
    SHI(EL)DS: A Novel Hardware-based Security Backplane to Enhance Security with Minimal Impact to System Operation

    Computer security continues to increase in importance both in the commercial world and within the Air Force. Dedicated hardware for security purposes provides and enhances a number of security capabilities. Hardware enhances both the security of the security system itself and the quality and trustworthiness of the information gathered by the security monitors. Hardware reduces avenues of attack on the security system and ensures the trustworthiness of information only through proper design and placement; without careful system design, security hardware leaves itself vulnerable to many of the attacks it is capable of defending against. Our SHI(EL)DS architecture combines these insights into a comprehensive, modular hardware security backplane architecture. This architecture provides many of the capabilities required by the Cybercraft deployment platform. Most importantly, it makes significant progress towards establishing a root of trust for this platform. Progressing the development of the Cybercraft initiative advances the Air Force's ability to operate in and defend cyberspace.

    Master of Science in Computing

    Current Intrusion Detection Systems (IDS) in a typical enterprise or campus network are limited by having a fixed number of static monitoring points and static IDS resources deployed. The monitoring points are typically deployed using hardware optical taps or span ports which are fed directly into the IDS. The IDS is a compute resource requiring dedicated server-grade hardware, and these are statically configured when the enterprise or campus network is installed. We designed a framework for making a distributed elastic Intrusion Detection System (IDS) for a Software Defined Network (SDN) capable network, called Distributed Elastic Intrusion DeTECTion (DEIDtect). We combine the flexibility of SDN and the elastic resource usage of a cloud infrastructure with a DEIDtect orchestrating controller to achieve an elastic IDS framework. DEIDtect enables simpler and more dynamic management of IDS deployments. The flexibility of our approach also enables new IDS use cases and deployment strategies.

    Lightweight IPv6 network probing detection framework


    BIOLOGICAL INSPIRED INTRUSION PREVENTION AND SELF-HEALING SYSTEM FOR CRITICAL SERVICES NETWORK

    With the explosive development of critical services network systems and the Internet, the need for network security systems has become even more critical as information technology expands into everyday life. An Intrusion Prevention System (IPS) provides an in-line mechanism focused on identifying and blocking malicious network activity in real time. This thesis presents a new intrusion prevention and self-healing (SH) system for critical services network security. The design features of the proposed system are inspired by the human immune system, integrated with a nonlinear pattern recognition classification algorithm and machine learning. Firstly, current intrusion prevention systems, biological innate and adaptive immune systems, autonomic computing and self-healing mechanisms are studied and analyzed. The importance of intrusion prevention suggests that artificial immune systems (AIS) should incorporate abstraction models from the innate and adaptive immune systems, pattern recognition, machine learning and self-healing mechanisms to provide an autonomous IPS with fast and highly accurate detection and prevention performance and survivability for critical services network systems. Secondly, a specification language, system design, and mathematical and computational models for the IPS and SH system are established, based upon nonlinear classification, prevention predictability trust analysis, self-adaptation and self-healing algorithms. Finally, the system is validated by simulation tests, measurement, benchmarking and comparative studies. New benchmarking metrics for detection capabilities, prevention predictability trust and self-healing reliability are introduced as contributions to the measurement and validation of the IPS and SH system.
    Using the software system, design theories, AIS features, the new nonlinear classification algorithm and the self-healing system, we show how the presented systems can ensure safety for critical services networks and heal the damage caused by intrusions. This autonomous system improves on the performance of current intrusion prevention systems and maintains system continuity through its self-healing mechanism.

    Detecting Problematic Execution Patterns Through Automatic Kernel Trace Analysis

    RÉSUMÉ (French abstract, translated) Multicore processors, distributed systems and virtualization are becoming increasingly widespread, making the debugging of production systems more difficult, especially when the problems encountered are not easily reproducible. This architectural complexity has introduced a new range of potential problems that should be detectable using new, efficient and scalable methodologies. Indeed, by tracing the kernel of an operating system, one can identify bottlenecks, security flaws, programming bugs and other kinds of undesirable behavior. Tracing consists of collecting the relevant events occurring on a production system while having minimal impact on performance and on the normal flow of execution. The generated trace is typically inspected offline, introducing no impact on the traced system. This work presents a new automata-based approach for modeling patterns of problematic behavior in the form of one or more executable finite state machines. These patterns are then fed into an analyzer that checks for their presence simultaneously and efficiently in traces of several gigabytes. The analyzer provides a programming interface offering essential services to the automata. The implemented patterns touch on various domains including security, software testing and performance analysis. The analysis results provide enough information to precisely identify the source of the problem, which allowed us to identify a code sequence in the Linux kernel that could generate a deadlock. The analyzer's performance is linear with respect to the trace size. The other factors affecting its performance are discussed.
    Furthermore, comparing the analyzer's performance with that of a dedicated approach suggests that the overhead of using state machines for execution, and not only for modeling, is acceptable, especially for offline analysis. The implemented solution is easily parallelizable and could well be applied to online analysis. The thesis concludes with a list of suggested optimizations that could further improve the analyzer's performance.

    ABSTRACT As multi-core processors, distributed systems and virtualization are gaining a larger share in the market, debugging production systems has become a more challenging task, especially when the occurring problems are not easily reproducible. The new architectural complexity introduced a large number of potential problems that need to be detected on live systems with adequate, efficient and scalable methodologies. By tracing the kernel of an operating system, performance bottlenecks, malicious activities, programming bugs and other kinds of problematic behavior can be accurately detected. Tracing consists in monitoring and logging relevant events occurring on live systems with a minimal performance impact and interference with the flow of execution. The generated trace is typically inspected remotely with no overhead on the system whatsoever. This work presents an automata-based approach for modeling patterns of undesired behavior using executable Finite State Machines. They are fed into an offline analyzer which efficiently and simultaneously checks for their occurrences even in traces of several gigabytes. The analyzer provides an Application Programming Interface offering essential services to the Finite State Machines. To our knowledge, this is the first attempt that relies on describing problematic patterns for kernel trace analysis.
    The implemented patterns touch on several fields including security, software testing and performance debugging. The analysis results provide enough information to precisely identify the source of the problem. This was helpful in identifying a suspicious code sequence in the Linux kernel that could generate a deadlock. The analyzer achieves linear performance with respect to the trace size. The remaining factors impacting its performance are also discussed. The performance of the automata-based approach is compared with that of a dedicated implementation, suggesting that the overhead of using Finite State Machines for execution and not just for modeling is acceptable, especially in post-mortem analysis. The implemented solution is highly parallelizable and may be ported to online pattern matching. The thesis concludes by suggesting a list of possible optimizations that would further improve the analyzer's performance.

    Cybersecurity Detection System for IoT


    Reports to the President

    A compilation of annual reports for the 1988-1989 academic year, including a report from the President of the Massachusetts Institute of Technology, as well as reports from the academic and administrative units of the Institute. The reports outline the year's goals, accomplishments, honors and awards, and future plans.

    Advancing User Authentication and Access Management

    In order for online systems to transact business or exchange other sensitive information, there must be an environment in which the parties involved can verify that the other is who they claim to be. Authentication mechanisms provide this verification process, thereby improving confidence in the confidentiality and integrity of communications. However, attackers can exploit this trust if they are able to successfully impersonate a legitimate user and gain access to the system with all the rights and privileges of that user. One particularly difficult class of attacks of this sort involves an attacker inserting themselves between the end user and the system they are communicating with. This man-in-the-middle (MITM) scenario affords the attacker access to passwords, transaction details and other sensitive information, which they may then modify or use to suit their purposes, resulting in identity theft, information compromise and misappropriation of funds via electronic transfer, among other scenarios. Current solutions are able to mitigate some of this risk, but more work is needed given the difficulty of detecting MITM attacks. This thesis deals generally with the subject of identity and access management, with a specific focus on authentication within an IT system. The research described here provides new approaches to user-centric and transaction-centric authentication as well as capabilities to improve support for the broader authentication system.
    The first category of user-centric improvements involves mechanisms which:
    - leverage a communications side channel so that the user can know with greater certainty that the website they are interacting with is the one they intend,
    - allow a service provider to detect a MITM by determining whether the user's geographical location is consistent across multiple channels,
    - allow for the detection of a MITM through an out-of-band voice prompt presented to the user, and
    - improve confidence that a user is who they claim to be by dynamically verifying that they are geographically where they are expected to be, even when traveling.
    The second category of transaction-centric improvements involves mechanisms which leverage out-of-band communications to verify that transaction details have not been tampered with, through:
    - a voice call in which transaction amounts, accounts, etc. are read aloud to the user for confirmation, and
    - a specially constructed QR code which contains these details and can be verified with a purpose-built mobile app.
    The third category of broader authentication system support involves mechanisms which:
    - detect a MITM attack by recognizing changes in login traffic patterns,
    - detect rogue domain name service providers which might attempt to redirect traffic to attacker websites,
    - allow for non-disruptive, secure migration of users across authentication systems, and
    - allow for a secure means to regain access to a mobile device for which the passcode has been lost.
    This research consists of a body of published works, most of which have taken the form of patent filings, which have been peer reviewed and granted by the US Patent and Trademark Office.

    Distributed Intrusion Prevention in Active and Extensible Networks

    Abstract. The proliferation of computer viruses and Internet worms has had a major impact on the Internet community. Cleanup and control of malicious software (malware) has become a key problem for network administrators. Effective techniques are now needed to protect networks against outbreaks of malware. Wire-speed firewalls have been widely deployed to limit the flow of traffic from untrusted domains, but these devices' weakness lies in their limited ability to protect networks from infected machines on otherwise trusted networks. Progressive network administrators have been using an Intrusion Prevention System (IPS) to actively block the flow of malicious traffic. New types of active and extensible network systems that use both microprocessors and reconfigurable logic can perform wire-speed services in order to protect networks against computer virus and Internet worm propagation. This paper discusses a scalable system that makes use of automated worm detection and intrusion prevention to stop the spread of computer viruses and Internet worms using extensible hardware components distributed throughout a network. The contribution of this work is to present how to manage and configure large numbers of distributed and extensible IPSs.