Research Tasks

GridSec: Enabling Cyber Security and Privacy in Trusted Internet, Grid and Peer-to-Peer Computing Applications
Internet-based Grid platforms and Peer-to-Peer (P2P) systems are emerging as promising computing and information technologies for the future. Professors Kai Hwang, Viktor Prasanna, and Clifford Neuman are supervising 8 Ph.D. students working on 8 topics in the GridSec project. The project is supported by the National Science Foundation to achieve security, privacy, and dependability in distributed supercomputing applications.

Eight research tasks are highlighted below with recent experimental results and research findings. We use DHT-based overlays to detect Internet worms and defend against distributed denial-of-service (DDoS) attacks. We developed new trust and reputation systems for Grid/P2P applications using fuzzy logic and trust overlay networks. We build collaborative intrusion detection systems using data mining over Internet traffic episodes and honeynet data traces released in 2005.

  1. Trust Integration and Security Binding in Grid Computing
  2. Reputation Aggregation for P2P Systems using Overlay Network
  3. WormShield: Collaborative Internet Worm Containment
  4. Defense against Shrew DDoS Attacks
  5. Alert Clustering and Prediction for Intrusion Prevention
  6. Collaborative Intrusion Detection with Signature Generation
  7. Fine-grain Access Control
  8. Intrusion Detection Systems on FPGAs
Download PDF files: Trust Management, Wormshield & DDoS Defense, Intrusion Detection & Alert Correlation

Trust Integration and Security Binding in Grid Computing

Student: Shanshan Song
Supervisor: Prof. Kai Hwang

Trusted Grid computing demands on-line scheduling of parallel jobs with secure outsourcing over Grid sites owned by different organizations. We developed a new security binding technique through trust integration and optimized heuristic scheduling on multiple Grid sites.

A fuzzy trust model is proposed for distributed security enforcement. Security binding is implemented using prior job-execution experiences on the target platforms. Trust integration leads to fortified site security, frequent policy updates, the use of stateful firewalls, and self-defense capabilities. Grid security is enforced by PKI and encrypted tunnels between private networks. These security measures are meant to establish long-term trust relationships among resource sites.

Five performance metrics are developed to measure the effects of security binding through trust integration among Grid resource sites. The performance results are based on NAS benchmark experiments on simulated Grid configurations at USC.

Figure 1. Trust vector propagation and integration among four Grid sites.

Scalable Grid performance is enabled by matching the security demand of user jobs with the trust index of distributed Grid resource sites. A Kiviat graph depicts compound Grid performance, including the makespan, site utilization, job failure rate, job response time, and slowdown ratio. Trusted job outsourcing makes it possible to use open Grid resources with confidence, guaranteed performance, and controllable risks.

Figure 2. A Kiviat graph represents the compound Grid performance based on five performance metrics.

Reputation Aggregation for P2P Systems using Overlay Network

Student: Runfang Zhou
Supervisor: Prof. Kai Hwang

Most reputation systems are based on collecting, aggregating and disseminating feedback. A trust overlay network (TON) is a virtual overlay network representing the trust relationships among peers. With empirical scrutiny of eBay trace data, we observe that the node degree of a TON exhibits a power-law distribution. The power-law distribution in TONs applies to any dynamically growing P2P system.

The DynaTrust system efficiently and effectively aggregates local scores into global reputations for P2P systems. DynaTrust is based on two strategies: Look-ahead Random Walk (LRW) and a Distributed Sorting Mechanism (DSM). LRW is especially efficient in power-law TONs, incurring small message overhead, and works together with DSM.

Figure 3. Trust Overlay Network for a P2P System.

Figure 4. An example of distributed sorting in a 5-node P2P network.

Figure 5. Computation convergence rates of two reputation systems: DynaTrust and EigenTrust, for various TONs under different network conditions.

WormShield: Collaborative Internet Worm Containment

Student: Min Cai
Supervisor: Prof. Kai Hwang

WormShield is a distributed worm signature detection and dissemination system deployed at multiple edge networks. Distributed aggregation trees (DATs) are constructed to aggregate global information. A signature is identified if both the global prevalence and the address dispersion exceed their thresholds. Signatures are disseminated to other monitors using efficient broadcasting on a Chord overlay.

We simulated CodeRed-like worms on an Internet configuration of 105,246 edge networks and 338,562 vulnerable hosts, using a BGP table snapshot from RouteViews taken on July 19th, 2001. Collaborative monitors detect signatures about 10 times faster than independent monitors when Gp=10,000. The number of infected hosts is reduced about 27 times when 1% of the vulnerable edge networks are monitored.
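As an added illustration (not WormShield's own code), the signature criterion above in Python: each monitor tallies, per content fingerprint, the prevalence and the distinct source and destination addresses it has seen, and a DAT-style aggregation sums the counts and unions the address sets, so content that stays below threshold at every single monitor still crosses it globally. The k-gram fingerprint, the traffic and the thresholds are constructed assumptions.

```python
from collections import defaultdict

K = 8  # k-gram length used as a content fingerprint (assumption; WormShield's own fingerprinting differs)

def local_stats(packets, k=K):
    """One monitor's view: for each k-gram in a payload, count the packets that
    carried it (prevalence) and collect the distinct source/destination addresses."""
    stats = defaultdict(lambda: {"prev": 0, "src": set(), "dst": set()})
    for src, dst, payload in packets:
        for gram in {payload[i:i + k] for i in range(len(payload) - k + 1)}:
            s = stats[gram]
            s["prev"] += 1
            s["src"].add(src)
            s["dst"].add(dst)
    return stats

def aggregate(views):
    """Global view as formed at the root of a distributed aggregation tree:
    prevalence counts add up, address sets are unioned."""
    g = defaultdict(lambda: {"prev": 0, "src": set(), "dst": set()})
    for stats in views:
        for gram, s in stats.items():
            g[gram]["prev"] += s["prev"]
            g[gram]["src"] |= s["src"]
            g[gram]["dst"] |= s["dst"]
    return g

def signatures(stats, prev_thr=5, src_thr=4, dst_thr=4):
    """Content is a worm signature only if prevalence AND both address-dispersion
    measures reach their thresholds (threshold values are assumptions)."""
    return sorted(gram for gram, s in stats.items()
                  if s["prev"] >= prev_thr
                  and len(s["src"]) >= src_thr and len(s["dst"]) >= dst_thr)

# Constructed traffic: each monitor sees three worm packets (invariant payload
# prefix, varying tail); monitor A also sees one popular server answering many clients.
WORM = "CONSTRUCTED-WORM-PAYLOAD"
MONITOR_A = [(f"10.0.{i}.1", f"10.1.{i}.1", WORM + f" nonce{i}") for i in range(3)]
MONITOR_B = [(f"10.2.{i}.1", f"10.3.{i}.1", WORM + f" nonce{i}") for i in range(3)]
MONITOR_A += [("10.9.9.9", f"10.4.{i}.1", "HTTP/1.0 200 OK popular page") for i in range(6)]

def local_detection():
    """Each monitor alone: worm prevalence is 3 at each site, below threshold."""
    return signatures(local_stats(MONITOR_A)), signatures(local_stats(MONITOR_B))

def global_detection():
    """Aggregated view: prevalence 6 from 6 sources to 6 destinations, flagged.
    The popular page has high prevalence but a single source, so it is not."""
    return signatures(aggregate([local_stats(MONITOR_A), local_stats(MONITOR_B)]))
```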

Figure 6. Collaborative worm containment based on DHT overlay networks.

Figure 7. *****.

Figure 8. *****.

Defense against Shrew DDoS Attacks

Student: Yu Chen
Supervisor: Prof. Kai Hwang

Periodic shrew DDoS attacks throttle legitimate TCP flows by creating low-rate, pulsing congestion. They are stealthy and harder to detect, beyond the capability of ordinary traffic-volume analysis tools, and they cause more damage because the victims may not be aware of the shrew attack for a long time.

The defense solution is based on recognizing the distinctive low-frequency power spectral distribution of shrew DDoS flows. Through NS2 simulation experiments, we demonstrated that the defense scheme can effectively segregate malicious shrew DDoS flows from legitimate TCP flows. The legitimate TCP flows are thus rescued under shrew attacks.
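Added example, not the project's code: a minimal version of the spectral test on per-flow packet-count time series, using a naive DFT so it runs without extra libraries. The bin width, cutoff frequency, detection threshold and both constructed flows are assumptions chosen to show the contrast, not values from the paper.

```python
import math
import random

BIN_SEC = 0.01  # width of each sampling bin of the packet-count series (assumed: 10 ms)

def ac_power_spectrum(series):
    """Naive DFT of the mean-removed series; returns |X_k|^2 for k = 1..N/2.
    Removing the mean drops the DC term, so only the shape of the flow counts."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    spectrum = []
    for k in range(1, n // 2 + 1):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        spectrum.append(re * re + im * im)
    return spectrum

def low_frequency_fraction(series, cutoff_hz, bin_sec=BIN_SEC):
    """Share of AC spectral energy below cutoff_hz; a shrew flow, being a slow
    periodic pulse train, pushes this share towards 1."""
    spectrum = ac_power_spectrum(series)
    total = sum(spectrum)
    if total == 0:
        return 1.0  # a perfectly constant-rate flow has no AC energy at all
    n = len(series)
    low = sum(p for k, p in enumerate(spectrum, start=1) if k / (n * bin_sec) < cutoff_hz)
    return low / total

def is_shrew(series, cutoff_hz=10.0, threshold=0.6):
    """Flag a flow as shrew-like when most of its energy sits below cutoff_hz
    (cutoff and threshold are assumed values for this constructed example)."""
    return low_frequency_fraction(series, cutoff_hz) > threshold

def shrew_flow(n_bins=500, period_bins=100, burst_bins=10, burst_pkts=20):
    """Constructed shrew flow: a 100 ms burst every 1 s (100 bins of 10 ms)."""
    return [burst_pkts if t % period_bins < burst_bins else 0 for t in range(n_bins)]

def legit_flow(n_bins=500, seed=1):
    """Constructed legitimate flow: irregular packet counts with no slow periodicity."""
    rng = random.Random(seed)
    return [rng.randint(0, 3) for _ in range(n_bins)]
```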

Figure 9. Shrew DDoS attack flows present low frequency energy distribution compared with other Internet flows.

Figure 10. Compared with Drop Tail algorithm, our scheme effectively saves TCP flows by filtering out the malicious flows.

Alert Clustering and Prediction for Intrusion Prevention

Student: Xiaosong Lou
Supervisor: Prof. Kai Hwang

The system clusters and predicts alerts based on the inherent temporal relations among intrusion alerts. The number of alerts is reduced by more than 90%. Most attack patterns are disrupted with low mis-prediction rates, and performance is insensitive to parameter variations, which makes the system easier to implement.

Figure 11. Illustration of the Intrusion Prediction System.

Figure 12. The average alert cluster size (in terms of alerts) increases as the number of alert clusters decreases.

Figure 13. While the optimal Retiring Interval is 480 seconds, the Disruption Ratio of the system stays above 96% over a wide range of Retiring Interval values.

Figure 14. Similar to the Disruption Ratio, the system provides a very low Mis-prediction Rate (less than 4%) when the Retiring Interval is set anywhere in a wide range around the optimal value of 480 seconds. This greatly improves the practicality of implementing the system.

Collaborative Intrusion Detection with Signature Generation

Student: Ying Chen
Supervisor: Prof. Kai Hwang

This task combines a misuse-based IDS with an anomaly detection system (ADS) to detect attacks both with and without known signatures. Data mining of Internet connection episodes is used for normal-traffic profiling and automated attack-signature generation.

The experiment is based on the DARPA 1999 Intrusion Detection Evaluation Data Set mixed with real network data from USC. On average, the CIDAS improves the intrusion detection rate by 51% over Snort and by 40% over the ADS.

Figure 14. CAIDS.

Figure 15. ROC curves for four attack classes using the CIDAS.

Figure 16. ROC curves showing the average intrusion detection rates of the three systems.

Fine-grain Access Control

Student: Li Zhou
Supervisor: Prof. Clifford Neuman

This task extends the GAA/API software tools and the policy update technique developed at ISI to provide fine-grain access control.

Intrusion Detection Systems on FPGAs

Student: Zachary K. Baker
Supervisor: Prof. Viktor Prasanna

This task integrates efficient intrusion detection systems and attack databases system-wide on field-programmable gate arrays (FPGAs) to enable real-time data mining for network security control.

Last Update: August 29, 2005