
Publication


Featured researches published by Prasad Rao.


symposium on access control models and technologies | 2008

Fast exact and heuristic methods for role minimization problems

Alina Ene; William G. Horne; Nikola Milosavljevic; Prasad Rao; Robert Schreiber; Robert Endre Tarjan

We describe several new bottom-up approaches to problems in role engineering for Role-Based Access Control (RBAC). The salient problems are all NP-complete, even to approximate, yet we find that in instances that arise in practice these problems can be solved in minutes. We first consider role minimization, the process of finding a smallest collection of roles that can be used to implement a pre-existing user-to-permission relation. We introduce fast graph reductions that allow recovery of the solution from the solution to a problem on a smaller input graph. For our test cases, these reductions either solve the problem, or reduce the problem enough that we find the optimum solution with a (worst-case) exponential method. We introduce lower bounds that are sharp for seven of nine test cases and are within 3.4% on the other two. We introduce and test a new polynomial-time approximation that on average yields 2% more roles than the optimum. We next consider the related problem of minimizing the number of connections between roles and users or permissions, and we develop effective heuristic methods for this problem as well. Finally, we propose methods for several related problems.


european symposium on research in computer security | 2014

Detecting Malicious Domains via Graph Inference

Pratyusa K. Manadhata; Sandeep Yadav; Prasad Rao; William G. Horne

Enterprises routinely collect terabytes of security relevant data, e.g., network logs and application logs, for several reasons such as cheaper storage, forensic analysis, and regulatory compliance. Analyzing these big data sets to identify actionable security information and hence to improve enterprise security, however, is a relatively unexplored area. In this paper, we introduce a system to detect malicious domains accessed by an enterprise’s hosts from the enterprise’s HTTP proxy logs. Specifically, we model the detection problem as a graph inference problem: we construct a host-domain graph from proxy logs, seed the graph with minimal ground truth information, and then use belief propagation to estimate the marginal probability of a domain being malicious. Our experiments on data collected at a global enterprise show that our approach scales well, achieves high detection rates with low false positive rates, and identifies previously unknown malicious domains when compared with state-of-the-art systems. Since malware infections inside an enterprise spread primarily via malware domain accesses, our approach can be used to detect and prevent malware infections.


enterprise distributed object computing | 2009

Scalable, accountable privacy management for large organizations

Siani Pearson; Prasad Rao; Tomas Sander; Alan Parry; Allan Paull; Satish Patruni; Venkata Dandamudi-Ratnakar; Pranav Sharma

Accountability is emerging as an important theme within the regulatory privacy community. For global corporations, demonstrating accountability is no easy task due to the potentially large number of projects that have privacy sensitive aspects, privacy oversight being a mostly manual process and privacy staff typically being small. So how can a company present proof points that its projects comply with its privacy promises and obligations? In this paper we address this problem by introducing a technology-based solution for scalable, accountable privacy management across an organization. We present an Accountability Model Tool (AMT) that addresses the problem of capturing data about business processes in order to determine their privacy compliance. AMT utilizes an intelligent questionnaire with good completeness properties and is based on an augmented rule engine.


wireless and mobile computing, networking and communications | 2012

Authenticating a mobile device's location using voice signatures

Jack Brassil; Ravi Netravali; Stuart Haber; Pratyusa K. Manadhata; Prasad Rao

Providers of location-based services seek new methods to authenticate the location of their clients. We propose a novel infrastructure-based solution that provides spontaneous and transaction-oriented mobile device location authentication via an integrated 802.11x wireless access point and 3G femtocell access system. By simply making a voice call while remotely monitoring femtocell activity, a calling party can verify a (co-operating) called party's location even when the participants have no pre-existing relationship. We show how such a traffic signature can be reliably detected even in the presence of heavy cross-traffic introduced by other femtocell users. We describe how the verification proceeds without revealing details of the authentication - or even the parties involved - to the location provider.


architectures for networking and communications systems | 2012

Fast submatch extraction using OBDDs

Liu Yang; Pratyusa K. Manadhata; William G. Horne; Prasad Rao; Vinod Ganapathy

Network-based intrusion detection systems (NIDS) commonly use pattern languages to identify packets of interest. Similarly, security information and event management (SIEM) systems rely on pattern languages for real-time analysis of security alerts and event logs. Both NIDS and SIEM systems use pattern languages extended from regular expressions. One such extension, the submatch construct, allows the extraction of substrings from a string matching a pattern. Existing solutions for submatch extraction are based on non-deterministic finite automata (NFAs) or recursive backtracking. NFA-based algorithms are time-inefficient. Recursive backtracking algorithms perform poorly on pathological inputs generated by algorithmic complexity attacks. We propose a new approach for submatch extraction that uses ordered binary decision diagrams (OBDDs) to represent and operate pattern matching. Our evaluation using patterns from the Snort HTTP rule set and a commercial SIEM system shows that our approach achieves its ideal performance when patterns are combined. In the best case, our approach is faster than RE2 and PCRE by one to two orders of magnitude.


integrated network management | 2009

Analyzing end-to-end network reachability

Sruthi Bandhakavi; Sandeep N. Bhatt; Cat Okita; Prasad Rao

Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered, components. As configurations evolve, a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a general technique to analyze all the end-to-end accesses from the configuration files of network routers, switches and firewalls. We efficiently analyze certain state-dependent filter rules. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected behavior such as unwanted accesses or unreachable services. Our technique can also be used as part of the change management process, to help prevent network misconfiguration.


information security conference | 2011

On Computing Enterprise IT Risk Metrics

Sandeep N. Bhatt; William G. Horne; Prasad Rao

Assessing the vulnerability of large heterogeneous systems is crucial to IT operational decisions such as prioritizing the deployment of security patches and enhanced monitoring. These assessments are based on various criteria, including (i) the NIST National Vulnerability Database which reports tens of thousands of vulnerabilities on individual components, with several thousand added every year, and (ii) the specifics of the enterprise IT infrastructure which includes many components.


language and automata theory and applications | 2013

Efficient Submatch Extraction for Practical Regular Expressions

Stuart Haber; William G. Horne; Pratyusa K. Manadhata; Miranda Mowbray; Prasad Rao

A capturing group is a syntax used in modern regular expression implementations to specify a subexpression of a regular expression. Given a string that matches the regular expression, submatch extraction is the process of extracting the substrings corresponding to those subexpressions. Greedy and reluctant closures are variants on the standard closure operator that impact how submatches are extracted. The state of the art and practice in submatch extraction are automata based approaches and backtracking algorithms. In theory, the number of states in an automata-based approach can be exponential in n, the size of the regular expression, and the running time of backtracking algorithms can be exponential in l, the length of the string. In this paper, we present an O(lc) runtime automata based algorithm for extracting submatches from a string that matches a regular expression, where c > 0 is the number of capturing groups. The previous fastest automata based algorithm was O(nlc). Both our approach and the previous fastest one require worst-case exponential compile time. But in practice, the worst case behavior rarely occurs, so achieving a practical speed-up against state-of-the-art methods is of significant interest. Our experimental results show that, for a large set of regular expressions used in practice, our algorithm is approximately twice as fast as Java’s backtracking based regular expression library and approximately twenty times faster than the RE2 regular expression engine.


Archive | 2002

Method and system for security policy management

James E. Burns; Aileen Cheng; Provin Gurung; Siva Rajagopalan; Prasad Rao; Surendran Varadarajan


Archive | 2007

Policy based, delegated limited network access management

Iver E. Band; William G. Horne; Prasad Rao; Peter An-Ping Huang

Collaboration


Dive into Prasad Rao's collaboration.

Top Co-Authors

Ravi Netravali

Massachusetts Institute of Technology


Renata Vieira

Pontifícia Universidade Católica do Rio Grande do Sul
