Publication


Featured research published by Paul D. Williams.


IEEE Transactions on Evolutionary Computation | 2002

An artificial immune system architecture for computer security applications

Paul K. Harmer; Paul D. Williams; Gregg H. Gunsch; Gary B. Lamont

With increased global interconnectivity and reliance on e-commerce, network services and Internet communication, computer security has become a necessity. Organizations must protect their systems from intrusion and computer virus attacks. Such protection must detect anomalous patterns by exploiting known signatures while monitoring normal computer programs and network usage for abnormalities. Current anti-virus and network intrusion detection (ID) solutions can become overwhelmed by the burden of capturing and classifying new viral strains and intrusion patterns. To overcome this problem, a self-adaptive distributed agent-based defense immune system based on biological strategies is developed within a hierarchical layered architecture. A prototype interactive system is designed, implemented in Java and tested. The results validate the use of a distributed-agent biological system approach toward the computer security problems of virus elimination and ID.


recent advances in intrusion detection | 2001

CDIS: Towards a Computer Immune System for Detecting Network Intrusions

Paul D. Williams; Kevin P. Anchor; John L. Bebo; Gregg H. Gunsch; Gary D. Lamont

Intrusion/misuse detection is the top information assurance priority of both the national interagency INFOSEC Research Council and the Office of the Assistant Secretary of Defense. Traditional IDSs are effective at detecting known attacks; however, developing truly proactive defensive systems remains an open problem. This research investigates the feasibility of using evolutionary search techniques, in the context of a computer immune system, to detect computer network intrusions, with particular emphasis on developing techniques for catching new attacks. The system provided very low false-negative and false-positive error rates during initial experimentation.


adaptive hardware and systems | 2007

Using Relocatable Bitstreams for Fault Tolerance

David P. Montminy; Rusty O. Baldwin; Paul D. Williams; Barry E. Mullins

The regular structure and addressing scheme for the Virtex-II family of field programmable gate arrays (FPGAs) allows the relocation of partial bitstreams through direct bitstream manipulation. Our bitstream translation program relocates modules on an FPGA by changing the partial bitstream of the module. To take advantage of relocatable modules, three fault tolerant circuit designs are developed and tested. While operating through a fault, these designs provide support for efficient and transparent replacement of the faulty module with a relocated fault-free module. The architecture of the FPGA and static logic significantly constrain the placement of relocatable modules, especially when a microprocessor is placed on the FPGA.


congress on evolutionary computation | 2002

The computer defense immune system: current and future research in intrusion detection

Kevin P. Anchor; Paul D. Williams; Gregg H. Gunsch; Gary B. Lamont

The Computer Defense Immune System is an artificial immune system for detecting computer viruses and network intrusions. This paper discusses the system architecture, presents current research and results in enhancing the system, and discusses planned future research topics that will be used to improve the system's capabilities.


military communications conference | 2007

A Qualia Framework for Awareness in Cyberspace

Timothy H. Lacey; Robert F. Mills; Richard A. Raines; Paul D. Williams; Steven K. Rogers

As the newest mission area for the US Air Force, cyberspace is getting a lot of attention, and rightfully so. Every person, system, and device that communicates via the use of electronics and the electromagnetic spectrum is a part of this fascinating domain. Cyberspace is not new...it has been around for many years. However, our understanding of how this domain can be exploited has increased dramatically in recent years. As users and managers of cyberspace, we need to know what is happening in this domain. More importantly, we must know how to defend our cyber resources, exploit an adversary's use of the domain, and hold the adversary's operations at risk if need be. All of this requires cyberspace awareness. This is not your grandfather's awareness (one-size-fits-all data overload), but awareness based upon what is relevant to each individual at any level of the command hierarchy, presented in a useable form. The objective is to attain universal situational awareness, defined as awareness across all media and including all the hierarchy.


international conference on artificial immune systems | 2007

An artificial immune system-inspired multiobjective evolutionary algorithm with application to the detection of distributed computer network intrusions

Charles R. Haag; Gary B. Lamont; Paul D. Williams; Gilbert L. Peterson

Contemporary signature-based intrusion detection systems are reactive in nature and are storage-limited. Their operation depends upon identifying an instance of an intrusion or virus and encoding it into a signature that is stored in its anomaly database, providing a window of vulnerability to computer systems during this time. Further, the maximum size of an Internet Protocol-based message requires a huge database in order to maintain possible signature combinations. To tighten this response cycle within storage constraints, this paper presents an innovative artificial immune system (AIS) integrated with a multiobjective evolutionary algorithm (MOEA). This new distributed intrusion detection system (IDS) design is intended to measure the vector of tradeoff solutions among detectors with regard to two independent objectives: best classification fitness and multiobjective hypervolume size. AIS antibody detectors promiscuously monitor network traffic for exact and variant abnormal system events based on only the detector's own data structure and the application domain truth set. Applied to the MIT-DARPA 1999 insider intrusion detection data set, this new software engineered AIS-MOEA IDS called jREMISA correctly classifies normal and abnormal events at a relatively high statistical level which is directly attributed to finding the proper detector affinity threshold.


international conference on system of systems engineering | 2007

A Hardware-based Architecture to Support Flexible Real-Time Parallel Intrusion Detection

Stephen Mott; Samuel Hart; David P. Montminy; Paul D. Williams; Rusty O. Baldwin

Providing security in today's complex computing systems is a daunting task. As systems (of systems) grow both increasingly pervasive and complex, defending them from attack or mischance at the systems of systems level becomes ever more challenging. We propose moving some security monitoring tasks from software to hardware which will allow real time detection of intrusions and errors. Our flexible architecture uses reconfigurable logic (such as field programmable gate arrays (FPGAs)) and operates in parallel with a general purpose computing environment. To that end, new hardware primitives are proposed that allow for gathering and monitoring the state of the main processor transparently (that is, the main processor is unaware of the monitoring) in real time. The result is a decrease in workload for the main processor while enhancing security. The monitoring primitives are tightly coupled with the monitored software, and can readily and automatically respond to changes in system characteristics such as new software applications or devices. By focusing on specific system components, including their interface with other system components, we believe we can enhance system of system security in ways not readily achievable using conventional, system-wide monitoring techniques.


Mobile Computing and Communications Review | 2009

Voice and video capacity of a secure IEEE 802.11g wireless network

Barry E. Mullins; Jason Seyba; Richard A. Raines; Benjamin W. P. Ramsey; Paul D. Williams

This paper describes an empirical evaluation of the ability of an IEEE 802.11g network to transport audio and video as well as compare audio quality in the presence and absence of an access point within an office environment using standard off-the-shelf hardware and default device configurations. The impact of securing the audio stream with WPA (WiFi Protected Access) on the perceived quality is also examined. Following the ITU-T P.800 recommendation, thirty-six human subjects assess audio and video quality using a Mean Opinion Score (MOS) on a wireless multimedia system. Experimental data suggest that securing the voice traffic has no significant effect on the quality of the audio signal received. Furthermore, an 18.4% improvement in the perceived quality of the audio signal can be achieved by routing the audio and video traffic through an access point instead of allowing the audio and video traffic to flow directly between two arbitrary nodes within a wireless local area network. Furthermore, increasing the number of conversations reduces the perceived quality of the audio signal by 23.5% and the video signal by 16.8%. Disabling video increases the perceived audio quality by 38.9%. This paper shows that the usable capacity, based on signal quality, of a standard IEEE 802.11g wireless multimedia system deployed in an office environment is two audio-only conversations or one audio/one video connection on the wireless network.


international conference on information security | 2008

Software cannot protect software: an argument for dedicated hardware in security and a categorization of the trustworthiness of information

Matthew Judge; Paul D. Williams; Yong Kim; Barry E. Mullins

There are many current classifications and taxonomies relating to computer security. One missing classification is the Trustworthiness of Information being received by the security system, which we define. This new classification along with Timeliness of Detection and Security level of the Security System present motivation for hardware-based security solutions. Including hardware is not an automatic solution to the limitations of software solutions. Advantages are only gained from hardware through design that ensures at least First-hand Information, dedicated monitors, explicit hardware communication, dedicated storage, and dedicated security processors.


international conference on critical infrastructure protection | 2008

Cyberspace Policy For Critical Infrastructures

Dorsey Wilkin; Richard A. Raines; Paul D. Williams; Kenneth M. Hopkinson

The first step in preparing any battlespace is to define the domain for attack and maneuver. The various military service components have directed authority to focus their efforts in specific domains of operations (e.g., naval operations are mainly in the maritime domain). However, cyberspace operations pose challenges because they span multiple operational domains. This paper focuses on U.S. cyberspace policy related to defending and exploiting critical infrastructure assets. Also, it examines the issues involved in delineating responsibility for U.S. defensive and offensive operations related to critical infrastructures.

Collaboration


Top Co-Authors

Richard A. Raines

Air Force Institute of Technology

Robert F. Mills

Air Force Institute of Technology

Barry E. Mullins

Air Force Institute of Technology

David P. Montminy

Air Force Institute of Technology

Gary B. Lamont

Air Force Institute of Technology

Gilbert L. Peterson

Air Force Institute of Technology

Gregg H. Gunsch

Air Force Institute of Technology

Rusty O. Baldwin

Air Force Institute of Technology

Kevin P. Anchor

Air Force Institute of Technology
