
Foresight: Countering Malware through Cooperative Forensics Sharing

With the Internet's rapid growth has come a proportional increase in exposure to attacks, misuse and abuse. Modern viruses and worms cause damage much more quickly than those created in the past. The fast replication and epidemic nature of their spread limits the time security experts have to respond and to protect and fortify their systems. A pathogen might infect thousands of machines and cascade across the network, producing consequences that could overwhelm the Internet very quickly. Such attacks have the potential to make any human response to them all but ineffective. While pathogens are becoming much more aggressive, there is also a significant delay between the identification of a new threat and the generation of a cure for it. Worms and viruses have been able to cause significant damage in this 'submission to cure generation' window of vulnerability. Having timely and credible security information is thus becoming critical to network and security management.

The main hypothesis behind our research is that sharing threat information and forensic evidence among cooperating domains yields important benefits for dealing with modern-day pathogens in a timely fashion. The idea is that each host might have incomplete, approximate or inexact information about a particular threat or attack. We can get a more comprehensive view of the extent and nature of developing threats by observing suspect behavior and combining information gathered from different vantage points. A better understanding of the pathogen allows for effective and timely immunization in order to thwart epidemic cascading of threats. We also propose cooperative policing mechanisms as an effective approach to trace large-scale distributed threats like DDoS attacks. Increased cooperation amongst domains helps to mitigate such attacks nearer to their sources, so that their effects on the overall network are minimized.

This thesis leverages experiences and ideas from the fields of cryptography, machine learning, security and multi-agent systems to build Foresight: an Internet-scale threat analysis, indication, early warning and response architecture. Foresight allows cooperating domains to share a global threat view in order to detect zero-day pathogens and isolate them using cooperative policing mechanisms.

- We describe a novel behavioral signature scheme to extract a generalized footprint for multi-modal threats. Blended or multi-modal threats combine the characteristics of viruses, worms, trojan horses and malicious code to initiate, transmit and spread attacks. By using multiple methods and techniques, blended threats can quickly spread and surpass defenses that address only a single type of malicious activity, and hence are much more difficult to defend against. System performance analysis, through trace-based simulations, shows significant benefits from sharing forensics data between cooperating domains.

- We present Mail-trap, an anomaly-based system that catches zero-day email-borne pathogens and retards their growth through effective behavior monitoring of mail traffic and active forensics sharing between cooperating domains. Mail-trap relies on Foresight's cooperative policing model to identify and pre-empt email-borne threats. Our results show that behavior monitoring alone can be an effective tool for malware detection. Cooperation amongst domains greatly increases the effectiveness of our approach: domains are able to pre-empt attacks and respond to malware behavior that they have not seen before. We also analyze various immunization/prevention and containment techniques.

- We present AMP, a service architecture for countering distributed denial of service attacks using alert sharing and cooperative policing mechanisms. Our simulation architecture enables us to test the system with actual benign and worm traffic traces and realistic network topologies. AMP does not require universal deployment and is complementary to other schemes for countering DDoS attacks; with the use of collaborative policing techniques, however, the performance of the scheme can be improved greatly.

- We also present a prototype implementation of Paranoid, a novel global secure file sharing mechanism which can be used to allow secure resource access across administrative domains. We describe the design of a trust-based cooperation scheme to create a global community which is more accountable and hence less vulnerable to attacks and abuse.

Identifier: oai:union.ndltd.org:DUKE/oai:dukespace.lib.duke.edu:10161/830
Date: 08 August 2008
Creators: Zaffar, Fareed M
Contributors: Kedem, Gershon
Source Sets: Duke University
Language: en_US
Detected Language: English
Type: Dissertation
Format: 12242299 bytes, application/pdf
