Research

Below is a summary of my research in the area of computer security. Please also see my list of publications

Students Who Don’t Understand Information Flow Should be Eaten: An Experience Paper

Joint work with: Mike Jacobi, Jed Crandall

  Information flow is still relevant, from browser privacy to side-channel attacks on cryptography. However, many of the seminal ideas come from an era when multi-level secure systems were the main subject of study. Students have a hard time relating the material to today’s familiar commodity systems. We describe our experiences developing and utilizing an online version of the game Werewolves of Miller’s Hollow (a variant of Mafia). To avoid being eaten, stu- dents must exploit inference channels on a Linux system to discover “werewolves” among a population of “towns- people.” Because the werewolves must secretly discuss and vote about who they want to eat at night, they are forced to have some amount of keystroke and network activity in their remote shells at this time. In each in- stance of the game the werewolves are chosen at ran- dom from among the townspeople, creating a interest- ing dynamic where students must think about informa- tion flow from both perspectives and keep adapting their techniques and strategies throughout the semester. This game has engendered a great deal of enthusiasm among our students, and we have witnessed many inter- esting attacks that we did not anticipate. We plan to re- lease the game under an open source software license.

Link will be available after presenting it at conference.

Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking

Joint work with: Jed Crandall, Deepak Kapur, Jong Park

  Idle port scanning uses side-channel attacks to bounce scans off of a ``zombie'' host to stealthily scan a victim IP address or infer IP-based trust relationships between the zombie and victim. We present results from building a transition system model of a network protocol stack for an attacker, victim, and zombie, and testing this model for non-interference properties using model checking. Two new methods of idle scans resulted from our modeling effort, based on TCP RST rate limiting and SYN caches, respectively. Through experimental verification of these attacks, we show that it is possible to scan victims which the attacker is not able to route packets to, meaning that protected networks or ports closed by firewall rules can be scanned. This is not possible with the one currently known method of idle scan in the literature that is based on non-random IPIDs. For the future design of network protocols, a notion of trusted vs untrusted networks and hosts (based on existing IP-based trust relationships) will enable shared, limited resources to be divided. For a model complex enough to capture the details of each attack and where a distinction between trusted and untrusted hosts can be made, we modeled RST rate limitations and a split SYN cache structure. Non-interference for these two resources was verified with symbolic model checking and bounded model checking to depth 1000, respectively. Because each transition is roughly a packet, this demonstrates that the two respective idle scans are ameliorated by separating these resources.

For more information, see our idle scan paper can be found in this link.

The ecology of malwares

Joint work with: Jed Crandall, Stephani Forrest, Joshua Ladua, Bilal Shebaro

  The fight against malicious software (or malware, which includes everything from worms to viruses to botnets) is often viewed as an “arms race.” Conventional wisdom is that we must continually “raise the bar” for the malware creators. However, the multitude of malware has itself evolved into a complex environment, and properties not unlike those of ecological systems have begun to emerge. This may include competition between malware, facilitation, parasitism, predation, and density-dependent population regulation. Ecological principles will likely be useful for understanding the effects of these ecological interactions, for example, carrying capacity, species-time and species-area relationships, the unified neutral theory of biodiversity, and the theory of island biogeography. The emerging malware ecology can be viewed as a critical challenge to all aspects of malware defense, including collection, triage, analysis, intelligence estimates, detection, mitigation, and forensics. It can also be viewed as an opportunity. In this position paper, we argue that taking an ecological approach to malware defense will suggest new defenses. In particular, we can exploit the fact that interactions of malware with its environment, and with other malware, are neither fully predictable norfully controllable by the malware author—yet the emergent behavior will follow general ecological principles that can be exploited for malware defense.

For more information, see our papers at this link

Optimizing Fuzzy K-means for network anomaly detection using PSO

Joint work with:S. Dehghanzadeh, and M. Akbarzadeh

  Intrusion detection has become an indispensable defense line in the information security infrastructure. The existing signature-based intrusion detection mechanisms are often not sufficient in detecting many types of attacks. K-means is a popular anomaly intrusion detection method to classify unlabeled data into different categories. However, it suffers from the local convergence and high false alarms. In this paper, two soft computing techniques, fuzzy logic and swarm intelligence, are used to solve these problems. We proposed SFK-means approach which inherits the advantages of K-means, Fuzzy K-means and Swarm K-means, simultaneously we improve the deficiencies. The most advantages of our SFK-means algorithm are solving the local convergence problem in Fuzzy Kmeans and the sharp boundary problem in Swarm Kmeans. The experimental results on dataset KDDCup99 show that our proposed method can be effective in detecting various attacks.

For more information, see our papers at this link

A Fuzzy-Based Multi-criteria Scheduler for Uniform Multiprocessor Real-Time Systems

Joint work with: V. Salmani, N. Khatib-Astaneh, M. Naghibzadeh

  It has been proved that there is no optimal online scheduler for uniform parallel machines. Despite its non- optimality, EDF is an appropriate algorithm to use in such environments. However, its performance significantly drops in overloaded situations. Moreover, EDF produces a relatively large number of migrations which may prove unacceptable for use on some parallel machines. In this paper a new algorithm based on fuzzy logic for scheduling soft real-time tasks on uniform multiprocessors is presented. The performance of this algorithm is then compared with that of EDF algorithm. It is shown that our proposed approach not only demonstrates a performance close to that of EDF in non- overloaded conditions but also has supremacy over EDF in overloaded situations in many aspects. Furthermore, it imposes much less overhead on the system.

For more information, see our papers at this link