The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive

Crowds: Anonymity for Web Transactions

Michael K. Reiter, Aviel D. Rubin

In this paper we introduce a system called Crowds for protecting users' anonymity on the World Wide Web.  Crowds, named for the notion of "blending into a crowd", operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members.  Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another.  We describe the design, implementation, security, performance, and scalability of our system.  Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties.
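
The abstract above does not spell out the forwarding rule or the "probable innocence" degree of anonymity that the paper's security analysis rests on. The following is an added example, not code from the paper or from the Crowds implementation: it encodes the paper's model (an initiating member forwards to a uniformly random crowd member, every receiving member forwards again with probability p_f and otherwise submits the request to the server, and c of the n members collaborate), derives the closed-form probability that the member seen by the first collaborator on a path is the real initiator, and checks it with a seeded Monte Carlo walk. The value p_f = 0.75 and the member numbering are assumptions chosen for the example.

```python
import math
import random

# Added illustration of the Crowds path mechanism and of "probable innocence".
# Assumed model (taken from the paper's design, not stated in the abstract):
#   - the initiator forwards to a member chosen uniformly from all n members,
#     itself included;
#   - each receiving member forwards to another uniformly random member with
#     probability p_f, and otherwise submits the request to the web server;
#   - c of the n members collaborate; the first collaborator on a path learns
#     only which member handed it the request (its "predecessor").


def p_predecessor_is_initiator(n: int, c: int, p_f: float) -> float:
    """P(predecessor of the first collaborator is the initiator | some
    collaborator is on the path).  With the model above this is
    1 - p_f * (n - c - 1) / n: the first hop reaches a collaborator with
    probability c/n (predecessor is the initiator for sure); any later hop
    reaching a collaborator has a uniformly random honest predecessor."""
    assert 0 < c < n and 0.5 < p_f < 1.0
    return 1.0 - p_f * (n - c - 1) / n


def min_crowd_size_for_probable_innocence(c: int, p_f: float) -> int:
    """Smallest n for which the probability above is at most 1/2, i.e. the
    initiator appears no more likely than not to be the sender:
    n >= p_f / (p_f - 1/2) * (c + 1)."""
    assert 0.5 < p_f < 1.0
    return math.ceil(p_f / (p_f - 0.5) * (c + 1))


def simulate_path(n: int, c: int, p_f: float, rng: random.Random):
    """Walk one request through the crowd.  Member 0 initiates; members
    n-c .. n-1 collaborate.  Returns (hit_collaborator, predecessor_was_initiator)."""
    initiator = 0
    current = initiator
    while True:
        nxt = rng.randrange(n)          # initiator, and every forwarder, picks uniformly
        if nxt >= n - c:                # first collaborator on the path: it sees `current`
            return True, current == initiator
        current = nxt
        if rng.random() >= p_f:         # honest member submits to the server instead
            return False, False


def estimate_exposure(n: int, c: int, p_f: float, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of p_predecessor_is_initiator(n, c, p_f)."""
    rng = random.Random(seed)
    hits = exposed = 0
    for _ in range(trials):
        hit, exp = simulate_path(n, c, p_f, rng)
        if hit:
            hits += 1
            exposed += int(exp)
    return exposed / hits if hits else float("nan")


if __name__ == "__main__":
    p_f = 0.75
    for c in (1, 3, 10):
        n = min_crowd_size_for_probable_innocence(c, p_f)
        print(f"c={c:2d} collaborators: n>={n} gives P(I|H1+)="
              f"{p_predecessor_is_initiator(n, c, p_f):.3f}, "
              f"simulated {estimate_exposure(n, c, p_f):.3f}")
```

The run shows the trade-off the paper's analysis formalises: raising p_f lengthens paths (more latency) but lets a smaller crowd tolerate the same number of collaborators, and once the crowd is smaller than the bound the first collaborator's predecessor is more likely than not the real sender.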

Added 2004-03-31

Building Firewalls with OpenBSD and PF

Jacek Artymiak

The first and only print publication devoted solely to the subject of the pf packet filter used in OpenBSD, FreeBSD, and NetBSD operating systems.

Written by Jacek Artymiak, a frequent contributor to ONLamp.com, the book covers firewall design, ruleset syntax, packet normalization (scrubbing), packet redirection (masquerading), packet filtering, bandwidth management (ALTQ), load balancing, and more.

Added 2004-03-23

Resilient Rights Protection for Sensor Streams

CERIAS TR 2004-05
Radu Sion, Mike Atallah, Sunil Prabhakar
Download: PDF

Today’s world of increasingly dynamic computing environments naturally results in more and more data being available as fast streams. Applications such as stock market analysis, environmental sensing, web clicks and intrusion detection are just a few of the examples where valuable data is streamed to its consumer.  Often, streaming information is offered on the basis of a non-exclusive, single-use customer license. One major concern, especially given the digital nature of the valuable stream, is the ability to easily record and potentially “re-play” parts of it in the future. If there is value associated with such future re-plays, it could constitute enough incentive for a malicious customer (Mallory) to duplicate segments of such recorded data, subsequently re-selling them for profit. Being able to protect against such infringements becomes a necessity.

In this paper we introduce the issue of rights protection for streaming data through watermarking. This is a novel problem with many associated challenges including: the inability to perform multiple-pass random accesses to the entire data set, the requirement to be fast enough to keep up with the incoming stream rate, to survive instances of extreme sparse sampling and summarizations, while at the same time keeping data alterations within allowable bounds.  We propose a solution and analyze its resilience to various types of attacks as well as some of the important expected domain-specific transforms, such as sampling and summarization. We implement a proof of concept software (wms.*) for the proposed solution and perform experiments on real sensor data to assess these resilience levels in practice. Our method proves to be well suited for this new domain. For example, we can recover an over 97% confidence watermark from a sampled (e.g. less than 8%) stream.  Similarly, our encoding ensures survival to stream summarization (e.g. 20%) and random alteration attacks with very high confidence levels, often above 99%.

Added 2004-02-26

The Design and Analysis of Graphical Passwords

Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, Aviel D. Rubin

In this paper we propose and evaluate new graphical password schemes that exploit features of graphical input displays to achieve better security than text-based passwords.  Graphical input devices enable the user to decouple the position of inputs from the temporal order in which those inputs occur, and we show that this decoupling can be used to generate password schemes with substantially larger password spaces.  In order to evaluate the security of one of our schemes, we devise a novel way to capture a subset of the "memorable" passwords that, we believe, is itself a contribution.  In this work we are primarily motivated by devices such as personal digital assistants (PDAs) that offer graphical input capabilities via a stylus, and we describe our prototype implementation of one of our password schemes on such a PDA, namely the Palm Pilot.

Added 2004-02-09

X-GTRBAC Admin: A Decentralized Administration Model for Enterprise Wide Access Control

CERIAS TR 2004-04
Rafae Bhatti, James B. D. Joshi, Elisa Bertino, Arif Ghafoor
Download: PDF

Access control in enterprises is a key research area in the realm of Computer Security because of the unique needs of the target enterprise. As the enterprise typically has large user and resource pools, administering the access control based on any framework can in itself be a daunting task. This work presents X-GTRBAC Admin, an administration model that aims at enabling policy administration within a large enterprise. First, it simplifies the process of user-to-role and permission-to-role assignments, and thus allows decentralization of the policy administration tasks. Second, it allows the domain of authority of each system administrator to be specified, and hence provides a mechanism to distribute administrative authority over multiple domains within the enterprise. The paper also illustrates the applicability of the administrative concepts presented in our framework for enterprise-wide access control.

Added 2004-01-26

RTML: A Role-based Trust-management Markup Language

CERIAS TR 2004-03
Ninghui Li, John C. Mitchell, William H. Winsborough, Kent E. Seamons, Michael Halcrow, and Jared Jacobson
Download: PDF

We present RTML version 1, a Role-based Trust-management Markup Language, which is an XML-based data representation of the RT framework. RTML extends the original design of RT, adding the following features: new data types to encode permissions involving structured resources and ranges, restrictive inheritance of roles for flexible refinement of permissions, and notions of identity roles and identity-based roles to address the issue of enforcing Separation of Duty policies when a physical user holds multiple keys.

RTML enables the deployment of the RT framework. Compared with systems like SPKI/SDSI and KeyNote, it has the following distinguishing features. RTML is designed with a logic-based semantic foundation. RTML directly addresses the issue of vocabulary agreement and uses strongly typed credentials, helping to reduce potential errors in writing credentials and unintended interactions among credentials. RTML supports more flexible delegation, including the ability to delegate to principals that have certain properties and to control the scope of a delegation. RTML also supports Separation of Duty in a more expressive way.

Added 2004-01-23

Implementing the Hypercube Quadratic Sieve with Two Large Primes

CERIAS TR 2004-01
Brian Carrier and Samuel S. Wagstaff, Jr.
Download: PDF

An implementation of the title program is described.  It was used to factor many integers with up to 135 digits. Our program is much faster than the (non-hypercube) multiple polynomial quadratic sieve with two large primes.

Added 2004-01-22

Trust, Privacy, and Security. Summary of a Workshop Breakout Session at the National Science Foundation Information and Data Management (IDM) Workshop held in Seattle, Washington, September 14 - 16, 2003.

CERIAS TR 2003-34
Bharat Bhargava, Csilla Farkas, Leszek Lilien, and Fillia Makedon
Download: PDF

This report summarizes a Workshop Breakout Session on trust, privacy, and security moderated by B. Bhargava, and held at the NSF IDM Workshop in Seattle, Washington, September 14 - 16, 2003.

Added 2004-01-21

Defining and Modeling Digital Evidence Using Data Flows

CERIAS TR 2004-02
Brian Carrier & Eugene H. Spafford
Download: PDF
Added 2004-01-21

Collaborative Intrusion Detection System (CIDS): A Framework for Accurate and Efficient IDS

CERIAS TR 2003-33
Yu-Sung Wu and Bingrui Foo and Yongguo Mei and Saurabh Bagchi
Download: PDF

In this paper, we present the design and implementation of a Collaborative Intrusion Detection System (CIDS) for accurate and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at the different layers

Added 2003-12-18

ADEPTS: Adaptive Intrusion Containment and Response using Attack Graphs in an E-commerce Environment

CERIAS TR 2003-32
Yu-Sung Wu, Bingrui Foo, Blake Matheny, Tyler Olsen, Saurabh Bagchi
Download: PDF

Distributed e-commerce systems are suitable targets for malicious attacks because of the potential financial impact. Intrusion detection in such systems has been an active area of research. Once an intrusion is detected, it is important to contain the effect of the intrusion to some parts of the system while allowing the other parts to continue to provide service. It is also important to take preventive or reactive responses to reduce the likelihood of the system being compromised through a future attack. In this paper, we present the design and implementation of an Adaptive Intrusion Tolerant System, ADEPTS, for automatically containing and responding to intrusions in a distributed e-commerce system. We use a directed acyclic graph of intrusion goals (I-DAG) as the underlying representation in the system. In an I-DAG, the nodes are sub-goals of an attack, and to reach a particular node, the goals corresponding to its child nodes have to be achieved first. We assume an intrusion detection framework which provides alerts to ADEPTS. In response, a parallel algorithm is executed to compute the likelihood that one or more goals in the I-DAG have been achieved. Next, a response measure computation algorithm is executed to determine the appropriate response action. There is also a feedback mechanism which estimates the success or failure of a deployed response and uses that in adjusting the system weights to guide future choices. ADEPTS is implemented on a distributed e-commerce system that comprises a web server, an application server, a database server and a directory server. Alerts corresponding to different attack types are simulated, the algorithms are executed and response actions are deployed. The experiments bring out the latency of the infrastructure, and the effectiveness in dealing with failed responses through escalation compared to statically mapped Intrusion Response Systems (IRS).
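
To make the I-DAG idea concrete, the following is an added, simplified illustration and not the ADEPTS algorithm itself: the goal names, the alert confidences, the rule that a goal's likelihood is the minimum of its own detector confidence and its children's likelihoods, and the ordered escalation lists are all assumptions made up for this example. It shows the property the abstract describes, that a parent goal cannot be considered achieved unless every child sub-goal is, and how a failed response is escalated to the next one on a goal's list.

```python
from typing import Dict, List, Optional, Set

# Constructed I-DAG (example data, not from the paper): each goal maps to the
# sub-goals that must be achieved before the attacker can reach it.
IDAG: Dict[str, List[str]] = {
    "exfiltrate_customer_db": ["compromise_app_server", "obtain_db_credentials"],
    "obtain_db_credentials": ["compromise_app_server"],
    "compromise_app_server": ["compromise_web_server"],
    "compromise_web_server": [],
}

# Hypothetical ordered response lists per goal, least to most disruptive; a
# failed response is escalated to the next entry.
RESPONSES: Dict[str, List[str]] = {
    "compromise_web_server": ["reload_web_config", "restart_web_server", "firewall_block_source"],
    "compromise_app_server": ["rotate_app_session_keys", "restart_app_server", "isolate_app_host"],
    "obtain_db_credentials": ["rotate_db_credentials", "revoke_app_db_account"],
    "exfiltrate_customer_db": ["rate_limit_db_egress", "cut_db_network"],
}


def goal_likelihoods(dag: Dict[str, List[str]], alert_confidence: Dict[str, float]) -> Dict[str, float]:
    """Likelihood that each goal has been achieved.

    Assumed combination rule: likelihood(g) = min(own alert confidence,
    likelihood of every child).  A goal with no alert has confidence 0, and the
    min() propagates that upward, so a parent is never scored above a child."""
    memo: Dict[str, float] = {}

    def visit(goal: str, on_path: Set[str]) -> float:
        if goal in memo:
            return memo[goal]
        if goal in on_path:
            raise ValueError(f"cycle through {goal}: an I-DAG must be acyclic")
        on_path.add(goal)
        value = alert_confidence.get(goal, 0.0)
        for child in dag[goal]:
            value = min(value, visit(child, on_path))
        on_path.discard(goal)
        memo[goal] = value
        return value

    for goal in dag:
        visit(goal, set())
    return memo


def achieved_goals(dag: Dict[str, List[str]], alert_confidence: Dict[str, float],
                   threshold: float = 0.6) -> List[str]:
    """Goals whose likelihood meets the (assumed) threshold, sorted by name."""
    return sorted(g for g, v in goal_likelihoods(dag, alert_confidence).items() if v >= threshold)


def next_response(goal: str, failed: Set[str]) -> Optional[str]:
    """First response for `goal` that has not already failed; None when the
    list is exhausted and a human has to step in."""
    for action in RESPONSES.get(goal, []):
        if action not in failed:
            return action
    return None


if __name__ == "__main__":
    # Constructed alert confidences for one detection round.
    alerts = {"compromise_web_server": 0.9, "compromise_app_server": 0.8,
              "obtain_db_credentials": 0.7, "exfiltrate_customer_db": 0.75}
    for goal, v in goal_likelihoods(IDAG, alerts).items():
        print(f"{goal:26s} {v:.2f}")
    print("achieved:", achieved_goals(IDAG, alerts))
    failed = {"rotate_db_credentials"}
    print("escalate to:", next_response("obtain_db_credentials", failed))
```

Dropping the alert for obtain_db_credentials in the sample input drives the exfiltration goal's likelihood to zero even though its own detector fired, which is the containment-relevant behaviour: responses are spent on the sub-goals the evidence actually supports rather than on the most alarming alert.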

Added 2003-12-18

A Framework for Role-Based Access Control in Group Communication Systems

CERIAS TR 2003-31
Ninghui Li and Cristina Nita-Rotaru
Download: PDF

In addition to basic security services such as confidentiality, integrity and data source authentication, a secure group communication system should also provide authentication of participants and access control to group resources. While considerable research has been conducted on providing confidentiality and integrity for group communication, less work has focused on group access control services. In the context of group communication, specifying and enforcing access control becomes more challenging because of the dynamic and distributed nature of groups and the fault tolerance issues (i.e. withstanding process faults and network partitions).

In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines role-based access control mechanisms with environment parameters (time, IP address, etc.) to provide policy support for a wide range of applications with very different requirements. While policy is defined by the application, its efficient enforcement is provided by the group communication system.

Added 2003-12-17

The Future of Computer Forensics: A Needs Analysis Survey

CERIAS TR 2003-30
Marcus K. Rogers & Kate Seigfried
Download: PDF

The current study was a pilot study and attempted to add to the growing body of knowledge regarding inherent issues in computer forensics. The study consisted of an Internet-based survey that asked respondents to identify the top five issues in computer forensics.  Sixty respondents answered the survey using a free-form text field. The results indicated that education/training and certification were the most reported issue (18%) and lack of funding was the least reported (4%).  These findings are consistent with a similar law enforcement community study (Stambaugh et al., 2001).  The findings emphasize the fragmented nature of the computer forensics discipline. Currently there is no national framework for curricula and training development, and no gold standard for professional certification. The findings further support the criticism that there is a disproportionate focus on the applied aspects of computer forensics, at the expense of the development of fundamental theories. Further implications of the findings are discussed, as well as suggestions for future research in the area.

Added 2003-11-21

Getting Physical with the Digital Investigation Process

CERIAS TR 2003-29
Brian Carrier and Eugene H. Spafford
Download: PDF

In this paper, a process model for digital investigations is defined using the theories and techniques from the physical investigation world.  While digital investigations have recently become more common, physical investigations have existed for thousands of years and the experience from them can be applied to the digital world.  This paper introduces the notion of a digital crime scene with its own witnesses, evidence, and events that can be investigated using the same model as a physical crime scene.  The proposed model integrates the physical crime scene investigation with the digital crime scene investigation to identify a person who is responsible for the digital activity.  The proposed model applies to both law enforcement and corporate investigations.

Added 2003-11-17

A Semantics-Based Approach to Privacy Languages

CERIAS TR 2003-28
Ninghui Li, Ting Yu, Annie I. Anton

The Platform for Privacy Preferences (P3P), developed by the W3C, is a major effort to improve online privacy.  It provides a language for websites to encode their data-collection and data-use practices in a machine-readable form.  The W3C also designed a P3P preference language, APPEL, to allow users to specify their privacy preferences. Although P3P has received broad attention, adoption has been slow.  A key reason for this slow adoption is the lack of a formal semantics. Without a formal semantics, a P3P policy may be semantically inconsistent and may be interpreted and represented differently by different user agents. Additionally, APPEL is both complex and error-prone.

In this paper, we redress these problems by adopting a semantics-based approach. We propose a relational formal semantics for P3P policies, which precisely model the relationships between different components of P3P statements (i.e., purposes, recipients and retentions) during online information collection. Based on this semantics, we present SemPref, a simple, efficient and expressive semantics-based preference language. Unlike previously proposed preference languages, SemPref queries the meaning of a privacy policy rather than its syntactical representation. The proposed formal semantics and preference language are an important step towards improving P3P and making it more comprehensible to enterprises and individual users, and ultimately accelerating the large-scale adoption of P3P across the Internet.

Added 2003-11-06