Research area synopsis: Design and implementation of adaptive security systems that can adjust the security sophistications or change the security schemes intelligently and dynamically to defend against the worst possible self-adaptive attackers. It includes fundamental research and design on adaptive cryptography, HW/SW hardware/software implementations, key infrastructures, user authentication, and information storage.
Research team: Professors, Sha (team leader), Wang, Prabhakaran, and Khan
Research description: As system security becomes more effective, the possible attacks also become much more sophisticated and adaptive. Statically secure schemes are unable to protect systems from self-adaptive attacks. A secure system should be able to adjust its security schemes and sophistication levels rapidly and intelligently when attacks are detected. An integrated framework with new adaptive and parameterized techniques will be developed in cryptography, real-time low-power hardware/software implementations, key infrastructures, user authentication, and information storage.
The tradeoff between performance and level of security has become a severe problem in secure real-time and wireless systems. Implementing existing cryptographic functions and key management because of their huge resource consumptions in terms of time, power, memory, or transactions is not practical. For example, the cryptographic hash functions such as MD5 and SHA1 that are commonly used for data integrity and data authentication is extremely difficult to apply to wireless systems. In practice, it might not be necessary to consume this much resource to always maintain the highest degree of security while violating real-time or power constraints. Therefore, it is important to design adaptive and parameterized cryptosystems and explore detailed hardware/software realizations including the use of reconfigurable hardware to meet various security and performance requirements.
The security level of information storage depends on the sensitivity of stored information. A decision must be made rapidly based on the sensitivity of the information, dynamic security requirement and other constraints such as time, power and storage constraints. This project will study the design of ultra-secure storage schemes and how to make adjustments to meet different security requirements. One possible approach to obtain a secure storage is to design an adaptive protocol where the data can be smartly distributed to multiple servers so break-ins to the minority number of servers will not compromise its integrity. But this data distribution with data encryption also introduces a lot of extra computational overhead for data access, mining and forensics analysis. It must be noted that digital forensic data includes a variety of media such as images, video, audio, and text. To utilize adaptive cryptography, this project will design an efficient and secure database structure for handling the relationships among the digitized data, such as, fingerprints, audio samples, and voice samples of a suspect, which may be related to other suspects as well. An integrated solution for ultra-secure storage will be produced that involves operating systems, system/hardware interfaces and physical devices.
Research area synopsis: Many techniques have been developed to harden Internet-based systems against security attacks. However, these systems can still be vulnerable due to undetected loopholes or unforeseen attacks. In this project, we propose to develop a tool set and associated techniques for adaptive intrusion detection, responsive system reaction, and collaborative intruder tracking, to further protect the system even if it is under attack.
Research team: Professors, Wong and Zhang (team leaders), Chen, Dattatreya, Khan. Sha, Uma,and Yen
Research description: The first step toward intrusion detection and digital forensics is on-line monitoring, which collects behavioral information and traffic patterns of the system. Though all intrusion detection methods require this data collection phase, there is no well-established work in guiding the collection process to avoid intrusive monitoring which may impact the system performance and/or alter the system behavior. Our approach is to first conduct threat identification and then perform impact analysis to identify the critical system components that may be vulnerable. Subsequently, effective and efficient data collection procedures will be developed.
Many methods have been developed for data analysis and intrusion identification, including those based on statistical analysis, classification techniques, data mining, rule-based inferences, etc. We will explore the strength and weaknesses of existing approaches and develop an adaptive tool set that can automatically select and apply the most effective analysis algorithms for specific system resources and data patterns. We will also investigate innovative approaches for threat identification. For example, graph-based analysis methods will be investigated due to their potential for achieving higher accuracy in intrusion identification. These methods map system access or traffic patterns to graphs and analyze graph properties to identify abnormalities. Methods that can enhance the regularity of system behaviors and subsequently facilitate more rapid intrusion detection will also be investigated. For example, critical software can be executed at a set of distributed servers following a combination of secure random patterns to generate recognizable normal behavior. Active watermarking techniques can be developed to generate computation and/or communication patterns that allow easy system behavior recognition. Learning mechanism and rule-based inference techniques will be used to enhance the system adaptivity to unforeseen attacks.
We also will use graph-based visualization techniques to facilitate rapid human intervention. A few experienced operators can monitor a vast, distributed diverse network of computers, links, and sensors through an effective visualization tool to quickly detect any malicious behavior. Further visualization mechanism for understanding how the data packets flow in the network and how a potential intrusion is propagated will also be investigated and developed.
Research area synopsis: Hardware and software will be developed to enable a new paradigm for highly secure rapidly deployable networks. The innovative network architecture will be based on the virtual information organization and will be optimal for crisis prevention and emergency response.
Research team: Professors, Venkatesan and MacFarlane (team leaders), Prakash, Sarac, Mittal, Balsara, Bhatia, Fumagalli, Nourani, Saquib, and Torlak
Research description: During times of crisis it is essential to quickly and securely marshal the correct and necessary resources to prevent and respond to an emergency. The “virtual information organization” (VIO) is a preferred solution to delivering networked resources in times of crisis. A virtual organization comprises a core network that evolves slowly, along with extended members to provide specialized depth in times of need. Operationally, the VIO delivers the required resources in an economical and survivable, fault tolerable, manner. In part by employing advanced networked architectures, adaptive digital forensics, and innovative reconfigurable hardware, the work proposed here will guarantee secure operation with no false negatives or false positives. To enable the VIO, the team will develop all layers of the infrastructure of UTD’s Rapidly Deployable Networks (RDN) architecture. This consists of building all layers of the network hierarchy -- physical, data link, network, transport, and application layers for both wired and wireless technologies. The team will develop a secure and fault-tolerant broadband communication facility that can be operational with a very short development time and very short field deployment time. The major components of the proposed communication platform include mobile or fixed (but portable) base stations and mobile nodes. The communication between mobile nodes and the base stations is via wireless channels. The proposed system will be implemented using a novel and efficient combination of hardware and software components. Reconfigurable systems offer high performance, inexpensive and highly flexible method of executing information processing applications. Customizable hardware results in greatly enhanced performance both in speed and security. In fact, CMOS FPGA based custom hardware is shown to outperform some of the well known supercomputing platforms including CRAY. In this work, hardware development will include the design and deployment of unique CMOS reconfigurable hardware for enabling cost effective secure RDNs. In addition to the CMOS solution, we are also developing an innovative photonic integrated circuit that allows data signals to be processed at THz clock rates. Importantly, this photonic integrated circuit can be economically manufactured using well-proven fabrication processes. The team will design and build a demonstration system that has unprecedented mobility, robustness, speed of deployability and high security. An extremely high degree of coordination will exist between this team and the software engineering group. This will enable leveraging this support to practical applications including sensor network coordination for crime fighting, industrial security, financial markets, and electric power grid protection.
Research area synopsis: Our research effort in high performance architectures will create unified platforms for efficient execution of various information security specific algorithms. System reliability, graceful degradation in the presence of soft/hard faults, embedded hardware security, and above all performance will be the key aspects of our undertakings. This research and development effort will collaborate with other existing and evolving efforts under Digital Forensics and Network Security.
Research team: Professors, Bhatia (team leader), Balsara, and Nourani
Research area description: Asymmetric threats like those posed by a collection of people loosely organized in shadowy networks that are difficult to identify and define are serious problems for national and personal security. Information availability is a key to the success of any operation. In the world of security, information availability in time, especially information that can prevent threat posed to the successful operation of any system, is extremely important. Most of the asymmetric threats exist in the form of very low-density data. Most of the threats have some form of signature associated with them. However, mining such low-density data is a tremendously compute intense task.
It is highly unlikely that by simply making our systems secure we will solve the security problem as new and more sophisticated mechanisms of threatening the security will keep appearing. To effectively counter the threats one must be able to convert nebulous data to knowledge and action items. Algorithmic methodologies are required to detect, counter, and launch counter attacks against such threats. Software executing only on general-purpose computers will unlikely solve the problem. What algorithms and software will present is perhaps a methodology. In order to accomplish these tasks in time, specialized architectures are necessary. The performance required for converting data to knowledge and action items before threat becomes active will be achievable by exploiting system level architectures. Such architectures will be aided by custom hardware for enhancing the performance of compute intense parts of algorithms. An ability to dynamically adapt to requirements will ensure performance is maintained during runtime of applications (algorithms). Our research effort in high performance architectures will create carefully analyzed unified platforms for efficient execution of various information security specific algorithms. System reliability, graceful degradation in the presence of faults, embedded hardware security, and above all performance will be the key aspects of our undertakings.
This research and development effort will collaborate with other existing and evolving efforts under Digital Forensics and Network Security. Active demonstrations of working systems will be used as milestones to track progress of research undertakings. The proposed research is backed by our proven track record in building and delivering high performance architectures and supporting middleware environments to federal government agencies like NSF, DARPA, US Air Force, and consortiums like SRC. Examples of these include flagship architectures like RACE, NEBULA, and REACT.
Reconfigurable Hardware Platforms
Figure 1: A fully statically reconfigurable platform "RACE" built by investigators in support of an AFRL funded program.
Figure 2: A partially and dynamically reconfigurable platform "NEBULA" built by investigators in support of an AFRL funded program.
Research area synopsis: Due to the rapid development in network-centric information systems, information assurance has become a major research focus. NSF, DARPA, and DOD are initiating funding programs to support research in this area. In this project, we identify the problems in network-centric information systems and propose innovative solutions to assure that even if a part of the system (platforms, network, and/or information) is compromised, the system confidentiality, integrity, and availability can still be assured.
Research team: Professors, Yen (team leader), Chen, and Prabhakaran
Research description: In this project, we are developing techniques for information systems assurance. We consider providing confidentiality, integrity, reliability, and availability for network-centric information systems. A network-centric information system involves a large number of processing nodes and network subsystems that provide various system functions. These processing nodes and network subsystems can be in public domain or belong to different organizations. Hardening specific sites is not sufficient since information may flow through unreliable channels or can be cached by untrusted proxy servers for better performance and/or cost-effectiveness. Also, modern information systems require information to flow through multiple entities belonging to different companies or organizations with different information representations and security policies.
In our approach, secure data partitioning techniques are used as the fundamental confidentiality protection mechanism. We have developed a linear-algebraic partitioning technique and associated computing algorithms to allow operations to be performed on encrypted data. Hence, secrecy is achieved not just for information storage but also for information processing. To assure data integrity and availability, we use the replication technique. Conventional replication techniques cannot be scaled easily for widely-distributed systems. An O(cn2) access overhead is incurred by naïve replication schemes, where n is the degree of replication and c is the average communication cost. We have developed efficient access algorithms for replicated data accesses which reduce the access overhead to O(cn). We plan to extend our research in the following directions. (1) Extend our algorithm to provide confidentiality, integrity, and survivability for data in all phases, including storage, caching, processing, and communication phases for trusted as well as untrusted subsystems. (2) Develop highly reliable and interoperable authentication and access control protocols for an open group of intercommunicating heterogeneous systems. (3) Develop performance improvement algorithm such as data allocation strategies and service migration approaches that satisfy high assurance requirements. (4) On the experimental side, we will use the PeAgent system developed at the UTD Embedded Software Center to establish an Internet-based experimental environment to simulate the network-centric system infrastructure. This environment will be used as a tested to validate our approaches. Tools to assess the security, reliability, and performance of our experimental information systems and associated algorithms will be developed.
Research area synopsis: Important aspects of system security are (1) the encryption of data and (2) software tools enabling attack detection and prevention. The objective of this research is to develop improved encryption key management systems enabling (1) secure data to be accessible to authenticated users at disperse locations and (2) perfect forward and backward security as users are added or evicted.
Research team: Professors, Sudborough (leader), Tollis, Daescu, and Mili
Research description: Homeland security requires that specific classified data be available at central locations and that it be rapidly accessible, say, via the Internet. Databases are needed to provide data about, for example, (1) individuals entering or staying in the country, (2) weapons systems and their deployment, and (3) terrorists and their organizations. Public key encryption safeguards sensitive data and ensures only authorized individuals access it. Efficient management of encryption keys in dynamic groups is critical. To ensure forward security, when users are evicted, data must be re-encrypted with a new key so evicted users no longer can access it. The system needs to support a lattice of clearance levels, demands of wireless access, and the needs of many-to-many multicasting of data among users. Improved key systems will support these efforts and allow rapid re-keying and the necessary distribution of new keys to valid users.
We also propose to develop a framework for the visualization and simulation of distributed, multi-agent systems. Agents are software entities, which are intelligent, autonomous, and self-aware, with intentions and the ability to interact with others. Our visualization tool will look at three levels: the micro-social level with emphasis on visualization of agent interactions; the group level where the focus is on differentiation of agent roles and activities, their organization, and aggregation; the macro-social level with a focus on visualization of agent dynamics and environmental structure. Our simulation tool will allow the construction of artificial micro-worlds. The user can insert agents, alter an agent's behavior, and modify environmental conditions. The simulation tool is of utmost importance, as multi-agent systems are not deterministic: any modification of a condition or the introduction of a random variable will be amplified by agent interactions and result in unpredictable states.
Research area synopsis: The objective of this research is to develop static and dynamic (on-line) methods of enabling the assessment of the vulnerability of a network to security attacks and failures. Static vulnerability detection methods will be developed to eliminate residual software defects that can be exploited by hackers as well as embedded “Trojan Horses” that pose serious security risks for systems integrated from COTS or GOTS components. Dynamic vulnerability detection methods will be developed to rapidly assess potential security risks due to hardware failures and unusual operating situations, such as network congestion.
Research team: Professors, Bastani (team leader), Cangussu, Chung, Cooper, Dong, Gupta, Huynh, Ntafos, and Yen
Research description: Software defects and maliciously embedded “Trojan Horses” can pose serious security threats for network systems integrated from COTS or GOTS components. Hackers typically exploit software defects to bring down a system or gain unauthorized entry into it. Similarly, “Trojan Horses” in even highly secure systems can be remotely activated via the network (or via predetermined time triggers or when the system reaches some specific states) to cause catastrophic system failures. Hence, effective methods are needed to achieve high confidence in the security of critical information systems and network software. We propose to investigate software design methods as well as a suite of verification and validation technique that ensure that a system can be certified to a high degree of confidence.
To facilitate high assurance vulnerability detection, we will investigate methods of decomposing complex systems, including critical middleware services, into orthogonal aspects such that (a) each aspect is sufficiently simple that it can be validated cost-effectively, (b) the overall system properties can be inferred from the component properties, and (c) the aspects can be independently hardened to tolerate failures and security attacks. We also propose to develop a suite of rigorous validation and verification tools that can be used to attain high confidence that the system is free of defects that can be exploited by hackers and also free of embedded “Trojan Horses.” The tools will span testing, verification, and “faster-than-real-time” simulation systems to rapidly assess the vulnerability of the system. We will also investigate and develop the concept of “proof carrying programs” that, in conjunction with run-time monitoring tools and middleware, can be used to enable dynamic vulnerability assessment depending on the current state of the system and initiate recovery from failures and attacks.
Research area synopsis: Secure and Forensic Signal and Image Processing. We will: (a) investigate fundamental and practical aspects of secure multimedia data transfer via watermarking, and (b) develop image and audio signal processing algorithms to extract useful forensic information from digital audio and image/video data. This research will aid law enforcement by providing court-admissible evidence from digital data, and be an enormous aid in combating terrorism.
Research team: Professors, Nosratinia (team leader), Kehtarnavaz, and Loizou
Research description: This research has two parallel and closely related thrusts. Secure and Signal and Image Processing, and Forensic Signal and Image Processing. In secure and signal and image processing, we will investigate fundamental aspects of watermark design for secure multimedia data transfer, by finding the capacity of watermarking (also known as steganography, or data hiding) in various scenarios. It is of utmost importance to find the capabilities of our adversaries in this mode of data transfer. We will develop novel watermarking algorithms, as well as methods to detect and destroy watermarks. Furthermore, we will develop watermarks for the purposes of signal authentication in the presence of compression or other nonlinear system components, as well as in the presence of malicious attacks.
In a parallel track, we will investigate forensic signal and image processing. Surveillance cameras are extensively used for crime prevention and are often used as evidence in court. The raw image data captured by surveillance cameras in general have low quality (limited resolution and contrast). The objective of this research effort is to extract useful forensic information from such image data. Some of the research problems include: motion de-blurring over a sequence of images, resolution enhancement through super-resolution techniques, obtaining various scene measurements such as size, face identification, gait identification, extraction of velocity or movement of an object in the scene, etc.
In the area of audio forensics, we will concentrate on two important problems: (1) isolation and enhancement of one voice in the background of multiple talkers (e.g., a crowd, outdoors, a restaurant). This is a challenging problem because noise is highly non-stationary in this scenario. Our group has generated some promising preliminary results on this problem using wavelet de-noising. (2) Isolate the voice of a particular speaker (not necessarily the primary speaker) from a multiple-speaker recording. The background and track record of this research team is excellent, especially in the specifically mentioned areas, and the indicated problems are of direct use to homeland security and digital forensics.
Research area synopsis: The objective of this research is to “immunize” or “attack-proof” an information system so that it can completely resist entire classes of cyber attacks, including viruses, worms, denial-of-service, and defect exploitation attacks. Software and hardware assisted methods will be used for this along with middleware that will reside at network routers. To facilitate rapid deployment of these cyber shields, IETF protocols will be analyzed and new or revised attack-resistant protocols will be proposed to the industry.
Research area synopsis: We will do research on graph theoretic problems on web graphs (classify nodes according to capability and/or vulnerability to attack and consider problems like blocking an attack, finding the cost of an attack, etc.)
Research team: Professors, Ntafos (team leader) Bespamyatnikh, Daescu, Raghavachari, and Sudborough.
Research description: We propose to research, develop and implement hierarchical, scalable methods for security prevention/prediction on web-graphs.
The methods to be developed will allow user centric computation, based on the interdependencies existing at, and between, different levels in the hierarchical representation of data, and account for local dynamical changes; we plan to develop some abstract frameworks to handle them efficiently.
Algorithms on web graphs have recently emerged as a new direction of study on graph algorithms. We will study problems related to blocking propagation in such graphs (e.g., how many “guard nodes” are required to efficiently block virus propagation). Such problems have tremendous importance, for example in identifying potential terrorist groups that communicate over the web.
In a decentralized network, such as Internet, in which multiple groups own different parts of the network, it becomes increasingly important to be able to implement efficient security methods based on the vulnerability of specific nodes in the network. The related problem of pricing the links (between two nodes) based on contribution to optimal cost path between a source and target node has been very recently solved using shortest path techniques and Vickrey’s auction-based pricing scheme. We propose to study the dual problem, in which one wants to estimate the cost of a node on a given path in the network. The cost of a node will be defined with respect to the number of possible nodes that could be affected if a node is taken over, or using other node vulnerability pricing schemes.
We will research the following question: Assuming a node in the network is taken over by an intruder (virus, unauthorized user), how will this affect the security of a given sub-network? Previous experience indicates an efficient solution to this problem will be based on computing some optimal cost paths in the network. By computing such paths it is hoped to gain insight about the "security costly" parts of the network and in turn design effective prevention solutions and prediction algorithms (for example, add more security at a node).
Research team: Professors, Ntafos and Bastani (team leaders), Cangussu, Dantu, Dong, and Krishnan
Research description: Cyber attacks on computer networks have become so commonplace that most see them as an inevitable fact of life; like biological viruses and bacteria, poisonous gases, and predatory species, one hopes that they get detected and controlled before too much damage is done. Unfortunately, the typical sequence of “attack, detect, control, and recover” often results in major damages and high costs. This makes it imperative to develop methods that will protect computer systems (especially sensitive ones) from such attacks. This is similar to the use of vaccines to protect against viruses, fluoride to protect against tooth cavities, and food processing to guard against bacteria. We propose to investigate methods that can detect and completely neutralize entire classes of cyber attacks, including viruses, worms, denial-of-service, and defect exploitation attacks, before they have a chance to do any damage. In essence, we propose to develop cyber shields that are guaranteed to be completely immune to entire classes of attacks and hacking strategies. To be practical, such methods need to be easily deployable and also effective without imposing an unreasonable performance burden on the system.
For example, consider a computer virus. It typically modifies code in an application or a system program. Approaches to neutralize a virus attack include: (a) ideas from data integrity research; (b) code instrumentation and executable assertions; (c) extending object code to include security safeguards; and, (d) a variety of hardware-assisted methods. Considerable work has already been done on protecting documents and software from tampering during transmission over networks. Enhanced versions of methods that work on data integrity may be useful for detecting modifications to a program caused by a virus; then the program could be replaced by a trusted copy. Insertion of counters and assertions in code is a method that has been used for many years in testing and verification of software. They could be used to detect modifications made by a virus. The third approach calls for extending machine-level instructions so that they include a security segment that is checked before the instruction is executed. Code inserted by a virus will not have the proper security segment and the virus will be detected before it can run. Finally, program instructions could be stored in special “read-only” memories. In all of these approaches, it is important to develop ways to continue processing once the virus is detected (since "denial of service" is itself a costly type of attack).
Research area synopsis: The objective of this research is to develop methods of ensuring that a compromised system will not be used as a platform to initiate a cascading series of additional attacks that can bring down the entire network. The approach will also ensure that critical information will not be damaged by cyber attacks. Both objectives will exploit sophisticated technologies to achieve protocol, software, and hardware isolation without impairing the functionality of the system.
Research team: Professors, Bastani (team leader), Dattatreya, MacFarlane, Prabhakaran, and Wong
Research description: The overall strategy of our research is to employ powerful techniques to detect and thwart cyber attacks. However, there is always a slight probability that the software will have some residual defects or that an enemy will come up with some new attack strategy or that the password of some legitimate user may be compromised and used to attack the system. In the worst case scenario, it is prudent in security research to assume that an attack can succeed and to devise strategies that assure that even in such situations critical resources would be protected. These resources can include highly confidential personal, business, and military information as well as audit-trail information that is maintained by the system to facilitate digital forensics investigations that can identify the intruder and enable counter measure and/or prosecution of cyber crimes.
We will investigate sophisticated hardware and software technologies that guarantee that critical information in the system will not be compromised in spite of successful security attacks. The goal is to develop methods of achieving isolation between communication, software, and hardware subsystems such that attacks at one node in the network cannot cross-protected boundaries surrounding it. This “inverse” shield is designed to be a fail-safe mechanism that provides complete protection of interior nodes in a subnet even in the face of compromised and malicious exterior nodes that interface with the rest of the network. The interior nodes will be augmented with redundant, active authentication methods and independent propagation paths to ensure that only legitimate users can access and modify critical data. The research will be validated using a platform derived from the three year old, highly secure QuEST Forum Measurement Repository System (MRS) developed and implemented by the University of Texas at Dallas with the goal of ensuring that users can securely update and access the data in spite of concerted security attacks.