Intrusion Detection Analysis Project

The goals of this research are to develop a model of data sanitization that describes the relationship between the requirements of security analysis and privacy, and to study the features of attacks launched over a network in an academic environment.
Sanitization:
Data is sanitized when some set of sensitive information is removed or disguised. The data that is sensitive is defined either by patterns (words) or by position. If left intact, the sensitive data would reveal information that a party requires be kept secret. Other work in this area has been on algorithms to transform sensitive data into non-sensitive information (aliases). The problem with this work is that, if the set of sanitized words is known (or can be guessed), a straightforward dictionary attack will reveal the mapping without inverting the hash function. Our focus is on the scheme and system mechanisms to prevent unauthorized rederivation of the original data.
Our approach is to express the requirements for security analysis and the requirements for privacy as properties of the data. Under sanitization, these properties must be preserved. This reduces the problem of balancing privacy and security analysis to a policy decision. Given the proper form of expression, we can analyze the properties to discover inconsistencies (where privacy requires some data be sanitized, and security analysis requires that the data be present), and resolve these problems.
The specific goals of this part of the project are to develop a little language to sanitize data that is amenable to such an analysis; and prove the feasibility of this approach by building a tool to use the language to sanitize network data.
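The following is an added illustration of the sanitization ideas above; it is not the project's tool or little language. It expresses a privacy requirement and an analysis requirement as sets of field names, reports the inconsistency where the two overlap, sanitizes constructed log lines by field pattern or by token position, and contrasts an unkeyed hash alias (recoverable by recomputing it over a small guessed domain) with a keyed alias that cannot be recomputed without the key. The policy sets, log lines, field names and key are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample sensor log lines (not data from the project).
SAMPLE_LOG = [
    "2024-03-01T10:00:00 src=10.0.0.5 dst=10.0.0.9 user=alice action=login",
    "2024-03-01T10:00:07 src=10.0.0.5 dst=10.0.0.9 user=alice action=read file=/etc/passwd",
    "2024-03-01T10:01:00 src=10.0.0.7 dst=10.0.0.9 user=bob action=login",
]

# Requirements expressed as properties over named fields (hypothetical policy).
PRIVACY_SANITIZE = {"src", "user"}                 # privacy: these values must be hidden
ANALYSIS_REQUIRES_RAW = {"src", "dst", "action"}   # analysis: these must stay raw


def find_conflicts(sanitize, required):
    """Fields that one requirement hides and the other needs: a policy inconsistency."""
    return sorted(sanitize & required)


FIELD_RE = re.compile(r"(\w+)=(.+)")


def unkeyed_alias(value):
    """Plain hash alias: consistent, but anyone can recompute it for guessed inputs."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def keyed_alias(value, key):
    """Keyed alias (HMAC): consistent under one key, not recomputable without it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def sanitize_line(line, fields, positions, alias):
    """Replace values selected by field name (pattern) or by token index (position)."""
    out = []
    for i, tok in enumerate(line.split()):
        m = FIELD_RE.fullmatch(tok)
        if i in positions:
            out.append(alias(tok))
        elif m and m.group(1) in fields:
            out.append(f"{m.group(1)}={alias(m.group(2))}")
        else:
            out.append(tok)
    return " ".join(out)


def sanitize_log(lines, fields, key, positions=frozenset()):
    """Sanitize every line with a keyed alias so the same value maps to the same pseudonym."""
    return [sanitize_line(l, fields, positions, lambda v: keyed_alias(v, key)) for l in lines]


def dictionary_recover(alias_value, candidates, alias):
    """Rederivation attempt: recompute the alias for each candidate and compare."""
    for c in candidates:
        if alias(c) == alias_value:
            return c
    return None


if __name__ == "__main__":
    key = b"constructed-secret-key"
    print("conflicts:", find_conflicts(PRIVACY_SANITIZE, ANALYSIS_REQUIRES_RAW))
    for line in sanitize_log(SAMPLE_LOG, PRIVACY_SANITIZE, key):
        print(line)
    hosts = [str(h) for h in ipaddress.ip_network("10.0.0.0/28").hosts()]
    print("unkeyed alias recovered:",
          dictionary_recover(unkeyed_alias("10.0.0.5"), hosts, unkeyed_alias))
    print("keyed alias recovered without key:",
          dictionary_recover(keyed_alias("10.0.0.5", key), hosts,
                             lambda v: keyed_alias(v, b"wrong-guess")))
```

The conflict report is the policy decision the text refers to: the field `src` is both required raw by analysis and hidden by privacy, so one requirement must yield before the sanitizer runs. The keyed alias keeps the property analysis needs most (equal values stay equal across lines) while removing the property an outsider would exploit (the alias can be recomputed from a guess); the holder of the key can still rederive values, which is the authorized path.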
Data Correlation:
Intrusion detection systems are designed to detect attacks against hosts throughout the network. This requires a characterization of the signatures of each attack.
To understand attacks better, we need to be able to describe them, and correlate information from data sensors with attacks to be able to characterize the descriptions in low-level terms. As attacks are usually multi-stage, the description of an attack consists of descriptions of the stages of the attack.
Consider an attack to be a sequence of goals. Each intermediate goal corresponds to successful completion of a stage of the attack. Our hypothesis is that attack tools constructed by composing tools to achieve each goal will generate signatures indistinguishable from those of attack tools available on the Internet. If this hypothesis is true, then the collection of attack tools becomes unnecessary. We need only describe the attack in this way, and we can generate the tool and the relevant signature.
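As an added example of the "attack as a sequence of goals" view (not code from the project), the correlator below describes an attack as an ordered list of stages, each a predicate over sensor events plus per-source state, and advances a source through the stages as its events arrive, raising an alert only when every stage has completed in order. The stage names, the event format and the events themselves are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Stage:
    name: str
    # (event, per-source state for this stage) -> True when the stage's goal is reached
    matches: Callable[[dict, dict], bool]


@dataclass
class AttackDescription:
    name: str
    stages: List[Stage]


# Constructed sensor events from two sources; only 10.0.0.5 completes all stages.
EVENTS = [
    {"t": 1, "src": "10.0.0.5", "type": "conn", "dport": 22},
    {"t": 2, "src": "10.0.0.5", "type": "conn", "dport": 80},
    {"t": 3, "src": "10.0.0.5", "type": "conn", "dport": 443},
    {"t": 4, "src": "10.0.0.7", "type": "auth", "result": "fail"},
    {"t": 5, "src": "10.0.0.5", "type": "auth", "result": "fail"},
    {"t": 6, "src": "10.0.0.5", "type": "auth", "result": "fail"},
    {"t": 7, "src": "10.0.0.5", "type": "auth", "result": "ok"},
    {"t": 8, "src": "10.0.0.5", "type": "proc", "cmd": "crontab"},
    {"t": 9, "src": "10.0.0.7", "type": "auth", "result": "ok"},
]


def recon(ev, st):
    """Goal: the source has touched at least three distinct destination ports."""
    if ev["type"] == "conn":
        st.setdefault("ports", set()).add(ev["dport"])
    return len(st.get("ports", ())) >= 3


def access(ev, st):
    """Goal: a successful login preceded by at least two failures from the same source."""
    if ev["type"] == "auth":
        if ev["result"] == "fail":
            st["fails"] = st.get("fails", 0) + 1
        elif st.get("fails", 0) >= 2:
            return True
    return False


def persist(ev, st):
    """Goal: a scheduling change that would survive the session (hypothetical sensor field)."""
    return ev["type"] == "proc" and ev.get("cmd") == "crontab"


MULTISTAGE = AttackDescription(
    "scan-guess-persist",
    [Stage("recon", recon), Stage("access", access), Stage("persist", persist)],
)


def correlate(events, attack):
    """Run every source through the stage sequence; return (alerts, per-source stage index)."""
    progress: Dict[str, dict] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        p = progress.setdefault(ev["src"], {"stage": 0, "state": {}, "times": []})
        if p["stage"] >= len(attack.stages):
            continue  # already reported for this source
        stage = attack.stages[p["stage"]]
        if stage.matches(ev, p["state"]):
            p["times"].append((stage.name, ev["t"]))
            p["stage"] += 1
            p["state"] = {}  # fresh state for the next stage
            if p["stage"] == len(attack.stages):
                alerts.append({"attack": attack.name, "src": ev["src"], "stages": p["times"]})
    return alerts, {src: p["stage"] for src, p in progress.items()}


if __name__ == "__main__":
    alerts, stage_of = correlate(EVENTS, MULTISTAGE)
    for a in alerts:
        print(a)
    print("partial progress:", stage_of)
```

Because each stage's signature is described in terms of sensor data rather than a particular tool, the same description matches any tool that reaches the same intermediate goals, which is the hypothesis stated above; the per-source progress map also shows sources that completed some stages but not all, which is useful for tuning the stage descriptions against real sensor output.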