The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive


A Survey of Anti-Tamper Technologies

CERIAS TR 2004-55
Eric D. Bryant, Mikhail J. Atallah, Martin R. Stytz
Download: PDF
Added 2004-12-14

Digital Crime Scene Reconstruction

Brian D. Carrier and Eugene H. Spafford

Event reconstruction plays a critical role in solving physical crimes by explaining why a piece of physical evidence has certain characteristics. With digital crimes, the current focus has been on the recognition and identification of digital evidence using an object’s characteristics, but not on the identification of the events that caused the characteristics. This paper examines digital event reconstruction and proposes a process model and procedure that can be used for a digital crime scene. The model has been designed so that it can apply to physical crime scenes, can support the unique aspects of a digital crime scene, and can be implemented in software to automate part of the process. We also examine the differences between physical event reconstruction and digital event reconstruction.

Added 2004-12-14

Privacy Preserving Naive Bayes Classifier for Vertically Partitioned Data

Jaideep Vaidya and Chris Clifton
Added 2004-12-13

When do Data Mining Results Violate Privacy?

Murat Kantarcıoğlu and Jiashun Jin and Chris Clifton
Added 2004-12-13


Privacy Preserving Data Integration and Sharing

Chris Clifton and AnHai Doan and Ahmed Elmagarmid and Murat Kantarcıoğlu and Gunther Schadow and Dan Suciu and Jaideep Vaidya
Added 2004-12-13

The Policy Machine For Security Policy Management

Hu, Vincent C.; Frincke, Deborah A.; Ferraiolo, David F.

Many different access control policies and models have been developed to suit a variety of goals; these include Role-Based Access Control, One-directional Information Flow, Chinese Wall, Clark-Wilson, N-person Control, and DAC, in addition to more informal ad hoc policies. While each of these policies has a particular area of strength, the notational differences between these policies are substantial. As a result it is difficult to combine them, both in making formal statements about systems which are based on differing models and in using more than one access control policy model within a given system. Thus, there is a need for a unifying formalism which is general enough to encompass a range of these policies and models. In this paper, we propose an open security architecture called Policy Machine (PM) that would meet this need. We also provide examples showing how the PM specifies and enforces access control policies.

Added 2004-12-13

An Event-Based Digital Forensic Investigation Framework

CERIAS TR 2004-53
Brian D. Carrier and Eugene H. Spafford
Download: PDF

In this paper, we present a framework for digital forensics that includes an investigation process model based on physical crime scene procedures. In this model, each digital device is considered a digital crime scene, which is included in the physical crime scene where it is located. The investigation includes the preservation of the system, the search for digital evidence, and the reconstruction of digital events. The focus of the investigation is on the reconstruction of events using evidence so that hypotheses can be developed and tested. This paper also includes definitions and descriptions of the basic and core concepts that the framework uses.

Added 2004-12-13

Securing Java RMI-based Distributed Applications

CERIAS TR 2004-54
Ninghui Li, John C. Mitchell, and Derrick Tong
Download: PDF
Added 2004-12-13

Balancing Cooperation and Risk in Intrusion Detection

Frincke, Deborah

Early systems for networked intrusion detection (or, more generally, intrusion or misuse management) required either a centralized architecture or a centralized decision-making point, even when the data gathering was distributed. More recently, researchers have developed far more decentralized intrusion detection systems using a variety of techniques. Such systems often rely upon data sharing between sites which do not have a common administrator and therefore cooperation will be required in order to detect and respond to security incidents. It has therefore become important to address cooperation and data sharing in a formal manner. In this paper, we discuss the detection of distributed attacks across cooperating enterprises. We begin by defining relationships between cooperative hosts, then use the take-grant model to identify both when a host could identify a widespread attack and when that host is at increased risk due to data sharing. We further refine our definition of potential identification using access, integrity, and cooperation policies which limit sharing. Finally, we include a brief description of both a simple Prolog model incorporating data sharing policies and a prototype cooperative intrusion detection system.

Added 2004-12-10

Intrusion and Misuse Detection in Large-Scale Systems

Erbacher, Robert F.; Walker, Kenneth L.; Frincke, Deborah A.

Attacks and misuses of computer systems are major concerns in today’s network-based world.  We present information visualization techniques based on a glyph metaphor for visually representing textual log information.

Added 2004-12-10

Purpose Based Access Control for Privacy Protection in Relational Database Systems

CERIAS TR 2004-52
Ji-Won Byun and Elisa Bertino and Ninghui Li
Download: PDF

In this paper, we present a comprehensive approach for privacy preserving access control based on the notion of purpose. Purpose information associated with a given data element specifies the intended use of the data element, and our model allows multiple purposes to be associated with each data element. A key feature of our model is that it also supports explicit prohibitions, thus allowing privacy officers to specify that some data should not be used for certain purposes. Another important issue addressed in this paper is the granularity of data labeling, that is, the units of data with which purposes can be associated. We address this issue in the context of relational databases and propose four different labeling schemes, each providing a different granularity. In the paper we also propose an approach to representing purpose information, which results in very low storage overhead, and we exploit query modification techniques to support data access control based on purpose information.

Added 2004-12-07

Detecting Service Violations and DoS Attacks

Habib, Ahsan; Hefeeda, Mohamed A.; Bhargava, Bharat K.

Denial of Service (DoS) attacks are a serious threat for the Internet. DoS attacks can consume memory, CPU, and network resources and damage or shut down the operation of the resource under attack (victim). The quality of service (QoS) enabled networks, which offer different levels of service, are vulnerable to QoS attacks as well as DoS attacks. The aim of a QoS attack is to steal network resources, e.g., bandwidth, or to degrade the service perceived by users. We present a classification and a brief explanation of the approaches used to deal with the DoS and QoS attacks. Furthermore, we propose network monitoring techniques to detect service violations and to infer DoS attacks. Finally, a quantitative comparison among all schemes is conducted, in which we highlight the merits of each scheme and estimate the overhead (both processing and communication) introduced by it. The comparison provides guidelines for selecting the appropriate scheme, or a combination of schemes, based on the requirements and how much overhead can be tolerated.

Added 2004-11-29

ADAPTIVE AND HETEROGENEOUS MOBILE WIRELESS NETWORKS

CERIAS TR 2004-51
Yi Lu
Download: PDF

This dissertation investigates two research problems: (a) designing ad hoc routing protocols that monitor network conditions, select routes to satisfy routing requirements, and adapt to network topology, traffic load, and congestion; (b) building an integrated infrastructure for heterogeneous wireless networks with movable base stations and developing techniques for network management, routing, and security.

The experimental study of ad hoc routing protocols shows that the on-demand approach outperforms the proactive approach in less stressful situations, while the latter is more scalable with respect to the network size. Mobility and congestion are the primary reasons for the packet loss for the on-demand and proactive approaches respectively. Self-adjusting congestion avoidance (SAGA) routing protocol integrates the channel spatial reuse with the multi-hop routing to reduce congestion. Using the intermediate delay as the routing metric enables SAGA to bypass hot spots where contention is intense. An estimate of the transmission delay is derived based on local information available at a host. Comparison of SAGA with AODV, DSR, and DSDV shows that SAGA introduces the lowest end-to-end delay. It outperforms DSDV in the measured metrics. SAGA can sustain heavier traffic load and offers higher peak throughput than AODV and DSR. It is shown that considerations of congestion and the intermediate delay can enhance the routing performance significantly.

Hierarchical mobile wireless network is proposed to support wireless networks with movable base stations. Mobile hosts are organized into hierarchical groups. An efficient group membership management protocol is designed to support mobile hosts roaming among different groups. Segmented membership-based group routing protocol takes advantage of the hierarchical structure and membership information to reduce overhead. A secure packet forwarding algorithm is designed to protect the network infrastructure. The roaming support algorithm cooperates with the proposed mutual authentication protocol to secure both the foreign group and the mobile host. The evaluation shows that the computation overhead of the secure packet forwarding is less than 2% of the CPU time, and that of the secure roaming support ranges from 0.2% to 5% of the CPU time depending on the number of hosts and their motion. This justifies the feasibility of the security mechanisms.

Added 2004-11-25

Computer Crime & Security Survey

MacGibbon, Alastair

The key findings for 2004 are: Electronic attack, computer crime, computer access misuse and abuse trends, and Readiness to protect and manage the security of IT systems.

Added 2004-11-23