Publication


Featured research published by Gregory B. White.


IEEE Network | 1996

Cooperating security managers: a peer-based intrusion detection system

Gregory B. White; Eric A. Fisch; Udo W. Pooch

The need for increased security measures in computer systems and networks is apparent through the frequent media accounts of computer system and network intrusions. One attempt at increasing security measures is in the area of intrusion detection packages. These packages use a variety of means to detect intrusive activities and have been applied to both individual computer systems and networks. Cooperating security managers (CSM) is one such package. Applied to a network, CSM is designed to perform intrusion detection and reporting functions in a distributed environment without requiring a designated central site or server to perform the analysis of network audit data. In addition, it is designed to handle intrusions as opposed to simply detecting and reporting on them, resulting in a comprehensive approach to individual system and network intrusions. Tests of the initial prototype have shown the cooperative methodology to perform favourably.


Hawaii International Conference on System Sciences | 2006

e-Government and Cyber Security: The Role of Cyber Security Exercises

Art Conklin; Gregory B. White

e-Government operations are increasing with citizen demand for timely and cost-effective services. Security associated with individual systems is similar to many e-commerce solutions. The span of control of e-government and its impact across a community defines a system that is more than a sum of just single systems. To test security issues across the entire system requires a new method of analysis, a community-based cyber security exercise. Results from recent community-based exercises have provided insight into opportunities for improvement and have demonstrated the value of these events. Information gained from community-based exercises permits local governmental entities to better prepare their e-government systems to serve their citizens' needs. Although some actions discovered in the exercise may be difficult and resource intensive, numerous low-hanging fruit opportunities for improvement can be discovered and used to improve e-government systems.


International Conference on Malicious and Unwanted Software | 2012

Analysis and detection of malicious data exfiltration in web traffic

Areej Al-Bataineh; Gregory B. White

Data stealing botnets pose a great risk to the security of networks and the privacy of their users. Most of these botnets use the web as a medium for communication, making them difficult to detect given that web traffic constitutes about 70% of Internet traffic. In addition, they use obfuscation techniques, primarily encryption, to hide their communications and data exfiltration attempts making current botnet detection techniques that depend on content inspection ineffective. In this paper, we present an analysis of the data stealing behaviors of one of the most notorious data stealing botnets, Zeus. In addition, we propose a classification algorithm to identify malicious data stealing attempts within web traffic. Our classifier uses entropy and byte frequency distribution of HTTP POST request contents as features. Our evaluation of the classifier shows high accuracy and high efficiency making it applicable at network perimeter monitoring devices and web proxies.


IEEE International Conference on Technologies for Homeland Security | 2012

A collaborative information sharing framework for Community Cyber Security

Wanying Zhao; Gregory B. White

As the reliance of communities on critical cyber infrastructures is growing, they are becoming more vulnerable to cyber attacks. The Community Cyber Security Maturity Model (CCSMM) was proposed to help communities establish viable and sustainable cyber security programs. Information Sharing is an important part of the CCSMM but there are significant aspects to be explored. Collaborative information sharing helps a community detect potential risks and prevent cyber attacks at an early stage. It also facilitates incident response as well as preparedness activities in communities. In this paper we discuss the necessity of information sharing and provide guidance on the types of information needing to be shared. We define threat alert levels of community cyber security and discuss how different levels affect information sharing. We propose a collaborative information sharing framework that aims to improve community cyber security. Finally, we discuss practical issues and areas for further research.


ACM SIGMIS Database | 2006

Moral intensity and ethical decision-making: a contextual extension

Tim Goles; Gregory B. White; Nicole Lang Beebe; Carlos Alberto Dorantes; Barbara Hewitt

This paper explores the role of an individual's perception of situation-specific issues on decision-making in ethical situations. It does so by examining the influence of moral intensity on a person's perceptions of an ethical problem, and subsequent intentions. Moral intensity (Jones, 1991) is an issue-contingent model of ethical decision-making based on the supposition that situations vary in terms of the moral imperative present in that situation. An individual's decision is guided by his or her assessment of six different components that collectively comprise the moral intensity of the situation. The relationship between the components of moral intensity and the decision-making process is tested through the use of scenarios that present IS-related ethical situations. The results indicate that moral intensity plays a significant role in shaping the perceptions and intentions of individuals faced with IS-related ethical situations. The conclusion drawn from this is that, consistent with prior research, the decision-making process is influenced by an individual's perception of situation-specific issues; that is, the moral intensity of the situation.


Hawaii International Conference on System Sciences | 2007

The Community Cyber Security Maturity Model

Gregory B. White

Reports of cyber security breaches are common in the media and security events have affected millions. Even with a greater awareness of cyber security, the problem has not decreased as sectors increase their dependence on critical cyber infrastructures. States and communities have joined the growing list of organizations trying to establish viable and sustainable cyber security programs to prepare for cyber events when they inevitably occur. The Community Cyber Security Maturity Model (CCSMM) was developed to assist in the development of programs by providing three important mechanisms: a “yardstick” to determine current cyber security posture and maturity, a “roadmap” to help improve security posture, and a common point of reference for individuals to share experiences and lessons learned. This paper discusses the development of the model and describes initial results in states and communities adopting it. The paper also discusses what remains to be accomplished and areas for further research.


Military Communications Conference | 1996

A peer-based hardware protocol for intrusion detection systems

Gregory B. White; Mark L. Huson

A number of intrusion detection systems have been developed to detect intrusive activity on individual hosts and networks. These systems rely almost exclusively on a software approach to intrusion detection analysis and response. In addition, the network systems developed apply a centralized approach to the detection of intrusive activity. The problems introduced by this approach are twofold. First, the centralization of these functions becomes untenable as the size of the network increases. However, the introduction of intermediate security systems increases the number of potential targets and introduces communication delays which are unacceptable for high bandwidth data transfers. Second, and more importantly, the combination of centralization and software implementation as an approach to network intrusion detection introduces a dangerous vulnerability. As intruders gain access to the system, they target the security software itself and the centralization ensures the compromise of the entire network. The solution to these problems is a hardware implementation of a decentralized approach to intrusion detection. This paper describes the hardware platform necessary to implement such a system. It also proposes an intrusion detection protocol which would be used by this hardware to communicate relevant intrusive activity events between heterogeneous systems connected in a network or internetwork. This work is based on the Cooperating Security Managers, a peer-based approach to intrusion detection developed at Texas A&M University.


ACM Special Interest Group on Data Communication | 1995

Problems with DCE security services

Gregory B. White; Udo W. Pooch

Distributed computing is receiving an ever increasing amount of interest and with it come many challenges, not the least of which is how to maintain system and network security. Issues relating to user authentication, access authorization, and communication security must be addressed when multiple, heterogeneous systems are connected. While these issues have been addressed in OSF's DCE, several problems remain. This paper describes some of these problems.


Hawaii International Conference on System Sciences | 2011

A Taxonomy of Cyber Events Affecting Communities

Keith Harrison; Gregory B. White

Communities, whose reliance on critical cyber infrastructures is growing, are threatened by a wide range of cyber events that can adversely affect these systems and networks. The development of computer security taxonomies to classify computer and network vulnerabilities and attacks has led to a greater insight into the causes, effects, mitigation, and remediation of cyber attacks. In developing these taxonomies researchers are better able to understand and address the many different attacks that can occur. No current taxonomy, however, has been developed that takes into account the community aspects of cyber attacks or other cyber events affecting communities. We present a new taxonomy that considers the motivation, methodology, and effects of cyber events that can affect communities. We include a discussion on how our taxonomy is useful to e-government, industry, and security researchers.


IEEE Symposium on Security and Privacy | 2004

The appropriate use of force-on-force cyberexercises

Gregory B. White; Art Conklin

Over time, network threats change, so a computer network defense system must be periodically tested to assess its true ability. Within the computer network arena, organizations are using cyberexercises to test reactions to security attacks and penetrations. Cyberexercises take a variety of forms; one of the most popular pits an attacking red team against network, system, and security administrators. Red teams are a popular way to test an organization's security posture, but proceeding too quickly with this kind of exercise can be counterproductive. Examining network security from a comprehensive organizational viewpoint raises several interesting questions: When are red teams and technical exercises appropriate? What aspects of network security do these types of exercises test? What alternative cyberexercises might be more suitable?

Collaboration


Top Co-Authors

Keith Harrison

University of Texas at San Antonio

Dwayne Williams

University of Texas at San Antonio

Rayford B. Vaughn

Mississippi State University

Tim Goles

University of Texas at San Antonio

Art Conklin

University of Texas at San Antonio

Chuck Cothren

University of Texas at San Antonio

Glenn B. Dietrich

University of Texas at San Antonio
