Browsing by Author "Raymond, David Richard"

Now showing 1 - 16 of 16
  • Thumbnail Image
    Automatic Internet of Things Device Category Identification using Traffic Rates
    Hsu, Alexander Sirui (Virginia Tech, 2019-03-12)
    Due to the ever increasing supply of new Internet of Things (IoT) devices being added onto a network, it is vital secure the devices from incoming cyber threats. The manufacturing process of creating and developing a new IoT device allows many new companies to come out with their own device. These devices also increase the network risk because many IoT devices are created without proper security implementation. Utilizing traffic patterns as a method of device type detection will allow behavior identification using only Internet Protocol (IP) header information. The network traffic captured from 20 IoT devices belonging to 4 distinct types (IP camera, on/off switch, motion sensor, and temperature sensor) are generalized and used to identify new devices previously unseen on the network. Our results indicate some categories have patterns that are easier to generalize, while other categories are harder but we are still able recognize some unique characteristics. We also are able to deploy this in a test production network and adapted previous methods to handle streaming traffic and an additional noise categorization capable of identify non-IoT devices. The performance of our model is varied between classes, signifying that much future work has to be done to increase the classification score and overall usefulness.
  • Thumbnail Image
    Cybersecurity for the Internet of Things:  A Micro Moving Target IPv6 Defense
    Zeitz, Kimberly Ann (Virginia Tech, 2019-09-04)
    As the use of low-power and low-resource embedded devices continues to increase dramatically with the introduction of new Internet of Things (IoT) devices, security techniques are necessary which are compatible with these devices. This research advances the knowledge in the area of cybersecurity for the IoT through the exploration of a moving target defense to apply for limiting the time attackers may conduct reconnaissance on embedded systems while considering the challenges presented from IoT devices such as resource and performance constraints. We introduce the design and optimizations for µMT6D, a Micro-Moving Target IPv6 Defense, including a description of the modes of operation and use of lightweight hash algorithms. Through simulations and experiments µMT6D is shown to be viable for use on low power and low resource embedded devices in terms of footprint, power consumption, and energy consumption increases in comparison to the given security benefits. Finally, this provides information on other future considerations and possible avenues of further experimentation and research.
  • Thumbnail Image
    Deceptive Environments for Cybersecurity Defense on Low-power Devices
    Kedrowitsch, Alexander Lee (Virginia Tech, 2017-06-05)
    The ever-evolving nature of botnets have made constant malware collection an absolute necessity for security researchers in order to analyze and investigate the latest, nefarious means by which bots exploit their targets and operate in concert with each other and their bot master. In that effort of on-going data collection, honeypots have established themselves as a curious and useful tool for deception-based security. Low-powered devices, such as the Raspberry Pi, have found a natural home with some categories of honeypots and are being embraced by the honeypot community. Due to the low cost of these devices, new techniques are being explored to employ multiple honeypots within a network to act as sensors, collecting activity reports and captured malicious binaries to back-end servers for later analysis and network threat assessments. While these techniques are just beginning to gain their stride within the security community, they are held back due to the minimal amount of deception a traditional honeypot on a low-powered device is capable of delivering. This thesis seeks to make a preliminary investigation into the viability of using Linux containers to greatly expand the deception possible on low-powered devices by providing isolation and containment of full system images with minimal resource overhead. It is argued that employing Linux containers on low-powered device honeypots enables an entire category of honeypots previously unavailable on such hardware platforms. In addition to granting previously unavailable interaction with honeypots on Raspberry Pis, the use of Linux containers grants unique advantages that have not previously been explored by security researchers, such as the ability to defeat many types of virtual environment and monitoring tool detection methods.
  • Thumbnail Image
    Denial-of-Sleep Vulnerabilities and Defenses in Wireless Sensor Network MAC Protocols
    Raymond, David Richard (Virginia Tech, 2008-03-25)
    As wireless sensor platforms become less expensive and more powerful, the promise of their wide-spread use for everything from health monitoring to military sensing continues to increase. Like other networks, sensor networks are vulnerable to malicious attack; however, the hardware simplicity of these devices makes defense mechanisms designed for traditional networks infeasible. This work explores the denial-of-sleep attack, in which a sensor node's power supply is targeted. Attacks of this type can reduce sensor lifetime from years to days and can have a devastating impact on a sensor network. This work identifies vulnerabilities in state-of-the-art sensor network medium access control (MAC) protocols that leave them susceptible to denial-of-sleep attack. It then classifies these attacks in terms of an attacker's knowledge of the MAC layer protocol and ability to bypass authentication and encryption protocols. Attacks from each category in the classification are modeled to show the impacts on four current sensor network MAC protocols: S-MAC, T-MAC, B-MAC and G-MAC. To validate the effectiveness and analyze the efficiency of the attacks, implementations of selected attacks on S-MAC and T-MAC are described and analyzed in detail. This research goes on to introduce a suite of mechanisms designed to detect and mitigate the effects of denial-of-sleep attacks on sensor networks. The Clustered Anti Sleep-Deprivation for Sensor Networks, or Caisson, suite includes a lightweight, platform-independent anti-replay mechanism, an adaptive rate-limiter and a jamming detection and mitigation mechanism. These tools are designed to be applied selectively or in concert to defend against denial-of-sleep attacks depending on the specific vulnerabilities in the MAC protocol used in a particular sensor network deployment. This work makes two major contributions to state-of-the-art wireless sensor network research. First, it fully explores the denial-of-sleep attack, to include the implementation of a subset of these attacks on actual sensor devices and an analysis of the efficiency of these attacks. Second, it provides a set of tools by which these attacks are detected and defeated in a lightweight, platform-independent, and protocol-independent way. If sensor networks are to live up to current expectations, they must be robust in the face of newly emerging network attacks, to include denial-of-sleep.
  • Thumbnail Image
    Designing PhelkStat: Big Data Analytics for System Event Logs
    Salman, Mohammed; Welch, Brian; Raymond, David Richard; Marchany, Randolph C.; Tront, Joseph G. (HICSS Symposium on Cybersecurity Big Data Analytics, 2017-01-04)
    With wider adoption of micro-service based architectures in cloud and distributed systems, logging and monitoring costs have become increasingly relevant topics of research. There are a large number of log analysis tools such as the ELK(ElasticSearch, Logstash and Kibana) stack, Apache Spark, Sumo Logic, and Loggly, among many others. These tools have been deployed to perform anomaly detection, diagnose threats, optimize performance, and troubleshoot systems. Due to the real-time and distributed nature of logging, there will always be a need to optimize the performance of these tools; this performance can be quantified in terms of compute, storage, and network utilization. As part of the Information Technology Security Lab at Virginia Tech, we have the unique ability to leverage production data from the university network for research and testing. We analyzed the workload variations from two production systems at Virginia Tech, finding that the maximum workload is about four times the average workload. Therefore, a static configuration can lead to an inefficient use of resources. To address this, we propose PhelkStat: a tool to evaluate the temporal and spatial attributes of system workloads, using clustering algorithms to categorize the current workload. Using PhelkStat, system parameters can be automatically tweaked based on the workload. This paper reviews publicly available system event log datasets from supercomputing clusters and presents a statistical analysis of these datasets. We also show a correlation between these attributes and the runtime performance.
  • Thumbnail Image
    Empirical Analysis of User Passwords across Online Services
    Wang, Chun (Virginia Tech, 2018-06-05)
    Leaked passwords from data breaches can pose a serious threat if users reuse or slightly modify the passwords for other services. With more and more online services getting breached today, there is still a lack of large-scale quantitative understanding of the risks of password reuse and modification. In this project, we perform the first large-scale empirical analysis of password reuse and modification patterns using a ground-truth dataset of 28.8 million users and their 61.5 million passwords in 107 services over 8 years. We find that password reuse and modification is a very common behavior (observed on 52% of the users). More surprisingly, sensitive online services such as shopping websites and email services received the most reused and modified passwords. We also observe that users would still reuse the already-leaked passwords for other online services for years after the initial data breach. Finally, to quantify the security risks, we develop a new training-based guessing algorithm. Extensive evaluations show that more than 16 million password pairs (30% of the modified passwords and all the reused passwords) can be cracked within just 10 guesses. We argue that more proactive mechanisms are needed to protect user accounts after major data breaches.
  • Thumbnail Image
    Enhancing Security and Privacy in Head-Mounted Augmented Reality Systems Using Eye Gaze
    Corbett, Matthew (Virginia Tech, 2024-04-22)
    Augmented Reality (AR) devices are set apart from other mobile devices by the immersive experience they offer. Specifically, head-mounted AR devices can accurately sense and understand their environment through an increasingly powerful array of sensors such as cameras, depth sensors, eye gaze trackers, microphones, and inertial sensors. The ability of these devices to collect this information presents both challenges and opportunities to improve existing security and privacy techniques in this domain. Specifically, eye gaze tracking is a ready-made capability to analyze user intent, emotions, and vulnerability, and as an input mechanism. However, modern AR devices lack systems to address their unique security and privacy issues. Problems such as lacking local pairing mechanisms usable while immersed in AR environments, bystander privacy protections, and the increased vulnerability to shoulder surfing while wearing AR devices all lack viable solutions. In this dissertation, I explore how readily available eye gaze sensor data can be used to improve existing methods for assuring information security and protecting the privacy of those near the device. My research has presented three new systems, BystandAR, ShouldAR, and GazePair that each leverage user eye gaze to improve security and privacy expectations in or with Augmented Reality. As these devices grow in power and number, such solutions are necessary to prevent perception failures that hindered earlier devices. The work in this dissertation is presented in the hope that these solutions can improve and expedite the adoption of these powerful and useful devices.
  • Thumbnail Image
    Exploring Cyber Ranges in Cybersecurity Education
    Beauchamp, Cheryl Lynn (Virginia Tech, 2022-04-01)
    According to a report from McAfee, the global cost of cybercrime for 2020 was over one trillion dollars (Smith, Z. et al., 2020). Cybersecurity breaches and attacks have not only cost businesses and organizations millions of dollars but have also threatened national security and critical infrastructure. Examples include the Ransomware attack in May of 2021 on the largest fuel pipeline in the United States and the February 2021 remote access system breach of a Florida water treatment facility which raised sodium hydroxide to a lethal level. Improving cybersecurity requires a skilled workforce with relevant knowledge and skills. Academic degree programs, boot camps, and various certification programs provide education and training to assist this need. Cyber ranges are a more recent development to provide hands-on skill training. These ranges, often virtual, provide a safe and accessible environment to improve practical skills and experience through hands-on application. They provide a training environment to identify threats, apply countermeasures, and secure data from risks separately from the organization's actual network. More and more academic programs utilize cyber ranges due to the perceived benefit of integrating them into their cybersecurity-related programs. Academic cyber ranges offer virtualized environments that support cybersecurity educators' needs to provide students with a safe, separated, and engaging environment. The purpose of my research has two components: 1) to understand who the educators are using academic-facing cyber ranges and how they are using them to support their cybersecurity education efforts, and 2) to understand how cybersecurity educators and students are motivated by using them. Specifically, my research is comprised of three manuscripts: (1) a mixed-method exploratory study of who are the educators using cyber ranges for cybersecurity education and how they are using them to create significant cybersecurity learning experiences, (2) a mixed-method study exploring the motivation of educators using a cyber range for cybersecurity education, and (3) a mixed-method study exploring student motivation participating in cybersecurity CTF competitions. The three manuscripts contribute to understanding cyber ranges in cybersecurity education. The results from my research provided insight from the users of these cyber ranges, cybersecurity educators and students. Results from my first manuscript suggested that high school cybersecurity educators are the primary users. These educators have less formal cybersecurity education and experience compared to cybersecurity educators in higher education. The data also showed that cybersecurity educators primarily used cyber ranges for teaching and learning to meet learning goals and objectives. Results from my second manuscript suggested that educators were motivated mainly by the importance of using a cyber range for cybersecurity education and for the interest-enjoyment their students experience from cyber range usage. Educators found using the cyber range made their class more engaging and relevant to their students.These educators were also confident they could use a cyber range and learn how to use it. However, those without prior experience in cybersecurity or previous experience using a cyber range shared they needed instructor-facing resources, professional development opportunities, and time to learn. Results from my third manuscript suggested that students were motivated by the importance of participating in a cybersecurity CTF competition. Many reported that participating was useful for developing professional skills and readiness. Although CTF competitions were considered difficult and stressful, students did not consider the difficulty pejorative. Many shared that challenging CTFs contributed towards the enjoyment of participating, making them a rewarding and worthwhile experience. However, students also shared that academic and team support contributed towards their confidence in competing. In contrast, those who did not report confidence, stated they lacked a team strategy or support from their academic institution. Additionally, they did not know what to expect to prepare before the competition event. Overall, the results of this dissertation highlight the importance of prior preparation for educators and student CTF participants. For educators, this prior preparation includes curriculum supporting resources such as content mapping to learning objectives and professional development opportunities that do not assume any prior knowledge or experience. For students, prior preparation includes understanding what to expect and recommendations for academic and team support.
  • Thumbnail Image
    HyperSpace: Data-Value Integrity for Securing Software
    Yom, Jinwoo (Virginia Tech, 2020-05-19)
    Most modern software attacks are rooted in memory corruption vulnerabilities. They redirect security-sensitive data values (e.g., return address, function pointer, and heap metadata) to an unintended value. Current state-of-the-art policies, such as Data-Flow Integrity (DFI) and Control-Flow Integrity (CFI), are effective but often struggle to balance precision, generality, and runtime overhead. In this thesis, we propose Data-Value Integrity (DVI), a new defense policy that enforces the integrity of "data value" for security-sensitive control and non-control data. DVI breaks an essential step of memory corruption based attacks by asserting the compromised security-sensitive data value. To show the efficacy of DVI, we present HyperSpace, a prototype that enforces DVI to provide four representative security mechanisms. These include Code Pointer Separation (DVI-CPS) and Code Pointer Integrity (DVI-CPI) based on HyperSpace. We evaluate HyperSpace with SPEC CPU2006 and real-world servers. We also test HyperSpace against memory corruption based attacks, including three real-world exploits and six attacks that bypass existing defenses. Our evaluation shows that HyperSpace successfully detects all attacks and introduces low runtime performance and memory overhead: 1.02% and 6.35% performance overhead for DVI-CPS and DVI-CPI, respectively, and overall approximately 15% memory overhead.
  • Thumbnail Image
    Implementing Differential Privacy for Privacy Preserving Trajectory Data Publication in Large-Scale Wireless Networks
    Stroud, Caleb Zachary (Virginia Tech, 2018-08-14)
    Wireless networks collect vast amounts of log data concerning usage of the network. This data aids in informing operational needs related to performance, maintenance, etc., but it is also useful for outside researchers in analyzing network operation and user trends. Releasing such information to these outside researchers poses a threat to privacy of users. The dueling need for utility and privacy must be addressed. This thesis studies the concept of differential privacy for fulfillment of these goals of releasing high utility data to researchers while maintaining user privacy. The focus is specifically on physical user trajectories in authentication manager log data since this is a rich type of data that is useful for trend analysis. Authentication manager log data is produced when devices connect to physical access points (APs) and trajectories are sequences of these spatiotemporal connections from one AP to another for the same device. The fulfillment of this goal is pursued with a variable length n-gram model that creates a synthetic database which can be easily ingested by researchers. We found that there are shortcomings to the algorithm chosen in specific application to the data chosen, but differential privacy itself can still be used to release sanitized datasets while maintaining utility if the data has a low sparsity.
  • Thumbnail Image
    MARCS: Mobile Augmented Reality for Cybersecurity
    Mattina, Brendan Casey (Virginia Tech, 2017-06-19)
    Network analysts have long used two-dimensional security visualizations to make sense of network data. As networks grow larger and more complex, two-dimensional visualizations become more convoluted, potentially compromising user situational awareness of cyber threats. To combat this problem, augmented reality (AR) can be employed to visualize data within a cyber-physical context to restore user perception and improve comprehension; thereby, enhancing cyber situational awareness. Multiple generations of prototypes, known collectively as Mobile Augmented Reality for Cyber Security, or MARCS, were developed to study the impact of AR on cyber situational awareness. First generation prototypes were subjected to a formative pilot study of 44 participants, to generate user-centric performance data and feedback, which motivated the design and development of second generation prototypes and provided initial insight into the potentially beneficial impact of AR on cyber situational awareness. Second generation prototypes were subjected to a summative secondary study by 50 participants, to compare the impact of AR and non-AR visualizations on cyber situational awareness. Results of the secondary study suggest that employing AR to visualize cyber threats in a cyber-physical context collectively improves user threat perception and comprehension, indicating that, in some cases, AR security visualizations improve user cyber situational awareness over non-AR security visualizations.
  • Thumbnail Image
    Privacy Preserving Network Security Data Analytics
    DeYoung, Mark E. (Virginia Tech, 2018-04-24)
    The problem of revealing accurate statistics about a population while maintaining privacy of individuals is extensively studied in several related disciplines. Statisticians, information security experts, and computational theory researchers, to name a few, have produced extensive bodies of work regarding privacy preservation. Still the need to improve our ability to control the dissemination of potentially private information is driven home by an incessant rhythm of data breaches, data leaks, and privacy exposure. History has shown that both public and private sector organizations are not immune to loss of control over data due to lax handling, incidental leakage, or adversarial breaches. Prudent organizations should consider the sensitive nature of network security data and network operations performance data recorded as logged events. These logged events often contain data elements that are directly correlated with sensitive information about people and their activities -- often at the same level of detail as sensor data. Privacy preserving data publication has the potential to support reproducibility and exploration of new analytic techniques for network security. Providing sanitized data sets de-couples privacy protection efforts from analytic research. De-coupling privacy protections from analytical capabilities enables specialists to tease out the information and knowledge hidden in high dimensional data, while, at the same time, providing some degree of assurance that people's private information is not exposed unnecessarily. In this research we propose methods that support a risk based approach to privacy preserving data publication for network security data. Our main research objective is the design and implementation of technical methods to support the appropriate release of network security data so it can be utilized to develop new analytic methods in an ethical manner. Our intent is to produce a database which holds network security data representative of a contextualized network and people's interaction with the network mid-points and end-points without the problems of identifiability.
  • Thumbnail Image
    Privacy Preserving Network Security Data Analytics: Architectures and System Design
    DeYoung, Mark E.; Kobezak, Philip; Raymond, David Richard; Marchany, Randolph C.; Tront, Joseph G. (University of Hawaii at Manoa, 2018-01-03)
    An incessant rhythm of data breaches, data leaks, and privacy exposure highlights the need to improve control over potentially sensitive data. History has shown that neither public nor private sector organizations are immune. Lax data handling, incidental leakage, and adversarial breaches are all contributing factors. Prudent organizations should consider the sensitive nature of network security data. Logged events often contain data elements that are directly correlated with sensitive information about people and their activities -- often at the same level of detail as sensor data. Our intent is to produce a database which holds network security data representative of people's interaction with the network mid-points and end-points without the problems of identifiability. In this paper we discuss architectures and propose a system design that supports a risk based approach to privacy preserving data publication of network security data that enables network security data analytics research.
  • Thumbnail Image
    Securing the Public Cloud: Host-Obscure Computing with Secure Enclaves
    Cain, Chandler Lee (Virginia Tech, 2021-01-12)
    As the practice of renting remote computing resources from a cloud computing platform becomes increasingly popular, the security of such systems is a subject of continued scrutiny. This thesis explores the current state of cloud computing security along with critical components of the cloud computing model. It identifies the need to trust a third party with sensitive information as a substantial obstacle for cloud computing customers. It then proposes a new model, Host-Obscure Computing, for a cloud computing service using secure enclaves and encryption that allows a customer to execute code remotely without exposing sensitive information, including program flow control logic. It presents a proof of concept for a secure cloud computing service using confidential computing technology, cryptography, and an emulator that runs in a secure memory space. It then provides an analysis of its effectiveness at reducing data exposure and its performance impact. Finally, it analyzes this model's advantages and its potential impact on the cloud computing industry.
  • Thumbnail Image
    Spark on the ARC - Big data analytics frameworks on HPC clusters
    DeYoung, Mark E.; Salman, Mohammed; Bedi, Himanshu; Raymond, David Richard; Tront, Joseph G. (ACM, 2017-07)
    In this paper we document our approach to overcoming service discovery and configuration of Apache Hadoop and Spark frameworks with dynamic resource allocations in a batch oriented Advanced Research Computing (ARC) High Performance Computing (HPC) environment. ARC efforts have produced a wide variety of HPC architectures. A common HPC architectural pattern is multi-node compute clusters with low-latency, high-performance interconnect fabrics and shared central storage. This pattern enables processing of workloads with high data co-dependency, frequently solved with message passing interface (MPI) programming models, and then executed as batch jobs. Unfortunately, many HPC programming paradigms are not well suited to big data workloads which are often easily separable. Our approach lowers barriers of entry to HPC environments by enabling end users to utilize Apache Hadoop and Spark frameworks that support big data oriented programming paradigms appropriate for separable workloads in batch oriented HPC environments.
  • Thumbnail Image
    Towards Improving Endurance and Performance in Flash Storage Clusters
    Salman, Mohammed (Virginia Tech, 2017-06-22)
    NAND flash-based Solid State Devices (SSDs) provide high performance and energy efficiency and at the same time their capacity continues to grow at an unprecedented rate. As a result, SSDs are increasingly being used in high end computing systems such as supercomputing clusters. However, one of the biggest impediments to large scale deployments is the limited erase cycles in flash devices. The natural skewness in I/O workloads can results in Wear imbalance which has a significant impact on the reliability, performance as well as lifetime of the cluster. Current load balancers for storage systems are designed with a critical goal to optimize performance. Data migration techniques are used to handle wear balancing but they suffer from a huge metadata overhead and extra erasures. To overcome these problems, we propose an endurance-aware write off-loading technique (EWO) for balancing the wear across different flash-based servers with minimal extra cost. Extant wear leveling algorithms are designed for a single flash device. With the use of flash devices in enterprise server storage, the wear leveling algorithms need to take into account the variance of the wear at the cluster level. EWO exploits the out-of-place update feature of flash memory by off- loading the writes across flash servers instead of moving data across flash servers to mitigate extra-wear cost. To evenly distribute erasures to flash servers, EWO off-loads writes from the flash servers with high erase cycles to the ones with low erase cycles by first quantitatively calculating the amount of writes based on the frequency of garbage collection. To reduce metadata overhead caused by write off-loading, EWO employs a hot-slice off-loading policy to explore the trade-offs between extra-wear cost and metadata overhead. Evaluation on a 50 to 200 node SSD cluster shows that EWO outperforms data migration based wear balancing techniques, reducing up to 70% aggregate extra erase cycles while improving the write performance by up to 20% compared to data migration.