Browsing by Author "Locasto, Michael"
Now showing 1 - 7 of 7
- Anomaly detection in edge networks (2012-08-01). Authors: Iqbal, Faisal; Williamson, Carey; Locasto, Michael. Abstract: Anomalies are unusual and unexpected events in the network that do not conform to the normal network activity. Accurate and agile anomaly identification is critical for reliable operation of the network. However, identifying complex anomalies within voluminous and diverse network traffic is a challenging task. This problem is further complicated when anomaly detection techniques designed for backbone networks are deployed in edge networks, producing low accuracy and many false alarms. This thesis reports the anomaly detection performance of three techniques in a large edge network. I enhance two backbone network techniques, BasisDetect and PCA, to work in edge networks. I also develop Gradient, a simple gradient-based multi-resolution anomaly detection technique that performs efficiently in practice. The experiments are performed on a dataset spanning 23 months with periods of high and low network activity. The diverse sets of hosts in the network included servers, wireless devices, and residential users. I assess the detection performance using several metrics, including detection accuracy, robustness, and sensitivity to training sets and traffic volumes. I also analyze the impact of configuration parameters on the performance of anomaly detection techniques. My results show that both BasisDetect and Gradient generally perform with high accuracy in edge networks. BasisDetect lacks robustness over a long period of time, but this deficiency can be addressed with periodic retraining. PCA, however, has low detection accuracy and generates many false alarms.
- Babel: A Secure Computer is a Polyglot (2012-06-13T22:23:58Z). Authors: Aycock, John; Castro, Daniel Medeiros Nunes de; Locasto, Michael; Jarabek, Chris. Abstract: Why should a user's computer be trusted at all? We propose a new model of the computer, Babel, that makes a user's computer appear as it normally would, but is actually untrusted to the point where it cannot run the code installed on it. Each computer, each process, speaks a different language, and a translator on the network is needed to allow a user's computer to execute code. This has enormous implications. The user gets continuous protection, and multiple kinds of protection, with no need for security updates or patches. At the same time, the user effectively has an adjustable control that they can set based on their risk assessment and need for privacy. Babel can work perfectly well alongside existing systems, and opens new markets for security.
- Building Babel - Towards a Security System through Co-dependency and Diversity (2015-12-24). Authors: de Castro, Daniel Medeiros Nunes; Aycock, John Daniel; Williamson, Carey; Locasto, Michael; Far, Behrouz; Miller, James. Abstract: A common misconception in computer security is that a computer is able to evaluate whether or not it is compromised. However, if we consider a compromised system, the evaluation is not reliable, thus meaningless. By reducing the set of trusted software components to a minimum size, allowing feasible verification of security, and by having the evaluation of any other software happening physically apart from the computer in question, we could avoid contamination of the evaluation process. This research project called "Babel" consists of an innovative approach for computer security. We envision a system where, from the user's viewpoint, everything seems exactly the same, but the computer is unable, by itself, to execute any installed software. Babel requires a third party to incrementally translate all or part of a program, thus allowing the program to be executed. We call this requirement for an external party "secure co-dependency". Babel assumes that the computer and each program running on this computer speak a different language. We imagine these different languages as instructions for different processors, which can be implemented as virtual machines (VMs). The computer needs to communicate to an external interpreter to execute any program. This interpreter not only translates code instructions but it also performs security checks. Inspired by the idea of software diversity, we use different languages among processes to enforce co-dependency. Additionally, software diversity makes it harder for adversaries (malicious software or external attackers) to infect or disrupt program execution.
  Babel consists of two main, separate systems: a client with the operating system where users run their programs; and a server, responsible for translation and for security checks. Babel components consist basically of a flexible VM (where we can define different instruction sets and registers for each instance) and a communication module. On the server side, the main components of Babel are a translator (or interpreter), which initially provides a VM specification and later on translates the programs to that VM, and a security checker responsible for detecting malicious activity. This dissertation documents our experiences and successes developing a proof-of-concept of Babel.
- Classifying the Data Semantics of Patches (2013-09-04). Authors: Locasto, Michael; Gonzalez, Robin. Abstract: Patching software remains a key defensive technique for mitigating flaws and vulnerabilities. Patches, however, entail complications that are hard to predict. Patches can be incomplete or incorrect, thereby not fully addressing the targeted flaw or introducing new bugs and unintended behavior. System administrators and owners are often at a loss to assess the risk that applying a patch might carry. Without a lengthy evaluation, they cannot predict how the patch will behave in or affect their environment. Such obstacles often prevent the use of hot patching or dynamic software updating. One major obstacle to hot patching arises from the desynchronization of existing data with the patch's new code semantics. This paper adopts a machine learning approach to assist this kind of prediction: whether the patch contains elements that are likely to cause problems if the patch is applied to the running system. We drive this automated assessment (based on a Support Vector Machine) via an analysis of the control and data modification operations in the patch. Our SVM classifies a set of 25 unlabeled patches with 92% accuracy. As a baseline, it also classifies its testing set of 50 patches (blindly, without labels) with 84% accuracy.
- DPL: A Data Patching Language (2014-02-05). Authors: Gonzalez, Robin; Locasto, Michael. Abstract: Patching applications remains one of the most effective techniques for defending against exploitation of vulnerabilities and is a basic defensive mechanism against attacks. However, it entails unwanted complications for the user, such as restarting the application after it gets patched. Restarting the application influences the user to stop updating applications and operating systems, leaving out-of-date software that presents an attractive target for exploitation. Even though many authors address this issue by proposing frameworks and tools for applying these patches on the fly, most modern systems and applications do not implement this technique. One of the biggest challenges for mainstreaming this technique is the fact that patches not only change source code but also the state or semantics of the application. This thesis proposes a mechanism that aids the activity of hot-patching applications by updating their data semantics while dynamically applying a patch. More precisely, the mechanism updates the data structures of an application according to what a patch entails, making sure that the application's state is updated according to the new semantics introduced by the patch. For this, we present a proof of concept of a framework that is capable of patching the data semantics (i.e., data structure modifications according to a security patch) of an application. This thesis explores the question of what makes a patch feasible for hot-patching according to how it modifies the semantics of an application. We also study the application of machine learning algorithms to predict patches that were considered to be feasible for hot-patching based on an empirical study. We also explain the design and implementation of a proof of concept capable of hot-patching data structures of applications.
  As in many other scientific studies, we found that there is a subset of patches that we are not able to use for hot-patching because of the operations they are introducing. By studying this subset of patches, we learned that certain data operations introduce changes in the control flow that can create conflicts when hot-patching. We explain what type of operations defined a patch to be infeasible, according to our heuristics, and we hot-patched the statements that we found to be feasible. Our system is capable of hot-patching different types of data structures according to the aforementioned feasible operations with a very low performance overhead. At the end, we present the evaluation and results of our investigation. We learned that 13 out of 75 security patches that modify data structures are not feasible to implement using our heuristics, making them difficult to update because of the semantics the patch introduces. On the other hand, we found 38 out of 75 security patches feasible to implement by using our set of data operations, and the remaining 24 were not modifying data semantics. In conclusion, we found that, if patch developers are aware of the type of statements that introduce conflicts when hot-patching, they could make hot-patching a feasible activity.
- Kernel-assisted Pattern Analysis of Memory Events (2015-06-26). Authors: Laing, Sarah; Locasto, Michael; Aycock, John. Abstract: Memory interception is used to create a record of a program's execution. Filtering the intercepted memory events enables one to find patterns in the memory accesses of a target program, patterns that can be used to find errors or vulnerabilities in the program. We present Cage, a kernel-level mechanism for intercepting and filtering the memory events of a user-level process. Cage uses a technique that generates a page fault for every instruction-level memory access. The filtering component of Cage extends and uses the Berkeley Packet Filter infrastructure to filter memory events that have been intercepted. In the page fault handler, information related to the memory event is composed into a packet-like format and exported over a specialized memory network device. Standard network packet capture tools such as Wireshark can be used to capture from the memory network device to retrieve the information about each memory event.
- The Impact of Ethical Regulation and Developer Reputation Scoring on Information Security Professionalism Practice (2016-01-05). Authors: Chukuka, Benedict; Locasto, Michael; Aycock, John; Hagen, Gregory. Abstract: We consider the forces of ethical regulation and developer licensing in a software liability attribution regime as two factors that may influence the information security discipline. We conduct investigations that serve to provide insight into how these forces may play out in a regulatory environment of the future. Our first investigation entails a broad survey of ethical policies governing information security courses, and thus, the student trainee experience. We demonstrate the feasibility of fusing current divergent ethical policies into a standard policy on information security. Accordingly, we derive an ethical policy prototype that is based on the common elements of 329 different ethical policies. In our second investigation, we demonstrate a model for determining security reputation scores for individual software developers based on historical introduction of security bugs into source code. We employ information on 1,119 security bugs to compute developer reputation scores across 9 open source software development projects.