SECURITY BASED RESEARCH IN CS DEPARTMENT - PowerPoint PPT Presentation

About This Presentation
Title:

SECURITY BASED RESEARCH IN CS DEPARTMENT

Description:

'Documentation of Recent Network Security Events,' Co-Principal Investigator, ... 'Audit Trail Information Sanitization Project,' Co-Principal Investigator, March ... – PowerPoint PPT presentation

Slides: 39
Provided by: scie226

Transcript and Presenter's Notes



1
SECURITY BASED RESEARCH IN CS DEPARTMENT
  • TEXAS A&M UNIVERSITY

2
Intrusion Detection
  • Greg White (August 1995) "Cooperating Security
    Managers Intrusion Detection in a Distributed
    Environment"
  • Daniel J. Ragsdale (2001) "Adaptive Intrusion
    Detection"
  • Jeffrey Humphries (2001) "Secure Mobile Agents

3
Intrusion Detection and Response
  • Curtis A. Carver, Jr. (2001) "Adaptive
    Agent-Based Intrusion Response"
  • One currently working Ph.D. student

4
Intrusion Damage Assessment and Recovery
  • Eric Fisch (Apr. 1996) "Intrusive Damage Control
    and Assessment Techniques."

5
Security Issues in Mobile Network
  • Paul Brutch (May 2001) "Evaluation and Analysis
    System for Intranet Access Control."
  • Tasneem Gandapur Brutch (May 2001) "Mutual
    Authentication, Confidentiality, and Key
    Management in Mobile Wireless Systems."
  • 4 currently working Ph.D. students

6
Miscellaneous Topics
  • N. Abrol (May 1996) "Security Vulnerabilities in
    the User Network Interface (UNI 3.1) Signaling
    Protocol."
  • Tamara Collins (August 2000) "An Efficient Public
    Key Infrastructure Revocation Mechanism"
  • Charles Cropper (August 2000) "Risk Assessment of
    Selected Commercial Firewall Software"
  • 4 currently working Ph.D. students

7
Advanced Networking and Security (CPSC 665)
(started 1992)
  • A graduate-level computer security course is
    offered in the Department of Computer Science at
    Texas A&M University. As part of this course,
    students participate in a hands-on security
    laboratory during which they perform informal
    penetration tests against a network of machines.

8
Advanced Networking and Security
  • The goal of the penetration teams is to
    compromise a machine, managed and monitored by
    the system administration team, without being
    detected or traced.

9
Advanced Networking and Security
  • Once the penetration teams have compromised a
    UNIX host by acquiring superuser privilege, they
    need to hide this activity from the system
    administration team and to maintain superuser
    privilege in the future.

10
Advanced Networking and Security
  • The Network Security "Sandbox" is a fully
    contained facility where different network and
    system security environments and tools may be
    taught and attack/defend labs conducted without
    affecting outside systems.

11
Advanced Networking and Security
  • The graduate computer security course was started
    in the summer of 1992 by Dr. Udo Pooch. Including
    the Spring 2001 semester, Dr. Pooch has taught
    this course to over 200 students at Texas A&M
    University. The course is a mixture of formal
    classroom instruction on computer and network
    security principles, and a hands-on security
    laboratory. As part of the security laboratory,
    students are divided into multiple penetration
    teams and a single system administration team.

12
Advanced Networking and Security
  • Each penetration team is given superuser access
    to a Linux machine which resides on a private
    network. The penetration teams have complete
    control over their assigned Linux machine, and the
    system administration team is not normally
    allowed to venture onto the penetration teams'
    network.

13
Advanced Networking and Security
  • The system administration team manages machines
    on a separate network, and these two networks are
    connected via a router. The system administration
    team's network consists of a number of Sun
    Workstations running Solaris 2.5.1 and one NT 4.0
    machine.

14
Advanced Networking and Security
  • The goal of the penetration teams is to
    compromise a machine managed and monitored by the
    system administration team. The penetration teams
    are allowed to make almost any type of attack as
    long as their activity remains within the domain
    of the security laboratory.

15
Advanced Networking and Security
  • The penetration teams have accounts on their own
    Linux machines, and separate user accounts on
    some of the system administration team's
    machines. Therefore, the penetration teams can
    conduct attacks as inside intruders and simulate
    remote attacks from the Internet.

16
Advanced Networking and Security
  • The system administration team also provides one
    Sun Workstation running Solaris 2.5.1, without
    any security patches, for use as a training
    machine by the penetration teams. Although this
    training machine resides on the system
    administration team's network, it is not trusted
    by any of the other machines and it is not
    monitored by the system administration team.

17
Advanced Networking and Security
  • Penetration teams have successfully launched
    attacks from this training machine to compromise
    more secure hosts on the system administration
    team's network.

18
Advanced Networking and Security
  • The goal of the system administration team is to
    detect and trace all unauthorized access for the
    machines that they manage and monitor. The system
    administration team makes every effort to ensure
    that the systems they monitor are secure.

19
Advanced Networking and Security
  • Ideally, the system administration team should:
    install the latest vendor security patches;
    perform vulnerability scanning by running the
    Tiger scripts by Doug Schales; install TCP Wrapper
    by Wietse Venema to monitor and filter incoming
    requests for certain network services; run Crack
    by Alec Muffett against the password file; enable
    remote logging via the syslog facility; and run
    Tripwire by Gene Kim and Eugene Spafford to
    perform system integrity checking.
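The last item on that list, integrity checking, is the one that catches a trojaned binary after the fact. The following is an added example, not code from the presentation or from Tripwire: a minimal Tripwire-style checker in Python that records a baseline of permission bits and SHA-256 digests for every file under a directory and then reports added, removed and changed paths. The sample file tree, its contents and the fingerprint layout are all constructed assumptions of this example.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Fingerprint per file: (permission bits, sha256 of content). A size-only
# check would miss a same-length replacement; the content hash catches it.
Record = Tuple[int, str]

def fingerprint(path: str) -> Record:
    st = os.lstat(path)
    data = open(path, "rb").read() if stat.S_ISREG(st.st_mode) else b""
    return (stat.S_IMODE(st.st_mode), hashlib.sha256(data).hexdigest())

def build_baseline(root: str) -> Dict[str, Record]:
    """Walk the tree and fingerprint every file: the trusted baseline."""
    baseline: Dict[str, Record] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def verify(root: str, baseline: Dict[str, Record]) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline; a clean host yields three empty lists."""
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["changed"].append(rel)
    return report

def demo() -> Dict[str, List[str]]:
    """Constructed sample tree standing in for a monitored host; returns the report."""
    def write(root: str, rel: str, data: bytes, mode: str = "wb") -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, mode) as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", b"original login binary")
        write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)
        # What the monitoring team should catch: a same-size binary replacement,
        # an extra account appended to passwd, and a new hidden file.
        write(root, "bin/login", b"trojaned login binary")
        write(root, "etc/passwd", b"extra:x:0:0::/:/bin/sh\n", "ab")
        write(root, "tmp/.hidden", b"")
        return verify(root, baseline)
```

In practice the baseline must be stored off the monitored host (or on read-only media), since an intruder with superuser privilege can otherwise rewrite it to match the altered files.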

20
Advanced Networking and Security
  • Unfortunately, the system administration team
    spends much of their time in the beginning of each
    semester performing mundane administrative tasks
    such as setting up user accounts. In some cases,
    penetration teams have compromised a monitored
    host before the system administration team was
    even able to install all of their security tools.

21
Advanced Networking and Security
  • Throughout the past five years, various hardware
    and software configurations were installed in the
    security laboratory. For example, in the 1998
    security laboratory, secure hubs were used for
    physical connectivity to prevent penetration
    teams from sniffing traffic on the system
    administration team's network [Marti98].

22
Advanced Networking and Security
  • The security laboratory changes each year as new
    system administration teams try different
    configurations to implement different security
    solutions. As the security laboratory
    configuration becomes more complex, it requires
    more time from the system administration team to
    set up and manage.

23
Advanced Networking and Security
  • If you are looking for more details on these
    attacks, a survey paper on the penetration tests
    performed during the 1995, 1997, and 1998
    security classes was presented at the SANS
    Network Security 98 Conference and is available
    in the conference proceedings [Brutch98]. A
    version of the survey paper is also available
    on-line as a technical report from the Department
    of Computer Science at Texas A&M University
    [TR98-021].

24
Advanced Networking and Security
  • If you are planning on starting your own
    laboratory to perform security vulnerability
    testing and analysis, we recommend that you read
    Marti, Bourne, and Fish's paper "CPSC 665 Advanced
    Networking and Security Game Administration Plan"
    [Marti98] and Bishop and Heberlein's paper "An
    Isolated Network for Research" [Bishop96].

25
REFERENCES
  • [Bishop96] Bishop, M. and Heberlein, L. "An
    Isolated Network for Research", The 19th National
    Information Systems Security Conference, 1996.
  • [Brutch98] Brutch, P., Brutch, T., Mitchell, E.
    and Pooch, U. "UNIX Penetration Tests Attempts
    Performed During A Graduate Security Class at
    Texas A&M", SANS Network Security 98, Technical
    Conference Part 1, October 24-31, 1998.
  • [Kahn98] Kahn, C. "Using Independent
    Corroboration to Achieve Compromise Tolerance",
    1998 Information Survivability Workshop, October
    28-30, 1998.
  • [Marti98] Marti, W., Bourne, J. and Fish, B.
    "CPSC 665 Advanced Networking and Security Game
    Administration Plan", WECS '98, Workshop on
    Education in Computer Security, 19-21 January
    1998.
  • [TR98-021] Brutch, P., Brutch, T., Mitchell, E.
    and Pooch, U. "A Survey of UNIX Penetration Tests
    Performed During a Graduate Computer Science
    Class at Texas A&M University", Technical Report
    98-021, Department of Computer Science, Texas A&M
    University, 1 October 1998. Available from
    http://www.cs.tamu.edu/research.shtml.

26
RESEARCH FUNDING
  • Co-Principal Investigator, IBM "DCE Analysis,
    Porting, and Monitoring," Contract No. C-MS-92145.
  • Initial Contract 99,000, February 1993
  • Add-On 1 41,000, September 93 (PO966CH8Y)
  • Add-On 2 99,000, January 1994 (PO966CY38)
  • Add-On 3 200,000, July 1994 (CSS070794)

27
RESEARCH FUNDING
  • Co-Principal Investigator, Trident Data Systems
    Inc. (USAF Subcontract), Contract No. TDS-93-123,
    "Audit Trail Information Sanitization Project",
    50,000, September 1993.
  • Project Manager, TEES Rockwell Space Systems,
    Project 48390 Support Service Agreement
    J6X4XWH-450017M, "Dual Use Academic Liaison
    Program System Design of a Firewall Decision
    Support Tool," January 20 to September 27, 1996.

28
RESEARCH FUNDING
  • "Engineering and Technical Services Support
    (ETSS)," member of TAMU Consortium with BTG (San
    Antonio) in response to US Air Force Information
    Warfare Center (AFIWC) BAA, 5 year SETA contract
    (Awarded).
  • "Support to CSAP and TASP Programming for
    Planning, Statistical Analysis, Reporting and
    Implementation of Information Protection
    Systems," to BTG (in response to BTG/AFIWC task
    orders), Co-Principal Investigator, December 9,
    1998 (300,000).

29
RESEARCH PROPOSALS
  • "Anomaly Detection Based on a Moving Window
    Weighted Composite Session Profile,"
    Co-Principal Investigator, December 1992, USAF
    Security Command, Kelly, San Antonio, TX,
    114,000.
  • "Communications Manager Associate," Co-Principal
    Investigator, December 1992, USAF Security
    Command, Kelly, San Antonio, TX, 98,000.
  • "Access Controlled Personal Computer Networks,"
    Co-Principal Investigator, December 1992, USAF
    Security Command, Kelly, San Antonio, TX,
    100,000.

30
RESEARCH PROPOSALS
  • "Programming for Tested PC DOS," Co-Principal
    Investigator, December 1992, USAF Security
    Command, Kelly, San Antonio, TX, 75,000.
  • "Documentation of Recent Network Security
    Events," Co-Principal Investigator, December
    1992, USAF Security Command, Kelly, San Antonio,
    TX, 60,000.
  • "A Simple Public Key System for Telnet and FTP
    Security," Co-Principal Investigator, December
    1992, USAF Security Command, Kelly, San Antonio,
    TX, 80,000.

31
RESEARCH PROPOSALS
  • "Computer Intrusion Detection A Statistically
    Based System," Co-Principal Investigator,
    December 1992, USAF Security Command, Kelly, San
    Antonio, TX, 94,000.
  • "Distributed Intrusion Detection and Tracking
    through Cooperating Security Managers," Principal
    Investigator, NSA, January 1993, 119,000.
  • "Multilevel Secure Windowing Systems,"
    Co-Principal Investigator, USAF Security Command,
    Kelly, San Antonio, February 1993, 335,000.

32
RESEARCH PROPOSALS
  • "Cooperating Security Manager (CSM),"
    Co-Principal Investigator, USAF Security Command,
    Kelly, San Antonio, February 1993, 380,000.
  • "Prototyping Network Security Protocols,"
    National Security Agency, principal investigator,
    January 1994, 196,500.
  • "Cooperating Security Managers Intrusion
    Detection in a Distributed Environment,"
    Principal Investigator, January 1994, 196,500.

33
RESEARCH PROPOSALS
  • "System Architecture Research for War Breaker,
    Intelligence and Planning," Co-Principal
    Investigator - joint proposal with E-Systems
    (Greenville Division), ARPA, July 1993.
  • "Operational Demonstration in Multi-tiered Crisis
    Management," Co-Principal Investigator - joint
    proposal with E-Systems (Greenville Division),
    ARPA, October 1993.
  • Equipment Proposal (E-mass Storage devices) to
    E-mass, Co-Principal Investigator, November 1993.

34
RESEARCH PROPOSALS
  • "Audit Trail Information Sanitization Project,"
    Co-Principal Investigator, March 1994, 240,000,
    USAF via Trident Data Systems.
  • "Security and Reliability Issues in Asynchronous
    Transfer Method (ATM) Switch Protocols" --
    submitted for 1995 ATP, (120,000).
  • "Cooperating Security Managers" -- submitted to
    E-Systems, Sept., 1995, (140,000).

35
RESEARCH PROPOSALS
  • "Security and Reliability Issues in Interfacing
    ATM to Wideband Systems" -- submitted to
    E-Systems, Sept., 1995, (260,000).
  • "Testing, Performance Measurements and Intrusion
    Detection of Computer and Networked Systems" --
    submitted to EGG, Nov. 1995, (100,000).
  • "Systems Description Methodology for Design of
    Survivable Distributed Systems" -- submitted for
    ARPA BA 96-03, February 1996, (1.4 million).

36
RESEARCH PROPOSALS
  • "Systems Description Methodology for Design of
    Survivable High Confidence Networks,"
    Co-Principal Investigator, submitted for ARPA BA
    97-04 (Management for Survivability), December
    1996, (1,366,000).
  • "System Description Methodology for Design of
    Survivable High Confidence Networks," submitted
    to DARPA BAA 97-04, Jan. 16, 1997.
  • "Internet Security Protocol Development and
    Analysis," submitted to NSA (Security Management
    and Infrastructure), Principal Investigator,
    Spring 1998 (179,181).

37
RESEARCH PROPOSALS
  • "Security Characterization of Processes and
    Programs in a Unix-based Environment," submitted
    via SecureLogix Corp., San Antonio, TX, to
    DARPA-SBIR, TEES Proposal 99-432, Apr. 12, 1999
    (59,400).
  • "Active Host-based Defense Using Autonomous
    Agents," submitted via SecureLogix Corp., San
    Antonio, TX, to DoD/STTR, TEES Proposal 99-436,
    Apr. 14, 1999.
  • "Secure Operations in Web-based
    Videoconferencing," via TEES Proposal 0332-1999
    to ARP (129,800).

38
QUESTIONS
  • Dr. Udo W. Pooch
  • E-Systems Professor
  • Office: 502C H. R. Bright Building
  • Phone: (409) 845-5498
  • Fax: (409) 847-8578
  • Email: pooch_at_cs.tamu.edu