Shyhtsun Felix Wu

IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution

IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security policy enforcement can create significant problems for end-to-end communication because of interaction among policies in different domains. A policy management system is, therefore, demanded to systematically manage and verify various IPSec policies in order to ensure an end-to-end security service. This paper contributes to the development of an IPSec policy management system in two aspects. First, we defined a high-level security requirement, which not only is an essential component to automate the policy specification process of transforming from security requirements to specific IPSec policies but also can be used as criteria to detect conflicts among IPSec policies, i.e. policies are correct only if they satisfy all requirements. Second, we developed mechanisms to detect and resolve conflicts among IPSec policies in both intradomain and inter-domain environment.

Design and implementation of a scalable intrusion detection system for the protection of network infrastructure

This paper presents the design, implementation, and experimentation of the JiNao intrusion detection system (IDS) which focuses on the protection of the network routing infrastructure. We used the open shortest path first (OSPF) routing protocol as an implementation example to illustrate our IDS design. However, the system architecture is generic enough that the JiNao IDS can be used for protecting other protocols. The system features attack prevention and intrusion detection with tightly integrated network management components. The prevention module functions like a firewall which consists of a small set of rules. Both misuse (protocol analysis) and anomaly (statistical based) approaches are implemented as detection mechanisms in order to handle both known and unknown attacks. Four OSPF attacks (i.e., MaxSeq, MaxAge, Seq++, and LSID attacks) have been developed for evaluating JiNaos detecting capability. Furthermore, an SNMP based network management interface has been designed and implemented such that the JiNao IDS can be easily integrated with existing network management systems.

Analysis of user keyword similarity in online social networks

How do two people become friends? What role does homophily play in bringing two people closer to help them forge friendship? Is the similarity between two friends different from the similarity between any two people? How does the similarity between a friend of a friend compare to similarity between direct friends? In this work, our goal is to answer these questions. We study the relationship between semantic similarity of user profile entries and the social network topology. A user profile in an on-line social network is characterized by its profile entries. The entries are termed as user keywords. We develop a model to relate keywords based on their semantic relationship and define similarity functions to quantify the similarity between a pair of users. First, we present a ‘forest model’ to categorize keywords across multiple categorization trees and define the notion of distance between keywords. Second, we use the keyword distance to define similarity functions between a pair of users. Third, we analyze a set of Facebook data according to the model to determine the effect of homophily in on-line social networks. Based on our evaluations, we conclude that direct friends are more similar than any other user pair. However, the more striking observation is that except for direct friends, similarities between users are approximately equal, irrespective of the topological distance between them.

DECIDUOUS: decentralized source identification for network-based intrusions

DECIDUOUS is a security management framework for identifying the sources of network-based intrusions. The first key concept in DECIDUOUS is dynamic security associations, which efficiently and collectively provide location information for attack sources. DECIDUOUS is built on top of the IETFs IPSEC/ISAKMP infrastructure, and it does not introduce any new network protocol for source identification in a single administrative domain. It defines a collaborative protocol for inter-domain attack source identification. The second key concept in DECIDUOUS is the management information integration of the intrusion detection system (IDS) and attack source identification system (ASIS) across different protocol layers. For example, in DECIDUOUS, it is possible for a network-layer security control protocol (e.g., IPSEC) to collaborate with an application-layer intrusion detection system module (e.g., IDS for the SNMP engine). In this paper, we present the motivations, design, and prototype implementation of the DECIDUOUS framework.

An experimental study of insider attacks for OSPF routing protocol

It is critical to protect the network infrastructure (e.g., network routing and management protocols) against security intrusions, yet dealing with insider attacks are probably one of the most challenging research problems in network security. We study the security threats, especially internal/insider threats, for the standardized routing protocol OSPF. In OSPF, a group of routers collaborate, exchange routing information, and forward packets for each other. If one (and maybe more than one) router is evil or compromised, how can this router damage the whole network? In this paper, we analyze OSPF and identify its strengths and weakness under various insider attacks. Furthermore, to confirm our analysis, we have implemented and experimented one attack, the max sequence number attack, on our OSPF routing testbed. Our attack is very successful against two independently developed router products as it will block routing updates for 60 minutes by simply injecting one bad OSPF protocol data unit.

Preventing denial of service attacks on quality of service

Capabilities are being added to IP networks to support quality of service (QoS) guarantees. These guarantees are needed for many applications, such as voice and video transmission, real-time control, etc. Little attention has been paid to making these capabilities secure; in their present form, they are vulnerable to attack. The ARQoS project is examining these vulnerabilities, and ways to prevent denial-of-service attacks on QoS capabilities. In this paper, we describe two important parts of the project. The first part is the application of a pricing paradigm to resource allocation. User acquisition of network resources must be authorized, and the relative amount of resources that can be requested is carefully controlled. We present a distributed method of pricing which is highly flexible and responsive to changing conditions. Experimental results illustrate its effectiveness. The second part is the detection of TCP dropping attacks by compromised routers. The detection occurs at the end system and does not require any cooperation from the network. We have enhanced a method of statistically analyzing traffic patterns to detect dropping attacks. The method has been implemented and tested over the Internet, and results are presented.

Securing QoS threats to RSVP messages and their countermeasures

In this paper, we study one type of DoQoNS (denial of quality of network service) attacks: attacks directly on the resource reservation and setup protocol. Particularly, we have studied and analyzed the RSVP protocol. Two contributions are: first, we performed a security analysis on RSVP which demonstrates the key vulnerabilities of its distributed resource reservation and setup process. Second, we proposed a new secure RSVP protocol, SDS/CD (selective digital signature with conflict detection), which combines the strength of attack prevention and intrusion detection. SDS/CD resolves a fundamental issue in network security: how to protect the integrity, in an end-to-end fashion, of a target object that is mutable along the route path. As a result, we will show that SDS/CD can deal with many insider attacks that can not be handled by the current IETF/RSVP security solution: hop-by-hop authentication.

Statistical anomaly detection for link-state routing protocols

The JiNao project at MCNC/NCSU focuses on detecting intrusions, especially insider attacks, against the OSPF (open shortest path first) routing protocol. This paper presents the implementation and experiments of JiNaos statistical intrusion detection module. Our implementation is based upon the algorithm developed in SRIs NIDES (next-generation intrusion detection expert system) project. Some modifications and improvements to NIDES/STAT are made for a more effective implementation in our environment. Also, three OSPF insider attacks (e.g., maxseq, maxage, and seq++ attacks) have been developed for evaluating the efficacy of detecting capability. The experiments were conducted on two different network routing testbeds. The results indicate that the proposed statistical mechanism is very effective in detecting these routing protocol attacks.

Bands: an inter-domain Internet security policy management system for IPSec/VPN

IPSec/VPN is widely deployed for users to remotely access their corporate data. IPSec policies must be correctly set up for VPN to provide anticipated protection. Manual policy setup is unscalable, inefficient and error-prone. Automated policy generation to comply with and enforce high-level security policies is desired but difficult, especially in an inter-domain environment when a VPN traverses multiple domains. This paper presents a distributed framework and protocol, BANDS, for inter-domain policy negotiation and generation. The BANDS architecture consists of two phases: AS (autonomous system) route path discovery and an inter-domain collaborative protocol for policy negotiation among the autonomous systems discovered in the first phase. Each AS conceptually has one security requirement server responsible for the task of inter-domain policy negotiation. Following this two-step process in BANDS, a set of distributed security policies (for the implementation of policy enforcement) is automatically negotiated/generated based on decentralized and predefined security requirements.

On the Concept of Trust in Online Social Networks

Online Social Networks (OSNs), such as Facebook, Twitter, and Myspace, provide new and interesting ways to communicate, share, and meet on the Internet. On the one hand, these features have arguably made many of the OSNs quite popular among the general population but the growth of these networks has raised issues and concerns related to trust, privacy and security. On the other hand, some would argue that the true potential of OSNs has yet to be unleashed. The mainstream media have uncovered a rising number of potential and occurring problems, including: incomprehensible security settings, unlawful spreading of private or copyrighted information, the occurrence of threats and so on. We present a set of approaches designed to improve the trustworthiness of OSNs. Each approach is described and related to ongoing research projects and to views expressed about trust by surveyed OSN users. Finally, we present some interesting pointers to future work.