Research Problems in Information Assurance Talk for the second year DPS students Li-Chiou Chen Seidenberg School of Computer Science and Information Systems Pace University 03/15/08

Research Problems in Information Assurance

Talk for the second year DPS students

Li-Chiou Chen
Seidenberg School of Computer Science and Information Systems
Pace University
03/15/08

© Li-Chiou Chen, CSIS, Pace 2

Agenda

Past research projects in Internet-based attacks

Ongoing research projects in security usability & web security

Student research projects


Interdisciplinary study in information assurance

Technology domain: Security Technology

Problem domain: Social, Economic and Policy Issues

Research Methodology: Computational Modeling


Countermeasures for the propagation of computer viruses

Problem: What anti-virus strategy works better to slow down the propagation of a new computer virus?

Method: Simulate the spread of computer viruses and countermeasures using agent-based simulation
Run on 4 different theoretical network topologies and 2 different empirical network topologies
Compare five different strategies
Propose a new one – Countermeasure competing (CMC)

Past project - Computer viruses
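As an added illustration, not the author's simulator (whose five strategies and topologies are not detailed on the slides), a minimal agent-based race between a virus and a countermeasure on two constructed topologies, a hub-and-spoke network and a ring; the spread rules, the probabilities and the rule that the countermeasure also cures infected nodes are assumptions made for this example.

```python
import random

SUSCEPTIBLE, INFECTED, IMMUNE = "S", "I", "M"

def star_graph(n):
    """Constructed hub topology: node 0 is linked to every other node."""
    adj = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
    return adj

def ring_graph(n):
    """Constructed hubless topology: every node has exactly two neighbours."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}

def simulate(adj, virus_seed, cm_seed, p_virus, p_cm, steps, seed=0):
    """Synchronous agent-based race (assumed rules): each step an infected node infects every
    susceptible neighbour with probability p_virus, and an immune node pushes the countermeasure
    to every non-immune neighbour with probability p_cm, immunising susceptible nodes and curing
    infected ones; the countermeasure wins when both reach a node in the same step."""
    rng = random.Random(seed)
    state = {v: SUSCEPTIBLE for v in adj}
    state[virus_seed] = INFECTED
    state[cm_seed] = IMMUNE
    for _ in range(steps):
        nxt = dict(state)
        for v, s in state.items():
            if s == INFECTED:
                for u in adj[v]:
                    if state[u] == SUSCEPTIBLE and nxt[u] == SUSCEPTIBLE and rng.random() < p_virus:
                        nxt[u] = INFECTED
            elif s == IMMUNE:
                for u in adj[v]:
                    if state[u] != IMMUNE and rng.random() < p_cm:
                        nxt[u] = IMMUNE
        state = nxt
    counts = {SUSCEPTIBLE: 0, INFECTED: 0, IMMUNE: 0}
    for s in state.values():
        counts[s] += 1
    return counts

def compare_topologies(n=50, p_virus=0.3, p_cm=0.5, steps=10, seed=1):
    """Same race, countermeasure faster than the virus (the slide's winning condition), on a hub
    network and a ring; virus starts at node 1, countermeasure at node 0 (the star's hub)."""
    return {name: simulate(adj, 1, 0, p_virus, p_cm, steps, seed)
            for name, adj in (("star", star_graph(n)), ("ring", ring_graph(n)))}
```

Varying p_virus, p_cm and the seed in compare_topologies shows how much the hub helps the countermeasure relative to the ring.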


Results and further research issues

Results: countermeasure propagation over a network is more effective than the other strategies when
the network has a few highly connected nodes, like P2P networks
the rate of countermeasure propagation is faster than the rate of virus infection

Further research: How about zero-day worms? The same model can be used to discuss the diffusion of ideas, the diffusion of disease, etc.

Past project - Computer viruses


Distributed denial-of-service (DDOS) attacks and defenses

[Figure: DDOS attack scenario. Attack sources 1 and 2 sit at end user premises behind access points; the networks shown are a campus network, the Internet access provider's network, network providers 1 and 2 (interconnected through a NAP and a private peering point), and the content provider network (victim: www.yahoo.com).]

Past project - Distributed denial of service

A research framework for DDOS problems


Framework components (figure):
Characterization of DDOS Defenses
A Computational Tool for Simulating Attacks and Defenses
An Analysis on the Impact of Technology Uncertainty
An Analysis on Cooperation
An Analysis on the Economic Incentives
The Provision of DDOS Defenses

Research questions:
What are the technological variables?
What is the impact of the technological variables on performance efficiency?
What are the economic incentives of network providers?
What is the impact of cooperation on the economic incentives?

Past project - Distributed denial of service


Further research problems

Defenses for attacks against infrastructures, such as routers and DNS servers

Assessment of risk attitude of subscribers and providers, e.g., the premium that a subscriber would like to pay in order to avoid the risk of DDOS attacks

Procedures for determining a liability assignment

Past project - Distributed denial of service


Security usability of banking web sites

What is usability?

Problems:
Phishing: can users distinguish legitimate web sites from phishing web sites? A security usability problem of web interface design.
What is the status quo? What can we improve from here?

Ongoing project – Security Usability

How do you distinguish legitimate web sites from fake ones?

Ongoing project – Security Usability

Banking web site survey

Top 100 banks from the FDIC (Federal Deposit Insurance Corporation) Institution Directory Database

Examine the login page of each online banking web site

Three types of information:
Security indicators: HTTPS, padlock, security seal
Security certificate: common name, organization name, SSL version, cipher, validity
Site security information: security guide, phishing info, lock next to login

Tools: OpenSSL library, awk, Linux shell programs

Ongoing project – Security Usability

Confusing login interfaces

Company web site redirects to a secure server with a login page

SSL is negotiated after users enter user name and password

Popup windows for login

The little secure lock next to the login screen has a different meaning on different sites: some have no links, some link to security information, some change the interface to show security indicators, some connect to 3rd party certification

Ongoing project – Security Usability

Preliminary Results

Item | Number | Percentage of total servers surveyed
Banking secure servers surveyed | 80 |
Login page without certificate padlock and https | 19 | 24%
Popup window used for login | 3 | 4%
Invalid certificate | 1 | 1%
Bank name is inconsistent with subject name | 11 | 14%
  of which: outsourcing | 6 | 8%
  of which: bank holding company name | 5 | 6%

Ongoing project – Security Usability

Cipher exchanged is not always the most secure one

Cipher Suite | Number of Servers | Percentage of the total servers surveyed
AES256-SHA | 13 | 16%
DES-CBC3-SHA | 4 | 5%
DHE-RSA-AES256-SHA | 6 | 8%
RC4-MD5 | 51 | 64%
RC4-SHA | 6 | 8%
Total | 80 | 100%

Ongoing project – Security Usability

A long validity period might give a certificate a longer window in which to be exploited

Validity duration | Number | Percentage
< 2 years | 56 | 70%
>= 2 years but < 3 years | 20 | 25%
>= 3 years (3 of them are between 3 and 4 years and one is 5 years) | 4 | 5%
Total | 80 | 100%

Ongoing project – Security Usability
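The survey's certificate checks, as an added example that is not the original project's openssl/awk/shell scripts: it parses constructed records shaped like 2008-era `openssl s_client` and `openssl x509 -noout -subject -dates` output (subject line, negotiated cipher, notBefore/notAfter) and applies the criteria from the tables above, bank name versus subject name, cipher suite and validity bucket; the legacy-cipher set, the generic-word list and the sample records are assumptions.

```python
import re
from datetime import datetime
# Constructed records shaped like 2008-era `openssl s_client` / `openssl x509 -noout -subject -dates` output
SAMPLE_RECORDS = {
    "Example Bank": """subject=/C=US/ST=New York/O=Example Bank N.A./CN=secure.examplebank.com
    Cipher    : RC4-MD5
notBefore=Mar  1 00:00:00 2007 GMT
notAfter=Mar  1 23:59:59 2010 GMT""",
    "First Metro Bank": """subject=/C=US/O=Outsourced Banking Services Inc/CN=online.obs-hosting.example
    Cipher    : AES256-SHA
notBefore=Jun 15 00:00:00 2007 GMT
notAfter=Jun 14 23:59:59 2008 GMT""",
}
LEGACY_CIPHERS = {"RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"}  # assumption: editor's view of the surveyed suites
GENERIC_WORDS = {"bank", "bancorp", "national", "trust", "company", "inc", "of", "the", "and"}

def _field(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def _parse_date(s):
    # OpenSSL prints a double space before single-digit days; collapse it before strptime
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z")

def parse_record(text):
    subject = _field(r"^subject=(.*)$", text) or ""
    span = _parse_date(_field(r"^notAfter=(.*)$", text)) - _parse_date(_field(r"^notBefore=(.*)$", text))
    return {"cn": _field(r"/CN=([^/]+)", subject), "org": _field(r"/O=([^/]+)", subject),
            "cipher": _field(r"^\s*Cipher\s*:\s*(.*)$", text), "validity_years": span.days / 365.25}

def validity_bucket(years):
    # the three buckets of the slide's validity table
    return "<2 years" if years < 2 else ("2-3 years" if years < 3 else ">=3 years")

def name_consistent(bank_name, rec):
    """True when a distinctive word of the bank's name appears in the certificate's CN or O."""
    words = set(re.findall(r"[a-z]+", bank_name.lower())) - GENERIC_WORDS
    haystack = f"{rec['cn']} {rec['org']}".lower()
    return any(w in haystack for w in words)

def survey(records=SAMPLE_RECORDS):
    """Apply the slide's checks to every record: name consistency, legacy cipher, validity bucket."""
    rows = {}
    for bank, text in records.items():
        rec = parse_record(text)
        rec["name_consistent"] = name_consistent(bank, rec)
        rec["legacy_cipher"] = rec["cipher"] in LEGACY_CIPHERS
        rec["validity_bucket"] = validity_bucket(rec["validity_years"])
        rows[bank] = rec
    return rows
```

The second constructed record reproduces the outsourcing case from the results table: the certificate belongs to a hosting company, so a check that matches the bank's name against the subject fails.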

Implications
Invalid security certificates: should not be there; they defeat anti-phishing tools
SSL connection established after the user enters username and password: no way to verify security indicators before login
Domain name inconsistent with brand name: 3rd party secure servers; a domain name checking strategy fails
Confusing security indicators: multiple indicators, etc.
Confusing security information: consumers do not know which one to follow or look at
Confusing login visual interface design: popup windows; may suffer visual deception attacks
Industry common practice does not reflect the best available technology: vulnerabilities in the older versions

Ongoing project – Security Usability

Further research problems

Align consumer trust and security on the web

Security usability scanner

Solve phishing problems from a risk management perspective: where should government put money and resources? Risk identification, reduction, or mitigation

Ongoing project – Security Usability


Student Research Projects

Joseph Acampora – MS in IS: XML-DNR: A Bandwidth-Saving Technique for Distributed Intrusion Detection Systems

Yosef Lehrman – MS in IT: Client-side solutions for phishing prevention

Konrad Koenig: Analyzing access control policies of banking data using Secure UML

Alex Tsekhansky – DPS: Byzantine fault tolerant DNS for networks with limited PKI infrastructure

Student projects