Security Issues in Computers, Networks, and Sensors
With increased use of heterogeneous networks of wired and wireless computers
and sensors, security issues become far more complex. Rensselaer researchers
are working on solutions to a range of security issues involving intrusions
into secure areas, attacks on individual computers, and attacks on networks.
Detecting Unauthorized Computer Users
Rensselaer researchers have created several systems for unmasking attackers:
Data Mining
Mohammed Zaki, assistant
professor of computer science, has developed ADMIT (Anomaly-based Data
Mining for Intrusions), which detects unauthorized users, including those
who have successfully navigated passwords and other barriers and have
begun to use the system. Using data mining techniques, Dr. Zaki’s system
builds a user profile based on the computer user’s normal patterns of
commands such as “copy” or “delete.” The ADMIT system also takes into
account “drift” in user behavior, changes that develop naturally over a
period of time. Once the training phase is completed, ADMIT warns the
network administrator if clusters of commands on a specific computer are
deviating from the normal use pattern. While a single alarm may not be
unusual, a series of alarms in quick succession notifies the administrator
to check on the user. In tests, ADMIT has been 80 percent accurate in
detecting intruders with only a 15 percent false positive rate.
Mathematical Models
Boleslaw Szymanski,
professor of computer science and founding director of the Center for
Pervasive Computing and Networking at Rensselaer, uses several other
approaches to detect attacks on individual computers. To detect an
intrusion in which an attacker gains unauthorized access to a valid user’s
account and acts disruptively, Dr. Szymanski uses probabilistic state
finite automata (PSFA), mathematical models of computations augmented with
probabilities. They detect anomalies, or variations from the norm. The
system stores information about the normal user’s frequent commands and
the normal order in which they occur, and regularly updates the user’s
profile. PSFAs have proven very successful in detecting unusual behavior.
Dr. Szymanski also uses a system based on the string matching algorithms
developed in bioinformatics for matching DNA sequences. Instead of looking
at strands of DNA, the system analyzes 100 command sequences, aligning the
current session on a specific computer with the user’s signature, seeking
gaps and mismatches.
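The alignment idea described above can be sketched as follows. This is an added example, not the researchers' code: the scoring values, the alert threshold, the function names and the short command lists are all constructed assumptions, and real sessions would be far longer.

```python
# Added illustration: semi-global alignment of a session against a user signature.
# MATCH/MISMATCH/GAP and the 0.5 threshold are assumptions, not published parameters.
MATCH, MISMATCH, GAP = 2, -1, -2

# Constructed sample data: a user's signature and three sessions to test against it.
SIGNATURE = "cd ls vi make gcc ls cd ls mail cat vi make gdb make ls".split()
NORMAL = "vi make gcc ls cd".split()        # appears verbatim in the signature
DRIFTED = "vi make ls cd ls".split()        # same habit, one command skipped
FOREIGN = "find tar scp rm history".split() # commands this user never issues

def align_score(signature, session):
    """Best score aligning all of `session` to any stretch of `signature`.

    Signature commands before and after the aligned stretch cost nothing;
    gaps and mismatches inside it are penalized.
    """
    n = len(signature)
    prev = [0] * (n + 1)                    # empty session: free start anywhere
    for cmd in session:
        cur = [prev[0] + GAP] + [0] * n     # session command paired with nothing
        for j in range(1, n + 1):
            pair = MATCH if signature[j - 1] == cmd else MISMATCH
            cur[j] = max(prev[j - 1] + pair,   # align the two commands
                         prev[j] + GAP,        # extra command in the session
                         cur[j - 1] + GAP)     # signature command skipped
        prev = cur
    return max(prev)                        # free end in the signature

def similarity(signature, session):
    """Score relative to a verbatim match; 1.0 means no gaps or mismatches."""
    return align_score(signature, session) / (MATCH * len(session))

def is_anomalous(signature, session, threshold=0.5):
    return similarity(signature, session) < threshold
```
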
The Conceptor
In another project, Dr. Szymanski uses the Conceptor,
a networked group of processors that use inputs from sensors in a
dynamically changing environment to build a coherent view of that
environment. In an application known as COMMAND (Conceptor Misuse and
Masquerading Nonuser Detection), the Conceptor creates concepts of the
user’s typical behavior and gives a warning when there is too much input
that does not map into the user’s normal concepts.
Network Attacks
Dr. Szymanski’s team is investigating two methods of detecting network attacks.
DOORS
In previous research, he developed DOORS (Distributed Object Oriented
Repository Simulation), a distributed network monitoring tool that sends
out Java-based mobile agents to collect network data with high reliability
and low overhead. The team is adapting that system to collect data that
can be used to recognize and react to attacks such as denial of service,
in which networks are flooded with large numbers of messages from numerous
sources, causing them to crash. Based on a neural network, the system
learns to analyze network traffic and recognize attacks.
Recognizing the Signature
Dr. Szymanski uses time-dependent finite automata, a
type of mathematical model, to recognize the “signature” of certain
attacks in real time so damage can be prevented. Because the system
considers not only specific events but also the time intervals between
events, it is highly accurate in recognizing the attacks it has been
programmed to detect.
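A small time-dependent automaton shows why the intervals matter. This is an added example, not the team's system: the signature, the event names, the interval bounds and the two event streams are constructed assumptions, and the stream is assumed to come from a single source.

```python
# Added illustration of a time-dependent finite automaton. Each step after the
# first constrains the seconds elapsed since the previous step of the signature.
from collections import namedtuple

Step = namedtuple("Step", "event min_gap max_gap")

# Hypothetical signature: three rapid failures, then a success shortly after.
SIGNATURE = [
    Step("auth_fail", 0, float("inf")),   # gap bounds are ignored for the first step
    Step("auth_fail", 0, 2),
    Step("auth_fail", 0, 2),
    Step("auth_ok", 0, 10),
]

# Constructed streams of (seconds, event) from one source.
RAPID = [(0, "auth_fail"), (1, "auth_fail"), (2, "auth_fail"),
         (3, "auth_fail"), (4, "auth_ok")]
SLOW = [(0, "auth_fail"), (5, "auth_fail"), (10, "auth_fail"), (11, "auth_ok")]

def detect(events, signature=SIGNATURE):
    """Return the timestamps at which the signature completes.

    Partial matches are tracked in parallel so that an extra leading event
    (four failures instead of three) cannot hide a later complete match.
    """
    active = []   # partial matches as (index of next step, time of last step)
    hits = []
    for t, event in events:
        advanced = []
        for idx, last in active:
            step = signature[idx]
            if event == step.event and step.min_gap <= t - last <= step.max_gap:
                if idx + 1 == len(signature):
                    hits.append(t)             # final step reached in time
                else:
                    advanced.append((idx + 1, t))
            # otherwise this partial match dies: wrong event or wrong timing
        if event == signature[0].event:
            advanced.append((1, t))            # any first-step event may start a match
        active = advanced
    return hits
```

`SLOW` contains three failures followed by a success, the same event order the signature names, yet only `RAPID` is flagged because its gaps fall inside the bounds.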
Secure Software
Software for
real-time, distributed, mobile applications is subject to a variety of
attacks, and a combination of methods is needed for protection.
David Musser, professor of
computer science, is known for his work on generic software libraries. He
is now looking at ways to develop libraries of security-enhanced generic
components. In some current schemes, proof-carrying code is used, and new
code that comes from an untrusted source or by way of an insecure network
is not accepted until the proofs it carries are checked. Musser suggests
that generic code-carrying proofs can be sent, in which the code is only
implicitly present in the form of the proofs but can be easily extracted
at the consumer end after the proofs are checked. This requires less
memory on the user’s end, an especially important advantage in the case of
embedded systems with tight memory constraints. The use of generic
programming greatly simplifies programming and amortizes costs.
Video Protection Against Intruders
Vera Kettnaker, assistant
professor of computer science at Rensselaer, develops mathematical models
for analyzing video data. Using stochastic models (mathematical models of
time-varying processes based on probability), she is developing a system to
monitor high-security rooms and detect intruders or suspicious behavior by
employees. Security cameras monitor the room, and the images are then
computer processed to detect unusual behavior. Unlike other systems, her
methods place a time stamp on all activities. Computer models of all
employees’ behavior include specific information about their usual movements
and the time these actions take place. (Cleaning employees, for example, may
legitimately enter at night, while other employees are normally seen only
during their work shifts.) If unusual activities are detected, an alarm can
alert security personnel to investigate. Kettnaker has received an NSF
CAREER Award to develop a similar system to detect health emergencies of
senior citizens in their homes.
Network of Sensors: Adapting Security Level to Battery Power
A group of Rensselaer researchers led by Bulent Yener,
associate professor of computer science, is looking at the specific security
problems presented by an ad hoc wireless network with limited battery power,
such as a group of tiny observation sensors deployed by the military. Yener,
Boleslaw Szymanski, and
Tong Zhang, assistant professor of electrical, computer,
and systems engineering (ECSE), are designing an on-line controller that can
adapt and make intelligent decisions about the level of security that will
be provided as battery power diminishes.
Security Gaps at the Border
The worldwide Internet is actually a group of networks, and messages that
travel around the world must move smoothly from network to network. The
Border Gateway Protocol (BGP), which regulates passage of messages from one
network to another, contains security gaps, according to
Biplab Sikdar, ECSE assistant
professor. He leads a Rensselaer group that is working to understand these
gaps and to design a security system for each potential attack scenario. His
group is seeking ways to optimize the way BGP processes messages and is
building models of possible attacks in the form of “trees,” a basic method
of arranging and storing data.