The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive

Report To The President June 2005

PITAC
Added 2005-09-02

Dynamic Quarantine of Internet Worms

Wong, Wang, Song, Bielski, Ganger

If we limit the contact rate of worm traffic, can we alleviate and ultimately contain Internet worms? This paper sets out to answer this question. Specifically, we are interested in analyzing different deployment strategies of rate control mechanisms and the effect thereof on suppressing the spread of worm code. We use both analytical models and simulation experiments. We find that rate control at individual hosts or edge routers yields a slowdown that is linear in the number of hosts (or routers) with the rate limiting filters. Limiting contact rate at the backbone routers, however, is substantially more effective - it renders a slowdown comparable to deploying rate-limiting filters at every individual host that is covered. This result holds true even when susceptible and infected hosts are patched and immunized dynamically. To provide context for our analysis, we examine real traffic traces obtained from a campus-computing network. We observe that rate throttling could be enforced with minimal impact on legitimate communications. Two worms observed in the traces, however, would be significantly slowed down.

Added 2005-09-02

Epidemic Thresholds in Real Networks

Chakrabarti, Wang, Wang, Faloutsos
Added 2005-09-02

Censorship Resistance Revisited

Perng, Reiter, Wang
Added 2005-09-02

Timing Attacks in Low-Latency Mix Systems

Levine, Reiter, Chenxi, Wright

A mix is a communication proxy that attempts to hide the correspondence between its incoming and outgoing messages. Timing attacks are a significant challenge for mix-based systems that wish to support interactive, low-latency applications. However, the potency of these attacks has not been studied carefully. In this paper, we investigate timing analysis attacks on low-latency mix systems and clarify the threat they pose. We propose a novel technique, defensive dropping, to thwart timing attacks. Through simulations and analysis, we show that defensive dropping can be effective against attackers who employ timing analysis.

Added 2005-09-02

Channel Access and Synchronization Attacks Against MAC Protocols in Wireless Networks

CERIAS TR 2005-61
Gunjan Khanna, Ammar Masood, Cristina Nita Rotaru
Download: PDF

The 802.11 standard specifies mechanisms for channel access, data delivery, authentication and privacy for wireless communication. The standard makes no provisions for faulty, selfish or malicious behavior, assuming that nodes always act according to the specifications of the protocol. Thus, nodes that run defective protocol implementations, are misconfigured, or are compromised can potentially cause significant disruption in the network. In this paper we present an analysis of channel access denial of service attacks against 802.11b. We demonstrate the attacks through simulation and analyze them by considering the effect of multiple attackers, their relative positioning and the influence of the choice of high level protocols. In addition, we identify and describe new attacks against the beacon-based synchronization mechanism used for channel access and by the power saving mode in 802.11a, b, and g. We provide simulation results that demonstrate their feasibility and analyze them considering the attacker's effort versus the induced damage and effect on other protocols and services. Finally, we propose and discuss mitigation techniques for all the above attacks, demonstrating the efficacy of several of them through simulations.

Added 2005-09-01

Essays In Information Security

CERIAS TR 2003-38
Mukul Gupta
Download: PDF

Information Technology has become integral to organizations

Added 2005-09-01

Monitoring And Controlling QOS Network Domains: An Edge-To-Edge Approach

CERIAS TR 2003-37
Md Ahsan Habib
Download: PDF

This research studies and designs techniques for coordinated network monitoring, traffic conditioning, and flow control as integral components of the edge routers in a network domain. The enhanced edge routers yield secure network domains, and achieve better performance in terms of high data throughput, low delay, and low loss rates. The potential performance gain from the proposed techniques is critical for the current and emerging network services such as multimedia applications. Using simulation, we evaluate the edge router for data intensive applications such as FTP and delay sensitive applications such as Telnet and Web. The contributions of this thesis can be summarized as follows:

Added 2005-09-01

Automated Trust Negotiation Using Cryptographic Credentials

CERIAS TR 2005-59
Jiangtao Li and Ninghui Li and William H. Winsborough
Download: PDF

In automated trust negotiation (ATN), two parties exchange digitally signed credentials that contain attribute information to establish trust and make access control decisions. Because the information in question is often sensitive, credentials are protected according to access control policies. In traditional ATN, credentials are transmitted either in their entirety or not at all. This approach can at times fail unnecessarily, either because a cyclic dependency makes neither negotiator willing to reveal her credential before her opponent, because the opponent must be authorized for all attributes packaged together in a credential to receive any of them, or because it is necessary to fully disclose the attributes, rather than merely proving they satisfy some predicate (such as being over 21 years of age). Recently, several cryptographic credential schemes and associated protocols have been developed to address these and other problems. However, they can be used only as fragments of an ATN process. This paper introduces a framework for ATN in which the diverse credential schemes and protocols can be combined, integrated, and used as needed. A policy language is introduced that enables negotiators to specify authorization requirements that must be met by an opponent to receive various amounts of information about certified attributes and the credentials that contain it. The language also supports the use of uncertified attributes, allowing them to be required as part of policy satisfaction, and to place their (automatic) disclosure under policy control.

Added 2005-08-30

Digital Identity Management Domain For Ontological Semantics: Domain Acquisition Methodology And Practice

CERIAS TR 2005-60
Evguenia A. Malaia
Download: PDF

This work focuses on ontological efforts to support information security applications

Added 2005-08-30

An extension of the Dickman function and its application

CERIAS TR 2002-43
Chaogui Zhang
Download: PDF
Added 2005-08-22

Empirical Evaluation of Secure Two-Party Computation Models

CERIAS TR 2005-58
Marina Blanton
Download: PDF

Secure multi-party protocols make the computation of answers and decisions that depend on multiple parties' private data possible, without revealing anything about the private inputs (other than what unavoidably can be deduced from the outputs). There are general results showing that any probabilistic polynomial time function can be computed in this framework in an asymptotically efficient manner, using circuit-simulation techniques. There is a frequent belief that these general circuit-simulation techniques are not practical compared to custom-built (i.e., problem-specific) solutions, unless the function being computed has a naturally circuit-like formulation. This paper carries out a quantitative empirical evaluation of this belief, for a problem that would apparently benefit from a custom-built protocol (forecasting using time series techniques). Our findings are somewhat surprising in the following aspects. First, the custom-built solution does not overcome the general circuit-simulation solution on a local network until the problem size becomes quite large. Second, relaxing (even slightly) the requirement that, instead of "nothing", the protocols reveal "little" makes possible dramatic performance improvements over the solutions for the more strict requirement (whether they are custom-built or based on general circuit simulations). Third, other aspects (such as, e.g., system resources available) play a significant role in evaluation of a computational model. This paper describes the subtle implementation issues involved with this evaluation, presents its results, and talks about the lessons learned that should be valuable in future deployments of this kind of technology.

Added 2005-08-18

Secure And Private Online Collaboration

CERIAS TR 2005-57
Keith Frikken
Download: PDF
Added 2005-08-15

Video and Image Watermark Synchronization

CERIAS TR 2005-56
Eugene Lin
Download: PDF

Digital watermarking is the practice of inserting a signal, known as the watermark, into an original signal in an imperceptible manner. The watermark encodes or represents information that can protect the watermarked signal, typically identifying the owner (source) or the intended recipient (destination) of the signal. The embedded watermark may be detected by using a watermark detector, which enables an application to react to the presence (or absence) of the watermark in a signal. However, the watermarked signal may be processed, or attacked, prior to watermark detection. Attacks may remove the embedded watermark or make the watermark more difficult to detect. One type of attack that has received considerable attention is synchronization attacks. A synchronization attack confuses the watermark detector by re-positioning the embedded watermark. Most watermark detectors will fail to detect the watermark embedded in the attacked signal unless the position of the watermark can be identified. This is a significant vulnerability in robust watermark detection. The process of identifying the position of the watermark is known as watermark detector synchronization. A new framework is developed for temporal synchronization in blind symmetric video watermarking. Embedding and detection models are proposed that encompass the behavior of many video watermarking techniques. These models demonstrate that synchronization is challenging when the watermark lacks redundancy, but also that efficient synchronization can be achieved by designing the watermark with temporal redundancy. The temporal synchronization models are adapted to spatial synchronization in still image watermarks. For spatial synchronization, redundancy is obtained by constructing a watermark which induces a pattern in the auto-correlation. Experimental results support the theoretical foundations for both temporal and spatial synchronization.
In addition, earlier exploration in watermarking led to the development of a semi-fragile watermarking technique for image authentication. The semi-fragile technique is capable of detecting significant alterations to the watermarked image, but is tolerant to lossy JPEG compression and other, more subtle alterations. This earlier work is not related to watermark synchronization.

Added 2005-08-10

Behavioral Feature Extraction for Network Anomaly Detection

CERIAS TR 2005-55
James P. Early
Download: PDF

This dissertation presents an analysis of the features of network traffic commonly used in network-based anomaly detection systems. It is an examination designed to identify how the selection of a particular protocol attribute affects performance. It presents a guide for making judicious selections of features for building network-based anomaly detection models.

We introduce a protocol analysis methodology called Inter-flow versus Intra-flow Analysis (IVIA) for partitioning protocol attributes based on operational behavior. The method aids in the construction of flow models and identifies the protocol attributes that contribute to model accuracy, and those that are likely to generate false positive alerts, when used as features for network anomaly detection models.

We introduce a set of data preprocessing operations that transform these previously identified "noisy" attributes into useful features for anomaly detection. We refer to these as behavioral features. The derivation of this new class of features from observed measurements is both possible and feasible without undue computational effort, and can therefore keep pace with network traffic.

Empirical results using unsupervised learning show that models based on behavioral features can achieve higher classification accuracies with markedly lower false positive rates than their traditional packet header feature counterparts. Behavioral features are also used in the context of supervised learning to build classifiers of server application flow behavior.

Added 2005-08-03