The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



A Framework for Modelling Trojans and Computer Virus Infection

Harold Thimbleby, Stuart Anderson, Paul Cairns

It is not possible to view a computer operating in the real world, including the possibility of Trojan Horse programs and computer viruses, as simply a finite realisation of a Turing Machine.  We consider the actions of Trojan Horses and viruses in real computer systems and suggest a minimal framework for an adequate formal understanding of the phenomena. Some conventional approaches, including biological metaphors, are shown to be inadequate; some suggestions are made towards constructing virally-resistant systems.

Added 2002-07-26

The Effects of Computer Viruses on Disaster Recovery Model Development

Paul Gerard LeDuc

The purpose of the study was to determine the effect of computer viruses on disaster recovery model development.  Through a review of the literature and careful thought, the Susceptibilities/Assets/Frequencies and Expected Value Model was developed. The design of this model is unique in that it addresses the threat of computer viruses to organizational computing resources. The model consists of two concurrent processes. These processes are the management process and the prevention recovery process.  The S.A.F.E. Model is intended to function as a tool that guides an organization through the systematic assessment of areas that are essential to the development of viral recovery strategies within the organization. Computer viruses are a dynamic threat.  The S.A.F.E. Model represents an attempt to outline a process that can be utilized to develop prevention and recovery strategies to cope with this threat.

Added 2002-07-26

An Embedded Sensor For Monitoring File Integrity

CERIAS TR 2001-41
James P. Early
Download: PDF

This paper describes a method of monitoring file integrity (changes in file contents) using a collection of embedded sensors within the kernel.  An embedded sensor is a small piece of code designed to monitor a specific condition and report to a central logging facility. In our case, we have built several such sensors into the 4.4 BSD kernel (OpenBSD V2.7) to monitor for changes in file contents. The sensors look for files which are marked with a specific system flag in the inode. When the sensors detect a file with this flag, they will report all changes to file contents made through the file system interface. This provides administrators with a valuable audit tool and supplies more reporting granularity than conventional file system integrity checkers (such as Tripwire).

Our technique relies on only two fundamental file system characteristics. First, the file system object must have a provision for storing file characteristics (i.e. flags) within the object. Secondly, the file system must present a block device interface to the operating system.

We show that system performance is not severely hampered by the presence of this monitoring mechanism given the select set of files that would be monitored in a conventional system and the beneficial audit data that results from monitoring.

Added 2002-07-26

Using Internal Sensors for Computer Intrusion Detection

CERIAS TR 2001-42
Diego Zamboni
Download: PDF

This dissertation introduces the concept of using internal sensors to perform intrusion detection in computer systems. It shows its practical feasibility and discusses its characteristics and related design and implementation issues.

We introduce a classification of data collection mechanisms for intrusion detection systems. At a conceptual level, these mechanisms are classified as direct and indirect monitoring. At a practical level, direct monitoring can be implemented using external or internal sensors. Internal sensors provide advantages with respect to reliability, completeness, timeliness and volume of data, in addition to efficiency and resistance against attacks.

We introduce an architecture called ESP as a framework for building intrusion detection systems based on internal sensors. We describe in detail a prototype implementation based on the ESP architecture and introduce the concept of embedded detectors as a mechanism for localized data reduction.

We show that it is possible to build both specific (specialized for a certain intrusion) and generic (able to detect different types of intrusions) detectors. Furthermore, we provide information about the types of data and places of implementation that are most effective in detecting different types of attacks.

Finally, performance testing of the ESP implementation shows the impact that embedded detectors can have on a computer system. Detection testing shows that embedded detectors have the capability of detecting a significant percentage of new attacks.

Added 2002-07-26

Fault-tolerant Authentication and Group Key Management in Mobile Computing

CERIAS TR 2000-07
Bharat Bhargava, Sarat Babu Kamisetty, Sanjay Kumar Madria
Download: PDF

Survivability and secure communications are essential in a mobile computing environment. In a secure network, all the hosts must be authenticated before communicating, and failure of the agents that authenticate the hosts may completely detach the hosts from the rest of the network. In this paper, we describe two techniques to eliminate such a single point of failure. Both of these approaches make use of backup servers, but they differ in the way they are organized and deployed. We evaluate our proposed architectures with threats and performance issues in group (multicast) communications in mobile computing environments. We propose a scheme for efficient key distribution and management using key graphs to provide secure multicast service.

Added 2002-07-26

Data Collection Mechanisms for Intrusion Detection Systems

CERIAS TR 2000-08
Eugene Spafford, Diego Zamboni
Download: PDF

Drawing from the experience obtained during the development and testing of a distributed intrusion detection system, we reflect on the data collection needs of intrusion detection systems, and on the limitations that are faced when using the data collection mechanisms built into most operating systems.  We claim that it is best for an intrusion detection system to be able to collect its data by looking directly at the operations of network packets.  Furthermore, for collecting data in an efficient, reliable and complete fashion, incorporation of monitoring mechanisms in the source code of the operating system and its applications is needed.

Added 2002-07-26

A Framework for Cooperative Intrusion Detection

Deborah Frinke, Don Tobin, Jesse McConnell, Jamie Marconi, Dean Polla

The trend towards a strong interdependence among networks has serious security implications.  Not only does the compromise of one network adversely affect resources needed by others, but the compromised network may be part of a multi-network attack targeting other systems.  The task of identifying such attacks in progress can be quite difficult.  Other researchers have found that data sharing is needed to detect many systemic attacks involving multiple hosts even within a single network [PN97].  Systems such as DIDS and EMERALD have been developed to gather and analyze such data network and enterprise-wide, respectively.  However, neither system addresses data sharing between networks that lack central administration.  This paper identifies some of the issues that need to be addressed if cooperative intrusion detection using data sharing between distinct sites is to become a viable option, and provides a set of requirements for designing such a system.  A substantial subset of these requirements has been modelled in a functional cooperative data sharing system.

Added 2002-07-26

A Petri-net Based Multilevel Security Specification Model for Multimedia Documents

CERIAS TR 2000-09
J. Joshi, A. Ghafoor
Download: PDF

With the growing need for multimedia data management, security requirements are becoming very crucial.  Composing multimedia documents involves bringing together media objects that exist in various formats.  These objects may reside in a distributed environment and belong to different security domains.  We propose a time augmented colored-Petri Net model for multimedia document composition that allows the specification of multilevel security.  The model also allows handling multiple security policies and hierarchical and path-based protection schemes.

Added 2002-07-26

Subliminal Traceroute in TCP/IP

CERIAS TR 2000-10
Thomas E. Daniels, Eugene H. Spafford
Download: PDF

We introduce a technique for tracing a class of

Added 2002-07-26

A Distributed Approach to Anomaly Detection

Patrik D'haeseleer, Stephanie Forrest, Paul Helman

The natural immune system has evolved many interesting mechanisms to solve the problem of self-nonself discrimination.  An anomaly detection system based upon principles derived from the immune system was introduced in [Forr94].  Its main advantages are that it is distributable, local, and tunable.  This paper provides an overview of the theoretical, algorithmic, and practical developments extending the original proposal.  In particular, we present information theoretic results on the detection method, show the possibility of strings that cannot be detected for a given combination of self set and matching rule, present efficient algorithms to generate the detector set, and provide rules of thumb for setting the parameters to apply this method to a real data set.

Added 2002-07-26

Fighting the Wily Hacker: Modeling Information Security Issues for On-line Financial Institutions using the SEAS Environment

CERIAS TR 2000-11
Alok Chaturvedi, Mukul Gupta, Shailendra Mehta
Download: PDF
Added 2002-07-26

A Formal Framework and Evaluation Method for Network Denial of Service

Catherine Meadows

Denial of service is becoming a growing concern.  As our systems communicate more and more with others that we know less and less, they become increasingly vulnerable to hostile intruders who may take advantage of the very protocols intended for the establishment and authentication of communication to tie up our resources and disable our servers.  Since these attacks occur before parties are authenticated to each other, we cannot rely upon enforcement of the appropriate access control policy to protect us (as is recommended in the classic work of Gligor and Millen in [5, 18, 19]).  Instead we must build our defenses, as much as possible, into the protocols themselves.  This paper shows how some principles that have already been used to make protocols more resistant to denial of service can be formalized, and indicates the ways in which existing cryptographic protocol analysis tools could be modified to operate within this formal framework.

Added 2002-07-26

Innovative Web Use to Learn about Consumer Behavior and Online Privacy

Julia Earp and David Baumer
Download: PDF
Added 2002-07-26

PFIRES - Policy Framework for Interpreting Risk in eCommerce Security

CERIAS TR 2000-01
CERIAS, Accenture - Formerly Andersen Consulting
Download: PDF

As organizations rush to build and support eCommerce applications there is an increasing realization that information and financial assets are becoming more vulnerable to attack. Media hyped reports of the BubbleBoy virus and frequent network failure of eCommerce sites like eTrade may serve to alarm the public, but the threats are real and the potential risks catastrophic. One industry survey discovered that organizations engaged in Web commerce, electronic supply chains, and enterprise resource planning experience three times as many incidents of information loss and theft of trade secrets as everybody else.

Added 2002-07-26

Disclosure Limitation of Sensitive Rules

CERIAS TR 2000-02
M. Atallah, E. Bertino, A. Elmagarmid, M. Ibrahim, V. Verykios
Download: PDF

Data products (macrodata or tabular data and micro-data or raw data records), are designed to inform public or business policy, and research or public information. Securing these products against unauthorized accesses has been a long-term goal of the database security research community and the government statistical agencies. Solutions to this problem require combining several techniques and mechanisms. Recent advances in data mining and machine learning algorithms have, however, increased the security risks one may incur when releasing data for mining from outside parties. Issues related to data mining and security have been recognized and investigated only recently.

Added 2002-07-26