TRUST Security Seminar

   Steven Bellovin, Columbia University

   Thursday, September 1, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. From more or less any perspective, we have failed in our attempts to build secure systems. We argue that given one uncontroversial assumption -- that bug-free code is impossible, if only because we cannot construct bug-free specifications -- this is unlikely to change. Doing the same thing over and over again and expecting a different result is one class definition of insanity, but that's what security people have been doing. Instead, we outline a fundamentally different approach to security, called resilient system design.  

Steven Bellovin is a professor of computer science at Columbia University, where he does research on networks, security, and especially why the two don't get along. He joined the faculty in 2005 after many years at Bell Labs and AT&T Labs Research, where he was an AT&T Fellow. He received a BA degree from Columbia University, and an MS and PhD in Computer Science from the University of North Carolina at Chapel Hill. While a graduate student, he helped create Netnews; for this, he and the other perpetrators were given the 1995 Usenix Lifetime Achievement Award (The Flame). He is a member of the National Academy of Engineering and is serving on the Computer Science and Telecommunications Board of the National Academies, the Department of Homeland Security's Science and Technology Advisory Committee, and the Technical Guidelines Development Committee of the Election Assistance Commission; he has also received the 2007 NIST/NSA National Computer Systems Security Award.

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds a number patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs; he was also a member > of the information technology subcommittee of an NRC study group on science versus terrorism. He was a member of the Internet Architecture Board from 1996-2002; he was co-director of the Security Area of the IETF from 2002 through 2004.

   Adam J. O'Donnell, Sourcefire

   Thursday, September 8, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. With a healthy dose of technologies and techniques borrowed from big-data companies such as Google and Facebook, engineers in the security industry have led a sea change in how security products are designed and implemented. Rather than rely upon ad hoc threat detection networks and loose partnerships with other security firms to detect new threats, security firms are moving to cloud-based product models, where threat information for malicious network traffic, malware, and various forms of attacks is centrally aggregated and processed from endpoints. Large teams of analysts-focused manual identification of threats are now being displaced by data mining and machine learning, pushing the effective time to live of an attack from weeks to hours. In this talk I will provide an overview of how it's been done.  

Adam J. O'Donnell is the Chief Architect in the Cloud Technology Group at Sourcefire, a computer security company based in Columbia, Maryland, where is he responsible for the architecture and development of Sourcefire's cloud antivirus infrastructure. He joined Sourcefire through its 2010 acquisition of Immunet, the Palo Alto-based cloud antivirus firm, where he served as the co-founder and director of cloud engineering. Prior to Sourcefire and Immunet, he developed a number of technologies for filtering spam in e-mail and social networks at Cloudmark and held positions at managed security services firms Guardent and The Logan Group. Adam has contributed to and co-authored several books, including the Hacker's Challenge series and Building Open Source Network Security Tools, and has served as a contributor to IEEE Security and Privacy and the ZDNet Zero Day blog. He is frequently quoted by leading publications such as USA Today and the Wall Street Journal. Adam completed his Ph.D. as a NSF Graduate Research Fellow in Drexel University's Department of Electrical and Computer Engineering in 2005.

   Alefiya Hussain, University of Southern California

   Thursday, September 15, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. In the area of cyber security research, the ability to rapidly and systematically explore a threat scenario is a key enabler. Systematically exploring a threat scenario typically requires several iterations of integrating and parameterizing the components, instantiating the components, and comparing the results. This process currently is ad hoc and hard to repeat.

In this talk, I will discuss recent tools and methodologies developed at DETERLab, a cyber security experimentation facility, that provide a collaborative environment where experimenters can iteratively build on their own work and the work of others to design, execute, and analyze their cyber security experiments.

Alefiya Hussain is a Computer Scientist at USC/Information Sciences Institute where her research in focused on cyber security and networked systems. Alefiya received a Ph.D. in Computer Science from University of Southern California in 2005, and a B.E. in Computer Engineering from University of Pune, India in 1997. Alefiya worked at Sparta Inc. for five years prior to joining USC/ISI.

   Kameshwar Poolla, University of California, Berkeley

   Thursday, September 22, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. Real power injections at loads and generators, and real power flows on selected lines in a transmission network are monitored, transmitted over a SCADA network to the system operator, and used in state estimation algorithms to make dispatch, re-balance and other Energy Management System decisions.Coordinated cyber-attacks of power meter readings can be arranged to be undetectable by any bad data detection algorithm. These unobservable attacks present a serious threat to grid operations. Of particular interest are sparse attacks that involve the compromise of a modest number of meter readings.

We present an efficient algorithm to find all unobservable attacks [under standard DC load flow approximations] involving the compromise of exactly two power injection meters and an arbitrary number of power meters on lines. This requires O(n2m) flops for a power system with n buses and m line meters. If all lines are metered, there exist canonical forms that characterize all 3, 4, and 5- sparse unobservable attacks. These can be quickly detected in power systems using standard graph algorithms. We argue that these characterizations apply to the full nonlinear power flow model also. Known-secure phase measurement units [PMUs] can be used as countermeasures against an arbitrary collection of cyber-attacks. (p + 1) PMUs at carefully chosen buses are sufficient to neutralize a collection of p cyber-attacks. We conclude with a discuss of open problems and opportunities in cyber-security of electricity grids.

Kameshwar Poolla is the Cadence Distinguished Professor at UC Berkeley. He also currently serves as the Director of the IMPACT center for Integrated Circuit manufacturing at the University of California. He has worked as a Field Engineer with Schlumberger on oilrigs in West Africa. In 1999, he co-founded OnWafer Technologies which offers metrology based yield enhancement solutions for the semiconductor industry. OnWafer was acquired by KLA-Tencor in 2007. He has also serves as a technology and mergers/acquisitions consultant for Cadence Design Systems.

Dr. Poolla has been awarded a 1988 NSF Presidential Young Investigator Award, the 1993 Hugo Schuck Best Paper Prize, the 1994 Eckman Award,the 1998 Distinguished Teaching Award of the University of California, and the IEEE Transactions on Semiconductor Manufacturing Best Paper Prizes in 2005 and 2007. His research interests are in Power System operations, Renewable Integration, Cyber-security, Electricity Markets, and Smart-Grid infrastructure technologies.

   Prateek Saxena, University of California, Berkeley

   Thursday, September 29, 2011 at 1:00 PM
   540 Cory Hall    <-----NOTE DIFFERENT LOCATION

Abstract. The web platform: it brings us most services today, but also exposes us to more harm than ever before. This talk describes a class of vulnerabilities that plagues nearly all major web applications, several web browser components and even embedded devices. Through empirical analyses, we investigate why these vulnerabilities are so wide-spread. We propose new analysis and defense techniques to eliminate these vulnerabilities in existing and emerging systems. Some of these techniques are now deployed in Google products and protect services such as Google+.    

Prateek Saxena is a graduate student at UC Berkeley. His research interests are in computer security and its intersection with programming languages, formal methods and operating systems. He is actively involved in two umbrella research projects at UC Berkeley: BitBlaze and Webblaze. He is a recipient of the Symantec Research Labs Graduate Fellowship 2011-12 and his work received the AT&T Award for Best Applied Security Research Paper in 2010. He earned his MS in Computer Science from Stony Brook University in 2007.

   Alvaro Cardenas, Fujitsu Laboratories of America

   Thursday, October 6, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. The smart grid refers to multiple efforts around the globe to modernize aging power grid infrastructures with new technologies, enabling a more intelligently networked automated system. The goal of a smart grid is to deliver energy with greater efficiency, reliability, security and provide more transparency and choice, to electricity consumers.

While the smart grid promises many benefits, it raises many new security and privacy challenges with its large-scale deployment of ubiquitous, remotely accessible networked devices, and their fine-grained data collection.

The first part of this talk will give a broad view on the security and privacy landscape of the industry and the current efforts by several groups (like the NIST CSWG, NERC CIP, and state regulators) to secure it and some of the current gaps. The second part of the talk will focus on a security study of smart meters and propose attack-detection countermeasures by time series analysis of smart meter data.

Alvaro Cardenas is a research staff engineer at Fujitsu Laboratories of America. His research focuses on smart grid, machine learning and statistical methods applied to security, cyber-physical systems security and wireless communications for embedded systems and the Internet of Things. He has received numerous awards for his research including a best paper award from the U.S. Army Research Office, a best presentation award from the IEEE, a fellowship from the University of Maryland, and a Distinguished Assistantship from the Institute of Systems Research. Alvaro holds M.S. and Ph.D. degrees from the University of Maryland, College Park, and a B.S. from Universidad de los Andes. He was a postdoctoral fellow at the University of California, Berkeley before joining Fujitsu Labs. He was also an invited visiting professor at the University of Cagliari.

   Sami Ayyorgun, Telcordia Technologies

   Thursday, October 13, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. A methodology for modeling Distributed Energy Resources (DERs) will be presented. Desired properties of the modeling suite include being generic (i.e. not specific to a DER), host neutral (i.e. not specific to a hosting platform), self-x (i.e. self-adjusting, automated), and online (relies on input up to current time). A methodology for having increased cybersecurity for Smart Grid will also be presented, where focus will be on C12.22, C37.118, and ICCP protocols.

Sami Ayyorgun is currently a Director & Senior Scientist in Applied Research of Telcordia Technologies. Previously, he had been a Technical Staff Member at Los Alamos National Laboratory of the U.S. Department of Energy. His current research interests are focused on modeling, simulation, emulation, optimization, cybersecurity involving the Smart Grid. He received his PhD in Electrical and Computer in Engineering from University of California in San Diego in 2001.

   Thursday, October 20, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. Malicious softwares or malwares for short have become a major security threat. While originating in criminal behavior, their impact are also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities.

An unexplored direction of this challenge consists in under- standing how to align the incentives of the agents of a large network towards a better security. This paper addresses this new line of research. We start with an economic model for a single agent, that determines the optimal amount to invest in protection.

The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection to ensure that the optimal amount spent on security is an increasing function of the agent’s vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested.Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards a better secu- rity. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities.Moreover if our conditions are not satisfied, incentives can be aligned towards a lower security leading to an equilibrium with a very high price of anarchy.

Marc Lelarge is a INRIA researcher in the computer science department of Ecole Normale Superieure in Paris. Marc graduated from Ecole Polytechnique (Palaiseau, France) in 1999 and qualified as an engineer at Ecole Nationale Superieure des Telecommunications (Paris, France) in 2001. He received his PhD degree in Applied Mathematics from Ecole Polytechnique in 2005. His reasearch interests include random graphs, combinatorial optimization, economics of networks, and stochastic networks.

   Thursday, October 27, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract In this talk we will suggest that some of the things which make a network vulnerable and difficult manage paradoxically also make it robust and difficult to destroy. We will suggest that there are related lessons to be learned from biology that should be considered in network architecture and configuration. We will go on to offer a view of important challenges that are certain confront us in the future when humans actually 'join' the network in new ways. Finally, we will describe what the NSA Mathematical Science Program offers and new NSA initiatives to address the "Science of Security."    

Floyd B. Cole, III is a Cryptologic Mathematician currently directs all Special Projects for the Research Directorate (RD) of NSA. In 1970, upon completion of active duty with the United States Army, Dr. Cole began his civilian career with NSA in the Office of Techniques and Standards. During his years at the Agency, Dr. Cole has been detailed to the Office of COMSEC Evaluations, the Communications Research Division of the Institute for Defense Analyses (now Center for Communications Research, Princeton, New Jersey), the Office of Operations Analysis, and the Office of Reconnaissance and Telecommunications. Between these detail assignments, Dr. Cole spent the majority of his career as a Cryptologic Mathematician in the Office of Mathematical Research. He assumed a position as Technical Director of the Research Directorate, RD, in the fall of 1999. Throughout his Agency career, Dr. Cole has remained in technical positions except for a brief time serving as Acting Chief of the Consultation Division in the Office of Mathematical Research. For more than seven years Dr. Cole was the Technical Director of the Research Director and acted as the Deputy Director for another year. He has chaired many technical conferences involving experts from NSA and the academic/industrial community. He has directed major research efforts including 3 SCAMP and 2 ESCORT workshops. Dr. Cole has served as the technical advisor on a system acquisition team for major Agency computer systems. He has also led several research efforts with second parties and foreign partners. Dr. Cole remained an active participant in the USAR, Military Intelligence Branch, until he was retired with the rank of Lt. Colonel in 1988. During his active service, he trained on tours at Ft. Devens, MA, Arlington Hall Station, VA, and Vint Hill Farms, VA. In his present capacity, Dr. Cole often represents NSA on the Intelligence Community's interagency committees and intergovernmental working groups. He serves as the NSA representative on a number of advisory/evaluation boards for National Laboratories and FFRDC's.

Dr. Cole graduated from Davidson College, Davidson, NC in 1963 with a BS degree in Mathematics and English. He attended Rutgers University, New Brunswick, NJ, where he received a MS degree in 1965 and his Ph.D. in 1968, both in Mathematics. His doctoral dissertation was in a branch of mathematical logic known as Recursive Function Theory. While serving in the USAR, Dr. Cole completed the basic and advanced courses in intelligence and security as well as numerous other courses and seminars in strategic intelligence. Dr. Cole has taught for many colleges and universities. In 2007 Dr. Cole spent a sabbatical year as the Distinguished Visiting Professor of Mathematics at the US Military Academy, West Point, where he taught courses and facilitated engagement between the Academy and NSA. Currently, he is a faculty member at the University of Maryland teaching advanced courses in Mathematics and Computer Science at both the Baltimore County and College Park campuses. Dr. Cole regularly participates in the academic peer review process for government research grants. He is also an active participant in the NSA Mathematics Outreach Program through which he often speaks on mathematical topics to students at all levels from elementary through graduate school. He regularly attends meetings of the American Mathematical Society where he is actively involved in recruiting mathematical talent for NSA.

   HOTEL PALOMAR, WASHINGTON, D.C.

    November 2-3, 2011
  

   Munther Dahleh, Massachusetts Institute of Technology

   Thursday, November 10, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. In this talk, we present recent results on the stability and robustness properties of transportation networks with respect to the agents' route choice behavior. We perform the analysis within a dynamical system framework over a directed acyclic graph between a single origin-destination pair. The dynamical system is composed of ordinary differential equations (ODEs), one for every link of the graph. Every ODE is a mass balance equation for the corresponding link, where the inflow term is a function of the agents' route choice behavior and the arrival rate at the base node of that link, and the outflow term is a function of the congestion properties of the link. We propose a novel decision framework, where the drivers combine their historical knowledge about the global congestion levels with real-time local information to make route choice decisions at every node. We show that, if the rate of update of global information is sufficiently slow and if the drivers make route choice decisions cooperatively, then the Wardrop equilibrium is globally asymptotically stable. We then study the resilience of the flow transferring capability of the whole network under disturbances that reduce the flow carrying capacity of the links. In particular, we characterize various margins of resilience of the network with respect to the topology, 'pre-disturbance' equilibrium and agents' local route choice behavior. We show that the cooperative route choice behavior is maximally resilient in this setting. We also setup a simple convex optimization problem to find the most resilient 'pre-disturbance' equilibrium for the network and determine link-wise tolls that yield such an equilibrium. Finally, we extend our analysis to link-wise outflow functions that accommodate the possibility of cascaded failures and study the effect of such phenomena on the margins of resilience of the network.

**This work is done in collaboration with Giacomo Como, Ketan Savla, Daron Acemoglu, and Emilio Frazzoli.

Munther A. Dahleh joined LIDS as an assistant professor of EECS in 1987 and became a full professor in 1998. He is currently the associate director of MIT's Laboratory for Information and Decision Systems. He spent the spring of 1993 as a visiting professor in the Department of Electrical Engineering, California Institute of Technology and has held consulting positions with several companies in the U.S. and abroad.

Dr. Dahleh is interested in problems at the interface of robust control, filtering, information theory, and computation, which include control problems with communication constraints and distributed mobile agents with local decision capabilities. His interests include problems in network science, such as distributed computation over noisy networks and information propagation over complex social networks. He also studies model reduction problems for discrete-alphabet hidden Markov models and universal learning approaches for systems with both continuous and discrete alphabets. His research includes the interface between systems theory and neurobiology, and in particular, providing an anatomically consistent model of the motor control system.

   Rahul Telang, Carnegie Mellon University

   Thursday, November 17, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. We study the effect of hospital market concentration on the quality of patient data protection practices. We use approximately 200 reported data breaches in US hospitals over the period 2006 - 2011 as a measure of the quality of patient data protection practices.

Treating each Metropolitan Statistical Area (MSA) as a distinct hospital market, we measure market concentration by calculating the Herfindahl-Hirschman Index (HHI) in each of these markets. Surprisingly, we find that increased hospital market concentration (lower competition) is associated with increased quality of patient data protection practices. We use a number of specifications to model the count of incidents, the number of records breached, and the severity of data breaches. All of these specifications suggest a positive association between hospital market concentration and quality of patient data protection.

Rahul Telang is professor of Information systems and Management at the Heinz College at Carnegie Mellon University. He has been at the Heinz College since 2002 and predominantly teaches in the School of Information Systems and Management. Professor Telang's research interest lies in two major domains. First is on Digital Media Industry with a particular focus on digitization of songs, movies, TV and books is affecting the incentives of content provider, content distributors as well public policy challenges in terms of innovation and copyright. In particular, he has examined the issue proliferation of distribution platforms including online piracy and its impact on traditional music, movies and books industry. Recently, he is investigating the role of social networks on music diffusion, technology adoption, and employee job search. Some of his prior work explored the challenges of interaction of multiple platforms (web portals vs telephony for customer service; SMS and voice for cellular phones). He was the recipient of Sloan Foundation Industry Study fellowship for his work in this domain and co-directs the Digital Media Research thrust at iLAB, an inter-disciplinary research center at the Heinz College. His work is also funded extensively by industry participants including Google, Disney and so on. He is also deputy director of a large and ambitious project called "living analytics" which is a joint endeavor between Singapore Management University and The Heinz College and CMU. He will be directing projects related to digital and social media.

His second area of work is on economics of information security and privacy. His key interest is in understanding the incentives of various parties (users, firms and hackers), what markets fail, and how to create a useful policy framework and how to measure the effectiveness of such policies. He has examined the issue of software vendors' incentives to improve the quality of their products, and their incentives to release timely patches. In this context his work explores how different policies, competition and security standards shape these incentives. His work explored the controversy surrounding vulnerability disclosure, vulnerability markets and their role in generating optimal outcomes. Recently, he has been examining the role of data breach disclosure laws on identity thefts. He was the recipient of NSF CAREER award for his work on economics of information security. He is also part of Cylab and Institute for Infrastructure Protection (I3P).

   Thursday, November 24, 2011
  

   J. Alex Halderman, University of Michigan

   Thursday, December 1, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. In this talk I will present Telex, a new approach to circumventing repressive governments' Internet censorship. Most anticensorship systems work by making encrypted connections to proxy servers outside the censor's network, but this leads to a cat-and-mouse game, where the censor attempts to discover the server addresses and block them. Telex avoids this by operating in the network infrastructure - through cooperation with ISPs between the censor's network and non-blocked portions of the Internet - rather than at network end points. This approach, which we call "end-to-middle" proxying, makes Telex significantly more robust that previous approaches against the censor's countermeasures. We envision that friendly countries will create incentives for ISPs to deploy Telex, providing a state-level response to state-level censorship. For more information and a live prototype, visit https://telex.cc.    

J. Alex Halderman is an assistant professor of electrical engineering and computer science at the University of Michigan, where his research spans applied computer security and tech-centric public policy. Topics that interest Alex include software security, data privacy, electronic voting, censorship resistance, digital rights management, and cybercrime, as well as technological aspects of intellectual property law and government regulation. He is best known for his work developing the "cold boot attack" against disk encryption systems, for exposing the Sony DRM rootkit and other harmful side effects of DRM, and for finding security flaws in many different electronic voting systems. Recently, Halderman and his students participated in a public trial of an Internet voting system fielded by the city of Washington, D.C.; within 36 hours, they were able to take control of the servers and change every vote.

   Nickolai Zeldovich, Massachusetts Institute of Technology

   Thursday, December 8, 2011 at 1:00 PM
   540 Cory Hall    <-----NOTE DIFFERENT LOCATION

Abstract. Virtually any computer system can be compromised. New vulnerabilities are discovered and exploited daily, and even if the base system is secure, unaware users may install malware along with free screensavers or greeting cards they download from the Internet, or click on dialog boxes with little understanding of the consequences. Cleaning up after these inevitable compromises leads to days of wasted effort by users or system administrators, with no conclusive guarantee that all traces of the attack are gone, or that no legitimate changes are lost. This talk will present our recent work on undo computing, which aims to efficiently and precisely recover system integrity by undoing attacks that occurred in the past.

The key challenge in recovering integrity after an intrusion lies in undoing all side effects of the attack while preserving legitimate changes to the same system. Our approach is to combine fine-grained rollback with precise dependency tracking and re-execution of affected computations, which allows us to re-apply legitimate changes after rollback undoes the effects of the attack. I will describe two systems that we have built along these lines: Retro, which recovers from intrusions at the level of system calls in a Linux system, and Warp, which recovers from attacks on web applications.

Nickolai Zeldovich is the Douglas T. Ross Career Development Assistant Professor at MIT's EECS department and a member of the Computer Science and Artificial Intelligence Laboratory. His research interests are in building practical secure systems, from operating systems and hardware to programming languages and security analysis tools. He received his PhD from Stanford University in 2008, where he developed HiStar, an operating system designed to minimize the amount of trusted code by controlling information flow. In 2005, he co-founded MokaFive, a company focused on improving desktop management and mobility using x86 virtualization. Prof. Zeldovich received a Sloan fellowship in 2010, and an NSF CAREER award in 2011.

Details about how the seminar is managed can be found at How is the TRUST Seminar managed?