IEEE Security and Privacy

PrePrint: Protecting DNS from Routing Attacks: A Comparison of Two Alternative Anycast Implementations

DNS is a critical piece of the Internet supporting the majority of Internet applications. Because it is organized in a hierarchy, its correct operation is dependent on the availability of a small number of servers at the upper levels of the hierarchy. These \emph{backbone} servers are vulnerable to routing attacks in which adversaries controlling part of the routing system try to hijack the server address space. Using routing attacks in this way, an adversary can compromise the Internet's availability and integrity at a global scale. In this article, we evaluate the relative resilience to routing attacks of two alternative anycast implementations of DNS, the first operating at the network layer and the second operating at the application layer. Our evaluation informs fundamental DNS design decisions and an important debate on the routing architecture of the Internet.

PrePrint: Designing Host and Network Sensors to Mitigate the Insider Threat

We propose a design for insider threat detection that combines an array of complementary techniques that aims to detect evasive adversaries. We are motivated by real world incidents and our experience with building isolated detectors: such standalone mechanisms are often easily identified and avoided by malefactors. Our work-in-progress combines host-based user-event monitoring sensors with trap-based decoys and remote network detectors to track and correlate insider activity. We identify several challenges in scaling up, deploying, and validating our architecture in real environments.

PrePrint: Model-Based Verification of Security and Non-Functional Behavior using AADL

Modeling of system quality attributes, including security, is often done with low fidelity software models and disjointed architectural specifications by various engineers using their own specialized notations. These models are typically not maintained or documented throughout the life cycle and make it difficult to obtain a system view. However, a single-source architecture model of the system that is annotated with analysis-specific information allows changes to the architecture to be reflected in the various analysis models with little effort. We describe how model-based development using the Architecture Analysis and Design Language (AADL) and compatible analysis tools provides the platform for multi-dimensional, multi-fidelity analysis and verification. A special emphasis is given to analysis approaches using Bell-LaPadula, Biba, and MILS approaches to security and that enable a system designer to exercise various architectural design options for confidentiality and data integrity prior to system realization.

PrePrint: Open Issues in Secure Domain Name System (DNS) Deployment

The Domain Name System (DNS) is the primary infrastructure component of the Internet as it translates easy-to-remember Internet destination (web pages, mail servers) addresses (called URLs) into actual network addresses (IP addresses). Being the foundational technology for the Global economy, the DNS needs protection using state of practice security measures. A set of security specifications called DNS Security Extensions (DNSSEC) specification has been proposed by IETF and has been demonstrated to provide the needed protection. However ubiquitous DNSSEC deployment throughout the DNS infrastructure calls for certain critical security operations. There are some unresolved issues with respect to the rollout of these operations in terms of specification gaps, consensus security procedures and operational challenges. This article discusses those issues and provides some directions for resolving them.

PrePrint: Building A System For Insider Security

Current protection strategies against insider adversaries are expensive, intrusive, and not systematically implemented; too often, these strategies are defeated. In this paper, we discuss the development of methods for a systems-based approach to insider security. To investigate the evolution of the insider within an organization, we have used system dynamics to develop a preliminary model of the employee life cycle. In this model, we define and analyze interactions of the employee population with insider security protection strategies. The model was exercised for an example scenario that focused on human resources and personnel security activities, specifically, pre-hiring screening and security clearance processes. The model provides a framework to understand important interactions, interdependencies, and gaps in insider protection strategies. This work provides the basis to develop an integrated systems-based process for building - designing, evaluating and operating - a system for effective insider security.

IEEE Security and Privacy - September/October 2009 (Vol. 7, No. 5)

IEEE Security and Privacy

PrePrint: Detecting the Theft of Trade Secrets by Insiders: A Summary of MITRE Insider Threat Research

Economists estimate that between 50% and 85% of the value of today’s corporations stem from intangibles such as trade secrets. The importance of proprietary information makes it a tempting target for individuals willing and able to steal it. One recent survey found that although intellectual property theft accounted for less than 1% of all cyber crimes against businesses, it resulted in over 50% of the total monetary loss. In most cases, the offender was an insider with access to corporate assets. We describe our work at MITRE on the detection of insiders who misuse their privileges, which has been ongoing since 2002. Our research effort began after a frustrating attempt to apply intrusion-detection methods to detect insider threats. This led to a three-year, MITRE-funded research project that produced a prototype called ELICIT. This work prompted a second project to explore the differences in the behavior of malicious and benign users.