SECURITY BASED RESEARCH IN CS DEPARTMENT TEXAS A&M UNIVERSITY
Intrusion Detection
• Greg White (August 1995) "Cooperating Security Managers: Intrusion Detection in a Distributed Environment"
• Daniel J. Ragsdale (2001) "Adaptive Intrusion Detection"
• Jeffrey Humphries (2001) "Secure Mobile Agents"
Intrusion Detection and Response
• Curtis A. Carver, Jr. (2001) "Adaptive Agent-Based Intrusion Response"
• One currently working Ph.D. student
Intrusion Damage Assessment and Recovery
• Eric Fisch (Apr. 1996) "Intrusive Damage Control and Assessment Techniques."
Security Issues in Mobile Networks
• Paul Brutch (May 2001) "Evaluation and Analysis System for Intranet Access Control."
• Tasneem Gandapur Brutch (May 2001) "Mutual Authentication, Confidentiality, and Key Management in Mobile Wireless Systems."
• Four currently working Ph.D. students
Miscellaneous Topics
• N. Abrol (May 1996) "Security Vulnerabilities in the User Network Interface (UNI 3.1) Signaling Protocol."
• Tamara Collins (August 2000) "An Efficient Public Key Infrastructure Revocation Mechanism"
• Charles Cropper (August 2000) "Risk Assessment of Selected Commercial Firewall Software"
• Four currently working Ph.D. students
Advanced Networking and Security: CPSC 665 (started 1992)
• A graduate-level computer security course is offered in the Department of Computer Science at Texas A&M University. As part of this course, students participate in a hands-on security laboratory in which they perform informal penetration tests against a network of machines.
• The goal of the penetration teams is to compromise a machine, managed and monitored by the system administration team, without being detected or traced.
• Once the penetration teams have compromised a UNIX host by acquiring superuser privilege, they need to hide this activity from the system administration team and to maintain superuser privilege in the future.
• The Network Security "Sandbox" is a fully contained facility where different network and system security environments and tools may be taught and attack/defend labs conducted without affecting outside systems.
• The graduate computer security course was started in the summer of 1992 by Dr. Udo Pooch. Including the Spring 2001 semester, Dr. Pooch has taught this course to over 200 students at Texas A&M University. The course is a mixture of formal classroom instruction on computer and network security principles and a hands-on security laboratory. As part of the security laboratory, students are divided into multiple penetration teams and a single system administration team.
• Each penetration team is given superuser access to a Linux machine that resides on a private network. The penetration teams have complete control over their assigned Linux machine, and the system administration team is not normally allowed to venture onto the penetration teams' network.
• The system administration team manages machines on a separate network, and the two networks are connected via a router. The system administration team's network consists of a number of Sun workstations running Solaris 2.5.1 and one NT 4.0 machine.
• The goal of the penetration teams is to compromise a machine managed and monitored by the system administration team. The penetration teams are allowed to make almost any type of attack as long as their activity remains within the domain of the security laboratory.
• The penetration teams have accounts on their own Linux machines and separate user accounts on some of the system administration team's machines. Therefore, the penetration teams can conduct attacks as inside intruders and simulate remote attacks from the Internet.
• The system administration team also provides one Sun workstation running Solaris 2.5.1, without any security patches, for use as a training machine by the penetration teams. Although this training machine resides on the system administration team's network, it is not trusted by any of the other machines and is not monitored by the system administration team.
• Penetration teams have successfully launched attacks from this training machine to compromise more secure hosts on the system administration team's network.
• The goal of the system administration team is to detect and trace all unauthorized access to the machines that they manage and monitor. The system administration team makes every effort to ensure that the systems they monitor are secure.
• Ideally, the system administration team should install the latest vendor security patches; perform vulnerability scanning by running the Tiger scripts by Doug Schales; install TCP Wrapper by Wietse Venema to monitor and filter incoming requests for certain network services; run Crack by Alec Muffett against the password file; enable remote logging via the syslog facility; and run Tripwire by Gene Kim and Eugene Spafford to perform system integrity checking.
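Tripwire-style system integrity checking, the last item in the list above, as an added example that is neither the course's nor Tripwire's own code: a baseline of file hashes is taken on a clean host, and a later scan is compared against it to report files that were modified, added or removed, which is how the administration team would notice a compromised host's altered binaries. The file names and contents in demo() are constructed for the illustration.

```python
"""Tripwire-style integrity check: hash a tree into a baseline, then report
files that were modified, added or removed since the baseline was taken."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict:
    """Hash, size and permission bits for every regular file under root,
    keyed by path relative to root so the baseline is portable."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are not hashed
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Re-scan root and classify every difference against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current)}


def demo() -> dict:
    """Constructed scenario with made-up files: baseline three files, then
    alter one, add one and delete one, and return the comparison report.
    The baseline JSON is kept outside the monitored tree; in practice store
    it on read-only media or another host, out of reach of a root intruder."""
    work = Path(tempfile.mkdtemp())
    tree = work / "tree"
    for rel, data in [("bin/ls", b"ls v1"), ("bin/ps", b"ps v1"),
                      ("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")]:
        (tree / rel).parent.mkdir(parents=True, exist_ok=True)
        (tree / rel).write_bytes(data)
    (work / "baseline.json").write_text(json.dumps(build_baseline(tree)))
    (tree / "bin" / "ls").write_bytes(b"ls v2")   # content changed
    (tree / "etc" / "extra").write_bytes(b"new")  # file added
    (tree / "bin" / "ps").unlink()                # file removed
    return compare(json.loads((work / "baseline.json").read_text()), tree)
```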
• Unfortunately, the system administration team spends much of its time at the beginning of each semester performing mundane administrative tasks such as setting up user accounts. In some cases, penetration teams have compromised a monitored host before the system administration team was even able to install all of its security tools.
• Throughout the past five years, various hardware and software configurations have been installed in the security laboratory. For example, in the 1998 security laboratory, secure hubs were used for physical connectivity to prevent penetration teams from sniffing traffic on the system administration team's network [Marti98].
• The security laboratory changes each year as new system administration teams try different configurations to implement different security solutions. As the security laboratory configuration becomes more complex, it requires more time from the system administration team to set up and manage.
• If you are looking for more details on these attacks, a survey paper on the penetration tests performed during the 1995, 1997, and 1998 security classes was presented at the SANS Network Security 98 Conference and is available in the conference proceedings [Brutch98]. A version of the survey paper is also available online as a technical report from the Department of Computer Science at Texas A&M University [TR98-021].
• If you are planning to start your own laboratory to perform security vulnerability testing and analysis, we recommend that you read Marti, Bourne, and Fish's paper "CPSC 665 Advanced Networking and Security Game Administration Plan" [Marti98] and Bishop and Heberlein's paper "An Isolated Network for Research" [Bishop96].
REFERENCES
• [Bishop96] Bishop, M.; and Heberlein, L. "An Isolated Network for Research", The 19th National Information Systems Security Conference, 1996.
• [Brutch98] Brutch, P.; Brutch, T.; Mitchell, E.; and Pooch, U. "UNIX Penetration Tests: Attempts Performed During A Graduate Security Class at Texas A&M", SANS Network Security 98, Technical Conference Part 1, October 24-31, 1998.
• [Kahn98] Kahn, C. "Using Independent Corroboration to Achieve Compromise Tolerance", 1998 Information Survivability Workshop, October 28-30, 1998.
• [Marti98] Marti, W.; Bourne, J.; and Fish, B. "CPSC 665 Advanced Networking and Security Game Administration Plan", WECS '98, Workshop on Education in Computer Security, 19-21 January 1998.
• [TR98-021] Brutch, P.; Brutch, T.; Mitchell, E.; and Pooch, U. "A Survey of UNIX Penetration Tests Performed During a Graduate Computer Science Class at Texas A&M University", Technical Report 98-021, Department of Computer Science, Texas A&M University, 1 October 1998. Available from http://www.cs.tamu.edu/research.shtml.
RESEARCH FUNDING
• Co-Principal Investigator, IBM "DCE Analysis, Porting, and Monitoring," Contract No. C-MS-92145.
• Initial Contract: $99,000, February 1993
• Add-On 1: $41,000, September 1993 (PO#966CH8Y)
• Add-On 2: $99,000, January 1994 (PO#966CY38)
• Add-On 3: $200,000, July 1994 (CSS070794)
• Co-Principal Investigator, Trident Data Systems Inc. (USAF Subcontract), Contract No. TDS-93-123, "Audit Trail Information Sanitization Project", $50,000, September 1993.
• Project Manager, TEES – Rockwell Space Systems, Project 48390 Support Service Agreement J6X4XWH-450017M, "Dual Use Academic Liaison Program: System Design of a Firewall Decision Support Tool," January 20 – September 27, 1996.
• "Engineering and Technical Services Support (ETSS)," member of TAMU Consortium with BTG (San Antonio) in response to US Air Force Information Warfare Center (AFIWC) BAA, 5-year SETA contract (awarded).
• "Support to CSAP and TASP Programming for Planning, Statistical Analysis, Reporting and Implementation of Information Protection Systems," to BTG (in response to BTG/AFIWC task orders), Co-Principal Investigator, December 9, 1998 ($300,000).
RESEARCH PROPOSALS
• "Anomaly Detection Based on a Moving Window Weighted Composite Session Profile," Co-Principal Investigator, December 1992, USAF Security Command, Kelly, San Antonio, TX, $114,000.
• "Communications Manager Associate," Co-Principal Investigator, December 1992, USAF Security Command, Kelly, San Antonio, TX, $98,000.
• "Access Controlled Personal Computer Networks," Co-Principal Investigator, December 1992, USAF Security Command, Kelly, San Antonio, TX, $100,000.
• "Programming for Tested PC DOS," Co-Principal Investigator, December 1992, USAF Security Command, Kelly, San Antonio, TX, $75,000.
• "Documentation of Recent Network Security Events," Co-Principal Investigator, December 1992, USAF Security Command, Kelly, San Antonio, TX, $60,000.
• "A Simple Public Key System for Telnet and FTP Security," Co-Principal Investigator, December 1992, USAF Security Command, Kelly, San Antonio, TX, $80,000.
• "Computer Intrusion Detection: A Statistically Based System," Co-Principal Investigator, December 1992, USAF Security Command, Kelly, San Antonio, TX, $94,000.
• "Distributed Intrusion Detection and Tracking through Cooperating Security Managers," Principal Investigator, NSA, January 1993, $119,000.
• "Multilevel Secure Windowing Systems," Co-Principal Investigator, USAF Security Command, Kelly, San Antonio, February 1993, $335,000.
• "Cooperating Security Manager (CSM)," Co-Principal Investigator, USAF Security Command, Kelly, San Antonio, February 1993, $380,000.
• "Prototyping Network Security Protocols," National Security Agency, Principal Investigator, January 1994, $196,500.
• "Cooperating Security Managers: Intrusion Detection in a Distributed Environment," Principal Investigator, January 1994, $196,500.
• "System Architecture Research for War Breaker, Intelligence and Planning," Co-Principal Investigator, joint proposal with E-Systems (Greenville Division), ARPA, July 1993.
• "Operational Demonstration in Multi-tiered Crisis Management," Co-Principal Investigator, joint proposal with E-Systems (Greenville Division), ARPA, October 1993.
• Equipment Proposal (E-mass Storage devices) to E-mass, Co-Principal Investigator, November 1993.
• "Audit Trail Information Sanitization Project," Co-Principal Investigator, March 1994, $240,000, USAF via Trident Data Systems.
• "Security and Reliability Issues in Asynchronous Transfer Method (ATM) Switch Protocols," submitted for 1995 ATP ($120,000).
• "Cooperating Security Managers," submitted to E-Systems, Sept. 1995 ($140,000).
• "Security and Reliability Issues in Interfacing ATM to Wideband Systems," submitted to E-Systems, Sept. 1995 ($260,000).
• "Testing, Performance Measurements and Intrusion Detection of Computer and Networked Systems," submitted to EG&G, Nov. 1995 ($100,000).
• "Systems Description Methodology for Design of Survivable Distributed Systems," submitted for ARPA BA 96-03, February 1996 ($1.4 million).
• "Systems Description Methodology for Design of Survivable High Confidence Networks," Co-Principal Investigator, submitted for ARPA BA 97-04 (Management for Survivability), December 1996 ($1,366,000).
• "System Description Methodology for Design of Survivable High Confidence Networks," submitted to DARPA BAA 97-04, Jan. 16, 1997.
• "Internet Security Protocol Development and Analysis," submitted to NSA (Security Management and Infrastructure), Principal Investigator, Spring 1998 ($179,181).
• "Security Characterization of Processes and Programs in a Unix-based Environment," submitted via SecureLogix Corp., San Antonio, TX, to DARPA-SBIR, TEES Proposal # 99-432, Apr. 12, 1999 ($59,400).
• "Active Host-based Defense Using Autonomous Agents," submitted via SecureLogix Corp., San Antonio, TX, to DoD/STTR, TEES Proposal # 99-436, Apr. 14, 1999.
• "Secure Operations in Web-based Videoconferencing," via TEES Proposal # 0332-1999 to ARP ($129,800).
QUESTIONS
• Dr. Udo W. Pooch
• E-Systems Professor
• Office: 502C H. R. Bright Building
• Phone: (409) 845-5498
• Fax: (409) 847-8578
• Email: pooch@cs.tamu.edu