Current and Future Research into Network Security Prof. Madjid Merabti

Transcription

1 Current and Future Research into Network Security Prof. Madjid Merabti School of Computing & Mathematical Sciences Liverpool John Moores University UK

2 Overview Introduction Secure component composition Secure ubiquitous computing Network privacy and security Denial-of-service (DoS) detection Intrusion detection Secure e-commerce protocols Conclusions

3 Introduction Security Problems Rapid development of technologies, e.g. Internet and ubiquitous computing, offers great services However security is a problem, e.g. CSI/FBI 2001 survey found that 90% respondents had been attacked Cost of a lack of security is great $500 million - $5 billion a year

4 Confidentiality Introduction Security Goals data/systems accessible only by authorised people Integrity data/systems modifiable only by authorised people Availability data/services are accessible by authorised users when needed

5 Introduction Some Security Threats

6 Secure Component Composition Background - 1 Component-based system development, e.g. distributed, programmable, and ubiquitous systems Determination of the security of a system from that of its components (e.g. whole programs, plug-ins, or code fragments)

7 Secure Component Composition Background - 2 The principle is that if each component analysed separately meets localised security requirements, the whole system can be guaranteed to satisfy its global security requirements Current methods are mainly applied at development stages, not runtime

8 Secure Component Composition Significance Simplification of security evaluation Facilitation of dynamic construction of a secure system from components with various security Applicability to emerging highly dynamic, fluid & heterogeneous applications, e.g. ubiquitous systems

9 Secure Component Composition Our Research Several models produced for more cost-effective component composition The models have been published in journals and at conferences Being applied to emerging applications, e.g. secure personal ubiquitous computing systems

10 Secure Component Composition Further Research Integration of different models for dynamic system security evaluation Identification of security patterns of component composition for costeffective security evaluation Development of practical models applicable to ubiquitous computing environments

11 Secure Ubiquitous Computing Background Ubiquitous computing (UC): Wirelessly networked processors embedded in everyday objects (e.g. fridges & burglar alarms), or networked appliances, will communicate with each other in the near future Integration with existing wireless and wired network infrastructures to bring us a great deal of convenience

12 Secure Ubiquitous Computing Significance Impact of UC applications on society is similar to that of the Web However, UC poses a great deal of security risk Appropriate provision of security and privacy protection is vital for wide adoption and success of UC applications

13 Secure Ubiquitous Computing Characteristics Mixture of hardware & software Device, service and application diversity Dynamic, heterogeneous and distributed Gateways to the outside world Programmable network infrastructure

14 Secure Ubiquitous Computing Security Issues Traditional models still valid Confidentiality, Integrity, Availability However UC systems combine high complexity with low skilled users Building the systems is complex Analysis of the security is difficult Security control of dynamically changing systems is even harder

15 Secure Ubiquitous Computing EPSRC Funded Project - 1 Project background Security is one of the most challenging issues for Personal Ubiquitous Computing (PUC) Security has to be manageable and controllable by ordinary users with little or no computing knowledge Funded by EPSRC Programmable Networks Initiative Programme

16 Secure Ubiquitous Computing EPSRC Funded Project - 2 Project aim Develop an extendable software framework to provide the runtime security evaluation and control of a PUC system in an automated, dynamic and adaptive manner The development is based on our research work on secure component composition

17 Secure Ubiquitous Computing Other Ongoing Work - 1 Development of a security user interface framework for UC applications to support: zero/low system security configuration low system security maintenance Development of middleware to support development & deployment of secure UC applications

18 Secure Ubiquitous Computing Other Ongoing Work - 2 Development of techniques for dynamic and adaptive security and privacy protection, e.g. Secure energy awareness computation suitable for devices with limited energy Security awareness operations in dynamically changing environments Protection of mobile agents from attacks from malicious network hosts

19 Mobile Network Privacy Background A mobile network user registered with a home network A roaming user can connect to a foreign network by updating its new location with: Foreign network stores local movements within the domain Home network stores the current remote location to forward messages/calls to

20 Mobile Network Privacy Privacy Requirements User message content Current location of the user Associated Behaviour of the user: Billing information Services accessed by the user QoS parameters used for the access Identification of communications partners

21 Mobile Network Privacy Our Research - 1 Develop a Mobile Network Privacy Architecture for pseudonymous registration of a user s location: Others learn nothing about the user Home network can t see user behaviour Foreign network cannot identify the user & home network Provision of payment, service access, etc with pseudonymity

22 Mobile Network Privacy Our Research - 2 The work have been published in journals and at conferences Further research Development of approaches to privacy protection of mobile agents Development of solutions to privacy protection in ubiquitous computing environments

23 IPSec Background Allows two IP hosts to determine their IP address with confidence Allows two IP hosts to establish an encrypted end-to-end tunnel Offer security protocols for IP Authentication Header Encapsulating Security Payload, encryption Key exchange protocol

24 IPSec Some Problems with IPSec Many variants to the protocols with sometimes overlapping goals potential weaknesses Network layer solution does not necessarily help application security Problematic interoperability with firewalls firewalls may need to inspect packet headers

25 IPSec Our Ongoing Research Further analysis of IPSec Development of ways to improve the position of IPSec as a major mechanism for network security Overall framework for development of IPSec enabled applications, including improved VPN support & firewall compatibility

26 Denial-of-Service Detection Background Denial-of-Service (DoS) attacks prevent legitimate access to services Launched across networks/internet Distributed DoS attacks combine computers into attack networks to send much more data to a victim Types of attack: resource starvation, and bandwidth consumption

27 Denial-of-Service Detection Current Solutions & Problems Rely on the perimeter model of computer security Build castles with firewalls and intrusion detection systems But. When it detects DoS attacks, they have succeeded Detection systems are also targeted to cause DoS

28 Denial-of-Service Detection Our Research Work Ongoing research: Design of cost-effective early DoS detection methods Development of a scalable, efficient & effective DoS detection framework Some results have been published Further research: Investigation of DoS issues in ubiquitous computing environments

29 Intrusion Detection Background Attackers may penetrate security of a system for unauthorised access to valuable information Detection of attacks is important, and otherwise valuable information may be disclosed or corrupted Intrusion detection systems (IDS) are used for such detection

30 Intrusion Detection Detection Techniques & Problems Main types of detection technique: Misuse detection: searching for known intrusions based on their attacking patterns Anomaly detection: searching for abnormal or unusual behaviours Problems with current techniques: Vulnerable for some attacks, e.g. using encrypted messages to avoid detection High false alarm rates

31 Intrusion Detection Our Research Work Ongoing research Development of more effective solutions to rectify high false detection rates Development of better solutions to rectify existing vulnerabilities Some results have been published Further research Intrusion detection for PUC systems

32 Secure E-commerce Protocols Background Two important e-commerce issues: Non-repudiation of receipt: a recipient of a message/doc cannot falsely deny having received the message/doc Fair exchange: for a fair doc exchange (e.g. payment for e-goods) between two parties A and B, if A has got B s doc, then B has got/can get A s doc, and vice versa

33 Secure E-commerce Protocols Techniques and Problems Types of exchange technique: Online trusted third party (TTP) based: TTP takes part in exchange Offline TTP based: TTP is only needed to resolve disputes None TTP based: no TTP is needed, but it s not an effective approach Main problem No cost-effective solution suitable for different application scenarios

34 Secure E-commerce Protocols Our Research Work Development of more efficient and effective protocols applicable to different e-commerce scenarios Development of new protocols suitable for autonomous mobile agent based applications Several protocols have been produced and published

35 Conclusions - 1 More research is needed to further develop secure component composition for emerging applications Secure ubiquitous computing has great potential, and it is attracting a great deal of research interest Much research has been done for network security and privacy, but better/new solutions are still needed

36 Conclusions - 2 There is an urgent need for development of new techniques for early detection of DoS attacks Better techniques still need to be developed to offer more accurate and effective intrusion detection More effort is needed to develop unified and efficient protocols capable of handling different e- commerce application scenarios