Upload
orly
View
55
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Imad H. Elhajj American University of Beirut Electrical and Computer Engineering [email protected] ITU-T Study Group 17 February 2012. Cyber Security Research at AUB. Macro. Macro. Micro. Nano. Nano. Play. Offices & Lab. AUB (Founded in 1866). Electrical and Computer Engineering. - PowerPoint PPT Presentation
Citation preview
AUB Department of Electrical and Computer Engineering
Imad H. Elhajj American University of Beirut
Electrical and Computer [email protected]
ITU-T Study Group 17February 2012
Cyber Security Research at AUB
AUB Department of Electrical and Computer Engineering
Macro
AUB Department of Electrical and Computer Engineering
Macro
AUB Department of Electrical and Computer Engineering
Micro
AUB Department of Electrical and Computer Engineering
Nano
AUB Department of Electrical and Computer Engineering
Nano
AUB Department of Electrical and Computer Engineering
Offices & Lab
Play
AUB Department of Electrical and Computer Engineering
AUB (Founded in 1866)
AUB Department of Electrical and Computer Engineering
Electrical and Computer Engineering
AUB 7,500 students 73-acre Campus
ECE 620 Undergraduate students 50 Graduate students 26 Full-time faculty members Opportunities for graduate students and
collaboration
AUB Department of Electrical and Computer Engineering
Security Group At AUB
Dr. Ayman Kayssi Dr. Ali Chehab Dr. Imad Elhajj 3 PhD Students 12 MS Students 10 Undergraduate Students
AUB Department of Electrical and Computer Engineering
Areas of Research
Wireless mobile networks Energy aware Internet Industrial Cloud Misc: VANETs, RFID, wireless sensor
networks, body sensor networks
AUB Department of Electrical and Computer Engineering
Research Relevance to ITU-T SG17 Questions
QUESTIONS TITLEQ 1/17 Telecommunications systems security project Q 4/17 Cybersecurity Q 6/17 Security aspects of ubiquitous telecommunication
services Q 7/17 Secure application services Q 8/17 Service oriented architecture security
Q 10/17 Identity management architecture and mechanisms Q 11/17 Directory services, Directory systems, and public-
key/attribute certificates
AUB Department of Electrical and Computer Engineering
Wireless Mobile Network Security
AUB Department of Electrical and Computer Engineering
Wireless Signaling: Vulnerabilities, Detection and Mitigation
TELUS corporation funded research
AUB Department of Electrical and Computer Engineering
Signaling
AUB Department of Electrical and Computer Engineering
Signaling Research
1) Developing a detection algorithm for unusual signaling activities originating from a wireless device
2) Devising granular mitigation techniques3) Effects of signaling on the backbone
AUB Department of Electrical and Computer Engineering
Energy Aware
AUB Department of Electrical and Computer Engineering
Security Using Mobile Devices
• Security functions are energy consuming• Human perception limitations reduce security
requirements• “the quick brown fox jumped over the lazy
dog” requires 44 bytes of storage capacity in textual format
• Same sentence requires 3000 bytes of data when it is spoken and encoded by G.729 encoder
AUB Department of Electrical and Computer Engineering
Audio Experiment
AUB Department of Electrical and Computer Engineering
G.711
0 10 20 30 40 50 60 700
0.05
0.1
0.15
0.2
0.25
E3VoIP2 N=15 Average N=15 SRTP
Packets
mill
isec
onds
AUB Department of Electrical and Computer Engineering
Internet Security
AUB Department of Electrical and Computer Engineering
IP Spoofing Detection
Round Trip Time to Improve Hop Count Filtering
AUB Department of Electrical and Computer Engineering
Thwarting Cache Poisoning Attacks in DNS
Decrease the success probability of DNS spoofing and cache poisoning by preventing man-in-the-middle attacks
Provide a backward compatible and simple security solution with low computation and communication overhead
Target the different DNS query interaction models Employ an efficient Identity-Based Encryption key
management scheme that relieves the different DNS interacting entities from the burden and complexities of traditional public-key infrastructures
AUB Department of Electrical and Computer Engineering
Secure Delay-Tolerant Communications in the Presence of Oppressive Governments
Develop a secure delay-tolerant network system – Enable citizens to communicate freely in an
environment where public communication methods, are intercepted and used by the authorities to monitor civilian activities.
The proposed system is composed of several disconnected zones – Data marshals between private key generators and
normal nodes in different zones – Uses mobile gateway nodes that carry messages
between the different zones
AUB Department of Electrical and Computer Engineering
PKG3
CELL3
Mobile Gateway
Data Broadcast
CELL2
PKG2
PKG1
CELL1
Mobile Gateway
Data Broadcast
DTN Network Model
AUB Department of Electrical and Computer Engineering
Industrial Security
AUB Department of Electrical and Computer Engineering
Automation and BMS
Stuxnet PLC and SCADA vulnerabilities BMS vulnerabilities Industrial IDS
AUB Department of Electrical and Computer Engineering
Security in Cloud Computing
AUB Department of Electrical and Computer Engineering
Hardware-based Security for Ensuring Data Privacy in the Cloud
• A set of hardware-based security mechanisms for ensuring the privacy, integrity, and legal compliance of customer data as it is stored and processed in the cloud.
• Leverage the tamper-proof capabilities of cryptographic coprocessors to establish a secure execution domain in the computing cloud that is physically and logically protected from unauthorized access.
• Provide a privacy feedback protocol to inform users of the different privacy operations applied on their data and to make them aware of any data leaks or risks that may jeopardize the confidentiality of their sensitive information.
AUB Department of Electrical and Computer Engineering
CSP Cloud Customer
Virtual Machine
Cloud Service Provider (CSP) Physical Hardware Trusted Third Party (TTP)
Virtual Machine using a Crypto Coprocessor
TTP
Services Layer
Storage Facility
Crypto Coprocessor
Privacy categorized data and software
Output results and privacy feedback
Configured Crypto
PasS system and interaction model
AUB Department of Electrical and Computer Engineering
Reputation as a Service
• RaaS is a secure and accountable reputation system for ranking service providers in cloud computing architectures.
• Secure audit logging provides a reputation reporting system whose results and recommendations can be published as a service and verified by trusted third parties or by the cloud service providers themselves.
• Ranking criteria:– Performance– Quality of service measures– Security– Pricing
• RaaS provides verifiable and accountable compliance with service-level agreements and regulatory policies
• RaaS is implemented in a real cloud computing architecture using the VMware vSphere 4 cloud operating system.– Imposes minimal overhead on the overall system performance
AUB Department of Electrical and Computer Engineering
(1)
(3)
(2)
(6)
(9)
(11)
Cloud Provider
ApplicationServers
Cloud Customer
(1) Resource Query + Authentication Info. (2) Authenticate Query and Set t1
(3) Resource Query (4) Fetch Data from Cloud Storage (5) Requested Resource Data (6) Send Hash(Resource Data) (7) Set t2, Verify Hash (8) Authorization Signal (9) Send Resource Data to Customer (10) Send Hash(Resource Data) (11) Validate commitment hash (12) Generate Secure Log Entry
(8)
(10)
(4)
(5)
Cloud Storage Facility
(12)
(7)
The Bulk Data Fetch Protocol
AUB Department of Electrical and Computer Engineering
SNUAGE
• Platform-as-a-service security framework for building secure and scalable multi-layered services based on the cloud computing model.
• SNUAGE ensures the authenticity, integrity, and confidentiality of data communication over the network links by creating a set of security associations between the data-bound components on the presentation layer and their respective data sources on the data persistence layer.
• Implementation using Java and deployed and tested in a real cloud computing infrastructure using the Google App Engine service platform.
AUB Department of Electrical and Computer Engineering
BGP-Inspired Autonomic Service Routing for the Cloud
• ServBGP: a service routing protocol for managing service collaboration among cloud providers in cloud computing.
• Based on the policy-driven design of the well-known BGP Internet routing
• Autonomously manage the different aspects of service interaction and collaboration among service providers from service discovery and advertisement to service consumption and revocation.
• ServBGP routing decision engine is planned to operate by processing cost-bidding and QoS advertisement messages from the different cloud providers.
• Implemented on Google, Amazon, and Microsoft clouds
AUB Department of Electrical and Computer Engineering
CSP1
CSP2
CSP3
CSP6
CSP7
CSP4
CSP5
Cloud Customer
Service RequestIn
Service RequestOut
Service Router
SIB
RR
ServBGP Information Base
ServBGP Service Advertisment
Cloud Service Provider (CSP)
Service Router
Reputation Repository (RR)
Service Reputation Scores
ServBGP System Architecture
AUB Department of Electrical and Computer Engineering
Mobile Cloud Computing
Set of policy-driven security protocols for ensuring the confidentiality and integrity of enterprise data in mobile cloud computing environments.
Offloading the intensive asymmetric key agreement mechanisms from the mobile
Designing a customizable policy-based security architecture that considers the sensitivity of cloud data to provide multi-level and fine-grained data protection methodologies that suit the energy-limited mobile devices and the low-bandwidth wireless networks characterizing current mobile cloud computing models.
The system is implemented in a real cloud computing environment and the savings in terms of energy consumption and execution time are analyzed.
AUB Department of Electrical and Computer Engineering
VANETs, RFID, wireless sensor networks, body sensor networks
AUB Department of Electrical and Computer Engineering
Keyless Authentication of Position and Velocity for VANETs
AUB Department of Electrical and Computer Engineering
A Privacy-Preserving Trust Model for VANETs
A trust-based privacy-preserving model for VANETs. The model is unique in its ability to protect privacy
while maintaining accurate reputation-based trust. We use the notion of groups in order to make the
VANET users anonymous within their groups and yet identifiable and accountable to their group managers.
The use of groups simplifies the task of building reputation and calculating trust in the received messages in order to provide better and more confident decisions.
Simulations verify correctness and reliability
AUB Department of Electrical and Computer Engineering
A PUF-Based Ultra-Lightweight Mutual-Authentication RFID Protocol
A novel approach to achieve mutual authentication for ultra-lightweight tags is proposed using Physically Unclonable Functions (PUFs).
Provide robust security properties as well as good performance for limited tags
AUB Department of Electrical and Computer Engineering
TRACE: A Centralized Trust and Competence-Based Energy-Efficient Routing Scheme for Wireless Sensor Networks
Protect wireless sensor networks from various attacks and misbehaving nodes.
TRACE identifies different types of bad nodes that can affect the correct routing operation and the reliability of the message delivery to the sink base station.
Sink BS processes and validates the information received from the sensor nodes and calculates the maliciousness, competence, and cooperation levels of each node.
The sink BS calculates trust values for each. TRACE accounts for the energy requirements of the severely-
constrained network nodes by detecting and isolating the bad nodes while eliminating the power-consuming reputation inquiries and computations required by each node in a distributed approach.
AUB Department of Electrical and Computer Engineering
A Decentralized Energy-Aware Key Management Scheme for Wireless Sensor Networks
• WSN nodes are limited in terms of processing capabilities and battery life. – Encryption is usually avoided and the readings are sent in the clear. – Lightweight encryption techniques are proposed to overcome the limitations
of sensor nodes. • Identity-based encryption (IBE) that uses elliptic curve cryptography (ECC) seems to
be very promising in terms of energy efficiency. • We propose a novel decentralized IBE-based key management
scheme that reduces the energy by using multiple base stations.• The keys are pre-distributed in the WSN and refreshed at specific time
intervals. • The system ensures confidentiality of the messages and the
availability of WSN service even when multiple nodes and base stations are compromised, at a significant reduction in overall system energy.
AUB Department of Electrical and Computer Engineering
Security and Privacy in Body Sensor Networks
Study two main challenges in the body sensor network security and privacy context– Achieving the correct balance between the complexity
of the protocol security operations employed and the energy consumption they incur
– Attaining the right tradeoff between privacy and safety by utilizing the patient’s vital signals and other context-related information to minimize the amount of private data released
We present a blueprint body sensor network security framework
AUB Department of Electrical and Computer Engineering
Base Station
BSN Controller
Hospital Servers
Internet/Intranet
Wireless Link
Wired Link
Body Sensor Node
Typical Body Sensor Network Architecture
AUB Department of Electrical and Computer Engineering
Courses
AUB Department of Electrical and Computer Engineering
Graduate Courses Offered
Cryptography and Computer Security Internet Security Wireless Security Information Security Management Network and Computer Security
Laboratory
AUB Department of Electrical and Computer Engineering
Laboratory Description
This laboratory addresses advanced network and computer security topics. Experiments include the execution of attacks, the setup of intrusion detection and prevention, securing computers and wired and wireless networks, and digital forensics.
AUB Department of Electrical and Computer Engineering
Topics Covered
• Section 1 — Networking Basics - How do networks work?– Lab 1: Security Lab Setup and Networking Basics
• Section 2 — Vulnerabilities and Threats - How can networks be compromised?– Lab 2: Scanning and Enumerating the Network for Targets and Address Spoofing– Lab 3: Denial of Service Attacks and Network Applications Exploits– Lab 4: Malware Analysis and Botnets– Lab 5: Escalating Privilege – Sniffing, Keylogging, Password Cracking and Man in the
Middle Attacks– Lab 6: Security in Wireless Systems
• Section 3 — Prevention - How do we prevent harm to the networks?– Lab 7: Firewalls– Lab 8: Hardening the Host Computer and Securing Network Communications
• Section 4 — Detection and Response – How do we detect and respond to attacks?– Lab 9: Preparing for and Detecting Attacks– Lab 10: Identify and Mitigate Network Attacks– Lab 11: Digital Forensics
AUB Department of Electrical and Computer Engineering
Lab Overall Diagram
AUB Department of Electrical and Computer Engineering
Lab Group Diagram
AUB Department of Electrical and Computer Engineering
Cabinets
Juniper IPS
AUB Department of Electrical and Computer Engineering
Photos
AUB Department of Electrical and Computer Engineering
Photos
AUB Department of Electrical and Computer Engineering
Potential Uses
Customized training for industry Testing and benchmarking of equipment Vendor demonstrations Lab could potentially be virtualized to
duplicate at low cost
AUB Department of Electrical and Computer Engineering
ITU Resolutions Relevant to AUB Collaboration
ITU Plenipotentiary Resolution 130: Strengthening the role of ITU in building confidence and security in the use of information and communication technologies (Guadalajara, 2010)
ITU WTDC Resolution 45: Mechanisms for enhancing cooperation on cybersecurity, including combating spam (Hyderabad, 2010)
ITU WTDC Resolution 69: Creation of national computer incident response teams, particularly for developing countries, and cooperation between them (Hyderabad, 2010)
ITU WTSA Resolution 58: Encourage the creation of national computer incident response teams, particularly for developing countries (Johannesburg, 2008)
UN Resolutions 57/239 (2002) and 58/199 (2004): Creation of a global culture of cybersecurity and the protection of critical information infrastructures
AUB Department of Electrical and Computer Engineering
Potential Collaboration
Research projects Test lab for ITU-T standards conformance Contributions to standards (ITU-T SG17).
Several of the questions for Study Group 17 are areas of research at AUB
Organizing events (workshops, seminars) Capacity building and Awareness Help establish CERT (AUB Member of the
PAN Arab Cyber Security Observatory)