Towards improving e-mail content classification for spam control: architecture, abstraction, and strategies

Marsono, Muhammad Nadzir

28 August 2007

This dissertation discusses techniques to improve the effectiveness and the efficiency of spam control. Specifically, layer-3 e-mail content classification is proposed to allow e-mail pre-classification (for fast spam detection at receiving e-mail servers) and to allow distributed processing at network nodes for fast spam detection at spam control points, e.g., at e-mail servers. Fast spam detection allows prioritizing e-mail servicing at receiving e-mail servers to safeguard non-spam e-mail deliveries even under heavy spam traffic. Fast spam detection also allows spam rejection during Simple Mail Transfer Protocol sessions for inbound and outbound spam control. We have four contributions in the dissertation. In our first contribution, we propose a hardware architecture for naive Bayes content classification unit for a high-throughput spam detection computation. We use the logarithmic number system to simplify the naive Bayes computation. To handle the fast but lossy logarithmic number system computation, we analyze the noise model of our hardware architecture. Through noise analysis, synthesis, and verification by numerical simulation, we show that the naive Bayes classification unit, implemented on FPGA is capable of processing, with very low computation noise, more than one hundred million features per second, an order of magnitude faster than that on a general-purpose processor implementation. In our second contribution, we propose e-mail content pre-classification at network layer (layer 3) instead of at application layer (layer 7) as currently being practiced to allow e-mail packet pre-classification and distributed processing for effective spam detection beyond server implementations. By performing e-mail content classification at a lower abstraction level, e-mail packets can be pre-processed, without reassembly, at any network node between sender and receiver. We demonstrated that the naive Bayes e-mail content classification can be adapted for layer-3 processing. We also show that fast e-mail class estimation can be performed at receiving e-mail servers. Through simulation using e-mail data sets, we showed that the layer-3 e-mail content classification is capable of detecting spam with accuracy and false positive values that approximately equal the ones at layer 7. In our third contribution, we propose a prioritized e-mail servicing scheme using a priority queuing approach to improve spam handling at receiving e-mail servers. In this scheme, priority is given higher to non-spam e-mails than spam. Four servicing strategies for the proposed scheme are studied. We analyzed the performance of this scheme under different e-mail traffic loads and service capacities. We show that the non-spam delay and loss probability can be reduced when the server is under-provisioned. In our fourth contribution, we propose a spam handling scheme that rejects spam during Simple Mail Transfer Protocol sessions. The proposed spam handling scheme allows inbound and outbound spam control. It is capable of reducing servers' loadings and hence, non-spam queuing delay and loss probability. We analyze the performance of this scheme under different e-mail traffic loads and service capacities. We show that the non-spam delay and loss probability can be reduced when the server is under-provisioned. In this dissertation, we present four techniques to improve spam control based on e-mail content classification. We envision that our proposed approaches complement rather than replace the current spam control systems. The proposed four approaches are capable to work with existing spam control systems and support proactive spam and other e-mail-based threats such as phishing and e-mail worm controls anywhere across the Internet.

Network security

Spam control

Intelligent online risk-based authentication using Bayesian network model

Lai, Dao Yu

12 May 2011

Risk-based authentication is an increasingly popular component in the security architecture deployed by many organizations in mitigating online identity threat. Risk-based authentication uses contextual and historical information extracted from online communications to build a risk profile for the user that can be used to make accordingly authentication and authorization decisions. Existing risk-based authentication systems rely on basic web communication information such as the source IP address or the velocity of transactions performed by a specific account, or originating from a certain IP address. Such information can easily be spoofed and as such put in question the robustness and reliability of the proposed systems. In this thesis, we propose in this work an online risk-based authentication system which provides more robust user identity information by combining mouse dynamics, keystroke dynamics biometrics, and user site actions in a multimodal framework. We propose a Bayesian network model for analyzing free keystrokes and mouse movements involved in web sessions. Experimental evaluation of our proposed model with 24 participants yields an Equal Error Rate of 6.91%. This is encouraging considering that we are dealing with free text and mouse movements and the fact that many web sessions tend to be short. / Graduate

Risk-based authentication

network security

mouse dynamics

keystroke dynamics

biometric technology

Bayesian network model

Advanced visualizations for network security

Nunnally, Troy J.

12 January 2015

Monitoring volumes of malicious network data for across multiple sources can potentially be overwhelming. As a result, vital data is at a greater risk of being overlooked and the time span for analyzing it could be too lengthy. One way to address this issue is to employ network security visualization techniques to evaluate security risks and identify malicious activity to help mitigate compromised nodes on a network. The purpose of this thesis is to introduce a visualization framework to help reduce task-completion time, enhance situational awareness, and decrease user error of complex visualizations for network security applications. From the developed framework, three techniques are suggested as contributions using visualization and interaction: (1) Stereoscopic visualization technique aims to increase user awareness of vulnerabilities and malicious attacks, (2) the recommender system aims to ensure efficient navigation in complex 3D environments, and (3) an interaction system aims to assist in usability of visualization environments using Natural User Interfaces (NUIs). To investigate the aforementioned techniques, the following tools were created: 3D Stereoscopic Vulnerability Assessment Tool (3DSVAT), Parallel 3D Coordinate Visualization (P3D), NAVSEC recommender system, and Interaction System for Network Security (InterSec).

Natural user interface

Human computer interaction

Security visualization

3D visualization

Vulnerability assessment

Stereoscopic visualization

Network security

Behavioral Mimicry Covert Communication

Ahmadzadeh, Seyed Ali

January 2013

Covert communication refers to the process of communicating data through a channel that is neither designed, nor intended to transfer information. Traditionally, covert channels are considered as security threats in computer systems and a great deal of attention has been given to countermeasures for covert communication schemes. The evolution of computer networks led the communication community to revisit the concept of covert communication not only as a security threat but also as an alternative way of providing security and privacy to communication networks. In fact, the heterogeneous structure of computer networks and the diversity of communication protocols provide an appealing setting for covert channels. This dissertation is an exploration on a novel design methodology for undetectable and robust covert channels in communication networks. Our new design methodology is based on the concept of behavioral mimicry in computer systems. The objective is to design a covert transmitter that has enough degrees of freedom to behave like an ordinary transmitter and react normally to unpredictable network events, yet it has the ability to modulate a covert message over its behavioral fingerprints in the network. To this end, we argue that the inherent randomness in communication protocols and network environments is the key in finding the proper medium for network covert channels. We present a few examples on how random behaviors in communication protocols lead to discovery of suitable shared resources for covert channels. The proposed design methodology is tested on two new covert communication schemes, one is designed for wireless networks and the other one is optimized for public communication networks (e.g., Internet). Each design is accompanied by a comprehensive analysis from undetectability, achievable covert rate and reliability perspectives. In particular, we introduced turbo covert channels, a family of extremely robust model-based timing covert channels that achieve provable polynomial undetectability in public communication networks. This means that the covert channel is undetectable against any polynomial-time statistical test that analyzes samples of the covert traffic and the legitimate traffic of the network. Target applications for the proposed covert communication schemes are discussed including detailed practical scenarios in which the proposed channels can be implemented.

Covert Communication

Information Hiding

Channel Coding

Wireless Security

Network Security

Protocol Design

Electrical and Computer Engineering

Towards securing networks of resource constrained devices: a study of cryptographic primitives and key distribution schemes

Chan, Kevin Sean

25 August 2008

Wireless networks afford many benefits compared to wired networks in terms of their usability in dynamic situations, mobility of networked devices, and accessibility of hazardous environments. The devices used in these networks are generally assumed to be limited in resources such as energy, memory, communications range, and computational ability. Operating in remote or hostile environments, this places them in danger of being compromised by some malicious entity. This work addresses these issues to increase the security of these networks while still maintaining acceptable levels of networking performance and resource usage. We investigate new methods for data encryption on personal wireless hand-held devices. An important consideration for resource-constrained devices is the processing required to encrypt data for transmission or for secure storage. Significant latency from data encryption diminishes the viability of these security services for hand-held devices. Also, increased processing demands require additional energy for each device, where both energy and processing capability are limited. Therefore, one area of interest for hand-held wireless devices is being able to provide data encryption while minimizing the processing and energy overhead as a cost to provide such a security service. We study the security of a wavelet-based cryptosystem and consider its viability for use in hand-held devices. This thesis also considers the performance of wireless sensor networks in the presence of an adversary. The sensor nodes used in these networks are limited in available energy, processing capability and transmission range. Despite these resource constraints and expected malicious attacks on the network, these networks require widespread, highly-reliable communications. Maintaining satisfactory levels of network performance and security between entities is an important goal toward ensuring the successful and accurate completion of desired sensing tasks. However, the resource-constrained nature of the sensor nodes used in these applications provides challenges in meeting these networking and security requirements. We consider link-compromise attacks and node-spoofing attacks on wireless sensor networks, and we consider the performance of various key predistribution schemes applied to these networks. New key predistribution techniques to improve the security of wireless sensor networks are proposed.

Cryptography

Sensor networks

Network security

Computers--Access control

Data protection

Computer security

Data encryption (Computer science)

Framework for botnet emulation and analysis

Lee, Christopher Patrick

12 March 2009

Criminals use the anonymity and pervasiveness of the Internet to commit fraud, extortion, and theft. Botnets are used as the primary tool for this criminal activity. Botnets allow criminals to accumulate and covertly control multiple Internet-connected computers. They use this network of controlled computers to flood networks with traffic from multiple sources, send spam, spread infection, spy on users, commit click fraud, run adware, and host phishing sites. This presents serious privacy risks and financial burdens to businesses and individuals. Furthermore, all indicators show that the problem is worsening because the research and development cycle of the criminal industry is faster than that of security research. To enable researchers to measure botnet connection models and counter-measures, a flexible, rapidly augmentable framework for creating test botnets is provided. This botnet framework, written in the Ruby language, enables researchers to run a botnet on a closed network and to rapidly implement new communication, spreading, control, and attack mechanisms for study. This is a significant improvement over augmenting C++ code-bases for the most popular botnets, Agobot and SDBot. Rubot allows researchers to implement new threats and their corresponding defenses before the criminal industry can. The Rubot experiment framework includes models for some of the latest trends in botnet operation such as peer-to-peer based control, fast-flux DNS, and periodic updates. Our approach implements the key network features from existing botnets and provides the required infrastructure to run the botnet in a closed environment.

Simulation

Simulators

Emulation

Spam

DDoS

Information security

Botnets

Network security

Computer networks Security measures

Computer crimes

Efficient Secure E-Voting and its Application In Cybersecurity Education

Nathan Robert Swearingen (12447549)

22 April 2022

<p>As the need for large elections increases and computer networking becomes more widely used, e-voting has become a major topic of interest in the field of cryptography. However, lack of cryptography knowledge among the general public is one obstacle to widespread deployment. In this paper, we present an e-voting scheme based on an existing scheme. Our scheme features an efficient location anonymization technique built on homomorphic encryption. This technique does not require any participation from the voter other than receiving and summing location shares. Moreover, our scheme is simplified and offers more protection against misbehaving parties. We also give an in-depth security analysis, present performance results, compare our scheme with existing schemes, and describe how our research can be used to enhance cybersecurity education.</p>

Other education not elsewhere classified

System and network security

e-voting

cybersecurity

education

Computer System Security

Education

Secure, privacy assured mechanisms for heterogeneous contextual environments

Vasanta, Harikrishna

January 2006

Location information is used to provide a diverse range of services to users such as emergency, navigation, billing, security, information and advertising services. This information is derived from a broad range of indoor and outdoor technologies. The location information thus derived is of different granularity, different co-ordination system and is controlled by numerous service providers. In addition to this, broad selections of devices are used for providing these services. Having a diverse range of applications requiring location information at different levels of granularity, the need to export location information across multiple devices and the existence of different location determination technologies necessitates the need for heterogeneous location network. These networks derive location information from multiple sources and provides various location-based services to users irrespective of the medium, device or technology used. Security, user privacy and management of location information are some of the important issues that need to be addressed. The main contribution of this thesis is the design of a secure and privacy assured heterogeneous location architecture. A formal methodology was chosen to design the heterogeneous location architecture. The design of the architecture resulted in a novel key distribution protocol and a model for information flow that can be easily encapsulated into applications or architectures having similar requirements. The research also resulted in the enhancement of a proposed location framework for securing critical infrastructures using context-aware self-defending objects. The proposed enhanced framework helps to negate the security vulnerabilities introduced through the use of general-purpose computer systems in critical infrastructures.

heterogeneous location networks

context aware computing

pervasive computing

ubiquitous computing

secure system design

network security

Developing security services for network architectures

Tham, Kevin Wen Kaye

January 2006

In the last 15 years, the adoption of enterprise level data networks had increased dramatically. This is mainly due to reasons, such as better use of IT resources, and even better coordination between departments and business units. These great demands have fuelled the push for better and faster connectivity to and from these networks, and even within the networks. We have moved from the slow 10Mbps to 1Gbps connectivity for end-point connections and moved from copper-based ISDN to fibre-linked connections for enterprise connections to the Internet. We now even include wireless network technologies in the mix, because of the greater convenience it offers. Such rapid progress is accompanied by ramifications, especially if not all aspects of networking technologies are improved linearly. Since the 1960s and 1970s, the only form of security had been along the line of authentication and authorisation. This is because of the widely used mainframes in that era. When the Internet and, ultimately, the wide-spread use of the Internet influxed in the 1980s, network security was born, and it was not until the late 1980s that saw the first Internet Worm that caused damage to information and systems on the Internet. Fast forward to today, and we see that although we have come a long way in terms of connectivity (connect to anywhere, and anytime, from anywhere else), the proposed use of network security and network security methods have not improved very much. Microsoft Windows XP recently switched from using their own authentication method, to the use of Kerberos, which was last revised 10 years ago. This thesis describes the many problems we face in the world of network security today, and proposes several new methods for future implementation, and to a certain extend, modification to current standards to encompass future developments. Discussion will include a proposed overview of what a secure network architecture should include, and this will lead into several aspects that can be improved on. All problems identified in this thesis have proposed solutions, except for one. The critical flaw found in the standard IEEE802.11 wireless technology was discovered during the course of this research. This flaw is explained and covered in great detail, and also, an explanation is given as to why this critical flaw is not fixable.

secure network architecture

security services

protocols

denial-of-service

network security

worm

denial-of-service

Engineering Trusted Location Services and Context-aware Augmentations for Network Authorization Models

Wullems, Christian John

January 2005

Context-aware computing has been a rapidly growing research area, however its uses have been predominantly targeted at pervasive applications for smart spaces such as smart homes and workplaces. This research has investigated the use of location and other context data in access control policy, with the purpose of augmenting existing IP and application-layer security to provide fine-grained access control and effective enforcement of security policy. The use of location and other context data for security purposes requires that the technologies and methods used for acquiring the context data are trusted. This thesis begins with the description of a framework for the analysis of location systems for use in security services and critical infrastructure. This analysis classifies cooperative locations systems by their modes of operation and the common primitives they are composed of. Common location systems are analyzed for inherent security flaws and limitations based on the vulnerability assessment of location system primitives and the taxonomy of known attacks. An efficient scheme for supporting trusted differential GPS corrections is proposed, such that DGPS vulnerabilities that have been identified are mitigated. The proposal augments the existing broadcast messaging protocol with a number of new messages facilitating origin authentication and integrity of broadcast corrections for marine vessels. A proposal for a trusted location system based on GSM is presented, in which a model for tamper resistant location determination using GSM signaling is designed. A protocol for association of a user to a cell phone is proposed and demonstrated in a framework for both Web and Wireless Application Protocol (WAP) applications. After introducing the security issues of existing location systems and a trusted location system proposal, the focus of the thesis changes to the use of location data in authorization and access control processes. This is considered at both the IP-layer and the application-layer. For IP-layer security, a proposal for location proximity-based network packet filtering in IEEE 802.11 Wireless LANs is presented. This proposal details an architecture that extends the Linux netfilter system to support proximity-based packet filtering, using methods of transparent location determination through the application of a pathloss model to raw signal measurements. Our investigation of application-layer security resulted in the establishment of a set of requirements for the use of contextual information in application level authorization. Existing network authentication protocols and access control mechanisms are analyzed for their ability to fulfill these requirements and their suitability in facilitating context-aware authorization. The result is the design and development of a new context-aware authorization architecture, using the proposed modifications to Role-based Access Control (RBAC). One of the distinguishing characteristics of the proposed architecture is its ability to handle authorization with context-transparency, and provide support for real-time granting and revocation of permissions. During the investigation of the context-aware authorization architecture, other security contexts in addition to host location were found to be useful in application level authorization. These included network topology between the host and application server, the security of the host and the host execution environment. Details of the prototype implementation, performance results, and context acquisition services are presented.

Pervasive

ubiquitous

authorization

access control

location

trusted location

context

context-aware

network security