Physical Sciences and Mathematics Commons^™

Security Requirements Engineering-The Reluctant Oxymoron, Michael N. Johnstone

Australian Information Security Management Conference

Security is a focus in many systems that are developed today, yet this aspect of systems development is often relegated when the shipping date for a software product looms. This leads to problems post-implementation in terms of patches required to fix security defects or vulnerabilities. A simplistic answer is that if the code was correct in the first instance, then vulnerabilities would not exist. The reality of a complex software artefact is however, driven by other concerns. Rather than probing programs for coding errors that lead to vulnerabilities, it is perhaps more beneficial to look at the root causes of …

Assessment Of Internationalised Domain Name Homograph Attack Mitigation, Peter Hannay, Christopher Bolan

Australian Information Security Management Conference

With the advent of internationalised domains the threat posed by non-english character sets has eventuated. Whilst this phenomenon remains well known in the development and internet industry the actual implementations of popular applications have been tested to determine their resilience to homograph based attack. The research found that most provided features that overcome such attacks, but there remain a few notable exceptions. Should an attacker take advantage of such oversights a victim would likely not be able to spot a fraudulent site or email and thus provide a perfect platform for subsequent attack.

Information Security Disclosure: A Case Study, I Rosewall, M J. Warren

Australian Information Security Management Conference

New social networking systems such as Facebook are an ever evolving and developing means of social interaction, which is not only being used to disseminate information to family, friends and colleagues but as a way of meeting and interacting with "strangers" through the advent of a large number of social applications. This paper will focus upon the impact of Generation F - the Facebook Generation and their attitudes to security. The paper will be based around discussing the findings of a major UK case study and the implications that this has. The case study identifies 51 recommendations to improve the …

Covert Botnet Design And Defense Analysis, Brandon Lyle Shirley

All Graduate Theses and Dissertations, Spring 1920 to Summer 2023

Intrusion defense system (IDS) development has been largely reactionary in nature. This is especially troubling given that botnets are capable of compromising and controlling thousands of computers before security professionals develop a mitigation technique. As new exploits are created, new mitigation techniques are developed to detect infections and, where possible, remove them. This thesis breaks from this tradition of reacting to malware. Instead, it looks at possible malicious software models through analyzing existing defense systems for exploitable weaknesses.

First, this thesis presents a new specialized botnet that circumvents current network intrusion detection mechanisms. The proposed botnet coordinates external communication among …

A Privacy Framework For Mobile Health And Home-Care Systems, David Kotz, Sasikanth Avancha, Amit Baxi

Dartmouth Scholarship

In this paper, we consider the challenge of preserving patient privacy in the context of mobile healthcare and home-care systems, that is, the use of mobile computing and communications technologies in the delivery of healthcare or the provision of at-home medical care and assisted living. This paper makes three primary contributions. First, we compare existing privacy frameworks, identifying key differences and shortcomings. Second, we identify a privacy framework for mobile healthcare and home-care systems. Third, we extract a set of privacy properties intended for use by those who design systems and applications for mobile healthcare and home-care systems, linking them …

Why It Managers Don't Go For Cyber-Insurance Products, Tridib Bandyopadhyay, Vijay S. Mookerjee, Ram C. Rao

Faculty and Research Publications

Despite positive expectations, cyber-insurance products have failed to take center stage in the management of IT security risk. Market inexperience, leading to conservatism in pricing cyber-insurance instruments, is often cited as the primary reason for the limited growth of the cyber-insurance market. In contrast, here we provide a demand-side explanation for why cyber-insurance products have not lived up to their initial expectations. We highlight the presence of information asymmetry between customers and providers, showing how it leads to overpricing cyber-insurance contracts and helps explain why cyber insurance might have failed to deliver its promise as a cornerstone of IT security-management …

A Study Of Content Authentication In Proxy-Enabled Multimedia Delivery Systems: Model, Techniques, And Applications, Robert H. Deng, Yanjiang Yang

Research Collection School Of Computing and Information Systems

Compared with the direct server-user approach, the server-proxy-user architecture for multimedia delivery promises significantly improved system scalability. The introduction of the intermediary transcoding proxies between content servers and end users in this architecture, however, brings unprecedented challenges to content security. In this article, we present a systematic study on the end-to-end content authentication problem in the server-proxy-user context, where intermediary proxies transcode multimedia content dynamically. We present a formal model for the authentication problem, propose a concrete construction for authenticating generic data modality and formally prove its security. We then apply the generic construction to authenticating specific multimedia formats, for …

Kiwivault: Encryption Software For Portable Storage Devices, Trevor Bradshaw Florence

Theses and Dissertations

While many people use USB flash drives, most do not protect their stored documents. Solutions for protecting flash drives exist but inherently limit functionality found in unprotected drives such as portability, usability, and the ability to share documents between multiple people. In addition, other drawbacks are introduced such as the possibility of losing access to protected documents if a password is lost. Assuming protecting portable documents is important, in order for people to be willing to protect their documents they should be required to make as few sacrifices in functionality as possible. We introduce KiwiVault, a USB flash drive encryption …

Wireless Networks: Improved Secure Network Authentication Protocol (Isnap) For Ieee 802.16, Raheel M. Hashmi, Arooj M. Siddiqui, M. Jabeen, K. Shehzad, A. Zubair, K. S. Alimgeer

International Conference on Information and Communication Technologies

Security is amongst one of the major issues in broadband wireless access (BWA) networks. After the launch of the IEEE 802.16 standard (WiMAX), a number of security issues were reported in several articles. Ever since the beginning, work has been in progress for the neutralization of these identified threats. In this paper, the analysis of the authentication protocols implemented in WiMAX has been presented along with the description of the threats posed to them. The paper also describes security sub-layer and limitations of the existing architecture. An approach has also been presented for the prevention of these threats like the …

Dartmouth Internet Security Testbed (Dist): Building A Campus-Wide Wireless Testbed, Sergey Bratus, David Kotz, Keren Tan, William Taylor, Anna Shubina, Bennet Vance, Michael E. Locasto

Dartmouth Scholarship

We describe our experiences in deploying a campus-wide wireless security testbed. The testbed gives us the capability to monitor security-related aspects of the 802.11 MAC layer in over 200 diverse campus locations. We describe both the technical and the social challenges of designing, building, and deploying such a system, which, to the best of our knowledge, is the largest such testbed in academia (with the UCSD's Jigsaw infrastructure a close competitor). In this paper we focus on the \em testbed setup, rather than on the experimental data and results.

Data For Cybersecurity Research: Process And ‘Wish List’, Jean Camp, Lorrie Cranor, Nick Feamster, Joan Feigenbaum, Stephanie Forrest, David Kotz, Wenke Lee, Patrick Lincoln, Vern Paxson, Mike Reiter, Ron Rivest, William Sanders, Stefan Savage, Sean Smith, Eugene Spafford, Sal Stolfo

Other Faculty Materials

This document identifies data needs of the security research community. This document is in response to a request for a “data wish list”. Because specific data needs will evolve in conjunction with evolving threats and research problems, we augment the wish list with commentary about some of the broader issues for data usage.

Routing In The Dark: Pitch Black, Nathan S. Evans

Electronic Theses and Dissertations

In many networks, such as mobile ad-hoc networks and friend-to-friend overlay networks, direct communication between nodes is limited to specific neighbors. Friendto-friend “darknet” networks have been shown to commonly have a small-world topology; while short paths exist between any pair of nodes in small-world networks, it is non-trivial to determine such paths with a distributed algorithm. Recently, Clarke and Sandberg proposed the first decentralized routing algorithm that achieves efficient routing in such small-world networks.

Herein this thesis we discuss the first independent security analysis of Clarke and Sandberg’s routing algorithm. We show that a relatively weak participating adversary can render …

State Of Secure Application Development For 802.15.4, Janell Armstrong

Theses and Dissertations

A wireless sensor network consists of small, limited-resource embedded systems exchanging environment data and activating controls. These networks can be deployed in hostile environments to monitor wildlife habitats, implemented in factories to locate mobile equipment, and installed in home environments to optimize the use of utilities. Each of these scenarios requires network security to protect the network data. The IEEE 802.15.4 standard is designed for WSN communication, yet the standard states that it is not responsible for defining the initialization, distribution, updating, or management of network public keys. Individuals seeking to research security topics will find that there are many …

Beyond Output Voting: Detecting Compromised Replicas Using Hmm-Based Behavioral Distance, Debin Gao, Michael K. Reiter, Dawn Song

Research Collection School Of Computing and Information Systems

Many host-based anomaly detection techniques have been proposed to detect code-injection attacks on servers. The vast majority, however, are susceptible to "mimicry" attacks in which the injected code masquerades as the original server software, including returning the correct service responses, while conducting its attack. "Behavioral distance," by which two diverse replicas processing the same inputs are continually monitored to detect divergence in their low-level (system-call) behaviors and hence potentially the compromise of one of them, has been proposed for detecting mimicry attacks. In this paper, we present a novel approach to behavioral distance measurement using a new type of hidden …

The Not So Smart, Smart Grid: Potential Security Risks Associated With Thedeployment Of Smart Grid Technologies, Craig Valli

Australian Digital Forensics Conference

The electricity grid has been up until now a relatively stable artifice of modern industrialized nations. The power grids are the most widespread wired networks in the world. They are heavily regulated and standardized to protect the integrity, stability and reliability of supply. The grids have been essentially closed systems, this is now rapidly changing with the introduction of the network enabled smart meter. These meters are “web” accessible, connect and interact directly with electrical appliances in domiciles and businesses. This move now brings a range of extreme risks and complexities into these stable networks. This paper explores the security …

Generalized Neuron Based Secure Media Access Control Protocol For Wireless Sensor Networks, Raghavendra V. Kulkarni, Ganesh K. Venayagamoorthy, Abhishek V. Thakur, Sanjay Kumar Madria

Electrical and Computer Engineering Faculty Research & Creative Works

Security plays a pivotal role in most applications of wireless sensor networks. It is common to find inadequately secure networks confined only to controlled environments. The issue of security in wireless sensor networks is a hot research topic for over a decade. This paper presents a compact generalized neuron (GN) based medium access protocol that renders a CSMA/CD network secure against denial-of-service attacks launched by adversaries. The GN enhances the security by constantly monitoring multiple parameters that reflect the possibility that an attack is launched by an adversary. Particle swarm optimization, a popular bio-inspired evolutionary-like optimization algorithm is used for …

Security Decay: An Entropic Approach To Definition And Understanding, Michael Coole, David J. Brooks

Australian Security and Intelligence Conference

This article discusses the affect decay has within a systems approach used when implementing security strategies, in particular, the theory of defence in depth. Defence in depth is implemented within a risk management framework to reduce an organisation’s identified risks, which could lead to undesirable and unacceptable consequences. Defence in depth aims to link layered security elements into a system to ensure a holistic and functional security system, underpinned by the functions of; deter, detect, delay, response and recovery. For such a system to be commissioned and maintain its commissioning effectiveness, these functions must be performed in their sequential order …

Opportunistic Sensing: Security Challenges For The New Paradigm, Apu Kapadia, David Kotz, Nikos Triandopoulos

Dartmouth Scholarship

We study the security challenges that arise in Opportunistic people-centric sensing, a new sensing paradigm leveraging humans as part of the sensing infrastructure. Most prior sensor-network research has focused on collecting and processing environmental data using a static topology and an application-aware infrastructure, whereas opportunistic sensing involves collecting, storing, processing and fusing large volumes of data related to everyday human activities. This highly dynamic and mobile setting, where humans are the central focus, presents new challenges for information security, because data originates from sensors carried by people— not tiny sensors thrown in the forest or attached to animals. In this …

Beyond K-Anonymity: A Decision Theoretic Framework For Assessing Privacy Risk, Guy Lebanon, Monica Scannapieco, Mohamed Fouad, Elisa Bertino

Cyber Center Publications

An important issue any organization or individual has to face when managing data containing sensitive information, is the risk that can be incurred when releasing such data. Even though data may be sanitized before being released, it is still possible for an adversary to reconstruct the original data using additional information thus resulting in privacy violations. To date, however, a systematic approach to quantify such risks is not available. In this paper we develop a framework, based on statistical decision theory, that assesses the relationship between the disclosed data and the resulting privacy risk. We model the problem of deciding …