Publication


Featured research published by Jeffrey Undercoffer.


Recent Advances in Intrusion Detection | 2003

Modeling Computer Attacks: An Ontology for Intrusion Detection

Jeffrey Undercoffer; Anupam Joshi; John Pinkston

We state the benefits of transitioning from taxonomies to ontologies and ontology specification languages, which are able to simultaneously serve as recognition, reporting and correlation languages. We have produced an ontology specifying a model of computer attack using the DARPA Agent Markup Language+Ontology Inference Layer, a descriptive logic language. The ontology’s logic is implemented using DAMLJessKB. We compare and contrast the IETF’s IDMEF, an emerging standard that uses XML to define its data model, with a data model constructed using DAML+OIL. In our research we focus on low level kernel attributes at the process, system and network levels, to serve as those taxonomic characteristics. We illustrate the benefits of utilizing an ontology by presenting use case scenarios within a distributed intrusion detection system.


IEEE International Conference on Fuzzy Systems | 2003

Fuzzy clustering for intrusion detection

Hiren Shah; Jeffrey Undercoffer; Anupam Joshi

The newly formed Department of Homeland Security has been mandated to reduce America's vulnerability to terrorism. In addition to being charged with physical protection, this newly formed department is also responsible for protecting the nation's critical infrastructure. Protecting computer systems from intrusions is an important aspect of securing the nation's infrastructure. We are exploring how fuzzy data mining and concepts introduced by the semantic Web can operate in synergy to perform distributed intrusion detection. The underlying premise of our intrusion detection model is to describe attacks as instances of an ontology using a semantically rich language, reason over them and subsequently classify them as instances of an attack of a specific type. However, before an abnormality can be specified as an instance of the ontology, it first needs to be detected. Hence, our intrusion detection model is two phased, where the first phase uses data mining techniques to analyze low level data streams that capture process, system and network states and to detect anomalous behavior. The second phase reasons over instances of anomalous behavior specified according to our ontology. This paper focuses on the initial phase of our model: outlier detection within low level data streams. Accordingly, we present the preliminary results of the use of fuzzy clustering to detect anomalies within low level kernel data streams.


Mobile Networks and Applications | 2003

A secure infrastructure for service discovery and access in pervasive computing

Jeffrey Undercoffer; Filip Perich; Andrej Cedilnik; Lalana Kagal; Anupam Joshi

Security is paramount to the success of pervasive computing environments. The system presented in this paper provides a communications and security infrastructure that goes far in advancing the goal of anywhere-anytime computing. Our work securely enables clients to access and utilize services in heterogeneous networks. We provide a service registration and discovery mechanism implemented through a hierarchy of service management. The system is built upon a simplified Public Key Infrastructure that provides for authentication, non-repudiation, anti-playback, and access control. Smartcards are used as secure containers for digital certificates. The system is implemented in Java and we use Extensible Markup Language as the sole medium for communications and data exchange. Currently, we are solely dependent on a base set of access rights for our distributed trust model; however, we are expanding the model to include the delegation of rights based upon a predefined policy. In our proposed expansion, instead of exclusively relying on predefined access rights, we have developed a flexible representation of trust information, in Prolog, that can model permissions, obligations, entitlements, and prohibitions. In this paper, we present the implementation of our system and describe the modifications to the design that are required to further enhance distributed trust. Our implementation is applicable to any distributed service infrastructure, whether the infrastructure is wired, mobile, or ad hoc.


International Performance, Computing, and Communications Conference | 2004

On intrusion detection and response for mobile ad hoc networks

J. R. Parker; Jeffrey Undercoffer; John Pinkston; Anupam Joshi

We present network intrusion detection (ID) mechanisms that rely upon packet snooping to detect aberrant behavior in mobile ad hoc networks. Our extensions, which are applicable to several mobile, ad hoc routing protocols, offer two response mechanisms: passive, to singularly determine if a node is intrusive and act to protect itself from attacks, or active, to collaboratively determine if a node is intrusive and act to protect all of the nodes of an ad hoc cluster. We have implemented our extensions using the GloMoSim simulator and detail their efficacy under a variety of operational conditions.


Computer Networks | 2003

Secure sensor networks for perimeter protection

Sasikanth Avancha; Jeffrey Undercoffer; Anupam Joshi; John Pinkston

Sensor networks have been identified as being useful in a variety of domains to include the battlefield and perimeter defense. We motivate the security problems that sensor networks face by developing a scenario representative of a large application class where these networks would be used in the future. We identify threats to this application class and propose a new lightweight security model that operates in the base station mode of sensor communication, where the security model is mindful of the resource constraints of sensor networks. Our application class requires mitigation against traffic analysis, hence we do not use any routing mechanisms, relying solely on broadcasts of end-to-end encrypted packets. Our model extends the broadcast range of the base station model by utilizing nodes adjacent to the base station as an intermediary hop. Additionally, our model detects and corrects some classes of aberrant node behavior. We have simulated our model and present simulation results.


Wireless Sensor Network | 2004

Security for wireless sensor networks

Sasikanth Avancha; Jeffrey Undercoffer; Anupam Joshi; John Pinkston

This chapter identifies the vulnerabilities associated with the operational paradigms currently employed by Wireless Sensor Networks. A survey of current WSN security research is presented. The security issues of Mobile Ad-Hoc Networks and infrastructure supported wireless networks are briefly compared and contrasted to the security concerns of Wireless Sensor Networks. A framework for implementing security in WSNs, which identifies the security measures necessary to mitigate the identified vulnerabilities, is defined.


Systems, Man and Cybernetics | 2003

Hidden processes: the implication for intrusion detection

James Butler; Jeffrey Undercoffer; John Pinkston

We introduce a novel class of intrusion: the hidden process, a type of intrusion that will not be detected by an intrusion detection system operating under the assumption that the underlying computing architecture is functioning as specified. A hidden process executes in a manner that is unobservable by many of the operating system's accounting and reporting functions. We present a mechanism to hide processes. Additionally, we show how a hidden process may communicate with an external entity by piggybacking onto a legitimate network connection. We have implemented a mechanism that detects hidden processes and make recommendations calling for the separation of critical operating system functions from more general operating system functions.


Knowledge Engineering Review | 2003

Using DAML+OIL to classify intrusive behaviours

Jeffrey Undercoffer; Anupam Joshi; Tim Finin; John Pinkston

We have produced an ontology specifying a model of computer attack. Our ontology is based upon an analysis of over 4000 classes of computer intrusions and their corresponding attack strategies and is categorised according to system component targeted, means of attack, consequence of attack and location of attacker. We argue that any taxonomic characteristics used to define a computer attack be limited in scope to those features that are observable and measurable at the target of the attack. We present our model as a target-centric ontology that is to be refined and expanded over time. We state the benefits of forgoing dependence upon taxonomies in favour of ontologies for the classification of computer attacks and intrusions. We have specified our ontology using the DARPA Agent Markup Language+Ontology Inference Layer and have prototyped it using DAMLJessKB. We present our model as a target-centric ontology and illustrate the benefits of utilising an ontology in lieu of a taxonomy, by presenting a use-case scenario of a distributed intrusion detection system.


International Conference on Mobile and Ubiquitous Systems: Networking and Services | 2004

In reputation we believe: query processing in mobile ad-hoc networks

Filip Perich; Jeffrey Undercoffer; Lalana Kagal; Anupam Joshi; Tim Finin; Yelena Yesha


Archive | 2002

Vigil: Providing Trust for Enhanced Security in Pervasive Systems

Lalana Kagal; Jeffrey Undercoffer; Filip Perich; Anupam Joshi; Tim Finin; Yelena Yesha

Collaboration

Top co-authors of Jeffrey Undercoffer:

Lalana Kagal, Massachusetts Institute of Technology

Tim Finin, University of Maryland

Hiren Shah, University of Baltimore

James Butler, University of Baltimore