I am a computer networking and security researcher. I have previously explored software-defined networking security, techniques related to network function virtualization, online deception detection, particularly phishing, and automated attacks, such as SQL injection attacks. I also explored the concentration of malicious networks and threats from USB devices.
I am interested in pursuing Internet-scale measurements to help secure networks and identify opportunities to help Internet users. I am also interested in cloud computing and distributed systems.
- Douglas C. MacFarland, Craig A. Shue, Andrew J. Kalafut, "The Best Bang for the Byte: Characterizing the Potential of DNS Amplification Attacks," Elsevier Computer Networks (COMNET) Journal, Volume 116, Issue C, pages 12-21, April 2017.
DNS amplification has been instrumental in over 34% of high-volume network DDoS attacks, with some floods exceeding 300Gbps. Today's best practices require Internet-wide cooperation and have been unable to prevent these attacks. In this work, we investigate whether these best practices can eliminate DNS amplification attacks and characterize what threats remain. In particular, we study roughly 130 million DNS domains and their associated servers to determine the DNS amplification potential associated with each. We find attackers can easily use these servers to create crippling floods and that few servers employ any protection measures to deter attackers.
- Craig A. Shue, Andrew J. Kalafut. "Resolvers Revealed: Characterizing DNS Resolvers and their Clients," ACM/IEEE Transactions on Internet Technology, vol. 12, issue 4, July 2013.
The Domain Name System (DNS) allows clients to use resolvers, sometimes called DNS caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the authoritative servers as an access control mechanism. However, while prior work has examined the DNS from many angles, the resolver component has received little scrutiny. Essential factors for using a resolver in an access control system, such as whether a resolver is part of an ISP's infrastructure or running on an end-user's system, have not been examined. In this study, we examine DNS resolver behavior and usage, from query patterns and reactions to non-standard responses to passive association techniques to pair resolvers with their client hosts. In doing so, we discover evidence of security protocol support, misconfigured resolvers, techniques to fingerprint resolvers, and features for detecting automated clients. These measurements can influence the implementation and design of these resolvers and DNS-based access control systems.
- Craig A. Shue, Andrew J. Kalafut, Mark Allman, Curtis R. Taylor, "On Building Inexpensive Network Capabilities," ACM SIGCOMM Computer Communication Review, April 2012.
There are many deployed approaches for blocking unwanted traffic, either once it reaches the recipient's network, or closer to its point of origin. One of these schemes is based on the notion of traffic carrying capabilities that grant access to a network and/or end host. However, leveraging capabilities results in added complexity and additional steps in the communication process: Before communication starts a remote host must be vetted and given a capability to use in the subsequent communication. In this paper, we propose a lightweight mechanism that turns the answers provided by DNS name resolution---which Internet communication broadly depends on anyway---into capabilities. While not achieving an ideal capability system, we show the mechanism can be built from commodity technology and is therefore a pragmatic way to gain some of the key benefits of capabilities without requiring new infrastructure.
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "Abnormally Malicious Autonomous Systems and their Internet Connectivity," IEEE/ACM Transactions on Networking, vol. 20, issue 1, pages 220-229, February 2012.
While many attacks are distributed across botnets, investigators and network operators have recently identified malicious networks through high profile autonomous system (AS) de-peerings and network shut-downs. In this paper, we explore whether some ASes indeed are safe havens for malicious activity. We look for ISPs and ASes that exhibit disproportionately high malicious behavior using ten popular blacklists, plus local spam data, and extensive DNS resolutions based on the contents of the blacklists. We find that some ASes have over 80% of their routable IP address space blacklisted. Yet others account for large fractions of blacklisted IP addresses. Several ASes regularly peer with ASes associated with significant malicious activity. We also find that malicious ASes as a whole differ from benign ones in other properties not obviously related to their malicious activities, such as more frequent connectivity changes with their BGP peers. Overall, we conclude that examining malicious activity at AS granularity can unearth networks with lax security or those that harbor cybercrime.
- Andrew J. Kalafut, Craig A. Shue, Minaxi Gupta, "Touring DNS Open Houses for Trends and Configurations," IEEE/ACM Transactions on Networking, vol. 19, issue 6, pages 1666-1675, December 2011.
DNS is a critical component of the Internet. It maps domain names to IP addresses and serves as a distributed database for various other applications, including mail, Web, and spam filtering. This paper examines DNS zones in the Internet for diversity, adoption rates of new technologies, and prevalence of configuration issues. To gather data, we sweep 60% of the Internet's domains in June-August 2007 for zone transfers. 6.6% of them allow us to transfer their complete information. Surprisingly, this includes a large fraction of the domains deploying DNSSEC. We find that DNS zones vary significantly in size and some span many ASes. Also, while anti-spam technologies appear to be getting deployed, the adoption rates of DNSSEC and IPv6 continue to be low. Finally, we also find that carelessness in handling DNS records can lead to reduced availability of name servers, email, and Web servers. This also undermines anti-spam efforts and the efforts to shut down phishing sites or to contain malware infections.
- Craig A. Shue, Minaxi Gupta, "An Internet without the Internet Protocol," Computer Networks, vol. 54, issue 18, December 2010.
The growth of the Internet has brought about many challenges for its critical infrastructure. The DNS infrastructure, which translates mnemonic host names into IP addresses understood by the routers, is frequently the target of cache poisoning attacks. Internet routers are also experiencing alarming growth in their routing table sizes, which may soon make it impossible for them to forward packets quickly enough to meet demand. Further, concerns about IPv4 address space exhaustion loom on the horizon despite the availability of IPv6. In this paper, we take a fresh look at Internet routing and propose a scheme that addresses all of these concerns cleanly. Our scheme forgoes IP addresses entirely and instead uses host names as identifiers in packets. The scalability of routing is ensured by encapsulating these packets in highly aggregated routing locators: we use autonomous system numbers (ASNs), which are already an integral part of inter-domain routing. We present data and experiments to show that a much simpler and scalable routing infrastructure can be designed for a future Internet by using fewer identifiers for its entities.
- Craig A. Shue, Minaxi Gupta, Matthew P. Davy, "Packet Forwarding with Source Verification," Computer Networks, vol. 52, issue 8, pages 1567-1582, Jun. 2008.
Routers in the Internet do not perform any verification of the source IP address contained in the packets, leading to the possibility of IP spoofing. The lack of such verification opens the door for a variety of vulnerabilities, including denial-of-service (DoS) and man-in-the-middle attacks. Currently proposed spoofing prevention approaches either focus on protecting only the target of such attacks and not the routing fabric used to forward spoofed packets, or fail under commonly occurring situations like path asymmetry. With incremental deployability in mind, this paper presents two complementary hop-wise packet tagging approaches that equip the routers to drop spoofed packets close to their point of origin. Our simulations show that these approaches dramatically reduce the amount of spoofing possible even under partial deployment.
Conferences and Workshops
- Curtis R. Taylor, Tian Guo, Craig A. Shue, Mohamed E. Najd, "On the Feasibility of Cloud-Based SDN Controllers for Residential Networks," IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), November 2017.
Residential networks are home to increasingly diverse devices, including embedded devices that are part of the Internet of Things phenomenon, leading to new management and security challenges. However, current residential solutions that rely on customer premises equipment (CPE), which often remains deployed in homes for years without updates or maintenance, are not evolving to keep up with these emerging demands. Recently, researchers have proposed to outsource the tasks of managing and securing residential networks to cloud-based security services by leveraging software-defined networking (SDN). However, the use of cloud-based infrastructure may have performance implications.
In this paper, we measure the performance impact and perception of a residential SDN using a cloud-based controller through two measurement studies. First, we recruit 270 residential users located across the United States to measure residential latency to cloud providers. Our measurements suggest the cloud controller architecture provides 90% of end-users with acceptable performance with judiciously selected public cloud locations. When evaluating web page loading times of popular domains, which are particularly latency-sensitive, we found an increase of a few seconds at the median. However, optimizations could reduce this overhead for top websites in practice.
- Mohamed E. Najd, Craig A. Shue, "DeepContext: An OpenFlow-Compatible, Host-Based SDN for Enterprise Networks," IEEE Conference on Local Computer Networks (LCN), October 2017.
The software-defined networking (SDN) paradigm promises greater control and understanding of enterprise network activities, particularly for management applications that need awareness of network-wide behavior. However, the current focus on switch-based SDNs raises concerns about data-plane scalability, especially when using fine-grained flows. Further, these switch-centric approaches lack visibility into end-host and application behaviors, which are valuable when making access control decisions.
In recent work, we proposed a host-based SDN in which we installed software on the end-hosts and used a centralized network control to manage the flows. This improved scalability and provided application information for use in network policy. However, that approach was not compatible with OpenFlow and had provided only conservative estimates of possible network performance.
In this work, we create a high performance host-based SDN that is compatible with the OpenFlow protocol. Our approach, DeepContext, provides details about the application context to the network controller, allowing enhanced decision-making. We evaluate the performance of DeepContext, comparing it to traditional networks and Open vSwitch deployments. We further characterize the completeness of the data provided by the system and the resulting benefits.
- Curtis R. Taylor, Craig A. Shue, "Validating Security Protocols with Cloud-Based Middleboxes," IEEE Conference on Communications and Network Security (CNS), October 2016.
Residential networks pose a unique challenge for security since they are operated by end-users that may not have security expertise. Residential networks are also home to devices that may have lackluster security protections, such as Internet of Things (IoT) devices, which may introduce vulnerabilities. In this work, we introduce TLSDeputy, a middlebox-based system to protect residential networks from connections to inauthentic TLS servers. By combining the approach with OpenFlow, a popular software-defined networking protocol, we show that we can effectively provide residential network-wide protections across diverse devices with minimal performance overheads.
- Curtis R. Taylor, Craig A. Shue, Mohamed E. Najd, "Whole Home Proxies: Bringing Enterprise-Grade Security to Residential Networks," IEEE ICC Communication and Information Systems Security Symposium, May 2016.
While enterprise networks follow best practices and security measures, residential networks often lack these protections. Home networks have constrained resources and lack a dedicated IT staff that can secure and manage the network and systems. At the same time, homes must tackle the same challenges of securing heterogeneous devices when communicating to the Internet. In this work, we explore combining software-defined networking and proxies with commodity residential Internet routers. We evaluate a "whole home" proxy solution for the Skype video conferencing application to determine the viability of the approach in practice. We find that we are able to automatically detect when a device is about to use Skype and dynamically intercept all of the Skype communication and route it through a proxy while not disturbing unrelated network flows. Our approach works across multiple operating systems, form factors, and versions of Skype.
- Curtis R. Taylor, Douglas C. MacFarland, Doran R. Smestad, Craig A. Shue, "Contextual, Flow-Based Access Control with Scalable Host-based SDN Techniques," IEEE INFOCOM Conference, April 2016.
Network operators can better understand their networks when armed with a detailed understanding of the network traffic and host activities. Software-defined networking (SDN) techniques have the potential to improve enterprise security, but the current techniques have well-known data plane scalability concerns and limited visibility into the host's operating context.
In this work, we provide both detailed host-based context and fine-grained control of network flows by shifting the SDN agent functionality from the network infrastructure into the end-hosts. We allow network operators to write detailed network policy that can discriminate based on user and program information associated with network flows. In doing so, we find our approach scales far beyond the capabilities of OpenFlow switching hardware, allowing each host to create over 25 new flows per second with no practical bound on the number of established flows in the network.
- Douglas C. MacFarland, Craig A. Shue, "The SDN Shuffle: Creating a Moving-Target Defense using Host-based Software-Defined Networking," ACM CCS Workshop on Moving Target Defense (MTD), October 2015.
Moving target systems can help defenders limit the utility of reconnaissance for adversaries, hindering the effectiveness of attacks. While moving target systems are a topic of robust research, we find that prior work in network-based moving target defenses has limitations in either scalability or the ability to protect public servers accessible to unmodified clients. In this work, we present a new moving target defense using software-defined networking (SDN) that can service unmodified clients while avoiding scalability limitations. We then evaluate this approach according to seven moving-target properties and evaluate its performance. We find that the approach achieves its security goals while introducing low overheads.
- Marc Green, Douglas C. MacFarland, Doran R. Smestad, Craig A. Shue, "Characterizing Network-Based Moving Target Defenses," ACM CCS Workshop on Moving Target Defense (MTD), October 2015.
The moving target defense (MTD) strategy allows defenders to limit the effectiveness of attacker reconnaissance and exploitation. Many academic works have created MTDs in different deployment environments. However, network-based MTDs (NMTDs) share key components and properties that determine their effectiveness. In this work, we identify and define seven properties common to NMTDs which are key to ensuring the effectiveness of the approach. We then evaluate four NMTD systems using these properties and find two or more key concerns for each of the systems. This analysis shows that these properties may help guide developers of new NMTD systems by guiding the evaluation of these systems and can be used by others as a rubric to assess the strengths and limitations of each NMTD approach.
- Douglas C. MacFarland, Craig A. Shue, Andrew J. Kalafut, "Characterizing Optimal DNS Amplification Attacks and Effective Mitigation," Passive and Active Measurement Conference, 2015.
Attackers have used DNS amplification in over 34% of high-volume DDoS attacks, with some floods exceeding 300Gbps. The best current practices do not help victims during an attack; they are preventative measures that third-party organizations must employ in advance. Unfortunately, there are no incentives for these third parties to follow the recommendations. While practitioners have focused on reducing the number of open DNS resolvers, these efforts do not address the threat posed by authoritative DNS servers.
In this work, we measure and characterize the attack potential associated with DNS amplification, along with the adoption of countermeasures. We then propose and measure a mitigation strategy that organizations can employ. With the help of an upstream ISP, our strategy will allow even poorly provisioned organizations to mitigate massive DNS amplification attacks with only minor performance overheads.
- Evan J. Frenn, Craig A. Shue, "Towards Leveraging Late-Launch to Create Trustworthy Thin-Terminal Clients," ASE International Conference on Privacy, Security, Risk and Trust (PASSAT), 2014.
In computer security, there is often a disconnect between the trust placed in a device to meet a security goal and the actual ability of the device to meet these goals. In organizational environments, this disconnect may become larger as users increasingly use their personally-owned computing devices for work purposes. These users often lack IT backgrounds and do not properly secure their devices, creating greater security risks. In this work, we propose using a Trusted Platform Module (TPM) to enter a "late-launch" environment, where it will exclusively execute trusted, organization-provided code to create a thin-terminal on user devices. This thin-terminal will interact with centralized IT servers, providing useful functionality to the user while ensuring the device itself will pose no risk to the organization's security goals. We have implemented a proof-of-concept version of this environment and showed how simple text-based interactions can be performed with a trustworthy client. In doing so, we highlight the challenges and tradeoffs inherent in such an approach.
- Daniel Robertson, Craig A. Shue, Krishna K. Venkatasubramanian, Curtis R. Taylor, "Bandwidth Aggregation in Allied WiFi Routers," IEEE Globecom Management of Emerging Networks and Services (MENS) Workshop, 2014.
Residential and small business customers often have need for high instantaneous download throughput for their Internet transactions which can exceed the throughput provided by the customer's Internet Service Provider (ISP). At the same time, these peak demand periods are relatively brief and may constitute only a few hours a day. During the non-peak periods, these customers have an unused Internet capacity that could be used by others.
In this work, we propose and evaluate a bandwidth aggregation system for wireless routers. This system allows neighboring users to form bandwidth pools from the users' connections to their ISPs, allowing users to achieve aggregated instantaneous bandwidth. By transparently segmenting large Web requests, our approach avoids changes to the users' machines, ISPs, or remote servers. We implement and evaluate such a system and discuss related issues.
- Krishna K. Venkatasubramanian and Craig A. Shue, "Adaptive Information Security in Body Sensor-Actuator Networks," USENIX Summit on Health Information Technologies (HealthTech), 2014.
A Body Sensor Actuator Network (BSAN) consists of a set of sensing and actuating devices deployed on a person (user) typically for health management purposes. Securing the information exchanged within a BSAN from unauthorized tampering is essential to ensure that such systems are safe, and thus do no harm, to the people using them. Current solutions for enabling information security in BSANs impose considerable overhead on the nodes. In order to make security viable in BSANs, one needs to move away from this one-size-fits-all solution and take a more adaptive approach where the level of security provided matches the level of threat present. In this regard, we present an adaptive information security scheme for BSANs that uses honeypots to measure the current threat context, by interacting with the adversaries trying to undermine user safety. The measurements made by the honeypot can then be used to determine the appropriate balance for the tradeoff between the level of security and associated overhead at any given time. This paper provides an overview of our approach and the associated research challenges in successfully implementing it.
- Ryan Danas, Douglas Lally, Nathaniel Miller, John Synott, Craig A. Shue, Krishna K. Venkatasubramanian, "Designing User-specific Plug-n-Play into Body Area Networks," ACM MobiHoc Workshop on Pervasive Wireless Healthcare (MobileHealth), 2014.
A Body Area Network (BAN) consists of a set of sensing devices deployed on a person (user) typically for health monitoring purposes. The BAN continuously monitors various physiological and environmental parameters and typically transfers this information to a base station for processing and storage in a back-end medical cloud. Despite the incredible potential that these systems offer, their utilization is largely limited to lab settings. One of the requirements for adoption in the real-world is the ease of deployment and configuration of such systems for the users. Much work has been done in developing middleware-based solutions that enable easy application development for BANs by abstracting out the details of the devices and sensors. However, none of the current approaches extend this capability to the users of the system. What is required is the ability to provide a means to dynamically add diverse devices into the system without requiring substantial reprogramming of the device and the base station.
In this paper, we present BAN-PnP, a communication protocol for enabling devices and the base station (or middleware) to communicate effectively with minimal user involvement. The key idea of the protocol is to allow the devices in the BAN to "teach" the base station about their capabilities. By adding a few extra control messages, we are able to transform a traditional BAN into a plug-n-play BAN that is easy for the usually non-tech-savvy users of such systems to deploy. The performance analysis of the BAN-PnP protocol demonstrates that the protocol enables plug-n-play operation of BANs with an affordable increase in overhead.
- Curtis R. Taylor, Craig A. Shue, Nathanael R. Paul, "A Deployable SCADA Authentication Technique for Modern Power," IEEE International Energy Conference (ENERGYCON), 2014.
The modern power grid makes extensive use of automated data collection and control. These supervisory control and data acquisition (SCADA) systems often use communication protocols that were developed for isolated networks. However, the underlying SCADA systems often use the Internet for data transit, exposing these SCADA devices to remote, malicious adversaries. Unfortunately, these protocols are often vulnerable to impersonation attacks, and the devices can be susceptible to cryptographic key compromise. This allows adversaries to pollute the protocols with misinformation. In this paper, we propose an approach to authenticate the underlying SCADA protocols that combines a different approach to data authenticity with a hardware-protected key distribution approach. Unlike prior work, our approach does not require modification to the SCADA end-points themselves, allowing the technique to be combined with legacy devices.
- Russell C. Toris, Sonia Chernova, Craig A. Shue, "Message Authentication Codes for Secure Remote Non-Native Client Connections to ROS Enabled Robots," IEEE International Conference on Technologies for Practical Robot Applications (TePRA) 2014.
Recent work in the robotics community has led to the emergence of cloud-based solutions and remote clients. Such work allows robots to effectively distribute complex computations across multiple machines, and allows remote clients, both human and automata, to control robots across the globe. With the increasing use and importance of such ideas, it is crucial not to overlook the critical issue of security in these systems. In this work, we discuss the use of web tokens for achieving secure authentication for remote, non-native clients in the widely-used Robot Operating System (ROS) middleware. Written in a system-independent manner, we demonstrate its use with an application for securing clients within the popular rosbridge protocol.
- Curtis R. Taylor, Krishna K. Venkatasubramanian, Craig A. Shue, "Understanding the Security of Interoperable Medical Devices using Attack Graphs," ACM International Conference on High Confidence Networked Systems (HiCoNS), Apr. 2014.
Medical device interoperability is an increasingly prevalent example of how computing and information technology will revolutionize and streamline medical care. The overarching goal of interoperable medical devices (IMDs) is increased safety, usability, decision support, and a decrease in false alarms and clinician cognitive workload. One aspect that has not been considered thus far is ensuring IMDs do not inadvertently harm patients in the presence of malicious adversaries. Security for medical devices has gained some traction in the recent years following some well-publicized attacks on individual devices, such as pacemakers and insulin pumps. This has resulted in solutions being proposed for securing these devices, usually in stand-alone mode. However, the introduction of interoperability makes medical devices increasingly connected and dependent on each other. Therefore, security attacks on IMDs become easier to mount, and in a stealthy manner.
This work outlines our effort in understanding the threats faced by IMDs, an important first step in eventually designing secure interoperability architectures. In this regard, we present: (1) a detailed attack graph-based analysis of threats on a specific interoperability environment based on providing patients pain medication (PCA) under various levels of interoperability from data aggregation to fully closed-loop control, (2) a description of the mitigation approaches possible for each class of attack vectors identified, and (3) lessons learned from this experience which can be leveraged for improving existing IMD architectures. Our analysis demonstrates that even if we use provably safe medical systems in an interoperable setting with a safe interoperability engine, the presence of malicious behavior may render the entire setup unsafe for the patients.
- Craig A. Shue, Nathanael R. Paul, Curtis R. Taylor, "From an IP Address to a Street Address: Using Wireless Signals to Locate a Target," USENIX Workshop on Offensive Technologies (WOOT), Aug. 2013.
How quickly can somebody convert an IP address of a target into a real-world street address? Law enforcement regularly has need to determine a suspect's exact location when investigating crimes on the Internet. They first use geolocation software and databases to determine the suspect's rough location. Recent research has been able to scope a targeted IP address to within a 690m (0.43 mile) radius circle, which is enough to determine the relevant law enforcement department that has jurisdiction. Unfortunately, investigators face a "last half mile" problem: their only mechanism to determine the exact address of the suspect is to subpoena the suspect's Internet Service Provider, a process that can take weeks. Instead, law enforcement would rather locate the suspect within the hour with the hope of catching the suspect while the crime is still on-going, which leads to stronger evidence and straightforward prosecution.
Given these time constraints, we investigate how quickly an adversary can locate a target without any special law enforcement powers. Instead, we leverage the use of ubiquitous wireless networks and a mobile physical observer that performs wireless monitoring (akin to "wardriving," which seeks to search for wireless networks). We develop an approach that allows an adversary to send traffic to the target's address that can be detected by the observer, even if wireless encryption is in use.
We evaluated the approach in two common real-world settings. In one of these, a residential neighborhood, we used a single-blind trial in which an observer located a target network to within three houses in less than 40 minutes (with potential for more exact results using hardware such as directional antennas). This approach had only a 0.38% false positive rate, despite 24,000 observed unrelated packets and many unrelated networks. These results show significant promise for the geolocation strategy and demonstrate that adversaries with multiple potential observation points, such as law enforcement personnel, could quickly locate a target.
- David Muchene, Klevis Luli, Craig A. Shue, "Reporting Attacks via a Covert Ethernet Channel," IEEE S&P Workshop on Research for Insider Threat (WRIT), May 2013. This paper received the Best Paper Award at WRIT.
Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computer systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block.
In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packets and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers to detect and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization.
We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.
- Erik M. Ferragut, David M. Darmon, Craig A. Shue, Stephen J. Kelley, "Automatic Construction of Anomaly Detectors from Graphical Models," IEEE Symposium on Computational Intelligence in Cyber Security (SSCI), Apr. 2011.
[ Abstract ] [ Full Paper ]Detection of rare or previously unseen attacks in cyber security presents a central challenge: how does one search for a sufficiently wide variety of types of anomalies and yet allow the process to scale to increasingly complex data? In particular, creating each anomaly detector manually and training each one separately presents untenable strains on both human and computer resources. In this paper we propose a systematic method for constructing a potentially very large number of complementary anomaly detectors from a single probabilistic model of the data. Only one model needs to be trained, but numerous detectors can then be implemented. This approach promises to scale better than manual methods to the complex heterogeneity of real-life data. As an example, we develop a Latent Dirichlet Allocation probability model of TCP connections entering Oak Ridge National Laboratory. We show that several detectors can be automatically constructed from the model and will provide anomaly detection at flow, sub-flow, and host (both server and client) levels. This demonstrates how the fundamental connection between anomaly detection and probabilistic modeling can be exploited to develop more robust operational solutions.
- Craig A. Shue, Brent J. Lagesse, "Embracing the Cloud for Better Cyber Security," IEEE International Workshop on Middleware and System Support for Pervasive Computing (PERWARE), Mar. 2011.
[ Abstract ] [ Full Paper ]The future of cyber security is inextricably tied to the future of computing. Organizational needs and economic factors will drive computing outcomes. Cyber security researchers and practitioners must recognize the path of computing evolution and position themselves to influence the process to incorporate security as an inherent property.
The best way to predict future computing trends is to look at recent developments and their motivations. Organizations are moving towards outsourcing their data storage, computation, and even user desktop environments. This trend toward cloud computing has a direct impact on cyber security: rather than securing user machines, preventing malware access, and managing removable media, a cloud-based security scheme must focus on enabling secure communication with remote systems. This change in approach will have profound implications for cyber security research efforts.
In this work, we highlight existing and emerging technologies and the limitations of cloud computing systems. We then discuss the cyber security efforts that would support these applications. Finally, we discuss the implications of these computing architecture changes, in particular with respect to malware and social engineering.
- Craig A. Shue, Erik M. Ferragut, "Dead Phish: An Examination of Deactivated Phishing Sites," Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEAS), Jul. 2010.
[ Abstract ] [ Full Paper ]Efforts to combat phishing and fraud online often center around filtering the phishing messages and disabling phishing Web sites to prevent users from being deceived. Two potential approaches to disabling a phishing site are (1) to eliminate the required DNS records to reach the site and (2) to remove the site from the machine itself. While previous work has focused on DNS take-down efforts, we focus on determining how long a phishing site remains on a machine after the DNS records have been removed. We find that on the day a site is reported, as many as 56% of phishing sites remain present on the hosting machines even after the DNS records have been removed. While many of these sites are removed within a few days, the DNS caching behavior at ISP resolvers may preserve the phishing site accessibility until the phishing site itself is completely removed.
- Andrew J. Kalafut, Craig A. Shue, Minaxi Gupta, "Malicious Hubs: Detecting Abnormally Malicious Autonomous Systems," IEEE INFOCOM mini-conference, Mar. 2010.
[ Abstract ] [ Full Paper ]While many attacks are distributed across botnets, investigators and network operators have recently targeted malicious networks through high profile autonomous system (AS) de-peerings and network shut-downs. In this paper, we explore whether some ASes indeed are safe havens for malicious activity. We look for ISPs and ASes that exhibit disproportionately high malicious behavior using 12 popular blacklists. We find that some ASes have over 80% of their routable IP address space blacklisted and others account for large fractions of blacklisted IPs. Overall, we conclude that examining malicious activity at the AS granularity can unearth networks with lax security or those that harbor cybercrime.
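The two per-AS measures the abstract reports, the fraction of an AS's routable space that is blacklisted and the AS's share of all blacklisted addresses, can be computed as below. This is an added example rather than the paper's measurement code; the ASNs (from the private range), prefixes (documentation ranges) and blacklist are constructed, and the blacklist would in practice be the union of the feeds being compared. It attributes each address by longest-prefix match and collapses overlapping announcements so that an AS announcing both a /25 and a /26 inside it is not credited with address space twice.

```python
import ipaddress
from collections import defaultdict

# Added example, not the paper's code. Input: announced prefixes per ASN and a
# list of blacklisted IPs. Output: per-AS blacklisted count, routable address
# count, fraction of space blacklisted, share of the whole blacklist; plus the
# blacklisted addresses no announced prefix covers. IPv4-only sample data; mixing
# address families in one AS would make collapse_addresses raise TypeError.


def blacklist_concentration(as_prefixes, blacklisted_ips):
    # Longest-prefix match: sort candidate networks most-specific first.
    table = sorted(
        ((ipaddress.ip_network(p, strict=False), asn)
         for asn, prefixes in as_prefixes.items() for p in prefixes),
        key=lambda entry: entry[0].prefixlen, reverse=True)

    hits = defaultdict(set)
    unattributed = set()
    for raw in blacklisted_ips:
        addr = ipaddress.ip_address(raw)
        for net, asn in table:
            if addr in net:
                hits[asn].add(addr)
                break
        else:
            unattributed.add(addr)

    total_blacklisted = len({ipaddress.ip_address(x) for x in blacklisted_ips})
    report = {}
    for asn, prefixes in as_prefixes.items():
        nets = (ipaddress.ip_network(p, strict=False) for p in prefixes)
        routable = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        bad = len(hits[asn])
        report[asn] = {
            "blacklisted": bad,
            "routable": routable,
            "fraction_of_space": bad / routable if routable else 0.0,
            "share_of_blacklist": bad / total_blacklisted if total_blacklisted else 0.0,
        }
    return report, unattributed


# Constructed sample: AS64502 announces a more specific prefix inside AS64501's /24.
SAMPLE_AS_PREFIXES = {
    64500: ["192.0.2.0/25", "192.0.2.0/26"],
    64501: ["198.51.100.0/24"],
    64502: ["198.51.100.128/25"],
}
SAMPLE_BLACKLIST = (["192.0.2.%d" % i for i in range(110)]
                    + ["198.51.100.5", "198.51.100.250", "203.0.113.7"])


def flag_abnormal(report, min_fraction=0.5):
    """ASNs whose blacklisted fraction of routable space exceeds the threshold."""
    return sorted(asn for asn, r in report.items() if r["fraction_of_space"] > min_fraction)
```

With the sample data AS64500 has 110 of 128 addresses blacklisted, AS64501 only one of 256 because the more specific /25 takes 198.51.100.250 away from it, and 203.0.113.7 is reported as unattributed rather than silently dropped.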
- Craig A. Shue, Minaxi Gupta, "Hiding in Plain Sight: Exploiting Broadcast for Practical Host Anonymity," Hawaii International Conference on System Sciences (HICSS), Jan. 2010.
[ Abstract ] [ Full Paper ]Users are being tracked on the Internet more than ever before as Web sites and search engines gather pieces of information sufficient to identify and study their behavior. While many existing schemes provide strong anonymity, they are inappropriate when high bandwidth and low latency are required. In this work, we explore an anonymity scheme for end hosts whose performance makes it possible to have it always on. The scheme leverages the natural grouping of hosts in the same subnet and the universally available broadcast primitive to provide anonymity at line speeds. Our scheme is strongly resistant against all active or passive adversaries as long as they are outside the subnet. Even within the subnet, our scheme provides reasonable resistance against adversaries, providing anonymity that is suitable for common Internet applications.
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "A Unified Approach to Intra-Domain Security," IEEE International Symposium on Secure Computing (SecureCom), Aug. 2009.
[ Abstract ] [ Full Paper ]While a variety of mechanisms have been developed for securing individual intra-domain protocols, none address the issue in a holistic manner. In this work, we develop a unified framework to secure prominent networking protocols within a single domain. We begin with a secure version of the DHCP protocol, which has the additional feature of providing each host with a certificate. We then leverage these certificates to secure ARP, prevent spoofing within the domain, and secure SSH and VPN connections between the domain and hosts which have previously interacted with it locally. In doing so, we also develop an incrementally deployable public key infrastructure which can later be leveraged to support inter-domain authentication.
- Craig A. Shue, Minaxi Gupta, John J. Lubia, Chin Hua Kong, and Asim Yuksel, "Spamology: A Study of Spam Origins," Conference on Email and Anti Spam (CEAS), 2009.
[ Abstract ] [ Full Paper ]The rise of spam in the last decade has been staggering, with the rate of spam exceeding that of legitimate email. While conjectures exist on how spammers gain access to email addresses to spam, most work in the area of spam containment has either focused on better spam filtering methodologies or on understanding the botnets commonly used to send spam. In this paper, we aim to understand the origins of spam. We post dedicated email addresses to record how and where spammers go to obtain email addresses. We find that posting an email address on public Web pages yields immediate and high-volume spam. Surprisingly, even simple email obfuscation approaches are still sufficient today to prevent spammers from harvesting emails. We also find that attempts to find open relays continue to be popular among spammers. The insights we gain on the use of Web crawlers used to harvest email addresses and the commonalities of techniques used by spammers open the door for radically different follow-up work on spam containment and even systematic enforcement of spam legislation at a large scale.
- Craig A. Shue, Minaxi Gupta, "Sensitive Data Requests: Do Sites Ask Correctly?," IEEE International Conference on Communications (ICC), June 2009.
[ Abstract ] [ Full Paper ]To ensure the security of sensitive Web content, an organization must use TLS and do so correctly. However, little is known about how TLS is actually used on the Web. In this work, we perform large-scale Internet-wide measurements to determine if Web sites use TLS when needed and when they do, if they use it correctly. We find hundreds of thousands of pages where TLS is either not used when it should be or is used improperly, putting sensitive data at risk.
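A minimal version of the "used when needed" check is shown below as an added example; it is not the paper's measurement harness. Given a page's URL and its HTML, it finds forms containing a password field or a field whose name suggests payment or identity data, resolves each form's action against the page URL, and flags two failure modes: the form posts over plaintext HTTP, or it posts over HTTPS from a page that was itself served over HTTP, where an attacker on the path can rewrite the action before the user ever reaches TLS. The sensitive-field name hints and the sample page are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example, not the paper's code. SENSITIVE_NAME_HINTS is an assumed list.
SENSITIVE_NAME_HINTS = ("passw", "card", "cvv", "ssn", "account")


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it contains a sensitive input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "sensitive": False}
        elif tag == "input" and self._current is not None:
            field_type = a.get("type", "text").lower()
            name = a.get("name", "").lower()
            if field_type == "password" or any(h in name for h in SENSITIVE_NAME_HINTS):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def close(self):
        super().close()
        if self._current is not None:      # unterminated <form> still counts
            self.forms.append(self._current)
            self._current = None


def audit_sensitive_forms(page_url: str, html: str):
    """Return (target_url, finding) for each sensitive form not protected end to end."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        target = urljoin(page_url, form["action"])   # relative and scheme-relative actions resolve here
        if urlsplit(target).scheme != "https":
            findings.append((target, "sensitive data posted over plaintext HTTP"))
        elif not page_is_https:
            findings.append((target, "HTTPS action on a page served over HTTP"))
    return findings


# Constructed sample page: one login form, one harmless search form, one payment form.
SAMPLE_PAGE_URL = "http://www.example.com/signin"
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
<form action="https://pay.example.com/charge" method="post">
  <input type="text" name="cardnumber">
</form>
"""
```

Because urljoin resolves a scheme-relative action such as "//pay.example.com/charge" with the page's scheme, such an action on an HTTP page is correctly reported as plaintext rather than HTTPS.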
- Andrew J. Kalafut, Craig A. Shue, Minaxi Gupta, "Understanding the Implications of DNS Server Provisioning," ACM/USENIX Internet Measurement Conference (IMC), 2008.
[ Abstract ] [ Full Paper ]The DNS is a critical component of the Internet. This paper takes a comprehensive look at the provisioning of Internet domains and its impact on the availability of various services. To gather data, we sweep 60% of the Internet's domains for zone transfers. 6.6% of them allow us to transfer their complete information. We find that carelessness in handling DNS records can lead to reduced availability of name servers, email, and Web servers. It also undermines anti-spam efforts and the efforts to shut down phishing sites or to contain malware infections.
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "Exploitable Redirects on the Web: Identification, Prevalence, and Defense," USENIX Workshop on Offensive Technologies (WOOT), Jul. 2008.
[ Abstract ] [ Full Paper ]Web sites on the Internet often use redirection. Unfortunately, without additional security, many of the redirection links can be manipulated and abused to mask phishing attacks. In this paper, we prescribe a set of heuristics to identify redirects that can be exploited. Using these heuristics, we examine the prevalence of exploitable redirects present in today's Web. Finally, we propose techniques for Web servers to secure their redirects and for clients to protect themselves from being misled by manipulated redirects.
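Both halves of the problem, spotting a candidate exploitable redirect in a link and refusing off-site targets on the server, are illustrated below. This is an added example and does not reproduce the paper's heuristics or proposed defenses: the parameter-name hints, the trusted-host allowlist and the test URLs are assumptions. The validator accepts only a same-site absolute path or an https URL whose parsed host is on the allowlist, and it covers the usual bypasses: scheme-relative "//evil", backslash variants that browsers read as "//", userinfo tricks like "https://trusted@evil/", percent-encoding, non-http schemes and CRLF in the value.

```python
from urllib.parse import parse_qsl, unquote, urlsplit, urlunsplit

# Added example, not the paper's code. REDIRECT_NAME_HINTS is an assumed list.
REDIRECT_NAME_HINTS = ("url", "redir", "next", "return", "goto", "dest", "target", "continue")


def find_redirect_params(url: str):
    """Heuristic scan of a link: report (name, value, reason) for parameters whose
    value is an absolute URL, or whose name suggests a redirect and whose value is a path."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        v = unquote(value)
        name_hint = any(h in name.lower() for h in REDIRECT_NAME_HINTS)
        if v.startswith(("http://", "https://", "//")) or "://" in v:
            hits.append((name, v, "absolute URL in parameter"))
        elif name_hint and v.startswith("/"):
            hits.append((name, v, "redirect-like name with path value"))
    return hits


def safe_redirect_target(value: str, trusted_hosts, default: str = "/") -> str:
    """Server side: return a redirect target that is either a same-site absolute path
    or an https URL to an allowlisted host; anything else falls back to `default`."""
    candidate = unquote(value).strip()
    if not candidate or any(c in candidate for c in "\r\n\x00"):
        return default                      # empty, or Location header injection characters
    # Browsers accept backslashes where slashes go ("/\\evil.test"), so normalise
    # before parsing; a netloc appearing afterwards means the path was really a host.
    parts = urlsplit(candidate.replace("\\", "/"))
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))   # fragment dropped
        return default
    host = (parts.hostname or "").lower()
    if parts.scheme in ("http", "https") and host in trusted_hosts:
        # Rebuild from the parsed host only, discarding userinfo and port, and force https.
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    return default
```

Note that the validator unquotes exactly once, matching what the web server hands the application; a doubly encoded value such as "%252F%252Fevil" decodes to a string beginning with "%" and is rejected as neither a path nor a URL.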
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "The Web is Smaller than it Seems," ACM/USENIX Internet Measurement Conference (IMC), San Diego, CA, Oct. 2007.
[ Abstract ] [ Full Paper ]The Web has grown beyond anybody's imagination. While significant research has been devoted to understanding aspects of the Web from the perspective of the documents that comprise it, we have little data on the relationship among servers that comprise the Web. In this paper, we explore the extent to which Web servers are co-located with other Web servers in the Internet. In terms of the location of servers, we find that the Web is surprisingly smaller than it seems. Our work has important implications for the availability of Web servers in case of DoS attacks and blocklisting.
- Craig A. Shue, Minaxi Gupta, "Projecting IPv6 Forwarding Characteristics Under Internet-wide Deployment," ACM SIGCOMM 2007 IPv6 Workshop, Kyoto, Japan, Aug. 2007.
[ Abstract ] [ Full Paper ]While routing table growth, its impact, and causes have been examined extensively for IPv4, little work in this direction exists for IPv6. This paper is the first step toward examining performance aspects of IPv6 packet forwarding. We do so by using a software implementation of various packet forwarding algorithms used by routers and running them against IPv6 tables. In the absence of a wide deployment of IPv6, we generate IPv6 routing entries based on IAB allocation recommendations. We simulate growth of routing tables due to new prefix allocations and under partial deployment scenarios. Additionally, we consider factors that inflate routing table sizes artificially. These include load balancing, multi-homing, and failure to aggregate aggregatable prefixes. We conclude that if modern routers were to simply replace their IPv4 prefixes with an equivalent number of IPv6 prefixes, without changing anything else, an average lookup in the routing table will be 67% more expensive. Further, the IPv6 routing table will require at least 4.5 times more memory to store the same number of prefixes.
- Craig A. Shue, Minaxi Gupta, Steven A. Myers, "IPSec: Performance Analysis and Enhancements," IEEE International Conference on Communications (ICC), Glasgow, Scotland, June 2007.
[ Abstract ] [ Full Paper ]Internet Protocol Security (IPSec) is a widely deployed mechanism for implementing Virtual Private Networks (VPNs). In previous work, we examined the overheads incurred by an IPSec server in a single client setting. In this paper, we extend that work by examining the scaling of a VPN server in a multiple client environment and by evaluating the effectiveness of connection credential caching. Motivated by the potential benefits of caching, we also propose a cryptographically secure cache resumption protocol for IPSec connections to reduce the connection establishment overheads.
- Craig A. Shue, Minaxi Gupta, "Packet Forwarding: Name-based Vs. Prefix-Based," IEEE INFOCOM Global Internet (GI) Symposium, Anchorage, AK, May 2007.
[ Abstract ] [ Full Paper ]Using domain names for routing, instead of IP prefixes, has the potential to address many of the core outstanding issues in today's Internet. To initiate research in that direction, this paper compares the performance of name-based routing in the core of the Internet with that of IPv4 routing. Our analysis concludes that name-based routing is well within the scope of feasibility.
- Jonathan Mills, Matt Parker, Bryce Himebaugh, Craig A. Shue, Brian Kopecky, Chris Weilemann, "'Empty Space' Computes: The Evolution of an Unconventional Supercomputer," ACM International Conference on Computing Frontiers, May 2006.
[ Abstract ] [ Full Paper ]Lee A. Rubel defined the extended analog computer to avoid the limitations of Shannon's general purpose analog computer. Partial differential equation solvers were a "quintessential" part of Rubel's theoretical machine. These components have been implemented with "empty space," or VLSI circuits without transistors, as well as conductive plastic. For the past decade research at Indiana University has explored the design and applications of extended analog computers. The machines have become increasingly sophisticated and flexible. The "empty" computational area is devoted to solving partial differential equations. The rest of the space includes fuzzy logic elements, configuration memory and input/output channels. This paper describes the theoretical definition, architecture and implementation of these unconventional computers. Two parallel applications are described in detail. Rubel's model can be viewed as an abstract specification for a distributed supercomputer. We close with a description of an inexpensive 64-node processor that was designed using our current single processor. The next step is to return to VLSI with an improved understanding of the architecture -- and seek computation speeds approaching trillions of partial differential equations per second.
- Craig A. Shue, Youngsang Shin, Minaxi Gupta, Jong Youl Choi, "Analysis of IPSec Overheads for VPN Servers," IEEE International Conference on Network Protocols (ICNP) Network Protocol Security (NPSec) Workshop, Boston, MA, Nov. 2005.
[ Abstract ] [ Full Paper ]Internet Protocol Security (IPSec) is a widely deployed mechanism for implementing Virtual Private Networks (VPNs). This paper evaluates the performance overheads associated with IPSec. We use Openswan, an open source implementation of IPSec, and measure the running times of individual security operations and also the speedup gained by replacing various IPSec components with no-ops. The main findings of this study include: VPN connection establishment and maintenance overheads for short sessions could be significantly higher than those incurred while transferring data, and cryptographic operations contribute 32-60% of the total IPSec overheads.
- Minaxi Gupta, Craig A. Shue, "Spoofing and Countermeasures," Book chapter in Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, edited by Jakobsson and Myers published by Wiley, ISBN: 0-471-78245-9, 2006.
- Evan J. Frenn, Craig A. Shue, "Securing Enterprise Networks using Trusted Thin Terminals," Advanced Cyber Security Center (ACSC) Annual Conference, Nov. 2012.
[ Poster ]
- Curtis R. Taylor, Craig A. Shue, "Marco Polo: Geographically Pinpointing Clients on Wireless Networks," Advanced Cyber Security Center (ACSC) Annual Conference, Nov. 2012.
[ Poster ]
- Erik Archambault, Craig A. Shue, "Understanding New Anonymity Networks From a User's Perspective," Poster at ACM Conference on Computer and Communications Security (CCS), Oct. 2012.
[ Poster ]
- Craig A. Shue, Minaxi Gupta, "Freeing the Internet from the DNS," Indiana University Computer Science and Informatics Poster Session, Bloomington, IN, Mar. 2007.
[ Poster ]
- Craig A. Shue, Minaxi Gupta, "Spoofing Resistant Packet Routing," Poster at IEEE International Conference on Network Protocols (ICNP), Nov. 2005.
[ Poster ]
- Craig A. Shue, Joshua Hursey, Arun Chauhan, "MPI over Scripting Languages: Usability and Performance Tradeoffs," IUCS Technical Report TR631, Feb. 2006.
[ Abstract ] [ Full Paper ]We present a comparative study of two popular implementations that make the MPI available on MATLAB: MatlabMPI and MPI-TB. We evaluate their performance through micro-benchmarks on a high-performance Linux cluster and compare those to their corresponding implementations on Octave as well as to the LAM/MPI library accessed through a C API. We have discovered that there are significant performance advantages to using an implementation of the MPI that utilizes highly tuned libraries built for high-speed interconnects, such as the Myrinet. However, a price must be paid in terms of higher installation and setup times and a more complicated API.
We conclude that even though there are advantages to using the MPI within a high-level scripting language, such as MATLAB or Octave, there are important philosophical differences between the programming models of scripting languages and a relatively low-level communication library interface, such as the MPI. This points to the need for a more sophisticated long-term support for parallel programming from the language compiler and runtime system.
- Craig A. Shue, Brian Kopecky, Chris Weilemann, "Denial of Service Attack Detection Using Extended Analog Computers," IUCS Technical Report TR624, Jan. 2006.
[ Abstract ] [ Full Paper ]Denial of Service (DoS) attacks, a damaging assault on computer networking infrastructure, have been extensively examined by the digital computing community. However, no work has been done to examine the ability of Extended Analog Computers (EAC) to detect DoS attacks. In this paper, we discuss how EACs could be used in DoS detection.