Research Projects


Network Security Vulnerability via Large Scale Simulation (Joint work with Dr. Riley and Dr. Abler)

Virtually every system connected to the Internet today has been the target of malicious or unsolicited activity at some point in time. These activities range from something as harmless as a simple exploratory ICMP message sent to discover where hosts reside, to the complete destruction of services requiring a time-consuming and disruptive system restart. A large group of hackers is continually developing and launching new and innovative techniques to exploit security weaknesses in existing systems. Other groups of individuals and companies are at the same time developing techniques to detect and defend against these attacks, in an effort to reduce or eliminate disruptions due to this activity. These defensive methods are collectively known as Intrusion Detection (ID) systems.

The effectiveness of intrusion detection systems is difficult to measure for a variety of reasons. Commercial vendors of intrusion detection systems can easily demonstrate the effectiveness of their product using pre-recorded scripts that generate network traffic simulating various attacks. Researchers developing new and innovative defensive measures can also demonstrate the effectiveness of their techniques under a variety of conditions. However, once deployed, the intrusion detection system must work properly in the presence of a large amount of legitimate traffic as well as the malicious and erroneous traffic. The mix of legitimate and malicious traffic, frequency of attacks, duration of attacks, number of end-systems participating in the attacks, and network bandwidth available to the attackers all have substantial effect on the success (or failure) of an intrusion detection system.

In this research, we are designing and implementing a large-scale network simulation framework that will allow researchers in the network security arena to generate scenarios of simulated network behavior using a wide variety of parameters. Our simulation framework will be capable of generating network activity with any mix of legitimate traffic, malicious traffic, network bandwidth, network size, number of attackers, type of attacks, and type of defensive techniques, just to name a few. Building on our previously developed parallel and distributed simulation methods, the framework will support simulated models of hundreds of thousands of end systems and routers. Using our models, researchers can measure and evaluate the effectiveness of security measures under a virtually unlimited set of conditions.

Large Scale Network Simulation of Security and Survivability (Joint work with Dr. Riley and Dr. Blough)

The Internet routing infrastructure and domain name infrastructure are huge and highly dynamic systems. Understanding and predicting the functionality and behavior of these systems is highly complex. As is true in many cases, detailed modeling and simulation of complex systems can help in understanding their behavior, both in a predictive mode and in a reactive environment. With a high quality simulation model of such a system, one can predict the effect of proposed changes, and can understand the causes of prior failures. Further, one can model disruptive actions in the simulated environment without affecting deployed systems. Such an understanding of cause and effect in these systems is critical to the long-term stability of the Internet infrastructure. The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. Simulation of these BGP and DNS infrastructures is critical to the process of implementing more secure and more robust protocols. In the proposed research, we perform Internet-scale simulations of these infrastructures in order to better understand their vulnerabilities, quantitatively evaluate the damage caused to them by various types of attacks, and develop enhancements that provide substantially more robust network infrastructures.

Network Security Visualization (Joint work with Dr. Ahamad, Dr. Stasko, Dr. Copeland, Greg Conti, Jeff Gribschaw)

Security has become a pivotal part of network operations. The state of the art is automated intrusion detection systems that raise alarms to be evaluated by a human analyst. However, being machine-based, those systems always have to cope with the trade-off between overlooking hostile activity (false negatives) and raising alarms because of benign activity (false positives). On a huge network, the number of the latter becomes so large that an in-depth evaluation by the operator is not possible.

Through visualization, the human can be kept closer in the loop and the extensive bandwidth of the human visual system can be leveraged. A human will inherently detect different visual signatures and anomalies. Historically, such fields as machine vision and machine learning have shown that the tasks at which a machine stands out are typically entirely different from those at which a human excels. Thus, we believe that human-enhanced visual network intrusion systems working symbiotically with classical machine-based systems will enable network operators both to be more aware of the state of the network and to detect attacks on the network infrastructure more precisely and in a more timely manner. The Internet has become one of the world's critical infrastructures. However, the large amounts of data transmitted over typical networked systems make it hard to spot malicious activities by illegitimate adversaries, posing a challenge equivalent to "finding the needle in the haystack." Relevant data in the information assurance domain can be gathered from a large number of heterogeneous, diverse, and distributed sources including packet capture data, firewall logs, data from network management systems, network performance systems, and anti-virus systems. As of now, there is neither an efficient way to access and gather all this data in a unified fashion nor a methodology that allows browsing and analyzing this vast amount of information in a timely manner. A powerful and as yet predominantly untapped means to achieve this goal is to use visualization to allow human analysts both undirected (getting a general overview of occurrences on the network) and directed (displaying and analyzing information regarding a specific incident) processing of the data.
Our constant battle with information overload during daily analysis activities with our Georgia Institute of Technology Honeynet and our extensive two-year archive of malicious traffic collected on that honeynet setup motivated us to investigate more human-centric, scalable techniques for the analysis of security data sets.

Intrusion Recovery Systems (with Julian Grizzard)

We are investigating integrated intrusion recovery systems (IRS). The notion of an intrusion recovery system follows naturally from the notions of intrusion detection systems (IDS) and intrusion prevention systems (IPS). The goal of an intrusion recovery system is to detect intrusions after they have occurred and to take recovery actions to mitigate the attacker's intrusions. For a vertically integrated IRS, we propose a four-tier system for each Virtual Machine, running beside the operating system we are protecting, as described below:

- VM Coupler - The VM Coupler is considered the lowest tier component. It will aggregate and correlate events from all higher tier components and itself. It will use this information to interact directly with a Service Provider in order to provide updates for the trust algorithms. This component will be completely isolated from the VM for which it is responsible. Finally, this component will provide secure storage for any higher level components.
- Network component - The network component will be the second tier monitor. It will use existing network-based intrusion detection techniques and forward any alerts to the VM Coupler. It will also be able to control raw network flows and log network traffic.
- In-kernel component - The third tier component will be the in-kernel component, which exists at the kernel space level inside the VM. The purpose of this component is to realize better inspection of the kernel structures by having full access to kernel functions. The in-kernel component will be verified for correct operation by the VM Coupler.
- User component - The fourth tier component will exist at the user space level inside the VM. The purpose of this component will be to have access to user space resources and verify the integrity of the user space components in the system, including any persistent state.

The recovery techniques that we propose build on existing techniques, which use VM checkpointing and rollback, and on more novel techniques in which the full extent of the compromise is understood. In a worst case scenario, it may be desirable to completely roll back to a previous VM configuration that is known to be good. This would be one option for our proposed system. There are, however, problems with this solution. One problem is that whatever state was processed since the last checkpoint is lost. Another problem is that the original security hole might still be present in the restored version. Finally, there may be more optimal methods for recovery in which only the compromised portion of the machine is repaired, so that the recovery process executes more efficiently. Therefore, we propose new methods to recover from compromises that address these problems. Below we outline some of the details of our proposed approach for recovery.

- Known Good State - Our proposed methods of recovery rely on the notion of known good state. At system initialization time, a database of known good state is built. It is assumed that the state is good at initialization time, although unknown security holes may exist. Further, the proposed system will have a means to update the known good state database when trustworthy updates are applied. Based on the known good state, each of the four tiers of the IRS can verify state throughout the different layers in the system. The IRS will use hashing and binary diffs for verification and for repair when necessary.
- Entry Point Detection and Removal - One of the most important aspects of the IRS is to patch the original point of entry. We propose to build on the work of BackTracker, which logs system level events and their dependencies. These system level events can be correlated with the detection point to backtrack to the point of entry. In order to repair this point of entry, several possibilities exist. One possibility is to disable the service until an administrator provides a secure update. Another approach is to build dynamic rules for the service that disable only those service activities that would result in an unauthorized intrusion.
- Backdoor Detection and Removal - Not only is it important to repair any state that has been altered, but it is also important to remove any backdoors that have been installed. We intend to build on our work on classifying backdoors to develop methods for removal. Specifically, these backdoors often overwrite legitimate call tables or system binaries, which can be rolled back. Further, any threads executing this malicious code can be killed. Finally, it may be possible to track the installation of backdoors by tracking system events and graphing dependencies to show the paths that relate to the intrusion.
- Service Migration - In the event that a compromise has occurred, any services that are currently running on the VM should be migrated to another VM, and any future service requests should be rerouted until the services offered by that VM can be restored.
- Virtual Machine Restoration - In the event that the system has reached an irreparable state, or a state that is beyond a threshold of byte-by-byte repair, the system will also support the ability to completely restore the VM.
- Service Testing - Ensuring that the service provided by each VM is functioning correctly is an important goal. As a method for verifying the service, a testing mechanism can be coupled with each service. This mechanism would serve as a self-test to ensure that service has successfully been restored after repairing the machine.
- Logging - A natural mechanism that falls out of the proposed architecture is secure logging. In the event that a compromise has occurred, the details, time, and repair action can all be securely logged in the VM Coupler.
- Adaptation - One important property of the proposed architecture is that it should be a highly adaptive system. Under normal circumstances, the secure middleware should minimize the load it places on system resources. Only the minimal checks that can guarantee a given level of security will be performed during normal operation. This will be customizable for each service, as certain services may be willing to trade more CPU cycles in order to maintain a higher assurance of security. However, once an alert has been generated by the minimal system, the subsystems that can track more information should engage so that a near-complete understanding of the compromise can be ascertained.
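The Known Good State, Virtual Machine Restoration and Logging items above describe hash-based verification, repair of only the altered portion of the system, and a threshold beyond which the whole VM is restored instead. The following is an added illustration of that logic, not code from the project described on this page: the "filesystem" is a constructed dictionary of path to contents standing in for the VM's disk, the known-good database holds a SHA-256 digest and a golden copy of each file (in a real deployment the golden copies would live in the VM Coupler's isolated storage), and the repair threshold and the hash-chained log format are assumptions made for the example.

```python
import hashlib
import json
from typing import Dict, Set, Tuple

# Constructed sample of the VM's state at initialization time (path -> bytes).
KNOWN_GOOD_FILES: Dict[str, bytes] = {
    "/bin/ls": b"ELF-ls-legitimate-v1",
    "/bin/ps": b"ELF-ps-legitimate-v1",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_known_good_db(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Hash every tracked file at initialization. The golden copy is kept
    alongside the hash so that a damaged file can be repaired in place."""
    return {path: {"hash": sha256_hex(data), "copy": data} for path, data in files.items()}


def apply_trusted_update(db: Dict[str, dict], path: str, new_contents: bytes) -> None:
    """Refresh a record when an administrator applies a trustworthy update."""
    db[path] = {"hash": sha256_hex(new_contents), "copy": new_contents}


def verify(db: Dict[str, dict], live: Dict[str, bytes]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Compare the live system against the database.
    Returns (modified, missing, unknown): tracked files whose hash changed,
    tracked files that disappeared, and files present but never recorded."""
    modified = {p for p in db if p in live and sha256_hex(live[p]) != db[p]["hash"]}
    missing = {p for p in db if p not in live}
    unknown = {p for p in live if p not in db}
    return modified, missing, unknown


def repair(db: Dict[str, dict], live: Dict[str, bytes], quarantine: Dict[str, bytes],
           max_bad_fraction: float = 0.5) -> dict:
    """Repair only the altered tracked files and quarantine unknown ones.
    If more than max_bad_fraction (an assumed threshold) of the tracked state
    is bad, report that a full VM restoration is the appropriate action."""
    modified, missing, unknown = verify(db, live)
    bad = modified | missing
    if len(bad) / len(db) > max_bad_fraction:
        return {"action": "restore_vm", "repaired": [], "quarantined": []}
    for path in sorted(bad):
        live[path] = db[path]["copy"]          # byte-for-byte restore from golden copy
    for path in sorted(unknown):
        quarantine[path] = live.pop(path)      # keep the artifact for analysis, off the live path
    return {"action": "repaired", "repaired": sorted(bad), "quarantined": sorted(unknown)}


def append_log(log: list, entry: dict) -> str:
    """Hash-chained log kept by the VM Coupler: each record commits to the
    previous record's digest, so a later edit to the log is detectable."""
    prev = log[-1]["digest"] if log else "0" * 64
    body = json.dumps(entry, sort_keys=True)
    digest = sha256_hex((prev + body).encode())
    log.append({"entry": entry, "prev": prev, "digest": digest})
    return digest


def log_is_intact(log: list) -> bool:
    prev = "0" * 64
    for rec in log:
        if rec["prev"] != prev:
            return False
        if rec["digest"] != sha256_hex((prev + json.dumps(rec["entry"], sort_keys=True)).encode()):
            return False
        prev = rec["digest"]
    return True


if __name__ == "__main__":
    db = build_known_good_db(KNOWN_GOOD_FILES)
    live = dict(KNOWN_GOOD_FILES)
    live["/bin/ps"] = b"ELF-ps-trojaned"      # constructed: a replaced system binary
    live["/tmp/.hidden"] = b"unknown-binary"  # constructed: an untracked artifact
    quarantine: Dict[str, bytes] = {}
    log: list = []
    result = repair(db, live, quarantine)
    append_log(log, {"time": 6, "detail": "integrity check", "action": result})
    print(result, log_is_intact(log))
```

The threshold check comes before any repair so that a VM whose tracked state is mostly damaged is handed to restoration rather than patched file by file; unknown files are moved aside rather than deleted so the Backdoor Detection step still has the artifact to examine.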
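The Entry Point Detection and Backdoor Detection items above propose correlating logged system events with a detection point and walking their dependencies backwards to the point of entry. The following is an added example of that backward dependency walk, written for this page and not taken from BackTracker or from the project described here: the event log is constructed (the address 198.51.100.7 is from the documentation range), each event records that a source object influenced a destination object at a given time, and the rule that an event is relevant only if it happened no later than the time its destination is already known to be involved is the dependency criterion being illustrated.

```python
from typing import Dict, List, Set, Tuple

# Constructed event log: (time, source, destination, kind). "source influenced
# destination at time t". Process names and PIDs are invented for the example.
EVENTS: List[Tuple[int, str, str, str]] = [
    (1, "socket:198.51.100.7:4444", "proc:httpd(1203)", "recv"),
    (2, "proc:httpd(1203)",         "proc:sh(1210)",     "fork"),
    (3, "file:/etc/passwd",         "proc:cron(77)",     "read"),   # unrelated legitimate activity
    (4, "proc:sh(1210)",            "file:/tmp/.hidden", "write"),
    (5, "file:/tmp/.hidden",        "proc:sh(1211)",     "exec"),
    (6, "proc:sh(1211)",            "file:/bin/ps",      "write"),  # detection point
    (7, "proc:cron(77)",            "file:/var/log/cron","write"),
]


def backtrack(events, detection_obj: str, detection_time: int):
    """Walk the event log backwards from (detection_obj, detection_time).

    Returns (edges, roots): the dependency edges that lead to the detection
    point, and the objects with no incoming dependency, i.e. the candidate
    entry points. An object is 'involved' from the earliest time any
    dependency edge touched it; an event can only explain an object's state
    if it occurred no later than that time, which is why one pass over the
    events in reverse time order is enough."""
    involved: Dict[str, int] = {detection_obj: detection_time}
    edges: List[Tuple[int, str, str, str]] = []
    for t, src, dst, kind in sorted(events, key=lambda e: e[0], reverse=True):
        if dst in involved and t <= involved[dst]:
            edges.append((t, src, dst, kind))
            involved[src] = min(involved.get(src, t), t)
    has_incoming: Set[str] = {dst for _, _, dst, _ in edges}
    roots = sorted(obj for obj in involved if obj not in has_incoming)
    return edges, roots


def entry_point_chain(edges, root: str, detection_obj: str) -> List[str]:
    """Follow dependency edges forward from the root to the detection point,
    giving the path an analyst would read as the intrusion's history."""
    forward: Dict[str, List[Tuple[int, str]]] = {}
    for t, src, dst, _ in edges:
        forward.setdefault(src, []).append((t, dst))
    path, cur = [root], root
    while cur != detection_obj:
        t, nxt = min(forward[cur])      # earliest onward influence
        path.append(nxt)
        cur = nxt
    return path


if __name__ == "__main__":
    edges, roots = backtrack(EVENTS, "file:/bin/ps", 6)
    print("entry point candidates:", roots)
    print(" -> ".join(entry_point_chain(edges, roots[0], "file:/bin/ps")))
```

Unrelated activity (the cron events) is never pulled into the graph because neither of its objects is ever marked as involved; the single root that remains is the network socket the compromised service accepted, which is the entry point that the Entry Point Detection and Removal step would then disable or filter.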