Presentation is loading. Please wait.

Presentation is loading. Please wait.

TRUST:Team for Research in Ubiquitous Secure Technologies Overview

Published byGarey Smith Modified over 6 years ago

Similar presentations

Presentation on theme: "TRUST:Team for Research in Ubiquitous Secure Technologies Overview"— Presentation transcript:

1 TRUST:Team for Research in Ubiquitous Secure Technologies Overview
Shankar Sastry, PI and Dir. Ruzena Bajcsy, Outreach Dir. Sigurd Meldal, Education Co-Dir. John Mitchell, co-PI Vijay Raghavan, Exec Dir Mike Reiter, co-PI Fred Schneider, Chief Sci. Janos Sztipanovits, co-PI and Education Co-Dir Steve Wicker, co-PI

2 Technology Generations of Information Assurance
1st Generation (Prevent Intrusions) Cryptography Trusted Computing Base Access Control & Physical Security Multiple Levels of Security Intrusions will Occur 2nd Generation (Detect Intrusions, Limit Damage) Firewalls Intrusion Detection Systems Boundary Controllers VPNs PKI Resist approach is not cost effiective Not amenable to COTS & legacy systems Does not work for insider threat and Life Cycle Attacks Identify attacks amenable to cost-effective resistance Tolerate the rest Tolerance mechanisms must stay ahead of attackers Functionality, performance and security must be traded off in real time Identify Attacks amenable to cost-effective resistance Functional, performance & security must be traded off in real-time Some Attacks will Succeed 3rd Generation (Operate Through Attacks) Big Board View of Attacks Real-Time Situation Awareness & Response Intrusion Tolerance Graceful Degradation Hardened Core Functionality Performance Security "Overview", Shankar Sastry

3 TRUST worthy Systems More than an Information Technology issue
Complicated interdependencies and composition issues Spans security, systems, and social, legal and economic sciences Cyber security for computer networks Critical infrastructure protection Economic policy, privacy TRUST: “holistic” interdisciplinary systems view of security, software technology, analysis of complex interacting systems, economic, legal, and public policy issues Trustworthiness problems invariably involve solutions with both technical and policy dimensions (theme of Schneider’s talk) Goals: Composition and computer security for component technologies Integrate and evaluate on testbeds Address societal objectives for stakeholders in real systems "Overview", Shankar Sastry

4 Faking Spoofing Phishing Integrative Project: Identity Theft
An that seems to be from a legitimate source Spoofing A Web site that appears to be “official” Phishing Luring users to provide sensitive data From Aucsmith, Microsoft "Overview", Shankar Sastry

5 PHISHING Impact Stats Most people are spoofed People are tricked
Over 60% have visited a fake or spoofed site People are tricked Over 15% admit to having provided personal data 2780 phishing websites in March 2005 alone Target for spoofing attacks Banks, credit card companies, Web retailers, online auctions (E-bay) and mortgage companies. Economic loss 1.2 million U.S. adults have lost money The total dollar impact in first 6 months of 2005: $929 million, in all of 2003 $ 1.2B. Source: TRUSTe & Gartner "Overview", Shankar Sastry

6 SPYWARE Impact Stats Software that: Privacy Reliability Support Costs
Collects personal information from you Without your knowledge or permission Privacy 15 percent of enterprise PCs have a keylogger Source: Webroot's SpyAudit Number of keyloggers jumped three-fold in 12 months Source: Sophos Reliability Microsoft Watson ~50% of crashes caused by spyware Support Costs Dell, HP, IBM: Spyware causes ~30% of calls Estimated support costs at $2.5m+ / year "Overview", Shankar Sastry

7 ID Protection: Client Side Tools
SpoofGuard: Stanford (NDSS ’04) Alerts user when browser is viewing a spoofed web page. Uses variety of heuristics to identify spoof pages. A new type of anomaly detection problem. Dynamic Security Skins: Berkeley (SOUPS ’05) Allows a remote web server to prove its identity in a way that is easy for human to verify and hard for attacker to spoof: uses a photograph to create trusted path PwdHash: Stanford (Usenix Sec ’05) Simple mechanism for strengthening password web auth. SpyBlock: Stanford (under development) Prevent Spyware from capturing sensitive data. "Overview", Shankar Sastry

8 Tech Transfer from Phishing Work
SpoofGuard: Some SpoofGuard heuristics now used in eBay toolbar and Earthlink ScamBlocker. Very effective against basic phishing attacks. PwdHash: Collaboration with RSA Security to implement PwdHash on one-time RSA SecurID passwords. RSA SecurID passwords vulnerable to online phishing PwdHash helps strengthen SecurID passwords "Overview", Shankar Sastry

9 Coordinated Research Agenda
The TRUST center will develop and demonstrate science and technology in real-life testbeds. NSF core funding over 5 years plus option 5 years Possible support from US Air Force for IAS for GIG Network of partnerships with industry, infrastructure stakeholders NSF/US State Department would like to make partnerships with key international partners Coordinated research: eleven challenge areas across three key topics: Security Science Systems Science Social Science "Overview", Shankar Sastry

10 TRUST Structure Objective: Information Assurance in a Systems Context
Societal Challenges Privacy Critical Computer and Infrastructure Network Security Integrative Testbeds - Role: Connect societal challenges to technical agenda Integrate component technologies Measure progress in real-life context Network Security Testbed Power Grid Secure Networked Testbed Embedded Systems Testbed Technologies System Science Security Science Social Science Software Security Complex Inter - Dependency mod. Secure Info Mgt. Software Tools Trusted Platforms Secure Network Embedded Sys Econ., Public Pol. Soc. Chall. Applied Crypto - graphic Protocols Model - based Security Integration. Forensic and Privacy Network Security Secure Compo - nent platforms HCI and Security Objective: Information Assurance in a Systems Context "Overview", Shankar Sastry

11 Software Security (language based)
Security Science (1) Software Security (language based) Static Code Verification Dynamic Analysis Multi-lingual Security Software Design Trusted Platforms Composition Security and Vulnerability Minimal Software and Hardware Configurations Applied Cryptographic Protocols Protocol design methods Protocol analysis, testing, and verification "Overview", Shankar Sastry

12 Security Science (2) Network Security
Focused on making the Internet more secure Challenges Denial of service attacks Spoofed source addresses Routing security Approaches: Structured overlay networks Better infrastructure Epidemic protocols Simulation and Emulation on DETER testbed "Overview", Shankar Sastry

13 Cyber Defense Technology and Experimental Reseach Network: DETER
Inadequate wide scale deployment of security technologies Lack of experimental infrastructure Testing and validation in small to medium-scale private research labs Missing objective test data, traffic and metrics Create reusable library of test technology for conducting realistic, rigorous, reproducible, impartial tests For assessing attack impact and defense effectiveness Test data, test configurations, analysis software, and experiment automation tools "Overview", Shankar Sastry

14 System Science (1) Complex Interdependency Modeling and Analysis
Four-fold approach to reducing vulnerability of interdependent systems to disruptive failure Modeling Strategies Analysis Techniques Design Technologies Operational Tools Secure Network Embedded Systems Present unique security concerns Conventional end-to-end approaches break down New code must be propagated throughout the network Focus areas: Automated design, verification, and validation Secure, composable, and adaptive software Emphasis on sensor networking technology as high-impact application "Overview", Shankar Sastry

15 Mote Evolution "Overview", Shankar Sastry

16 Secure Network Embedded System Testbed (577 nodes) at Berkeley
Software TinyOS Deluge Network reprogramming Drip and Drain (Routing Layer) Drip: disseminate commands Drain: collect data DetectionEvent Multi-moded event generator Multi-sensor fusion and multiple-target tracking algorithms Other testbeds at Cornell, Vanderbilt (Wicker’s talk) "Overview", Shankar Sastry

17 System Science (2) Model-Based Integration of Trusted Platforms
Supports system integration through embedded software Model-based design Model transformation technology QoS-enabled component middle-wareSecure Information Management Software Emphasis on new software tools for monitoring and controlling large sensor infrastructures Combines peer-to-peer protocols with epidemic algorithms Highly scalable Rigorous semantics User-friendly APIs "Overview", Shankar Sastry

18 Sample Application:The proposed DoD NCES/GIG architecture
Basis is Web Services standard, although CORBA is likely to be used on server clusters Primary application platform will be Microsoft Windows NSA and DISA are playing key roles in mapping these components to military needs "Overview", Shankar Sastry

19 Social Science Economics, Public Policy and Societal Challenges
From privacy to personal security Liability and insurance are critical concerns What are the benefits and costs of security policies? What are the nature and size of transaction costs associated with security? Digital Forensics and Privacy Privacy cuts across the trust/security issues that are the focus of TRUST Common interfaces are needed for specifying privacy requirements Emphasis on strong audit, selective revelation of information, and rule-processing technologies Human Computer Interfaces and Security Security problems may arise through the mis-configuration of complex systems Generally, humans lack many computational abilities that are conducive to securing networks and systems Strengthening standard passwords Using biometric information Using image recognition "Overview", Shankar Sastry

20 Healthcare Information Technology
Rise in mature population Population of age 65 and older with Medicare was 35 million for 2003 and 35.4 million for 2004 New types of technology Sensors for elderly assisted living Increased demand for health data Health information technology Commercial use of health data Current Responses for Technology Assisting Healthcare: Electronic Patient Records Telemedicine Remote Patient Monitoring Table compiled by the U.S. Administration on Aging based on data from the U.S. Census Bureau. United Nations ▪ “Population Aging ▪ 2002” 2050 Percentage of Population over 60 years old Global Average = 21% "Overview", Shankar Sastry

21 Patient Portal Project
Vanderbilt Patient Portal Electronic healthcare records Include real-time monitoring of congestive heart failure patients Heterogeneous sensor network for monitoring Data integrated into patient portal Berkeley ITALH Testbed: seniors in Sonoma Stationary sensors: Motion detectors, Camera systems Wearable sensor: Fall sensors, Heart rate or pulse monitors "Overview", Shankar Sastry

22 LARGE INTEGRATIVE PROJECTS
My Health Portals for Electronic Patient Records: Vanderbilt, Berkeley, Cornell (Sztipanovits’ talk) Phishing, Spyware, Identity Theft: Stanford, Berkeley (Mitchell’s talk) Secure Sensor Networks: Berkeley, CMU, Cornell, Vanderbilt (Wicker’s talk) DoD GIG IAS: Cornell, Vanderbilt, Berkeley (Birman’s talk) Cybersecurity Educational Modules: SJSU, Vanderbilt, Stanford (Meldal’s talk) "Overview", Shankar Sastry

23 Healthcare Information Access Privacy and Security Everywhere
Provider Patient Payer Society Primary care Specialists Ancillaries Immediate Family Extended Community Support Friends Legally Authorized Reps Admin. Staff Claims Processors Subcontractors Clearinghouses Insurers Public Health State Licensure Boards Law Enforcement Internal QA External accreditation orgs Clinical Trials Sponsors Fraud Detection Medical Information Bureau Business Consultants National Security Bioterrorism Detection "Overview", Shankar Sastry

24 Sensor Networks in Public Places
Protecting Infrastructure Opportunities for embedding sensor networks Transportation Water and Fuel Power Grid TRUST is emphasizing development of supporting technology for randomly distributed sensors Buildings Combine surveillance with energy control Integrate into building materials Open Spaces (parks, plazas, etc.) Combine surveillance with environmental monitoring Line-of-sight surveillance technologies "Overview", Shankar Sastry

25 EDUCATIONAL INITIATIVES
Meldal, Sztipanovits and Bajcsy will speak in detail about the repositories, course work development, summer school and other educational initiatives under way Policy, Technology, Psychological Motivations of Terrorism: Maurer (Berkeley), Lazowska (Washington), Savage (UCSD) and Microsoft, Fall 05 Lampson, “Accountability and Freedom Varian “Economics and Computer Security” Maurer “The Third Wave of Terrorism” Aucsmith “Crime on the Internet” Samuelson, Mulligan, Wicker, and Goldberg: Video Privacy in Public Places? Capacity Building program for HBCU, HIS: Reiter TRUST Summer School (TSS) in June 2006 "Overview", Shankar Sastry

26 Outreach Initiatives BFOIT - Berkeley Foundation for Opportunities in Information Technology SUPERB-IT - Summer Undergraduate Program in Engineering Research at Berkeley - Information Technology SIPHER - Summer Internship Program in Hybrid and Embedded Software Research Pennsylvania Area HBCU Outreach - Historically Black Colleges and Universities Women’s Institute in Summer Enrichment (WISE) to be kicked off in July 2006 "Overview", Shankar Sastry

27 SUMMARY TRUST has been successfully launched: research, education, outreach programs under way Hallmark of TRUST: Grand Challenge Projects Large Integrative Projects Identity Theft Secure Network Embedded Systems Secure Electronic Patient Records Portal DoD Global Information Grid Security Education: Large Projects Repositories: Evaluation using Learning Theory Modules for existing courses TRUST Summer School Outreach: Comprehensive BFOIT, SUPERB, SIPHER Capacity Building Program for HBCU/HSI WISE outreach to women researchers "Overview", Shankar Sastry

28 BACKUPS

29 Project Structure "Overview", Shankar Sastry Security Technology Teams
Systems Science Teams Social Science Teams Integrative Projects Education Program Software Security Complex Interdependency Modeling and Analysis Economics, Public Policy and Societal Challenges System/Sec CoDesign Boeing+Raytheon Summer School Trusted Platforms Sensor Networks ORNL Curriculum Secure Network Embedded Systems Digital Forensics and Privacy Applied Cryptographic Protocols Human Computer Interfaces and Security Patient Portals VUMC Learning Science & Technology Insertion Model-based Integration of Trusted Components Network Security Repository Secure Information Management Software "Overview", Shankar Sastry

30 Example Experiment: Bandwidth-limited Scanning Worm Experiment
ICSI and PSU: characterization, modeling and scale-down simulation of Slammer SQL worm’s propagation through the Internet: ICSI+PSU WORM’04 paper. Development of virtual nodes that model the response of sub-networks or whole Internet to a worm attack for the purposes of scale-down – 1/64th scale Internet Near term activity: Other worm attack recreations in the near term Collaborative defenses under test Large-scale enterprise network simulation "Overview", Shankar Sastry

31 NEST Final Experiment: Demo
"Overview", Shankar Sastry

32 Overview of Agenda Schneider “Technology + Policy”
Sztipanovits “Patient Medical Records Portals” Wicker “Secure Sensor Networks and Network Embedded Systems Mitchell “PwdHash, Spoofguard, Spyware, Botnets” Birman “Global Information Grid” POSTERS with 3 minute introductions Meldal, Sztipanovits and Bajcsy, Education and Outreach Activities Tygar, Technology Transition Strategy "Overview", Shankar Sastry

Download ppt "TRUST:Team for Research in Ubiquitous Secure Technologies Overview"

Similar presentations

Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.

Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.
TRUST, Washington, D.C. Meeting January 9–10, 2006 TRUST :Team for Research in Ubiquitous Secure Technologies Overview Shankar Sastry, PI and Dir. Ruzena.

TRUST, Washington, D.C. Meeting January 9–10, 2006 TRUST :Team for Research in Ubiquitous Secure Technologies Overview Shankar Sastry, PI and Dir. Ruzena.
TRUST Retreat, October 8-9, 2006 EMR Project Vanderbilt (Sztipanovits, Karsai, Xue) Stanford (Mitchell, Datta, Barth, Sundaram) Berkeley (Bajcsy, Sastry)

TRUST Retreat, October 8-9, 2006 EMR Project Vanderbilt (Sztipanovits, Karsai, Xue) Stanford (Mitchell, Datta, Barth, Sundaram) Berkeley (Bajcsy, Sastry)
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.

Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality 2014-06-10.

A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Securing Information Systems

Securing Information Systems
A First Course in Information Security

A First Course in Information Security
Whitacre College of Engineering Panel Interdisciplinary Cybersecurity Education Texas Tech University NSF-SFS Workshop on Educational Initiatives in Cybersecurity.

Whitacre College of Engineering Panel Interdisciplinary Cybersecurity Education Texas Tech University NSF-SFS Workshop on Educational Initiatives in Cybersecurity.
Computer Science and Engineering 1 Csilla Farkas Associate Professor Center for Information Assurance Engineering Dept. of Computer Science and Engineering.

Computer Science and Engineering 1 Csilla Farkas Associate Professor Center for Information Assurance Engineering Dept. of Computer Science and Engineering.
TRUST September 13 th 2004NSF STC Site Visit TRUST :Team for Research in Ubiquitous Secure Technologies Shankar Sastry (Berkeley), Mike Reiter (CMU), Steve.

TRUST September 13 th 2004NSF STC Site Visit TRUST :Team for Research in Ubiquitous Secure Technologies Shankar Sastry (Berkeley), Mike Reiter (CMU), Steve.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.

Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
TRUST NSF Site Visit, Berkeley, March, 2007 Sensor Networks: Technology Transfer Stephen Wicker – Cornell University.

TRUST NSF Site Visit, Berkeley, March, 2007 Sensor Networks: Technology Transfer Stephen Wicker – Cornell University.
TRUST NSF Site Visit, Berkeley, April 27 th - 28 th, 2006 Trust Patient Portal Project – Real Time Patient Monitoring Josh Denny Mike Elkund Philip Kuryloski.

TRUST NSF Site Visit, Berkeley, April 27 th - 28 th, 2006 Trust Patient Portal Project – Real Time Patient Monitoring Josh Denny Mike Elkund Philip Kuryloski.

Similar presentations

Ads by Google