Computer Sciences Dept.

Computer Security and Cryptography Seminar:
September 2004 Events

Date & Location: Monday, September 27, 2004, 4:00 - 5:00 PM, 2310 CS
Speaker: Wenke Lee, College of Computing, Georgia Institute of Technology
Title: Architectural Considerations for Anomaly Detection

The most commonly used intrusion detection system (IDS) performance metrics are detection rate and false alarm rate. From a usability point of view, a very important measurement is the Bayesian detection rate, which indicates how likely it is that there is an intrusion when the IDS outputs an alert. It depends on the detection rate, the false alarm rate, and the base rate, which is the prior probability of intrusion. Typically, an anomaly detection system has a low Bayesian detection rate because it has a non-zero false alarm rate and the base rate is very low.

We argue that we need a better system architecture to improve the Bayesian detection rate. The main objective is to increase the base rate of the data stream analyzed by complex detection modules. The general principle is to use a layered architecture.

One approach is to use a cascade of successively more complex detection modules. We show that the base rate increases from one layer to the next. In many cases, the overall false alarm rate of the cascade can be very low. We describe a worm detection system with a cascade architecture. In DSC, the lower layer module identifies hosts with "infection-like" behavior and the higher layer module detects anomalous outgoing connection behavior of these hosts. Our (limited) experiments showed that DSC can detect fast scanning worms with a zero false positive rate and thus a 100% Bayesian detection rate.

Another approach is to deploy multiple simple or low-level sensors and correlate the observations or alerts from these sensors. HoneyStat is a worm detection system with such an architecture. In HoneyStat, each low-level sensor detects "interesting" events in a honey pot. The correlation module uses logistic analysis on the event data to detect worms. We show that by deploying a sufficient number of low-level sensors, HoneyStat can reliably detect worms.
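An added illustration of the cascade argument above (this is not code from the talk or from DSC; the rates are constructed numbers): each layer passes on only the events it flags, so the base rate seen by the next layer is the previous layer's Bayesian detection rate, and the cascade's Bayesian detection rate rises accordingly.

```python
# Added example: how a cascade of detection layers raises the base rate seen by
# later layers and therefore the Bayesian detection rate. All rates below are
# constructed for illustration, not measurements from DSC or HoneyStat.

def bayesian_detection_rate(detection_rate, false_alarm_rate, base_rate):
    """P(intrusion | alert) by Bayes' rule: the fraction of alerts that are true."""
    true_alerts = detection_rate * base_rate
    false_alerts = false_alarm_rate * (1.0 - base_rate)
    if true_alerts + false_alerts == 0.0:
        return 0.0  # the detector never alerts, so the quantity is undefined
    return true_alerts / (true_alerts + false_alerts)


def cascade(layers, base_rate):
    """Feed only the events flagged by layer i into layer i+1.

    `layers` is a list of (detection_rate, false_alarm_rate) tuples, assumed
    to behave independently. Returns the base rate at the input of each layer
    and the overall detection, false alarm and Bayesian detection rates.
    """
    base_rates = [base_rate]
    overall_dr, overall_far = 1.0, 1.0
    current_base = base_rate
    for dr, far in layers:
        overall_dr *= dr    # an intrusion must be caught by every layer
        overall_far *= far  # a benign event must fool every layer
        # What layer i passes on is exactly its alerts, so the next layer's
        # base rate is this layer's Bayesian detection rate.
        current_base = bayesian_detection_rate(dr, far, current_base)
        base_rates.append(current_base)
    return {
        "base_rates": base_rates,
        "detection_rate": overall_dr,
        "false_alarm_rate": overall_far,
        "bayesian_detection_rate": bayesian_detection_rate(
            overall_dr, overall_far, base_rate),
    }


if __name__ == "__main__":
    BASE = 1e-5  # constructed: one intrusion-related event per 100,000
    single = bayesian_detection_rate(0.99, 0.01, BASE)
    print(f"single anomaly detector: P(intrusion|alert) = {single:.4f}")
    result = cascade([(0.99, 0.01), (0.95, 0.01)], BASE)
    for i, b in enumerate(result["base_rates"]):
        print(f"base rate at input of layer {i}: {b:.2e}")
    print(f"two-layer cascade: P(intrusion|alert) = "
          f"{result['bayesian_detection_rate']:.4f}")
```

With the constructed rates, a single detector with 99% detection and 1% false alarms yields roughly 0.1% Bayesian detection rate at a base rate of 1e-5, while the two-layer cascade yields roughly 8.6%; a layer with a zero false alarm rate gives 100%, as the abstract states for DSC.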

Cookies will be served at 3:30 PM in 2310 CS.

Date & Location: Wednesday, September 29, 2004, 2:00 - 3:00 PM, 2310 CS
Speaker: Patrick McDaniel, Computer Science and Engineering Department, Penn State University
Title: Origin Authentication in Interdomain Routing

Attacks against Internet routing are increasing in number and severity. A central limitation of the current network infrastructure is the absence of meaningful origin authentication: there is no way to validate if an entity using an address has the right to do so. This vulnerability is not only a conduit for malicious behavior, but indirectly allows seemingly inconsequential misconfigurations to disrupt large portions of the Internet. This talk discusses the semantics, design, and costs of origin authentication in interdomain routing. A formalization of address usage and delegation is presented and broad classes of cryptographic proof systems appropriate for origin authentication are considered.

The costs of origin authentication are largely determined by the form and stability of the served address space. However, prior to this work, little was known about the relevant characteristics of address use on the Internet. Developed from collected interdomain routing data and presented in this talk, our approximate delegation hierarchy shows that current IP address delegation is dense and relatively static. One notable result shows that as few as 16 entities are the source of 80% of the delegation on the Internet. We further show via simulation that these features can be exploited to efficiently implement Internet-scale origin authentication. The talk concludes with an overview of several ongoing efforts in routing security.

Bio
Patrick McDaniel is the Hartz Family Career Development Professor in the Computer Science and Engineering Department at the Pennsylvania State University. Prior to joining Penn State in the fall of 2004, Patrick was a senior technical staff member of the Secure Systems Group at and Adjunct Professor of the Stern School of Business at New York University. Patrick's recent research efforts have focused on security management in distributed systems, network security, and public policy and technical issues in digital media. Patrick is a past recipient of the NASA Kennedy Space Center fellowship, a frequent contributor to the IETF security standards, and has authored many papers and book chapters in various areas of systems security.

Cookies will be served at 1:30 PM in 2310 CS.


Created and maintained by Mihai Christodorescu (http://www.cs.wisc.edu/~mihai)
Created: Wed Aug 13 10:30:10 CDT 2003
Last modified: Fri Feb 27 14:17:36 Central Standard Time 2004