
CERIAS Security Symposium 26&27 March 2014

We’re living in a time of transition. Cyberthreats are increasing and becoming more sophisticated, victimized organizations are cooperating with competitors and fighting back, and the discussion of expected privacy has become front-page news. These topics, and more, were explored at the 15th Annual CERIAS Security Symposium.

Welcome and Opening Keynote

Welcome: Mitch Daniels

President, Purdue University

Keynote: Amy Hess

Executive Assistant Director of Science and Technology, FBI

Fireside Chat

At the Table

  • Prof. Eugene Spafford
    Executive Director, CERIAS – Purdue University
  • George Kurtz
    President/CEO and Co-Founder, CrowdStrike
  • Josh Corman
    Chief Technology Officer, Sonatype
  • Amy Hess
    Executive Assistant Director of Science and Technology, FBI

Featured Technical Speaker

Josh Corman

Chief Technology Officer, Sonatype

Keynote #2

George Kurtz

President/CEO and Co-Founder, CrowdStrike

Security Plus (not Versus) Privacy

Mark Rasch

Former Chief Privacy Officer at SAIC and Principal at Rasch Technology and Cyber Law

David Medine

Chairman, Privacy and Civil Liberties Oversight Board

Awards Given

  • Diamond & Pillar Awards
  • Poster Presentation Winners

Panel: Sharing Incidence Data While Under Attack

On the Panel

  • Dave Fiore
    Senior Systems Engineer, CyberPoint
  • Paul Baltzell
    Chief Information Officer at State of Indiana
  • Kevin Nauer
    Cyber Security Researcher, Sandia National Laboratories
  • Prof. Sam Liles
    Associate Professor, Cyber Forensics Laboratory – Purdue University
  • Michael West
    Vice President, Cyber Investigations – Fidelity Investments

Panel: APT, Threat Actors, and Trends in Cybercrime

On the Panel

  • Ben Anderson
    Sandia National Laboratories
  • Kevin Alejandro Roundy
  • Marc Brooks
    MITRE Corporation
  • Prof. Marcus Rogers
    Purdue College of Technology

Posters & Presentations 2014

Page Content

  • Consumer Privacy Architecture for Power Grid Advanced metering infrastructure
  • Privacy Preserving Access Control in Service Oriented Architecture
  • pSigene: Generalizing Attack Signatures
  • Resilient and Active Authentication and User-Centric Identity Ecosystems
  • Semantic Anonymization of Medical Records
  • The Password Wall — A Better Defense against Password Exposure
  • Top-K Frequent Itemsets via Differentially Private FP-trees
  • VeryBioIDX: Privacy Preserving Biometrics-Based and User Centric Authentication Protocol
  • A Framework for Service Activity Monitoring
  • A Key Management Scheme in BYOD Environment
  • FPGA Password Cracking
  • A Study of Probabilistic Password Models
  • Analysis of Coping Mechanisms in Password Selection
  • Detecting Tic-Tac-Stego: Anomaly Detection for Steganalysis in Games
  • Enhancing Analyst Situation Awareness and Event Response in Cyber Network Operations Centers
  • Finland’s Cyber Warfare Capabilities
  • Mutual Restraining Voting Involving Multiple Conflicting Parties
  • Natural Language IAS: The Problem of Phishing
  • Using social network data to track information and make decisions during a crisis
  • A Framework to Find Vulnerabilities Using State Characteristics in Transport Protocol Implementations
  • Divide & Recombine for Big Data Analysis for Cybersecurity – Application of DNS Blacklist Query Study
  • Confidentiality Guidelines for Cloud Storage
  • Cyber 9/12 Student Challenge: Team Purdue Cyber Forensics
  • DC3 Digital Forensics Challenge
  • Implementing Bayesian Statistics from an Analysis of Competing Hypothesis Framework
  • Netherland’s Cyber Capabilities
  • Saudi Arabian Policy on Cyber Capabilities
  • South Korea ICT Index Leader Cyber Assessments
  • Technological Impact of Criminal Enterprises: The Impact of Cloud Computing
  • The Efficacy of Case Studies for Teaching Policy in Engineering and Technology Courses
  • The Impact of University Provided Nurse Electronic Medical Record (EMR) Training on Hospital Provider Systems: A Computer Simulation Approach
  • The Irish Economy’s Vulnerability to Cyber Conflict
  • Threats, Vulnerabilities, and Security Controls in Cloud Computing
  • A Critical Look at Steganographic Investigations
  • Analysis of Cyberattacks on UASs in Simulation
  • Communications, Information, and Cybersecurity in Systems-of-Systems
  • Distributed Fault Detection and Isolation for Kalman Consensus Filter
  • End to End Security in Service Oriented Architecture
  • INSuRE — Information Security Research and Education
  • Log-Centric Analytics for Advanced Persistent Threat Detection
  • Making the Case of Digital Forensics Field Training for Parole Services
  • Periodic Mobile Forensics
  • Robust Hybrid Controller Design: Cyber Attack Mitigation Strategy for Cyber-Physical Systems
  • Text-based Approaches to Detect Phishing Attacks
  • The Case of Using Negative (Deceiving) Information in Data Protection

Assured Identity and Privacy

Consumer Privacy Architecture for Power Grid Advanced metering infrastructure

Dheeraj Gurugubelli, Dr. Chris Foreman and Dr. Melissa Dark

Utilities install smart meters in homes. These smart meters allow the tracking and management of the energy consumption of the consumers. This will enable the utility companies to increase efficiency, lower costs, and reduce pollution. But the advanced meters, which use wireless and digital technologies to send frequent consumption data to utilities, face opposition from customers and others who see them as a threat to health, privacy, and security. From a utility company perspective, collection and management of such huge volumes of data at an individual level is not an essential business function. The goal of this research is to create an architecture that preserves the privacy of the consumer in the power grid advanced metering infrastructure while helping the utility company better manage data.

Privacy Preserving Access Control in Service Oriented Architecture

Rohit Ranchal, Ruchith Fernando, Zhongjun Jin, Pelin Angin, Bharat Bhargava

Service Oriented Architecture (SOA) comprises a number of loosely-coupled services, which collaborate, interact and share data to accomplish a task. A service invocation can involve multiple services, where each service generates, shares, and interacts with the client’s data. These interactions may share data with unauthorized services and violate the client’s policies. The client has no means of identifying whether a violation occurred and has no control or visibility over interactions beyond its trust domain. Such interactions introduce new security challenges which are not present in traditional systems. We propose a data-centric approach for privacy preserving access control in SOA based on Active Bundles. This approach transforms passive data into an active entity that is able to protect itself. It enables dynamic data dissemination decisions and protects data throughout its lifecycle. The granularity of the data being shared with a service is determined by the client’s data dissemination policy.

pSigene: Generalizing Attack Signatures

Jeff Avery, Gaspar Modelo-Howard, Fahad Arshad, Saurabh Bagchi, Yuan Qi

Intrusion detection systems (IDS) are an important component to effectively protect computer systems. Misuse detection is the most popular approach to detect intrusions, using a library of signatures to find attacks. The accuracy of the signatures is paramount for an effective IDS, yet today’s practitioners rely on manual techniques to improve and update those signatures. We present a system, called pSigene, for the automatic generation of intrusion signatures by mining the vast amount of public data available on attacks. It follows a four-step process to generate the signatures, by first crawling attack samples from multiple public cyber security web portals. Then, a feature set is created from existing detection signatures to model the samples, which are then grouped using a biclustering algorithm which also gives the distinctive features of each cluster. Finally the system automatically creates a set of signatures using regular expressions, one for each cluster. We tested our architecture for the prevalent class of SQL injection attacks and found our signatures to have a true positive rate of over 86% and a false positive rate of 0.03%, and compared our findings to other SQL injection signature sets from popular IDS and web application firewalls. Results show our system to be very competitive with existing signature sets.

Resilient and Active Authentication and User-Centric Identity Ecosystems

Yan Sui, Xukai Zou

Existing proxy based authentication approaches have problems (e.g., non-binding, susceptible to theft and dictionary attack, burden on end-users, re-use risk). Biometrics, which authenticates users by intrinsic biological traits, arises to address these drawbacks. However, biometrics are irreplaceable once compromised and leak sensitive information about the human user behind them. In this research, we propose a usable, privacy-preserving, secure biometrics based identity verification and protection system. Specifically, we propose a novel biometric authentication token called Bio-Capsule (BC) which is generated by a secure fusion of user biometrics and a (selected) reference subject’s biometrics. The fusion process preserves the biometric robustness and accuracy in the sense that the BC can be used in place of the original user’s biometric template without sacrificing the system’s acceptability for the same user and distinguishability between different users. There are more potential applications of this research: a user-centric identity ecosystem – a highly resilient, privacy-preserving, revocable, interoperable, and efficient user-centric identity verification and protection ecosystem; and an active authentication system – a provably secure, privacy-preserving, biometric active authentication system to support continuous and non-intrusive authentication.

Semantic Anonymization of Medical Records

Tatiana Ringenberg, Julia M. Taylor, Victor Raskin

With the availability of large amounts of data in the medical industry, it is becoming necessary, due to both regulatory and ethical concerns, to find new ways of protecting patient identities. A name and social security number are no longer the only fields in a patient’s record that can identify them. HIPAA requires the removal of several Protected Health Information identifiers from data. Symptoms themselves can also distinctly identify an individual in a large group. To prevent this, the Purdue OST Anonymization Project is using semantics to determine the degree to which any patient record is identifiable from others in a system. Our approach combines the conceptual mapping of Ontological Semantic Technology with the anonymity principles of K-Anonymity to semantically anonymize patient data for compliance with regulatory and research policies.
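The abstract above rests on k-anonymity: a record is "identifiable" to the extent that few other records share its quasi-identifiers (age, ZIP, sex), and generalizing those fields until every combination is shared by at least k records removes that uniqueness. The following is an added, self-contained illustration written for this page; it is not the Purdue OST Anonymization Project's code and does none of the ontological-semantic mapping the poster describes. The records, the generalization ladder and the field names are constructed assumptions. It also shows the standard caveat that k-anonymity alone does not protect the sensitive attribute when a class is homogeneous.

```python
# Constructed synthetic records (not real patient data): three quasi-identifiers
# plus one sensitive attribute, the shape an anonymizer has to reason about.
RECORDS = [
    {"age": 34, "zip": "47906", "sex": "F", "diagnosis": "flu"},
    {"age": 37, "zip": "47907", "sex": "F", "diagnosis": "flu"},
    {"age": 52, "zip": "47906", "sex": "M", "diagnosis": "diabetes"},
    {"age": 58, "zip": "47905", "sex": "M", "diagnosis": "flu"},
    {"age": 29, "zip": "46201", "sex": "F", "diagnosis": "asthma"},
    {"age": 23, "zip": "46204", "sex": "F", "diagnosis": "flu"},
    {"age": 61, "zip": "46201", "sex": "M", "diagnosis": "diabetes"},
    {"age": 65, "zip": "46208", "sex": "M", "diagnosis": "asthma"},
]

# Assumed generalization ladder, least to most general:
# (width of the age band, number of leading ZIP digits kept).
LEVELS = [(1, 5), (5, 5), (10, 5), (10, 3), (20, 3), (50, 3), (50, 0), (100, 0)]


def generalize(record, age_band, zip_digits):
    """Quasi-identifier tuple after generalization (sex is kept as-is)."""
    age = record["age"] // age_band * age_band
    return (age, record["zip"][:zip_digits], record["sex"])


def equivalence_classes(records, age_band, zip_digits):
    """Group records by their generalized quasi-identifier tuple."""
    classes = {}
    for r in records:
        classes.setdefault(generalize(r, age_band, zip_digits), []).append(r)
    return classes


def k_anonymity(records, age_band, zip_digits):
    """The k for which the generalized table is k-anonymous: the smallest class size."""
    return min(len(c) for c in equivalence_classes(records, age_band, zip_digits).values())


def identifiability(record, records, age_band, zip_digits):
    """How many records share this record's generalized quasi-identifiers; 1 means unique."""
    classes = equivalence_classes(records, age_band, zip_digits)
    return len(classes[generalize(record, age_band, zip_digits)])


def minimal_generalization(records, k, levels=LEVELS):
    """First ladder level at which the whole table becomes k-anonymous, or None."""
    for age_band, zip_digits in levels:
        if k_anonymity(records, age_band, zip_digits) >= k:
            return (age_band, zip_digits)
    return None


def min_sensitive_diversity(records, age_band, zip_digits, sensitive="diagnosis"):
    """Smallest number of distinct sensitive values in any class. A value of 1 means a
    homogeneous class: k-anonymity holds, yet the diagnosis is still disclosed."""
    classes = equivalence_classes(records, age_band, zip_digits)
    return min(len({r[sensitive] for r in c}) for c in classes.values())


if __name__ == "__main__":
    for age_band, zip_digits in LEVELS:
        k = k_anonymity(RECORDS, age_band, zip_digits)
        d = min_sensitive_diversity(RECORDS, age_band, zip_digits)
        print(f"age band {age_band:3d}, zip digits {zip_digits}: k={k}, min diversity={d}")
    print("smallest generalization for k=2:", minimal_generalization(RECORDS, 2))
```

On this sample the table becomes 2-anonymous at ten-year age bands and three-digit ZIPs, but the class containing the two women in their thirties from 479xx both carry "flu", so an attacker who knows a target's age, ZIP and sex still learns the diagnosis; checking the diversity of the sensitive attribute per class is the extra test the anonymizer needs beyond k.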

The Password Wall — A Better Defense against Password Exposure

Mohammed Almeshekah, Mikhail Atallah and Eugene Spafford

We present an authentication scheme that better protects users’ passwords than currently deployed password-based schemes, without taxing the users’ memory or damaging the user-friendliness of the login process. Our scheme maintains compatibility with traditional password-based authentication, without any additional storage requirements, giving service providers the ability to selectively enroll users and fall back to traditional methods if needed. The scheme utilizes the ubiquity of smartphones; however, unlike previous proposals it does not require registration or connectivity of the phones used. In addition, no long-term secrets are stored in the user’s phone, mitigating the consequences of losing it. The scheme significantly increases the difficulty of launching a phishing attack by automating the decision of whether a website should be trusted and introducing additional risk on the adversary’s side of being detected and deceived. In addition, the scheme is resilient against Man-in-the-Browser (MitB) attacks and compromised client machines. Finally, we incorporate a user-friendly covert communication channel between the user and the service provider, giving the user the ability to have different levels of access (instead of the traditional all-or-nothing), and the use of deception (honeyaccounts) that makes it possible to dismantle a large-scale attack infrastructure before it succeeds (rather than after the painful and slow forensics that follow a successful phishing attack). As an added feature, the scheme gives service providers the ability to have full-transaction authentication.

Top-K Frequent Itemsets via Differentially Private FP-trees

Jaewoo Lee and Chris Clifton

Frequent itemset mining is a core data mining task and has been studied extensively. Although, by their nature, frequent itemsets are aggregates over many individuals and would not seem to pose a privacy threat, an attacker with strong background information can learn private individual information from frequent itemsets. This has led to differentially private frequent itemset mining, which protects privacy by giving inexact answers. We give an approach that first identifies the top-k frequent itemsets, then uses them to construct a compact, differentially private FP-tree. Once the noisy FP-tree is built, the (privatized) support of all frequent itemsets can be derived from it without access to the original data. Experimental results show that the proposed algorithm gives substantially better results than prior approaches, especially for high levels of privacy.

VeryBioIDX: Privacy Preserving Biometrics-Based and User Centric Authentication Protocol

Hasini Gunasinghe, Elisa Bertino

We propose a privacy preserving biometric based authentication protocol by which a user can authenticate to different service providers from a mobile phone, without involving the identity provider in transactions, thus enhancing privacy. Authentication is based on a cryptographic identity token which embeds a unique, repeatable and revocable identifier generated from the user’s biometric image and a random secret, supporting two-factor authentication based on zero-knowledge proofs of knowledge. Our approach for generating biometric identifiers from users’ biometrics is based on perceptual hashing and SVM classification techniques.

End System Security

A Framework for Service Activity Monitoring

Ruchith Fernando, Rohit Ranchal, Pelin Angin, Bharat Bhargava

In a service-oriented architecture (SOA) environment, a service can dynamically select and invoke any service from a group of services to offload part of its functionality. This is very useful to build large systems from existing services and dynamically add services to support new features. One of the main problems with such a system is that it is very difficult to trust the service interaction lifecycle and assume that the services behave as expected and respect the system policies. We propose a centralized service monitor that audits and detects malicious activity or compromised services by analyzing information collected via monitoring agents. The service monitor includes two modes of operation – active and passive – in which one can evaluate service topologies against various policies.

A Key Management Scheme in BYOD Environment

Di Xie, Baijian Yang

Bring-Your-Own-Device (BYOD) refers to an IT policy that encourages and allows employees to use their personal devices to access privileged corporate network resources. Current BYOD practices are not sufficient to provide both flexible and secure access to data stored on personal devices and are likely to cause privacy infringement issues and incur high management cost. This research presents an Innovative Key Management Scheme (IKMS) approach that employs a hierarchical and time-bounded key management system to battle the security and privacy issues in BYOD deployment.

FPGA Password Cracking

Max DeWees, Michael Kouremetis, Matthew Riedle, Craig West

Field Programmable Gate Arrays (FPGAs) are a unique hardware component that allows for dynamic prototyping design and implementation of hardware logic. FPGAs provide the advantages of dedicated hardware functionality and parallelization for specific tasks. In this research, we look to apply these advantages of FPGAs to breaking cryptographic functions, primarily hash functions and encryption passwords. While this has been done successfully in the past to older functions like MD5, it has not been thoroughly analyzed for more complex systems such as TrueCrypt, Windows BitLocker, or Mac OS X FileVault. Our focus is to analyze the feasibility, scalability, and success of using one or more FPGAs to crack these systems.

Human Centric Security

A Study of Probabilistic Password Models

Jerry Ma, Weining Yang, Min Luo, Ninghui Li

A probabilistic password model assigns a probability value to each string. Such models are useful for research into understanding what makes users choose more (or less) secure passwords, and for constructing password strength meters and password cracking utilities. Guess number graphs generated from password models are a widely used method in password research. In this paper, we show that probability-threshold graphs have important advantages over guess-number graphs. They are much faster to compute, and at the same time provide information beyond what is feasible in guess-number graphs. We also observe that research in password modeling can benefit from the extensive literature in statistical language modeling. We conduct a systematic evaluation of a large number of probabilistic password models, including Markov models using different normalization and smoothing methods, and find that, among other things, Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model, which has been used as the state-of-the-art password model in recent research.
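To make the abstract's terms concrete, here is an added example (written for this page; it is not the authors' code and does not reproduce their evaluation) of the simplest model it discusses: a character-level Markov model with an end-of-string symbol, so the probabilities form a proper distribution over strings, and add-alpha smoothing so unseen transitions get non-zero mass. The probability-threshold view is the function `coverage_at_threshold`: for a threshold on log-probability, what fraction of a password set the model rates at least that likely, which needs only one model evaluation per password instead of enumerating guesses in probability order. The training list, the order, the smoothing constant and the alphabet are all assumptions chosen for the demonstration.

```python
import math
import string
from collections import defaultdict

# Sentinels outside the printable alphabet so they cannot collide with password characters.
START, END = "\x02", "\x03"
# Output alphabet: printable ASCII without whitespace, plus the end-of-string symbol.
# Including END is what makes the model a proper distribution over strings of any length.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + END

# Constructed training sample (hypothetical, not a real leaked list).
TRAINING = ["password", "password1", "letmein", "qwerty", "qwerty123",
            "iloveyou", "monkey", "dragon"]


class MarkovPasswordModel:
    """Character-level order-n Markov model with add-alpha (Laplace-style) smoothing."""

    def __init__(self, order=2, alpha=0.01):
        self.order = order
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(int))

    def _sequence(self, password):
        if any(ch not in ALPHABET or ch == END for ch in password):
            raise ValueError("password contains characters outside the model alphabet")
        return START * self.order + password + END

    def fit(self, passwords):
        """Count each (context, next character) transition in the training set."""
        for pw in passwords:
            seq = self._sequence(pw)
            for i in range(self.order, len(seq)):
                self.counts[seq[i - self.order:i]][seq[i]] += 1

    def prob_next(self, context, ch):
        """Smoothed P(ch | context); sums to 1 over ALPHABET for any context."""
        row = self.counts.get(context, {})
        total = sum(row.values())
        return (row.get(ch, 0) + self.alpha) / (total + self.alpha * len(ALPHABET))

    def log_prob(self, password):
        """Natural-log probability of the whole string, including the end symbol."""
        seq = self._sequence(password)
        return sum(math.log(self.prob_next(seq[i - self.order:i], seq[i]))
                   for i in range(self.order, len(seq)))

    def strength_bits(self, password):
        """-log2 P(password): the larger, the less likely the model finds it."""
        return -self.log_prob(password) / math.log(2)


def coverage_at_threshold(model, passwords, log_threshold):
    """Fraction of passwords the model rates at least as likely as the threshold.
    Evaluating this over a range of thresholds yields a probability-threshold graph."""
    hits = sum(1 for pw in passwords if model.log_prob(pw) >= log_threshold)
    return hits / len(passwords)


def probability_threshold_curve(model, passwords, log_thresholds):
    """List of (threshold, coverage) points, one model pass per password per point."""
    return [(t, coverage_at_threshold(model, passwords, t)) for t in log_thresholds]


if __name__ == "__main__":
    model = MarkovPasswordModel(order=2)
    model.fit(TRAINING)
    for pw in ["password", "letmein1", "Zq7!xK"]:
        print(f"{pw:12s} {model.strength_bits(pw):6.1f} bits")
    for t, cov in probability_threshold_curve(model, TRAINING, [-10, -20, -40]):
        print(f"log P >= {t:4d}: {cov:.2f} of the training set covered")
```

With such a small training list the model is badly overfitted, which is the point the abstract makes about normalization and smoothing: the smoothing constant and the order decide how much probability leaks to unseen strings, and a model without the end symbol would not even be comparable across lengths.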

Analysis of Coping Mechanisms in Password Selection

Brian Curnett, Paul Duselis, Teri Flory

Do more stringent password policies actually create stronger and more secure passwords? Do humans reach a threshold when creating passwords that follow policies but fail to provide an adequate level of protection? Previous work has focused on password strength and the effectiveness of password defeating tools, but has only briefly touched on user frustration with policies, or the coping mechanisms that may be employed by users to satisfy those stringent policies. Our work will utilize the information available from previous studies and expand on it to include user frustration and coping methods. Our examination will include multiple policies that are currently accepted and in use by organizations and companies from a wide variety of backgrounds. This will attempt to show the true measure of protection that the industry standard policies provide. It will be necessary to review processes of data collection, and determine the most effective procedures to gather this information. We will then develop a method, utilizing this plan, and propose it to the partners for future review and use. We will propose an analytic procedure to be used in determining an optimal relationship between a password policy’s strength and coping mechanisms, and finally a set of repeatable statistical procedures that can be applied to data sets of passwords to assess the policy’s strength.

Detecting Tic-Tac-Stego: Anomaly Detection for Steganalysis in Games

Philip C. Ritchey, Vernon J. Rego

Motivated by the identification of potential areas in the broader field of information security where the study of human behavior can be used to enhance and improve information security, we investigated methods for detecting information hiding in games. This work builds on previous work which presented Tic-Tac-Stego, a general methodology for hiding information in games. The focus of this work is to understand and experiment with three steganalysis techniques for detecting steganography in games: rules-based, feature-based, and probabilistic model-based detectors. Under the assumption that the adversary is unable to predict the play style of the stego-agent, we find that a feature-based steganalysis method performs the best at detecting usage of the covert channel, capable of achieving accuracy greater than 97% against all stego-agents tested. On the other hand, under the assumption that the adversary is able to predict the play style of the stego-agent, the rules-based method is more accurate and requires fewer games per example than the feature-based method. The probabilistic-based method is found to be overall less accurate than both the feature-based and rules-based methods.

Enhancing Analyst Situation Awareness and Event Response in Cyber Network Operations Centers

Omar Eldardiry, Barrett Caldwell

The development of cyber network operations centers has created new needs to support human sense-making and situation awareness in a cyber network common operating picture (CNCOP). The goal of this research is to identify critical features that support expert analysts in event detection, identification, and response to cyber events (emergency scenarios, hardware breakdowns or other sources of degraded performance). The goal is to improve information visualization to support recognition and response to cyber- and cyber-physical network events. The results of this research project will be used to improve operational capability and analyst situation awareness in NOC environments and provide design guidance to improve analyst event monitoring and response in other cyber-physical infrastructure operations centers.

Finland’s Cyber Warfare Capabilities

Filipo Sharevski

In light of the discussion on cyber intelligence, the content of this paper includes analysis of open source data in respect to a methodical assessment of Finland’s cybersecurity and cyberwarfare capabilities. The information related to Finland’s cyber preparedness and cybersecurity awareness is analyzed together with the relevant statistical factors in order to outline the relative stage of cyber capability development in the military context. Finland’s cybersecurity strategy, Finnish security and defense policy, and Finland’s academia perspectives on cyber operations realms are elaborated in parallel with the conceptualization on military doctrine adaptation in the cyber domain in order to describe Finland’s posture relative to potential cyberwarfare conflict engagements. In addition to this, the key stakeholders in cybersecurity governance are also enlisted, providing insight into the practical aspects of the nations’ efforts for cybersecurity maintenance and constant improvement.

Mutual Restraining Voting Involving Multiple Conflicting Parties

Dr. Xukai Zou, Yan Sui, Huian Li, Wei Peng, and Dr. Feng Li

Scrutinizing current voting systems, including existing e-voting techniques, one can discern that there exists a gap between casting secret ballots and tallying and verifying individual votes. This gap is caused by either a disconnection between the vote-casting process and the vote-tallying process or an opaque transition (e.g., due to encryption) from vote-casting to vote-tallying, and it damages voter assurance, i.e., the property that any voter can be assured that the vote he/she has cast is verifiably counted in the final tally. We propose a groundbreaking e-voting protocol that fills this gap and provides a fully transparent election. In this fully transparent internet voting system, the transition from vote-casting to vote-tallying is seamless, viewable, verifiable, and privacy-preserving. As a result, individual voters will be able to verify their own votes and are technically and visually assured that their votes are indeed counted in the final tally, the public will be able to verify the accuracy of the count, and political parties will be able to catch fraudulent votes. And all this will be achieved while still retaining what is perhaps the core value of democratic elections – the secrecy of any voter’s vote. The new protocol is the first fully transparent e-voting protocol which technologically enables open and fair elections and delivers full voter assurance, even for the voters of minor or weak political parties.

Natural Language IAS: The Problem of Phishing

Lauren M. Stuart, Gilchan Park, Julia M. Taylor, Victor Raskin

Phishing emails solicit personal and sensitive information while masquerading as legitimate messages from financial institutions. Automatic detection of phishing emails will help reduce the financial losses incurred by their victims. Computer understanding of message meaning and other hallmarks of legitimate and illegitimate emails can improve detection, and continue the expansion of natural language understanding techniques and processes into information assurance and security applications.

Using social network data to track information and make decisions during a crisis

Student: David Hersh; Advisors: Julia Taylor, Victor Raskin

Social network use has dramatically increased in recent years, causing a surge in the amount of data people publicly share. Many share events of their lives on a daily basis, and get much of their news from social networks. So when a crisis occurs, such as a school shooting, many people in the affected area report what is going on through their social networks, allowing others to get firsthand accounts of the situation as it progresses. This information is often available before official information is, making it a valuable resource for anyone who needs to know the most up-to-date information on the crisis. In this research, we take the first steps toward the development of a system that extracts crisis information from social networking data in real time, allowing the system’s users to have a consistently up-to-date version of the situation.

Network Security

A Framework to Find Vulnerabilities Using State Characteristics in Transport Protocol Implementations

Sam Jero, Hyojeong Lee and Cristina Nita-Rotaru

We propose a platform for automatically finding attacks in transport protocol implementations. Our platform uses virtual machines connected with a network emulator to run unmodified target implementations, ensuring realism. We focus on attacks involving the manipulation or injection of protocol messages and build a framework to perform these basic malicious actions. To mitigate state-space explosion resulting from numerous combinations of malicious actions and protocol messages, we leverage protocol states. First, we build a state tracker that can infer the current state of the target system from message traces. Using the state tracker and a benign execution, we classify states based on observable characteristics. We then associate basic attack actions with characteristics of states and compose attack strategies based on this information. We monitor the effect of these attack strategies and determine which actions are effective for which states. We use this information to focus or prune our attack strategies for states with similar characteristics.

Divide & Recombine for Big Data Analysis for Cybersecurity – Application of DNS Blacklist Query Study

Ashrith Barthur, Dr. William S. Cleveland, John Gerth

D&R is a statistical approach to big data that provides comprehensive, detailed analysis. This is achieved because almost any analytic method from machine learning, statistics, and visualization can be applied to the data at their finest level of granularity. D&R also enables feasible, practical computation because the computations are largely embarrassingly parallel. Our work has two core threads: 1. Tailor the D&R environment to analyse big data in cybersecurity. 2. Apply this tailored environment to the Spamhaus traffic at the Stanford University mirror.

Policy, Law and Management

Confidentiality Guidelines for Cloud Storage

Joseph Beckman, Matthew Riedle, Hans Vargas

As cloud computing is becoming more popular among average users, and even governments, the question arises of how secure the data stored in the cloud is. Guidelines have been established by FedRAMP that evaluate certain security protocols for cloud providers like Google Drive and Amazon Web Services. This project will examine the confidentiality and access control guidelines for Amazon’s S3 data storage, looking to see if they are sufficient for current and future markets.

Cyber 9/12 Student Challenge: Team Purdue Cyber Forensics

Rachel Sitarz, Eric Katz, Nick Sturgeon, & Jake Kambic

The four Purdue Cyber Forensics graduate students competed in the Cyber 9/12 Student Challenge. They were asked to take on the role of the Cyber Security Directorate of the National Security Staff. They had to create four policy response alternatives to a fictional major cyber incident that affected US national security. They were tasked with creating the four policies, then presenting the policies to experts in cyber security policy in Washington DC.

DC3 Digital Forensics Challenge

Will Ellis, Jake Kambic, Eric Katz, Sydney Liles

This poster is designed to show the accomplishments of team or11–, winners of the 2013 Defense Cyber Crime Center’s Cyber Forensics Challenge. This is the largest and most prestigious cyber forensics competition in the world. Going up against over 1,200 competing teams, Purdue’s team took 1st place in the US and global graduate divisions.

Implementing Bayesian Statistics from an Analysis of Competing Hypothesis Framework

Brian Curnett and Samuel Liles

The Analysis of Competing Hypotheses system is a decision analysis tool developed by the intelligence community to aid analysts in decision making. It was first developed by Richards J. Heuer to help analysts keep their biases in check when making important decisions. This system’s effectiveness can be furthered to counter forms of deception and cultural bias by implementing a Bayesian Belief Network and by quantifying cultural trends.

Netherland’s Cyber Capabilities

Hans Vargas

The purpose of this study was to perform an OSINT analysis of the Netherlands’ capabilities to protect itself from cyber-attacks. A list of all possible and typical actors was identified, as they represent different levels of threat to this nation; the table at the left explains in detail who those actors are, what their intentions might be, the level of expertise they are expected to have, and finally the more likely targets that they might attack. The Netherlands has a population of close to 18 million people with an estimated GDP of 696 billion USD and a per capita GDP of 41,000 USD, which rank 23rd and 12th in the world respectively. It comes as no surprise that its ICT rank is also high, occupying 7th place in the world as of 2012.

Saudi Arabian Policy on Cyber Capabilities

Brian Curnett and Samuel Liles

Saudi Arabia is a major player in the arena of world politics. However, it is only a fledgling nation in the cyber arena and is still trying to bring itself into the modern era. It is the Saudi Arabian policy of replacing cyber security with cyber censorship which led to the vulnerabilities that exposed the nation’s oil industry to attack. As a compensatory mechanism, it relies on foreign nations’ contractors to solve technical problems rather than developing a domestic knowledge base. This has made the nation of Saudi Arabia more vulnerable in the long term.

South Korea ICT Index Leader Cyber Assessments

Faisal Alaskandrani, Dr. Samuel Liles

Did South Korea neglect the security aspect while developing its telecommunication infrastructure?

Technological Impact of Criminal Enterprises: The Impact of Cloud Computing

Rachel Sitarz, Sam Liles

Cloud computing is an abstract term, which is often difficult for people to understand, yet most are moving to the cloud to store data. Criminal organizations are also utilizing the cloud for data storage, transmission, and communications, which led to the research question: how are current criminal organizations structuring their criminal enterprises, and how does technology impact that structure? The current project is exploratory, making comparisons of current criminal organizations with historical groups, and maintains that those groups that are utilizing the cloud are no different from historical criminals. They are simply utilizing a new medium to facilitate their criminal activity. Criminal organizations have typically maintained a hierarchical and organizational structure. With developments in technology such as the cloud, groups continue to maintain an enterprise structure while allowing for geographically disparate transmission of data. This also leads to the potential problem of remote destruction of evidence when law enforcement executes searches on a party or parties within the organization. Criminals have taken to these technological advancements for many reasons, such as the anonymity factor, the expertise needed by law enforcement to apprehend criminals, and the ease of access. Technological advancements are often taken for granted, but they are something that needs to be considered in the apprehension of criminals and the combating of criminal activity.

The Efficacy of Case Studies for Teaching Policy in Engineering and Technology Courses

Rylan Chong, Dr. Melissa Dark, Dr. Ida Ngambeki, and Dr. Dennis Depew

Public policy is an increasingly important topic in the engineering and technology curriculum, as has been recognized by a community of experts: the National Research Council of the National Academies (NRCNA), the Accreditation Board for Engineering and Technology (ABET), the American Association for the Advancement of Science (AAAS), and the National Academy of Engineering (NAE). The purpose of this study was to extend the work of Chong, Depew, Ngambeki, and Dark, “Teaching social topics in engineering: The case of energy policy and social goals”, by exploring a method to introduce public policy using a case study approach to undergraduate engineering technology students in the engineering economics course in the College of Technology at Purdue University. The substantive contribution of this study addressed the following questions: 1) did the students understand and identify the policy context, 2) how effective was the use of case studies to introduce the students to policy, and 3) what areas of improvement would enhance the efficacy of the case studies in introducing students to policy?

The Impact of University Provided Nurse Electronic Medical Record (EMR) Training on Hospital Provider Systems: A Computer Simulation Approach

James Anderson, Elizabeth Borycki, Andre Kushniruk, Shannon Malovec, Angela Espejo, Marilyn Anderson

Hospitals lose valuable productivity when nurses are off the unit for electronic medical record system (EMR) training. Universities lose valuable clinical training hours when students are required to learn various EMR systems at clinical sites during clinical rotations. Centralizing EMR training within the university classroom curriculum could provide the hospital with trained new hires while preserving student clinical time for bedside care. Through this study we investigated the cumulative influence of integrating EMR training into the nursing classroom curriculum on hospital nurse time away from caregiving and on the number of EMR-trained nurses. A computer simulation model was specified using the STELLA program. The model simulated once-a-year hiring of nurses over a 4-year period, for a total of 500 new hires. The model predicted the number of new hires that need EMR training, the number of new hires that arrive trained by the university, and the time away from caregiving to train new hires, as a function of the change in university curriculum to include EMR training. Findings indicate that the efficiency of clinical training can potentially be improved by centralizing EMR training within the nursing curriculum. Integrating EMR training into the nursing classroom curriculum potentially results in more available time for nurse bedside care and reduced cost in health organization training of new nurses. Further investigation is needed to assess the cost impact of curricular integration.

The Irish Economy’s Vulnerability to Cyber Conflict

Courtney Falk

Information technology comprises a quarter of Ireland’s GDP. This project aims to answer the question of whether or not the Irish government is adequately prepared to protect this vulnerable sector of their economy.

Threats, Vulnerabilities, and Security Controls in Cloud Computing

Hans Vargas, Temitope Toriola

In cloud computing, information is not stored on your personal computer; it is stored in the cloud. The cloud is a metaphor for the Internet. The cloud can be accessed from any computer anywhere in the world, including devices such as cell phones and Kindles. Personal computers have limited space and often run out of resources; the equipment cannot keep up with demand and the service slows down. The cloud can do anything; it has no limits. The cloud takes the work off of one computer and puts the software into one database that many people can access at once from different computers. However, there is risk in using cloud computing: unauthorized people such as hackers may be able to get to your data as well. Cloud providers are companies that host cloud services and are in charge of protecting your data. They use many methods to protect your data in the cloud and keep it from hackers. This research investigates cloud providers to see if they are protecting cloud data as they claim to be.

Prevention, Detection and Response

A Critical Look at Steganographic Investigations

Michael Burgess

Steganography, the practice of hiding information in plain sight, has been a threat for hundreds of years across different media. In today’s world, hiding files and information digitally inside images, audio, programs, and almost any other file type could pose a very real danger when two individuals are communicating without anyone knowing they are doing so. Researcher Michael Burgess designed a process and built a tool that takes any file and injects it into (and extracts it from) any mono wave file, as long as the wave file is approximately double the size of the file to be hidden. The resulting file has the same size and properties as the original wave file, and no difference can be heard by the human ear. In addition, all current anti-stego tools have a difficult time detecting that anything is hidden. With a tool as simple as this able to evade detection, steganographic investigations need to be taken much more seriously, and should include more discovery of these tools rather than of the hidden files themselves.

Analysis of Cyberattacks on UASs in Simulation

Scott Yantek, James Goppert, Nandagopal Sathyamoorthy, Inseok Hwang

Unmanned aerial systems (UASs) have attained widespread use in military and research applications, and with recent court rulings their commercial use is rapidly expanding. Because of their dependence on computer systems, their high degree of autonomy, and the danger posed by a loss of vehicle control, it is critical that the proliferation of UASs be accompanied by a thorough analysis of their vulnerabilities to cyberattack. We approach the issue from a controls perspective, assuming the attacker has already gained some amount of control over the system. We then investigate vulnerabilities to certain types of attacks.

Communications, Information, and Cybersecurity in Systems-of-Systems

Cesare Guariniello, Dr. Daniel DeLaurentis

The analysis of risks associated with communications and information security for a system-of-systems is a challenging endeavor. This difficulty is due to the interdependencies that exist in the communication and operational dimensions of the system-of-systems network, where disruptions of nodes and links can give rise to cascading failure modes. In this research, we propose the application of a functional dependency analysis tool as a means of analyzing system-of-systems operational and communication architectures. The goal of this research is to quantify the impact of attacks on communications and information flows on the operability of the component systems, and to evaluate and compare different architectures with respect to their robustness and resilience following an attack. The model accounts for partial capabilities and partial degradation. By comparing architectures based on their sensitivity to attacks, the method can be used to guide decisions both in architecting the system-of-systems and in planning updates and modifications, accounting for the criticality of nodes and links to the robustness of the system-of-systems. Synthetic examples show a conceptual application of the method.

Distributed Fault Detection and Isolation for Kalman Consensus Filter

Kartavya Neema, Daniel DeLaurentis

This research deals with the problem of developing a distributed fault detection methodology for a recently developed distributed estimation algorithm called the Kalman Consensus Filter (KCF). We extended the residual covariance matching techniques developed for detecting faults in centralized Kalman filters and used them for distributed fault detection in the KCF. Faults arising from faulty sensor measurements are diagnosed and isolated from the system. Specifically, faults due to changes in sensor noise statistics and outliers in the sensor measurements are considered. We further develop a Robust Kalman Consensus Filter algorithm and demonstrate the effectiveness of the algorithm using simulation results.

End-to-End Security in Service Oriented Architecture

Mehdi Azarmi, Bharat Bhargava

With the explosion of web-based services and the increasing popularity of cloud computing, Service-Oriented Architecture (SOA) is becoming a key architectural style for the development of distributed applications. However, there are numerous security challenges in SOA that need to be addressed. In this poster, we discuss the key security challenges in SOA and propose two solutions: a framework for end-to-end policy monitoring and enforcement, and secure and adaptive service composition.

INSuRE — Information Security Research and Education

PI: Dr. Melissa Dark, CoPI: Brandeis Marshall, Project Team: Courtney Falk, L. Allison Roberts, Filipo Sharevski

The INSuRE project is an attempt to pilot and scale, and then again pilot and scale a sustainable research network that 1) connects institution-level resources, University enterprise systems, and national research networks; 2) enables more rapid discovery and recommendation of researchers, expertise, and resources; 3) supports the development of new collaborative science teams to address new or existing research challenges; 4) exposes and engages graduate students in research activity of national priority at participating institutions; 5) provides for the development and sharing of tools that support research, and, 6) facilitates evaluation of research, scholarly activity, and resources, especially over time.

Log-Centric Analytics for Advanced Persistent Threat Detection

Shiqing Ma, Xiangyu Zhang, Dongyan Xu

Today’s enterprises face increasingly significant threats such as advanced persistent threats (APTs). Unfortunately, current cyber attack defense technologies are not keeping up with the attack trends. Meanwhile, enterprises continue to generate large volumes of logs and traces at the system, application, and network levels, and these remain under-utilized in cyber attack detection. We present an integrated framework for advanced targeted attack detection. Our framework consists of two major components: LogIC (Log-based Investigation of Causality), a fine-grain system logging and causal analysis tool which enables high-accuracy causal analysis of the system logs generated by an individual machine, and LogAn (Log Analytics), a “Big Data” analyzer and correlator for end-system and network logs which enables advanced targeted attack detection by querying and correlating logs across machines in an enterprise. The key idea behind LogIC is to partition the execution of a long-running application process into multiple finer-grain “execution units” for high causal analysis accuracy, without application source code. The key idea behind LogAn is to leverage the single-host causal analysis results to detect an enterprise-wide APT, via causal graph recognition and context correlation.
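The execution-unit idea behind LogIC, shown as an added example that is not the project’s own code: a backward causal trace from a suspicious file over constructed audit-style log lines in a hypothetical “ts pid unit op src dst” format, run once with the whole process as a single node and once with the process split into execution units.

```python
"""Backward causal analysis over system-log events, with and without
execution-unit partitioning. Added illustration; not LogIC/LogAn code."""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Set

# Constructed sample log (hypothetical format: ts pid unit op src dst).
# pid 1001 is a long-running browser handling three independent tabs
# (execution units 1..3); only unit 3 fetched and wrote update.exe.
# pid 2002 is an unrelated editor that rewrites a notes file.
SAMPLE_LOG = """\
1 1001 1 read  sock:news.example      proc:1001
2 1001 1 write proc:1001              file:/home/u/cache/news.html
3 1001 2 read  sock:mail.example      proc:1001
4 1001 2 write proc:1001              file:/home/u/cache/mail.html
5 1001 3 read  sock:unknown.example   proc:1001
6 1001 3 write proc:1001              file:/home/u/Downloads/update.exe
7 2002 1 read  file:/home/u/notes.txt proc:2002
8 2002 1 write proc:2002              file:/home/u/notes.txt
"""

SUSPECT = "file:/home/u/Downloads/update.exe"


class Event(NamedTuple):
    ts: int
    pid: int
    unit: int
    op: str      # "read" (src is the object) or "write" (dst is the object)
    src: str
    dst: str


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated constructed format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, unit, op, src, dst = line.split()
        events.append(Event(int(ts), int(pid), int(unit), op, src, dst))
    return events


def build_graph(events: List[Event], partition_units: bool) -> Dict[str, Set[str]]:
    """Return a reverse dependency map: node -> set of nodes it depends on.

    A read makes the process node depend on the object read; a write makes
    the written object depend on the process node. With partition_units the
    process node carries its execution-unit id, so reads in one unit cannot
    be blamed for writes made by another unit of the same long-running pid.
    """
    parents: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        proc = f"proc:{e.pid}" + (f"#u{e.unit}" if partition_units else "")
        if e.op == "read":
            parents[proc].add(e.src)
        elif e.op == "write":
            parents[e.dst].add(proc)
    return parents


def backward_trace(parents: Dict[str, Set[str]], start: str) -> Set[str]:
    """Breadth-first walk over reverse edges; the visited set breaks cycles
    such as a process that both reads and rewrites the same file."""
    seen: Set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for p in parents.get(node, ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def network_origins(trace: Set[str]) -> List[str]:
    """The socket endpoints an analyst would be pointed at by a trace."""
    return sorted(n for n in trace if n.startswith("sock:"))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    coarse = backward_trace(build_graph(evs, partition_units=False), SUSPECT)
    fine = backward_trace(build_graph(evs, partition_units=True), SUSPECT)
    # Whole-process graph blames every tab's server (dependency explosion);
    # the unit-partitioned graph isolates the one endpoint that mattered.
    print("coarse origins:", network_origins(coarse))
    print("unit-aware origins:", network_origins(fine))
```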

Making the Case of Digital Forensics Field Training for Parole Services

Chris Flory

The purpose of my research is to provide insight into the need for digital forensic field training for parole services. The current system utilized by most parole agencies is inefficient, costly, and disadvantageous to public safety. Basic forensic field training and digital equipment for parole agents could reduce arrest times, taxpayer costs, and increase public safety.

Periodic Mobile Forensics

Eric Katz

Android devices are becoming more pervasive. Currently there are few enterprise methods to identify and measure malicious user and application behavior in order to detect when a compromise has occurred. Research being conducted at MITRE in conjunction with Purdue is looking at over the air (OTA) methods to determine when a phone has been compromised and how it can best be detected.

Robust Hybrid Controller Design: Cyber Attack Mitigation Strategy for Cyber-Physical Systems

Cheolhyeon Kwon and Inseok Hwang

This paper considers controller design for Cyber-Physical Systems (CPSs) that is robust to various types of cyber attacks. While previous studies have investigated secure control by assuming a specific type of attack strategy, in this paper we propose a hybrid robust control scheme that contains multiple sub-controllers, each matched to a different type of cyber attack. The system can then adapt to various cyber attacks (including those not assumed in the sub-controller design) by switching between its sub-controllers to achieve the best performance. We propose a method for designing the secure switching logic to counter all possible cyber attacks, and mathematically verify the system’s performance and stability as well. The performance of the proposed control scheme is demonstrated by an example of a hybrid H2/H∞ controller applied to a CPS subject to cyber attacks.

Text-based Approaches to Detect Phishing Attacks

Gilchan Park, Lauren Stuart, Julia M. Taylor, Victor Raskin

The purpose of the first study is to report on an experiment in text-based phishing detection. The developed algorithm builds on previously published work on the so-called PhishNet-NLP, a content-based phishing detection system. In particular, this research aims to analyze the keywords that lead users to take certain actions in email texts. The algorithm produced considerable results in filtering out malicious emails (TPR); however, the rate of text falsely identified as phishing (FPR) needed to be addressed. To solve the FPR problem, a tradeoff between TPR and FPR was performed to reduce the FPR while minimizing the decrease in phishing detection accuracy. The second study’s aim is to compare the ability of computers and humans to detect phishing attempts. Two series of experiments were conducted, one for the machine and the other for humans, using the same dataset, and both were asked to categorize the emails as phishing or legitimate. The results prove that machine and human subjects differ in their classification of phishing emails. This comparison suggests that the human intelligence used to detect some types of phishing emails that the machine could not recognize needs to be semantically computerized so as to improve the machine’s phishing detection ability.

The Case of Using Negative (Deceiving) Information in Data Protection

Mohammed Almeshekah, Mikhail Atallah and Eugene Spafford

In this paper we develop a novel taxonomy of methods and techniques that can be used to protect digital information. We explore complex relationships among these protection techniques, grouped into four categories. We present an analysis of these relationships and discuss how they can be applied at different scales within organizations. We map these protection techniques against the cyber kill-chain model and discuss some findings. Moreover, we identify the use of deceit as a useful protection technique that can significantly enhance the security of computer systems. We posit how the well-known Kerckhoffs’s principle has been misinterpreted to drive the security community away from deception-based mechanisms. We examine the advantages these techniques can have when protecting our information, in addition to traditional methods of denial and hardening. We show that by intelligently introducing deceit in information systems, we not only lead attackers astray, but also give organizations the ability to detect leakage; create doubt and uncertainty in leaked data; add risk on the adversaries’ side to using the leaked information; and significantly enhance our ability to attribute adversaries. We discuss how to overcome some of the challenges that hinder the adoption of deception-based techniques.

CERIAS Security Symposium 24&25 March 2015

Cybersecurity discussions have moved from the server room, to the board room, to the talking heads of the media — but all this newfound mass awareness has not translated into being more secure. Major intrusions are now commonplace and a “standard operating procedure” within many industries. Join us for the 16th Annual CERIAS Security Symposium as we examine the current state and emerging trends in information assurance and security, and share some of the breaking research addressing the new landscape. Topical keynotes from government and industry, and in-depth panel discussions addressing current trends and needs, will highlight the two-day event. CERIAS research will be highlighted in faculty technical talks and poster sessions.


Invited Talk: Sam Curry, Arbor Networks

  • Eugene Spafford, Executive Director CERIAS, Purdue University
  • Debasish (Deba) Dutta, Provost – Purdue University
  • Sam Curry, CTO and CSO, Arbor Networks

Security Fireside Chat

  • Eugene Spafford, Executive Director at CERIAS
  • Sam Curry
  • John Walsh – President Sypris Electronics
  • Dave Toomey – AVP Cyber Business at SRC

CERIAS Program Overview: INSuRE, Melissa Dark

  • Melissa Dark, W.C. Furnas Professor in the College of Technology, Purdue University

Panel Discussion: Advanced Persistent Gullibility

  • Barrett Caldwell, Professor of Industrial Engineering, Purdue University
  • Ellen Powers, MITRE
  • Howard Sypher, Professor; Faculty Fellow, Purdue University, Brian Lamb School of Communication
  • David White, Senior Manager, Computer Security R&D, Sandia National Laboratories
  • Hongxia Jin, Senior Director, Advanced Technology Lab, Samsung Research America

CERIAS TechTalk: Vijay Raghunathan, Purdue University

  • Vijay Raghunathan, Associate Professor of Electrical and Computer Engineering

Invited Talk: Deborah Frincke, Director of Research, NSA/CSS

Video to be Available Soon
  • Deborah Frincke, Director of Research, NSA/CSS

CERIAS Awards: Pillar, Diamond and Poster Awards

  • Eugene Spafford, Executive Director, CERIAS, Purdue University

CERIAS Program Overview: CERIAS / Sypris Cyber Range

  • Joel Rasmus, Director of Strategic Relations, CERIAS
  • Scott Peters, Sypris Electronics

Michelle Finneran Dennedy, McAfee/Intel Security

  • Michelle Finneran Dennedy, VP and CPO McAfee/Intel Security

Download (for free!) Michelle Finneran Dennedy’s book “The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value”

Google Play

iTunes – Books

Barnes & Noble

Panel Discussion: Financial Sector Security

  • Sarath Geethakumar, Senior Director of Mobile & Product Security, Visa Inc
  • Jackie Rees Ulmer, Associate Professor, Management Information Systems, Purdue University
  • Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III, Director, Emerging Standards at PCI Security Standards Council
  • Blake Self, Principal Security Architect, US Bank

Firewall Policy Language and Complexity

  • CERIAS TechTalk: Ninghui Li, Professor of Computer Science, Purdue University

Trustworthy Data from Untrusted Services

  • Sunil Prabhakar, Professor and Department Head, Dept. of Computer Science, Purdue University

Indiana – Information Sharing and Analysis Center

  • CERIAS Program Overview: Indiana ISAC, Hans Vargas, CERIAS Alumnus

Closing Comments

Eugene Spafford, Executive Director, CERIAS, Purdue University

Posters & Presentations 2015

Assured Identity and Privacy

A Taxonomy of Privacy-protecting Tools to Browse the World Wide Web

Kelley Misata, Raymond Hansen, Baigan Yang

There is a growing public concern regarding big data and intelligence surveillance of unsuspecting Internet users, and an increase in public conversation around what privacy really means in the digital realm. Although technologies have been developed to help the general public protect their privacy, average users find the tools complex and difficult to decipher. This research aims to weed through some of these complexities by reviewing 6 publicly recognized technologies promoted to help users protect their privacy while browsing the web. The scope will be broad in order to touch on the important aspects of each technology, including its promises, privacy realities, technical construct, ease of use, and drawbacks average users should be aware of before using it.

Data Spillage in Hadoop Clusters

Joe Beckman, Tosin Alabi, Dheeraj Gurugubelli

Data spillage is the undesired transfer of classified information onto an unauthorized compute node or storage medium. The loss of control over sensitive and protected data can become a serious threat to business operations and national security (NSA Mitigation Group, 2012). We seek to understand whether classified data leaked, by user error, into an unauthorized Hadoop Distributed File System (HDFS) can be located, recovered, and removed completely from the server.

Deception in Computing – Where and how it has been used

Jeffrey Avery, Chris Gutierrez, Mohammed Almeshekah, Saurabh Bagchi, Eugene H. Spafford

Deception is defined as “presenting an altered view of reality” and has been used by mankind for thousands of years to influence others’ behavior and decision making. More recently, deception has also been applied to computing in a variety of areas, such as human computer interaction and digital communities. This work surveys different areas of computing to determine where and how they use deception. One area we study in particular is how deception is applied to security practices. This work also shows that while security is a growing field, deceptive practices have not been as readily adopted to improve defense.

FIDO Password Replacement: Spoofing a Samsung Galaxy S5 and PayPal Account Using a Latent Fake Fingerprint

Rylan Chong, Chris Flory, Jim Lerums, David Long, Prof Melissa Dark, and Prof Chris Foreman

Fingerprints are the most common biometric means of authentication. This project was to determine if the Samsung Galaxy S5 and PayPal FIDO Ready implementation was vulnerable to latent fake fingerprint spoofing using Brown’s (1990) and Smith’s (2014) approaches. Latent fake fingerprints could allow an illegitimate user access to secure information.

INSuRE — Information Security Research and Education
Melissa Dark

The INSuRE project is an attempt to pilot and scale a sustainable research network that: 1. connects institution-level resources, university enterprise systems, and national research networks; 2. enables more rapid discovery and recommendation of researchers, expertise, and resources; 3. supports the development of new collaborative science teams addressing new or existing research challenges; 4. exposes and engages graduate students in research activity of national priority at participating institutions; 5. provides for the development and sharing of tools that support research; and 6. facilitates the evaluation of research, scholarly activity, and resources, especially over time.

Malware in Medical Devices

Susan Fowler

Health care facilities are increasingly adopting computers and medical devices into patient care regimens and therapies. Medical devices have evolved to become popular for many purposes, including prolonged managed care using implantable medical devices (IMDs). Wireless communications are becoming popular for these IMDs as well as for networking medical devices in a clinical setting. Along with these advances in technology, security and privacy must be considered to ensure patient privacy and safety. Malware can be introduced in many of the same ways traditional computer systems suffer compromises, with wireless technology compounding these vulnerabilities. Regulations and practices must recognize these threats to the security, availability, and privacy of both health care entities and patients. Keywords: medical device, malware, information security

Monitoring DBMS Activity for Detecting Data Exfiltration by Insiders

Elisa Bertino, Lorenzo Bossi, Syed Rafiul Hussain, Asmaa Sallam

Data represents one of the most important assets of an organization. The undesired release (exfiltration) of sensitive or proprietary data outside of the organization is one of the most severe threats posed by insider cyber-attacks. A malicious insider who has the proper credentials to access organizational databases may, over time, send data outside the organization’s network through a variety of channels, such as email, file transfer, web uploads, or specialized HTTP requests that encapsulate the data. Existing security tools for detecting cyber-attacks focus on protecting the boundary between the organization and the outside world. While such tools may be effective in protecting an organization from external attacks, they are less suitable if the data is being transmitted from inside the organization to the outside by an insider who has the proper credentials to access, retrieve, and transmit data. The “Monitoring DBMS Activity for Detecting Data Exfiltration by Insiders” (MDBMS) project is a research effort developing mechanisms to detect and counter efforts on the part of insiders to extract and exfiltrate sensitive data from government and enterprises.

Privacy-Enhancing Features of Identidroid

Daniele Midi, Oyindamola Oluwatimi, Bilal Shebaro, Elisa Bertino

As privacy today is a major concern for mobile systems, network anonymizers are widely available on smartphone systems such as Android. However, in many cases applications are still able to identify the user and the device by means other than the IP address. Our work provides two solutions that address this problem by providing application-level anonymity. The first solution shadows sensitive data that can reveal the user’s identity. The second solution dynamically revokes, at run time, the Android application permissions associated with sensitive information. In addition, both solutions offer protection from applications that identify their users through traces left in the application’s data storage or by exchanging identifying data messages. We developed IdentiDroid, a customized Android operating system, to deploy these solutions, and built IdentiDroid Profile Manager, a profile-based configuration tool for setting different configurations for each installed Android application.

Private Information Retrieval

Michael Kouremetis, Craig West

Private Information Retrieval (PIR) is an important subject in the field of information retrieval. PIR allows a client to retrieve a record from a server’s database without revealing to the server which record was requested. The goal of our project is to implement a Private Information Retrieval proof of concept utilizing a robust protocol by I. Goldberg (Goldberg’s Protocol). By implementing a proof of concept we will look at the underlying structures and cryptographic protocols used in Private Information Retrieval. With a greater understanding of Private Information Retrieval and its underlying protocols, we would potentially be able to help develop systems that need certain privacy-based queries, an extension beyond just index retrieval.

The Deep Web: An Exploratory Study of Social Networks

Rachel Sitarz and Kelly Cole

The purpose of the current study was to investigate the reasons one would use an anonymous .onion social network. The current study surveyed users of various Tor social networks (n=200) through the use of an unstructured, open-ended questionnaire. Data were analyzed using a Thematic Analysis method. The top 5 themes and demographics were recorded and presented below.

End System Security

Car Hacking: Determining the Relative Risk of Vehicle Compromise

David Hersh

In recent years, cars have gone through a technological renaissance, with each generation containing more features than the previous one. One of the features becoming increasingly common is built-in wireless connectivity, such as Bluetooth, Wi-Fi and 3G. While this added functionality is beneficial to the consumer, this opens up a new avenue of attack for hackers and criminals. But unlike a personal computer, if a car is hacked, the potential negative consequences are much higher. If an adversary can wirelessly exploit a car, they may be able to eavesdrop on conversations, turn off warning lights, and even control brakes and steering. Although multiple groups of researchers have shown that there are major security problems in common consumer vehicles, there is little experimental research on vehicle security. To encourage further research in this area, this work introduces a methodology for assessing the relative risk level of a vehicle (i.e., the risk associated with adding specific features to a vehicle and how they’re implemented).

Data Confidentiality and Integrity

Scott Carr, Mathias Payer

The root cause of most security vulnerabilities is memory corruption. Previous research focused on preventing the memory corruptions that attackers use to change a program’s intended control flow. As these protections become more refined and widely deployed, attackers will resort to non-control data attacks. Non-control data attacks do not divert the intended control flow, but simply read or write data in unintended ways by abusing a temporal or spatial memory safety error or a type error. A recent example of this is the Heartbleed bug, where a buffer over-read allows an attacker to read the server’s private key. This example shows that non-control data attacks can be just as damaging as control-flow hijack attacks. Data Confidentiality and Integrity (DCI) augments the C programming language with a small set of annotations which allow the programmer to select protected data types. The compiler and runtime system prevent illegal reads and writes to variables of these types. The programmer selects types that contain information such as password lists, cryptographic keys, or identification tokens. Allowing the programmer to choose the protected data reduces overhead. Total memory protection mechanisms have been proposed, but have not been widely adopted due to prohibitively high overhead. With DCI, the programmer can specify the subset of security-critical data and only pay the protection overhead for that subset, rather than for all the data in the program. Our prototype shows the practicality of our approach. It effectively protects benchmarks and large programs.

PD3: Policy–based Distributed Data Dissemination

Rohit Ranchal, Denis Ulybyshev, Pelin Angin, Bharat Bhargava

Modern distributed systems (such as composite web services and cloud solutions) comprise a number of hosts which collaborate, interact, and share data. One of the main requirements of these systems is policy-based distributed data dissemination (PD3). In the PD3 problem, the data owner wants to share data with a set of hosts. Each host is only authorized to access a subset of the data. The data owner can directly interact only with a subset of the hosts and relies on these hosts to disseminate data to the other hosts. In order to ensure correct delivery of the appropriate data to each host, each host must forward the entire data set even though hosts are only authorized for a certain subset of it. We provide a formal description of the problem and propose a data-centric approach to address PD3. The approach enables policy-based secure data dissemination and protects data throughout their lifecycle. It is independent of trusted third parties, does not require source availability, and has the ability to operate in unknown environments. The approach is demonstrated through its application to composite web services.

SNIPE: Signature Generation for Phishing Emails

Jeff Avery, Christopher Gutierrez, Paul Wood, Raffaele Della Corte, Jon Fulkerson, Gaspar Modelo-Howard, Brian Berndt, Keith McDermott, Saurabh Bagchi, Dan Goldwasser, Marcello Cinque

Phishing attacks continue to pose a major headache for defenders of computing systems, often forming the first step in a multi-stage attack. Great strides have been made in phishing detection, and email servers have gotten good at flagging potentially phishing messages. However, some insidious kinds of phishing messages pass through filters by making seemingly simple structural and semantic changes to the messages. We tackle this problem through the use of machine learning algorithms operating on a large corpus of phishing and legitimate messages. By understanding common phishing features, we design a system to extract those features and extrapolate their values. The algorithms are specialized for phishing detection, for example handling the use of synonyms or changes in sentence structure. The insights and algorithms are instantiated in a system called SNIPE (Signature geNeratIon for Phishing Emails). To evaluate SNIPE, we collect the largest known corpus of phishing messages (used in any publicly known study) from the central IT organization at a tier-1 research university. Running SNIPE on this dataset exposes some hitherto unknown insights about phishing campaigns directed at university users. SNIPE detects 100% of the phishing messages that had eluded our production deployment of Sophos, a state-of-the-art email filtering tool.

Human Centric Security

Improving the Biometric Data Collection Process through Six Sigma

Rylan C. Chong, T. Grant Goe, Dr. Chad Laux

Six Sigma's applications have been maturing and expanding into other industries, so can Six Sigma be applied to the biometric industry? One area where it could be applied is improving the quality of the data collection process. Six Sigma application was discussed through a case study based on Brockly's study (2013), which investigated what effect biometric multimodal data collection procedures and the test administrators had on the quality of the data collected.

Information Alignment and Visualization for Security Operations Center Teams

Omar Eldardiry, Mallorie Bradlau, Barrett Caldwell

The development of cyber network operations centers (NOCs) has created new needs to support human sensemaking through improved information alignment and visualization. This poster focuses on the information needs and gaps of analyst personnel in network operations centers (NOCs) and security operations centers (SOCs). Our goal is to enhance analyst sensemaking and the usability of the tools that help security analysts monitor, manage and protect their networks from suspicious activity. The project has proceeded in several stages. Building on earlier interview findings, an in-depth investigation and job shadowing was conducted with different SOC teams. The findings highlighted three promising areas of improvement for NOC and SOC tools to improve network operations sensemaking, team performance, and organizational information alignment.

Meaning-Based Machine Learning

Courtney Falk, Lauren Stuart

Meaning-Based Machine Learning (MBML) is a research program intended to show that training machine learning (ML) algorithms on meaningful data produces more accurate results than training on unstructured data.

Natural Language IAS: Style Metrics from Semantic Analysis

Lauren M. Stuart, Julia M. Taylor, Victor Raskin

Stylometry is the quantification of author style such that authorship of a text can be posited, verified, or obfuscated. Style features currently in use capture the surface features of texts (such as punctuation use, misspellings, words or parts of words, and morphology), but some qualities of author style may be better captured by, or in conjunction with, meaning-based features. This poster outlines ongoing work in positing and evaluating author style quantification using meaning representation structures.

Password Coping Mechanisms

Austin Klasa, Dr. Melissa Dark

Passwords are the most common means of authenticating users, and the number of passwords a user must remember is increasing. This leads to the need to classify and study password coping mechanisms. This research project is a literature review and analysis of past research to classify password coping mechanisms and create a password coping mechanism taxonomy.

Network Security

A Visual Analytics based approach on identifying Server Redirections and Data Exfiltration

Weijie Wang, Baijian Yang, Yingjie Chen

How to better find potential cyber attacks is the billion-dollar question facing security researchers and practitioners. In recent years, visualization has been applied in the field of information technology, but most work has not been able to outperform non-visualization-based techniques. In this work, we designed a graphic-based system overview that makes suspicious activities related to server redirection attacks and data exfiltration easier to identify. Due to the nature of the problem, the overview design must be scalable, accurate, and fast. This demands that the system visualize data that can reveal security events rather than simply plotting the raw data. The approach adopted here is to visualize aggregated traffic characteristics. The system is evaluated with the test data sets from VAST 2013 mini-challenge 3. The results are very encouraging and shed a more positive light on applying visual analytics in information security.

Evaluating Public Cloud Providers

Courtney Falk

Security for public cloud providers is an ongoing concern. Programs like FedRAMP look to certify a minimum level of compliance. This project aims to build a tool to help decision makers compare different cloud solutions and weigh the risks against their own organizational needs.

Fast and Scalable Authentication for Vehicular Internet of Things

Ankush Singla, Anand Mudgeri, Ioannis Papapanagiotou, Atilla Yavuz

Modern vehicles are being equipped with advanced sensing and communication technologies, which enable them to support innovative services in the Internet of Vehicles (IoV) era such as autonomous driving. These services depend on the spatial and temporal synchronization of the vehicle with the other entities in its environment. Hence, communication in IoVs must be delay-aware, reliable, scalable and secure to (a) prevent an attacker from injecting or manipulating messages and (b) minimize the impact (e.g., delay, communication overhead) introduced by cryptographic operations. For instance, consider a group of vehicles driving on a highway at high speed. When a vehicle brakes suddenly, this is broadcast to the other vehicles to avoid a collision. If the delay introduced by the cryptographic operations negatively affects the braking distance, a car may not be able to stop in time. Current vehicular communication standards mandate the use of Public Key Infrastructures (PKI) to protect critical messages. However, existing cryptographic mechanisms introduce significant computation and bandwidth overhead, which creates critical safety problems. Developing security mechanisms that can meet the requirements of emerging IoVs is a vital research problem. The overall goal of this research is to develop a new suite of cryptographic mechanisms, supported by a time-valid framework and hardware acceleration, to ensure secure and reliable operation of IoVs. This project develops, analyzes and implements new authentication methods and then pushes their performance to the edge via cryptographic hardware acceleration.

Hardware to Virtual Firewall Migration Heuristic Rules

Ibrahim Waziri Jr

In this era of cloud computing, many data centers rely on a composite security framework consisting of hardware and virtual firewalls. Hardware firewalls are optimized for greater throughput, while virtualized firewalls can scale out to match DoS attempts. To maximize the utility of each form factor, we developed an in-line firewall scheme with a variable filtering point: the primary filtering point moves between the hardware and virtual firewalls based on real-time conditions. The architecture incorporates heuristic-based migration logic. To define the heuristics, a performance evaluation was conducted under two test scenarios: spike tests and an endurance test. Packet throughput was also assessed using JMeter. The results indicate that a threshold approach to filter-point migration maximizes network throughput while offering the insurance of on-demand scalability.

How Secure and Quick is QUIC? Provable Security and Performance Analyses

Robert Lychev, Samuel Jero, Alexandra Boldyreva, and Cristina Nita-Rotaru

QUIC is a secure transport protocol developed by Google and implemented in Chrome in 2013. It currently represents one of the most promising approaches to decreasing latency while intending to provide security properties similar to TLS. In this work we shed some light on QUIC's strengths and weaknesses in terms of its provable security and performance guarantees in the presence of attackers. We introduce a security model for analyzing performance-driven protocols like QUIC and prove that QUIC satisfies our definition under reasonable assumptions on the protocol's building blocks. Our analyses also reveal that, with simple replay and manipulation attacks on some public parameters exchanged during the handshake, an adversary could easily prevent QUIC from achieving minimal latency by causing connection failure, probably resulting in a fallback to TLS.

MIRROR: Automated Race Bug Detection for the Web via Network Events Replay

Sze Yiu Chau, Hyojeong Lee, Byungchan An, Julian Dolby and Cristina Nita-Rotaru

Many web applications are written in an asynchronous style, in which logic is triggered in response to network and user events. While this approach has performance benefits and can provide improved user experience, it also makes applications more error prone since the most used languages such as HTML and JavaScript do not provide any explicit support for concurrency control. We present MIRROR, a minimally-invasive race detector for client-side web applications which leverages recording and automated replaying of network events. Our tool uses a static approximation of happens-before ordering to automatically generate different testing scenarios by changing the order of these network events. Our tool is browser agnostic and can be used for both debugging and race finding as it does not require repeated interaction with the production server. We evaluate MIRROR using a benchmark of eight applications, where each captures a representative buggy coding pattern. Out of the eight applications, MIRROR was able to manifest and detect the bug for seven of them.

Network Forensics of Covert Channels in IPv6

Lourdes Gino D and Prof. Raymond A Hansen

According to Craig H. Rowland, "A covert channel is described as, any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy. Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information". Covert channels in IPv4 have existed for some time, and various detection mechanisms have been developed for them. The advent of IPv6, however, requires new research to identify covert channels and to perform forensics on such attacks. The current study explores the possibilities of performing forensics on covert channels in IPv6.

Security Business Intelligence (SBI) Curriculum – Blazing the Trail

Kelley Misata, Dr. Marcus Rogers

The vision for this project was to create an undergraduate, multi-disciplinary security business intelligence (SBI) curriculum aimed at preparing students for the future of security business intelligence in enterprises. Students will work through the basic processes, life cycles, and data gathering and analysis tools that are critical to SBI in an organizational setting. Learning for this course will be conducted through lectures, lab-based homework assignments, examinations and a presentation project.

Policy, Law and Management

Cyber Forensics: The Need For An Official Governing Body

Ibrahim Waziri Jr, Rachel Sitarz

In this study we identified and addressed some of the key challenges in digital forensics. An intensive review was conducted of the major challenges that have already been identified. Finally, we propose a solution and discuss how a standardized body that governs the digital forensics community could make a difference.

Digital Forensics in Law Enforcement: A Needs Based Analysis of Indiana Agencies

Teri Flory, Rachel Sitarz

Many national needs assessments were conducted in the late 1990s and early 2000s by the Department of Justice and the National Institute of Justice, all of which indicated that state and local law enforcement did not have the training, tools, or staff to effectively conduct digital investigations (Institute for Security and Technology Studies [ISTS], 2002; National Institute of Justice [NIJ], 2004). Some of these needs assessments have also been conducted at the state level, but Indiana is not one of those states (Gogolin & Jones, 2010). Further, there are multiple training opportunities and publications available at no cost to state and local law enforcement, but it is not clear how many agencies use these resources. This pilot study will provide a more up-to-date and localized assessment of the ability of Indiana law enforcement agencies to effectively investigate when a crime involving digital evidence is alleged to have occurred.

U.S. Bank of Cyber

Danielle Crimmins, Courtney Falk, Susan Fowler, Caitlin Gravel, Michael Kouremetis, Erin Poremski, Rachel Sitarz Nick Sturgeon, Yulong Zhang and Dr. Sam Liles

The technical report looked at past cyber attacks on the United States financial industry and analyzed attack patterns by individuals, groups, and nation states to determine whether the industry really is under attack. The analysis explored where attacks originated (individuals, groups, and/or nation states), the types of attack, and any patterns seen. After gathering the attacks and creating a timeline, a taxonomy of attacks was created from the analysis of the attack data. A Strengths, Weaknesses, Opportunities, and Threats (S.W.O.T.) analysis was then applied to the case study of Heartland Payment Systems.

Web Based Cyber Forensics Training

Nick Sturgeon and Dr. Marcus Rogers

There is a specific need for high availability, high quality and low cost training for Law Enforcement officers in the Cyber Forensics Domain.

What Lies Beneath? The Forensics of Online Dating

Dheeraj Gurugubelli, Lourdes Gino and Dr. Marcus K Rogers

If you are an overworked, 25-year-old professional working around the clock, even dating websites can seem uninteresting and too time consuming. Enter the slide, scroll and swipe-based online dating smartphone apps: one can simply scroll through pictures and connect with or pass on profiles with a swipe. Value-added features like geo-location-based user filtering, college-based user matches, megaflirt and user-to-user messaging are available for a small premium subscription fee. This is exactly the phenomenon behind dating apps like Tinder, CoffeemeetsBagel, DateMySchool, Zoosk and many others. Such platforms, which store and share personal information, open doors to cybercriminals who prey on their users. This research aims to discover the digital evidence such apps leave on smartphones.

Prevention, Detection and Response

A Tool For Interactive Visual Threat Analytics and Intelligence, based on OpenSOC Framework

Lourdes Gino D, Dheeraj Gurugubelli and Dr. Marcus Rogers

Cyber Threat Intelligence is a booming area in the field of information security that deals with the aggregation, processing, evaluation and reporting of reliable, real-time information about threats to the cyber world, which encompasses computers, smartphones, tablets and any device that is connected to the Internet. The need for threat intelligence is growing rapidly as the data flowing through the cyber world grows gargantuan and as we move towards an Internet of Things where almost anything is connected to the Internet. Visual Threat Intelligence takes threat intelligence a step further by presenting the data in a human-perceivable way, so as to help make quick and correct decisions to avert cyber threats. The OpenSOC framework provides a unified platform for ingest, storage and analytics. The purpose of this research is to build an open-source visual threat intelligence tool based on the OpenSOC framework, which is built over the Hadoop framework.

Achieving a Cyber-Secure Smart Grid through Situation Aware Visual Analytics

Dheeraj Gurugubelli, Dr. Chris Foreman and Dr. David Ebert

Utilities face enormous pressure to streamline their operations and provide consumption information to consumers for better energy management. Smart meters have been instrumental in achieving better energy management. But like any new deployment of technology, smart meters are prone to cyber attacks, and in this case they are part of the nation's critical infrastructure. The goal of this project is to leverage visual analytics to deliver near-real-time visual insights on smart meter data that help operators make quicker decisions when a cyber response is needed. Cybersecurity of the Advanced Metering Infrastructure (AMI) continues to be one of the top research priorities in the industry right now. Securing the smart grid is about managing a continuum of risk across all the components in the grid within the right timeline. Performing analytics and making decisions based on large volumes of network data in real time would boost response time significantly. This research aims at visualizing network data obtained by processing end-component profile data and network data from AMI networks through a distributed data processing model.

Assessing Risk and Cyber Resiliency

Corey T. Holzer and James E. Merritt

The project is a review of existing risk assessment models and the newly created resiliency frameworks, in order to assess how risk is being calculated and incorporated into cyber resiliency and to examine the underlying assumptions made in forming the current body of knowledge on risk management and analysis in the field of cyber resilience. By comparing current quantitative and qualitative risk solutions, we hope to identify any discrepancies, fallacies, or oversights that may have worked their way into the current orthodoxy of cyber risk management. We intend to use these identified shortcomings to adapt and strengthen the risk management process currently used to analyze risk in the field of cyber resilience.

Basic Dynamic Processes Analysis of Malware in Hypervisors: Type I & II

Ibrahim Waziri Jr

This study compares and analyzes the behavior of malware processes within both Type 1 and Type 2 virtualized environments. To achieve this, we set up two different virtualized environments and thoroughly analyzed the behavior of each malware process. The goal was to see whether malware behaves differently within the two architectures. In the end we found no significant difference in how malware processes run and behave in either virtualized environment. However, our study is limited to basic analysis using basic tools; a more advanced analysis with more sophisticated tools could prove otherwise.

ErsatzPasswords – Ending Password Cracking

Christopher N. Gutierrez, Mohammed H. Almeshekah, Mikhail J. Atallah, and Eugene H. Spafford

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM), at the authentication server. The scheme can be easily integrated with legacy systems without the need for any additional servers, changes to the structure of the hashed password file, or any client modifications. When using the scheme, the hashed passwords file (/etc/shadow or /etc/master.passwd) appears no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatzpasswords, the "fake passwords". When an attempt to log in using one of these ersatzpasswords is detected, an alarm is triggered in the system, signalling that someone has attempted to crack the password file. Even an adversary who knows the scheme cannot launch a cracking attack without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware-dependent function. We discuss our implementation and compare it to the traditional authentication scheme.
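As an added illustration (not the authors' code), here is one way to realize the scheme the abstract describes: the salt field of the shadow entry is overloaded as HDF(password) XOR ersatz, so the stored digest is an ordinary password hash of the ersatz password and only a server holding the HDF can map the real password to it. HMAC under a server-only key stands in for the PUF/HSM; the record layout, the XOR construction and the decoy choice are the editor's assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for the machine-dependent function (PUF or HSM). The key lives
# only on the authentication server; an attacker who exfiltrates the
# password file never sees it. (Assumption: a real deployment keeps this
# inside the hardware rather than in process memory.)
_HDF_KEY = secrets.token_bytes(32)
BLOCK = 32  # width of the HDF output and of the overloaded salt field


def hdf(password: bytes) -> bytes:
    """Machine-dependent function: HMAC-SHA256 under the server-only key."""
    return hmac.new(_HDF_KEY, password, hashlib.sha256).digest()


def slow_hash(salt: bytes, password: bytes) -> bytes:
    """The ordinary stored hash H(salt, password). Any standard password
    hash works here; the on-disk record format is unchanged."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 20_000)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class ShadowEntry:
    salt: bytes    # looks like a salt, actually HDF(password) XOR pad(ersatz)
    digest: bytes  # H(salt, ersatz), an ordinary-looking password hash


def enroll(password: bytes, ersatz: bytes) -> ShadowEntry:
    """Create a shadow entry for `password` whose offline cracking yields
    `ersatz` instead. `ersatz` is a decoy chosen by the server; it should
    look like a plausible password so a cracker does not notice it is fake."""
    if len(ersatz) > BLOCK or b"\x00" in ersatz:
        raise ValueError("ersatz must be at most 32 NUL-free bytes")
    salt = _xor(hdf(password), ersatz.ljust(BLOCK, b"\x00"))
    return ShadowEntry(salt, slow_hash(salt, ersatz))


def verify(entry: ShadowEntry, attempt: bytes) -> str:
    """Returns 'ok', 'denied' or 'alarm'. The HDF is needed to turn the real
    password into the value that hashes to the stored digest, so a cracker
    holding only the file cannot verify guesses for the real password."""
    candidate = _xor(hdf(attempt), entry.salt).rstrip(b"\x00")
    if hmac.compare_digest(slow_hash(entry.salt, candidate), entry.digest):
        return "ok"
    # Wrong password. If the attempt itself hashes straight to the stored
    # digest, the caller is presenting the ersatz password, which can only
    # have been learned by cracking an exfiltrated copy of the file.
    if hmac.compare_digest(slow_hash(entry.salt, attempt), entry.digest):
        return "alarm"
    return "denied"


def offline_crack(entry: ShadowEntry, wordlist):
    """What someone holding the file but not the HDF can do: hash each guess
    the conventional way. Returns the matching word, if any. Against an
    ersatz entry this recovers the decoy and never the real password."""
    for word in wordlist:
        if slow_hash(entry.salt, word) == entry.digest:
            return word
    return None


if __name__ == "__main__":
    entry = enroll(b"correct horse", ersatz=b"tr0ub4dor")
    # Constructed wordlist containing both the real and the decoy password.
    print(offline_crack(entry, [b"wrong", b"correct horse", b"tr0ub4dor"]))
    print(verify(entry, b"correct horse"), verify(entry, b"tr0ub4dor"))
```

The dictionary run against the entry returns the decoy even though the real password is in the list, and a later login with that decoy is what raises the alarm.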

Increasing robustness and resilience: assessing disruptions and dependencies in analysis of System-of-Systems alternatives

Daniel Delaurentis, Karen Marais, Navindran Davendralingam, Zhemei Fang, Cesare Guariniello, Payuna Uday

This poster describes a multi-disciplinary effort, funded by the DoD's Systems Engineering Research Center (SERC), towards establishing a System of Systems Analytic Workbench of computational tools to facilitate better-informed decision-making on SoS architectures. The work seeks to map relevant questions in system-of-systems architectural decisions to an appropriate set of quantitative methods whose analytical outputs directly support those decisions. Such an integrated approach is suited to the problem of increasing robustness and resilience in complex systems, with the goal of preventing or mitigating the effect of disruptions on the overall behavior of the system.

JagWarz Junior: Cyber Security for Young Adolescents

Jasmine Herbert, Rushabh Vyas, Connie Justice, Vicky Smith

Currently there are few methodologies for introducing cyber security to young adolescents. This research examines the importance of teaching cyber security at an early age as well as the significance of introducing it through digital game-based learning. In this study, cyber security will be taught to a sample of young adolescents through a capture-the-flag style game, JagWaRz Junior. The effectiveness of JagWaRz Junior will be measured quantitatively through a pretest and posttest given to the participants. Overall, the game covers ways to handle many of the risks that come with Internet usage at an early age, including but not limited to cyber bullying, pornography, online predators, personal privacy, and password protection. The results of this study will contribute to our understanding of the effectiveness of digital game-based pedagogic learning.

Malware Defense with Access Control Policy and Integrity Levels

Nicole Hands, Harish Kumaravel

With the persistent threat of cyber attacks of many, ever-changing forms, the need for computer systems to have a comprehensive protection schema that can provide security against unknown, known, and polymorphic threats becomes apparent. Working under the premise that compromise is inevitable, the system should be able to detect that it has been compromised and respond in such a way that functionality degrades incrementally. This study represents a synthesis of multiple fields of research from integrity levels of operation to malware detection methods to access control policy. The system function of FTP will be used as a model and broken down into discrete computational units which will each be assigned attributes from which access control policy can be created. Upon change in the state of the attribute based on the premise that this change was caused by malware infection, the system would respond by lowering its integrity level, with processes continuing to function under modified rules. Preliminary work from the study will be presented.

Modeling Deception In Information Security As A Hypergame – A Primer

Christopher N. Gutierrez, Mohammed H. Almeshekah, Jeff Avery, Saurabh Bagchi, and Eugene H. Spafford

Hypergames are a branch of game theory for modeling and analyzing game-theoretic conflicts between multiple players who may have misconceptions about other players' actions, preferences, and/or knowledge. They have been used to model military conflicts such as the Allied invasion of Normandy in 1945, the fall of France in WWII, the Cuban missile crisis, etc. Unlike traditional game theory models, hypergames give us the ability to model the misperception that results from the use of deception, mimicry, and misinformation. There is little work that analyzes the use of deception as a strategic defensive mechanism in computing systems. This poster presents a hypergame model for analyzing computer security conflicts. We discuss how hypergames can be used to model the interaction between adversaries and a system defender, and work through a specific example in which we model the interaction between adversaries who wish to steal confidential data from an enterprise and the security administrators who protect the system. We show the advantages of incorporating deception as a defense mechanism within the hypergame model.

Risk Assessment in Layered Solutions

Christopher Martinez, Robert Haverkos

The transmission of classified (or highly sensitive) data requires a high degree of assurance. This project presents a meaningful method of combining risk assessments for individual security mechanisms into a risk assessment for the overall capability package (the layered solution).

Using Syntactic Features for Phishing Detection

Students: Gilchan Park / Advisor: Julia M. Taylor

The purpose of this research is to explore whether syntactic structures and the subjects and objects of verbs can serve as distinguishing features for phishing detection. To achieve this, we conducted two series of experiments: syntactic similarity between sentences, and comparison of the subjects and objects of verbs. The results indicated that both features can be used for some verbs, but more work has to be done for others. The phishing corpora consist of old and up-to-date phishing emails separated by a gap of over 10 years. To observe whether the patterns in phishing emails have changed over time with respect to the subjects and objects of verbs, we additionally compared the two phishing corpora. The results showed that most subjects and objects were still identical, or similar from a semantic perspective.