Matt Bishop
University of California, Davis
Publications
Featured research published by Matt Bishop.
IEEE Symposium on Security and Privacy | 2003
Matt Bishop
Computer and network security, or cybersecurity, are critical issues. But merely protecting the systems that hold data about citizens, corporations, and government agencies is not enough. The infrastructure of networks, routers, domain name servers, and switches that glue these systems together must not fail, or computers will no longer be able to communicate accurately or reliably. Given the magnitude of securing cyberspace, a reflection on what we are trying to do seems in order. Several questions arise, such as what exactly the infrastructure is, what threats it must be secured against, and how protection can be provided on a cost-effective basis. But underlying all these questions is how to define a secure system. What is security? Having it is obviously good; everyone says so. But few people define it exactly, or even nebulously. This column tries to place cybersecurity in perspective, because it is, of course, central to countries, organizations, and even home users now and in the future.
ACM Transactions on Information and System Security | 2007
Jingmin Zhou; Mark R. Heckman; Brennen Reynolds; Adam J. Carlson; Matt Bishop
Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability. We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. The experimental results of the correlator using several intrusion datasets demonstrate that the approach is effective in both alert fusion and alert correlation and has the ability to correlate alerts of complex multistage intrusions. In several instances, the alert correlator successfully correlated more than two thousand Snort alerts involved in massive scanning incidents. It also helped us find two multistage intrusions that were missed in auditing by the security officers.
Hawaii International Conference on System Sciences | 2011
Brian Hay; Kara L. Nance; Matt Bishop
Securing our digital assets has become increasingly challenging as our reliance on rapidly evolving technologies continues to grow. The security perimeter in computing has changed from a well-defined boundary that was relatively easy to identify and defend, to an elastic boundary that is constantly changing and for which the threats are constantly evolving. This paper investigates the complex security challenges that are introduced by the trend towards Infrastructure as a Service (IaaS)-based cloud computing. While not exhaustive, it identifies some technological and legal issues and concerns from the perspectives of identified stakeholders, and suggests some future directions for security research and development to help advance the security posture of this technology.
IEEE Symposium on Security and Privacy | 2008
Kara L. Nance; Matt Bishop; Brian Hay
As virtualization becomes increasingly mainstream, virtual machine introspection techniques and tools are evolving to monitor VM behavior. A survey of existing approaches highlights key requirements, which are addressed by a new tool suite for the Xen VM monitoring system.
ACM Sigsoft Software Engineering Notes | 1997
George Fink; Matt Bishop
The goal of software testing analysis is to validate that an implementation satisfies its specifications. Many errors in software are caused by generalizable flaws in the source code. Property-based testing assures that a given program is free of specified generic flaws. Property-based testing uses property specifications and a data-flow analysis of the program to guide evaluation of test executions for correctness and completeness.
Cyber Security and Information Intelligence Research Workshop | 2008
Matt Bishop; Carrie Gates
Many diverse groups have studied the insider threat problem, including government organizations such as the Secret Service, federally-funded research organizations such as RAND and CERT, and university researchers. In addition, many industry participants are interested in the problem, such as those in the financial sector. However, despite this interest, no consistent definition of an insider has emerged.
Symposium on Operating Systems Principles | 1979
Matt Bishop; Lawrence Snyder
In the context of a capability-based protection system, the term "transfer" is used (here) to refer to the situation where a user receives information when he does not initially have a direct "right" to it. Two transfer methods are identified: de jure transfer refers to the case when the user acquires the direct authority to read the information; de facto transfer refers to the case when the user acquires the information (usually in the form of a copy and with the assistance of others), without necessarily being able to get the direct authority to read the information. The Take-Grant Protection Model, which already models de jure transfers, is extended with four rewriting rules to model de facto transfer. The configurations under which de facto transfer can arise are characterized. Considerable motivational discussion is included.
Hawaii International Conference on System Sciences | 2009
Kara L. Nance; Brian Hay; Matt Bishop
While many fields have well-defined research agendas, evolution of the field of digital forensics has been largely driven by practitioners in the field. As a result, the majority of the tools and practice have been developed in response to a diverse set of specific threats or scenarios, rather than as the result of a research and development plan. In June 2008 a group of digital forensics researchers, educators and practitioners met as a working group at the Colloquium for Information Systems Security Education (CISSE 2008) to brainstorm ideas for the development of a research, education, and outreach agenda for Digital Forensics. This paper outlines some of the ideas generated and new research categories and areas identified at this meeting, as well as a plan for future development of a formalized research agenda.
Communications of The ACM | 2004
Ruzena Bajcsy; Terry Benzel; Matt Bishop; B. Braden; Carla E. Brodley; Sonia Fahmy; Sally Floyd; W. Hardaker; Anthony D. Joseph; George Kesidis; Karl N. Levitt; B. Lindell; Peng Liu; David J. Miller; R. Mundy; Clifford Neuman; Ron Ostrenga; Vern Paxson; P. Porras; Catherine Rosenberg; J. D. Tygar; Shankar Sastry; D. Sterne; S. F. Wu
Creating an experimental infrastructure for developing next-generation information security technologies.
IEEE Transactions on Dependable and Secure Computing | 2007
Sean Peisert; Matt Bishop; Sidney Karin; Keith Marzullo
This paper demonstrates the value of analyzing sequences of function calls for forensic analysis. Although this approach has been used for intrusion detection (that is, determining that a system has been attacked), its value in isolating the cause and effects of the attack has not previously been shown. We also look for not only the presence of unexpected events but also the absence of expected events. We tested these techniques using reconstructed exploits in su, ssh, and lpr, as well as proof-of-concept code, and, in all cases, were able to detect the anomaly and the nature of the vulnerability.