Network Security Research at William and Mary

1
Network Security Research at William and Mary

• Haining Wang
• Department of Computer Science
• College of William and Mary

2
Outline

• College of William and Mary
• Previous research work
• Current research work
• Other research activities

3
William and Mary

• The second oldest university in US, not Yale
• Small school with about 7,000 students
• It is a public school, not private
• Rank 6th in public schools (undergraduate)
• After Michigan, Berkeley, UVa, UCLA, and UNC

4
The oldest academic building is still being used,
not those in Harvard!
5
Where it is

• Williamsburg, VA
• One hour to Beach, two hour to Mountain
• Colonial Williamsburg historic site
• Two theme parks

6
Why join

• Cool school in hot place
• It is old, small, and good
• We also have PhD program
• Doing research
• Producing PhD graduates

7
Placement of PhD Graduates

• Iowa State, Michigan State, George Mason, UI
  Chicago, etc
• National Labs, HP research Labs, ATT research
  Labs (but not IBM research)
• Microsoft, Symantec, etc

8
Previous Work

• Change-point Intrusion Detection
• Hop-count filtering
• IP Easy-pass
• Application-aware IPsec policy system

9
Current Work

• Break Email Spam Laundering
• VoIP Intrusion Detection
• Protocol-state-machine (PSM) based mechanism
• Detect known attacks
• Hellinger-distance (HD) based mechanism
• Detect unknown attacks

10
IP Telephony
Commonly Known as Voice over IP (VoIP) is
emerging as a viable alternative to traditional
telephone systems
VoIP will account for 75 of world voice
services by 2007. - Frost and Sullivan
(consulting firm)
11
IP Telephony

• Marriage of IP with traditional Telephony
• VoIP uses multiple protocol for call control and
  data delivery

12
Vulnerabilities of VoIP

• VoIP systems use multiple protocols for call
  control and data delivery (e.g., SIP, RTP.)
• VoIP Systems are distributed in nature
• A range of devices in the path from caller to
  callee may become attackers targets
• Being a real-time service, it is more vulnerable
  to DoS attacks
• Lack of proper authentication against misbehaving
  UAs

13
Key Features of PSM

• Utilizes state transitions made in the protocol
  state machines for intrusion detection
• Transitions are due to
• the arrival of packets
• internal communication between protocol state
  machines
• Advantages
• follow the transitions (not just packets and
  their aggregated state information)
• high detection accuracy

14
Detect Unknown Attacks
In spite of traffic diversity, at any instant of
time, there is strong correlation among protocol
attributes

• In RTP
• Derived Attributes

Gaps between Attributes remain relatively stable
15
Challenges
Is it possible to compare and quantify the gap
between a number of attributes (taken at a time),
observed at two different instants of time ?
Determine whether two instants of time are
similar (or dissimilar) with respect to protocol
attributes behavior
16
Hellinger Distance
P and Q (each with N attributes) are two
probability measures with and
Distance satisfies the inequality of The
distance is 0 when P Q . Disjoint P and Q shows
a maximum distance of 1.
17
Hellinger Distance of TCP Attributes
P is an array of normalized frequencies over the
training data set
Q is an array of normalized frequencies over the
testing data set
Distance between P and Q at the end of (n1)th
time period
18
Detection Threshold Setup

• Estimation of the threshold distance is an
  instance of Jacobsons Fast algorithm for RTT
  mean and variation
• Gives a dynamic threshold

Threshold Hellinger Distance
19
Other Research Activities

• Wireless and Sensor Networks
• Cache Consistency
• Network QoS and media streaming
• Congestion Control