Network monitoring is indispensable for maintaining and managing networks efficiently. With increasing network traffic in the ISP, enterprise and cloud environments, it is challenging to provide low overhead monitoring services without sacrificing accuracy. In this dissertation, we present techniques to enable measurement systems and services to have (1) high measurement accuracy, and (2) low measurement overhead. In the context of active measurements, shared active measurement services have been proposed to provide a common and safe environment to conduct measurements. By adapting to user measurement requests, we present solutions to (1) selectively use inference mechanisms, and (2) schedule active measurements in a non-interfering manner. These techniques reduce the measurement overhead costs and improve the accuracy for an active measurement service.^ In the context of passive flow based measurements systems, this dissertation introduces Pegasus, a monitoring system that leverages co-located compute and storage devices to support aggregation queries. Using Pegasus, we present IFA (Iterative Feedback Aggregator), a technique to accurately detect global icebergs and network anomalies at a low communication cost. Finally, we present ALE (Approximate Latency Estimator), a scalable and low-overhead technique to estimate TCP round trip times at high data rates for troubleshooting network performance problems.^

One of the major challenges that network researchers and operators face today is the lack of reliable and scalable network testbeds. Since it is often infeasible to perform experiments directly on a production network or build analytical models for complex systems, researchers often resort to simulation or downscaled testbed experiments. However, designing a downscaled experiment that can faithfully represent a large-scale experiment is often challenging. The results of a non-representative experiment can be misleading and unexpected bugs may not be discovered until the Internet protocol or application is deployed into an operational network. In this work, we present two solutions to enable large-scale network experiments. Our first solution, flow-based scenario partitioning (FSP), is a platform-independent mechanism to partition a large network experiment into a set of small experiments that are sequentially executed. Each of the small experiments can be conducted on a given number of experimental nodes, e.g., the available machines on a testbed. Results from the small experiments approximate the results that would have been obtained from the original large experiment. Experimental results from several simulation and testbed experiments demonstrate that our techniques approximate performance characteristics, even with closed-loop traffic and congested links. Our second solution, EasyScale, aims to bridge the current gap between emulation testbed users and large-scale security experiments possibly using multiple scaling techniques. EasyScale is a new framework for easily configuring a large-scale network security experiment on an emulation testbed. Multiple scaling techniques, such as full and OS-level virtualization techniques, can be used for different parts of the input experimental topology in order to balance scalability and fidelity. The EasyScale resource allocation scheme considers user-specified fidelity requirements. Additional resources are allocated to the experiment components that are considered to be highly important, in order to increase the experimental fidelity. Our results from distributed denial of service and worm attack experiments demonstrate that EasyScale can easily allocate testbed resources to the critical components in an experiment, lowering the barrier for testbed users to conduct high fidelity yet scalable network security experiments.^

Access control mechanisms protect sensitive information from unauthorized users. However, when sensitive information is shared and a Privacy Protection Mechanism (PPM) is not in place, an authorized insider can still compromise the privacy of a person leading to identity disclosure. A PPM can use suppression and generalization to anonymize and satisfy privacy requirements, e.g., k-anonymity and l-diversity. However, the protection of privacy is achieved at the cost of precision of authorized information. In this thesis, we propose an accuracy-constrained privacy-preserving access control framework for static relational data and data streams. The access control policies define selection predicates available to roles and the associated imprecision bound. The PPM has to satisfy the privacy requirement along with the imprecision bound for each selection predicate. We prove the hardness of problem, propose heuristics for anonymization algorithms and show empirically that the proposed approach satisfies imprecision bounds for more queries than the current state of the art. We also formulate the problem of predicate role mining for extraction of authorized selection predicates and propose an approximate algorithm. The access control for stream data allows roles access to tuples satisfying an authorized predicate sliding window query. The generalization introduces imprecision in the authorized view of stream. This imprecision can be reduced by delaying the publishing of stream data. However, the delay in sharing the stream tuples to access control can lead to false negatives. The challenge is to optimize the time duration for which the data is held by PPM so that the imprecision bound for maximum number of queries are met. We present the hardness results, provide an anonymization algorithm, and conduct experimental evaluation of the proposed algorithm.^

Access control policies in healthcare domain define permissions for users to access different medical records. Role Based Access Control (RBAC) helps to restrict medical records to users in a certain role but sensitive information in medical records can still be compromised by authorized insiders. The disclosure of sensitive medical information can create embarrassing situation for a patient or even cause discrimination based on medical ailment. The threat is from users who are not treating the patient but have access to medical records. We propose selective combination of policies where sensitive records are only available to primary doctor under Discretionary Access Control (DAC) and he may share it for consultation after permission from patient. This helps not only better compliance of principle of least privilege but also helps to mitigate the threat of authorized insiders disclosing sensitive patient information. We use Policy Machine (PM) proposed by National Institute of Standards and Technology (NIST) to combine policies and develop a flexible healthcare access control policy which has benefits of context awareness and discretionary access. We have implemented temporal constraints for RBAC in PM and after combination of Generalized Temporal Role Based Access Control (GTRBAC) and DAC, an example healthcare scenario has been established. ^

As the convergence between our physical and digital worlds continues at a rapid pace, much of our information is becoming available online. In this paper we develop a novel taxonomy of methods and techniques that can be used to protect digital information. We discuss how information has been protected and show how we can structure our methods to achieve better results. We explore complex relationships among protection techniques ranging from denial and isolation, to degradation and obfuscation, through negative information and deception, ending with adversary attribution and counter-operations. We present analysis of these relationships and discuss how can they be applied at different scales within organizations. We also identify some of the areas that are worth further investigation. We map these protection techniques against the cyber kill-chain model and discuss some findings.

Moreover, we identify the use of deceptive information as a useful protection method that can significantly enhance the security of systems. We posit how the well-known Kerckhoffs’s principle has been misinterpreted to drive the security community away from deception-based mechanisms. We examine advantages these techniques can have when protecting our information in addition to traditional methods of hiding and hardening. We show that by intelligently introducing deceptive information in information systems, we not only lead attackers astray, but also give organizations the ability to detect leakage; create doubt and uncertainty in any leaked data; add risk at the adversaries’ side to using the leaked information; and significantly enhance our abilities to attribute adversaries. We discuss how to overcome some of the challenges that hinder the adoption of deception-based techniques and present some recent work, our own contribution, and some promising directions for future research.

Due to resource constraints, unattended operating environment, and communication phenomena, Wireless Sensor Networks (WSNs) are susceptible to operational failures and security attacks. However, WSNs must be able to continuously provide their services despite anomalies or attacks and to effectively recover from attacks. In this paper, we propose Kinesis - the first systematic approach to a security incident response and prevention system for WSNs. We take a declarative approach to support the specification of the response policies, based on which Kinesis selects the response actions. The system is distributed in nature, dynamic in actions depending on the context, quick and effective in response, and secure. We implement Kinesis in TinyOS. Testbed experiments and extensive TOSSIM simulations show that the system successfully counteracts anomalies/attacks and behaves consistently under various attack scenarios and rates.

Today’s large datasets are a major hindrance on digital investigations and have led to a substantial backlog of media that must be examined. While this media sits idle, its relevant investigation must sit idle inducing investigative time lag. This study created a client/server application architecture that operated on an existing pool of internally networked Windows 7 machines. This distributed digital forensic approach helps to address scalability concerns with other approaches while also being financially feasible. Text search runtimes and match counts were evaluated using several scenarios including a 100 GB image with prefabricated data. When compared to FTK 4.1, a 125 times speed up was experienced in the best case while a three times speed up was experienced in the worst case. These rapid search times nearly irrationalize the need to utilize long indexing processes to analyze digital evidence allowing for faster digital investigations.

The movement of people and goods around the world is certainly no easy task and is heavily reliant on the intricate maneuvering of systems, processes, people and more than ever, technology. These systems to move the shipment of goods and transportation of people are critical to the world economy; particularly to the over 315 million people living in the United States. The importance of shipping and transportation infrastructure to the United States is reflected in the inclusion of this infrastructure on the Cyber Infrastructure and Key Resources (CIKR) list created and maintained by the United States federal government. According to the Bureau of Transportation from 2009, this multi-trillion dollar industry consists of maritime, aviation, and ground transportation systems including road and railways; all of which are at the core of transportation operations. The world’s growing reliance on advanced information technology has introduced opportunities for cyber attacks that exploit vulnerabilities in the information technology enabled systems. This report analyzes documented cyber attacks on the shipping and transportation industry and discusses the potential impacts of that analysis on U.S. shipping and transportation infrastructure.

A hybrid signcryption approach can efficiently encapsulate new keys and securely transmit data for various applications such as Advanced Metering Infrastructures (AMIs) and Wireless Sensor Networks (WSNs). However, since most hybrid signcryption approaches rely on traditional PKI using a certificate trusted by CA, they require the management of certificates. Although Identity-based Public Key Cryptography (ID-PKC) was introduced to eliminate the dependency from explicit certificates, it suffers from a key escrow problem because the Key Generation Center (KGC) stores the private keys of all users. In order to resolve these drawbacks, certificateless public key cryptography (CL-PKC) was introduced, that splits the user’s private key into two parts: one is a partial private key generator by the KGC, and the other one is a secret value selected by the user. CL-PKC is able to overcome the key escrow problem because the KGC is unable to access the user’s secret value. Only when a valid user holds both the partial private key and the secret value, the cryptographic operations such as decryption or digital signing based on CL-PKC can be performed.

Recently,the concept of certificateless hybrid signcryption (CL-HSC) evolved by combining the ideas of signcryption based on tag-KEM and certificateless cryptography. However, existing CL-HSC schemes are not secure against existential forgery attack and are constructed by utilizing bilinear pairing operations. In spite of the recent advances in implementation techniques, the computational cost required for pairing operation is still considerably higher in comparison to standard operations such as ECC point multiplication. In this technical report, we propose a elliptic curve cryptography based certificateless hybrid signcryption (CL-HSC) scheme without pairing operations. We present the formal security model of our CL-HSC scheme. Then, we provide the security proof of our CL-HSC scheme against both adaptive chosen ciphertext attack and existential forgery in the appropriate security models for certificateless hybrid signcryption. Since our CL-HSC scheme does not depend on the pairing-based operation, it reduces the computational overhead. It is also adopted to utilize ECC (Elliptic Curve Cryptography). Thus, we take the benefit of ECC keys defined on an additive group with a 160-bit length as secure as the RSA keys with 1024-bit length.

This study is a part of the smart grid initiative providing electric vehicle charging infrastructure. It is a refueling structure, an energy generating photovoltaic system and charge point electric vehicle charging station. The system will utilize advanced design and technology allowing electricity to flow from the site’s normal electric service to the charging stations or for the solar system to provide available electricity to fuel the cars reducing the cost of the driver’s fuel bills. In case where the charging station do not need the electricity produced by the solar system, the excess electricity will be given back for use in the host facility or net metered back to the utility and credited to the meter owner’s monthly electric bill. Therefore our proposed system is capable of providing frequency and regulation services, harnessing renewable source of energy, providing both AC and DC charging options to the electric vehicle owners, in addition to be able to function as a micro-grid. ^ The above mentioned tasks cannot be completed without an IT communication infrastructure in place. As all these components will be connected together with a mesh of networks, it is without doubt that there will be concerns regarding to the security of overall structure more in terms of the information that will be passed through the networks for different purposes. The security and privacy of this information becomes all the more important as it is concerned with the safety and lives of everyone associated with this structure. ^ Thus the objective of this study is to look and understand the various processes and domains that our system will have and how those domains or in other words the infrastructure of our system can be secured. In our study we will build a logical security architecture based on the Sherwood Applied Business Security Architecture model and draw conclusions whether the said model can be applied in more scenarios like ours in the future.^

The prevalent need for publicly available datasets, coupled with the spate of privacy-related incidents pertaining to the release of such data, have spurred the need to develop resilient and accurate methods of privacy-preserving data publishing. In this dissertation, we consider the problem of private data publishing while satisfying the robust notion of differential privacy. In particular, we consider the scenario in which a trusted curator gathers sensitive information from a large number of respondents, creates a dataset where each tuple corresponds to one entity, and publishes a privacy-preserving synopsis of the dataset. The diverse nature of the datasets of interest prevents the development of a single general method of data publishing that works in all situations. We therefore develop differentially private synopsis mechanisms for various types of data. We start with the simplest data publishing scenario: publishing a single-dimensional histogram. We explore hierarchical approaches to publishing histograms and propose various optimizations. Next we consider two-dimensional datasets and propose grid-based approaches for publishing geospatial datasets. For datasets with more than just a few dimensions, we propose a framework for publishing k -way marginals and contingency tables while guaranteeing accuracy and consistency. Furthermore, for high-dimensional datasets, we propose a framework for frequent itemset mining while guaranteeing differential privacy. Finally, we explore relaxations to differential privacy in light of an adversary’s uncertainty about the dataset.

The oil & gas industry is a multibillion-dollar industry that has a history of conflict. As modern technology has developed, both the corporate aspects and technical aspects of the oil & gas industry have become heavily reliant on the Cyber domain. The inherently insecure origins and evolution of computing has led that dependence to become a severe vulnerability. Recent events have brought this fact to light with a deluge of “cyber attacks” launched globally against the industry. These attacks raise specter of cyber conflict and the question of culpabil- ity. This report seeks to analyze a selection of these events, looking for patterns that would indicate one or more advanced actors. By observing the motives means and opportunities presented to actors, and looking at a cross section of these attacks over time, conclusions will be drawn as to the past, present, and future of cyber conflict within the industry.

Access control mechanisms and Privacy Protection Mechanisms (PPM) have been proposed for data streams. The access control for data stream allows roles access to tuples satisfying an authorized predicate sliding-window query. When the sensitive stream data is shared without a PPM the privacy can be compromised. The PPM meets privacy requirements, e.g., k-anonymity or l-diversity by generalization of stream data. This imprecision introduced by generalization can be reduced by delaying the publishing of stream data. However, the delay in sharing the stream tuples to achieve better accuracy can lead to false negatives if the tuples slide out of the window when a sliding-window query predicate is evaluated for access control mechanism. To set a threshold on the loss of precision, access control mechanism defines the imprecision bound for each query. The challenge is to optimize the time duration for which the stream data is held by PPM so that the imprecision bounds for the maximum possible number of queries are met. In our formulation of the aforementioned problem we present the hardness results, provide an anonymization algorithm, and conduct experimental evaluation of the proposed algorithm. Experiments demonstrate that the proposed heuristic provides better precision as compared to the minimum or maximum delay heuristics.

In April 2007, what has been incorrectly called the first cyber war and since then referred more correctly as a cyber riot, an attack on the domain name systems and the various servers of Estonia occurred. It was perpetrated by ethnic Russians living in Estonia who were incensed by the movement of a bronze war memorial for Russian soldiers to a grave yard from the center of town (Evron, 2008, p. 122). The cyber riot was nearly simultaneous with the actual real world riots. This brought the idea of cyber warfare and conflict in cyberspace into the public view. ^ It may be better to replace the idea of asymmetric threats with the idea of strategic threats as the threat may not be asymmetric (e.g. large scale cyber warfare) but the adversary’s strategy is asymmetric in effort. If according to Clausewitz, we are willing to accept that there are two primary things needed for war (politically opposed will-power and the ability to field a military) then a missing element of cyber warfare may be the ability to field a military (Szafranski, 1990, p. 39). ^ This research states, “Given the unstructured domain of cyber warfare knowledge a specific model will allow experts to produce a concept map significantly more detailed than absent the model.” Experts were solicited in a variety of venues to map cyber warfare using a concept mapping process and provide a deeper understanding of the concept. Two technology-centric models were given to groups of experts to assist them in explaining elements of cyber conflict. One group was just given the cyber warfare question and no specific model as guidance. The groups were then compared to see if either of the models had better explanatory power per the experts responses.^

The tremendous growth in electronic media has made publication of information in either open or closed environments easy and effective. However, most application domains (e.g. electronic health records (EHRs)) require that the fine-grained selective access to information be enforced in order to comply with legal requirements, organizational policies, subscription conditions, and so forth. The problem becomes challenging with the increasing adoption of cloud computing technologies where sensitive data reside outside of organizational boundaries. An important issue in utilizing third party data management systems is how to selectively share data based on fine-grained attribute based access control policies and/or expressive subscription queries while assuring the confidentiality of the data and the privacy of users from the third party. ^ In this thesis, we address the above issue under two of the most popular dissemination models: pull based service model and subscription based publish-subscribe model. Encryption is a commonly adopted approach to assure confidentiality of data in such systems. However, the challenge is to support fine grained policies and/or expressive content filtering using encryption while preserving the privacy of users. We propose several novel techniques, including an efficient and expressive group key management scheme, to overcome this challenge and construct privacy preserving dissemination systems.^