CERIAS Weekly Security Seminar - Purdue University

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, case studies or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Judy Hochberg, Automatic identification of classified documents | File Type: video/mp4 | Duration: 3642

How can one automatically identify classified documents? This is a vital question for the Department of Energy (DOE), which is reviewing millions of classified documents for possible declassification, and for Los Alamos National Laboratory (LANL), which is checking its unclassified computing storage systems for the presence of classified documents. The DOE, having already developed an expert rule system for automatic document classification, provided LANL with a small set of documents with which to explore a statistical classifier as an alternative. We represented documents as vectors of character trigram frequencies, used a chi-square statistic to select the optimal trigrams, and trained a linear classifier to distinguish classified and unclassified documents. Results ranged from 60% to 87% accuracy, depending on the training set size and other variables. In contrast, the LANL effort started "from scratch" and needed to be moved rapidly into large-scale production. We implemented an expert system tailored to the classified documents of most concern to LANL. The talk will discuss the practical issues that arose in canvassing large amounts of files in a variety of formats, and the security issues involved in the sampling, analysis, and notification processes. About the speaker: Judy Hochberg is a staff scientist at Los Alamos National Laboratory. She received a B.A. in linguistics from Harvard and a Ph.D. in linguistics from Stanford. Before joining the Laboratory in 1989, she was a post-doctoral researcher at the University of Chicago, then a visiting Assistant Professor at Northwestern University. She has published in journals including Computers and Security, IEEE Transactions in Pattern Analysis and Machine Intelligence, and Language. She has been an R&D 100 award winner and a national finalist in the Johns Hopkins National Search for Computing to Assist Persons with Disabilities. 
Judy is interested in all manifestations of human language, including document analysis -- text and images -- and speech.

 Judy Hochberg, "Automatic identification of classified documents" | File Type: video/mp4 | Duration: Unknown

How can one automatically identify classified documents? This is a vital question for the Department of Energy (DOE), which is reviewing millions of classified documents for possible declassification, and for Los Alamos National Laboratory (LANL), which is checking its unclassified computing storage systems for the presence of classified documents. The DOE, having already developed an expert rule system for automatic document classification, provided LANL with a small set of documents with which to explore a statistical classifier as an alternative. We represented documents as vectors of character trigram frequencies, used a chi-square statistic to select the optimal trigrams, and trained a linear classifier to distinguish classified and unclassified documents. Results ranged from 60% to 87% accuracy, depending on the training set size and other variables. In contrast, the LANL effort started "from scratch" and needed to be moved rapidly into large-scale production. We implemented an expert system tailored to the classified documents of most concern to LANL. The talk will discuss the practical issues that arose in canvassing large amounts of files in a variety of formats, and the security issues involved in the sampling, analysis, and notification processes.

 Clay Shields, Tracing Denial-of-Service Attacks; or why we may never know who attacked Yahoo et. al. | File Type: video/mp4 | Duration: 3569

The recent spate of attacks against Yahoo and other sites with large on-line presences brought denial-of-service attacks into the public consciousness. The methods used in these attacks make it very difficult, if not impossible, to locate the source of the attacks. The problem lies not only in finding the particular computers used to launch the attacks, but also in finding the individuals controlling those computers. I will discuss the attacks that occurred, why it is so difficult to track the intruders, research work that attempts to make it possible to do so, and open research problems in the area. CERIAS has on-going work related to the problem of tracking intruders across the Internet, and I expect this to be an evolving and interesting area of research in the future. About the speaker: Clay was born in Washington, D.C., and spent much of his childhood living overseas as required by the career of his stepfather, who was a covert agent for the CIA. Clay got an undergraduate degree in electrical engineering from the University of Virginia, and after a year as a computer programmer on Capitol Hill, joined the U.S. Army. As an infantry officer with the 101st Airborne Division, Clay served overseas with the peace-keeping force in the Sinai Peninsula, earning a commendation for liaison work with the Egyptian and Israeli military. Because sitting in a muddy foxhole with a rifle was not intellectually challenging enough, Clay left the Army to return to graduate school. He attended the University of California at Santa Cruz, and for his dissertation he studied computer networking, particularly multicast routing and network security issues. With the ink not yet dry on his PhD, Clay took a job as an assistant professor in computer science at Purdue University, not so much for easy access to corn, but to be associated with CERIAS and to continue his research into network security.
Clay is particularly interested in finding ways to exploit existing protocols, in designing secure protocols and in finding ways to keep careful track of what is happening in a network while maintaining user privacy and anonymity.

 Clay Shields, "Tracing Denial-of-Service Attacks; or why we may never know who attacked Yahoo et. al." | File Type: video/mp4 | Duration: Unknown

The recent spate of attacks against Yahoo and other sites with large on-line presences brought denial-of-service attacks into the public consciousness. The methods used in these attacks make it very difficult, if not impossible, to locate the source of the attacks. The problem lies not only in finding the particular computers used to launch the attacks, but also in finding the individuals controlling those computers. I will discuss the attacks that occurred, why it is so difficult to track the intruders, research work that attempts to make it possible to do so, and open research problems in the area. CERIAS has on-going work related to the problem of tracking intruders across the Internet, and I expect this to be an evolving and interesting area of research in the future.

 Gerald Thomas, Commercial High-Resolution Satellite Imagery Polic | File Type: video/mp4 | Duration: 3195

In October of 1999, Denver-based Space Imaging launched the world's first very-high-resolution commercial satellite, IKONOS 2, into polar orbit around the earth. For the first time in history, sub-1 meter near real time digital imagery is now available for virtually the entire globe to anyone with a credit card and access to the internet. This talk will explore: (1) the policy history around the US government's decision to let this technology "go commercial," (2) the status of current US remote sensing policy and some remaining policy issues that still need to be addressed, and (3) the potential implications of this information revolution for national security, law enforcement, privacy, and several other issues. About the speaker: Dr. Gerald Thomas is an assistant professor of political science at Purdue University where he teaches and does research in the area of public policy. His current research interests focus at the intersection of environmental policy and science and technology policy. He has published on the topics of environmental security, US national security policy, and US space policy.

 Gerald Thomas, "Commercial High-Resolution Satellite Imagery Polic" | File Type: video/mp4 | Duration: Unknown

In October of 1999, Denver-based Space Imaging launched the world's first very-high-resolution commercial satellite, IKONOS 2, into polar orbit around the earth. For the first time in history, sub-1 meter near real time digital imagery is now available for virtually the entire globe to anyone with a credit card and access to the internet. This talk will explore: (1) the policy history around the US government's decision to let this technology "go commercial," (2) the status of current US remote sensing policy and some remaining policy issues that still need to be addressed, and (3) the potential implications of this information revolution for national security, law enforcement, privacy, and several other issues.

 Victor Raskin, "NLP for IAS: Overview and Implementations" | File Type: video/mp4 | Duration: Unknown

This paper explores a promising interface between natural language processing (NLP) and information assurance and security (IAS). More specifically, it is devoted to possible applications of the accumulated considerable resources in NLP to IAS. The paper is of a mixed theoretical and empirical nature. Of the four possible venues of applications, (i) memorizing randomly generated passwords with the help of automatically generated funny jingles, (ii) natural language watermarking, (iii) using the available machine translation (MT) systems for (additional) encryption of text messages, and (iv) downgrading, or sanitizing, classified information in networks, two venues, (i) and (iv), have been at least partially implemented, and the remaining two, (ii) and (iii), are being implemented to the proof-of-concept level. We feel that it is important, however, even at this early stage, to review for the information security community what NLP can do for it and to invite feedback and further efforts and ideas in this direction.

 Victor Raskin, NLP for IAS: Overview and Implementations | File Type: video/mp4 | Duration: 2996

This paper explores a promising interface between natural language processing (NLP) and information assurance and security (IAS). More specifically, it is devoted to possible applications of the accumulated considerable resources in NLP to IAS. The paper is of a mixed theoretical and empirical nature. Of the four possible venues of applications, (i) memorizing randomly generated passwords with the help of automatically generated funny jingles, (ii) natural language watermarking, (iii) using the available machine translation (MT) systems for (additional) encryption of text messages, and (iv) downgrading, or sanitizing, classified information in networks, two venues, (i) and (iv), have been at least partially implemented, and the remaining two, (ii) and (iii), are being implemented to the proof-of-concept level. We feel that it is important, however, even at this early stage, to review for the information security community what NLP can do for it and to invite feedback and further efforts and ideas in this direction. About the speaker: Victor Raskin founded the Interdepartmental Program in Linguistics at Purdue and chaired it in 1979-99. He also founded the Natural Language Processing (NLP) Laboratory at Purdue in 1986 and has coordinated it ever since. He is the author of 16 books and close to 200 articles on natural language processing (computational linguistics), linguistic and semantic theory, philosophy of language and science, and various applications of linguistics and computational linguistics to adjacent areas, including to information security. Together with Sergei Nirenburg, Director, Computing Research Laboratory, New Mexico State University, he has developed a ground-breaking ontological semantic approach to NLP that, for the first time, provides near-comprehensive semantic capabilities to NLP systems and thus ensures their accuracy. 
He has been a PI, co-PI, and PI-level consultant for a large number of NLP research grants since 1966 in his native Russia, Israel, and this country, most recently on the interface of NLP and information security. Professor Raskin has served on the CERIAS Internal Advisory Board since its inception. The presentation is based on joint research with Mikhail J. Atallah, Craig J. McDonough, and Sergei Nirenburg.

 Gene Kim, "Open Source Issues and Opportunities for Tripwire" | File Type: video/mp4 | Duration: Unknown

Tripwire has a long history of openly available source, having been created at Purdue University in 1992 as a publicly available security tool. It has been created into an industrial strength tool, and has been successful in protecting critical enterprise processes in business and government. One of the decisions we made was to use a conventional shrink-wrapped software model -- in other words, source code was no longer readily available to the public. Without question, this has been a smooth and successful transition. Tripwire v2.0 provided a variety of additional compelling features so that customers have embraced the new product. However, there were some things that happened along the way that didn't quite go as planned. And some things were just downright surprising. This presentation will address some of the consequences of having a closed source product, and describe some issues in considerable detail. Then, possible "open source" opportunities will be presented, with all sorts of benefits discussed, evaluated, and some discarded. Some perceived dangers are mulled over, and also evaluated. Audience participation will be encouraged.

 Gene Kim, Open Source Issues and Opportunities for Tripwire | File Type: video/mp4 | Duration: 3486

Tripwire has a long history of openly available source, having been created at Purdue University in 1992 as a publicly available security tool. It has been created into an industrial strength tool, and has been successful in protecting critical enterprise processes in business and government. One of the decisions we made was to use a conventional shrink-wrapped software model -- in other words, source code was no longer readily available to the public. Without question, this has been a smooth and successful transition. Tripwire v2.0 provided a variety of additional compelling features so that customers have embraced the new product. However, there were some things that happened along the way that didn't quite go as planned. And some things were just downright surprising. This presentation will address some of the consequences of having a closed source product, and describe some issues in considerable detail. Then, possible "open source" opportunities will be presented, with all sorts of benefits discussed, evaluated, and some discarded. Some perceived dangers are mulled over, and also evaluated. Audience participation will be encouraged. About the speaker: Gene Kim is the chief technology officer and co-founder of Tripwire(tm), Inc. In 1992 at Purdue University, he co-authored the Tripwire file integrity assessment software with Dr. Gene Spafford. Kim is widely published on computer security, operating systems and networking in Usenet, ACM and IEEE publications and is a frequent speaker at industry conferences. He holds an M.S. in computer science from University of Arizona and a B.S. in computer sciences from Purdue University.

 Wenliang Du & Mahesh Tripunitara, "Security Relevancy Analysis on the Registry of Windows NT 4.0 (for Wenliang Du)" | File Type: video/mp4 | Duration: Unknown

Many security breaches are caused by inappropriate inputs crafted by people with malicious intent. To enhance system security, we need either to ensure that inappropriate inputs are filtered out by the program, or to ensure that only trusted people can access those inputs. In the second approach, we sure do not want to put such a constraint on every input; instead, we only want to restrict access to the security relevant inputs. The goal of this paper is to investigate how to identify which inputs are relevant to a system's security. We have formulated the problem as a security relevancy problem, and deploy a static analysis technique to identify security relevant inputs. Our approach is based on a dependency analysis technique; it identifies if the behavior of any security critical action depends on certain input. If such a dependency relationship exists, we say that the input is security relevant; otherwise, we say the input is security non-relevant. We have applied this technique to a security analysis project initiated by the Microsoft Windows NT security group. The project is intended to identify security relevant registry keys (a special kind of input) in the Windows NT operating system. The results produced from this approach have proved to be useful to enhance Windows NT security. We will report our experience and results from this project in the paper.

Thwarting Denial of Service Attacks against Communication Protocols with Backward Compatible Changes: A Case Study (for Mahesh Tripunitara)

We will discuss a novel approach to building safeguards against denial of service attacks against communication protocols. Our approach involves changes to the relevant communication protocol subject to the following constraint: the protocol that results from the change must be backward compatible with the unchanged protocol. That is, an entity that employs the changed protocol must be able to communicate with an entity that employs the unchanged version. We will look at a specific problem in this context. The problem involves a class of denial of service attacks against IP. The class is called ARP (Address Resolution Protocol) cache poisoning and involves an attacker introducing a spurious IP to Ethernet mapping in a victim's ARP cache. We will discuss the solution and some implementation aspects of it. Apart from being backward compatible, our solution has two favourable properties: it is implemented as middleware, and is asynchronous.

 Mahesh Tripunitara, "Thwarting Denial of Service Attacks against Communication Protocols with Backward Compatible Changes: A Case Study" | File Type: video/mp4 | Duration: Unknown

We will discuss a novel approach to building safeguards against denial of service attacks against communication protocols. Our approach involves changes to the relevant communication protocol subject to the following constraint: the protocol that results from the change must be backward compatible with the unchanged protocol. That is, an entity that employs the changed protocol must be able to communicate with an entity that employs the unchanged version. We will look at a specific problem in this context. The problem involves a class of denial of service attacks against IP. The class is called ARP (Address Resolution Protocol) cache poisoning and involves an attacker introducing a spurious IP to Ethernet mapping in a victim's ARP cache. We will discuss the solution and some implementation aspects of it. Apart from being backward compatible, our solution has two favourable properties: it is implemented as middleware, and is asynchronous.

 Mahesh Tripunitara, Thwarting Denial of Service Attacks against Communication Protocols with Backward Compatible Changes: A Case Study | File Type: video/mp4 | Duration: 3592

We will discuss a novel approach to building safeguards against denial of service attacks against communication protocols. Our approach involves changes to the relevant communication protocol subject to the following constraint: the protocol that results from the change must be backward compatible with the unchanged protocol. That is, an entity that employs the changed protocol must be able to communicate with an entity that employs the unchanged version. We will look at a specific problem in this context. The problem involves a class of denial of service attacks against IP. The class is called ARP (Address Resolution Protocol) cache poisoning and involves an attacker introducing a spurious IP to Ethernet mapping in a victim's ARP cache. We will discuss the solution and some implementation aspects of it. Apart from being backward compatible, our solution has two favourable properties: it is implemented as middleware, and is asynchronous. About the speaker: Mahesh Tripunitara is a PhD student of computer science at Purdue, a member of CERIAS and an advisee of Prof. Gene Spafford. At dawn, he commutes 85 miles to campus, during the day, he dreams of graduation, and during the night he snoozes at his desk. He performed part of this work during a 9-month exile at AT&T Labs, 2500 miles away. Portions of this work will be presented at the upcoming Annual Computer Security Applications Conference (ACSAC'99).

 Donn Parker, "Information Security, a Folk Art in Need of an Upgrade" | File Type: video/mp4 | Duration: Unknown

Information security is an inarticulate, incoherent, incomplete, incorrect folk art attempting to preserve confidentiality, integrity, and availability (CIA) of information from destruction, disclosure, use, and modification (DDUM). This CIA/DDUM framework is the equivalent of alchemy in the middle ages when the elements consisted of fire, water, earth, and air. We must have security based on a coherent and complete framework model for stopping irrational cybercriminals. We must replace security risk reduction, an unmeasurable negative goal, with achieving standards of due care consistent with the new view of security as an enabling function.

 Donn Parker, Information Security, a Folk Art in Need of an Upgrade | File Type: video/mp4 | Duration: 4111

Information security is an inarticulate, incoherent, incomplete, incorrect folk art attempting to preserve confidentiality, integrity, and availability (CIA) of information from destruction, disclosure, use, and modification (DDUM). This CIA/DDUM framework is the equivalent of alchemy in the middle ages when the elements consisted of fire, water, earth, and air. We must have security based on a coherent and complete framework model for stopping irrational cybercriminals. We must replace security risk reduction, an unmeasurable negative goal, with achieving standards of due care consistent with the new view of security as an enabling function. About the speaker: Donn B. Parker (1929-2021), an emeritus senior consultant at SRI Consulting, has spent 30 of his 47 years in the computer field doing research on computer crime, and consulting, writing, and lecturing on information security. He is the founder at SRI of I-4 serving more than 75 of the largest multinational corporations in their security for 14 years. He has written six books. His newest book, "Fighting Computer Crime: A New Framework for Protecting Information," (Wiley, 1998) is an international best seller. He received the ISSA Individual Achievement Award, the United States National Computer Systems Security Award, the Aerospace Computer Security Distinguished Lecturer Award, and the MIS Infosecurity Magazine Lifetime Achievement Award. In September 1999, The Information Security Magazine profiled him as a pioneer in information security.
