To build survivable information systems (i.e., systems that continue to provide their services in spite of coordinated attacks), it is necessary to detect and isolate intrusions before they impact system performance or functionality.  Previous research in this area has focused primarily on detecting intrusions after the fact, rather than preventing them in the first place.  We have developed a new approach based on specifying intended program behaviors using patterns over sequences of system calls.  The pattern can also capture conditions on the values of system-call arguments.  At runtime, we intercept the system calls made by processes, compare them against specifications, and disallow (or otherwise modify) those calls that deviate from specifications.  Since our approach is capable of modifying a system call before it is delivered to the operating system kernel, it is capable of reacting before any damage-causing system call is executed by a process under attack.  We present our specification language and illustrate its use by developing a specification for the ftp server.  Observe that in our approach, every system call is intercepted and subject to potentially expensive operations for matching against many patterns that specify normal/abnormal behavior.  Thus , minimizing the overheads incurred for pattern-matching is critical for the viability of our approach.  We solve this problem by developing a new, low-overhead algorithm for matching runtime behaviors against specifications.  A salient feature of our algorithm is that its runtime is almost independent of the number of patterns.  In most cases, it uses a constant amount of time per system call intercepted, and uses a constant amount of storage, both independent of either the size or number of patterns.  These benefits make our algorithm useful for many other intrusion detection methods that employ pattern-matching.  We describe our algorithm, and evaluate its performance through experiments.

A temporal RBAC (TRBAC) model has recently been proposed that addresses the temporal aspects of roles and trigger-based role enabling. However, it is limited to constraints on enabling of roles only. We propose a Generalized Temporal Role Based Access Control model (GTRBAC) that is capable of expressing a wider range of temporal constraints. GTRBAC is capable of expressing periodic as well as duration constraints on roles, user-role assignments and role-permission assignments. In GTRBAC, temporal constraints on role enablings and role activations can be separately specified. A user-activated role can further be restricted to various activation constraints such as cardinality constraint or maximum active duration constraint within a specified interval. The GTRBAC model extends the syntactic structure of TRBAC model and its event and trigger expressions subsume those of TRBAC.

Analysis methods for cryptographic protocols have often focused on information leakage rather than on seeing whether a protocol meets its goals.  Many protocols, however, fall far short of meeting their goals, sometimes for quite subtle reasons

A Generalized Temporal Role Based Access Control (GTRBAC) model that captures an exhaustive set of temporal constraint needs for access control has recently been proposed. GTRBAC

A TCP forwarder is a network node that establishes and forwards data between a pair of TCP connections.  For example, a firewall that places a proxy between a TCP connection to an external host and a TCP connection to an internal host - for the purpose of implementing access control to a resource on the internal host - is an example of a TCP forwarder.

Contemporary computer networks are heterogeneous; even a single network consists of many kinds of processors and communications channels.  But few programming tools embrace, or even acknowledge, this complexity.  New methods and approaches are required if next-generation networks are to be configured, administered and utilized to their full potentials…

This paper discusses the Address Resolution Protocol (ARP) and the problem of cache poisoning.  ARP cache poisoning is the malicious act, by a host in a LAN, of introducing a spurious IP address to MAC (Ethernet) address mapping in another host\‘s ARP cache…

Onion Routing provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis.  Unmodified Internet applications can use these anonymous connections by means of proxies…

Protection of software code against illegitimate modifications by its users is a pressing issue to many software developers. Many software-based mechanisms for protecting program code are too weak (e.g., they have single points of failure) or too expensive to apply (e.g., they in-  cur heavy runtime performance penalty to the protected programs). In this paper, we present and explore a methodology that we believe can protect program integrity in a more tamper-resilient and manner. Our approach is based on a distributed scheme, in which protection and tamper-resistance of program code is achieved, not by a single security module, but by a network of (smaller) security units that work together in the program. These security units, or guards, can be programmed to do certain tasks (checksumming the program code is one example) and a network of them can reinforce the protection of each other by creating mutual-protection. We have implemented a system for automating the process of installing guards into Win32 executables. 1 Experimental results show that memory space and run-time performance impacts incurred by guards can be kept very low (as explained later in the paper).

This work introduces a new approach to code safety.  We present Naccio, a system architecture that allows a large class of safety policies to be expressed in a general and platform-independent way…