We develop a method for matching dynamic histories of program executions of two program versions. The matches produced can be useful in many applications including software piracy detection and several debugging scenarios. Unlike some static approaches for matching program versions, our approach does not require access to source code of the two program versions because dynamic histories can be collected by running instrumented versions of program binaries. We base our matching algorithm on comparison of rich program execution histories which include: control flow taken, values produced, addresses referenced, as well as data dependences exercised. In developing a matching algorithm we had two goals: producing an accurate match and producing it quickly. By using rich execution history, we are able to compare the program versions across many behavioral dimensions. The result is a fast and highly precise matching algorithm. Our algorithm first uses individual histories of instructions to identify multiple potential matches and then it refines the set of matches by matching the data dependence structure established by the matching instructions. To test our algorithm we attempted matching of execution histories of unoptimized and optimized program versions. Our results show that our algorithm produces highly accurate matches which are highly effective when used in comparison checking approach to debugging optimized code.

To detect and investigate self-propagating worm attacks against networked servers, the following capabilities are desirable: (1) raising timely alerts to trigger a worm investigation, (2) determining the break-in point of a worm, i.e. the vulnerable service from which the worm infiltrates the victim, and (3) identifying all contaminations inflicted by the worm during its residence in the victim. In this paper, we argue that the worm break-in provenance information has not been exploited in achieving these capabilities and thus propose process coloring, a new approach that preserves worm break-in provenance information and propagates it along operating system level information flows. More specifically, process coloring assigns a “color”, a unique system-wide identifier, to each remotely-accessible server process. The color will be either inherited by spawned child processes or diffused transitively through process actions. Process coloring achieves three new capabilities: color-based worm warning generation, break-in point identification, and log file partitioning. The virtualization-based implementation enables more tamper- resistant log collection, storage, and real-time monitoring. Beyond the overhead introduced by virtualization, process coloring only incurs very small additional system overhead. Experiments with real-world worms demonstrate the advantages of processing coloring over non-provenance-preserving tools.

It is desirable to be able to gather more forensically valuable audit data from computing systems than is currently done or possible. This is useful for the reconstruction of events that took place on the system for the purpose of digital forensic investigations. In this paper, we propose a mechanism that allows arbitrary meta-information bound to principals on a system to be propagated based on causality influenced by information flow. We further discuss how to implement such a mechanism for the FreeBSD operating system and present a proof-of-concept implementation that has little overhead compared to the system without label propagation.

Several digital forensic frameworks have been proposed, yet no conclusions have been reached about which are more appropriate. This is partly because each framework may work well for different types of investigations, but it hasn’t been shown if any are sufficient for all types of investigations. To address this problem, this work uses a model based on the history of a computer to define categories and classes of analysis techniques. The model is more lower-level than existing frameworks and the categories and classes of analysis techniques that are defined support the existing higher-level frameworks. Therefore, they can be used to more clearly compare the frameworks. Proofs can be given to show the completeness of the analysis techniques and therefore the completeness of the frame-works can also be addressed.

Most past and present intrusion detection systems architectures assume a uniprocessor environment or do not explicitly make use of multiple processors when they exist. Yet, especially in the server world, multiple processor machines are commonplace; and with the advent of technologies such as Intel and ANID’s multi-core or Hyperthreading technologies, commodity computers are likely to have multiple processors.

This research explores how explicitly dividing the system into production and security components and running the components in parallel on different processors can improve the effectiveness of the security system. The production component contains all user tasks and most of the operating system while the security component contains security monitoring and validating tasks and the parts of the O/S that pertain to security. We demonstrate that under some circumstances this architecture allows intrusion detection systems to use monitoring models with higher fidelity, particularly with regard to the timeliness of detection, and will also increase system robustness in the face of some types of attacks.

Empirical results with a prototype co-processing intrusion detection system (Cu-PIDS) architecture support the feasibility of this approach. The construction of the prototype allowed us to demonstrate the implementation costs of the architecture are reasonable. Experimentation using fine-grained protection of real-world applications resulted in about a fifteen percent slowdown white demonstrating CuPIDS’ ability to quickly detect and respond to illegitimate behavior.

Voting with assurance seems to be an obvious, simple concept. A registered voter should be able to cast his or her ballot with the confidence that the vote will be counted as cast. Traditionally, paper ballots have seemed like a simple, comfortable voting solution. However, paper ballots in some forms can be easily manipulated, result in ambiguous interpretations (e.g., “hanging chads”), are sometimes error-prone, and do not provide a quick tally. In our technology-saturated society, we want results right away, and it would seem that technology could speed up vote counting and make it more accurate. Computers are being integrated into every aspect of our lives, so why can’t they work for voting, too? If we can use computers to control airplanes, factories, and ATM machines, we should certainly be able to use them in voting!

The first computer virus was created 25 years ago, but there is no end in sight to malicious software.

We propose a coverage algorithm for mobile sensors to achieve a coverage that will match - over the long term and as quantified by an RMSE metric - a given threat profile.

The project aims to design, realize, evaluate, and deploy a detection, identification, and tracking sensor cyber network (DITSCN) for chemical and radiational plumes. The current focus is on building a system of radiation sensors inter-connected by wireless links for detecting the presence of radioactive materials, identifying the radiation source, and tracking their propagation over time.

Protecting networks from computer security attacks is an important concern of computer security. Within this, intrusion prevention and intrusion detection systems have been the subject of much study and have been covered in several excellent survey papers. However, the actions that need to follow the steps of prevention and detection, namely response, have received less attention from researchers or practitioners. It was traditionally thought of as an offline process,  with humans in the loop, such as system administrators performing forensics by going through the system logs and determining which services or components need to be recovered. Our systems today have reached a level of complexity and the attacks directed at them a level of sophistication that manual responses are no longer adequate. So far there has been limited work in autonomous intrusion response systems, especially work that provides rigorous analysis or generalizable system building techniques. The work that exists has not been surveyed previously.  In this survey paper, we lay out the design challenges in building autonomous intrusion response systems. Then we provide a classification of existing work on the topic into four categories

In this paper, we develop concepts of network coverage by a set of mobile sensors for given areas of interest, possibly under deadline constraints. our analytical results characterize the fundamental statistic properties of AOI coverage when sensors move according to an enhanced random waypoint model. Extensive experimental results are reported to verify and illustrate the analytical results.