Stuart E. Schechter

Fast Detection of Scanning Worm Infections

Worm detection and response systems must act quickly to identify and quarantine scanning worms, as when left unchecked such worms have been able to infect the majority of vulnerable hosts on the Internet in a matter of minutes [9]. We present a hybrid approach to detecting scanning worms that integrates significant improvements we have made to two existing techniques: sequential hypothesis testing and connection rate limiting. Our results show that this two-pronged approach successfully restricts the number of scans that a worm can complete, is highly effective, and has a low false alarm rate.

Using path profiles to predict HTTP requests

Abstract Webmasters often use the following rule of thumb to ensure that HTTP server performance does not degrade when traffic is its heaviest — provide twice the server capacity required to handle your sites average load. As a result the server will spend half of its CPU cycles idle during normal operation. These cycles could be used to reduce the latency of a significant subset of HTTP transactions handled by the server. In this paper we introduce the use of path profiles for describing HTTP request behavior and describe an algorithm for efficiently creating these profiles. We then show that we can predict request behavior using path profiles with high enough probability to justify generating dynamic content before the client requests it. If requests are correctly predicted and pre-generated by the server, the end user will witness significantly lower latencies for these requests.

How Much Security Is Enough to Stop a Thief

We address the question of how much security is required to protect a packaged system, installed in a large number of organizations, from thieves who would exploit a single vulnerability to attack multiple installations. While our work is motivated by the need to help organizations make decisions about how to defend themselves, we also show how they can better protect themselves by helping to protect each other.

Anonymous Authentication of Membership in Dynamic Groups

We present a series of protocols for authenticating an individuals membership in a group without revealing that individuals identity and without restricting how the membership of the group may be changed. In systems using these protocols a single message to the authenticator may be used by an individual to replace her lost key or by a trusted third party to add and remove members of the group. Applications in electronic commerce and communication can thus use these protocols to provide anonymous authentication while accommodating frequent changes in membership. We build these protocols on top of a new primitive: the verifiably common secret encoding. We show a construction for this primitive, the security of which is based on the existence of public-key cryptosystems capable of securely encoding multiple messages containing the same plaintext. Because the size of our construct grows linearly with the number of members in the group, we describe techniques for partitioning groups to improve performance.

Trusted Computing, Peer-to-Peer Distribution, and The Economics of Pirated Entertainment

To thwart piracy the entertainment industry must keep distribution costs high, reduce the size of distribution networks, and (if possible) raise the cost of extracting content. However, if ‘trusted computing’ mechanisms deliver on their promises, large peer-to-peer distribution networks will be more robust against attack and trading in pirated entertainment will become safer, more reliable, and thus cheaper. Since it will always be possible for some individuals to extract content from the media on which it is stored, future entertainment may be more vulnerable to piracy than before the introduction of ‘trusted computing’ technologies.

Access for sale: a new class of worm

The damage inflicted by viruses and worms has been limited by the risks that come with the more lucrative payloads. The problem facing authors of self-reproducing malware is that monetizing each intrusion requires the author to risk communication with the infected system. Malware authors looking to minimize risk and maximize loot have been better off carefully targeting trojan horses at a few systems at a time. However, this could change if malware authors could infect a large number of systems using a worm and sell access to infected systems to other black hats. We introduce a new type of worm that enables this division of labor, installing a back door on each infected system that opens only when presented a system-specific ticket generated by the worms author. The risk to the worms author is minimized because he need not communicate with the infected systems. This new class of attack could increase the incentives to write malware and create a market for such specialized skills. In addition to describing this new threat, we propose a number of approaches for defending against it.

How to Buy Better Testing Using Competition to Get the Most Security and Robustness for Your Dollar

Without good testing, systems cannot be made secure or robust. Without metrics for the quality and security of system components, no guarantees can be made about the systems they are used to construct. This paper describes how firms can make the testing process faster and more cost effective while simultaneously providing a reliable metric of quality as one of the outputs of the process. This is accomplished via a market for defect reports, in which testers maximize profits by minimizing the cost of finding defects. The power of competition is harnessed to ensure that testers are paid a fair price for the defects they discover, thereby aligning their incentives with those of the firm developing the system. The price to find, demonstrate, and report a defect that is set by the market serves as the measure of quality.