Q-PUDID is able to avoid traditional PUF challenges thereby providing high-performing physical identity assurance with or without a low performing PUF mechanism. Three different application scenarios with mobile devices for PUDID and Q-PUDID have been analyzed to show their unique advantages over traditional PUFs and outline the potential for placement in a host of applications.


arXiv: Cryptography and Security | 2016

Secure distributed membership tests via secret sharing: How to hide your hostile hosts: Harnessing Shamir secret sharing

David John Zage; Helen Xu; Thomas M. Kroeger; Bridger Hahn; Nolan P. Donoghue; Thomas R. Benson

Data security and availability for operational use are frequently seen as conflicting goals. Research on searchable encryption and homomorphic encryption are a start, but they typically build from encryption methods that, at best, provide protections based on problems assumed to be computationally hard. By contrast, data encoding methods such as secret sharing provide information-theoretic data protections. Archives that distribute data using secret sharing can provide data protections that are resilient to malicious insiders, compromised systems, and untrusted components. In this paper, we create the Serial Interpolation Filter, a method for storing and interacting with sets of data that are secured and distributed using secret sharing. We provide the ability to operate over set-oriented data distributed across multiple repositories without exposing the original data. Furthermore, we demonstrate the security of our method under various attacker models and provide protocol extensions to handle colluding attackers. The Serial Interpolation Filter provides information-theoretic protections from a single attacker and computationally hard protections from colluding attackers.


international carnahan conference on security technology | 2014

EMBERS: EpheMeral biometrically enhanced real-time location System

Sung Choi; Michael Bierma; Yung Ryn Choe; David John Zage

In nuclear facilities, having efficient accountability of critical assets, personnel locations, and activities is essential for productive, safe, and secure operations. Such accountability tracked through standard manual procedures is highly inefficient and prone to human error. The ability to actively and autonomously monitor both personnel and critical assets can significantly enhance security and safety operations while removing significant levels of human reliability issues and reducing insider threat concerns. A Real-Time Location System (RTLS) encompasses several technologies that use wireless signals to determine the precise location of tagged critical assets or personnel. RTLS systems include tags that either transmit or receive signals at regular intervals, location sensors/beacons that receive/transmit signals, and a location appliance that collects and correlates the data. Combined with ephemeral biometrics (EB) to validate the live-state of a user, an ephemeral biometrically-enhanced RTLS (EMBERS) can eliminate time-consuming manual searches and audits by providing precise location data. If critical assets or people leave a defined secured area, EMBERS can automatically trigger an alert and function as an access control mechanism and/or ingress/egress monitoring tool. Three different EMBERS application scenarios for safety and security have been analyzed and the heuristic results of this study are outlined in this paper along with areas of technological improvements and innovations that can be made if EMBERS is to be used as a safety and security tool.


Archive | 2011

Investigating the effectiveness of many-core network processors for high performance cyber protection systems. Part I, FY2011.

Kyle Bruce Wheeler; John Hunt Naegle; Brian J. Wright; Robert E. Benner; Jeffrey Scott Shelburg; David Benjamin Pearson; Joshua Alan Johnson; Uzoma Onunkwo; David John Zage; Jay S. Patel

Collaboration

Top Co-Authors

James Obert, Sandia National Laboratories
Sung Nam Choi, Sandia National Laboratories
Andrew N Fisher, Sandia National Laboratories
Carson Kent, Sandia National Laboratories
Jay S. Patel, Sandia National Laboratories
John Charles Jarocki, Sandia National Laboratories
Richard Colbaugh, Sandia National Laboratories
Robert E. Benner, Sandia National Laboratories
Uzoma Onunkwo, Sandia National Laboratories
Yung Ryn Choe, Sandia National Laboratories