CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
Purdue University
Center for Education and Research in Information Assurance and Security

Reports and Papers Archive

Browse All Papers »       Submit A Paper »

Packet Filter Performance Monitor (Anti-DDoS Algorithm for Hybrid Topologies)

CERIAS TR 2016-4
Ibrahim M. Waziri, Jr.
Download: PDF

DDoS attacks are increasingly becoming a major problem. According to Arbor Networks, the largest DDoS attack reported by a respondent in 2015 was 500 Gbps. Hacker News stated that the largest DDoS attack as of March 2016 was over 600 Gbps, and the attack targeted the entire BBC website.

With this increasing frequency and threat, and the average DDoS attack duration at about 16 hours, we know for certain that DDoS attacks will not be going away anytime soon. Commercial companies are not effectively providing mitigation techniques against these attacks, considering that major corporations face the same challenges. Current security appliances are not strong enough to handle the overwhelming traffic that accompanies current DDoS attacks. There is also a limited research on solutions to mitigate DDoS attacks. Therefore, there is a need for a means of mitigating DDoS attacks in order to minimize downtime. One possible solution is for organizations to implement their own architectures that are meant to mitigate DDoS attacks.

In this dissertation, we presented and implemented an architecture that utilizes an activity monitor to change the states of firewalls based on their performance in a hybrid network. Both firewalls are connected inline. The monitor is mirrored to monitor the firewall states. The monitor reroutes traffic when one of the firewalls becomes overwhelmed due to a HTTP DDoS flooding attack. The monitor connects to the API of both firewalls. The communication between the firewalls and monitor is encrypted using AES, based on PyCrypto python implementation.

This dissertation is structured in three parts. The first part found the weakness of the hardware firewall and determined its threshold based on spike and endurance tests. This was achieved by flooding the hardware firewall with HTTP packets until the firewall became overwhelmed and unresponsive. The second part implements the same test as the first but targeted towards the virtual firewall. The same parameters, test factors, and determinants were used; however, a different load tester was utilized. The final part was the implementation and design of the firewall performance monitor.

The main goal of the dissertation is to minimize downtime when network firewalls are overwhelmed as a result of a DDoS attack.

Added 2016-08-02

Modeling Deception In Information Security As A Hypergame – A Primer

CERIAS TR 2016-5
Christopher Gutierrez, Mohammed Almeshekah, Eugene Spafford, Saurabh Bagchi, Jeff Avery, Paul Wood
Download: PDF

Hypergames are a branch of game theory used to model and analyze game theoretic conflicts between multiple players who may have misconceptions of the other players’ actions or preferences. They have been used to model military conflicts such as the Allied invasion of Normandy in 1945 [1], the fall of France in WWII [2], and the Cuban missile crisis [3]. Unlike traditional game theory models, hypergames give us the ability to model misperceptions that result from the use of deception, mimicry, and misinformation. In the security world, there is little work that shows how to use deception in a principled manner as a strategic defensive mechanism in computing systems. In this paper, we present how hypergames model deception in computer security conflicts. We discuss how hypergames can be used to model the interaction between adversaries and system defenders. We discuss a specific example of modeling a system where an insider adversary wishes to steal some confidential data from an enterprise and a security administrator is protecting the system. We show the advantages of incorporating deception as a defense mechanism.

[1] M. A. Takahashi, N. M. Fraser, and K. W. Hipel. A Procedure for Analyzing Hypergames. European Journal of Operational Research, 18:111–122, 1984

[2] P. G. Bennett and M. R. Dando. Complex Strategic Analysis: A Hypergame Study of the Fall of France. Journal of the Operational Research Society, 30(1):23–32, 1979.

[3] N. Fraser and K. Hipel. Conflict analysis: Models and Resolutions. North-Holland Series in System Science and Engineering. North-Holland, 1984.

Added 2016-07-25

Knowledge Modeling of Phishing Emails

CERIAS TR 2016-3
Courtney Falk
Download: PDF

This dissertation investigates whether or not malicious phishing emails are detected better when a meaningful representation of the email bodies is available.  The natural language processing theory of Ontological Semantics Technology is used for its ability to model the knowledge representation present in the email messages.  Known good and phishing emails were analyzed and their meaning representations fed into machine learning binary classifiers.  Unigram language models of the same emails were used as a baseline for comparing the performance of the meaningful data.  The end results show how a binary classifier trained on meaningful data is better at detecting phishing emails than a unigram language model binary classifier at least using some of the selected machine learning algorithms.

Added 2016-07-13

Gap Analysis Identifying the Current State of Information Security within Organizations Working with Victims of Violence

CERIAS TR 2016-2
Dr. Kelley Misata
Download: PDF

Around the world, domestic violence, human trafficking, and stalking affect millions of lives every day. According to a report published by the Center for Disease Control and Prevention in January 2015, every minute 20 people fall victim to physical violence perpetrated by an intimate partner in the United States (US). As offenders use advancements in technology to perpetuate abuse and isolate victims, the scale of services provided by crisis organizations must rise to meet the demand while keeping a close eye on potential digital security vulnerabilities. It has been reported in general media and research that phishing emails, social engineering attacks, denial of service attacks, and other data breaches are gaining popularity and affecting business environments of all sizes and in any sector, including organizations dedicated to working with victims of violence.

To address this, an exploratory research study to identify the current state of information security within the US-based non-profit crisis organizations was conducted. This study identified the gaps between a theoretical maximum level of information security and the observed level of information security in organizations working with victims of violence inspired by a recognized and respected framework, National Institute of Standards and Technology (NIST) Cybersecurity Framework. This research establishes the critical foundation for researchers, security professionals, technology companies, and crisis organizations to develop assessment tools, technology solutions, training curriculum, awareness programs, and other strategic initiatives specific to crisis organizations and other non-profit organizations to aid them in improving information security for themselves and the victims they serve.

Added 2016-07-11

The Ethics of Hacking Back

CERIAS TR 2016-01
Corey T. Holzer, James E. Lerums
Download: PDF

Cyber breaches are increasing in frequency and scope on a regular basis. The targeted systems include both commercial and governmental networks. As the threat of these breaches rises, the public sector and private industry seek solutions that stop to the ones responsible for the attacks. While all would agree that organizations have the right to protect their networks from these cyber-attacks, the options for defending networks are not quite as clear. Few would question that a passive defense (i.e. the filtering of traffic, rejecting packets based on the source, etc.) is well within the realm of options open to a defender. What active defensive measures are ethically available to the defenders when passive options fail to stop a persistent threat is not as clear.  This paper outlines the two (law enforcement and military) ethical frameworks commonly applied by cyber security professionals when considering the option of a cyber counter-offensive or “hacking back.” This examination includes current applicable literature in the fields of information security, international law, and information assurance ethics.

Added 2016-07-01

Semantic Detection of Phishing Email

Courtney Falk
Download: PDF

This work investigates whether or not the semantic representation of an email’s content is more useful than the surface features of the text in classifying an email as a phishing attack email or not.  A series of experiments were conducted using machine learning binary classifiers to measure the performance of the competing approaches.  The conclusion is that semantic information is just as good if not better in every case than text surface features.

Added 2016-04-20

Digital Forensics in Law Enforcement: A Needs Based Analysis of Indiana Agencies

CERIAS TR 2015-18
Teri A. Cummins Flory
Download: PDF

Cyber crime is a growing problem, with the impact to both businesses and individuals increasing exponentially, but the ability of law enforcement agencies to investigate and successfully prosecute criminals for these crimes is unclear. Many national needs assessments were conducted in the late 1990’s and early 2000’s by the Department of Justice (DOJ) and the National Institute of Justice (NIJ), which all indicated that state and local law enforcement did not have the training, tools, or staff to effectively conduct digital investigations (Institute for Security and Technology Studies [ISTS], 2002; NIJ, 2004). Additionally, there have been some studies conducted at the state level, however, to date, none have been conducted in Indiana (Gogolin & Jones, 2010). A quick search of the Internet located multiple training opportunities and publications that are available at no cost to state and local law enforcement, but it is not clear how many agencies use these resources (“State, Local, & Tribal” for FLETC, n.d.; https://www.ncfi. usss.gov). This study provided a current and localized assessment of the ability of Indiana law enforcement agencies to effectively investigate when a crime that involves digital evidence is alleged to have occurred, the availability of training for both law enforcement officers and prosecuting attorneys, and the ability of prosecuting attorneys to pursue and vii obtain convictions in cases involving digital evidence. Through an analysis of the survey responses by Indiana law enforcement agencies and prosecutors’ offices, it is evident that Indiana agencies have improved their ability to investigate crimes with digital evidence, with more than half with employees on staff who have attended a digital forensic training course within the past five years. However, a large majority of the agencies still perceive their abilities to investigate crimes with digital evidence in the mid-range or lower. The results support the recommendation that a comprehensive resource guide needs to be made available that the agencies can use to locate experts, obtain assistance with standard operating procedures, learn about free training courses, and find funding opportunities to increase their capabilities in investigating crimes involving digital evidence.

Added 2016-01-20

The Impact of Mobile Network Forensics Evidence on the Criminal Case Processing Performance in Macedonia: An Institutional Analysis Study

CERIAS TR 2015-17
Filipo Sharevski
Download: PDF

The purpose of this study was to explore the contribution of the localization data, network-management data, and content-of-communication data in the case processing performance in Macedonia. The mobile network forensics evidence was analyzed respective to the impact of the mobile network data variety, the mobile network data volume, and the forensic processing on the case disposition time. The results from this study indicate that the case disposition time is negatively correlated with the network- management data volume and positively correlated with the content-of-communication data volume. The relevance of the network-management data was recognized in the highly granular service behavior profile developed using larger number of records, while the relevance of the content-of-communication data was recognized in the substantial number of excerpts of intercepted communication. The results also reveal a difference in the case processing time for the cases where there is only localization or network- management data versus when they are combined with the content-of-communication data.

Added 2016-01-15

An Approach to Near Field Data Selection in Radio Frequency Identification

CERIAS TR 2015-16
Robert D. Winkworth
Download: PDF

Personal identification is needed in many civil activities, and the common identification cards, such as a driver’s license, have become the standard document de facto. Radio frequency identification has complicated this matter. Unlike their printed predecessors, contemporary RFID cards lack a practical way for users to control access to their individual fields of data. This leaves them more available to unauthorized parties, and more prone to abuse. Here, then was undertaken a means to test a novel RFID card technology that allows overlays to be used for reliable, reversible data access settings. Similar to other proposed switching mechanisms, it offers advantages that may greatly improve outcomes. RFID use is increasing in identity documents such as drivers’ licenses and passports, and with it concern over the theft of personal information, which can enable unauthorized tracking or fraud. Effort put into designing a strong foundation technology now may allow for widespread development on them later. In this dissertation, such a technology was designed and constructed, to drive the central thesis that selective detuning could serve as a feasible, reliable mechanism. The concept had been illustrated effective in limiting access to all fields simultaneously before, and was here effective in limiting access to specific fields selectively. A novel card was produced in familiar dimensions, with an intuitive interface by which users may conceal the visible print of the card to conceal the wireless emissions it allows. A discussion was included of similar technologies, involving capacitive switching, that could further improve the outcomes if such a product were put to large-scale commercial fabrication. xvi The card prototype was put to a battery of laboratory tests to measure the degree of independence between data fields and the reliability of the switching mechanism when used under realistically variable coverage, demonstrating statistically consistent performance in both. The success rate of RFID card read operations, which are already greater than 99.9%, were exceeded by the success rate of selection using the featured technology. With controls in place for the most influential factors related to card readability (namely the distance from the reader antennas and the orientation of the card antenna with respect to them), the card was shown to completely resist data acquisition from unauthorized fields while allowing unimpeded access to authorized fields, even after thousands of varied attempts. The effect was proven to be temporary and reversible. User intervention allowed for the switching to occur in a matter of seconds by sliding a conductive sleeve or applying tape to regions of the card. Strategies for widespread implementation were discussed, emphasizing factors that included cost, durability, size, simplicity, and familiarity, all of which arise in card management decisions for common state and national identification such as a driver’s license. The relationship between the card and external database systems was detailed, as no such identification document could function in isolation. A practical solution involving it will include details of how multiple fields will be written to the card and separated sufficiently in external databases so as to allow for user-directed selection of data field disclosure. Opportunities for implementation in corporate and academic environments were discussed, along with the ways in which this technology could invite further investigation.

Added 2015-11-20

ErsatzPasswords: Ending Password Cracking and Detecting Password Leakage

Mohammed H. Almeshekah, Christopher N. Gutierrez, Mikhail J. Atallah and Eugene H. Spafford

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications. When using the scheme the structure of the hashed passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatzpasswords — the “fake passwords”. When an attempt to login using these ersatzpasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical ac- cess to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

Added 2015-09-29

NFS Version 3 Design and Implementation

Brian Pawlowski, Chet Jusczak, Peter staubach, Carl Smith, Diane Lebel, David Hitz

This paper describes a new version of the Network File System (NFS) that supports access to files larger than 4GB and increases sequential write throughput seven fold when compared to unaccelerated NFS Version 2. NFS Version 3 maintains the stateless server design and simple crash recovery of NFS Version 2, and the philosophy of building a distributed file service from cooperating protocols. We describe the protocol and its implementation, and provide initial performance measurements. We then describe the implementation effort. Finally, we contrast this work with other distributed file systems and discuss future revisions of NFS.

Added 2015-09-11

The RC5 Encryption Algorithm

Ronald L. Rivest
Added 2015-09-11

Origin Tracking

Vandeursen, A; Klint, P; Tip, F

The notion of an ‘origin’ is introduced in the framework of conditional, not necessarily orthogonal, term rewriting systems. Origins are relations between subterms of intermediate terms which occur during rewriting, and subterms of the initial term. Original tracking is a method for incrementally computing origins during rewriting. Origins are a generalization of the well known concept of residuals (also called descendants). A formal definition of origins is given and a method for implementing them is presented. Origin tracking is a highly versatile technique when applied to the prototyping of algebraic specifications of programing languages. For example, origin tracking allows program execution to be visualized in a semi-automatic way, given an algebraic specification of the dynamic semantics of the programming language. Furthermore, various notions of breakpoints for generic debuggers can be defined without difficulty. Given a specification of the static semantics of a programming language, origin tracking enables, once an error (such as type-incompatability) has been detected, the position of the error in the source program to be inferred automatically.

Added 2015-09-11

DisARM: Mitigating Buffer Overflow Attacks on Embedded Devices

CERIAS TR 2015-15
Javid Habibi, Ajay Panicker, Aditi Gupta, and Elisa Bertino
Download: PDF

Security of embedded devices today is a critical requirement for the Internet of Things (IoT) as these devices will access sensitive information such as social security numbers and health records. This makes these devices a lucrative target for attacks exploiting vulnerabilities to inject malicious code or reuse existing code to alter the execution of their software. Existing defense techniques have major drawbacks such as requiring source code or symbolic debugging information, and high overhead, limiting their applicability. In this paper we propose a novel defense technique, DisARM, that protects against both code-injection and code-reuse based buffer overflow attacks by breaking the ability for attackers to manipulate the return address of a function. Our approach operates on arbitrary executable binaries and thus does not require compiler support. In addition it does not require user interactions and can thus be automatically applied. Our experimental results show that our approach incurs low overhead and significantly increases the level of security against both code-injection and code-reuse based attacks.

Added 2015-09-09