Vision Statement

Current Research

Security Issues with the IP Multimedia Subsystem (IMS): A White Paper (PDF)

Advanced Tactical Intrusion Detection and Vulnerability Assessment

Aligning Societal Values, Privacy Policy, and IT Requirements

A Broad Information Security Curriculum Integrating Technologies and Policies

Building Trust to Protect Services and Clients in Open Networks

Career: Building & Effective Defense Measures Against Network Denial of Service Attacks

Career: Exploring the Power of Safe Areas of Computation

Career: A Framework for Developing and Deploying Adaptive Intrusion Detection Models

Critical Infrastructure Protection (CIP)

A Data Mining Approach for Building Cost-Sensitive and Light Intrusion Detection Models

Denial of Service Attacks: Taxonomy and Protections

Evidence Extraction and Link Discovery

Georgia Enterprise Information Security Program

Information Security Laboratory

Intrusion Detection Sensor Networks

ITR/SI: Guarding the Next Frontier: Countering Denial of Information

Mandatory Human Participation: A New Paradigm for Building Secure Systems

Mechanisms for Securing Emerging Applications

Regional Computer Forensics Laboratory

A Secure Store for Managing Personal Information

Securing Applications in the Aware Home

Securing Scalable Distributed Services

Security for Advanced Digital Cable Systems

Security and Efficiency of Code Slicing for Smart Cards

Security Issues for Real Time Network Protocols and Applications

Security Support to the Georgia Crime Information Center

Southwest Border States Anti-Drug Information System

Vulnerability Assessment Tools for Complex Information Networks

Title: Advanced Tactical Intrusion Detection and Vulnerability Assessment
PI: Cannady
Summary:
As the Academic PI for the program, GTRI will conduct basic research in revolutionary intrusion detection and analysis techniques for the U.S. Army Future Combat System (FCS). With the ultimate objective of developing a comprehensive, integrated intrusion detection and response system for FCS, we will concentrate our research efforts in the program in four parallel areas of investigation. The research activities in this task will include the investigation of methods that will enable the efficient acquisition of information from a variety of tactical information sources. This research area will contribute to the development of an effective method of intrusion detection and response by developing new methods of collecting network data from distributed nodes with intermittent connectivity for use in intrusion and vulnerability analysis. The information will then be processed using innovative knowledge representation capabilities based on adaptive threat models. These intrusion representations will enable the detection of complex attacks in the FCS network environment by enhancing the management of data that will often be incomplete, noisy, and potentially originating from network components that may be in insecure areas of the battlefield. This subtask will include research on selective data collection from these dynamic sources. We will also develop new methods of correlation and inferencing of tactical information to identify complex attacks in FCS networks. The research conducted in this subtask will concentrate on the correlation of data from FCS network components that have intermittent connectivity in a self-configuring architecture. Finally, we will investigate new methods of reasoned response to attacks that are conducted against FCS components. In particular, the research efforts in this area will facilitate the analysis of self-configuring networks.
These research activities will be integrated in subsequent years to produce highly accurate vulnerability assessment and intrusion detection systems for FCS.

Title: Aligning Societal Values, Privacy Policy, and IT Requirements
Co-PIs: Potts, Anton (NC State)
Summary:
The guarantee and assurance of privacy must be included in the design of information technologies from the onset. This research focuses on how society uses, values, and protects citizens’ personal information. From the perspective of system design, software engineers need methods and tools to enable them to design systems that reflect those values and protect personal information, accordingly. This research examines how privacy considerations and value systems influence the design, deployment, and consequences of information technology.

Title: A Broad Information Security Curriculum Integrating Technologies and Policies
PI: Ahamad
Co-PIs: dos Santos, Xu, Goodman, Namuduri (Clark Atlanta U)
Summary:
Georgia Tech teams with Clark-Atlanta University to design and develop an innovative and broad curriculum that could be used to train future information security professionals. The development and implementation of the curriculum requires the identification of the body of knowledge for each course. It will also be necessary to create teaching materials and projects for the courses. The creation of such materials will be a key component of the proposed work. A laboratory where the projects can be done in a controlled environment will also be developed as part of this project. The curriculum development and its implementation will enable a variety of programs in the information security area for a diverse body of students. These programs include an undergraduate specialization, a Master’s certificate and a concentration area for doctoral students. The courses that support these programs will be available to students from Georgia Tech, Clark-Atlanta and other historically black colleges and universities that are located in Atlanta. These students will be able to meet the critical needs that have motivated the Federal Cyber Service Program.

Title: Building Trust to Protect Services and Clients in Open Networks
Co-PIs: Ahamad, Pu
Summary:
This proposal seeks to develop novel techniques to harden the critical infrastructure against both denial-of-service and denial-of-information attacks at a level where effective access control mechanisms can be deployed. In particular, the project will develop a uniform set of mechanisms to answer the following questions:

  1. Is the source of a request for a service a legitimate client of the service? In other words, should the client be granted access to the service and can it be trusted to use the service’s resources in a reasonable manner?
  2. Can information supplied by a service be trusted to meet the needs of a client that has made the request?

Title: Career: Building & Effective Defense Measures Against Network Denial of Service Attacks
PI: Xu
Summary:
The recent tide of distributed Denial of Service (DoS) attacks against well-known websites demonstrates how devastating the distributed DoS attacks are and how defenseless the Internet is under such attacks. The project proposes to design, implement, and evaluate a set of practical and effective protection measures against present and potential DoS attacks, in current and future networks.

Title: Career: Exploring the Power of Safe Areas of Computation
PI: dos Santos
Summary:
Current computer systems and software used by the average user offer virtually no security. A general approach to increase the level of security provided to users when interacting with otherwise unsafe applications and computing systems has been proposed, called Safe Areas of Computation (SAC). The SAC uses trusted devices, such as smart cards, to provide an area of secure processing and storage. This research proposes to develop the SAC approach to work in heterogeneous, complex environments and to classify the effectiveness of the approach in protecting systems in general.

Title: Career: A Framework for Developing and Deploying Adaptive Intrusion Detection Models
PI: Lee
Summary:
Current intrusion detection systems are not capable of detecting new attacks. They are usually statically configured and, as a result, can easily become the target of subversion. The project seeks to develop "adaptive" intrusion detection systems. New attacks are detected first as anomalies. A semi-automatic modeling engine then computes a more efficient misuse detection model using the anomaly data. The run-time architecture includes multiple detection components and a manager/monitor so that run-time detection performance can be monitored and detection workload can be redistributed when necessary. Attack scenario analysis techniques are used to predict the likely forthcoming attacks to help proactively configure the intrusion detection system.

Title: Critical Infrastructure Protection (CIP)
PI: Goodman
Summary:
This proposal provides analytical support and policy-relevant advice to the Principal Assistant Secretary of Defense for C3I in its mission as the lead agency for protecting the defense critical infrastructure under Presidential Decision Directive 63.

Title: A Data Mining Approach for Building Cost-Sensitive and Light Intrusion Detection Models
Co-PIs: Lee, Stolfo (Columbia), Chan (Florida Tech), Doug Reeves (NCSU)
Summary:
A mere high statistical accuracy should not be the main goal of an IDS; rather, the more important goal should be the maximum reduction in intrusion damage cost with minimum IDS operational cost. This project seeks to study the theoretical foundations and the development approaches for cost-sensitive intrusion detection systems. In particular, we are focusing on: study of the cost factors, cost models, and cost metrics related to intrusion detection; development of automated techniques for building cost-sensitive models that are optimized for user-defined cost metrics; and design of a system architecture for dynamically activating and configuring light intrusion detection modules that each specializes for a set of similar intrusions.

Title: Denial of Service Attacks: Taxonomy and Protections
Co-PIs: dos Santos, Xu
Summary:
This proposal will survey all existing forms of DoS and DDoS attacks and investigate vulnerabilities in existing systems that would invite new types of DDoS attacks. In addition, we propose to generalize the methods and characteristics of DDoS attacks, instead of concentrating on the characteristics of each different attack or the attack signatures of different tools. In order to better understand and generalize the attacks, we will classify them according to different categories. These categories include:

  1. How damaging the attack in its current form is, and how damaging it would be five years from now, based on the projected improvement of CPU speed and network bandwidth at the attackers’ side?
  2. For each known DDoS attack, how effective are existing countermeasures? Will the existing countermeasures continue to be effective five years from now, taking into consideration the improvement of CPU speed and network bandwidth?
  3. In countering DDoS attacks, how to be creative and proactive? We should not only study known DDoS attacks, but also closely examine widely used networking and application protocols for unknown vulnerabilities.

Considering that a new vulnerability found and fixed could mean many disasters averted, this effort is both meaningful and important. We would especially look for those vulnerabilities that, if fixed, could make many types of DDoS attacks impossible.
The proposal will classify the existing DoS and DDoS attacks and generalize them in order to model DDoS independently of the particular tools that implement them. Modeling the characteristics of DDoS attacks will enable a better understanding of current attacks, which will be used to validate (or invalidate) current protection mechanisms and serve as a basis for future research on DDoS detection and prevention techniques. This work will provide data to evaluate approaches being proposed to detect and prevent DDoS, e.g., protection mechanisms based on active network techniques. In addition, this work would complement our ongoing research on introducing new and more effective countermeasures that protect the targeted resources from being depleted.

Title: Evidence Extraction and Link Discovery
PI: Lee
Summary:
The current generations of data mining or machine learning algorithms are not capable of finding attack/fraud evidence that is embedded across multiple data sources. The project seeks to develop link analysis techniques to address this problem.

Title: Georgia Enterprise Information Security Program
PI: Wandelt
Summary:
GTRI is assisting the GTA in the development of the Georgia Enterprise Information Security Program (GEISP). In order to realize Georgia’s enterprise IT vision enabling e-commerce and a trusted digital government, it is imperative that a comprehensive and sustaining Enterprise Information Security Program be established. GTRI’s support will include:

  1. Implement state security infrastructure (people, policy and procedures, technology, training, and management, organizational and operational controls), necessary to ensure the confidentiality, integrity, and availability of state information assets over the entire life cycle.
  2. Create partnerships between state government, academia, and the private sector to nurture information security education and research opportunities.
  3. Build a state Public Key Infrastructure solution that provides a high level of assurance supporting e-commerce and digital government applications.

Title: Information Security Laboratory
PI: dos Santos
Summary:
This proposal will establish a laboratory consisting of heterogeneous machines and networking hardware from a number of vendors. In addition to its instructional role, the laboratory will also support a research program that will explore tools and techniques to identify and address vulnerabilities in system and application software.

Title: Intrusion Detection Sensor Networks, collaboration w/ Scientific Systems.
PI: Lee
Summary:
This project seeks to develop a distributed architecture where sensors (or detection agents) specialized in various audit data sources can collaborate to detect distributed/coordinated attacks.

Title: ITR/SI: Guarding the Next Frontier: Countering Denial of Information
PI: Ahamad
Co-PIs: dos Santos, Lee, Liu, Mark, Pu, Omiecinski
Summary:
The critical nature of the information infrastructure has been well documented by recent studies. Because applications important to our society’s well being will depend on the services of the Internet, Quality of Service (QoS) is an important ongoing area of research. Although a sufficient amount of resources in a system can be used to meet desired QoS needs, Denial of Service (DoS) attacks are a major threat to QoS in open distributed environments. We claim that as applications become information rich, in addition to QoS requirements, they will also depend on the timely availability of high quality information. Thus, meeting Quality of Information (QoI) needs of applications will be the next major challenge after QoS. Analogous to DoS attacks against QoS, Denial of Information (DoI) attacks are the major malicious threat against QoI. In particular, by deliberately introducing noise, a malicious adversary can confuse an information system and severely limit its ability to provide critical information to applications in a timely fashion.

Examples of DoI attacks already exist and their likelihood will only increase as more information rich applications are deployed over the Internet. At the same time, there is little work in the areas of secure and survivable systems that addresses DoI attacks and how to counter them. This project will focus on techniques that can be utilized to meet the QoI needs of applications in the face of DoI attacks. Our research will lead to characterizations of QoI metrics that are particularly relevant in the presence of DoI attacks. In particular, we define two complementary QoI metrics. Information regularity, the first metric, captures predictability in the patterns of information creation, content, update and access rates. Thus, a significant change in this metric could indicate a potential DoI attack, and the change could be used to sound an alarm. QoI-trust, the second metric, captures the known ability of the information sources to meet the needs of consumers. Sources that have low values of QoI-trust can be filtered out, as they are not known to be trustworthy. We will explore techniques that can be used to determine the values of these QoI metrics in an open distributed environment. As future applications become increasingly information rich, we believe that results such as the ones obtained by this research will be key enablers in our ability to guard the information frontier of the Internet.

Title: Mandatory Human Participation: A New Paradigm for Building Secure Systems
PI: Xu
Co-PIs: Essa, Lipton
Summary:
Denial of service (DoS) is one of the most difficult security problems to address. While most existing techniques (e.g., IP traceback) focus on tracing the location of the attackers after the fact, little is done on how to mitigate the effect of an attack while it is raging on. We design a system that can sustain the availability of web services during severe DoS attacks. One of the techniques used in this system is called "Mandatory Human Participation (MHP)." It is a novel authentication scheme that asks the question "are you human?" (instead of "who are you?") and, upon the correct answer to this question, can prove a principal to be a human being instead of a computer program. MHP helps solve old and new problems in computer security that existing security measures cannot address properly, such as denial of service at the application layer.

Title: Mechanisms for Securing Emerging Applications
PI: Ahamad
Co-PIs: Essa, Venkateswaran
Summary:
As computers become pervasive in the home and community, new applications will emerge that will make daily living easier by automating or assisting in a variety of human activities. Such applications will be information rich and they will create and manipulate sensitive information about the activities of their users, and the environment in which they live and work. At the Georgia Institute of Technology, an information rich "Aware Home" has been built to explore many such applications. Clearly, it is important that such applications be secured if they are to be deployed successfully. This project will undertake a range of research activities to secure future applications. These include new security policies for such applications, and intuitive and flexible access control models. A variety of automatic user identification techniques will also be investigated to authenticate sources of requests without requiring burdensome participation from the users making the requests. New notions of integrity for information accessed from outside sources will be developed. The authorization, authentication and integrity mechanisms will be used to build security services for emerging applications. The use of formal models will be explored to study important properties of the new security policies and access control models.

Title: Regional Computer Forensics Laboratory
PI: Cannady
Summary:
GTRI is working with the Atlanta Field Office of the FBI to create a regional computer forensics laboratory on the Georgia Tech campus. The laboratory will serve as a state-of-the-art facility for federal, state, and local law enforcement agencies to develop evidence of computer-based criminal activity.

Title: A Secure Store for Managing Personal Information
Co-PIs: Ahamad, Venkateswaran
Summary:
As information rich applications proliferate in the home and community, secure storage of information created and manipulated by such applications will become increasingly important. For example, sensors such as cameras can record information about the residents and their activities in the Broadband Residential Laboratory. Clearly, such information could be private, and the storage service where it is kept must secure access to it. Other information such as medical or financial records also needs to be stored securely. The increased reliance of people on applications that will be deployed in future homes and community institutions (e.g., school or city hall) motivates the design of a secure storage service that will meet the following security requirements:

  1. confidentiality so that private information is not disclosed to unauthorized parties,
  2. integrity which implies that its content can be trusted, and
  3. availability, which means that critical information can be provided to applications when they need it.

The goal of this project is to build a secure storage service for the home and community environment that will meet these security needs.

Title: Securing Applications in the Aware Home
Co-PIs: Ahamad, Abowd
Summary:
We have developed a new access control model to support the flexible security policies that will be needed to secure applications in the Aware Home. The Generalized Role Based Access Control (GRBAC) model is novel because it allows controlled access to information and resources based not only on the user or subject role but also on the security relevant state of the environment. For example, the location or time of a request could be used in deciding if a request should be granted or denied. Such security relevant environment state is abstracted as system roles that need to be activated prior to granting a request. The activation of both subject and system roles requires information about the source of the request as well as the context in which it is made. In the Aware Home, the Context Toolkit already collects such information and makes it available to other applications and services. Thus, GRBAC based security services can exploit the facilities provided by the Context Toolkit if the information provided by it can be trusted. We will explore the integration of the Context Toolkit and the security services by addressing the following problems. Our proposed work integrates the security research with the Context Toolkit and the user end work on characterizing security needs that is going on in the Aware Home project. It will also result in concrete services that can meet the security needs of applications that want to control access to information generated in the home or to other resources that exist in the home. We will work with application researchers to understand the security policies and their expression using the access control model.
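The following is an added illustration of the GRBAC idea described above, not code from the Aware Home project: subject roles come from the user, system (environment) roles are activated from context such as time and location, and a rule grants access only when both sets of required roles are active. The rule set, role names and the `source_trusted` flag standing in for "can the Context Toolkit's information be trusted" are all hypothetical.

```python
from dataclasses import dataclass
from typing import Tuple

# Hypothetical request context. In the Aware Home this would come from the
# Context Toolkit; source_trusted models whether that provider is trusted.
@dataclass(frozen=True)
class Context:
    user: str
    location: str       # e.g. "home", "office", "unknown"
    hour: int           # 0-23, local time of the request
    source_trusted: bool

# A GRBAC-style rule: every listed subject role AND every listed environment
# (system) role must be active for the rule to grant the action.
@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    subject_roles: frozenset
    env_roles: frozenset

# Constructed subject-role assignments (not a real deployment).
SUBJECT_ROLES = {
    "alice": frozenset({"resident"}),
    "bob": frozenset({"guest"}),
    "carol": frozenset({"caregiver"}),
}

# Constructed policy: residents may view the camera feed only while at home,
# caregivers only while at home during the day; residents may always unlock
# the door, guests only during the day.
POLICY = [
    Rule("camera_feed", "read", frozenset({"resident"}), frozenset({"at_home"})),
    Rule("camera_feed", "read", frozenset({"caregiver"}), frozenset({"at_home", "daytime"})),
    Rule("front_door", "unlock", frozenset({"resident"}), frozenset()),
    Rule("front_door", "unlock", frozenset({"guest"}), frozenset({"daytime"})),
]


def active_env_roles(ctx: Context) -> frozenset:
    """Activate environment (system) roles from the request context."""
    roles = set()
    roles.add("daytime" if 8 <= ctx.hour < 22 else "night")
    if ctx.location == "home":
        roles.add("at_home")
    return frozenset(roles)


def authorize(ctx: Context, resource: str, action: str) -> Tuple[bool, str]:
    """Default-deny check: a rule matches when its resource/action match and
    its required subject and environment roles are all active."""
    if not ctx.source_trusted:
        # Untrusted context cannot activate environment roles, so no rule
        # that depends on them can fire; deny everything for safety.
        return False, "context source untrusted; environment roles not activated"
    subject = SUBJECT_ROLES.get(ctx.user, frozenset())
    env = active_env_roles(ctx)
    for rule in POLICY:
        if (rule.resource, rule.action) != (resource, action):
            continue
        if rule.subject_roles <= subject and rule.env_roles <= env:
            return True, f"granted by rule {sorted(rule.subject_roles)}+{sorted(rule.env_roles)}"
    return False, "no matching rule (default deny)"


if __name__ == "__main__":
    for ctx, res, act in [
        (Context("alice", "home", 14, True), "camera_feed", "read"),
        (Context("alice", "office", 14, True), "camera_feed", "read"),
        (Context("carol", "home", 23, True), "camera_feed", "read"),
        (Context("bob", "home", 23, True), "front_door", "unlock"),
        (Context("alice", "home", 14, False), "front_door", "unlock"),
    ]:
        ok, why = authorize(ctx, res, act)
        print(f"{ctx.user:6} {act:7} {res:12} -> {'ALLOW' if ok else 'DENY '} ({why})")
```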

Title: Securing Scalable Distributed Services
PI: Ahamad
Summary:
As information systems become a greater part of our lives, a variety of new applications will emerge which will allow widely distributed users to share and manipulate continuously evolving information. The problem of providing secure access to such information in a timely fashion is highly challenging in wide area environments where the applications will be deployed. The project focuses on an integrated approach that will explore the scalability and security of such demanding applications. To provide interactive response time to requests for shared information, a variety of consistency models and protocols will be developed, and they will specifically address the timeliness needs of applications. To secure the applications, a new context-aware security approach will be explored. In this approach, access can be controlled not only based on the user that makes the request but also on the security relevant context of the request. An access control model based on this approach as well as relevant security services will be developed. A general service architecture that employs the scalability mechanisms and the associated services will be built in a distributed object based middleware system. The effectiveness of these services will be evaluated using novel applications and workloads.

Title: Security for Advanced Digital Cable Systems
PI: Copeland
Summary:
Scientific-Atlanta has donated the equipment to ECE for a two-way digital CATV communications research laboratory. The Scientific-Atlanta head-end system consists of a satellite antenna and digital receivers, digital network control system, broadband integrated gateway, head-end QPSK and QAM modulators, DAVIC controller, and several Explorer digital home communications terminals with facilities for software development. It is located in the Communications Systems Center laboratory in the Georgia Center for Advanced Telecommunications Technology (GCATT) building. The Scientific-Atlanta equipment will be the basis of a Two-way Digital CATV Communications Research Laboratory. The S-A system will consist of a satellite antenna and digital receivers, Digital Network Control System, Broadband Integrated Gateway, head-end QPSK and QAM modulators, DAVIC Controller, and twenty Explorer 2000 Digital Home Communications Terminals with facilities for software development. The latter have the Power TV operating system with support for HTML and JavaScript and the Power Key system for security and conditional access. A steerable 4.5-meter satellite dish with C-band and Ku-band receivers completes the installation. Students will use the facility to do research projects on the following:

  1. Network Access Protocols
  2. CATV Network Security
  3. CATV Digital Network Modeling and Measurements
  4. Telephony over Cable
  5. Video-conferencing over Cable
  6. Video on Demand
  7. Home Communications Terminal based Applications Software

Development of set-top based software for application areas such as E-Commerce and others that require a real-time operating system and special security features is also possible.

Title: Security and Efficiency of Code Slicing for Smart Cards
Co-PIs: dos Santos, Pande
Summary:
The application domains of smart cards are rapidly increasing; smart cards are being used in many areas such as health care, finance, etc. Privacy and security demands, coupled with real time response needs, are critical to the success of newer application domains on smart cards. The resources locally available on smart cards, such as the limited local memory and registers, pose interesting challenges to the mapping of applications. Future applications will involve downloading mobile code on demand onto smart cards, compiling it just-in-time (JIT) and executing it. Given the limited budgets on memory and computing power, standard techniques involving encryption tend to be less attractive due to their heavy demands on storage. In this work, we investigate techniques that are orthogonal to encryption, resorting to compiler analysis of mobile code. Our goal is to synthesize "slices" of mobile code and send them one-by-one on demand. The key characteristic is that slices are sent only on demand as execution proceeds, thereby hiding the entire program behavior from the observer. Moreover, slices are synthesized in such a way that adds to this concealment of the program behavior. This must be done, however, without affecting code efficiency, hence making the role of the compiler critical. The key properties of the process are as follows:

  1. define a notion of critical variables of the program and safe slices of the mobile code
  2. perform analysis to identify safe regions. We propose new analysis and restructuring techniques to maximally generate the safe regions
  3. perform the slicing of such safe regions under the constraint of memory

In the first phase of the project, we will propose an intermediate form (IF) that captures these properties. The analysis, restructuring and code generation techniques will be developed in the subsequent phases. Finally, efficient just-in-time (JIT) code generation techniques will be developed along with a run time kernel.

Title: Security Issues for Real Time Network Protocols and Applications
PI: Ammar (with Current Students Jinliang Fan and Paul Judge)
Summary:
We propose a three-year effort investigating security issues in the provision of real-time data communication applications. Our research will consider issues in the security of real-time protocols and applications. This includes providing efficient security mechanisms that do not hamper the scalability or real-time requirements of these protocols. This funding support will enable us to leverage our previous work and apply the results to the other research in an original proposal. We propose research in managing security for heterogeneous groups, content protection, securing QoS models and QoS for security applications.

Title: Security Support to the Georgia Crime Information Center
PI: Cannady
Summary:
GTRI is providing assistance to the Georgia Crime Information Center as they prepare to establish direct connections between law enforcement agencies in Georgia and the National Crime Information Center (NCIC) 2000 data system. The GBI is the Control Terminal Agency (CTA) for Georgia in providing access to NCIC data. As the CTA, the GBI is responsible for facilitating access and ensuring compliance with stated policy for access, use, and dissemination among Georgia agencies. As part of this responsibility, the GBI must ensure adequate security mechanisms (i.e., authentication, encryption, access control) are implemented in a consistent and cost-effective manner.

Title: Southwest Border States Anti-Drug Information System
PI: Wandelt
Summary:
GTRI is acting as primary systems designer and integrator to facilitate rapid, secure information sharing of criminal intelligence information between independent law enforcement agencies. Participating agencies are state and local law enforcement in California, Arizona, New Mexico, and Texas, six Regional Information Sharing Systems, and five contractors under the Criminal Information Sharing Alliance (CISA).

Title: Vulnerability Assessment Tools for Complex Information Networks
Co-PIs: Lee, Ho (Harvard), Pfeffer (Harvard), Cassandras (Boston U.), Gong (U Mass, Amherst)
Summary:
Currently, the accepted best way to obtain a vulnerability assessment is with so-called Red Teaming (human penetration testing). The drawbacks of Red Teaming are expense, invasiveness, lack of real-time continuous protection, bias, and risk of damage. We propose to develop tools that are primarily simulation based and that, when coupled with real-time measurements, would be capable of providing real-time continuous assessment and protection. We envision that the tools should provide the following three basic services:

  1. a measure of the overall level of protection --- to indicate to a network administrator when a security problem exists;
  2. an identification of actual, possible, or potential areas of weakness and vulnerability--- to allow a network administrator to locate and identify the nature of the security problem;
  3. suggestions for improving a security posture --- by allocating resources to respond to security problems, dynamically to respond in real-time or statically for planning and design.