Resilient and Self-healing Systems 1. Towards Lighter-weight (Byzantine) Fault Tolerance
| Content Provider | Semantic Scholar |
|---|---|
| Author | Narasimhan, Priya Maier |
| Copyright Year | 2006 |
| Abstract | In this proposal, we tackle the problem of protecting the Internet routing infrastructure from the perspective of the management plane. Our approach has three components. The first parses existing router configuration files across a network, and models them at an abstract level in terms of relationships between objects and functions. The second mines these relationships to discover security constraints and potential problems in the network. The third monitors changes to router configurations, and detects network-wide security implications. Description of research and goals: The routing infrastructure is a crucial element in the Internet. Unfortunately, CERT/CC has reported that router scanning is active and on the rise. According to CERT/CC, there exist underground lists consisting of thousands of compromised routers being traded as platforms for spamming, DoS attacks and other malicious activities. Since routers are considered trusted entities, their power can be easily exploited when compromised. Considerable effort has poured into securing routing protocols on the control plane; examples include S-BGP, soBGP and Internet Drafts from the rpsec working group in IETF. Recently, researchers have started to look into data plane mechanisms such as secure traceroute to detect misbehaving or faulty routers. The focus of this proposal is on the management plane. Our work aims to protect the routing infrastructure through network-wide modeling, mining and monitoring of router configuration files. Network management is the top problem faced by the networking community today. A complex network can have hundreds or even thousands of heterogeneous routers. The NSA has published a list of useful guidelines to help network operators to harden routers, which include simple things such as shutting down unnecessary httpd services, and more complex ones like setting access control lists. However, there remain a number of problems. 
Current tools for the management plane only control individual routers and do not provide a network-wide perspective. The security of the routing infrastructure rests on the collective configurations of all routers, but it is difficult to understand the network-wide security implications of configuration changes made at a single router. Our project consists of three components: modeling, mining and monitoring. The first component aims to automatically model the security constraints of an existing network through parsing router configuration files. We will develop a graph representation to model the flat, router-specific configuration commands in a hierarchical, vendor-independent manner. We will focus on commands that contribute to security: 1) device and service access control, including access to virtual terminal (vty) and SNMP server which can directly alter a router's behavior, 2) packet filters, such as those applied to a router's incoming and outgoing interfaces, and 3) route filters, specified explicitly by prefix lists and implicitly through other policy means. Our goal is to design a network security graph that links together the relationships between objects and controls, not just on a single router, but across a network over multiple routers. The second component will use the network security graph and do data mining to discover problematic security relationships. For example, let us suppose all routers in a network restrict access to vty from only directly connected networks, except one router. This router allows vty access from a random address in the Internet. This random address would not point to another element in the graph because it is not part of a directly connected network. The last component aims to monitor changes to the router configuration files. It incorporates these changes into the network security graph and evaluates their implications on security constraints. 9. 
Secured SNMP agents (DMZ proxy) in MANET (Raj Rajkumar) No prior work has addressed secure Simple Network Management Protocols (SNMP) in Mobile Networks. SNMP is further hindered in secure contexts such as a DoD environment by enclaves which allow data to go from a lower-security (e.g., secret) to a higher-security (e.g., top-secret) domain but not vice versa. The challenge is to provide a simple network management protocol that can perform adequately in this environment. Further extension into a mobile ad-hoc network instantiation is also desirable. The Simple Network Management Protocol (SNMP) was created in 1988 for human network managers to monitor and administer multiple network devices from different vendors from a single console. It utilizes a manager-agent model that comprises a manager, an agent, a database of management information, managed objects and the network protocol that is used to communicate between the manager and the agent. The manager supplies the interface between the human network manager and the management system. The agent provides the interface between the manager and the physical device(s) being managed (as shown above). Now, consider the following requirements imposed on the above system: 1. Each node serves as a manager or as an agent that can query one another (for current settings, for example), 2. Each node is a member of a mobile ad-hoc network (MANET), and 3. Each node resides within a particular security domain, which may be higher than, equal to or lower than that of another node it is communicating with. In configurations with different levels of security, information can flow from a lower-security domain to a higher-security domain but not vice versa. The first requirement stipulates that requisite support needs to be efficient in nature, since it will likely be replicated on all nodes. The second requirement likely obviates (or at least makes less desirable) the use of centralized architectures. 
The third requirement implies that secure (hierarchical) access control must be utilized. Since information must not be allowed to pass from a higher-security domain to a lower-security domain, information passed between nodes must not be in plaintext, and must be suitably encrypted. For efficiency reasons, symmetric encryption schemes may be preferred. The goal of this effort is to explore a range of techniques at both the managed and manager (server) nodes and in the communication network protocol between the two nodes to support multi-level security. Sandboxing technologies such as virtual machines will also be explored in all nodes. II. User Authentication and Access Control 10. Multi-Modal Biometric Recognition (Marios Savvides and B.V.K. Vijaya Kumar) There is a growing demand for systems that can verify (1:1 matching) and identify (1:N matching) individuals using different biometric signatures such as face images, fingerprints, palmprints and iris patterns. By recognition, we refer to both verification and identification. Over the past three years, we have advanced face recognition (FR) methods significantly with funding from Technology Support Working Group (TSWG), a research funding arm of DHS. In parallel, CyLab has funded our research in iris recognition and in the theory of fusion of information provided by multiple biometric modalities. The main goals of this project are to advance face recognition and iris recognition algorithms to handle large populations, apply the multi-biometric fusion theory to combine face and iris biometrics and to implement these ideas in a prototype to be housed in CyLab in order to showcase the capabilities of the technologies. Face Recognition The US Government has shown a great interest in advancing robust face recognition and iris recognition technologies. 
There are many possible government applications including identifying suspects in surveillance videos, biometrics-based facilitated access cards for frequent travelers and secure access cards for government facilities. In addition to government interest in biometric recognition technologies, commercial sectors (e.g., banking, supermarkets, automobiles, etc.) are increasingly looking at biometric recognition for identifying the subject in applications such as access control, expedited checkout and customized settings for individuals. With the goal of evaluating and advancing face recognition (FR) technology, NIST (supported by many different Government agencies such as ITIC, TSWG, NIJ) has recently organized the Face Recognition Grand Challenge (FRGC) and the Face Recognition Vendor Test (FRVT) to push the academic research community and the face recognition companies to create the next-generation FR algorithms that can handle large-scale databases. One such example is the new FRGC database containing over 50,000 3.1-megapixel images collected under controlled and uncontrolled environments (indoor and outdoor) leading to face images with significant cast shadows due to sharp overhead lighting which also include variations in pose and significant expression changes. The NIST baseline algorithm yields 12% verification rate (VR) at 0.1% false accept rate (FAR), which is too low to be useful. With the goal of increasing the visibility of our biometrics research to the Government and Industry, we have participated in FRGC and FRVT and developed new FR algorithms (e.g., the Kernel Correlation Feature Analysis (KCFA) coupled with Support Vector Machines) that offer enhanced recognition performance. We have improved over the baseline algorithm significantly, leading to the first rank in the FRGC competition, a significant achievement. 
Our early top-ranking results were shown by the FRGC program manager at the September 2005 Biometrics Consortium and more recent top-ranking FR results at a recent NIST Workshop (March 7-8, 2006). While ranking at the top in a national competition is very satisfying, our research, however, indicates that FR is still not ready for real-time applications, needing many improvements to achieve a robust FR system. One of the biggest challenges is scaling of the FR |
| File Format | PDF HTM / HTML |
| Alternate Webpage(s) | http://www.wpeaf.org/CyLab%20Project%20Abstracts%20AY%2006-07%20V1%20(2).pdf |
| Language | English |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Article |