Pratyusa K. Manadhata

An Attack Surface Metric

Measurement of software security is a long-standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence, the need for metrics is more pressing now due to a growing demand for secure software. In this paper, we propose using a software systems attack surface measurement as an indicator of the systems security. We formalize the notion of a systems attack surface and introduce an attack surface metric to measure the attack surface in a systematic manner. Our measurement method is agnostic to a software systems implementation language and is applicable to systems of all sizes; we demonstrate our method by measuring the attack surfaces of small desktop applications and large enterprise systems implemented in C and Java. We conducted three exploratory empirical studies to validate our method. Software developers can mitigate their softwares security risk by measuring and reducing their softwares attack surfaces. Our attack surface reduction approach complements the software industrys traditional code quality improvement approach for security risk mitigation and is useful in multiple phases of the software development lifecycle. Our collaboration with SAP demonstrates the use of our metric in the software development process.

Big Data Analytics for Security

Big data is changing the landscape of security tools for network monitoring, security information and event management, and forensics; however, in the eternal arms race of attack and defense, security researchers must keep exploring novel ways to mitigate and contain sophisticated attackers.

Measuring the attack surfaces of two FTP daemons

Software consumers often need to choose between different software that provide the same functionality. Today, security is a quality that many consumers, especially system administrators, care about and will use in choosing one soft- ware system over another. An attack surface metric is a security metric for comparing the relative security of similar software systems [7]. The measure of a systems attack surface is an indicator of the systems security: given two systems, we compare their attack surface measurements to decide whether one is more secure than another along each of the following three dimensions: methods, channels, and data. In this paper, we use the attack surface metric to measure the attack surfaces of two open source FTP daemons: ProFTPD 1.2.10 and Wu-FTPD 2.6.2. Our measurements show that ProFTPD is more secure along the method dimension, ProFTPD is as secure as Wu-FTPD along the channel dimension, and Wu-FTPD is more secure along the data dimension. We also demonstrate how software consumers can use the attack surface metric in making a choice between the two FTP daemons.

A Formal Model for a System’s Attack Surface

Practical software security metrics and measurements are essential for secure software development. In this chapter, we introduce the measure of a software system’s attack surface as an indicator of the system’s security. The larger the attack surface, the more insecure the system. We formalize the notion of a system’s attack surface using an I/O automata model of the system and introduce an attack surface metric to measure the attack surface in a systematic manner. Our metric is agnostic to a software system’s implementation language and is applicable to systems of all sizes. Software developers can use the metric in multiple phases of the software development process to improve software security. Similarly, software consumers can use the metric in their decision making process to compare alternative software.

The Operational Role of Security Information and Event Management Systems

An integral part of an enterprise computer security incident response team (CSIRT), the security operations center (SOC) is a centralized unit tasked with real-time monitoring and identification of security incidents. Security information and event management (SIEM) systems are an important tool used in SOCs; they collect security events from many diverse sources in enterprise networks, normalize the events to a common format, store the normalized events for forensic analysis, and correlate the events to identify malicious activities in real time. In this article, the authors discuss the critical role SIEM systems play SOCs, highlight the current operational challenges in effectively using SIEM systems, and describe future technical challenges that SIEM systems must overcome to remain relevant.

Detecting Malicious Domains via Graph Inference

Enterprises routinely collect terabytes of security relevant data, e.g., network logs and application logs, for several reasons such as cheaper storage, forensic analysis, and regulatory compliance. Analyzing these big data sets to identify actionable security information and hence to improve enterprise security, however, is a relatively unexplored area. In this paper, we introduce a system to detect malicious domains accessed by an enterprise’s hosts from the enterprise’s HTTP proxy logs. Specifically, we model the detection problem as a graph inference problemwe construct a host-domain graph from proxy logs, seed the graph with minimal ground truth information, and then use belief propagation to estimate the marginal probability of a domain being malicious. Our experiments on data collected at a global enterprise show that our approach scales well, achieves high detection rates with low false positive rates, and identifies previously unknown malicious domains when compared with state-of-the-art systems. Since malware infections inside an enterprise spread primarily via malware domain accesses, our approach can be used to detect and prevent malware infections.

Game Theoretic Approaches to Attack Surface Shifting

A software system’s attack surface is the set of ways in which the system can be attacked. In our prior work, we introduced an attack surface measurement and reduction method to mitigate a software system’s security risk (Manadhata, An attack surface metric, Ph.D. thesis, Carnegie Mellon University, 2008; Manadhata and Wing, IEEE Trans. Softw. Eng. 37:371–386, 2011). In this paper, we explore the use of attack surface shifting in the moving target defense approach. We formalize the notion of shifting the attack surface and introduce a method to quantify the shift. We cast the moving target defense approach as a security-usability trade-off and introduce a two-player stochastic game model to determine an optimal moving target defense strategy. A system’s defender can use our game theoretic approach to optimally shift and reduce the system’s attack surface.

Authenticating a mobile device's location using voice signatures

Providers of location-based services seek new methods to authenticate the location of their clients. We propose a novel infrastructure-based solution that provides spontaneous and transaction-oriented mobile device location authentication via an integrated 802.11× wireless access point and 3G femtocell access system. By simply making a voice call while remotely monitoring femtocell activity, a calling party can verify a (co-operating) called partys location even when the participants have no pre-existing relationship. We show how such a traffic signature can be reliably detected even in the presence of heavy cross-traffic introduced by other femtocell users. We describe how the verification proceeds without revealing details of the authentication - or even the parties involved - to the location provider.

Traffic Signature-based Mobile Device Location Authentication

Spontaneous and robust mobile device location authentication can be realized by supplementing existing 802.11x access points (AP) with small cells. We show that by transferring network traffic to a mobile computing device associated with a femtocell while remotely monitoring its ingress traffic activity, any internet-connected sender can verify the cooperating receivers location. We describe a prototype non-cryptographic location authentication system we constructed, and explain how to design both voice and data transmissions with distinct, discernible traffic signatures. Using both analytical modeling and empirical results from our implementation, we demonstrate that these signatures can be reliably detected even in the presence of heavy cross-traffic introduced by other femtocell users.

Fast submatch extraction using OBDDs

Network-based intrusion detection systems (NIDS) commonly use pattern languages to identify packets of interest. Similarly, security information and event management (SIEM) systems rely on pattern languages for real-time analysis of security alerts and event logs. Both NIDS and SIEM systems use pattern languages extended from regular expressions. One such extension, the submatch construct, allows the extraction of substrings from a string matching a pattern. Existing solutions for submatch extraction are based on non-deterministic finite automata (NFAs) or recursive backtracking. NFA-based algorithms are time-inefficient. Recursive backtracking algorithms perform poorly on pathological inputs generated by algorithmic complexity attacks. We propose a new approach for submatch extraction that uses ordered binary decision diagrams (OBDDs) to represent and operate pattern matching. Our evaluation using patterns from the Snort HTTP rule set and a commercial SIEM system shows that our approach achieves its ideal performance when patterns are combined. In the best case, our approach is faster than RE2 and PCRE by one to two orders of magnitude.