Computing systems continue to be plagued by malicious corruption of instructions and data.  Buffer overflows, in particular, are often employed to disrupt the control flow of vulnerable processes. Existing methods of protection against these attacks operate by detecting corruption after it has taken place or by ensuring that if corruption has taken place, it cannot be used to hijack a process’ control flow. These methods thus still allow the corruption of control data to occur but rather than being subverted, the process may terminate or take some other defined error. Few methods have attempted to prevent the corruption of control data, and those that have only focused on preventing the corruption of the return address.

We propose the use of multiple memory segments to support multiple stacks, heaps, .bss, and .data sections per process with the goal of segregating control and non-control data. By segregating these different forms of data, we can prevent the corruption of control data by overflow and address manipulation of memory allocated for non-control data. We show that the creation of these additional data segments per process can be implemented through modifications to the compiler.

Alert and event correlation is a process in which the alerts produced by one or more intrusion detection systems and events generated from different systems and security tools are analyzed and correlated to provide a more succinct and high-level view of occurring or attempted intrusions. Current correlation techniques improve the intrusion detection results and reduce the huge number of alerts in a summarized report, but still have some limitations such as a high false detection rate; missing alerts in a multi-step attack correlation; alert verifications are still limited; Zero Day attacks still have low rates of detection; Low and Slow attacks and Advanced Persistent Threats (APTs) cannot be detected; and some attacks have evasion techniques against IDSs. Finally, current correlation systems do not enable the integration of correlations from multiple information sources and are limited to only operate in IDS alerts. Agents and multi- agent systems have been widely used in IDSs because of their advantages.

The thesis purpose is to prove the possibility of improving both IDS Accuracy and IDS Completeness through reducing either False Positive or False Negative alerts using correlation between different available information sources in the system and network environment. The dissertation presents a modular framework for a Distributed Agent Correlation Model (DACM) for intrusion detection alerts and events in computer networks. The framework supports the integration of multiple correlation techniques and enables easy implementation of new components.

The framework introduces a multi-agent distributed model in a hierarchical organization; correlates alerts from the IDS with attack signatures from information security tools and either system or application log files as other sources of information. Correlation between multiple sources of information reduces both false negative and false positive alerts, enhancing intrusion detection accuracy and completeness. Each local agent aggregates/correlates events from its source according to a specific pattern matching. The integration of these correlation agents together forms a complete integrated correlation system.

The model has been implemented and tested using a set of datasets. Agent’s proposed models and algorithms have been implemented, analyzed, and evaluated to measure detection and correlation rates and reduction of false positive and false negative alerts.

In conclusion, DACM enhances both the accuracy and completeness of intrusion detection. DACM is flexible, upgradable, and platform independent. It decreases the audit load and the time cost required to obtain effective situational understanding; increases the coverage of the attack space and forensics; and improves the ability to distinguish the serious attack from the less important ones or identify the kind of needed reaction. DACM can also be used to enhance the early detection capability of APT. Finally, DACM can be used as a real time system with minor modifications. We think that this is a promising approach successfully combining correlation techniques with agent technology in intrusion detection systems in order to provide higher security for computer networks and internet services.

The smart power grid promises to improve efficiency and reliability of power delivery.  This report introduces the logical components, associated technologies, security protocols, and network designs of the system.  Undermining the potential benefits are security threats, and those threats related to cyber security are described in this report. Concentrating on the design of the smart meter and its communication links, this report describes the ZigBee technology and implementation, and the communication between the smart meter and the collector node, with emphasis on security attributes.  It was observed that many of the secure features are based on keys that must be maintained; therefore, secure key management techniques become the basis to securing the entire grid.  The descriptions of current key management techniques are delineated, highlighting their weaknesses.  Finally some initial research directions are outlined.

Cyber Physical Systems (CPS) are complex systems that operate in a dynamic environment where security characteristics of contexts are unique, and uniform access to secure resources anywhere anytime to mobile entities poses daunting challenges. To capture context parameters such as location and time in an access control policy for CPS, we propose a Generalized Spatio- Temporal RBAC (GST-RBAC) model. In this model spatial and temporal constraints are defined for role enabling, user-role assignment, role-permission assignment, role activation, separation of duty and role hierarchy. The inclusion of multiple types of constraints exposes the need of composing a policy which is verifiable for consistency. The second contribution in this paper is GST-RBAC policy specification and verification framework using light weight formal modeling language, Alloy. The analysis assists in consistency verification leading to conflict free composition of the actual policy for implementation for CPS.

Maximizing data usage and minimizing privacy risk are two conflicting goals. Organizations always hide the owners’ identities and then apply a set of transformations on their data before releasing it. While determining the best set of transformations has been the focus of extensive work in database community, most of this work suffered from one or two of the following major problems: scalability and privacy guarantee. To the best of our knowledge, none of the proposed scalable anonymization techniques provides privacy guarantees supported with well-formulated theoretical foundation. Differential privacy provides a theoretical formulation for privacy that ensures that the system behaves essentially the same way, regardless of whether any individual, or small group of individuals, are included in the database. In this paper, we address both scalability and privacy risk of data anonymization. We propose a scalable algorithm that meets differential privacy when applying a specific random sampling. The contribution of the paper is three-fold: (1) We prove that determining the optimal transformations is an NP-hard problem and propose a heuristic approximation based on genetic algorithms, (2) we propose a personalized anonymization technique based on Lagrangian formulation and prove that it could be solved in polynomial time, and (3) we prove that a variant of the proposed Lagrangian technique with specific sampling satisfies differential privacy. Through experimental studies we compare our proposed algorithm with other anonymization schemes in terms of both time and privacy risk. We show that the proposed algorithm is scalable. Moreover, we compare the performance of the proposed approximate algorithm with the optimal algorithm and show that the sacrifice in risk is outweighed by the gain in e±ciency.

As computing environments become both mobile and pervasive, the need for robust and flexible access control systems comes to the fore. Instead of relying simply on identity-based mechanisms or multi-level classifications, modern information systems must incorporate contextual factors into the access control decision. Examples of these factors include the user’s location at the time of the request, the unique instance of the hardware device, and the history of previous accesses.

Designing and implementing such contextual access control mechanisms requires addressing a number of interesting challenges. First, one must be able to determine when the required policy conditions are satisfied. For instance, in the realm of spatially aware access control, the system must be able to validate user’s claims to a particular location at a given time. Next, contextual mechanisms must be able to detect and react to changes in the environmental conditions, such as when a connection becomes disrupted.  Finally, the integrity of the execution environment must be ensured, despite the complexity of modern computing systems.

To address these challenges, we have examined the creation of trusted enforcement mechanisms that are built on a combination of secure hardware, cryptographic protocols, virtual machine monitors, and randomized execution environments. We have developed a number of prototypes using NFC, PUFs, VMMs, and a microkernel OS to demonstrate the feasibility of our approaches to a number of contextual settings. Our experimental evaluation and security analyses demonstrate that robust mechanisms can be deployed for a minimal amount of computational expense.

As mobile computing devices are becoming increasingly dominant in enterprise and government organizations, the need for fine-grained access control in these environments continues to grow.  Specifically, advanced forms of access control can be deployed to ensure authorized users can access sensitive resources only when in trusted locations. One technique that has been proposed is to augment role-based access control (RBAC) with spatial constraints.  In such a system, an authorized user must be in a designated location in order to exercise the privileges associated with a role. In this work, we extend spatially aware RBAC systems by defining the notion of proximity-based RBAC. In our approach, access control decisions are not based solely on the requesting user’s location. Instead, we also consider the location of other users in the system.  For instance, a policy in a government application could prevent access to a sensitive document if any civilians are present.  We introduce our spatial model and the notion of proximity constraints. We define the syntax and semantics for the Prox-RBAC language, which can be used to specify these policy constraints.  We introduce our enforcement architecture, including the protocols and algorithms for enforcing Prox-RBAC policies, and give a proof of functional correctness. Finally, we describe our work toward a Prox-RBAC prototype and present an informal security analysis.

In a distributed computing environment, remote devices must often be granted access to sensitive information. In such settings, it is desirable to restrict access only to known, trusted devices. While approaches based on public key infrastructure and trusted hardware can be used in many cases, there are settings for which these solutions are not practical. In this work, we define physically restricted access control to reflect the practice of binding access to devices based on their intrinsic properties. Our approach is based on the application of physically unclonable functions. We define and formally analyze protocols enforcing this policy, and present experimental results observed from developing a prototype implementation. Our results show that non-deterministic physical properties of devices can be used as a reliable authentication and access control factor.

Proposed models for spatially-aware extensions of role-based access control (RBAC) combine the administrative and security advantages of RBAC with the dynamic nature of mobile and pervasive computing systems. However, implementing systems that enforce these models poses a number of challenges. As a solution, we propose an architecture for designing such a system. The architecture is based on an enhanced RBAC model that supports location-based access control policies by incorporating spatial constraints.

Enforcing spatially-aware RBAC policies in a mobile environment requires addressing several challenges. First, one must guarantee the integrity of a user’s location during an access request. We adopt a proximity-based solution using Near-Field Communication (NFC) technology. The next challenge is to verify the user’s position continuously satisfies the location constraints. To capture these policy restrictions, we incorporate elements of the UCONABC usage control model in our architecture.In this work, we also propose a number of protocols, describe our prototype implementation, report the performance of our prototype, and evaluate the security guarantees.

The Internet has witnessed explosive growth over the last few decades, steadily evolving into a worldwide communication medium capable of supporting myriads of applications. While several efforts have been undertaken to improve the reliability of best-effort Internet communication, their adoption has been virtually nonexistent due to the lack of incentive for change and the presence of heterogeneous networks not controlled by a single entity. Moreover, the Internet structure is rapidly evolving into a flatter one composed of large organizations or clouds which hampers any efforts of retrofitting the existing Internet.

In this dissertation, we study two of the most important components of the Internet infrastructure, namely Routing and Domain Name System (DNS). We aim to find predictability in Internet routing, specifically the existence of Internet routes to prefixes, collection of IP addresses. We hypothesize that the Internet under Border Gateway Protocol (BGP), the de-facto interdomain routing protocol, while seemingly unpredictable, has a structure whereby prefix similarity can be exploited to successfully predict availability of Internet routes and route failures. We build data mining based prediction models using real-world routing data and find that this is indeed the case and the future availability of a prefix can be predicted by observing it for a limited time period and using the learned models. We also formulate BGP molecules which are the set of Internet prefixes that have similar propensity to become unreachable from portions of the Internet, i.e. to fail. We use these molecules in four failure prediction schemes, among which a hybrid scheme achieves 91% predictability of failures with 99.3% coverage of prefixes in the Internet.

We study how DNS as an Internet infrastructure has evolved by investigating cloud-based DNS, which is the result of moving DNS services to the cloud. We perform a case-study of a recently launched cloud-based DNS, namely Google external DNS. A novel technique for geolocating data centers of cloud providers is developed and used to show that a query to Google DNS may not be redirected to the geographically closest Google data center. We also study Akamai-hosted content retrieval through cloud-based DNS and find that the client perceives worse performance as compared to the use of local DNS to retrieve content. The reasons for this poor performance are investigated and we explore the design space of methods for cloud-based DNS systems to be used by clients retrieving content. Client-side, cloud-side, and hybrid approaches are presented and compared, with the goal of achieving the best client-perceived performance. Our work yields valuable insight into Akamai’s DNS system, revealing previously unknown features.

Finally, we present our vision of the evolution of the current Internet to the future cloud-based Internet, while specifying the lightning or interaction among clouds. We posit that while the cloud offers several advantages for hosting services, blindly using the cloud for every service can cause poor performance. Instead, a carefully balanced approach can usher a smooth transition from current Internet systems to the cloud-based Internet of tomorrow.

In the last decade, there have been radical changes in both the nature of the mechanisms used for Internet content distribution, and the type of content delivered. On the one hand, Peer-to-Peer (P2P) based content distribution has matured. On the other hand, there has been a tremendous growth in video traffic. The goal of this thesis is to characterize these emerging trends in content distribution and understand their implications for Internet Service Providers (ISP) and users. Such characterization is critical given the predominance of P2P and video traffic in the Internet today and can enable further evolution of content delivery systems in ways that benefit both providers and users.

In this thesis, we make the following contributions: (i) We develop novel methodologies to identify undesirable behavior of P2P systems, and expose the prevalence of such behavior; (ii) We characterize private P2P communities, and discuss the implications of our findings on recent research on localization of P2P traffic within an ISP; (iii) We shed light into the factors that govern the data-center selection for video delivery in geographically distributed settings by characterizing YouTube, the most popular video distribution network in the Internet.

A common thread underlying these contributions, and a distinguishing highlight of this thesis is the analysis of terabytes of traffic traces collected from the edge of multiple ISP and Campus networks located in different countries.

Configuring access control policies in mobile devices can be quite tedious and unintuitive for users. Software designers attempt to address this problem by setting up default policy configurations. But such global defaults may not be sensible for all users.  Modern smartphones are capable of sensing a variety of information about the surrounding environment like Bluetooth devices, WiFi access points, temperature, ambient light, sound and location coordinates. We claim that profiling this type of contextual information can be used to infer the familiarity and safety of a context and aid in access control decisions. We propose a context profiling framework and describe device locking as an example application where the locking timeout and unlocking method are dynamically decided based on the perceived safety of current context.  We report on using datasets from a large scale smartphone data collection campaign to select parameters for the context profiling framework.  We also describe a prototype implementation on a smartphone platform.