Network Security

Improving the Security of a Science DMZ (NSF, 2016 - 2020)

On a science DMZ, far more data is moved than can be analyzed for security issues, in contrast to a conventional network. So, usually, when a connection starts, the initial data is sampled and analyzed without blocking the connection. If the analysis shows it is not within policy (i.e., malicious), a filter rule is added to the router to drop packets in that connection. Our proposal is to sample not just at the beginning, but at various times while the connection is active; that way, we gain more insight into the connection and, in particular, if something malicious starts *during* the connection, we have a chance to detect it and either drop the connection or take some other appropriate action. In order to sample network flows as many times as possible without impacting either the throughput of the flow or the effectiveness of the security analysis done by intrusion detection mechanisms, a key question is how to reduce the time needed for the analysis. Our approach is to examine how to speed up intrusion detection systems using GPUs. One obvious question is what to do when suspicious flows are identified. We will examine both technical and procedural methods; our focus will be on slowing down the flow to a rate at which it can be analyzed thoroughly and then, if it is indeed malicious, providing information to the CISO's office so they can take action. If the flow is not malicious (i.e., a false positive, as confirmed by the more detailed analysis), the rate reduction will cease. Throughout, we will work closely with the campus IT organization, especially the networking and security groups, to obtain the best possible results and to ensure we do not interfere with production work.
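
The sample-then-act lifecycle above, as an added example that is not the project's code: a per-flow monitor samples the first packets of each flow and, in the periodic variant, re-samples at intervals; a suspicious sample rate-limits the flow, and a deeper pass over the slowed flow either drops it and records the hand-off to the CISO's office or restores the rate. The byte signature, the thresholds, the three-flow trace and the "drop+notify" action are constructed stand-ins for a real IDS, real policy and real traffic.

```python
"""Sampling-based monitoring of flows on a high-throughput (science DMZ) link.

Added example; it is not the project's code.  The intrusion detection step is a
stand-in: a constructed byte signature scored per packet.  Two monitors run over
the same constructed trace: one samples only the first packets of each flow
(the conventional design), the other re-samples periodically and applies the
rate-limit / deeper analysis / drop-or-restore lifecycle described above.
"""
from collections import defaultdict

SIGNATURE = b"ATTACK-MARKER"   # constructed stand-in for an IDS rule set
SAMPLE_SIZE = 4                # packets inspected per (cheap) sample
RESAMPLE_EVERY = 20            # periodic monitor: take a new sample every 20 packets
CONFIRM_WINDOW = 20            # packets inspected in depth while rate-limited
CONFIRM_FRACTION = 0.25        # deep analysis confirms if >= this fraction match


def ids_score(payloads):
    """Toy IDS: fraction of inspected packets that match the signature."""
    return sum(SIGNATURE in p for p in payloads) / len(payloads) if payloads else 0.0


class FlowMonitor:
    """Per-flow state machine: ALLOW -> RATE_LIMITED -> (DROPPED | ALLOW)."""

    def __init__(self, periodic):
        self.periodic = periodic
        self.state = {}
        self.seen = defaultdict(int)      # packets seen per flow (sampling clock)
        self.window = defaultdict(list)   # payloads collected for the current sample/window
        self.actions = []                 # (flow, action) in the order taken

    def on_packet(self, flow, payload):
        """Return the disposition of this packet: forward, rate-limited or drop."""
        state = self.state.setdefault(flow, "ALLOW")
        if state == "DROPPED":
            return "drop"                 # filter rule already installed on the router
        n = self.seen[flow]
        self.seen[flow] += 1
        buf = self.window[flow]
        if state == "RATE_LIMITED":
            # Flow is slowed down; every packet gets the thorough analysis.
            buf.append(payload)
            if len(buf) >= CONFIRM_WINDOW:
                confirmed = ids_score(buf) >= CONFIRM_FRACTION
                self.state[flow] = "DROPPED" if confirmed else "ALLOW"
                self.actions.append((flow, "drop+notify" if confirmed else "restore-rate"))
                buf.clear()
            return "rate-limited"
        # ALLOW: cheap sampling without blocking; initial-only and periodic differ here.
        in_sample = n < SAMPLE_SIZE or (self.periodic and n % RESAMPLE_EVERY < SAMPLE_SIZE)
        if in_sample:
            buf.append(payload)
            if len(buf) >= SAMPLE_SIZE:
                if ids_score(buf) > 0.0:
                    self.state[flow] = "RATE_LIMITED"
                    self.actions.append((flow, "rate-limit"))
                buf.clear()
        return "forward"


def build_trace(packets_per_flow=80):
    """Constructed trace, round-robin over three flows:
    A is benign throughout; B turns malicious at its 30th packet;
    C has a single isolated signature hit (a false positive for the cheap sample)."""
    trace = []
    for i in range(packets_per_flow):
        trace.append(("A", b"DATA-%05d" % i))
        trace.append(("B", b"ATTACK-MARKER %d" % i if i >= 30 else b"DATA-%05d" % i))
        trace.append(("C", b"report quoting ATTACK-MARKER" if i == 21 else b"DATA-%05d" % i))
    return trace


def run_monitor(periodic):
    """Feed the trace through a monitor; return its actions and per-flow drop counts."""
    mon = FlowMonitor(periodic)
    dropped = defaultdict(int)
    for flow, payload in build_trace():
        if mon.on_packet(flow, payload) == "drop":
            dropped[flow] += 1
    return mon.actions, dict(dropped)


if __name__ == "__main__":
    print("initial-only:", run_monitor(periodic=False))
    print("periodic:    ", run_monitor(periodic=True))
```

The initial-only monitor never acts on flow B, because B turned malicious after its first sample was taken; that is the gap periodic re-sampling closes. Flow C shows why a suspicious sample should slow the flow rather than drop it: the deeper pass over the rate-limited window finds no sustained match and restores the rate instead of cutting a legitimate transfer.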

Scaling the Performance of Network Security Applications Using Massively Parallel Processing Array (MPPA) Architectures (NSF, 2010 - 2014)

A wide variety of network security applications (malware detection, rule-based network intrusion detection, covert channel detection, etc.) require packet inspection and processing. The processing is required not only on individual packets but also on sequences of packets and across flows to detect security policy breaches and attacks. Performing these functions at very high network line rates (10 Gbps now, soon scaling to 40 to 100 Gbps) is critical to safeguarding enterprise networks. Solutions based on Field Programmable Gate Arrays (FPGAs) and/or multi-core CPUs have limitations with regard to performance, flexibility, power, and programmability. In this research project, we propose to investigate the applicability of Massively Parallel Processing Array (MPPA) architectures to scale packet processing and analysis tasks to meet the security challenges presented by next-generation high-speed networks. MPPA-based parallel processing devices have a number of advantages that make them particularly attractive for parallelizing stream-based, data-intensive computation. For example, they use a large number of low-clock-rate processors, which allows them to provide significant computing capability while consuming relatively little power. Furthermore, these devices provide a processor interconnection topology that guarantees bounded communication delays between processors. Additionally, since the interconnection network is programmable, the parallel implementation of an algorithm can be optimized by programming the interconnect to match the parallelism in the algorithm. Finally, MPPA devices provide high-level language support that can make programming them much easier than FPGA-based systems.

Timing Channels (NSF)

Covert channels exploit open, overt communication as the carrier to transmit secret messages. The plethora of Internet traffic offers an ideal high-bandwidth carrier for covert communication. A specific type of covert channel is the covert timing channel (CTC): when Internet traffic is the medium, the sender encodes a message by manipulating the transmission times of packets produced by legitimate applications, and the receiver observes the arrival times of the packets and, using a shared code-book, decodes the message. The focus of this research project is on such CTCs. There are two main requirements in the design of CTCs: robustness and security. The robustness requirement stems from the fact that the covert channel established between two hosts must tolerate the packet loss, delay, and jitter introduced both by the network and by an active adversary employing timing jammers. The security requirement originates from the goal that a passive adversary should be able neither to detect the CTC nor to decode the covert message. Undetectability implies that the inter-packet delays of the covert traffic mimic, and ideally match, the inter-packet delay distribution of the overt traffic. The primary goal of this research is to build upon the current work and to design and implement robust and secure CTCs for overt traffic generated by real applications.
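
A model-based CTC in the sense described above, as an added example that is not the group's code: the sender maps each symbol to an inter-packet delay drawn from one of M equal-probability quantile bins of the overt-traffic model, the receiver inverts that mapping with the shared model, Gaussian jitter stands in for the network and an active timing jammer, and a Kolmogorov-Smirnov distance plays the passive warden. The exponential model with a 20 ms mean, the jitter level, the message bits and the naive on/off channel used for comparison are all assumptions of this example.

```python
"""Model-based covert timing channel (CTC): encoding, decoding, jitter, detection.

Added example; it is not code from the research group.  Assumptions (not from
the page): the overt application's inter-packet delays (IPDs) are modeled as
exponential with mean 20 ms, the network plus an active jammer add Gaussian
jitter, and the shared code-book is the set of M equal-probability quantile
bins of that model.
"""
import math
import random

MEAN_IPD = 0.020             # assumed overt IPD model: exponential, mean 20 ms
RATE = 1.0 / MEAN_IPD


def model_cdf(x):
    """CDF of the shared overt-traffic IPD model."""
    return 0.0 if x <= 0.0 else 1.0 - math.exp(-RATE * x)


def model_inv_cdf(u):
    """Inverse CDF: maps a quantile u in [0, 1) to an IPD in seconds."""
    return -math.log(1.0 - u) / RATE


def bits_to_symbols(bits, bits_per_symbol):
    return [int("".join(map(str, bits[i:i + bits_per_symbol])), 2)
            for i in range(0, len(bits), bits_per_symbol)]


def symbols_to_bits(symbols, bits_per_symbol):
    return [int(c) for s in symbols for c in format(s, "0%db" % bits_per_symbol)]


def encode(bits, bits_per_symbol, rng):
    """Sender: symbol s becomes an IPD drawn uniformly from the s-th quantile bin.

    Each bin holds 1/M of the model's probability mass, so with a roughly
    uniform symbol stream the covert IPDs follow the overt model (undetectability)."""
    m = 1 << bits_per_symbol
    return [model_inv_cdf(rng.uniform(s / m, (s + 1) / m))
            for s in bits_to_symbols(bits, bits_per_symbol)]


def decode(ipds, bits_per_symbol):
    """Receiver: the quantile bin containing model_cdf(IPD) is the symbol."""
    m = 1 << bits_per_symbol
    return symbols_to_bits([min(m - 1, int(model_cdf(d) * m)) for d in ipds],
                           bits_per_symbol)


def jitter_channel(ipds, sigma, rng):
    """Network delay variation plus a timing jammer, modeled as Gaussian jitter;
    an IPD can never become negative."""
    return [max(0.0, d + rng.gauss(0.0, sigma)) for d in ipds]


def bit_error_rate(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def ks_distance(ipds):
    """Kolmogorov-Smirnov distance between observed IPDs and the overt model:
    a passive warden's detection statistic (the smaller, the harder to detect)."""
    xs = sorted(ipds)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        f = model_cdf(x)
        d = max(d, (i + 1) / n - f, f - i / n)
    return d


def onoff_encode(bits, short=0.005, long=0.040):
    """Naive CTC: one fixed IPD per bit value.  Trivial to decode, but its IPD
    distribution (two spikes) is far from the overt model."""
    return [long if b else short for b in bits]


def demo(n_bits=512, bits_per_symbol=1, sigma=0.003, seed=42):
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]   # constructed covert message
    covert = encode(bits, bits_per_symbol, rng)
    noisy = jitter_channel(covert, sigma, rng)
    return {
        "clean_ber": bit_error_rate(bits, decode(covert, bits_per_symbol)),
        "jitter_ber": bit_error_rate(bits, decode(noisy, bits_per_symbol)),
        "ks_model_based": ks_distance(covert),
        "ks_onoff": ks_distance(onoff_encode(bits)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-15s %.3f" % (name, value))
```

Without jitter the decode is exact; with 3 ms of jitter, symbols whose IPD falls near a bin boundary flip, which is the robustness problem the passage raises (the group's later papers address it with error-correcting fountain codes). The KS distance shows the security side: the model-based channel's IPDs are statistically close to the overt model, while the on/off channel's two-spike distribution is far from it and trivially flagged.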

Collaborative Research: CRI: A Testbed for Research and Development of Secure IP Multimedia Communication Services (NSF, 2008 - 2010)

This project is funded by the National Science Foundation; the main site is the University of North Texas at Denton. A Test-bed to Study Security Issues in IP Telephony (funded by NSF): Over the past few years, there has been rapid development and deployment of new strategic services using the IP protocol, including Voice-over-IP (VoIP), peer-to-peer, and IP-based media distribution (IPTV). These services ride on private and public IP networks and share their network with other services, such as web traffic. These new services are being aggressively deployed, and it is estimated that in a few years most enterprises and residences will be transitioning from circuit-switched telephony to VoIP services. For example, the Department of Defense (DoD) and the Navy have announced the deployment of 400,000 and 300,000 IP phones, respectively. Similarly, Bank of America, American Airlines, and Ford Motor Company have announced plans for migration. It is envisioned that interactive multimedia and broadcast video services will reuse the infrastructure being deployed for VoIP. The new services require security, robustness, and quality of service beyond those needed for email, web access, and the like. Mobility adds another dimension of complexity to these new services. With the increasing penetration of the new services, the IP-based multimedia communications service will become a critical infrastructure. The goal of this infrastructure acquisition project is to create a testbed supporting experiments for the research, development, and testing of inter-domain security and QoS mechanisms for new services such as voice, multimedia, and video. In addition, we plan to experiment with next-generation emergency calling for VoIP systems.

A Security Architecture for IP Telephony (NSF, 2004-2007)

IP telephony is a complex application involving multiple layers of the protocol stack and interactions among multiple network devices. The complexity is exacerbated by two additional factors: 1) the requirement that IP telephony interoperate with the Public Switched Telephone Network (PSTN), and 2) the requirement that IP telephony function with existing network middle-boxes such as network address translators (NATs) and firewalls. These complexities introduce vulnerabilities that are prone to both known and, perhaps, new forms of attacks. The goals of this focused research are 1) to perform a comprehensive vulnerability analysis of IP telephony and 2) to design a security architecture to counter various types of denial-of-service (DoS) attacks in IP telephony.

People

* Current participants are in bold.

Ross Gegan (PhD Student)

Brian Perry (PhD Student)

Somdutta Bose (PhD Student)

Ming Zhu (PhD Student)

Matt Bishop (Professor, UCDavis)

Sean Peisert (Staff Scientist, LBL)

Dipak Ghosal (Professor, UCDavis)

Weiwei Liu (Visitor, Nanjing University of Science and Technology, China)

Arnab Kumar Biswas (Visitor, Indian Institute of Science, Bangalore, India)

Shishir Nagaraja (University of Birmingham)

Rennie Archibald (PhD Student)

Cherita Corbett (SRI)

Tracy Liu (PhD Student)

S Felix Wu (Professor, UCDavis)

Brennan Reynolds (MS Student)

Publications

  1. Ross Gegan, Christina Mao, Dipak Ghosal, Matt Bishop, and Sean Peisert, Anomaly Detection for Science DMZs Using System Performance Data, International Conference on Computing, Networking and Communications (ICNC 2020), Big Island, Hawaii, USA, February 17-20, 2020.
  2. Arnab Kumar Biswas, Dipak Ghosal, and Shishir Nagaraja, A Survey of Timing Channels and Countermeasures, ACM Computing Surveys (CSUR), Volume 50, Issue 1, April 2017.
  3. Rennie Archibald and Dipak Ghosal, Design and Performance Evaluation of a Covert Timing Channel, Security and Communication Networks 9, no. 8 (2016): 755-770.
  4. Weiwei Liu, Guangjie Liu, Jiangtao Zhai, Yuewei Dai, and Dipak Ghosal, Designing Analog Fountain Timing Channels: Undetectability, Robustness and Model-Adaptation, IEEE Transactions on Information Forensics and Security, 11(4), 677-690, 2016.
  5. Ross Gegan, Rennie Archibald, Matthew Farrens, and Dipak Ghosal, Performance Analysis of Real-Time Covert Timing Channel Detection Using a Parallel System, 9th International Conference on Network and System Security (NSS 2015), New York City, USA, November 3-5, 2015.
  6. Rennie Archibald and Dipak Ghosal, Design and Analysis of a Model-Based Covert Timing Channel for Skype Traffic, 2015 IEEE Conference on Communications and Network Security (IEEE CNS 2015), Florence, Italy, September/October 2015.
  7. Rennie Archibald and Dipak Ghosal, A Comparative Analysis of Detection Metrics for Covert Timing Channels, Computers & Security, May 2014.
  8. Matthias Kirchner and Dipak Ghosal (eds.), Information Hiding: 14th International Conference, IH 2012, Berkeley, CA, USA, May 15-18, 2012, Revised Selected Papers, Lecture Notes in Computer Science 7692, Springer, 2013, ISBN 978-3-642-36372-6.
  9. Rennie Archibald and Dipak Ghosal, A Covert Timing Channel Based on Fountain Codes, IEEE TrustCom 2012, ACS Workshop, Liverpool, UK, June 2012.
  10. Rennie Archibald, Cherita Corbett, Yali Liu, and Dipak Ghosal, Disambiguating HTTP: Classifying Web Applications, IWCMC 2011 Traffic Analysis and Classification Workshop, Istanbul, Turkey, July 2011.
  11. Yali Liu, Dipak Ghosal, Biswanath Mukherjee, and Ahmad-Reza Sadeghi, Video Streaming Forensic: Content Identification with Traffic Snooping, 13th Information Security Conference (ISC 2010), Boca Raton, Florida, October 25-28, 2010.
  12. Yali Liu, Frederik Armknecht, Dipak Ghosal, Stefan Katzenbeisser, Ahmad-Reza Sadeghi, and Steffen Schulz, Robust and Undetectable Covert Timing Channels for i.i.d. Traffic, 12th Information Hiding Conference (IH 2010), 2010.
  13. Blake C. Mason, Cherita Corbett, and Dipak Ghosal, Evaluation of a Massively Parallel Architecture for Network Security Applications, Proceedings of the 18th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP 2010), Pisa, Italy, February 17-19, 2010.
  14. Yali Liu, Frederik Armknecht, Dipak Ghosal, Stefan Katzenbeisser, Ahmad-Reza Sadeghi, and Steffen Schulz, Hide and Seek in Time: Robust Covert Timing Channels, 14th European Symposium on Research in Computer Security (ESORICS 2009), Saint-Malo, France, September 21-25, 2009.
  15. Yali Liu, Kenneth Chiang, Cherita Corbett, Rennie Archibald, Biswanath Mukherjee, and Dipak Ghosal, A Novel Audio Steganalysis Based on High-Order Statistics of a Distortion Measure with Hausdorff Distance, 11th Information Security Conference (ISC 2008), pp. 487-501, 2008.
  16. Yali Liu, Cherita Corbett, Kenneth Chiang, Rennie Archibald, Biswanath Mukherjee, and Dipak Ghosal, Detecting Sensitive Data Exfiltration by an Insider Attack, Proceedings of the 4th Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW '08), ACM, New York, 2008, pp. 1-3.
  17. Securing Voice over IP, Special Issue of IEEE Network Magazine, co-edited by Ram Dantu, Henning Schulzrinne, and Dipak Ghosal.
  18. Brennan Reynolds and Dipak Ghosal, Secure IP Telephony using Multi-Layer Protection, 10th Annual Network and Distributed System Security Symposium (NDSS 2003), San Diego, California, February 2003.
  19. Brennan Reynolds and Dipak Ghosal, STEM: Secure Telephony Enabled Middlebox, IEEE Communications Magazine, Special Issue on Security in Telecommunication Networks, October 2002.