Douglas S. Reeves
North Carolina State University
Publication
Featured research published by Douglas S. Reeves.
computer and communications security | 2003
Xinyuan Wang; Douglas S. Reeves
Network based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate stepping stones to conceal their identity and origin. To identify attackers behind stepping stones, it is necessary to be able to correlate connections through stepping stones, even if those connections are encrypted or perturbed by the intruder to prevent traceability. The timing-based approach is the most capable and promising current method for correlating encrypted connections. However, previous timing-based approaches are vulnerable to packet timing perturbations introduced by the attacker at stepping stones. In this paper, we propose a novel watermark-based correlation scheme that is designed specifically to be robust against timing perturbations. The watermark is introduced by slightly adjusting the timing of selected packets of the flow. By utilizing redundancy techniques, we have developed a robust watermark correlation framework that reveals a rather surprising result on the inherent limits of independent and identically distributed (iid) random timing perturbations over sufficiently long flows. We also identify the tradeoffs between timing perturbation characteristics and achievable correlation effectiveness. Experiments show that the new method performs significantly better than existing, passive, timing-based correlation in the presence of random packet timing perturbations.
annual computer security applications conference | 2004
Yan Zhai; Peng Ning; S. Purushothaman Iyer; Douglas S. Reeves
This paper presents techniques to integrate and reason about complementary intrusion evidence such as alerts generated by intrusion detection systems (IDSs) and reports by system monitoring or vulnerability scanning tools. To facilitate the modeling of intrusion evidence, this paper classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, this paper develops techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The experimental results in this paper demonstrate the potential of the proposed techniques. In particular, additional observations by system monitoring or vulnerability scanning tools can potentially reduce the false alert rate and increase the confidence in alerts corresponding to successful attacks.
wireless communications and networking conference | 2004
Fang Feng; Douglas S. Reeves
Mobile IP has been widely accepted, but lacks a fast handoff mechanism. In this paper, we introduce an explicit proactive handoff scheme with motion prediction. Since each user has patterns of movement, a mobile node predicts its future motion and explicitly notifies its old foreign agent which subnet it is likely to handoff to. During a handoff, the old foreign agent duplicates and forwards packets to the predicted subnets. With our scheme, network-layer handoff latency can be reduced to the level of link-layer handoff latency, and the number of packets lost during handoffs is also minimized. With a real network activity trace, we demonstrate that this scheme is able to predict motion accurately, with only a small overhead in bandwidth consumption and computation.
international conference on information security | 2004
Pan Wang; Peng Ning; Douglas S. Reeves
Secure group communication relies on secure and robust distribution of group keys. A stateless group key distribution scheme is an ideal candidate when the communication channel is unreliable. Several stateless group key distribution schemes have been proposed. However, these schemes require all users to store a certain number of auxiliary keys. The number of such keys increases as the group size grows. As a result, it is quite challenging to use these schemes when the users in a relatively large group have memory constraints. Thus, it is desirable to develop new schemes that can reduce the memory requirement. This paper introduces two novel stateless group key revocation schemes named key-chain tree (KCT) and layered key-chain tree (LKCT), which combine one-way key chains with a logical key tree. These schemes reduce the user storage requirements by trading them off against communication and computation costs. Specifically, these schemes can revoke any R users from a user group of size N by sending a key update message with at most 4R keys, while only requiring each user to store 2 log N keys.
the cryptographers’ track at the rsa conference | 2004
Qinglin Jiang; Douglas S. Reeves; Peng Ning
Secure authentication frequently depends on the correct recognition of a user’s public key. When there is no certificate authority, this key is obtained from other users using a web of trust. If users can be malicious, trusting the key information they provide is risky. Previous work has suggested the use of redundancy to improve the trustworthiness of user-provided key information. In this paper, we address two issues not previously considered. First, we solve the problem of users who claim multiple, false identities, or who possess multiple keys. Secondly, we show that conflicting certificate information can be exploited to improve trustworthiness. Our methods are demonstrated on both real and synthetic PGP keyrings, and their performance is discussed.
international conference on distributed computing systems | 2015
Kyuyong Shin; Carlee Joe-Wong; Sangtae Ha; Yung Yi; Injong Rhee; Douglas S. Reeves
In this paper, we propose a simple, distributed, but highly efficient fairness-enforcing incentive mechanism for cooperative computing. The proposed incentive scheme, called Triangle Chaining (T-Chain), enforces reciprocity to minimize the exploitable aspects of other schemes that allow free-riding. In T-Chain, symmetric key cryptography provides the basis for a lightweight, almost-fair exchange protocol, which is coupled with a pay-it-forward mechanism. This combination increases the opportunity for multi-lateral exchanges and further maximizes the resource utilization of participants, each of whom is assumed to operate solely for his or her own benefit. T-Chain also provides barrier-free entry to newcomers with flexible resource allocation, providing them with immediate benefits, and therefore is suitable for dynamic environments with high churn (i.e., turnover). T-Chain is distributed and simple to implement, as no trusted third party is required to monitor or enforce the scheme, nor is there any reliance on reputation information or tokens.
Proceedings of the 12th Annual Conference on Cyber and Information Security Research | 2017
Micah Bushouse; Sanghyun Ahn; Douglas S. Reeves
Virtual Routers (VRs) are increasingly common in cloud environments. VRs route traffic between network segments and support network services. Routers, including VRs, have been the target of several recent high-profile attacks, emphasizing the need for more security measures, including security monitoring. However, existing agent-based monitoring systems are incompatible with a VR's temporary nature, stripped-down operating system, and placement in the cloud. As a result, VRs are often not monitored, leading to undetected security incidents. This paper proposes a new security monitoring design that leverages virtualization instead of in-guest agents. Its hypervisor-based system, Arav, scrutinizes VRs by novel application of Virtual Machine Introspection (VMI) breakpoint injection. Arav monitored and addressed security-related events in two common VRs, pfSense and VyOS, and detected four attacks against two popular VR services, Quagga and OpenVPN. Arav's performance overhead is negligible, less than 0.63%, demonstrating VMI's utility in monitoring virtual machines unsuitable for traditional security monitoring.
Theory and Models for Cyber Situation Awareness | 2017
Massimiliano Albanese; Nancy J. Cooke; González Coty; David L. Hall; Christopher G. Healey; Sushil Jajodia; Peng Liu; Michael D. McNeese; Peng Ning; Douglas S. Reeves; V. S. Subrahmanian; Cliff Wang; John Yen
In this chapter, we provide an overview of Cyber Situational Awareness, an emerging research area in the broad field of cyber security, and discuss, at least at a high level, how to gain Cyber Situation Awareness. Our discussion focuses on answering the following questions: What is Cyber Situation Awareness? Why is research needed? What are the current research objectives and inspiring scientific principles? Why should one take a multidisciplinary approach? How could one take an end-to-end holistic approach? What are the future research directions?
Archive | 2015
Xinyuan Wang; Douglas S. Reeves
This brief systematically examines the traceback problem and its interaction with low-latency anonymous communication. First, it provides an overview of the common techniques a network-based attack may use to hide its origin and identity. Then the authors explore the MIX-based anonymity and the building blocks of low-latency anonymous communication. Later chapters offer a comprehensive study of the timing attacks on low-latency anonymous communication, and analyze the fundamental limitations of low-latency anonymous communication from the perspective of timing-based covert channel. Suitable for professionals and researchers, Traceback and Anonymity is a close look at a key aspect of cyber security studies. Advanced-level students interested in cyber security techniques or networking will also find the content valuable.
usenix security symposium | 2015
Ruowen Wang; William Enck; Douglas S. Reeves; Xinwen Zhang; Peng Ning; Dingbang Xu; Wu Zhou; Ahmed M. Azab