Presentation is loading. Please wait.

Presentation is loading. Please wait.

Research Problems in Information Assurance Talk for the second year DPS students Li-Chiou Chen Seidenberg School of Computer Science and Information Systems.

Published byNaomi Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "Research Problems in Information Assurance Talk for the second year DPS students Li-Chiou Chen Seidenberg School of Computer Science and Information Systems."— Presentation transcript:

1 Research Problems in Information Assurance Talk for the second year DPS students Li-Chiou Chen Seidenberg School of Computer Science and Information Systems Pace University 03/15/08

2 © Li-Chiou Chen, CSIS, Pace 2 Agenda Past research projects in Internet-based attacks Ongoing research projects in security usability & web security Student research projects

3 © Li-Chiou Chen, CSIS, Pace 3 Interdisciplinary study in information assurance Technology domain: Security Technology Problem domain: Social, Economical and Policy Issues Research Methodology: Computational Modeling

4 © Li-Chiou Chen, CSIS, Pace 4 Countermeasures for the propagation of computer viruses Problem: What anti-virus strategy works better to slow down the propagation of a new computer virus Method:  Simulate the spread of computer viruses and countermeasures using agent-based simulation  Run on 4 different theoretical network topology and 2 different empirical network topology  Compare five different strategies  Propose a new one – Countermeasure competing (CMC) Past project - Computer viruses

5 © Li-Chiou Chen, CSIS, Pace 5 Results and further research issues Results - countermeasure propagation network is more effective than others when  this network has a few highly connected nodes like P2P networks  the rate of countermeasure propagation is faster than the rate of virus infection Further research  How about zero-day worms?  The same model can be used to discussed the diffusion of ideas, the diffusion of disease, etc Past project - Computer viruses

6 © Li-Chiou Chen, CSIS, Pace 6 Distributed denial-of-service (DDOS) attacks and defenses Past project - Distributed denial of service

7 A research framework for DDOS problems © Li-Chiou Chen, CSIS, Pace 7 Past project - Distributed denial of service

8 © Li-Chiou Chen, CSIS, Pace 8 Further research problems Defenses for attacks against infrastructures, such as routers and DNS servers Assessment of risk attitude of subscribers and providers  E.g., the premium that a subscriber would like to pay in order to avoid the risk of DDOS attacks Procedures for determining a liability assignment Past project - Distributed denial of service

9 © Li-Chiou Chen, CSIS, Pace 9 Security usability of banking web sites What is usability? Problems:  Phishing: users can distinguish legitimate web sites from phishing web sites  a security usability problem of web interface design  What is the status quo?  What can we improve from here? Ongoing project – Security Usability

10 How do you distinguish legitimate web sites from fake ones © Li-Chiou Chen, CSIS, Pace 10 Ongoing project – Security Usability

11 Banking web site survey Top 100 banks from FDIC (Federal Deposit Insurance Corporation) Institution Directory Database Examine the login page of each online banking web site Three types of information  Security indicators: HTTPS, lockpad, security seal  Security certificate: common name, organization name, SSL version, cipher, validity  Site security information: security guide, phishing info, lock next to login Tools: Openssl library, awk, Linux shell programs © Li-Chiou Chen, CSIS, Pace 11 Ongoing project – Security Usability

12 Confusing login interfaces Company web site redirect to a secure server with a login page SSL is negotiated after users enter user name and password Popup windows for login The little secure lock next to login screen has a different meaning in different sites  Some have no links, some link to security information, some change the interface to show security indicators, some connects to 3 rd party certification © Li-Chiou Chen, CSIS, Pace 12 Ongoing project – Security Usability

13 Preliminary Results Number Percentage of total servers surveyed Banking Secure Servers Surveyed80 Login page without certificate padlock and https 19 24% Popup window used for login3 4% Invalid certificate1 1% Bank name is inconsistent with subject name11 14% outsourcing6 8% bank holding company name5 6% © Li-Chiou Chen, CSIS, Pace 13 Ongoing project – Security Usability

14 Cipher exchanged is not always the most secure one © Li-Chiou Chen, CSIS, Pace 14 Cipher SuiteNumber of Servers Percentage of the total server surveyed AES256-SHA13 16% DES-CBC3-SHA4 5% DHE-RSA-AES256-SHA6 8% RC4-MD551 64% RC4-SHA6 8% Total80100% Ongoing project – Security Usability

15 Long validation period might give certificate longer period to be exploited Validity durationNumberPercentage < 2 years5670% =2 years2025% >=3 years 4 (3 of them are between 3-4 years and one is 5 years) 5% Total80100% © Li-Chiou Chen, CSIS, Pace 15 Ongoing project – Security Usability

16 Implications Invalid security certificates: should not be there; defy anti-phishing tools Establish SSL connection after user enters username and password: no way to verify security indicator before login Inconsistent domain name with brand name: 3 rd party secure servers; using domain name checking strategy fails Confusing security indicators: multiple indicators, etc Confusing security information : consumers do not know which one to follow or look at Confusing login visual interface design: popup windows; may suffer visual deception attack Industry common practice do not echo the best available technology: vulnerability with the older versions © Li-Chiou Chen, CSIS, Pace 16 Ongoing project – Security Usability

17 Further research problems Align consumer trust and security on the web Security usability scanner Solve phishing problems from risk management perspectives, where should government put money and resources? Risk identification, reduction, or mitigation © Li-Chiou Chen, CSIS, Pace 17 Ongoing project – Security Usability

18 © Li-Chiou Chen, CSIS, Pace 18 Student Research Projects Joseph Acampora –MS in IS  XML-DNR: A Bandwidth-Saving Technique for Distributed Intrusion Detection Systems Yosef Lehrman – MS in IT  Client-side solutions for phishing prevention Konrad Koenig  Analyzing access control policies of banking data using Secure UML Alex Tsekhansky - DPS  Byzantine fault tolerant DNS for networks with limited PKI infrastructure Student projects

Download ppt "Research Problems in Information Assurance Talk for the second year DPS students Li-Chiou Chen Seidenberg School of Computer Science and Information Systems."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
SECURITY CHECK Protecting Your System and Yourself Source:

SECURITY CHECK Protecting Your System and Yourself Source:
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Research Problems in Information Assurance Talk for the second year DPS students Li-Chiou Chen Information Systems Seidenberg School of Computer Science.

Research Problems in Information Assurance Talk for the second year DPS students Li-Chiou Chen Information Systems Seidenberg School of Computer Science.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Similar presentations

Ads by Google