John M. Zachary

Protecting mobile code in the world

Proposed applications for mobile code systems include autonomous shopping agents, autonomic systems, distributed sensor network applications, and interstellar space networks. I argue the case for mobile code systems as the next-generation distributed programming paradigm and discuss the security problems that must be addressed before this vision is practically realizable. The security discussion will focus on protecting mobile code programs that execute in the wild from malicious actions by remote hosts.

Conversation exchange dynamics for real-time network monitoring and anomaly detection

We present a model for real-time network monitoring and anomaly detection that provides a holistic view of network conversation exchanges. We argue that monitoring and anomaly detection are necessary mechanisms for ensuring secure and dependable network computing infrastructure. The model for network traffic exchange is based on a modified Ehrenfest urn model. The motivation for the model is heavily influenced by the success of statistical physics to provide macrostate descriptions of physical systems when the exact microstate parameters of each element in the system precludes understanding from first principles. The conversation exchange dynamics model for real-time network monitoring and anomaly detection is formally described. The model induces a unique real-time visualization capability for network monitoring and detection of anomalous events. An implementation of the model and visualization capability is presented along with laboratory tests and successful detection of real world events, including a Code Red worm attack.

Bidirectional mobile code trust management using tamper resistant hardware

Trust management in a networked environment consists of authentication and integrity checking. In a mobile computing environment, both remote hosts and mobile code are suspect. We present a model that addresses trust negotiation between the remote host and the mobile code simultaneously. Our model uses tamper resistant hardware, public key cryptography, and one-way hash functions.

A decentralized approach to secure management of nodes in distributed sensor networks

Distributed sensor networks are a promising technology for surveillance and reconnaissance in many applications, such as next generation C4ISR and the digital battlefield. The dearth of effective security mechanisms are a main obstacle to the acceptance of distributed sensor networks. As research pushes sensor nodes to be smaller and ubiquitous, security issues become paramount. Security in sensor networks needs to be considered during the early phases of development. This paper describes a decentralized solution to the problem of securely checking node membership in ad hoc sensor networks. This method does not require each node to maintain a membership list, does not require communication between the base station and verifying node, and it efficiently handles dynamic membership events (node leaves and joins). It is based on the concept of quasi-commutative hash functions, also called one-way accumulators. The paper analyzes resource requirements and suggests new ways to optimize the use of one-way accumulators while maintaining security in sensor node applications.

Real-Time Representation of Network Traffic Behavior for Enhanced Security

This paper presents a model for real-time network monitoring and anomaly detection that provides a holistic view of network conversation exchanges. We argue that monitoring and anomaly detection are necessary mechanisms for ensuring secure and dependable network computing infrastructure. The model for network traffic exchange is based on a modified Ehrenfest urn model and combines statistical physics and queuing theory to provide macrostate descriptions of complex networked systems when the exact microstate parameters of each element in the system precludes global understanding from first principles. The conversation exchange dynamics model for real-time network monitoring and anomaly detection is formally presented in this context as a system-driven data reduction model. The model induces a unique real-time visualization capability for network monitoring and detection of anomalous events. An implementation of the model and visualization capability is presented along with laboratory tests and successful detection of computer network attacks

A Novel Approach to Accentuating Anomalous Events in Complex Network Systems

We consider the computer network as a complex, interacting system and present a novel approach to representing anomalous events that occur within the network. This approach is essentially a form of intelligent data reduction that facilitates scalable monitoring of large systems. Specifically, we develop macrostate descriptions of complex networked systems in situations where exact microstate parameters of each element in the system preclude global understanding from first principles. This aids in identifying violations of network policy such as network attacks and misconfigurations. This approach has been verified in several environments. Example responses from network attacks simulated in the laboratory including those contained in the DARPA Lincoln Lab IDS test data as well as from operational network traffic are presented. These results suggest that our approach presents a unique perspective on anomalies in computer network traffic.

A model of conversation exchange dynamics for detection of epidemic-style network attacks

Epidemic-style network attacks, such as worms, have increased in frequency over the past several years as computer networks have grown in bandwidth and scope. Mechanisms to contain these types of attacks depend on rapid and effective detection of their existence, which corresponds to anomalous network traffic behavior. These behaviors are typically associated with denial of service, probing, and buffer overflow attacks. We present a model called conversation exchange dynamics (CED) and analyze its ability to detect network anomalies by observing anomalous packets amongst traffic generated in a controlled test environment. We present configuration issues and show the successful ability of this model to detect anomalous packets and even network attacks that exhibit behavior pathologies similar to network worms.

Differentiating network conversation flow for intrusion detection and diagnostics

We present a novel approach to detecting anomalous network events. Specifically, a method for characterizing and displaying the flow of conversations across a distributed system with a high number of interacting entities is discussed and analyzed. Results from simulated laboratory experiments as well as observations from operational network traffic are presented. These results suggest that our approach presents a unique perspective on anomalies in computer network traffic. Additionally, this approach produces a normal statistic that could viably be analyzed with ML/MSE estimators.

Modeling Traffic Flow Using Conversation Exchange Dynamics for Identifying Network Attacks

We present a novel approach to identifying anomalous network events Specifically, a method for characterizing and displaying the flow of conversations across a distributed system with a high number of interacting entities is discussed and analyzed. Results from from attacks contained in the DARPA Lincoln Lab IDS test data and from operational network traffic are presented. These results suggest that our approach presents a unique perspective on anomalies in computer network traffic.