The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Using a "Common Language" for Computer Security Incident Information

CERIAS TR 2002-35
John D. Howard and Pascal Meunier
Download: PDF

This chapter presents the results of several efforts over the last few years to develop and propose a method to handle these unstructured computer security incident records (text files).  Specifically, this chapter presents a tool designed to help individuals and organizations record, understand and share computer security incident information.  We call the tool the common language for computer security incident information.

Added 2002-12-06

On-the-fly Intrusion Detection for Web Portals

CERIAS TR 2002-36
Radu Sion and Mikhail Atallah and Sunil Prabhakar
Download: PDF

Remote access to distributed hyper-linked information proves to be one of the killer applications for computer networks. More and more content in current inter- and intranets is available as hyper-data, a form easing its distribution and semantic organization.
In the framework of the Internet's Web-Portals and Pay-Sites, mechanisms for login based on username and password enable the dynamic customization as well as partial protection of the content. In other applications (e.g. commercial intra-nets) various similar schemes of authentication are deployed.
Nevertheless, stolen passwords are an easy avenue to identity theft, in both public and commercial data networks. Once a perpetrator enters a system, assuming an authorized user's identity, the task of actually detecting this intrusion becomes non-trivial and is often ignored completely.
Thus, in addition to the initial authentication step we propose a runtime intrusion detection mechanism, required to maintain a virtually continuous user authentication process and detect identity theft and password misuse.
The current paper focuses on designing a pervasive intrusion detection method for hyper-data systems, based on training on and analysis of access patterns to hyper-linked data, aiming at detecting intruders and raising a red flag at the content provider's side. Our solution is based on a new technique, on-the-fly adaptive training for normality on streams of data access patterns. This enables runtime intrusion detection through analysis of correlations between current patterns and the adaptive past knowledge. Such a method is to be used in conjunction with current username-password protection schemes.

We introduce the motivation behind our solution, discuss the novel detection and training metrics and propose a real-life deployment design. We implement the main algorithm and perform experiments for assessing its intrusion detection ability, with very encouraging results. We also discuss the deployment of our method for detecting automatic spam-bot accesses.

Added 2002-11-29

A Formal-Specification Based Approach for Protecting the Domain Name System

Steven Cheung, Karl N. Levitt

Many network applications depend on the security of the domain name system (DNS).  Attacks on DNS can cause denial of service and entity authentication to fail.  In our approach, we use formal specifications to characterize DNS clients and DNS name servers, and to define a security goal: A name server should only use DNS data that is consistent with data from name servers that manage the corresponding domains (i.e., authoritative name servers).  To enforce the security goal, we formally specify a DNS wrapper that examines the incoming and outgoing DNS messages of a name server to detect messages that could cause violations of the security goal, cooperates with the corresponding authoritative name servers to diagnose those messages, and drops the messages that are identified as threats.  Based on the wrapper specification, we implemented a wrapper prototype and evaluated its performance.  Our experiments show that the wrapper incurs reasonable overhead and is effective against DNS attacks such as cache poisoning and certain spoofing attacks.

Added 2002-11-18

Petri-net model for verification of RBAC Policies

CERIAS TR 2002-33
Basit Shafiq, James B. D. Joshi, Arif Ghafoor
Download: PDF
Added 2002-11-06

Reference Models for the Concealment and Observation of Origin Identity in Store-and-Forward Networks

CERIAS TR 2002-31
Thomas E. Daniels
Download: PDF

Daniels, Thomas E., Ph.D., Purdue University, December, 2002. Reference Models for the Concealment and Observation of Origin Identity in Store-and-Forward Networks. Major Professor: Eugene H. Spafford.

Past work on determining the origin of network traffic has been done in a case-specific manner. This has resulted in a number of specific works while yielding little general understanding of the mechanisms used for expression, concealment, and observation of origin identity.

This dissertation addresses this state of affairs by presenting a reference model of how the originator identity of network data elements is concealed and observed. The result is a model that is useful for representing origin concealment and identification scenarios and reasoning about their properties. From the model, we have determined several mutually sufficient conditions for passively determining the origin of traffic. Based on these conditions, we have developed two new origin identification algorithms for constrained network topologies.

Added 2002-10-25

Proposals for Combating Cyber Terrorism through Preventive Active Security

CERIAS TR 2002-32
Radu Sion, Mikhail Atallah, Sunil Prabhakar
Download: PDF

Unfortunate recent events clarified the absolute requirement for a unified, concerted, scientifically proven strategy for combating forms of actual or potential cyber-terrorism. In this paper we present related solutions based on some of our ongoing and proposed future research in the broader areas of data and system security.

More specifically we focus on preventive techniques for content and system security. In the framework of content security we discuss document tamper-proofing, watermarking and generic information hiding detection, essential tools required in the combat against attacks in the current distributed, heterogeneous, networked world.

System security issues address new intrusion detection mechanisms using biometrics as well as new concepts such as “data access patterns”, in the framework of structured content and “network breath” in the case of secure computer networks.

Finally we present our research in the area of secure multi-party cooperation, an essential component in any inter-party contingency interaction scenario where trust issues might prevent complete cooperation. In the end we introduce some of the main conclusions and propose immediate-future research and focus points.

Added 2002-10-23

Cost-Profit Analysis of a Peer-to-Peer Media Architecture

CERIAS TR 2002-37
Mohamed M. Hefeeda, Ahsan Habib, and Bharat K. Bhargava
Download: PDF

We study the economic aspects of P2P systems. We present a cost-profit analysis of a media streaming service deployed over a peer-to-peer (P2P) infrastructure. We consider the limited capacity as well as the heterogeneity of peers in the analysis. The analysis shows that with the appropriate incentives for participating peers, the service provider achieves more profit. In addition, the analysis shows how the service provider can maximize its revenue by controlling the amount of incentives offered to peers.

By comparing the economics of P2P and conventional client/server media streaming architectures, we show that with a relatively small initial investment, the P2P architecture can realize a large-scale media streaming service.

Added 2002-10-23


On key pre-commitment in watermarking

CERIAS TR 2002-30
Radu Sion, Mikhail Atallah, Sunil Prabhakar
Download: PDF

Many media watermarking techniques require the use of a secret key to detect/decode the watermark in/from the marked object. Court proofs of ownership are strongly related to the ability of the rights holder (i.e. Alice) to convince a judge (i.e. Jared) or a jury of the safety of the encoding/decoding key in the frame of the considered watermarking algorithm.
Multimedia watermarking algorithms often operate in high-bandwidth, noisy domains, which empower court-time claims by the defendant (i.e. evil Mallory) of exhaustive key-space searches for matching keys. In other words, Mallory's position claims that Alice cannot prove her associated rights over the disputed content, as the actual data domain in the case allowed her to "try" different keys until one of them made the watermark magically "appear" in the (allegedly) un-marked object.
Watermarking algorithms in general, and in the media framework in particular, would thus benefit from an intrinsic component of the security assessment step, namely a solution offering the ability to fight exactly such claims.
One mechanism for securing this ability is to precommit to the watermarking key, at any time before watermark embedding. Precommitting to secrets in the framework of watermarking presents a whole new set of challenges, derived from the particularities of the domain.
The main contribution of this paper is to define the main problem behind it and offer a solution to key precommitment in watermarking, a solution augmented by a practical, illustrative example of an actual key precommitment method.
Given any watermarking scheme, our solution increases its ability to "convince" that the associated watermark is not embedded through some post-facto matching key choice (or even fortuitously), and was in fact deliberately inserted.
In some sense we are providing a mechanism for the "amplification of convinceability" of any watermarking algorithm. That is, if the watermarked object makes it to court then its watermark proof is dramatically more convincing, and in particular immune to claims of matching key searches.

Thus, we introduce the main motivation behind precommitment to keys in the process of watermarking and present an algorithm for key precommitment, analyzing its integration as part of any existing watermarking application.
Our solution, while relying on new (e.g. tolerant hashing) and existing concepts (e.g. key-space size reduction, watermark randomization), ties them together to produce a drastic (i.e. to virtually 0) reduction of the probability of success in the case of random key-space searches for matching keys, thus making a convincing counter-point to claims such as the one above.
We analyze trade-offs and present some alternative ideas for key precommitment. We discuss properties of the presented scheme as well as some other envisioned solutions.

Added 2002-10-20

Providing Process Origin Information to Aid in Network Traceback

CERIAS TR 2002-22
Florian Buchholz and Clay Shields
Download: PDF

It is desirable to hold network attackers accountable for their actions in both criminal investigations and information warfare situations.  Currently, attackers are able to hide their location effectively by creating a chain of connections through a series of hosts.  This method is effective because current host audit systems do not maintain enough information to allow association of incoming and outgoing network connections.  In this paper, we introduce an inexpensive method that allows both on-line and forensic matching of incoming and outgoing network traffic.  Our method associates origin information with each process in the system process table, and enhances the audit information by logging the origin and destination of network sockets.  We present implementation results and show that our method can effectively record origin information about the common cases of stepping stone connections and denial of service zombies, and describe the limitations of our approach.

Added 2002-09-28

"In Community We Trust": Online Security Communication at eBay

CERIAS TR 2002-19
Josh Boyd
Download: PDF

As e-commerce and virtual communities fundamentally change the way Americans do business and build relationships, how can people be assured of safety in unfamiliar cyberspaces? This essay focuses on online auction site eBay to understand how eBay has successfully attracted millions of users in spite of perceived risks and uncertainties. It argues that eBay is, in fact, a community (of commerce), and that the rhetorical construction of “community” on the site provides a foundation for trust between users. Based on trust theory, this essay isolates eBay’s “community trust” model as consisting of seven elements that work together to give users reasons to trust and to be trustworthy. Finally, the essay examines recent changes to eBay’s system, suggesting that so-called improvements for control might actually weaken the “community trust” system already in place—a warning to other sites that might imitate eBay’s community approach.

Added 2002-08-27

Intrusion Detection

CERIAS TR 2002-26
R. Patrick Gorman and Eugene H. Spafford

Network Intrusion Detection Systems today are used to detect when the network they are defending is being attacked from the outside.  Consequently, IDSs primarily watch traffic coming into the protected network.  This paper reverses this paradigm and explores the implications of monitoring traffic that is leaving the network; thus detecting when the protected network is being used to launch or relay attacks.  While the infrastructure and mechanics of this type of monitoring are similar to those used in existing intrusion detection techniques, there are a number of benefits and advantages.  The benefits include increasing the overall safety of the network, policy enforcement, and limiting liability.  Outbound monitoring also has an advantage in that certain attacks can be detected that are otherwise undetectable when entering the targeted network.  Further, there is also greater reactive power, both manual and automated, to a detected attack.  This paper examines these issues and others to conclude that outbound misuse detection should be a fundamental component of a network security infrastructure.

Added 2002-08-21

The Internet Worm: Crisis and Aftermath

Eugene H. Spafford
Added 2002-07-26

Compact Recognizers of Episode Sequences

CERIAS TR 97-20
Alberto Apostolico, Mikhail J. Atallah
Download: PDF

Given two strings $T = a_1 \ldots a_n$ and $P = b_1 \ldots b_m$ over an alphabet $\Sigma$, the problem of testing whether P occurs as a subsequence of T is trivially solved in linear time. It is also known that a simple $O(n \log |\Sigma|)$ time preprocessing of T makes it easy to decide subsequently for any P, and in at most $|P| \log |\Sigma|$ character comparisons, whether P is a subsequence of T. These problems become more complicated if one asks instead whether P occurs as a subsequence of some substring Y of T of bounded length. This paper presents an automaton built on the textstring T and capable of identifying all distinct minimal substrings Y of X having P as a subsequence. By a substring Y being minimal with respect to P, it is meant that P is not a subsequence of any proper substring of Y. For every minimal substring Y, the automaton recognizes the occurrence of P having the lexicographically smallest sequence of symbol positions in Y. It is not difficult to realize such an automaton in time and space $O(n^2)$ for a text of n characters. One result of this paper consists of bringing those bounds down to linear or $O(n \log n)$, respectively, depending on whether the alphabet is bounded or of arbitrary size, thereby matching the respective complexities of off-line exact string searching. Having built the automaton, the search for all lexicographically earliest occurrences of P in X is carried out in time $O\left(n + \sum_{i=1}^{m} rocc_i \cdot i \cdot \log n \cdot \log |\Sigma|\right)$, where $rocc_i$ is the number of distinct minimal substrings of T having $b_1 \ldots b_i$ as a subsequence. All log factors appearing in the above bounds can be further reduced to log log by resort to known integer-handling data structures.

Added 2002-07-26

Tamper Resistance -- A Cautionary Note

Ross Anderson and Markus Kuhn
Download: PDF
Added 2002-07-26