Henry L. Owen

HoneyStat: Local Worm Detection Using Honeypots

Worm detection systems have traditionally used global strategies and focused on scan rates. The noise associated with this approach requires statistical techniques and large data sets (e.g., 220 monitored machines) to yield timely alerts and avoid false positives. Worm detection techniques for smaller local networks have not been fully explored.

The use of Honeynets to detect exploited systems across large enterprise networks

Computer networks connected to the Internet continue to be compromised and exploited by hackers. This is in spite of the fact that many networks run some type of security mechanism at their connection to the Internet. Large enterprise networks, such as the network for a major university, are very inviting targets to hackers who are looking to exploit networks. Large enterprise networks may consist of many machines running numerous operating systems. These networks normally have enormous storage capabilities and high speed/high bandwidth connections to the Internet. Due to the requirements for academic freedom, system administrators are restricted in what requirements they can place on users on these networks. The high bandwidth usages on these networks make it very difficult to identify malicious traffic within the enterprise network. We propose that a Honeynet can be used to assist the system administrator in identifying malicious traffic on the enterprise network. By its very nature, a Honeynet has no production value and should not be generating or receiving any traffic. Thus, any traffic to or from the Honeynet is suspicious in nature. Traffic from the enterprise network to a machine on the Honeynet may indicate a compromised enterprise system.

Wireless intrusion detection and response

A prototype implementation of a wireless intrusion detection and active response system is described. An off the shelf wireless access point was modified by downloading a new Linux operating system with nonstandard wireless access point functionality in order to implement a wireless intrusion detection system that has the ability to actively respond to identified threats. An overview of the characteristics and functionality required in a wireless intrusion detection system is presented along with a review and comparison of existing wireless intrusion detection systems and functionalities. Implemented functionality and capabilities of our prototyped system are presented along with conclusions as to what is necessary to implement a more desirable and capable wireless intrusion detection system.

Review: Wireless sensor networks for rehabilitation applications: Challenges and opportunities

Rehabilitation supervision has emerged as a new application of wireless sensor networks (WSN), with unique communication, signal processing and hardware design requirements. It is a broad and complex interdisciplinary research area on which more than one hundred papers have been published by several research communities (electronics, bio-mechanical, control and computer science). In this paper, we present WSN for rehabilitation supervision with a focus on key scientific and technical challenges that have been solved as well as interdisciplinary challenges that are still open. We thoroughly review existing projects conducted by several research communities involved in this exciting field. Furthermore, we discuss the open research issues and give directions for future research works. Our aim is to gather information that encourage engineers, clinicians and computer scientists to work together in this field to tackle the arising challenges. We believe that bridging researchers with different scientific backgrounds could have a significant impact on the development of WSN for rehabilitation and could improve the way rehabilitation is provided today.

Real-time and forensic network data analysis using animated and coordinated visualization

Rapidly detecting and classifying malicious activity contained within network traffic is a challenging problem exacerbated by large datasets and functionally limited manual analysis tools. Even on a small network, manual analysis of network traffic is inefficient and extremely time consuming. Current machine processing techniques, while fast, suffer from an unacceptable percentage of false positives and false negatives. To complement both manual and automated analysis of network traffic, we applied information visualization techniques to appropriately and effectively bring the human into the analytic loop. This paper describes the implementation and lessons learned from the creation of a novel network traffic visualization system capable of both realtime and forensic data analysis. Combining the strength of link analysis using parallel coordinate plots with the time-sequence animation of scatter plots, we examine a 2D and 3D coordinated display that provides insight into both legitimate and malicious network activity. Our results indicate that analysts can rapidly examine network traffic and detect anomalies far more quickly than with manual tools.

Intrusion detection testing and benchmarking methodologies

The ad-hoc methodology that is prevalent in todays testing and evaluation of network intrusion detection algorithms and systems makes it difficult to compare different algorithms and approaches. After conducting a survey of the literature on the methods and techniques being used, it can be seen that a new approach that incorporates an open source testing methodology and environment would benefit the information assurance community. After summarizing the literature and presenting several example test and evaluation environments that have been used in the past, we propose a new open source evaluation environment and methodology for use by researchers and developers of new intrusion detection and denial of service detection and prevention algorithms and methodologies.

Dynamic resource scheduling schemes for W-CDMA systems

W-CDMA is the strongest candidate for the air interface technology of third-generation wireless communication systems. Dynamic resource scheduling is proposed as a framework that will provide QoS provisioning for multimedia traffic in W-CDMA systems. The DRS framework monitors the traffic variations and adjusts the transmission powers of users in an optimal manner to accommodate different service classes efficiently. Variable and optimal power allocation is suggested to provision error requirements and maximize capacity, while prioritized queuing is introduced to provision delay bounds. A family of DRS algorithms has been devised along these dimensions for obtaining different levels of QoS. The DRS schemes are discussed in terms of queuing and bandwidth allocation with an emphasis on their impact on delay QoS.

M-MPLS: Micromobility-enabled multiprotocol label switching

This paper presents the integration of multiprotocol label switching with hierarchical mobile IPv6. The resulting micromobility-based MPLS (M-MPLS) is defined in two modes of operation: overlay and integrated. In an overlay framework MPLS and HMIP operate on their respective layers without having common processes, tables, or signaling. In an integrated framework, related functions are merged. The overall goal of an integrated framework is to facilitate efficient and reliable network operations while simultaneously optimizing network utilization and system performance.

Using honeynets to protect large enterprise networks

Network administrators use several methods to protect their network. Installing a honeynet within large enterprise networks provides an additional security tool. Honeynets complement the use of firewalls and IDS and help overcome some of the shortcomings inherent in those systems. In addition, honeynets can also serve as platforms for conducting computer security research and education.

Countering security information overload through alert and packet visualization

This article presents a framework for designing network security visualization systems as well as results from the end-to-end design and implementation of two highly interactive systems. In this article, we provide multiple contributions: we present the results of our survey of security professionals, the design framework, and lessons learned from the design of our systems as well as an evaluation of their effectiveness. Our results indicate that both systems effectively present significantly more information when compared to traditional textual approaches. We believe that the interactive, graphical techniques that we present will have broad applications in other domains seeking to deal with information overload.