Salvatore J. Stolfo - US grants

9313847 Stolfo We study solutions to the performance bottleneck in expert databases using the PARADISER 10 distributed rule processing environment as our testbed. We purpose an approach that combines statically computed restrictions on the rules of a rule program for partitioning the workload of rule evaluation among an arbitrary number of rule program replicas evaluated at distinct processing sites, and dynamic load balancing protocols that update and reorganize the distribution of workload by modifying the restrictions at runtime. (Rules are not redistributed.) Our techniques utilize one form of "meta-data", namely, statistics gathered on the attribute values and size of relations of the underlying database (e.g., number of distinct values of an attribute, number of tuples in a relation etc.) in the algorithms that compute the restrictions on the rules. We analyze the dynamic load balancing protocols in terms of efficiency and scalability criteria, which provide guidance on the expected behavior of the protocols with increasing database size. The proposed research falls into three main categories: (a) workload distribution paradigms among processing sites to ameliorate the performance degradation resulting from scaling up of database size, (b) a suite of load balancing protocols for dynamic "logical" reorganization of the underlying database, and their scaling characteristics, and , (c) experimental validation in the PARADISER expert database environment, using a suite of benchmark rule programs. A fully operational and transferable rule processing environment will be constructed that embodies these results.

This proposal presents research, development, deployment and testing of data-mining and machine learning-based technology for email and instant messaging data, including attached documents and files, and allowing for a broad range of applications for criminal investigation (both evidence gathering and evidence analysis) by law enforcement agencies. This tool can be applied to email and/or account misuse, user behavior-based analyses such as detecting criminal groups using email and Instant Messaging accounts
that communicate with one another, and for the purpose of detecting various roles of the individuals that communicate with each other, as well as the subject matter discussed and exchanged between parties or groups of corresponding parties. Such investigative activities are routinely performed today by law enforcement agencies for criminal intelligence gathering, evidence processing of subpoenaed electronic records and in the detection of stegonographic communications between suspect groups of criminals and terrorists. If successful, this research will substantially improve the productivity of forensic analysis personnel, and support evidence gathering and tracking.

Angelos Keromytis
Columbia University
Enabling Collaborative Self-healing Software Systems
0627473
Panel P060975

Abstract

Collaborative Self-healing Systems (COSS) is a new paradigm for protecting software systems. Software monocultures are widely used applications that share common vulnerabilities. Hence, any attack that exploits one instance of a vulnerable application provides the means for wide-spread damage. The emerging concept of collaborative security, wherein independent but cooperative entities form a group to improve their individual security, provides the opportunity to exploit the homogeneity of a software monoculture for collective and mutual protection. Monocultures can be leveraged to improve an application's overall security and reliability. COSS members running independent instances of the same application will continuously exchange information that allows them to collectively identify new application faults and attacks (collaborative monitoring), identify the core vulnerability shared by all instances of the application (vulnerability identification), and to automatically develop, test and apply fixes (heal the application). Identifying the application vulnerability requires potentially substantial costs in instrumentation and monitoring in each application instance. We leverage the size of a COSS to amortize the cost of monitoring the application's behavior on a per-instance basis by distributing the monitoring task across a large population; each instance only monitors a portion of the common application but collectively the entire application is covered. COSS may be viewed as a large-scale, diverse software-testing facility that allows its members to identify how a potentially large and complex host application behaves at a very fine level of granularity. This project develops, prototypes and evaluates technologies for automatically building collaborative, self-securing software systems, enabling reliable and secure commodity software.

To develop computer security as a science and engineering discipline, metrics need to be defined to evaluate the safety and security of alternative system designs. Security policies are often specified by large organizations but there are no direct means to evaluate how well these policies are followed by human users. The proposed project explores fundamental means of measuring the security posture of large enterprises. Risk management and risk mitigation requires measurement to assess alternative outcomes in any decision process. The project is intended to devise metrics and measurement methods, and test and evaluate these in a real institution, to evaluate how human users behave in a security context. Financial institutions in particular require significant controls over the handling of confidential financial information and employees must adhere to these policies to protect assets, which are subject to continual adversarial attack by thieves and fraudsters. Hence, financial institutions are the primary focus of the measurement work. The technical means of measuring user actions that may violate security policy is performed in a non-intrusive manner. The measurement system uses specially crafted decoy documents and email messages that signal when they have been opened or copied by a user in violation of policy. The project will develop collaborations with financial experts to devise risk models associated with users of information technology within large enterprises. This line of work extends traditional research in computer security by opening up a new area focused on the human aspect of security.