William Yurcik
University of Illinois at Urbana–Champaign
Publication
Featured research published by William Yurcik.
visualization for computer security | 2004
Kiran Lakkaraju; William Yurcik; Adam J. Lee
The number of attacks against large computer systems is currently growing at a rapid pace. Despite the best efforts of security analysts, large organizations are having trouble keeping on top of the current state of their networks. In this paper, we describe a tool called NVisionIP that is designed to increase the security analyst's situational awareness. As humans are inherently visual beings, NVisionIP uses a graphical representation of a class-B network to allow analysts to quickly visualize the current state of their network. We present an overview of NVisionIP along with a discussion of various types of security-related scenarios that it can be used to detect.
visualization for computer security | 2004
Xiaoxin Yin; William Yurcik; Michael Treaster; Yifan Li; Kiran Lakkaraju
We present a visualization design to enhance the ability of an administrator to detect and investigate anomalous traffic between a local network and external domains. Central to the design is a parallel axes view which displays NetFlow records as links between two machines or domains while employing a variety of visual cues to assist the user. We describe several filtering options that can be employed to hide uninteresting or innocuous traffic such that the user can focus his or her attention on the more unusual network flows. This design is implemented in the form of VisFlowConnect, a prototype application which we used to study the effectiveness of our visualization approach. Using VisFlowConnect, we were able to discover a variety of interesting network traffic patterns. Some of these were harmless, normal behavior, but some were malicious attacks against machines on the network.
annual computer security applications conference | 2003
Cristina L. Abad; Jed Taylor; Cigdem Sengul; William Yurcik; Yuanyuan Zhou; Kenneth E. Rowe
Intrusion detection is an important part of networked-systems security protection. Although commercial products exist, finding intrusions has proven to be a difficult task with limitations under current techniques. Therefore, improved techniques are needed. We argue the need for correlating data among different logs to improve intrusion detection systems' accuracy. We show how different attacks are reflected in different logs and argue that some attacks are not evident when a single log is analyzed. We present experimental results using anomaly detection for the virus Yaha. Through the use of data mining tools (RIPPER) and correlation among logs we improve the effectiveness of an intrusion detection system while reducing false positives.
technical symposium on computer science education | 2002
Gregory Wolffe; William Yurcik; Hugh Osborne; Mark A. Holliday
As the complexity and variety of computer system hardware increases, its suitability as a pedagogical tool in computer organization/architecture courses diminishes. As a consequence, many instructors are turning to simulators as teaching aids, often using valuable teaching/research time to construct them. Many of these simulators have been made freely available on the Internet, providing a useful and time-saving resource for other instructors. However, finding the right simulator for a particular course or topic can itself be a time-consuming process. The goal of this paper is to provide an easy-to-use survey of free and Internet-accessible computer system simulators as a resource for all instructors of computer organization and computer architecture courses.
international conference on information technology coding and computing | 2005
Ragib Hasan; Zahid Anwar; William Yurcik; Larry Brumbaugh; Roy H. Campbell
The popularity of distributed file systems continues to grow. Reasons they are preferred over traditional centralized file systems include fault tolerance, availability, scalability and performance. In addition, peer-to-peer (P2P) system concepts and scalable functions are being incorporated into the domain of file systems. This survey paper explores the design paradigms and important issues that relate to such systems and discusses the various research activities in the field of distributed peer-to-peer file systems.
arXiv: Cryptography and Security | 2005
Adam J. Slagell; William Yurcik
Logs are one of the most fundamental resources to any security professional. It is widely recognized by the government and industry that it is both beneficial and desirable to share logs for the purpose of security research. However, the sharing is not happening or not to the degree or magnitude that is desired. Organizations are reluctant to share logs because of the risk from exposing sensitive information to potential attackers. In this paper we survey current attempts at sharing logs and current log anonymization tools. We further define the problem and describe a roadmap to solve the issues that have to date inhibited large scale log sharing.
workshop on storage security and survivability | 2005
Ragib Hasan; Suvda Myagmar; Adam J. Lee; William Yurcik
The growing number of storage security breaches as well as the need to adhere to government regulations is driving the need for greater storage protection. However, there is the lack of a comprehensive process to designing storage protection solutions. Designing protection for storage systems is best done by utilizing proactive system engineering rather than reacting with ad hoc countermeasures to the latest attack du jour. The purpose of threat modeling is to organize system threats and vulnerabilities into general classes to be addressed with known storage protection techniques. Although there has been prior work on threat modeling primarily for software applications, to our knowledge this is the first attempt at domain-specific threat modeling for storage systems. We discuss protection challenges unique to storage systems and propose two different processes to creating a threat model for storage systems: one based on classical security principles (Confidentiality, Integrity, Availability, Authentication, or CIAA) and another based on the Data Lifecycle Model. It is our hope that this initial work will start a discussion on how to better design and implement storage protection solutions against storage threats.
International Journal of Electronic Commerce | 2005
Ian MacInnes; Yifan Li; William Yurcik
This study presents a conceptual framework for determining what factors affect the likelihood of disputes in e-commerce. It hypothesizes that disputes decrease as seller and buyer reputation and experience increase, and further that the likelihood of disputes is contingent on product price, payment method, and amount of information about the product. The empirical model is tested using five goods and services. The results indicate that reputation mechanisms deter the undesirable behavior that can lead to disputes, that experienced users are less likely to be involved in disputes than inexperienced ones, that consumer-to-consumer transactions are more likely to result in disputes than transactions between businesses, and that transactions in services are more likely to result in disputes than those in goods. The implications for auction sites include the possibility for tracking disputes and improving reputation mechanisms by incorporating information about product types, payment methods, and prices.
Proceedings of SPIE - The International Society for Optical Engineering | 2004
Cristina L. Abad; William Yurcik; Roy H. Campbell
Multicasting at the IP layer has not been widely adopted due to a combination of technical and non-technical issues. End-system multicast (also called application-layer multicast) is an attractive alternative to IP layer multicast for reasons of user management (set-up and control) and attack avoidance. Sessions can be established on demand such that there are no static points of failure to target in advance. In end-system multicast, an overlay network is built on top of available network services and packets are multicasted at the application layer. The overlay is organized such that each end host participating in a multicast communication re-sends multicasted messages to some of its peers, but not all of them. Thus end-system multicast allows users to manage multicast sessions under varying network conditions without being dependent on specific network conditions or specific network equipment maintaining multicast state information. In this paper we describe a variety of proposed end-system multicast solutions and classify them according to characteristics such as overlay building technique, management, and scalability. Comparing these characteristics across different end-system multicast solutions is a step toward understanding which solutions are appropriate for different battlespace requirements and where further research is needed.
technical symposium on computer science education | 2001
Lillian N. Cassel; Mark A. Holliday; Deepak Kumar; John Impagliazzo; Kevin Bolding; Murray Pearson; Jim Davies; Gregory Wolffe; William Yurcik
This report presents preliminary results from our project on creating distributed expertise for teaching computer organization & architecture course(s) in the undergraduate computer science curriculum. We present the details of an online survey designed to gather information from faculty on the current state of teaching this course. The survey also tries to identify specific areas of need for creating distributed expertise as reported by various faculty. We also present several resources that have been identified that are available for use by faculty teaching the course(s). This report represents a mid-point of an ongoing two-year study. Following a discussion of the currently identified needs, we discuss ways to address them and conclude the report with a plan of action that will follow in the next phase of the project.