Assessing Trusted Network Access Control Cost-Benefit Factors 

Published in: The Workshop on the Economics of Securing the Information Infrastructure 2006 Proceedings

“Organizations spend millions on security products and services but leave the responsibility of installing and updating these critical security measures in the hands of users, expecting most users to voluntarily comply.” [2] This may adversely affect the security infrastructure and becomes a major problem in maintaining the security posture of computing devices. Organizations may choose to alleviate this problem by acquiring solutions that mandate compliance with the organization’s security implementation and change management policy. Different cost-benefit factors associated with voluntary and mandatory compliance are assessed using the Trusted Network Access Control framework.

Keywords: NAC, Network Access Control, Trusted Computing, Investment Analysis, Cost-benefit factor analysis.

An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack

Published in: IEEE

This paper describes an experimental approach to determine the correlation between port scans and attacks. Discussions in the security community often state that port scans should be considered as precursors to an attack. However, very few studies have been conducted to quantify the validity of this hypothesis. In this paper, attack data were collected using a test-bed dedicated to monitoring attackers.

The data collected consist of port scans, ICMP scans, vulnerability scans, successful attacks and management traffic. Two experiments were performed to validate the hypothesis of linking port scans and vulnerability scans to the number of packets observed per connection. Customized scripts were then developed to filter the collected data and group them on the basis of scans and attacks between a source and destination IP address pair. The correlation of the filtered data groups was assessed. The analyzed data consists of forty-eight days of data collection for two target computers on a heavily utilized subnet.

Susmit Panjwani, Stephanie Tan, Keith M. Jarrin, Michel Cukier, "An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack," dsn, pp.602-611, 2005 International Conference on Dependable Systems and Networks (DSN'05), 2005

A Statistical Analysis of Attack Data to Separate Attacks

Published in: IEEE

This paper analyzes malicious activity collected from a test-bed, consisting of two target computers dedicated solely to the purpose of being attacked, over a 109-day period. We separated port scans, ICMP scans, and vulnerability scans from the malicious activity. In the remaining attack data, over 78% (i.e., 3,677 attacks) targeted port 445, which was then statistically analyzed. The goal was to find the characteristics that most efficiently separate the attacks. First, we separated the attacks by analyzing their messages. Then we separated the attacks by clustering characteristics using the K-Means algorithm. The comparison between the analysis of the messages and the outcome of the K-Means algorithm showed that 1) the means of the distributions of packets, bytes and message lengths over time are poor characteristics for separating attacks and 2) the number of bytes, the mean of the distribution of bytes, and message lengths as a function of the number of packets are the best characteristics for separating attacks.

Michel Cukier, Robin Berthier, Susmit Panjwani, Stephanie Tan, "A Statistical Analysis of Attack Data to Separate Attacks," dsn, pp.383-392, International Conference on Dependable Systems and Networks (DSN'06), 2006
