Risk, Privacy, and Security in Computer Networks

With an increasingly digitally connected society comes complexity, uncertainty, and risk. Network monitoring, incident management, and digital forensics are of increasing importance with the escalation of cybercrime and other network-supported serious crimes. New laws and regulations governing electronic communications, cybercrime, and data retention are continuously being proposed, requiring new methods and tools.

This thesis introduces a novel approach to real-time network risk assessment based on hidden Markov models, which represent the likelihood of transitions between security states. The method measures risk as a composition of the risk of individual hosts, providing a precise, fine-grained model for assessing risk and giving decision support for incident response. The approach has been integrated with an existing framework for distributed, large-scale intrusion detection, and the results of the risk assessment are applied to prioritize the alerts produced by the intrusion detection sensors. Using this implementation, the approach is evaluated on both simulated and real-world data.

Network monitoring can encompass large networks and process enormous amounts of data, and the practice and its ubiquity can represent a great threat to the privacy and confidentiality of network users. Existing measures for anonymization and pseudonymization are analyzed with respect to the trade-off between performing meaningful data analysis and protecting the identities of the users. The results demonstrate that most existing solutions for pseudonymization are vulnerable to a range of attacks. As a solution, some remedies for strengthening the schemes are proposed, and a method for unlinkable transaction pseudonyms is considered.

Finally, a novel method for performing digital forensic reconstructions in a virtual security testbed is proposed. Based on a hypothesis about the security incident in question, the testbed is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate reconstruction experiments in digital forensics. Two examples are given to demonstrate the approach: one overview example based on the Trojan defense and one detailed example of a multi-step attack. Although a reconstruction can neither prove a hypothesis with absolute certainty nor exclude the correctness of other hypotheses, a standardized environment combined with event reconstruction and testing can lend credibility to an investigation and can be a valuable asset in court.
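The risk-assessment idea in the first part of the abstract, as an added example that is not the thesis's own code: each host is modelled by a small discrete-time hidden Markov model over security states, the forward algorithm updates the state distribution from the alert classes a sensor reports, host risk is the expected cost of the state, network risk is the sum over hosts, and alerts are ranked by the host risk they produce. The state names, transition and observation matrices, costs and the alert stream are all assumed values constructed for illustration; the thesis's own model and parameters are not reproduced here.

```python
"""Per-host HMM risk assessment (added example; all values are constructed)."""

STATES = ("good", "attacked", "compromised")
COST = {"good": 0.0, "attacked": 5.0, "compromised": 20.0}  # assumed state costs

# Transition probabilities P[i][j]: likelihood that a host moves from security
# state i to state j between two sensor observations (assumed values).
P = {
    "good":        {"good": 0.90, "attacked": 0.09, "compromised": 0.01},
    "attacked":    {"good": 0.30, "attacked": 0.50, "compromised": 0.20},
    "compromised": {"good": 0.05, "attacked": 0.05, "compromised": 0.90},
}
# Observation probabilities Q[state][symbol]: how likely a sensor is to report
# each alert class while the host is in a given state (assumed values).
Q = {
    "good":        {"none": 0.90, "scan": 0.08, "exploit": 0.02},
    "attacked":    {"none": 0.30, "scan": 0.50, "exploit": 0.20},
    "compromised": {"none": 0.40, "scan": 0.10, "exploit": 0.50},
}

def forward_step(belief, symbol):
    """One forward-algorithm step: predict with P, weight by Q, renormalize."""
    unnorm = {j: sum(belief[i] * P[i][j] for i in STATES) * Q[j][symbol]
              for j in STATES}
    total = sum(unnorm.values())
    return {j: v / total for j, v in unnorm.items()}

def host_risk(belief):
    """Risk of one host = expected cost of its current security state."""
    return sum(belief[s] * COST[s] for s in STATES)

def assess(alerts, hosts):
    """Replay sensor alerts in arrival order. Returns the per-host beliefs,
    the network risk (sum over hosts) and the alerts ranked by the host risk
    each one produced, highest first (the prioritization step)."""
    beliefs = {h: {"good": 1.0, "attacked": 0.0, "compromised": 0.0} for h in hosts}
    ranked = []
    for host, symbol in alerts:
        beliefs[host] = forward_step(beliefs[host], symbol)
        ranked.append((host_risk(beliefs[host]), host, symbol))
    network_risk = sum(host_risk(b) for b in beliefs.values())
    return beliefs, network_risk, sorted(ranked, reverse=True)

# Constructed sensor stream: (host, alert class) in arrival order.
ALERTS = [("web", "scan"), ("db", "none"), ("web", "exploit"),
          ("db", "scan"), ("web", "exploit")]

if __name__ == "__main__":
    beliefs, total, ranked = assess(ALERTS, ("web", "db"))
    for risk, host, symbol in ranked:
        print(f"{host:4s} {symbol:8s} risk={risk:6.2f}")
    print(f"network risk = {total:.2f}")
```

Two "exploit" alerts against the same host push its belief toward the compromised state and therefore to the top of the ranking, while an isolated "scan" on a host whose previous observation was quiet stays low.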
