Highlights

Our project has had a strong record of publications over the first round of funding (April 2005 to present). In particular, we have made significant progress in the areas of detecting and mitigating malicious activity.

We have developed techniques for detecting virus and worm propagation within an enterprise by observing anomalous Domain Name System (DNS) requests [whyte2005a] and Address Resolution Protocol (ARP) requests [whyte2005c]. We have also developed techniques for securing email, including one for detecting spam-relaying machines in an enterprise environment [whyte2005b] and a simple statistical model for detecting unauthorized access to a user's email archive [li2005a], [li2005b]. Additionally, we have studied more sophisticated statistical and machine-learning-based approaches to detecting network intrusions, including a hybrid hidden Markov model/neural network approach [al-subaie2006] and one based on random-forest decision trees [zhang2005], [zhang2006].
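The paragraph above states only that worm propagation is detected through anomalous DNS requests. The example below is added here to make the DNS half of that idea concrete; it is not code from the project or from the cited papers. It assumes that the anomaly of interest is an outbound connection whose destination address the client never obtained from a DNS answer (a scanning worm typically targets addresses directly, whereas normal clients resolve names first), and that a site-specific whitelist covers destinations legitimately reached by address. The event stream, the whitelist and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample event stream (not captured traffic), in time order.
#   ("dns",  client, answer_ip)  an A-record answer returned to client
#   ("conn", client, dst_ip)     a new outbound connection opened by client
EVENTS = [
    ("dns",  "10.0.0.5", "93.184.216.34"),
    ("conn", "10.0.0.5", "93.184.216.34"),   # name was resolved first: normal
    ("conn", "10.0.0.5", "10.0.0.53"),       # local resolver, reached by address: exempt
    ("conn", "10.0.0.7", "203.0.113.1"),     # no lookup preceded any of these
    ("conn", "10.0.0.7", "203.0.113.2"),
    ("conn", "10.0.0.7", "203.0.113.3"),
    ("conn", "10.0.0.7", "203.0.113.4"),
    ("dns",  "10.0.0.9", "198.51.100.8"),
    ("conn", "10.0.0.9", "198.51.100.8"),
    ("conn", "10.0.0.9", "198.51.100.9"),    # a single stray unresolved connection
]

# Hypothetical whitelist of destinations legitimately reached without a lookup
# (local resolver, default gateway); a real deployment would populate this
# from the site's configuration.
EXEMPT = {"10.0.0.53", "10.0.0.1"}
THRESHOLD = 3  # unresolved connections before a host is flagged (assumed value)


def analyze(events, exempt=EXEMPT, threshold=THRESHOLD):
    """Count, per client, outbound connections whose destination that client
    never obtained from a DNS answer, and flag clients at or above threshold.

    Returns (unresolved_counts, flagged_clients).
    """
    resolved = defaultdict(set)    # client -> addresses it has resolved so far
    unresolved = defaultdict(int)  # client -> connections with no prior lookup
    for kind, client, addr in events:
        if kind == "dns":
            resolved[client].add(addr)
        elif kind == "conn":
            if addr in exempt or addr in resolved[client]:
                continue
            unresolved[client] += 1
    flagged = {c for c, n in unresolved.items() if n >= threshold}
    return dict(unresolved), flagged


if __name__ == "__main__":
    counts, flagged = analyze(EVENTS)
    for client in sorted(counts):
        mark = "  <-- FLAGGED" if client in flagged else ""
        print(f"{client}: {counts[client]} unresolved connection(s){mark}")
```

Resolution state is kept per client rather than globally, so one host's lookups do not vouch for another host's connections; in practice the whitelist and threshold would be tuned to the enterprise, and hosts that use hard-coded addresses (monitoring agents, peer-to-peer software) are the main source of false positives.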

We have also discovered some limits on the detection of malicious activity. Other researchers have proposed various techniques by which programs protect themselves from unauthorized tampering by checksumming (hashing) their own code at runtime; we have found, though, that the sophisticated memory management capabilities of modern computers can be used to defeat such self-checksumming protections [wurster2005], [vanoorschot2005].

We have made progress on mitigating the damage that attacks can cause. One problem we have studied is the propagation of malicious software via instant messaging networks such as AOL Instant Messenger. We have developed techniques for "hardening" these networks to make such propagation more difficult, both via CAPTCHAs and selective message throttling [mannan2005] and via cryptographic protocols [mannan2006].

Another source of security problems is the relatively poor protection that operating systems currently provide between applications. While current solutions attempt to solve this problem by isolating applications in their own virtual machines using a virtual machine monitor (VMM), this hard isolation makes applications less useful by constraining their ability to have legitimate interaction with each other [garfinkel2003a]. As an alternative, we have developed Proxos, a system in which applications split their operating system requests between an untrusted, standard operating system and a private trusted one [ta-min2006]. Such an architecture can allow an application to protect sensitive information (e.g., cryptographic keys, user financial information) in the event of a total compromise of the operating system, but still communicate with other applications in a safe way.

We have also studied the problem of how to make the Internet infrastructure itself more resistant to attack. One problem is that the Border Gateway Protocol (BGP), the basic internetwork routing protocol (used to establish how the different networks of the Internet connect to each other), currently has no mechanisms for guaranteeing the authenticity or correctness of routes [wan2005c]. This lack of authentication and correctness checks has led to significant outages on the Internet, such as one experienced by parts of Google in May 2005 [wan2005a]. To address such problems, we have proposed a new protocol, Pretty Secure BGP (psBGP), which provides both authentication and consistency guarantees for routing update messages [wan2005b], [wan2005d].

Even if the routing tables of the Internet are properly configured, problems can still arise from an overload of packets. Whether those packets originate from a propagating worm or a popular website, the result can be a denial of service. To address this, we have been developing algorithms for dynamically managing network traffic by dividing packets into equivalence classes based upon byte-level similarity and then prioritizing traffic based upon class membership [matrawi2005]. In pursuing this research, we have discovered that it can be very difficult to understand at a high level what type of traffic a network is carrying, particularly in the case of stream-oriented protocols such as web traffic; thus, we have developed a library called qcap for reconstructing and analyzing such streams through the use of protocol grammars [hughes2005], [hughes2006].
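The traffic-management idea above (equivalence classes by byte-level similarity, then priority by class membership) is shown below as an added example; it is not the project's algorithm from [matrawi2005], whose similarity measure and scheduling policy the page does not describe. The example assumes a byte 2-gram Jaccard similarity as the byte-level measure, a greedy single-pass grouping into classes, and the policy that members of large classes (a burst of near-identical payloads, whether from a worm or a flash crowd) are forwarded after members of small ones. The packets are constructed for illustration.

```python
from collections import Counter


def shingles(payload: bytes, n: int = 2) -> frozenset:
    """Byte n-gram set of a payload: the similarity fingerprint used below."""
    return frozenset(payload[i:i + n] for i in range(len(payload) - n + 1))


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def classify(packets, threshold: float = 0.5):
    """Single-pass greedy grouping: a packet joins the first existing class whose
    representative (its founding packet) is at least `threshold` similar,
    otherwise it founds a new class. Returns one class id per packet."""
    reps, labels = [], []
    for p in packets:
        s = shingles(p)
        for cid, rep in enumerate(reps):
            if jaccard(s, rep) >= threshold:
                labels.append(cid)
                break
        else:
            reps.append(s)
            labels.append(len(reps) - 1)
    return labels


def prioritize(packets, labels):
    """Order packets for forwarding: members of small classes first, members of
    large classes last. The sort is stable, so order within a class is kept."""
    sizes = Counter(labels)
    order = sorted(range(len(packets)), key=lambda i: sizes[labels[i]])
    return [packets[i] for i in order]


# Constructed sample packets (not captured traffic): six near-identical
# payloads differing only in their last byte, interleaved with two unrelated
# requests that should end up in classes of their own.
def burst_packet(i: int) -> bytes:
    return b"REPEATED-PAYLOAD-0123456789" + bytes([0x61 + i])


HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
SSH = b"SSH-2.0-OpenSSH_9.0\r\n"
PACKETS = [burst_packet(0), burst_packet(1), HTTP, burst_packet(2),
           burst_packet(3), SSH, burst_packet(4), burst_packet(5)]


if __name__ == "__main__":
    labels = classify(PACKETS)
    print("class sizes:", dict(Counter(labels)))
    for p in prioritize(PACKETS, labels):
        print(p[:24])
```

With the 0.5 threshold the six burst payloads share 25 of their 26 bigrams and fall into one class, while the HTTP and SSH payloads share no bigrams with it and each found their own class; the forwarding order therefore puts the two singleton packets ahead of the burst. In a deployment the class sizes would feed queue weights or rate limits over a sliding window rather than a one-shot sort, and the similarity measure would be chosen per protocol, which is where stream reconstruction such as qcap's becomes necessary.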