Research Problems in Information Assurance
Talk for the second year DPS students
Li-Chiou Chen, Seidenberg School of Computer Science and Information Systems, Pace University, 03/15/08
© Li-Chiou Chen, CSIS, Pace 2
Agenda
Past research projects in Internet-based attacks
Ongoing research projects in security usability & web security
Student research projects
Interdisciplinary study in information assurance
Technology domain: Security Technology
Problem domain: Social, Economic and Policy Issues
Research Methodology: Computational Modeling
Countermeasures for the propagation of computer viruses
Problem: What anti-virus strategy works better to slow down the propagation of a new computer virus?
Method: Simulate the spread of computer viruses and countermeasures using agent-based simulation
Run on 4 different theoretical network topologies and 2 different empirical network topologies
Compare five different strategies
Propose a new one – Countermeasure competing (CMC)
Past project - Computer viruses
Results and further research issues
Results: the countermeasure propagation network is more effective than the other strategies when
this network has a few highly connected nodes, like P2P networks, and
the rate of countermeasure propagation is faster than the rate of virus infection
Further research: How about zero-day worms? The same model can be used to discuss the diffusion of ideas, the diffusion of disease, etc.
Past project - Computer viruses
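A deterministic toy version of the countermeasure-competing idea, added here as an example and not the author's agent-based simulator: a virus spreads over a ring while the countermeasure spreads over either the same ring or a star with one highly connected hub, and the peak number of infected nodes shows why hub-rich countermeasure networks and an early start matter. The graph sizes, the all-neighbours-per-step rate rule and the tie rule are this example's assumptions.

```python
def adjacency(n, edges):
    """Undirected adjacency sets over nodes 0..n-1 (isolated nodes get an empty set)."""
    adj = {i: set() for i in range(n)}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj

def ring(n):
    """Every node linked to its two neighbours: no highly connected node."""
    return [(i, (i + 1) % n) for i in range(n)]

def star(n, hub):
    """One hub linked to every other node, like a P2P super-node."""
    return [(hub, i) for i in range(n) if i != hub]

def simulate(n, virus_edges, cm_edges, virus_seed, cm_seed, cm_start, steps):
    """Countermeasure competing, deterministic (assumption: rate = all neighbours per step).
    Each step every infected node infects its susceptible neighbours on the virus network, and
    from step cm_start on every node holding the countermeasure passes it to its neighbours on
    the countermeasure network. A node receiving the countermeasure is cured and immune; when
    both reach a node in the same step the countermeasure wins.
    Returns (peak number of infected nodes, number infected after the last step)."""
    vadj, cadj = adjacency(n, virus_edges), adjacency(n, cm_edges)
    infected, immune, countered = {virus_seed}, set(), set()
    peak = 1
    for t in range(steps):
        new_inf = {v for u in infected for v in vadj[u]} - infected - immune
        if t >= cm_start:
            countered.add(cm_seed)
            countered |= {v for u in countered for v in cadj[u]}
            immune |= countered
        infected = (infected | new_inf) - immune
        peak = max(peak, len(infected))
    return peak, len(infected)

def compare(n=10, steps=5):
    """Same virus (ring network, seed 0) against three countermeasure scenarios."""
    hub = n // 2
    return {
        "ring countermeasure network, starts at step 0": simulate(n, ring(n), ring(n), 0, hub, 0, steps),
        "star countermeasure network, starts at step 0": simulate(n, ring(n), star(n, hub), 0, hub, 0, steps),
        "star countermeasure network, zero-day (starts at step 3)": simulate(n, ring(n), star(n, hub), 0, hub, 3, steps),
    }
```

With 10 nodes the ring countermeasure lets the virus peak at 5 nodes, the star hub stops it at the seed alone, and a three-step zero-day delay lets it reach 7 before the hub cures everyone.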
Distributed denial-of-service (DDOS) attacks and defenses
[Figure: network diagram of a DDOS attack. Two end user premises (attack source 1 and attack source 2) connect through access points and an Internet access provider's network, via network provider 1, network provider 2, a NAP and a private peering point, to a campus network and to the content provider network of the victim (www.yahoo.com).]
Past project - Distributed denial of service
A research framework for DDOS problems
Components of the framework:
Characterization of DDOS Defenses
A Computational Tool for Simulating Attacks and Defenses
An Analysis on the Impact of Technology Uncertainty
An Analysis on Cooperation
An Analysis on the Economic Incentives
Research questions:
What are the technological variables?
What is the impact of the technological variables on performance efficiency?
What are the economic incentives of network providers?
What is the impact of cooperation on the economic incentives?
The Provision of DDOS Defenses
Past project - Distributed denial of service
Further research problems
Defenses for attacks against infrastructures, such as routers and DNS servers
Assessment of the risk attitude of subscribers and providers, e.g., the premium that a subscriber would be willing to pay in order to avoid the risk of DDOS attacks
Procedures for determining a liability assignment
Past project - Distributed denial of service
Security usability of banking web sites
What is usability?
Problem: Phishing. Can users distinguish legitimate web sites from phishing web sites? This is a security usability problem of web interface design.
What is the status quo? What can we improve from here?
Ongoing project – Security Usability
How do you distinguish legitimate web sites from fake ones?
Ongoing project – Security Usability
Banking web site survey
Top 100 banks from the FDIC (Federal Deposit Insurance Corporation) Institution Directory Database
Examine the login page of each online banking web site
Three types of information:
Security indicators: HTTPS, padlock, security seal
Security certificate: common name, organization name, SSL version, cipher, validity
Site security information: security guide, phishing info, lock next to login
Tools: OpenSSL library, awk, Linux shell programs
Ongoing project – Security Usability
Confusing login interfaces
Company web site redirects to a secure server with a login page
SSL is negotiated only after users enter their user name and password
Popup windows used for login
The little secure lock next to the login screen has a different meaning on different sites: some have no links, some link to security information, some change the interface to show security indicators, some connect to 3rd-party certification
Ongoing project – Security Usability
Preliminary Results
Finding                                           Number   Percentage of total servers surveyed
Banking secure servers surveyed                   80
Login page without certificate padlock and HTTPS  19       24%
Popup window used for login                       3        4%
Invalid certificate                               1        1%
Bank name is inconsistent with subject name       11       14%
    of which: outsourcing                         6        8%
    of which: bank holding company name           5        6%
Ongoing project – Security Usability
Cipher exchanged is not always the most secure one
Cipher Suite          Number of Servers   Percentage of total servers surveyed
AES256-SHA            13                  16%
DES-CBC3-SHA          4                   5%
DHE-RSA-AES256-SHA    6                   8%
RC4-MD5               51                  64%
RC4-SHA               6                   8%
Total                 80                  100%
Ongoing project – Security Usability
A long validity period gives a certificate a longer window in which it can be exploited
Validity duration          Number                                              Percentage
< 2 years                  56                                                  70%
>= 2 years but < 3 years   20                                                  25%
>= 3 years                 4 (3 of them between 3 and 4 years, one 5 years)    5%
Total                      80                                                  100%
Ongoing project – Security Usability
Implications
Invalid security certificates: should not be there; they defeat anti-phishing tools
SSL connection established only after the user enters username and password: no way to verify the security indicator before login
Domain name inconsistent with brand name: 3rd-party secure servers; a domain name checking strategy fails
Confusing security indicators: multiple indicators, etc.
Confusing security information: consumers do not know which one to follow or look at
Confusing login visual interface design: popup windows; may suffer visual deception attacks
Industry common practice does not reflect the best available technology: vulnerabilities in the older versions
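The checks behind the survey tables and implications above, as an added Python example that is not the author's survey tooling (the survey used OpenSSL, awk and shell programs): it classifies constructed login-page records by padlock and HTTPS, popup login, certificate validity, brand-to-subject-name consistency, negotiated cipher suite and certificate validity period, and tallies them the way the preliminary result tables do. The consistency rule, the stop-word list and every input record are this example's assumptions.

```python
import re
from collections import Counter, namedtuple
from datetime import date

# One surveyed login page: bank name from the FDIC directory, whether the login page is served
# over HTTPS and shows the padlock, popup login, certificate validity, subject, cipher, dates.
LoginPage = namedtuple("LoginPage", "bank https padlock popup_login cert_valid subject cipher not_before not_after")
STOP = {"bank", "of", "the", "national", "inc", "trust"}  # generic words ignored in the brand check (assumption)

def subject_fields(subject):
    """Parse a 'CN=..., O=...' certificate subject line into a dict of attributes."""
    return {k: v.strip() for k, v in re.findall(r"(\w+)=([^,]+)", subject)}

def name_consistent(bank, subject):
    """Brand check: some distinctive word of the bank name appears in the CN or O."""
    f = subject_fields(subject)
    haystack = (f.get("CN", "") + " " + f.get("O", "")).lower()
    words = [w for w in re.findall(r"[a-z]+", bank.lower()) if w not in STOP]
    return any(w in haystack for w in words)

def validity_bucket(not_before, not_after):
    """Bucket the certificate validity period the way the survey table does."""
    years = (not_after - not_before).days / 365.25
    return "< 2 years" if years < 2 else "2-3 years" if years < 3 else ">= 3 years"

def survey(pages):
    """Tally each finding over all pages; returns {finding: (count, percent of pages)}."""
    found = Counter()
    for p in pages:
        if not (p.https and p.padlock):
            found["no padlock/https on login page"] += 1
        if p.popup_login:
            found["popup login"] += 1
        if not p.cert_valid:
            found["invalid certificate"] += 1
        if not name_consistent(p.bank, p.subject):
            found["name inconsistent with subject"] += 1
        found["cipher " + p.cipher] += 1
        found["validity " + validity_bucket(p.not_before, p.not_after)] += 1
    return {k: (v, round(100 * v / len(pages))) for k, v in found.items()}

SAMPLE = [  # constructed records, not data from the survey
    LoginPage("First Example Bank", True, True, False, True, "CN=www.firstexample.com, O=First Example Bank", "AES256-SHA", date(2007, 1, 1), date(2008, 1, 1)),
    LoginPage("Example Savings Bank", False, False, True, True, "CN=login.hostvendor.net, O=Host Vendor Inc", "RC4-MD5", date(2006, 1, 1), date(2008, 12, 31)),
    LoginPage("Bank of Sampletown", True, True, False, False, "CN=www.sampletown-bank.com, O=Bank of Sampletown", "RC4-MD5", date(2005, 6, 1), date(2010, 6, 1)),
    LoginPage("Example Holding National Bank", True, True, False, True, "CN=secure.exampleholding.com, O=Example Holding Corp", "DHE-RSA-AES256-SHA", date(2007, 3, 1), date(2009, 2, 28)),
]
```

The second record shows the outsourced-login case from the table: the page is hosted by a vendor whose certificate subject carries no part of the bank's brand, so a user relying on the name in the certificate has nothing to match against.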
Ongoing project – Security Usability
Further research problems
Align consumer trust and security on the web
Security usability scanner
Solve phishing problems from a risk management perspective: where should government put money and resources? Risk identification, reduction, or mitigation
Student Research Projects
Joseph Acampora – MS in IS: XML-DNR: A Bandwidth-Saving Technique for Distributed Intrusion Detection Systems
Yosef Lehrman – MS in IT: Client-side solutions for phishing prevention
Konrad Koenig: Analyzing access control policies of banking data using Secure UML
Alex Tsekhansky – DPS: Byzantine fault tolerant DNS for networks with limited PKI infrastructure
Student projects