
    Stochastic Tools for Network Intrusion Detection

    With the rapid development of the Internet and the sharp increase in network crime, network security has become very important and has received a lot of attention. We model security issues as stochastic systems. This allows us to find weaknesses in existing security systems and propose new solutions. Exploring the vulnerabilities of existing security tools can prevent cyber-attacks from taking advantage of system weaknesses. We propose a hybrid network security scheme including intrusion detection systems (IDSs) and honeypots scattered throughout the network. This combines the advantages of two security technologies. A honeypot is an activity-based network security system, which could be the logical supplement to the passive detection policies used by IDSs. This integration forces us to balance security performance against cost by scheduling device activities for the proposed system. By formulating the scheduling problem as a decentralized partially observable Markov decision process (DEC-POMDP), decisions are made in a distributed manner at each device without requiring centralized control. The partially observable Markov decision process (POMDP) is a useful choice for controlling stochastic systems. As a combination of two Markov models, POMDPs combine the strength of the hidden Markov model (HMM) (capturing dynamics that depend on unobserved states) with that of the Markov decision process (MDP) (taking the decision aspect into account). Decision making under uncertainty is used in many parts of business and science. We use it here for security tools. We adopt a high-quality approximation solution for finite-space POMDPs with the average cost criterion, and their extension to DEC-POMDPs. We show how this tool could be used to design a network security framework.
    Comment: Accepted by International Symposium on Sensor Networks, Systems and Security (2017)

    Inherited variation in immune genes and pathways and glioblastoma risk

    To determine whether inherited variations in immune function single-nucleotide polymorphisms (SNPs), genes or pathways affect glioblastoma risk, we analyzed data from recent genome-wide association studies in conjunction with predefined immune function genes and pathways. Gene and pathway analyses were conducted on two independent data sets using 6629 SNPs in 911 genes on 17 immune pathways from 525 glioblastoma cases and 602 controls from the University of California, San Francisco (UCSF) and a subset of 6029 SNPs in 893 genes from 531 cases and 1782 controls from MD Anderson (MDA). To further assess consistency of SNP-level associations, we also compared data from the UK (266 cases and 2482 controls) and the Mayo Clinic (114 cases and 111 controls). Although three correlated epidermal growth factor receptor (EGFR) SNPs were consistently associated with glioblastoma in all four data sets (Mantel–Haenszel P values = 1 × 10⁻⁵ to 4 × 10⁻³), independent replication is required as genome-wide significance was not attained. In gene-level analyses, eight immune function genes were significantly (minP < 0.05) associated with glioblastoma; the IL-2RA (CD25) cytokine gene had the smallest minP values in both the UCSF (minP = 0.01) and MDA (minP = 0.001) data sets. The IL-2RA receptor is found on the surface of regulatory T cells, potentially contributing to the immunosuppression characteristic of the glioblastoma microenvironment. In pathway correlation analyses, cytokine signaling and adhesion–extravasation–migration pathways showed similar associations with glioblastoma risk in both the MDA and UCSF data sets. Our findings represent the first systematic description of immune genes and pathways that characterize glioblastoma risk.

    Regulatory T Cells Expanded from HIV-1-Infected Individuals Maintain Phenotype, TCR Repertoire and Suppressive Capacity

    While modulation of regulatory T cell (Treg) function and adoptive Treg transfer are being explored as therapeutic modalities in the context of autoimmune diseases, transplantation and cancer, their role in HIV-1 pathogenesis remains less well defined. Controversy persists regarding their beneficial or detrimental effects in HIV-1 disease, which warrants further detailed exploration. Our objectives were to investigate whether functional CD4+ Tregs can be isolated and expanded from HIV-1-infected individuals for experimental or potential future therapeutic use, and to determine the phenotype and suppressive capacity of expanded Tregs from HIV-1-positive blood and tissue. Tregs and conventional T cell controls were isolated from blood and gut-associated lymphoid tissue (GALT) of individuals with HIV-1 infection and healthy donors using flow-based cell sorting. The phenotype of expanded Tregs was assessed by flow cytometry and quantitative PCR. T-cell receptor β-chain (TCR-β) repertoire diversity was investigated by deep sequencing. Flow-based T-cell proliferation and chromium release cytotoxicity assays were used to determine Treg suppressive function. Tregs from HIV-1-positive individuals, including infants, were successfully expanded from PBMC and GALT. Expanded Tregs expressed high levels of FOXP3, CTLA4, CD39 and HELIOS and exhibited a highly demethylated TSDR (Treg-specific demethylated region), characteristic of the Treg lineage. The TCRβ repertoire was maintained following Treg expansion, and expanded Tregs remained highly suppressive in vitro. Our data demonstrate that Tregs can be expanded from blood and tissue compartments of HIV-1+ donors with preservation of Treg phenotype, function and TCR repertoire. These results are highly relevant for the investigation of potential future therapeutic use, as currently investigated for other disease states, and hold great promise for detailed studies on the role of Tregs in HIV-1 infection.
    Funding: Elizabeth Glaser Pediatric AIDS Foundation (Pediatric HIV Vaccine Program Award MV-00-9-900-1429-0-00); Massachusetts General Hospital, Executive Committee on Research (MGH/ECOR Physician Scientist Development Award); National Institutes of Health (U.S.) (NIH NIAID KO8 AI074405); National Institutes of Health (U.S.) (NIH NIAID AI074405-03S1); Massachusetts General Hospital (William F. Milton Fund); Harvard University, Center for AIDS Research (CFAR Scholar Award); Massachusetts General Hospital, Center for the Study of Inflammatory Bowel Disease (P30DK043351); Harvard University, Center for AIDS Research (NIH funded program 5P30AI060354-09).

    Use of alternate coreceptors on primary cells by two HIV-1 isolates

    Two HIV-1 isolates (CM4 and CM9) able to use alternate HIV-1 coreceptors on transfected cell lines were tested for their sensitivity to inhibitors of HIV-1 entry on primary cells. CM4 was able to use CCR5 and Bob/GPR15 efficiently in transfected cells. The R5 isolate grew in Δ32/Δ32 CCR5 PBMC in the absence or presence of AMD3100, a CXCR4-specific inhibitor, indicating that it uses a receptor other than CCR5 or CXCR4 on primary cells. It was insensitive to the CCR5 entry inhibitors RANTES and PRO140, but was partially inhibited by vMIP-1, a chemokine that binds CCR3, CCR8, GPR15 and CXCR6. The coreceptor used by this isolate on primary cells is currently unknown. CM9 used CCR5, CXCR4, Bob/GPR15, CXCR6, CCR3, and CCR8 on transfected cells and was able to replicate in the absence or presence of AMD3100 in Δ32/Δ32 CCR5 PBMC. It was insensitive to eotaxin, vMIP-1 and I309 when tested individually, but was inhibited completely when vMIP-1 or I309 was combined with AMD3100. Both I309 and vMIP-1 bind CCR8, strongly suggesting that this isolate can use CCR8 on primary cells. Collectively, these data suggest that some HIV-1 isolates can use alternate coreceptors on primary cells, which may have implications for strategies that aim to block viral entry.

    Injective Trapdoor Functions via Derandomization: How Strong is Rudich’s Black-Box Barrier?

    We present a cryptographic primitive $\mathcal{P}$ satisfying the following properties:
    -- Rudich's seminal impossibility result (PhD thesis '88) shows that $\mathcal{P}$ cannot be used in a black-box manner to construct an injective one-way function.
    -- $\mathcal{P}$ can be used in a non-black-box manner to construct an injective one-way function assuming the existence of a hitting-set generator that fools deterministic circuits (such a generator is known to exist based on the worst-case assumption that $\mathrm{E} = \mathrm{DTIME}(2^{O(n)})$ has a function of deterministic circuit complexity $2^{\Omega(n)}$).
    -- Augmenting $\mathcal{P}$ with a trapdoor algorithm enables a non-black-box construction of an injective trapdoor function (once again, assuming the existence of a hitting-set generator that fools deterministic circuits), while Rudich's impossibility result still holds.
    The primitive $\mathcal{P}$ and its augmented variant can be constructed based on any injective one-way function and on any injective trapdoor function, respectively, and they are thus unconditionally essential for the existence of such functions. Moreover, $\mathcal{P}$ can also be constructed based on various known primitives that are secure against related-key attacks, thus enabling us to base the strong structural guarantees of injective one-way functions on the strong security guarantees of such primitives. Our application of derandomization techniques is inspired mainly by the work of Barak, Ong and Vadhan (CRYPTO '03), which on one hand relies on any one-way function, but on the other hand only results in a non-interactive perfectly-binding commitment scheme (offering significantly weaker structural guarantees compared to injective one-way functions), and does not seem to enable an extension to public-key primitives.
    The key observation underlying our approach is that Rudich's impossibility result applies not only to one-way functions as the underlying primitive, but in fact to a variety of "unstructured" primitives. We put forward a condition for identifying such primitives, and then subtly tailor the properties of our primitives such that they are both sufficiently unstructured in order to satisfy this condition, and sufficiently structured in order to yield injective one-way and trapdoor functions. This circumvents the basic approach underlying Rudich's long-standing evidence for the difficulty of constructing injective one-way functions (and, in particular, injective trapdoor functions) based on seemingly weaker or unstructured assumptions.

    Cryptographic Reductions: Classification and Applications to Ideal Models

    Provable security refers to the ability to give rigorous mathematical proofs of the security of a cryptographic construction; in some sense this is one of the best possible security guarantees one can attain. These proofs are most often given through so-called reductions to a simpler construction or to some well-studied number-theoretic assumption. This thesis deals with two aspects of such reductions. First, since a reduction may be difficult to obtain, many reductions for widely-used signature and encryption schemes are conducted in a model that idealizes some underlying building block of the scheme, for example by replacing a hash function with a truly random function. With these reductions in idealized models, it is difficult to compare the requirements of cryptographic schemes, because the idealization introduces all desired properties simultaneously and it is not explicit which ones are used and to what extent. This complicates practical considerations when choosing from multiple candidate constructions for the same task. We develop a novel mechanism to relate schemes proven in idealized models. In this thesis, we present a reductionist paradigm that allows meaningful comparisons of constructions in idealized models with respect to the idealized part. Some of the idealized constructions considered here are the well-known compression-function constructions from blockciphers by Preneel, Govaerts, and Vandewalle (PGV; CRYPTO, 1993), and the twin ElGamal encryption scheme by Cash, Kiltz, and Shoup (Journal of Cryptology, 2009). Our main results show that the random oracle of the twin ElGamal encryption scheme reduces to the random oracle of the regular ElGamal encryption scheme, that the PGV constructions fall into two groups, and that the so-called double-block-length constructions reduce to one of the PGV constructions with respect to their ideal cipher.
    We can thus conclude that the PGV constructions are essentially equivalent within their respective groups and that double-block-length constructions are strictly superior, not only because of their increased key length. Similarly, the regular ElGamal scheme can be replaced by the twin ElGamal scheme (keeping in mind the reduction's tightness), even though the proofs are in an idealized model. These latter results greatly help designers and implementers of practical cryptographic constructions to select the better of two (or more) seemingly equivalent options. Ideal-model reducibility as a comparison tool is applicable to any two constructions whose proofs are in an idealized model. The second aspect of reductions we study in this thesis relates to the absence of reductions. Sometimes, insurmountable obstacles in finding a reduction result in a proof that reductions of some kind cannot exist at all. In that case, it is particularly important to understand carefully what the non-existent reductions look like---since, perhaps, a slightly different reduction is feasible. We develop means that allow us to better understand existing reductions in the literature. This thesis presents a new framework, akin to the one by Reingold, Trevisan, and Vadhan (TCC, 2004), for classifying reductions in a more fine-grained and more systematic way. The new framework clarifies the role of the efficiency of adversaries and primitives within reductions, covers meta-reduction separations, and provides new insights on the power of relativizing reductions. Consequently, a classification within the new framework clearly points out avenues to circumvent existing impossibility results and enables an assessment of their strength. The generality of the framework permits classification of a large body of existing reductions, and it is easily extensible to include further properties.

    Simon's Circuit

    Simon mentions in his seminal result separating collision-resistant hash functions from one-way permutations (EUROCRYPT '98) that the wrong strategy to sample collisions can be exploited to invert the permutation. He, however, does not spell out a concrete circuit that demonstrates this. In this short note, we describe and analyze one such circuit.