Presentations - Gondwana: Towards Quantitative Security Metrics

Understanding Network Traffic through Lightweight Hierarchical Clustering
- Speaker: Anil Somayaji (Assistant Professor, Carleton University)
- Date and time: January 31, 2008, 11:30 AM - 12:20 PM
- Location: École Polytechnique de Montréal (Pavillon Lassonde, L-4812)
(The talk was videoconferenced at Dalhousie University)
- Abstract:
Modern computer networks are extremely difficult
to understand. Complex protocols, massive traffic volumes, and
adversarial relationships together produce systems that even experts
struggle to comprehend. System administrators, however, need to monitor
their networks in order to diagnose problems, detect security
violations, and make plans for future upgrades. To aid in such
work, we have been studying the question of how to produce a
"high-level" view of network traffic that reflects the dynamic patterns
of real usage.
One promising strategy is that of unsupervised clustering. By
providing larger-scale aggregates for analysis, unsupervised clustering
approaches can greatly aid in the identification of new applications,
attacks, and other changes in network usage patterns. The
computational complexity of standard clustering algorithms, however,
makes them unsuitable for real-time analysis of networks.
ADHIC is a new algorithm we've developed for clustering network
traffic. ADHIC does not rely upon prior knowledge of protocol
structures; instead, packet similarity is determined through
comparisons of substrings within packets at distinguishing
offsets. ADHIC produces a hierarchical decomposition of network
traffic incrementally and at wire speeds. Potential applications of
ADHIC include network performance analysis, real-time alerts of flash
crowds, and dynamic DoS-resistant bandwidth management.
NetADHICT, our implementation of ADHIC, is licensed under the GNU GPL
and is available for download from http://www.ccsl.carleton.ca/software.
A Broad Empirical Study of IT Security Practitioners
- Speakers: Kosta Beznosov (Assistant Professor, University of British Columbia) &
Pooya Jaferian (Ph.D. Student, University of British Columbia)
- Date and time: February 21, 2008, 1:30 - 3:00 PM
- Location: École Polytechnique de Montréal (Pavillon Principal, B-529)
(The talk was videoconferenced at Dalhousie University)
- Abstract:
Security of information technology (IT) has
become a critical issue for organizations as they must protect their
information assets from unauthorized access and quickly resume business
activities after a security breach. In order for technological
solutions to provide effective support to IT security practitioners,
tool developers need to understand better not only the technical, but
also the human and organizational dimensions of IT security. To date,
there is little empirical evidence about how human, organizational, and
technological factors impact the processes of managing IT security.
Moreover, little is known about the responsibilities and roles of
security practitioners or the effectiveness of their tools and security
management practices. The Human, Organization, and Technology Centred
Improvement of IT Security Administration (HOT Admin) research project
is working to fill this gap.
We use qualitative methods to study experiences of IT security
practitioners along several themes including: unique characteristics of
IT security vs. general IT, the challenges the security professionals
face within the organization, their activities and interactions, what
makes them err, and the impact of the organizational security
management models that structure their work. We present preliminary
results for each theme, as well as the implications of these results on
tool development and research.
Host and Subnet Behaviours: Visualization for Measurement and Insight
- Speaker: John McHugh (Professor, Dalhousie University)
- Date and time: March 5, 2008
- Location: University of Victoria
(The talk was videoconferenced at École Polytechnique de Montréal)
- Abstract:
A few years ago, I was fortunate enough to have access
to netflow border data from the boundaries between a very large (but
segmented) network and the internet as a whole. This is effectively a
very large network telescope. One of the interesting things about data
of this sort is that it is possible to work at scales that range from
single digit percentages of the IPv4 address space to individual hosts.
In optical terms, this is equivalent to having a zoom lens with about a
100 million to one zoom ratio looking inward and a 4 billion to one
ratio looking outward (but the outward sky is partly cloudy, so we only
see sources that shine through the openings). More recently, my
students and I have been analyzing data from smaller networks and we
have had the good fortune to look at a small network that has had an
interesting set of compromises. From our previous work, we have
hypothesized that certain types of visualizations would be useful in
understanding the behaviors of individual hosts, as well as subnetworks
and have been developing some tools that aid in this understanding. In
addition, we also discovered evidence of an emergent phenomenon that
can only be seen at the full aperture of the outward looking telescope.
In this talk, I will discuss the relationship between our
visualizations and the measurements that they enable. While, in
principle, it would be possible to achieve these results without the
visual component, we claim that using the visualizations helps to
direct the quantitative measurements and analyses and improves the
efficiency and effectiveness of the analyst.
Tradeoffs in Retrofitting Security: An Experience Report
- Speaker: Mark Miller (Research scientist, Google Research)
- Date and time: April 3, 2008 - 15h Eastern Time
- Location: École Polytechnique de Montréal (Pavillon Principal, B-529)
(The talk was videoconferenced at Dalhousie University and University of Victoria)
- Abstract:
In 1973, John Reynolds' and James Morris' Gedanken
Language retrofitted object-capability security into an Algol-like base
language. Today, there are active projects retrofitting Java,
Javascript, Python, Mozart/Oz, OCaml, Perl, and Pict. These represent a
variety of approaches, with different tradeoffs regarding legacy
compatibility, safety, and expressivity. In this talk I propose a
taxonomy of these approaches, and discuss some of the lessons learned
to date. I will also demo CapDesk, a proof of concept of a virus-safe
desktop, applying object-capability principles at the user interface
level.
Covertly tracking malfeasance on the Net: challenges, pitfalls, and new threats
- Speaker: Fabian Monrose (Associate Professor, Johns Hopkins University)
- Date and time: April 10, 2008 - 11h30 Eastern Time
- Location: École Polytechnique de Montréal (Pavillon Principal, B-529)
(The talk was videoconferenced at Dalhousie University and University of Victoria)
- Abstract:
While the academic community has long acknowledged the existence of
various forms of malware, relatively little is known about the
distributed platforms being used to support illicit activities on the
Web. For instance, even today, botnet prevalence remains somewhat of a
mystery. In this talk, I will present our efforts to better understand
several aspects of the malware problem by using a multifaceted and
distributed measurement platform that we deployed over the last one
and a half years. In particular, I will discuss techniques we applied
in order to infiltrate and covertly track several hundred (IRC)
botnets. Our results highlight challenges and limitations with current
practices to curtail the botnet problem, and uncover a number of
frustrating issues with determining botnet membership. Time
permitting, I will also highlight our ongoing efforts to study an
emerging, and more troubling, threat, namely, the use of "drive-by
downloads" as a mechanism for infecting vulnerable hosts. Our
analysis of billions of URLs shows that drive-by downloads pose a
significant threat to the health of the Internet.