Computers & Security (March) [Volume 26, Issue 2]


289 105 2MB

English Pages 92 Year 2007

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
EEn......Page 1
Computers & Security, Volume 26, Issue 2, March 2007......Page 2
TOC......Page 3
From the Editor-in-Chief: Windows Vista: Microsoft’s brave new world......Page 4
Update in the war against cybercrime......Page 5
More compromises of personal and financial information occur......Page 7
Judge turns down request for access to e-Voting machine source code......Page 9
Gathering of information about air travelers continues to stir controversy......Page 10
VISA USA offers USD 20 million incentive for PCI compliance......Page 11
French Court Rules in favor of personal privacy over piracy searches......Page 12
UK patients may opt out of having their electronic health records shared......Page 13
Introduction......Page 14
An overview of biometric authentication......Page 15
Studying the feasibility of keystroke analysis......Page 16
Results......Page 17
Viability of keystroke analysis......Page 18
Achieving a composite authentication mechanism......Page 19
Discussion......Page 22
Conclusions......Page 23
References......Page 24
Introduction......Page 25
An access control scenario......Page 26
The dynamic update approach......Page 27
Clustering of subjects......Page 28
The access request evaluation process......Page 29
Complexity analysis of access request evaluation procedure......Page 30
Task 1: find the subject policy file associated with the requesting subject......Page 31
Overall complexity of the access request evaluation process......Page 32
References......Page 33
Introduction......Page 35
Related work......Page 36
Sython modifications to python......Page 37
Implementation details......Page 38
Discussion and applications......Page 39
References......Page 40
Introduction......Page 42
Motivation......Page 43
RTT algorithm......Page 44
Estimation of parameter q......Page 45
Sample experiments......Page 46
Packet-matching algorithm comparison......Page 47
References......Page 48
Introduction......Page 50
Controls......Page 51
Introduction planning......Page 52
Criteria......Page 53
Breaking down the problem......Page 56
Conclusion......Page 57
References......Page 58
Introduction......Page 59
Vicarious capability......Page 61
User substitution detection from the perspective of SCT......Page 62
Multifactor-systems theory of individuality......Page 63
Factors vs. storages......Page 64
Individual behavioral aspects......Page 65
Individual environmental aspects......Page 67
Object system......Page 68
Technical system......Page 69
Process of user identity verification......Page 70
Related concepts of authentication, intrusion detection, and fraud detection......Page 72
Authentication......Page 73
Intrusion detection......Page 74
Directions for further research......Page 75
Conclusions......Page 76
Structure of personality systems......Page 77
References......Page 79
Introduction......Page 82
Research background......Page 83
Information security practices for production activities......Page 84
Implications for practice......Page 85
References......Page 86
Investigative response: After the breach......Page 88
Refereed papers -- Guide for Authors......Page 91
Recommend Papers

Computers & Security (March) [Volume 26, Issue 2]

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

Computers & Security Editor-in-Chief Dr Eugene Schultz, CISSP Chief Technology Officer High Tower Software 26970 Aliso Viejo Pathway Aliso Viejo, CA92656, USA Email: [email protected]

Academic Editor

IFIP TC-11 Editor

Prof. Eugene Spafford Professor and Director Purdue University CERIAS Department of Computer Science 1398 Computer Science Building Purdue University, West Lafayette IN 47907-1398, USA Email: [email protected]

Prof. Dr Dimitris Gritzalis Dept. of Informatics Athens University of Economics and Business 76 Patission Street, Athens GR-104 34 Greece Email: [email protected]

Editorial Board August Bequai Attorney At Law, McLean, Va. Email: [email protected]

Sarah Gordon Senior Research Fellow, Symantec Security Response Email: [email protected]

Professor William J (Bill) Caelli Head — School of Software Engineering and Data Communications, Queensland University of Technology Email: [email protected]

Stephen Hinde Group Information Protection Manager, BUPA Email: [email protected]

Prof. Zhenfu Cao Department of Computer Science and Engineering Shanghai Jiao Tong University Email: [email protected] Dr Richard Ford Associate Professor Florida Institute of Technology Email: rford@fit.edu

David Lacey David Lacey Consulting Ltd Email: [email protected] Charles Pfleeger Pfleeger Consulting Group Email: chuck@pfleeger.com Marcus K. Rogers Purdue University Email: [email protected]

Publisher David Clark

Marketing Ursula Culligan

PUBLISHED 8 ISSUES PER YEAR Orders, claims, and journal enquiries: please contact the Customer Service Department at the Regional Sales office nearest you: Orlando: Elsevier, Customer Service Department, 6277 Sea Harbor Drive, Orlando, FL 32887-4800, USA; phone: (877) 8397126 or (800) 6542452 [toll free numbers for US customers]; (+1) (407) 3454020 or (+1) (407) 3454000 [customers outside US]; fax: (+1) (407) 3631354 or (+1) (407) 3639661; e-mail: [email protected] or [email protected]; Amsterdam: Elsevier, Customer Service Department, PO Box 211, 1000 AE Amsterdam, The Netherlands; phone: (+31) (20) (4853757); fax: (+31) (20) 4853432; e-mail: [email protected]; Tokyo: Elsevier, Customer Service Department, 4F Higashi-Azabu, 1-Chome Bldg, 1-9-15 Higashi-Azabu, Minato-ku, Tokyo 106-0044, Japan; phone: (+81) (3) 5561 5037; fax: (+81) (3) 5561 5047; e-mail: jp.info@ elsevier.com; Singapore: Elsevier, Customer Service Department, 3 Killiney Road, #08-01 Winsland House I, Singapore 239519; phone: (+65) 63490222; fax: (+65) 67331510; e-mail: [email protected] © 2007 Elsevier Ltd.

www.elsevier.com/locate/cose

Number 2

March 2007

Contents Windows Vista: Microsoft’s brave new world E. E. Schultz Security views

99 100

Advanced user authentication for mobile devices N. L. Clarke and S. M. Furnell

109

Clustering subjects in a credential-based access control framework K. Stoupa and A. Vakali

120

Privacy-preserving programming using sython M. Gaiman, R. Simha and B. Narahari

130

Probabilistic analysis of an algorithm to compute TCP packet round-trip time for intrusion detection J. Yang and S.-H. S. Huang

137

A study on decision consolidation methods using analytic models for security systems S. Kim and H. J. Lee

145

A framework for behavior-based detection of user substitution in a mobile context O. Mazhelis and S. Puuronen 154 Information security in networkable Windows-based operating system devices: Challenges and solutions I. Oshri, J. Kotlarsky and C. Hirsch

177

Investigative response: After the breach C. J. Novak

183

computers & security 26 (2007) 99

From the Editor-in-Chief

Windows Vista: Microsoft’s brave new world

By the time this editorial will appear, Microsoft will have just released Windows Vista, its new client operating system. Every newly released Microsoft product includes numerous new features designed to entice users into buying the product. Many such new features are designed to bolster security; the features in Windows Vista are no exception. Some features are designed to help prevent malware infections, others will help to protect against data security breaches, others will reduce the likelihood that users will succumb to phishing attacks, and still others will help in countering risks due to users running Vista with Administrator-level privileges. The security-related changes in Vista’s version of the Internet Explorer 7 are particularly impressive. Vista promises to be the best operating system it has developed from a security perspective. Microsoft has truly come a long, long way when it comes to integrating security functionality into its operating systems. Vista’s release also raises several very interesting issues, the first of which is the need for user intervention at critical points during which the risk of a malware infection or unauthorized change to the system escalates. One of many examples in Vista’s version of the Internet Explorer 7 concerns when a Web site attempts to use browser extensions to install new software. Vista’s Internet Explorer 7 does not automatically allow this to occurdby default, users must decide whether or not to allow the software to be installed. Like anything else in the security arena, this function has an associated cost in that it requires user intervention. The tradeoff between the costdthe need for user interventiondand the benefitda much-lower probability of a malware infectiondis on the surface trivial to analyze. The fact that there are so many steps in user interaction sequences in which user intervention of this nature is by default required inflates the cost factor considerably, however. Another concern is that users may not know enough to make good decisions concerning whether or not to allow something such as a download that may have dire security consequences to occur; they may, in fact, soon simply allow every potentially dangerous operation to occur without thinking any more. Still, it is better to offer users a choice than to offer no choice at all. One of the real downsides to Vista has little to do with security per se. The End User License Agreement (EULA) that comes with this operating system in essence states that

Microsoft alone owns the operating systemdthe user has only paid to use itdand that Microsoft can at any time and for any reason whatsoever revoke the user’s use of its operating system. A feature in Vista ‘‘phones home’’ to a Microsoft server or a special key management server to activate Vista. This feature provides Microsoft with a considerable amount of information about the system in which Vista is installed. Users who are suspected of having illegal versions of Vista may have their usage revoked. Additionally, Digital Rights Management (DRM) functionality that can negatively affect the quality of audio and video substantially is built into Vista. It is safe to predict that this EULA and Vista’s informationgathering functionality will be strongly challenged in court. Perhaps in time Microsoft will be compelled to back down concerning its claimed right to for any reason revoke the user’s right to use Vista and to gather so much information about each system. What is worse in my mind, however, is the possibility that Microsoft’s new licensing and enforcement schemes will encourage other software vendors to follow suit, leaving a large portion of the user community at the mercy of vendors who have become too avid in their fight against piracy. Microsoft has in effect created a ‘‘brave new world’’ with its new EULA and other provisions. I wonder whether organizations and individuals will overlook what Microsoft has done and buy Vista anyway, or whether there will be such a negative reaction that Vista sales will fall far below expectations. Former US Attorney General Robert F. Kennedy once said ‘‘May you live in interesting times.’’ One thing is for suredtimes are certainly getting more interesting for users and potential users of Vista. Dr. E. Eugene Schultz, CISSP, CISM High Tower Software, Chief Technology Officer, 26970 Aliso Viejo Pathway, Aliso Viejo, California 92656, USA E-mail address: [email protected] 0167-4048/$ – see front matter ª 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2007.02.002

computers & security 26 (2007) 100–108

Security views 1.

Malware Update

A personally owned computer infected with a virus appears to have caused information related to military operations in Iraq, Kuwait, and other countries to be distributed over the Internet. Japanese law enforcement confiscated a computer owned by an officer in the Japanese Air Self-Defense Forces believed to be the source of the data compromise. The virus reportedly worked through Winny, a file-sharing program. All information that was compromised in this manner was unclassified. The Big Yellow worm (called the ‘‘Sagevo worm’’ by Symantec) exploits a bug in Symantec Anti-virus and Symantec Client Security. This worm turns infected computers into bots that belong to a botnet. Although Symantec released a patch for this bug last year, many organizations have still not installed it. Several new Windows worms that convey season’s greetings surfaced recently. Luder (also called ‘‘Mixor,’’ ‘‘Nuwar,’’ or ‘‘Draf’’) arrives as a message with a subject line such as ‘‘Happy New Year’’ and contains an attachment that appears to be a holiday greeting card. Users who open the attachment infect their computers. Another worm, a variant of the Warezov Trojan horse, spreads itself through an attachment, postcard.zip or postcard.exe, which if opened infects computing systems. Once a machine is infected, it spews messages with infected attachments to other computing systems. It seems as if increasingly fewer news items regarding malware are showing up in Security Views. The trend thus continuesdfewer highly noticeable, widely spread viruses and worms, and more surreptitious and deadly malware. Things are thus by no means ‘‘quiet on the Western front’’ as far as malware goes. This trend should continue into the foreseeable future.

2.

Update in the war against cybercrime

Victor Faur of Romania has been arrested on the grounds that he allegedly intruded into more than 150 US government computing systems, including those at the NASA Goddard Space Flight Center, the Jet Propulsion Laboratory, the Department of Energy (DOE), and the US Naval Observatory. Faur’s indictment alleges that he led a team that repeatedly attempted to intrude into US government computing systems, that this team hosted IRC chat rooms on the systems that

they compromised, and that they went through the systems attempting to find passwords for other systems. The US Attorney’s Office has estimated that the break-ins to NASA systems alone resulted in a loss of at least USD 1.4 million. If convicted of the charges against him, Faur could face a maximum prison sentence of 54 years. A company has settled with the state of Washington concerning allegations that it offered no cost spyware scanning services, but then without exception found spyware that needed to be eradicated for a charge. Without admitting guilt or wrongdoing, Secure Computer has consented to pay USD 200,000 in civil penalties, USD 75,000 in compensation to consumers, and USD 725,000 in state attorneys’ fees and costs. John Bombard of Florida pleaded guilty to two counts of deliberately gaining access to a protected computing system without authorization. Bombard broke into computer systems at Bucknell University and Columbia University nearly three years ago in a ploy to perpetrate a distributed denial-ofservice (DDoS) attack against Akamai Technologies. He may be sentenced to a maximum of two years of imprisonment and may have to pay a fine of up to USD 100,000. Through a plea bargain Navy Petty Officer Third Class Ariel J. Weinmann received a sentence of 12 years of imprisonment for pilfering a laptop computer and then giving classified information to a foreign government. Without the plea bargain, he faced a sentence of life in prison. Additionally, Weinmann received a dishonorable discharge. Michael Mraz, Jr., a student at the University of WisconsinWhitewater, has been arrested on charges that he gained unauthorized access to four university staff members’ computing systems and then installed keystroke loggers to glean sensitive information. He allegedly used his flash drive to install the keystroke loggers. The sensitive information was allegedly collected over a period of nearly two months last year; this information included dialogues regarding student disciplinary cases, answers to an examination, and information about a law enforcement investigation. He faces two felony counts; if convicted of all charges, he will receive a maximum prison sentence of 19 years. A teenager in New Zealand sentenced to attend a computer training course to remedy anti-social behavior acknowledged that he used what he learned to gain unauthorized access to people’s bank accounts and to pilfer almost NZD 45,000. Aggravated robbery, threatening behavior, and kidnapping are among his offenses.

computers & security 26 (2007) 100–108

Three individuals, Mirza and Sameena Ali of California and Keith Griffen of Oregon, have been convicted for participating in a ploy in which they bought Microsoft software at the heavily discounted educator’s rate and then resold it at much higher prices. As a result, Microsoft was swindled out of more than USD 60 million. The Ali’s were convicted on 30 counts of conspiracy, wire fraud, money laundering, and mail fraud, whereas Griffen was convicted on nine related counts. Sentencing is imminent; each individual is likely to be sentenced to a long prison sentence and a large fine. Jeremy Hammond of Illinois has received a sentence of two years of imprisonment for pilfering credit card information from a Web site run by a conservative political activist organization. He gained unauthorized access to this site and then downloaded credit card information pertaining to roughly 5000 individuals who had used the site to make purchases or donations. Hammond had originally intended to use the credit card information to make donations to left wing organizations against which the site was opposed, but later decided not to. He must also pay fines and restitution totaling USD 5250. Robert Schofield, a US Department of Homeland Security (DHS) supervisor and employee of US Citizenship and Immigration Services, has been arrested on the grounds that he committed naturalization fraud. He allegedly sold citizenship to hundreds of Asian immigrants over a 10 year period and may have taken in as much as USD 600,000 in bribes. He is accused of working in connection with Qiming Ye, an immigration broker, to create false paperwork for immigrants. Ye has pleaded guilty; Schofield faces a prison sentence of up to 25 years. Ryan C. Shrouder of Florida has been arrested on charges that he intruded into one of his high school’s computing systems and then modified students’ grades. Shrouder, a senior and class president at the high school, allegedly used the password of a school board employee to break into the system. He faces suspension and has been recommended for expulsion. Two other students involved in the incident have already been suspended. In a separate but similar case, two New Jersey teenagers, one 18 years old and one younger, also face charges of gaining unauthorized access to a high school computer system and then modifying grades. If convicted, the older of the pair could be sentenced to up to 10 years of imprisonment; the other could get detention until he turns 21. An audit of grade reports and school transcripts led to the discovery of this incident. Symantec has filed a lawsuit against software distributors SILI, GT Micro, and ANYI and their affiliates, claiming they have been selling illegal copies of Symantec products, including Norton AntiVirus, Norton Internet Security, Norton SystemWorks, Veritas Backup Exec, and pcAnywhere. The lawsuit requests USD 15 million because of copyright infringement, fraud, false advertising, engaging in trademark infringement, and unfair competition. Symantec conducted an investigation that culminated in the confiscation of more than 100,000 disks with pirated software on them. A UK court made a summary judgment against Paul Martin McDonald, who sold email addresses to be used in connection with spamming ploys. Microsoft sued McDonald on the basis that his selling addresses violated the Privacy and Electronic Communications Regulations. The judge came to the conclusion that the evidence clearly showed that McDonald’s

101

company had furnished addresses of individuals who had not agreed to receive direct marketing email and also that it had encouraged those who bought these addresses to send emails to those individuals. Spanish law enforcement has arrested six individuals who allegedly pilfered financial information pertaining to more than 20,000 individuals. The accused allegedly posted phishing Web pages designed to glean credit card and bank account information they allegedly used later in unauthorized financial transactions. Law enforcement confiscated more than 500 fraudulent credit cards. Numerous music labels, including Arista, Capitol, and Warner Bros. as well as the British Phonographic Industry, have sued Russian music Web site Allofmp3.com, which sells complete albums for roughly USD 1 each. Allofmp3.com is, according to the plaintiffs, profiting by selling copyrighted music without having obtained proper permission. Allofmp3. com has countered that it has complied with Russian copyright law because it pays royalties to a Russian licensing group called Roms. The plaintiffs assert, however, that Roms has no authority to collect and allocate royalties. A US grand jury has indicted Yung-Hsun Lin of New Jersey on charges that he planted a logic bomb in one of his former employer’s computing systems. Lin allegedly installed this code because he was afraid that he would be laid off from his job at Medco Health Solutions, which was spinning off from Merck. The code could have impaired more than 70 servers and erased both customer prescription and payroll information, but it was detected before it could trigger. Lin was indicted on two charges of intending to cause fraudulent, unauthorized changes to computer systems. If he is convicted, he could be sentenced to a maximum of 10 years in prison for every count as well as fined USD 250,000. Garyl Tan Jia Luo of Singapore, who is 17 years old, pleaded guilty to piggybacking on the wireless network of a neighbor. This crime is punishable by a maximum jail sentence of three years and a fine of up to SD 10,000. Because Tan would have a criminal record if he served jail time, the judge in this case is leaning instead towards putting Tan on probation and also having Tan serve in Singapore’s obligatory national service earlier than usual. Another Singapore man has been charged with accessing a wireless network and using that connection to post a bomb threat on-line. Lin Zhenghuang of Singapore also faces charges of illegal wireless network piggybacking, but he allegedly went farther than Tan by using his access to make a bomb threat. Lin also faces an additional prison term of up to seven years and a maximum fine of SD 50,000 if he is convicted on the bomb threat charges. Two unnamed German men have been sentenced to prison for their participation in a ploy to cause PCs to dial premium rate telephone numbers. They both belong to a gang that took in roughly 12 million Euros in a 14-month interval between 2002 and 2003 by installing malicious code that dialed the numbers in more than 100,000 computing systems. Eric McCarty of California has been sentenced to six months of home detention and two and one half years of probation for gaining unauthorized access to a University of Southern California computer. He broke into the university’s on-line application system nearly two years ago, causing it to be off-line for 10 days. His lawyers asserted that he broke

102

computers & security 26 (2007) 100–108

into the computer to show how bad its security was. The database on the compromised system stored information pertaining to 275,000 university admission applicants. The detention is part of McCarty’s three-year probation; he must also make a restitution payment of almost USD 38,000 to the university. While he is on probation, McCarty will be restricted in his use of Internet-connected devices; only job-related activity will be allowed. Sohu.com of the People’s Republic of China must pay 1.085 million yuan in damages as the result of a court ruling. His company was charged with making movie files available to be downloaded without obtaining permission from the copyright holders. Sohu.com must also publish an admission of guilt and pledge that he will not infringe on copyrights in the future. The Motion Picture Association, the international branch of the Motion Picture Association of America (MPAA), initiated the lawsuit. A county employee responding to a phishing message and providing information necessary for accessing the bank accounts of Oceana County, Michigan may have been the cause of money being stolen from these accounts. The fact that money was missing from these accounts was discovered last November. The affected accounts were closed, given new numbers, and then reopened two days later. The Oceana county treasurer and clerk are both putting new security procedures in place. The FBI is conducting an investigation. The county staff was cautioned about phishing threats twice last fall. The US Securities and Exchange Commission (SEC) has filed charges against Evgeny Gashichev, a Russian who owns Grand Logistics SA, for allegedly intruding into people’s computing systems and then using their on-line brokerage accounts to pump up stock prices. Gashichev’s company may, according to the SEC, have made more than USD 350,000 from the ploy. He allegedly bought stock in roughly 20 companies and then used the compromised brokerage accounts to boost the price of his holdings. Gashichev allegedly then sold the stock at artificially high values. The SEC has successfully initiated an emergency asset freeze against Gashichev’s company. Two Los Angeles transportation engineers face charges that they engaged in illegal activity in connection with a traffic control system. One faces one count of unauthorized access to a computing system and identity theft. The other faces one count of unlawful access to a computing system and four counts of unlawful disruption/denial-of-computer services. The two allegedly gained unauthorized access to disconnect traffic lights at four busy intersections before a labor union strike last August. No accident resulted, although getting the traffic control system back to normal required days of effort. Both pleaded not guilty to the charges. A 16-year-old Norwegian youth could be sentenced to jail time of 60 days and a fine of NOK 4000 for allegedly operating a file-sharing site in which songs, movies and videos were distributed for free on the Internet. He allegedly used the Direct Connect P2P file-sharing program. His parents could also be required to pay a hefty fine to compensate the music and movie industries for lost income. George Nkansah Owusu of Virginia pleaded guilty to computer fraud and aggravated identity theft in connection with his using computing systems to pilfer personal data pertaining to Virginia Commonwealth University (VCU) students.

Owusu has been sentenced to four years of imprisonment. He conceded that he had installed keystroke loggers on student-use computers in the VCU library and in some science labs to obtain student and faculty login information. He also changed his grades and downloaded a female student’s photos and email. Finally, he logged in as another student and dropped several of that student’s courses. PRC citizen Luo Zhiguo has admitted in court that he made money by operating an illegal on-line game and charged his customers well below the charge for the genuine version. Luo and two others allegedly duplicated Mir 3 and made it permanently accessible for only 300 yuan. Luo said that he did not realize that he was engaging in criminal activity because so many others were making games available in this manner. Ye Weilong, an accomplice, turned himself in to authorities a year ago, but he jumped bail. You Tangcun, another accomplice, was arrested last spring and was sentenced to three years of house arrest. The ploy was discovered when an investigation triggered by the game’s legitimate operator’s complaints that he was losing millions of yuan monthly due to the unauthorized operation of the game was launched. Computer crime continues to manifest itself in a wide variety of ways, everything from gaining unauthorized access to systems to engaging in piracy schemes to causing computer-controlled traffic lights to malfunction. The possibilities are becoming almost limitless. Fortunately, despite having resources that are too often insufficient, law enforcement around the world seems to be doing increasingly better in identifying computer crime and ensuring that those who engage in it are brought to justice. Unfortunately, too many organizations and individuals still leave their systems, networks, applications, and databases unprotected, making committing computer crime much easier than it should be.

3. More compromises of personal and financial information occur Data security breaches involving personal and financial information show no signs whatsoever of slowing down. Computer theft and loss of computers remain one of the most common types of such compromises, as explained in the following news items:  Pennsylvania state officials have announced that two computing systems pilfered from a driver’s license office have personally identifiable information pertaining to over 11,000 persons. The stolen information includes names, addresses, Social Security numbers (SSNs), driver’s license numbers, and birthdates. The thieves also stole equipment and materials needed to fabricate bogus driver’s licenses. The State will inform affected individuals via letter.  A laptop of a member of the West Virginia Army National Guard 130th Airlift Wing has been stolen. This computer contained personal information, including names, SSNs and birthdates, pertaining to members of this unit. Each member of this unit has been notified of the incident, as has the FBI and two military investigative agencies.  A laptop system pilfered from a Boeing Co. employee’s car stored personally identifiable informationd home

computers & security 26 (2007) 100–108

addresses, SSNs, birthdates, and moredpertaining to roughly 382,000 current and prior employees of this company. Boeing is notifying current employees of the incident by email, whereas prior employees will receive letters. This laptop theft is one of 250 such incidents at Boeing during the last year.  Deaconess Hospital in Indiana has mailed letters to 128 patients to inform them that their personal information (including SSNs) was stored in a laptop system that has been missing since late last year. No evidence that the information has been misused exists. The hospital is now considering improving its security through measures such as encrypting data stored on computers. Other compromises were the result of unauthorized access to systems, as described below.  A data security breach at the University of California, Los Angeles (UCLA) has potentially affected 800,000 current and prior students, staff, and faculty as well as applicants for admission and financial aid, and even some parents. The information includes names, addresses, SSNs, and birthdates. UCLA computer security staff detected the incident last November 21 on the basis of a plethora of suspicious database queries. A follow-up investigation showed that attackers had been attempting to gain access to the information since the fall of 2005 and that they were trying to find SSNs. University staff has reconstructed the compromised database and has adopted measures to tighten its security. University staff has begun notifying affected persons; the FBI has also been notified.  Personal information pertaining to up to 600 St. Vrain Valley, Colorado School District students was put at risk when a laptop system was stolen from the car of a school nurse. The stolen laptop contains no information about students, but it can be used to remotely access such information. The information includes names, parents’ names, Medicaid numbers, birthdates, the school each student attends, and the grade level of each student. School district technical staff changed the password of the computer containing this information. The school district has notified students who were potentially affected.  Nissan has admitted that information in its customer database may have been compromised. Nissan is informing over five million potentially affected customers, and will implement additional security safeguards this year. Among these measures will be physical security monitoring in secure areas and monitoring of database assess. Additional personal data exposure incidents were due to poor protection of personal information on Web sites, as described below:  The names and SSNs of hundreds of Vermont health care providers were accidentally exposed on a public Web site at which the state of Vermont had posted a request for bids for being Vermont’s health insurance administrator. The state acknowledges that the information was available on the site for slightly over a month last year, but an anonymous doctor said that her SSN was still on the site.

103

 The names, SSNs and other personal information of roughly 15,000 Utah Valley State College (UVSC) students and faculty became accessible by mistake on Yahoo for about six weeks late last year. The information pertains to students and faculty who took part in the college’s distance learning program from January 2002 to January 2005. UVSC staff removed the files containing this information from its servers as soon as it learned of this incident, and has been informing everyone who was potentially affected.  Personal information pertaining to Rocky Rapids, Alberta Area residents was accessible on the Alberta Energy and Utilities Board Web site for up to six months. The information, which includes legal land descriptions, telephone numbers, work hours, and times when children would be home by themselves, was collected for emergency planning purposes. Alberta’s Office of the Information and Privacy Commissioner is looking into this problem. A few data compromises involved missing or stolen media:  Computer tapes taken during a burglary in Massachusetts in all likelihood contain personal information, including names and SSNs, of over 40,000 New York City employees. The burglary occurred at the offices of Concentra Preferred Systems, a vendor that works with Group Health Insurance, Inc. and also provides auditing services for Aetna. Roughly 130,000 Aetna customers across the US were also probably affected by the incident.  A hard drive that disappeared from a medical office in Somerset, Pennsylvania has presumably been stolen. Because only the hard drive was taken, whoever took it appears to have wanted the information on the device. The medical office provided no information concerning the data that may have been stored on the hard drive. Other news related to data security breaches includes:  The US Federal Trade Commission (FTC) has mailed reparation forms to 1400 persons who had financial expenses resulting from the data security breach at ChoicePoint over two years ago. A third of the USD 15 million settlement arrived at early last year has been set aside for compensating affected individuals. The claims had to be postmarked by February 4, 2007 if they were to be considered.  A perpetrator obtained login information for Arizona-based TransUnion Credit Bureau from a courthouse in Kingman, Arizona and then stole personally identifiable credit data, including SSNs, pertaining to more than 1700 persons. TransUnion is informing affected individuals.  Customer information pilfered from various Russian banks is being sold on the Internet at a price of 2000–4000 Rubles. This information, however, pertains to customers who have defaulted on loans, something that substantially reduces its prospective attractiveness to potential perpetrators.  Texas Woman’s University (TWU) has mailed letters to roughly 15,000 of its students to inform them that their personal information was compromised when an Internal Revenue Service (IRS) tuition data document was transmitted to a vendor over an unsecured channel. The incident

104

computers & security 26 (2007) 100–108

has potentially affected every TWU student who was enrolled at the school in 2005. News items concerning data security breaches continue to comprise a significant portion of each Security Views column. Negative consequences such as loss of reputation and class action lawsuits resulting from experiencing such incidents continue to occur, but apparently they are insufficient to motivate most organizations into boosting data security. Additionally, with customer and other information stored in so many places, including computers used by third party service providers, the likelihood that perpetrators will be able to find and glean personal and financial information is much higher than the average person might suspect. As I have said so many times before, data protection legislation that requires adequate levels of protection for such data appears to be the only truly viable solution.

PRC has an estimated 123 million users, a number that is second only to the US. The four associations that signed the MOU include the MPAA, Publishers Association of the UK, Association of American Publishers, and the Business Software Alliance. The percentage of illegal software in the PRC is estimated to be 86%, resulting in an estimated USD 3 billion loss to the software industry in 2005. The MOU also includes provisions for promoting public awareness between the PRC government and the associations as well as cooperative training efforts. All signs appear to indicate that the PRC is serious about cracking down on piracy of all typesdsoftware, music, and movies. The MOU described in this news item will not by any means solve the problem, but it represents another big step forward in doing so. I particularly like the provisions for training and awareness in the MOU. Using law enforcement to crack down on piracy will do some good, but this approach does not go far enough in that there is a huge human dimension to the piracy problem. Training and awareness will thus address the human dimension better.

4. USD 50 million class action settlement for privacy violation A US District Court judge has okayed a class action settlement that awards USD 50 million to compensate Florida motorists whose personal information the state sold to Fidelity Federal Bank and Trust over a period of three years for one cent per name. The bank used the information to send brochures that advertised loans to individuals who had recently bought automobiles. Under the terms of the settlement, every affected motorist will get USD 160. Attorneys for the plaintiffs successfully argued that the bank violated the Driver’s Privacy Protection Act, which forbids companies from buying records about drivers from states, when it obtained the motorists’ names. This law, which allows for a penalty of up to USD 2500 for each violation, was passed to deter criminals’ ability to stalk individuals; TV actress Rebecca Schaeffer was murdered after a stalker was able to find where she lived through motor vehicle records. This whole case is unbelievable. It is difficult to understand how a state government could sell personal data to a bank in the first place. One would think that state officials would have at a minimum realized that there was something improper and unethical about doing so. Furthermore, doing so was against the law. Then, after Fidelity Federal Bank and Trust bought and used the data, this bank has ‘‘taken the fall,’’ so to speak, while the state of Florida appears to have come out unscathed. Common sense should dictate that the bulk of the punishment should instead fall on the Florida government officials who broke the law and made this privacy violation possible in the first place.

5. People’s Republic of China signs on-line copyright memorandum The PRC government has signed a memorandum of understanding (MOU) with four US and UK industry associations to boost on-line copyright protection. The associations will provide the PRC with lists of products they deem needing protection and will provide information concerning suspected piracy. The

6. Sony BMG continues out-of-court settlements Shortly after agreeing on settlements with California and Texas concerning its use of what has widely been regarded as a rootkit to conceal digital rights management (DRM) software, Sony BMG settled a lawsuit with 39 other states (including Pennsylvania, Wisconsin, Oregon, New York, and Michigan, New York) and the District of Columbia (DC). Sony BMG, which is a joint venture between Sony Corporation and Bertelsmann AG, will pay more than USD 4.25 million. Each of the states that initiated the lawsuit will receive USD 316,000, whereas the other states and DC will each receive USD 5000. According to the terms of the settlement, Sony will pay persons who spent money to eradicate the software from their computers up to USD 175 each, the same amount paid in Sony BMG’s settlements with California and Texas. Sony BMG has created a Web site that describes the terms of the settlement as well as the procedures for filing a claim. Sony BMG continues to suffer negative consequences related to its ill-advised Digital Rights Management (DRM) scheme. Most significantly, Sony BMG’s public image has taken a big hit; it will take years for this company to recover its loss of reputation. Surprisingly, however, Sony BMG appears to have largely gotten off the hook when it comes to both fines and financial remuneration to those who were adversely affected by its DRM software. Having to pay a fine of USD 4.25 million is trivial for a company such as Sony BMG. The real question, therefore, is whether the consequences that Sony BMG experienced are sufficiently distasteful that they will serve as a deterrent to this company as well as others when they consider implementing future DRM schemes.

7. Judge turns down request for access to e-Voting machine source code A Florida judge has turned the request of US Democratic congressional candidate Christine Jennings to have the source

computers & security 26 (2007) 100–108

code of e-Voting machines used in last November’s election in Florida examined by outside experts. The suit brought against Sarasota County voting officials alleges that there were irregularities in the vote counting method. Jennings lost by only 369 votes in the 13th Congressional District election, but more than 18,000 voters who cast ballots in other district races had no votes recorded in the congressional race. Roughly 4000 more votes were recorded in Sarasota County’s Southern District Hospital Board race than in the congressional race, for example. Jennings and district voters filed the lawsuit. The basis for the judge’s denying the request to examine the source code was that the source code was ruled to be a trade secret. Jennings has indicated that she will appeal the ruling, saying that it is outrageous that concern about defending a company’s profits outweighed the integrity of the voting process. I find the reasoning behind this ruling (by Judge William Gary of Florida’s Second Judicial Circuit) appalling. The judge in this case has said that the economic interests of the eVoting industry outweigh the need for integrity in voting, something that by all appearances demonstrates disregard for the democratic process. What is perhaps even more distressing is that Judge Gary is in all likelihood only one of many judges in the US who would come to such a decision in a case such as this one. E-Voting is already very much in disrepute; Judge Gary’s rule just added fuel to this proverbial fire.

8. AIB customers to use Special Signature Devices Irish bank AIB has begun to furnish corporate and business on-line banking clients in Ireland and the UK with alphanumeric Digipass 550 transaction signature devices in an attempt to prevent bogus large cash transactions. The devices provide customers with one-time passcodes, host authentication, and transaction data signatures to boost security in banking transactions. When they access their accounts, clients will use a one-time password created by Digipass. Transactions will be protected using a combination of the account number and the payment beneficiary’s sort code. The Digipass 550 device will then use this information to create a transaction data signature that users must input for validation by Vasco’s Vacman server. Both the Digipass-generated onetime password and transaction signature will help safeguard against phishing and man-in-the-middle attacks. AIB is the first bank anywhere to use the particular devices in question. European banks (and to a lesser degree, US banks) are moving forward in providing stronger authentication and authorization in banking transactions in reaction to levels of banking transaction fraud that are growing at an alarming pace. The approach that the AIB bank has chosen is particularly appropriate in that it uses one-time authentication credentials that greatly reduce security-related risk from sniffing and man-in-the middle attacks. I would be curious to find out how much the Digipass 550 device deployment cost. Additionally, I wonder whether extensive user testing was conducted. Hopefully, the AIB bank conducted thorough user testing with the Digipass 550 device and found that users could readily use this device with minimum training.

105

9. Gathering of information about air travelers continues to stir controversy The US Congress has asked for greater information sharing within government and law enforcement circles. Concerns about privacy have caused the Office of the Director of National Intelligence to furnish guidelines for state agencies in handing individuals’ data. The guidelines call for US government organizations to make sure that information is gathered legally and that sharing this information with other organizations is done in a lawful manner. The information may be shared only if it concerns national security, terrorism, or law enforcement. The guidelines mandate that each agency create internal policies and procedures to guarantee that access to and use of protected information obtained through the Information Sharing Environment is in accordance with the reason that it was authorized. Meanwhile, the US has an agreement with the European Commission for airlines to furnish 34 pieces of information to US authorities each time an EU citizen flies to the US. The US government uses the Automatic Targeting Scheme (ATS), a program that gathers the information about travelers, whether or not they are US citizens, as well as cargo coming into or out of the US, puts the information into a database, and determines the risk or threat posed by a person. The airline data that are gathered have prompted numerous protests by European privacy advocates. According to a report by the US Department of Homeland Security’s (DHS’s) privacy office, Secure Flight, a government program that screens domestic air passengers on the basis of terrorist watch lists, broke federal law during the time this program was being tested. By obtaining passenger data from commercial brokers in 2004 without informing passengers, this program violated a 1974 Privacy Act requirement that the public be informed of changes in any federal program that infringes upon US citizens’ privacy. Additionally, the Transportation Security Agency (TSA) stored 100 million commercial personal passenger data records improperly after this agency announced that there would be no data storage. The objective is establishing the Secure Flight program by 2008, but if specific guidelines are not observed, more violations of the law are likely to occur. The US Congress has halted the Secure Flight program in the interim until privacy and security concerns are adequately addressed, although testing may continue. I, like European privacy advocates, am concerned about the gathering of information about individuals that is occurring in the US in the name of greater air travel security. So far the record of the US government concerning protection of personal information has been so sub par that there are serious doubts concerning its ability to protect information about travelers. I predict that it is only a matter of time before a serious data security breach involving this information occurs. Additionally, the US government has not always operated within the confines of the law. Enough is enoughdit is well past time that the US government either act more responsibly in obtaining, handling and safeguarding information about air travelers or abandon this approach and instead go with other measures that do not threaten personal privacy as much.

106

computers & security 26 (2007) 100–108

10. US Federal Rules of Civil Procedure electronic discovery amendments go into effect Amendments to the US Federal Rules of Civil Procedure concerning the discovery of electronically stored information have recently gone into effect. Included are revisions and additions to Rules 16, 26, 33, 34, 37, and 45 as well as to Form 35. The amendments include: (1) Definition of Discoverable Material, which brings in the phrase ‘‘electronically stored information,’’ stating that all of this information, whether on hard drives, flash drives, voice mail, PDAs, or instant messaging (IM), is discoverable, (2) early attention to Electronic Discovery Issues, which requires that parties address electronically stored information early during the discovery process because this is critical in controlling the scope and cost of electronic discovery as well as in avoiding discovery disputes, (3) format of production, which addresses the format of creation of electronically stored information and allows the requesting party to specify the form or forms in which it wants electronically stored information produced and provides a framework for resolving disputes over the form of production if the responding party does not find the requested format to be acceptable, (4) electronically stored information from sources that are not reasonably accessible, which creates a two-level approach to creating electronically stored information by distinguishing between that which is and that which is not reasonably accessible (with the cost of producing such information being the major criterion for ‘‘reasonably accessible’’), (5) asserting Claim of Privilege or Work Product Protection after production, which specifies a procedure through which a party that has unintentionally produced trial preparation material or privileged information may nevertheless assert a protective claim concerning that material, forbids the receiving party from using or disclosing the information, and mandates that the producing party preserve the information until there is a ruling concerning the claim, and (6) safe harbor, which stipulates that if no exceptional circumstances exist, a court may not place sanctions on a party for neglecting to provide electronically stored information that has been lost due to the routine, good-faith operation of a computing system. A recent on-line survey showed that high-level management is not prepared for the new amendments to these rules. Almost 70% of the respondents, including many attorneys, CFOs, controllers, tax directors, and finance directors, indicated that they desire more training concerning their corporate record archiving policies and procedures. According to a study by the American Management Association and the ePolicy Institute last year, more than half of those who use IM on the job relate that their employers have no clue concerning what they are doing with it. The biggest concerns related to the unconstrained use of IM in most corporations are high costs and lowered productivity. The fact that these rule revisions and additions have now gone into effect is extremely significant because they define more clearly than ever before what is and is not allowable in US investigations that involve the need for access to electronically stored information. I am not a lawyer, but after having read the revisions and additions I felt that they struck a nice

balance between allowing access to electronic information if such access is necessary and reasonable and protecting the interests of those who store and/or create such information. At the same time, however, it is clear from the results of the recent survey that quite a bit of training is going to be necessary if corporations are going to be able to comply with the rule revisions and additions. One thing is certainddealing with physical evidence in investigations is considerably easier than dealing with electronic evidence. The recent amendments to the US Federal Rules of Civil Procedure, while reasonable, will, unfortunately, only make dealing with electronic evidence more complicated.

11. Corporate executives’ main concerns are security breaches and terrorism Findings of a Harris on-line survey of nearly 200 corporate executives last fall showed that corporate executives are more concerned about system security breaches and terrorism than any other type of incident. Nearly two-thirds of those interviewed reported being most concerned about system compromises; another 55% reported being worried about terrorism. In contrast, a mere 9% indicated that security breaches were of no concern, while 14% reported that terrorism caused no worry. Forty percent of those surveyed indicated that a crisis management plan has been implemented; of those who had implemented such a plan, 85% was either very or somewhat satisfied with the plan. Corporate malfeasance was a cause for concern in 40% of those interviewed. The results of this survey constitute both good news and bad news. It is certainly good news that nearly two-thirds of the corporate executives in this survey put system security breaches at the top of their worry list. Getting high-level management’s attention concerning security-related risks is often one of the most challenging tasks for information security professionals. At the same time, however, the fact that only 40% of those surveyed had a crisis management plan is a genuine cause for concern given the multitude of serious disruption-related risks in today’s IT environments.

12. VISA USA offers USD 20 million incentive for PCI compliance In an attempt to boost the level of merchant compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), VISA USA is offering to pay USD 20 million in financial incentives and is also creating new fines. The PCI–DSS standard is a set of mandatory requirements established by the Payment Card Industry Security Standards Council to safeguard cardholder data. The requirements are applicable to all banks, merchants, and service providers that hold, process, or send cardholder information. The VISA PCI Compliance Acceleration Program (PCI CAP) focuses on acquirers accountable for the largest 1200 merchants (known as ‘‘Level 1 and 2 merchants’’). The PCI CAP’s goal is to get rid of the storage of card data such as PINs and to raise the level of PCI compliance among level 1 and 2 merchants. Current PCI compliance among level 1 and level 2 merchants is only 36 and 15%,

computers & security 26 (2007) 100–108

respectively. VISA will pay incentives to the acquiring banks of merchants that validate their PCI compliance before August 31 this year and that have not experienced a data securityrelated incident. In addition, VISA will tie the advantages of multi-tiered interchange rates to PCI compliance. Out-ofcompliance acquirers will be fined between USD 5000 and USD 25,000 every month for each of the level 1 and 2 merchants that have not validated by September 30 and December 31 this year, respectively. Last year VISA assessed merchants USD 4.6 million in fines, an increase from USD 3.4 million in the year before last. To be eligible for an incentive payment, acquirers of level 1 and 2 merchants that have validated that they are in full compliance with PCI–DSS by March 31 will get a one-time payment for each eligible merchant. Acquirers whose level 1 and 2 merchants prove that they are in compliance after March 31 and before August 31 can get a smaller one-time payment for every eligible merchant. For forbidden storage practices, acquirers that are unable to provide confirmation that their level 1 and 2 merchants are not storing PINs, full-track data or card verification value (CVV2) numbers by March 31 can be fined up to USD 10,000 every month per merchant. I like VISA USA’s approach, namely by rewarding acquirers whose merchants are in compliance with PCI–DSS and by punishing those who are not. Too often information security is reduced to a series of punishments, causing those who potentially face the punishments to abhor both information security and information security professionals. VISA’s two pronged approach presents the threat of punishment, namely fines, but it also offers incentivesda much better alternative than simply trying to avoid fines. My only concern is that the fines that VISA USA will levy against non-compliant acquirers are really quite small in comparison to the volume of business that these entities conduct every day. I suspect that these fines will have to be substantially increased before some acquirers start paying more attention to the PCI–DSS requirements.

13.

DOE LANL firing due to security breaches

US DOE Secretary Samuel Bodman announced that Linton Brooks, chief of the National Nuclear Security Administration (NNSA), had recently been fired because of security breaches at weapons facilities such as Los Alamos National Laboratory (LANL). These breaches included the disappearance of computer files containing personal information, including SSNs of 1500 employees at an NNSA facility at Albuquerque, New Mexico. Additionally, classified nuclear-related documents were found at the residence of a former LANL worker who had a top-secret clearance. The DOE Inspector General said that the security breach was especially disconcerting because of all the money spent on security improvements at LANL. An acting NNSA chief will be named in the near future. My fear is that Mr. Bodman is finding a scapegoat for the deep-seeded security problems throughout the US DOE complex. As in the case of the Veterans Administration nearly one year ago, the head of the DOE is blaming subordinates instead of looking at the real root causes of the security breaches that seem to constantly occur within this Department.

107

Security and other failures reflect management problems at the highest levels, yet those at the highest levels are so busy playing zero-sum political games and covering their proverbial behinds that they seldom entertain the thought that they might be to blame. It would be so wonderful (and also so astounding) if just once a high-level manager within the US government such as Mr. Bodman would say ‘‘the buck stops here,’’ as US President Harry Truman once did.

14. Alleged spammers prevail in court over anti-spammer Mark Mumma, a spam fighter, was sued in an appeals court by Omega World Travel and its subsidiary, Cruise.com. The suit asks for USD 3.8 million in damages to compensate for what the plaintiffs claim is defamation. Mumma posted an entry on his Web site in which he threatened to sue Omega World Travel after this company sent him multiple unwanted messages that advertised cruise vacations. Mumma, owner of Oklahoma-based MummaGraphics, has filed countersuits against the companies and CEO Gloria Bohan. The federal court has so far ruled in favor of the alleged spammers; the judges concede that the email messages that Omega World Travel sent may have had bogus Internet addresses and specious ‘‘From:’’ addresses, but nevertheless decided that these emails were permissible under the US Can-Spam Act. According to the judges, this act does not determine liability when cases such as the Omega World Travel case occur. Furthermore, the judges determined that state laws that forbid fraudulent or misleading communications will not be of use against junk email. The Can-Spam Act, passed in 2003, was originally supposed to override state spam laws except for the ones that address speciousness or deception in any part of a commercial email message. Other states have decided that the Can-Spam Act does not stop them from pressing charges against individuals who use bogus and fraudulent information in email messages that they send. The ruling in this case appears to be a major blow to antispam efforts in the US. Frankly, I cannot believe that judges could interpret the provisions of the Can-Spam Act as they havedthat somehow despite the wording of this Act, sending bulk email from falsified email addresses is perfectly o.k. When the Can-Spam Act was originally passed, virtually nobody expected it to produce miracles in combating spam, but then again few would also have predicted that a court would in essence rule that this Act has no teeth, so to speak. It may thus be time for the US Congress to go back to the proverbial drawing boards by drafting and passing stronger antispam legislation.

15. French Court Rules in favor of personal privacy over piracy searches A French court has decided that music companies and other copyright holders cannot perform unrestrained Internet monitoring to find pirates. The ruling pits European Union (EU) sanctioned data protection rules against aggressive tracing methods that the music and film industry use with

108

computers & security 26 (2007) 100–108

organizations. The case in which the ruling was reached concerned a peer-to-peer user in Paris whose IP address was traced. The loser in this case, the Society of Music Authors, Composers and Publishers (SMACP), said that it would appeal. A legal adviser at the French government commission that protects Internet privacy, the National Commission for Information Technology and Liberty, stated that this decision has established an important precedent. Invasion of privacy can result in a fine of up to V300,000 and five years of imprisonment. Although individuals must pursue any such legal action, a government-supported organization is contemplating taking action against those who conduct Internet monitoring. The basis for the French privacy law is a directive issued by the European Commission; variations in national laws may, however, affect the impact that this ruling may have in other EU countries. Anyone who works for the music or film industries should not feel at all comfortable with any part of this ruling. These industries have engaged in determined efforts to locate and punish individuals who have made or possess illegal copies of music and movies. According to the recent French ruling, those who engage in such monitoring efforts will now open themselves to invasion of piracy lawsuits. At the same time, however, it is important to realize that the last round in the privacy versus piracy monitoring battle in France has not in all likelihood yet been fought. The music and film industries are not likely to give up easily, and they have already announced their intention to appeal this ruling.

16. US Military and US Government Agencies to give their employees phishing tests The US military and certain US agencies will be initiating analytical phishing attacks that target their own employees. These attacks, approved by the government, will test how well federal employees conform to email security policies. Core Security Technologies’ CORE IMPACT penetration testing tool will be used to launch the attacks. This tool will record how many employees click on malicious links provided in email messages sent to them so that the military and agencies can assess the value of their IT security education effort. The US Computer Emergency Readiness Team’s quarterly trends and analyses show that phishing attempts comprise almost 84% of all reported attacks. The DHS, DOE, the Veterans Affairs, Labor, and Agriculture departments; the National Institute of Standards and Technology (NIST), the US Postal Service, the US courts, and the US Agency for International Development will all participate in the phishing tests. Testing that closely approximates real-life situations usually is the best, so presenting employees with phishing email and then determining how many of them go along with the directions therein appears to be an excellent way to determine how well anti-phishing training given within US military and government circles has worked. Previous studies have

shown that users repeatedly succumb to social engineering attacks, even after training, but will the same hold true for phishing attacks? My fear is that the answer is once again ‘‘yes.’’ Whatever the outcome may be, however, I am anxious to learn of the results.

17. UK patients may opt out of having their electronic health records shared Because of data security concerns, UK medical patients will be permitted to stop their health records from being shared nationally. The records are part of a recently upgraded National Health Service system designed to improve health care. This new system will electronically link more than 30,000 surgeries in the UK to almost 300 hospitals, and could store records for 50 million people in the UK. Both doctors and patients are, however, concerned that a mandatory electronic record system could harm doctor-patient relationships as well as result in data security breaches. Electronic health records are becoming increasingly necessary because the current paper-based system has become obsolete, but permitting remote access to records poses many serious security risks. Physicians will still be able to reach electronic care records containing information about medication, adverse drug reactions, and allergies for their patients. Pilot studies concerning patients’ ability to veto remote access to their records will commence soon. Additionally, the UK government is creating an advisory group to determine how patients can opt out of having their health records from being remotely accessible. Patients will be able to access their records on-line before they are entered into the national database, allowing them to change details or prevent them from being available. Patients who do not opt to stop remote access to electronic records at this point in time will be assumed to allow remote access to their health records. Patients can also opt out before their records are digitized if they claim that having their records being remotely available causes them significant mental duress. What to do concerning more sensitive electronic health data such as HIV status is still being evaluated. In allowing UK health patients to veto having their electronic health records from being remotely accessible, the UK government has set a model for other governments around the world to follow. The UK government is 100% correct in recognizing that such records are major targets of data security breach attempts and as such has left deciding whether or not these records will be remotely available to each patient. Opting in will help ensure that patient medical data will be available during urgent healthcare situations; opting out will help preclude the possibility that such data will be accessed without authorization. Individuals, not governments, should make such decisions, as the UK government has so correctly surmised.

computers & security 26 (2007) 109–119

Advanced user authentication for mobile devices N.L. Clarke, S.M. Furnell* Network Research Group, School of Computing, Communication and Electronic, University of Plymouth, Drake Circus, Plymouth PL4 8AA, UK

article info

abstract

Article history:

As mobile devices continue to evolve in terms of the capabilities and services offered, so

Received 22 August 2005

they introduce additional demands in terms of security. An issue that has traditionally

Revised 22 August 2006

been poorly served is user authentication, with the majority of devices relying upon prob-

Accepted 22 August 2006

lematic secret knowledge approaches. This paper proposes the use of more advanced biometric methods as an alternative. After considering the general range of available

Keywords:

techniques and their applicability to mobile devices, the discussion focuses upon the con-

Keystroke analysis

cept of keystroke analysis. Results of a practical evaluation are presented based upon the

User authentication

entry of both telephone numbers and text messages on a mobile phone. The findings reveal

Biometrics

the technique to have promise for certain users with average error rates below 5%. The pa-

Mobility

per then proceeds to explain how the accuracy could be further improved by incorporating

Composite authentication

keystroke analysis within a composite authentication mechanism that utilises a portfolio of authentication techniques to provide robust, accurate and transparent authentication of the user. ª 2006 Elsevier Ltd. All rights reserved.

1.

Introduction

Mobile devices such as cellular phones and Personal Digital Assistants (PDAs) are now allowing access to an increasing range of data-centric services. Users of such devices can now pay for products using micro-payments, surf the Internet, buy and sell stocks, transfer money and manage bank accounts. In order to enable delivery of such services, mobile devices have become increasingly powerful: phone handsets in particular have evolved from relatively basic terminals, that would handle analogue telephony communications, to digital handsets capable of providing a host of data-centric services, turning the handset into a multimedia, multipurpose, mobile communications tool, providing much of the functionality of today’s PDAs. With more applications being accessible, and more data being stored, it can be argued that users are now carrying devices that require correspondingly greater levels of protection. Specifically, the reasons for this will include: * Corresponding author. Tel.: þ44 1752 233521; fax: þ44 1752 233520. E-mail address: [email protected] (S.M. Furnell).

1. More technologically advanced mobile handsets – future handsets will be far more advanced than current mobile phones, increasingly incorporating much of the functionality of PDAs, MP3 players, and other portable devices. As such, they will be more expensive and attractive to thieves, resulting in a financial loss to the subscriber. 2. Availability of data services – cellular and wireless networks will provide the user with the ability to download and purchase a whole range of data services and products that would be charged to the subscriber’s account. Theft and misuse of the handset would result in financial loss for the subscriber. 3. Sensitive Information – devices will store much more information than current handsets. Proposed applications could result in a whole range of personal, financial and medical information being held, alongside records of business and personal communications conducted by the user (e.g. via emails and multimedia messages). As a simple example of how such evolution has already occurred we need only

110

computers & security 26 (2007) 109–119

consider the contact list on a typical handset. Whereas devices a few years ago would simply hold names and phone numbers, current devices can store full home and business address details for each contact, as well as multiple phone numbers, date of birth and other family information (e.g. names of spouses and children). As such, the compromise of the device would reveal a far greater degree of personal data. The increasing requirement for protection is evidenced by a survey of 230 business professionals, which found that 81% considered the information on their PDA was either somewhat or extremely valuable. As a result, 70% were interested in having a security system for their PDA, with 69% willing to pay more for a PDA with security than one without (Shaw, 2004). With this in mind, it is relevant to consider the degree to which related security measures are already provided and utilised. Currently, the most widely deployed authentication methods are passwords and PINs (Personal Identification Numbers) – secret knowledge approaches that relies heavily upon the user to ensure continued validity. For example, the user should not use the default factory settings, share their details with others, or write the information down. However, the poor use of passwords and PINs has been widely documented (Denning, 1999), and many mobile users do not even use the security which is available. For example, a survey assessing authentication and security practices on mobile handsets found that 34% of the 297 respondents did not use any PIN security (Clarke, 2004). In addition, even for those respondents who did use the PIN at switch-on only, 85% would leave their handset on for more than 10 h a day, thereby mitigating any security the PIN might provide. Interestingly however, it would appear users do have an appreciation of security, with 85% of respondents in favour of additional security for their mobile device. These findings introduce an interesting and somewhat contradictory view of security, with users willing to adopt new security but not willing to utilise current functionality. It is widely recognised that authentication can be achieved by utilising one or more of three fundamental approaches: something the user knows (password); something the user has (token) and something the user is (biometric) (Nanavati et al., 2002). The downside of the first approach has already been highlighted, with the use of PINs found to be somewhat lacking in practice. Similarly to secret knowledge techniques, token based approaches fundamentally rely upon the user to remember something to ensure security, with the token needing to be physically present in order to access the device. However, it is considered that this does not lend itself particularly well to the mobile device context either. The most likely scenario is that users would simply leave the token within the mobile handset for convenience. Indeed, this is the case with the Subscriber Identity Module (SIM) in mobile handsets, which already exists as a token and could be physically removed from a phone when not in use. Users typically do not do this because it is inconvenient, and increases the risk of losing or damaging the SIM card. In contrast to the other methods, the third approach to authentication does not rely upon the user to remember anything – it just requires them to be themselves. Such techniques are collectively known as

biometrics, and it is here that the most suitable alternatives for going beyond the PIN can be found. This paper introduces the concept of advanced user authentication for mobile devices through the application of biometrics in a composite, transparent and continuous fashion. This is supported by a study into the feasibility of one particular biometric that lends itself to mobile devices, enabling an increase in the security that can be provided by a device. The main discussion begins by considering biometric technology in more detail, describing particular techniques that lend themselves to mobile devices and the levels of performance that can be typically expected. Section 3 presents a formal study into the application of one such biometric upon a mobile handset. The study looks into authenticating users by the way in which they enter a telephone number or write a text message using a biometric called keystroke analysis. Given the wide variety of mobile devices that exist, with different hardware configurations and processing capabilities, it is clear that no single authentication technique would be suitable for all situations. Rather it would be far more appropriate to provide a suite of authentication techniques that could provide an overall authentication approach for mobile devices. Section 4 describes how such an approach can be achieved, fulfilling the objectives of a more secure, transparent and continuous authentication mechanism. The paper concludes by discussing further areas of work currently underway by the authors.

2.

An overview of biometric authentication

The identification and verification of individuals based upon human characteristics has existed for hundreds of years in one form or another, whether it is a physical description of a person or perhaps more recently a photograph. However, the definition of biometrics within the IT community is somewhat broader than just requiring a unique human characteristic(s) and describes the process as an automated method of determining or verifying the identity of a person (Kung et al., 2005). Biometric approaches are typically subdivided into two categories, physiological and behavioural. Physiological biometrics classify a person according to some physical attribute, such as their fingerprints, facial features, or iris patterns. Conversely, behavioural biometrics attempt to characterise the way in which an individual does things, such as speak, type, or sign their name. The first stage in any biometric system is enrolment, where a reliable sample from the user is acquired. It is essential during this stage the users identity is confirmed, as it is this sample that all subsequent authentications will be compared against. The subsequent comparison stage (which occurs during each authentication attempt) gives rise to a measure of similarity between the sample taken at enrolment (called the template) and the new sample. This process subsequently has the potential for two categories of error: the False Acceptance Rate (FAR), denoting the degree to which impostors are accepted by the system, and the False Rejection Rate (FRR), indicating the likelihood of authorised users being denied access. The error rates tend to share a mutually exclusive relationship giving rise to a situation where neither of the error

computers & security 26 (2007) 109–119

rates are typically both at zero (Cope, 1990). This effectively leads to a trade-off situation between security and user acceptance, and a decision has to be made about the threshold at which a sample will be considered to match a template. Set this threshold too high and it increases the security against impostors at the possible expense of rejecting legitimate users (i.e. increasing FRR). Conversely, setting the threshold too low will increase the chances of erroneous matches between templates and impostor samples (i.e. increasing FAR). The point at which the FRR and FAR rates cross is termed the Equal Error Rate (EER), and is typically used as a comparative measure within the biometric industry (Ashbourne, 2000). The actual performance of different techniques varies considerably with the uniqueness and sophistication of the pattern classification engine. In addition, published figures from companies often portray a better performance than typically achieved given the tightly controlled conditions in which they perform their tests. The UK National Physical Laboratory conducted an independent evaluation of a number of biometric systems, giving a more realistic perspective upon the performance that can be achieved (Mansfield et al., 2001). The results from this study are illustrated in Table 1. Although the performance of the technique is a vital factor, it is important to realise that other factors play an important role in the choice of biometric for any given authentication application. As such it is impossible to specify an ideal biometric for all contexts, or even to quantify what level of performance is needed for successful deployment, without knowing the intended scenario. When applied to a mobile device, the hardware capabilities and form factor will dictate that some techniques will be more suitable than others. For instance, in its present form, it would not be possible to deploy a hand geometry technique as the equipment used to create the image is bulky, expensive and requires the hand to be spread flat on a surface rather than simply to be holding a device. However, the inclusion of a camera for video calls – a standard service for third generation cellular networks – would permit the use of facial recognition. The microphone, present for telephony services, would open the potential for voice verification, and the keypad would allow a keystroke analysis technique to be applied. For handsets or PDAs without a keypad, a touch sensitive screen is usually

Table 1 – Comparing the performance of biometric techniques Biometric technique

EER (%)

Company

Hand geometry

1.5

Facial recognitiona Voice verification Fingerprint (chip)a Fingerprint (chip)a Facial recognitiona Fingerprint (optical)

2.5 3.5 4.5 6 7 9

Vein

9

Recognition Systems HandKey II Identix FaceIT OTG SecurPBX Infineon VeriTouch Infineon VeriTouch Identix FaceIT Company name not disclosed Neusciences Biometrics Veincheck Prototype

a

Alternative classification algorithms provided.

111

provided as the human–computer interface, where signature recognition could subsequently be utilised. Of all the biometric techniques considered applicable to a mobile device, the use of keystroke analysis represents an intriguing proposal given that keyboards and keypads are present on the majority of devices and authentication can take place whist the user is interacting with the device in a normal fashion. As such, this technology was selected for further analysis as a part of the authors’ research programme.

3. Studying the feasibility of keystroke analysis The feasibility of keystroke analysis applied to a traditional QWERTY keyboard has been well documented, with a number of studies presenting very favourable results (Brown and Rogers, 1993; Cho et al., 2000; Joyce and Gupta, 1990; Leggett and Williams, 1987; Monrose and Rubin, 1999; Napier et al., 1995; Obaidat and Macchairolo, 1994; Obaidat and Sadoun, 1997; Spillane, 1975). Work began as far back as 1975 (Spillane, 1975) with subsequent studies building upon the initial results, progressively utilising more advanced pattern classification techniques for the comparison of samples. More recent studies have shown it is feasible to authenticate users successfully based upon usernames and passwords (i.e. in parallel with a typical Windows login request), with a commercial product on the market utilising this technology (Biopassword, 2005). However, the technique’s applicability to keypads, with smaller and fewer keys and a different tactile environment has not been widely documented. An initial study, performed by the authors, based upon authenticating users via the entry of telephone numbers and PIN codes achieved EERs of 10.4 and 10.1% (Clarke et al., 2003). While these results provided a good indication of the viability of the technique there is still clear scope for improvement. As such, the initial contribution of this paper is to present further evidence of the feasibility of the technique through substantially extending the investigation. Specifically, the extensions to the study were as follows: 1. Increasing the user population from the first study of 16 subjects to 30 in order to obtain more robust figures and then further evaluating the performance of entering telephone numbers using classification algorithms identified in the first study. 2. Investigating the feasibility of authenticating users based upon how they compose text messages. This is particularly relevant as text messaging is a popular handset interaction, with over a billion text messages a month being sent in the UK (Mobile Data Association, 2004). The classification of users based upon entering telephone numbers and PINs is achieved utilising the inter-keystroke latency (or time between two successive keystrokes), a traditional characteristic utilised in keystroke analysis. However, previous research also identified the hold-time (the time taken to press and release a key) as a discriminative typing characteristic (Obaidat and Macchairolo, 1994; Obaidat and Sadoun, 1997). As such, the classification of users based upon text

112

computers & security 26 (2007) 109–119

message entry was performed utilising the hold-time, to provide a point of comparison between the characteristics.

3.1.

Experimental procedure

The investigation sought to authenticate users based upon three interaction scenarios: 1. Entry of 11-digit telephone numbers. 2. Entry of 4-digit PINs. 3. Entry of text messages. A total of 30 participants were asked to enter data for the three scenarios. Each participant entered 30 instances of a single telephone number, 30 instances of a PIN code and 30 text messages. Although it would have been advantageous to collect more data in order to ensure the statistical significance of the results, these restrictions were necessary in order to minimise the time taken for users to enter the data. Twothirds of this data were then utilised in training the pattern classification algorithm, with one-third used to calculate the performance. The latter involved each participant in turn acting as the authorised user, and the remaining participants acting as impostors. A modified mobile handset interfaced to a laptop, as illustrated in Fig. 1, was developed in order that participants were able to enter data in a natural environment and applications were developed to capture and log the sample data as it was felt imperative to maintain the form factor and tactile qualities. The pattern classification process was developed from the previous study, which had performed an evaluation of a number of statistical and neural network techniques. From this study it was concluded that although different classification techniques performed better than others in particular scenarios, overall the Feed-Forward Multi-Layered Perceptron (FF-MLP) neural network provided the best overall performance. The FF-MLP with back-propagation algorithm is best known for its pattern associative properties, by responding in a pre-described way when given a particular input sample (Bishop, 1995; Haykin, 1999). Correspondingly the FF-MLP was applied to each of the interaction scenarios, which were evaluated using a range of network configurations, in an attempt to optimise

Fig. 1 – The user interface for the experimental study.

performance. The input to each neural network depended upon the scenario with which it was evaluating. For both the numerical input scenarios it was a series of inter-keystroke latencies, with 4 latencies for the PIN and 11 for the telephone number. The text-based classification, however, required more consideration. Previous research had understandably demonstrated how static-based classification outperformed its dynamic counterpart, as dynamic inputs gave rise to large sample variances making subsequent classification more difficult. Therefore, it would not be sufficient to merely present the neural network with a series of hold-times representing any characters and as such a static-analysis procedure was developed based upon authenticating a user on between 2 and 6 of the most recurrent characters. Each user had five neural networks with the number of inputs ranging from 2 to 6. The choice of network to utilise in any authentication request would depend upon how many of the most recurrent characters they had entered. This assumed, however, that in practice a user could be expected to enter at least two of the most recurrent characters in any single text message.

3.2.

Results

Analysis of the input data provides an insight into the complexities of successfully discriminating between the users. The problem is that latency vectors observed from a single user may incorporate a fairly large spread of values. This spread, otherwise known as variance, is likely to encompass input vectors that closely match those of other users. Because users’ latency vectors do not exist on clearly definable discriminative regions, the problem is made much more complex for the classification algorithms. Two types of variance can be extracted from the latency data:  Inter-sample variance, which ideally would be zero, so that every sample a user inputs would be identical and therefore easier to classify.  Inter-user variance, a measure of the spread of the input samples between users, which would be ideally as large as possible in order to widen the boundaries between users. The calculation of the vector similarity in a multi-dimensional space is a complex task, and is essentially what the classification algorithms aim to achieve. Fig. 2 illustrates a three-dimensional plot taken from one user’s input data for the 11-digit input scenario. Because it is impossible to present an image in more than three dimensions, the figure only plots the first three latency values in each input vector. Even for the limited number of dimensions, the vector plot already appears fairly complex as a basis for deriving efficient decision boundaries. Fig. 3 illustrates how difficult the classification problem then becomes when the remaining users are also plotted. The correct classification of users in a multi-dimensional space is no simple task, and although the inter-sample and inter-user variances go some way in explaining the inherent relationships, indicating possible users that would result in good classification, it does not fully explain what the multi-dimensional relationships are at work here.

computers & security 26 (2007) 109–119

Latency 3 (Milliseconds)

A Graph to Show the Latency Plots in 3D Space For User 1

1200 1000 800 600 400 200 1500 1000 500 Latency 2 (Milliseconds)

0

200

300

400

500

700

600

Latency 1 (Milliseconds)

Fig. 2 – A 3D plot of a user’s input latencies.

The initial study found that the individual performance of users varied considerably between neural network configurations, with only a small deviation in the averaged results. As such, in addition to the standard set of FF-MLP neural network configurations, two further algorithms are presented: 1. Best Case Neural Network. This algorithm simply takes the best performance rate for each user from across the complete range of network configurations. 2. Gradual Training Algorithm. This algorithm evaluates user’s performance at defined training intervals and will reset network parameters to the level that represents that individual’s best performance. This technique effectively tunes the network to each user’s inputs. Fig. 4 illustrates the performance of the three algorithms, with the 11-digit static telephone number achieving an EER of 5% with the best case neural network algorithm. Unfortunately, the best case algorithm can only really provide an indication to the success of the technique and cannot readily be utilised in practice due to the large number of iterative tests

Latency 3 (Milliseconds)

A Graph to Show the Latency Plots in 3D Space For All Users

2500 2000 1500 1000 500 0 4000 3000 2000 1000 0 Latency 2 (Milliseconds)

0

500

1000

1500

2000

2500

Latency 1 (Milliseconds)

Fig. 3 – A 3D plot of the input latency from all users.

113

required to achieve the result. The gradual training algorithm, however, represents a more plausible technique and can be seen to make considerable improvements in performance over the traditional single FF-MLP configuration. The 4-digit and 11-digit input scenarios achieved an EER of 9 and 8%, respectively, for the gradual training algorithm, an improvement over the initial study whilst utilising a larger test population. The most successful result for the text message scenario was the 6-digit input, based upon the characters ‘e’, ‘t’, ‘a’, ‘o’, ‘n’, ‘i’, achieving an EER of 15 and 19% with the best case neural network and gradual training algorithms, respectively. The average error rates are still far too high to be considered viable in practice. However, the findings are significantly better when considering some of the individual results obtained amongst the user group. For example, in the 11-digit input scenario, 16 of the 30 users achieved an EER below 2%, with 26 users achieving an FRR of 0%. Having said this, however, some users also experienced higher error rates with two users in the 4-digit input scenario and one in the 11-digit input scenario achieving EERs over 20%. The text message scenario exhibited larger errors, with nine users achieving EERs over 20% with the 6-digit input, with worsening results the smaller the input vector becomes. This would be expected as less discriminative information will be present in the smaller input vectors. Conversely however, it would be expected that an improvement in the performance would occur with larger input vectors.

3.3.

Viability of keystroke analysis

The study has investigated the feasibility of authenticating users based upon their typing characteristics on a mobile handset – showing both the keystroke latency and hold-time as viable discriminative characteristics for at least some of the participants. Based upon previous research, the overall process of discrimination would arguably be improved if both typing characteristics could be used in conjunction with each other, which could be implemented for telephone/ PIN-based authentication (Obaidat and Macchairolo, 1994; Obaidat and Sadoun, 1997). However, the process of continuous and non-intrusive authentication does not easily permit this technique for character-based authentication due to the large number of digraph pairs (combinations of two characters) that exist. From the results of this study, keystroke analysis has shown promise when compared against commercial biometrics, as illustrated in Table 1. However, the results must still be considered in context. Two feasibility studies were performed in controlled conditions, with users entering data repeatedly. Within a practical environment, the variability of the users’ input data is likely to be larger, as users may be walking whilst typing or performing other tasks, making the process of authentication more difficult. Therefore, it would not be viable to apply this technique in such a way that a user would be entirely accepted or rejected based upon a single keystroke analysis result. However, it would be possible to use an unsuccessful authentication attempt as a trigger for a heightened level of monitoring on the device. Therefore, keystroke analysis is capable of increasing the transparent authentication capability of devices with keypads.

114

computers & security 26 (2007) 109–119

25

Equal Error Rate (%)

21 19

20 16

15

15

13 12 9

10

8 5

5 0 4-Digit Input

11-Digit Fixed FF MLP

Best Case Neural Network

6-Digit Text Message Gradual Training

Fig. 4 – The overall performance of Keystroke Analysis in the three contexts.

As previously identified, keystroke analysis is one of many biometric techniques that could be utilised to transparently authenticate a user. However, it would clearly not be sufficient in isolation. Although the majority of users experience good to fair performance, a number still remain for whom the approach performs unsatisfactorily. In addition to this, the varying hardware configurations of mobile devices will mean that keypad input will not be available in all cases. Therefore, any practical implementation of keystroke analysis would best occur within a flexible framework, which is adaptable to different hardware configurations, and capable of utilising an array of authentication techniques to maintain the security of the system. Such a framework is the focus of the next section.

4. Achieving a composite authentication mechanism It is envisaged that a successful authentication mechanism for mobile devices must meet a number of objectives:  to increase the authentication security beyond secret knowledge based approaches;  to provide transparent authentication of the user (within limits) to remove the inconvenience factor from authentication;  to provide continuous or periodic authentication of the user, so that confidence in the identity of the user can be maintained during usage of the device rather than simply at switch-on;  to provide an architecture that would function (to one extent or another) across the complete range of mobile devices, taking into account the differing hardware configurations, processing capabilities, and varying levels of network connectivity. It is not in the scope of this paper to present a complete framework (Clarke, 2004), however, this section will present the operation of a number of key concepts and security processes which will enable composite, transparent and continuous authentication. The underlying mechanism utilises a combination of secret knowledge and biometric techniques within an

appropriately flexible framework. The framework operates by initially providing a baseline level of confidence in the user, using secret knowledge approaches, which progressively increases as the user interacts with their device and biometric samples are captured. No longer will the user immediately have to provide point-of-entry authentication but instead will be polled periodically throughout a session. Although user authentication will still begin rather intrusively (e.g. when the device is switched on for the first time), with the user having to re-authenticate periodically, the system will, however, quickly adapt, and as it does so the reliance upon secret knowledge techniques is replaced by a reliance upon biometrics – where the user will be continuously and nonintrusively authenticated. The result is a highly modular framework that can utilise a wide-range of standardised biometrics, and which is able to take advantage of the different hardware configurations of mobile devices – where a combination of cameras, microphones, keypads, etc. can be found. Therefore, any given device will have a range of authentication techniques that the system can utilise to maintain security. It is important to note, however, that due to the different performance rates biometrics achieve, each of the techniques is assigned a confidence level tied to the performance rate. This will give rise to mobile devices being able to provide different levels of security based upon the hardware available to capture the biometric samples. To maintain security within this system, two security mechanisms are considered imperative: 1. Alert Level. 2. System Integrity. The Alert Level is controlled via the process illustrated in Fig. 5, and has four possible states: normal, authenticate on next input, authenticate with strong biometric, and lock device from use. The level of authentication required is increased when previous requests are failed, until the point at which the device is locked (requiring an administrative password or PUK code from a cellular network provider before the user can regain access). The general operation of the system is to periodically poll the device with an authentication request. The system will subsequently retrieve the last and

computers & security 26 (2007) 109–119

Transparent AL=1 Authentication Request Most Recent Input Data from the Cache

AL – Alert Level

PASS

Authentication Response

FAIL Transparent AL=1 Authentication Request Remaining Data in Input Cache

PASS

Authentication Response

FAIL Transparent AL=2 Authentication Request Next Input Data (Protected Services Locked Out)

PASS

Authentication Response

FAIL Intrusive AL=3 Authentication Request User Required to Enter Biometric (High Confidence) or PIN/Cognitive Question

PASS

PASS

Authentication Response

Biometric (& Number)

Number Only FAIL

Intrusive AL=3 Authentication Request User Required to Enter Biometric (High Confidence) or PIN/Cognitive Question

PASS

PASS

Authentication Response

Number Only

Biometric (& Number) FAIL Intrusive AL=4 LOCK HANDSET Request Unlock Code from Administrator

Fig. 5 – The authentication process, showing the increase in the Alert Level in response to failed authentication attempts.

highest (in terms of confidence value – different authentication techniques will be more reliable than others) set of user’s inputs (i.e. a camera image from a video conference call, or a sound file from voice dialling). If the request is passed, the system goes back into a monitoring mode. If not, then the system makes another authentication request, but using the remaining data that has been stored within a specified time using the highest confidence level technique. If no additional data is present or the response is a fail, the system increases the Alert Level and will request authentication on the next input sample to the device – the user would now not be able to use any of the more sensitive and protected services a mobile device might have until this stage had been completed. If the user passes this, or any of the previous stages, then the system goes back into a monitoring/collection mode. If the request is a fail, however, the system will issue an explicit authentication

115

request to the user. The system will use a biometric technique with the highest confidence value in order to minimise the risk of a false acceptance. If, and only if, no biometric techniques are supported by the device, or no templates exist with a high confidence value, then the user will be requested to enter their PIN, password or answer a cognitive question. If they pass this, and the PIN or password has a corresponding keystroke analysis template, then this will also be utilised in order to provide a stronger two-factor authentication mechanism (Monrose et al., 1999). If the keystroke analysis template exists, and the user passes the biometric authentication, then the system will revert back to a monitoring mode. If the biometric fails, or the template does not exist, then the Alert Level will remain at a heightened status of ‘‘authenticate on next input’’. If an intrusive authentication request is passed, the previous biometric samples that were failed are deemed to be in fact from the authorised user and incorrectly failed. As such, these samples are added to a Profile database for subsequent re-training and are not deleted. The Alert Level is inherently biased toward the authorised user, as they are given three non-intrusive chances to authenticate themselves correctly, with two subsequent additional intrusive chances. This enables the system to minimise inconvenience from the legitimate user’s perspective. However, due to the trade-off between the error rates, this has a detrimental effect on the false acceptance rate, increasing the probability of wrongfully accepting an impostor every time an authentication request is sent. For an impostor to be locked out of the device they must have their authentication attempt rejected five consecutive times. However, this is where the second security mechanism operates. The probability of an impostor continually being accepted by the system becomes very small as the number of authentication requests increases. This indicates that the impostor would be identified as such more often than not (even if not consecutively as required by the Process Algorithm). The System Integrity is a sliding numerical value between 5 and þ5,1 with 5 indicating a low security, 0 a normal ‘device switch-on’ level, and þ5 indicating a high security level. The System Integrity changes depending upon the result of the authentication requests and the time that has elapsed between them. Each of the biometric techniques confidence levels are given a number which is added or subtracted from the System Integrity dependent upon whether the technique has passed or failed the input sample, up to a defined maximum level (to ensure weak authentication techniques do not provide a mechanism for obtaining high System Integrity values). This ensures a user with a System Integrity Level of five has not only had consistent successful authentication requests during their session, but has also recently been authenticated by a biometric technique with a high confidence value. Access to the applications and services found on a mobile device can then be tied to the System Integrity level, such that immediate access is only given to a user if they have the required level or greater. For instance, when a user attempts to access a protected service or file location, if they do not have the required integrity 1 The boundaries defined on the numerical scale are only provided as a suggestion. Practical evaluation might result in a redefinition of these limits.

116

computers & security 26 (2007) 109–119

level, the system will intrusively request them to authenticate using a technique with the required confidence value to permit access to the file or service. In this case, should the Alert Level reside at ‘‘normal’’ or ‘‘authenticate on next input’’, the authentication request can be used as the next authentication request in the Process algorithm. Should the request succeed then the user is given access to the information or service they require. However, should the request fail, the user will be blocked from using the file or service and the Alert Level will proceed to the next stage. The trade-off existing within these processes is between user convenience and device misuse. Although an impostor will not be rejected from the system immediately under this process, the degree of misuse has been limited by the presence of the System Integrity. In a practical situation, it is likely an impostor will be able to make a telephone call or send a text message before the system locks down (the actual range of services available to the impostor will largely depend upon the authentication techniques available). However, all of the key sensitive and expensive services will be locked out of use. By permitting this limited misuse of the device, it is possible to achieve a much higher level of user convenience at minimal expense to the security. Architecturally this system could take many forms, but it is envisaged a number of key components would be required, such as an ability to capture and authenticate biometric samples, an intelligent controller, administrative capabilities and storage of the biometric profiles and authentication algorithms. A proposed architecture, referred to as the Intelligent Authentication Management System (IAMS) is illustrated in

Figs. 6 and 7. Built around a server-client topology, the system also has the flexibility of operating in an autonomous mode to ensure security is maintained even during periods with limited or no network connectivity. The architecture, illustrated in Fig. 6, outlines the functional components of the server topology. The Authentication Manager has overall control of the authentication system, determining both when authentication should take place and what the current state of security is. The process engines provide the computational power of the system, with an Authentication Engine to authenticate users, a Biometric Profile Engine to generate and train the relevant biometric templates required for subsequent classification, and a Communications Engine to communicate and synchronise data with the client device. To supplement these process engines, a number of storage elements are utilised. As the OS and hardware on mobile devices tend to vary considerably, devices will not automatically be supported. The Hardware Compatibility database contains information about which mobile devices are configured to work with the architecture, along with a list of supported biometrics. The system administrator will utilise this information, in addition to a number of system parameters to generate a client profile, which is stored in the Client database. This database holds a master list of clients enabled, along with individual user information such as performance rates, confidence levels and history of the relevant authentication techniques. The main bulk of the device topology, as illustrated in Fig. 7, is identical to the server architecture, with the operation of the process engines, storage elements and Authentication Manager remaining (in principle) the same. The device topology

System Administrator Client Device Configuration

Hardware Compatibility

System Parameter Setting

Client Database

Authentication Manager (Server)

Biometric Profile Engine

Profile

Communications Engine

Authentication Engine

Input Cache

Fig. 6 – IAMS Server Architecture.

IAMS Device

117

computers & security 26 (2007) 109–119

Device Administrator

Authentication Response

Authentication Assets/History

Output Device

Security Status Authentication Manager (Device)

Biometric Profile Engine

Profile

Intrusion Interface

Input Characteristics

Authentication Engine

Data Collection Engine

Input Cache

Communications Engine

IAMS Server

Fig. 7 – IAMS Client Architecture.

does, however, introduce a number of additional components that provide the input and output functions of the system. The fourth process engine in the form of the Data Collection Engine is included on the device topology and provides the input mechanism, which collects and processes users’ device interactions. The output components consist of an Intrusion Interface and Security Status. The former provides the IAMS to OS connection for restricting user access and provides user information as and when required, and the latter provides an overview to the system integrity and security of the device. The implementation of the architecture will differ depending upon the topology that a device is being used within. For instance, in a standalone topology the device has no use for the Communications Engine – as no network exists to which it can connect. Meanwhile, in a client-server topology the components required will vary depending upon the processing split between the server and client. There are numerous reasons why a network administrator may wish to split the processing and control of IAMS differently, such as network bandwidth and availability, centralised biometric template storage and processing, and memory requirements of the mobile device. For example, in order to minimise network traffic, the network administrator may require the host device to authenticate user samples locally, or conversely, the administrator may wish the device to only perform pre-processing of input samples and allow the server to perform the

authentication, thus removing the majority of the computational overhead from the device, but still reducing the sample size before transmitting across the network. More detailed information on this architecture can be found in (Clarke, 2004). The security of the topology, in terms of being able to circumvent and by-pass this architecture is out of the scope of this paper, however, it is assumed that the architecture will be deployed in an environment that prevents this; for instance, through the encryption of biometric samples and correct integration of IAMS in the mobile devices own security architecture.

5.

Discussion

The performance of such a composite authentication mechanism will be largely dependent upon the authentication techniques available to a particular mobile device. Those with stronger techniques will be more capable of successfully detecting an authorised and unauthorised user than their counterparts. Table 2 illustrates the performance achieved for a number of test cases based upon the authentication techniques that could potentially be available given their specific hardware configuration. The devices themselves are illustrated for reference in Fig. 8. As this composite mechanism involves multiple authentication requests and multiple

118

computers & security 26 (2007) 109–119

Table 2 – Composite authentication performance Mobile device Sony Ericsson T68 HP IPAQ H5550

Sony Clie PEG NZ90

Authentication techniques

FRR at stage 4 of the process algorithm (%)

FAR at a system integrity level of þ5 (%)

Keystroke analysis Voice verification Facial recognition Fingerprint scanning Voice verification Facial recognition Keystroke analysis Voice verification

0.001–0.4

0.000001–0.00002

0.00003–0.0001

0.00000007–0.0000008

authentication techniques it is difficult to obtain a single FAR and FRR. Table 2 presents the FRR at the point where the authorised user is essentially locked out from using the device, and the FAR of an unauthorised user achieving a System Integrity level of þ5, which would permit the user to access the most sensitive services and information. The FAR and FRR for the authentication techniques which the subsequent system level performances were calculated were derived from the results of the keystroke analysis study and the National Physical Laboratory. Worked example: FRR at Stage 4 of the Process Algorithm: Best Case Probability ¼ Voice FRR  Voice FRR  Voice FRR  PIN FRR  PIN FRR ¼ 0:04  0:04  0:04  0:4  0:4 ¼ 0:0000102 ¼ 0:001% Worst Case Probability ¼ Tele FRR  Tele FRR  Tele FRR  PIN FRR  PIN FRR ¼ 0:29  0:29  0:29  0:4  0:4 ¼ 0:00039 ¼ 0:04% Even with devices such as the cellular handset, with limited authentication techniques, the levels of FAR and FRR achieved are still stronger than many individual authentication techniques alone, with a (worst case) probability of an authorised user incorrectly being rejected of 0.4% (equivalent FRR) and a (worst

0.0002–0.4

0.0000008–0.00002

case) probability of an unauthorised user gaining entry to the most sensitive services of 0.00002% (equivalent FAR). The results from the theoretical system performance illustrate how difficult it is for an impostor to obtain access to sensitive services, with a FAR in the range of 0.00000007– 0.000001% compared with the best FAR of 0.1% using a fingerprint technique. The false rejection probability has also improved, with a worst case of 0.4% and a best case of 0.00003%. Although it is difficult to directly compare the performance of this composite system against individual techniques (as the probability of successfully authenticating a person depends on various stages of the security algorithms), a comparison of these results against individual results, as presented in Table 2, illustrates the improvement in performance this mechanism experiences.

6.

Conclusions

With mobile device functionality increasing, the ability to perform suitable user authentication becomes evermore important. Existing PIN-based techniques are under-utilised, and in any case provide an inadequate level of protection when compared to the sensitivity of data and services accessible through the devices. Individual techniques such as keystroke analysis can provide valuable enhancements in certain contexts, but are not suited to all users and scenarios. However, the use of multiple authentication techniques, bound within a wider

Fig. 8 – Mobile devices. (a) Sony Ericsson T68i, (b) HP IPAQ H5550, and (c) Sony Clie PEG NZ90.

computers & security 26 (2007) 109–119

framework, enables the system to compensate for potential weaknesses of one technique by using the strengths of others. In a worst case, the proposed mechanism enhances PIN/ password-based authentication with keystroke analysis that periodically asks the user to re-verify their identity. At best, this mechanism can provide completely transparent authentication of the authorised user throughout the duration of the day protecting key services and information from misuse. Both scenarios increase the level of authentication beyond that currently available from the standard point-of-entry PIN/password technique. Through adding a level of intelligence to the authentication process, it is no longer a matter of providing a pass or fail response, but a probability level indicating the confidence the system has in the identity of the user, with the system’s behaviour becoming dependent upon the result. With a low confidence, the system removes automatic access to key services and information and increases the level of monitoring of the user. With a high confidence level, the user has the ability to interact and access the complete range of services and applications provided by the mobile device without hindrance.

references

Ashbourne J. Biometric. Advanced identity verification. The complete guide. Springer; 2000. Biopassword. Biopassword: the keystroke dynamics approach; 2005. Available form: http://www.biopassword.com/bp2/ welcome.asp. Bishop M. Neural networks for pattern classification. Oxford University Press; 1995. Brown M, Rogers J. User identification via keystroke characteristics of typed names using neural networks. International Journal of Man–Machine Studies 1993;39:999–1014. Cho S, Han C, Han D, Kin H. Web based keystroke dynamics identity verification using neural networks. Journal of Organisational Computing and Electronic Commerce 2000;10:295–307. Clarke N. Advanced user authentication for mobile devices. PhD thesis, University of Plymouth, UK; 2004. Clarke N, Furnell S, Lines B, Reynolds P. Using keystroke analysis as a mechanism for subscriber authentication on mobile handsets, Security and privacy in the age of uncertainty. International Federation of Information Processing; 2003. p. 97–108. Cope B. Biometric systems of access control. Electrotechnology April/May 1990;71–4. Denning D. Information warfare & security. US: ACM Press; 1999. Haykin S. Neural networks: a comprehensive foundation. 2nd ed. Prentice Hall.; 1999. Joyce R, Gupta G. Identity authorisation based on keystroke latencies. Communications of the ACM 1990;33(2):168–76. Kung Y, Mak M, Lin S. Biometric authentication: a machine learning approach. Prentice Hall; 2005. Leggett J, Williams G. Verifying identity via keystroke dynamics. International Journal of Man–Machine Studies 1987;28:67–76. Mansfield T, Kelly G, Chandler D, Kane J. Biometric product testing: final report. Crown Copyright; 2001.

119

Mobile Data Association. UK text messaging total tops 20 billion for 2003. Mobile Data Association. Available from: http://www. text.it/mediacentre/default.asp?intPageId¼617; 2004. Monrose R, Rubin A. Keystroke dynamics as a biometric for authentication. Future Generation Computer Systems 1999; 16(4):351–9. Monrose R, Reiter M, Wetzel S. Password hardening based on keystroke dynamics. Proceedings of the sixth ACM conference on computer and communication security, Singapore; November 1999. p. 73–82. Nanavati S, Thieme M, Nanavati R. Biometrics identity verification in a networked world. John Wiley & Sons; 2002. Napier R, Laverty W, Mahar D, Henderson R, Hiron M, Wagner M. Keyboard user verification: toward an accurate, efficient and ecologically valid algorithm. International Journal of Human– Computer Studies 1995;43:213–22. Obaidat M, Macchairolo D. A multilayer neural network system for computer access security. IEEE Transactions on Systems, Man, and Cybernetics 1994;24(5):806–13. Obaidat M, Sadoun B. Verification of computer uses using keystroke dynamics. IEEE Transactions on Systems, Man, and Cybernetics: Part B – Cybernetics 1997;27(2):261–9. Shaw K. Data on PDAs mostly unprotected. Network World Fusion. Available from: http://www.nwfusion.com/; 2004. Spillane R. Keyboard apparatus for personal identification. IBM Technical Disclosure Bulletin 1975;17:3346.

Dr. Nathan Clarke is a lecturer in Information Systems Security within the Network Research Group, at the University of Plymouth. His research interests reside in the area of biometrics, mobility and wireless security, having previously completed a PhD on the topic of advanced user authentication on mobile devices. His research has given specific consideration to the use and applicability of biometrics in this context, as well as the practical implementation and evaluation of a range of related techniques. Prof. Steven Furnell is the head of the Network Research Group at the University of Plymouth in the United Kingdom, and an Adjunct Associate Professor with Edith Cowan University in Western Australia. He specialises in computer security and has been actively researching in the area for 14 years, with current areas of interest including security management, computer crime, user authentication, and security usability. Prof. Furnell is a Fellow and Branch Chair of the British Computer Society (BCS), a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE), and a UK representative in International Federation for Information Processing (IFIP) working groups relating to Information Security Management (of which he is the current chair), Network Security, and Information Security Education. He is the author of over 160 papers in refereed international journals and conference proceedings, as well as the books Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the System (2005). Further details can be found at www.networkresearch-group.org.

computers & security 26 (2007) 120–129

Clustering subjects in a credential-based access control framework K. Stoupa*, A. Vakali Aristotle University of Thessaloniki, Thessaloniki, Greece

article info

abstract

Article history:

Currently, access control of distributed Internet resources (such as files, documents and

Received 5 November 2005

web services) has become extremely demanding. Several new access control models

Revised 5 July 2006

have been introduced. Most of the proposed approaches increase the complexity of the ac-

Accepted 3 August 2006

cess control procedure and at the same time expressing these models is becoming complicated. Improving the execution time of the access control procedures is a challenging task

Keywords:

due to the increased number of resources (available over the Internet) and the size of the

Access control

audience involved. In this paper, we introduce an approach for speeding up the access con-

Clustering users

trol procedure under an environment accessed by known subjects (i.e. subjects whose

Credentials

identity and attributes are known apriori through a subscription phase). This approach is

XML-based access control

based on some update functions (employed at the background during idle times) over files

Access request evaluation time

which are associated with subjects. The core task of the proposed update is its dynamic nature and its clustering of subjects according to their interests and credentials. Moreover, this work associates subjects with security policies that are most likely to be triggered according to (the subjects) interests. Credential-based access control is considered to properly protect frameworks distributing resources to known subjects and here emphasis is given to the complexity involved in order to decrease the access request evaluation time under a credential-based access control framework. ª 2006 Elsevier Ltd. All rights reserved.

1.

Introduction

Web-based environments offer a wide range of resources to a heterogeneous audience and the access control procedures involved should cope with a large number of policies expressing which clients (i.e. subjects) can access which protected resources (i.e. objects). In an effort to reduce the number of policies that need to be specified, modern access control models have been proposed (see Castano and Ferrari, 2003; Pallis et al., 2004; Stoupa and Vakali, in press for a discussion of the most widely-used access control models). Furthermore, centralized access control mechanisms cannot cope with distributed networked computing environments since they should cope with

new security issues (such as separation of duties, and consistent control throughout the network; Ward and Smith, 2002). Moreover, the increased number of subjects leads to an exponential increase of the number of the needed security policies. Therefore, expression of policies for groups of subjects seemed mandatory. Credential-based access control model (Winslett et al., 1997) seems to be a solution for such frameworks, since each subject is associated with some attributes (forming its credentials) and authorizations are assigned to credentials (or credential expressions) and not subject identities. Although, the goal of modern access control models was to reduce the number of policies that need to be specified, by

* Corresponding author. E-mail addresses: [email protected] (K. Stoupa), [email protected] (A. Vakali).

computers & security 26 (2007) 120–129

grouping subjects and/or objects according to their characteristics or by organizing them into hierarchies where each set of user is assigned a security clearance (Yang and Li, 2004), the number of subjects and objects has been increased so much that the number of needed policies still remains huge. Additionally, a fine granularity level for access control is often a requirement, in that web resources often contain information at different sensitivity levels. As a result, time delays required for evaluating the associated policies and granting or denying access may cause subject’s inconvenience. Although many access control models have been proposed for the Web (Chakrabarti, 2003), few research efforts have addressed such a ‘‘delay’’ problem. For example, in an effort to propose effective access control services, Murata et al. (2003) have introduced the use of static analysis in improving access queries and thus decreasing time delays. Carminati and Ferrari (2005) propose the use of Access Control XML (AC-XML) documents containing for each object (either XML document or DTD) the associated policies. In this context, we focus on speeding up the access control procedure involved in a credential-based environment. This paper proposes an access control technique that can be employed for protecting any web data source (whose structure will be given through XML files and XML Schemas), where known subjects can have access and the policies are specified according to the credential-based paradigm. The proposed technique aims at decreasing the access request evaluation time and we assume that the data, the credentials, and the policies are encoded in XML. Our paradigm can work with any XML-based security language but we have adopted X-Sec (Bertino et al., 2001) (an XML-based security language) to express the credentials and the policies. To simplify the process of evaluating subject credentials against access control policies, all the credentials a subject possesses are placed into an XML document, called subject profile. Subject profiles are maintained by the protected organization. More specifically, the main contribution of the proposed work is summarized in:  using the so called ‘‘dynamic update’’ method on associating subjects with policies for speeding up the access request evaluation phase. Each subject, apart from other attributes, will be associated with policies which are more possible to be triggered in a future access. The list of the associated policies is modified dynamically as the subject accesses objects, and it is stored in a separate file associated with the subject. This method can be considered mostly in subscriptionbased systems, in that it requires the server to store the subject credentials.  grouping of subjects according to their interests (Middleton et al., 2004; Wang et al., 2004; Xie and Phoha, 2001) and their credentials. This grouping is inspired from the ideas proposed in earlier research efforts related to Web clustering (Baldi et al., 2003; Chakrabarti, 2003; Jain et al., 1999; Jeng et al., 2002). Subjects are initially grouped into the (so called) interest clusters according to their interests such that subjects with common interests are organized into the same cluster. The interest clusters are refined by, also considering the credentials of the members, a filtering which may be applied by using two distinct practices:

121

1. Content-based filtering: each subject is associated with a vector of objects he/she has accessed in the past and how many times. By using content-based filtering we can extract the interests of the subject, i.e. the object categories which he/she is most likely to request in the future. 2. Collaborative filtering: identifying subjects who own similar interest profiles and measure the similarity between such profiles. It is assumed that subjects with similar interests and credentials are likely to trigger common access control policies. Therefore, we build a list of such policies.  presenting a complexity analysis for the proposed access request evaluation procedure in order to prove improvement in the involved time. The complexity analysis estimates the complexity of the algorithms describing the access request evaluation procedure under the proposed approach (dynamic update approach) and the typical access request evaluation procedure. The results of the analysis are given in a separate table. The rest of the paper is organized as follows. Section 2 gives a scenario that will be followed throughout the paper. Section 3 discusses the dynamic update approach. Section 4 gives the complexity analysis of the access request evaluation in the dynamic update approach and in a typical access control environment. Finally, Section 5 concludes the paper and discusses future work directions.

2.

An access control scenario

Consider a network belonging to the organization ‘‘X-Company’’ which can be accessed by both internal users and external ones who request access through the Internet. In both cases requesting subjects should be known to the organization, thus they should subscribe first in order to be associated with some credentials. Some of the defined credential types in ‘‘X-Company’’ are: general manager, financial manager, accountant, and secretary. Moreover, we assume that this company stores its data under the XML standard so the protected (XML-oriented) documents are organized into categories according to their purpose (e.g. invoice, report) and they are stored in a separate database. Here, we use a particular XML document as a running example which refers to payroll information about employees of the ‘‘X-Company’’. As shown in Table 1, the DTD1 specifies the payroll information about employees of a specific department. A user requesting access to the ‘‘X-Company’’ should first subscribe in order to be associated with some credentials (subscription phase), i.e. each user is associated with both a subject profile (summarizing his/her credentials) and as many credential files as his credential types. In order to present the access request evaluation, we introduce a policy base, which has four distinct policies. According to X-Sec, we represent a policy p as a tuple: p ¼ ðcred  expr; target; path; priv; type; propÞ; 1

In this paper we use DTDs for brevity reasons. In the implementation XML Schemas are adopted.

122

computers & security 26 (2007) 120–129

Table 1 – An example of a resource DTD: the payroll.dtd



]>

to declare that subjects denoted by cred-expr (which is a specific credential name or a credential expression) are allowed or not allowed according to the type to exercise privilege priv on the portion path of the protection object target. The prop defines the propagation mode of the policy. Three options are provided for the propagation: cascade, meaning that the policy propagates to all the direct and indirect sub-elements of the elements on which the policy is specified; first level, meaning that the propagation is limited to the direct children; and no-prop, denoting no propagation option. Some examples of access control policies are presented in Table 2 which defines that all managers can read the salary and the hire date of every employee (policies 1, 2). Moreover, the general manager can modify every XML file following the payroll.dtd (policy 3) and the human resources manager can modify the hire date element of every file following the payroll.dtd (policy 4).

3.

The dynamic update approach

The proposed dynamic update approach is tailored for a subscription-based environment (such as a confined network of an organization), where subjects should first subscribe in order to request access. Such environments operate as the ‘‘X-Company’’ network which may be accessed over the web. Each subject is associated with some credentials during an initial so called subscription phase (e.g. such credentials can be manager, financial manager, accountant, and secretary). Fig. 1 illustrates the modules underlying the dynamic update approach and the phases involved which are described as follows: 1. Subscription phase: the subject interacts with the subscription module by sending his/her credentials and his/her interests (optionally). Upon the receipt of such information the module creates a number of credential files associated

Fig. 1 – Dynamic update approach.

with the subject and a subject profile, summarizing the credential types of the newly subscribed subject. Moreover, it creates an interest profile, containing the explicitly defined interests of the subject. 2. Access control phase: this phase is divided into two subphases: a. Dynamic Update: in order to understand the functionality of this task some extra files are required, which are encoded in XML, created and dynamically updated in the background during idle times. Those are (a) the access log file, containing the objects that have been accessed by the subject and the frequency of accesses (for how many times there have been accessed objects of this category), and (b) the subject policy file, containing the list of policies that are more likely to be triggered by the associated subject, and (c) the object category file associating each XML Schema with a category. The category of each .xml file is defined by the category of the XML Schema it follows. Fig. 1 depicts the process of generating and updating these files, which is summarized in the following: i. The update access log file module periodically scans the systems’ log file and updates the subjects’ access log files. Initially, this file is empty and it is updated after the associated subject has been granted at least one access.

Table 2 – An example of access control policies SN 1 2 3 4

Cred-expr

Target

Path

Type

Priv

Prop

/manager /manager /manager[@type ¼ ‘‘general’’] /manager[@type ¼ ‘‘humanResources’’]

payroll.dtd payroll.dtd payroll.dtd payroll.dtd

/payroll//salary /payroll//hireDate – /payroll//hireDate

þ þ þ þ

Read Read Write Write

No-prop No-prop – No-prop

123

computers & security 26 (2007) 120–129

ii. The update interest profile module takes as input the access log file and according to the access frequencies of each object type updates implicitly defined interest part of the interest profile of the associated subject. iii. The clustering subjects module takes as input the interest profiles and the subject profiles of all subjects and clusters them according to their interests and credentials using collaborative filtering techniques (a more detailed description is given in Section 3.2). iv. Finally, the update subject policy file module updates the policy files of all the subjects belonging in the same cluster with the policies that have been triggered by the other members of the cluster. The proposed dynamic update functions are designed for being executed in the background and on idle times (e.g. late at night) such that the system idle times are exploited towards improving the access request evaluation process. b. Access Request Evaluation: after the dynamic update functions have taken place, the access control module responses more quickly to the access request of the subjects. Indeed, upon a new access request arrives the module scans the policy file of the requesting subject and if it finds a matching policy it triggers it otherwise, it scans the policy base to find a policy granting the access. If a policy is found a reply is sent to the subject and the systems log file is updated.

3.1.

Structure of the files involved

The proposed dynamic update function is based on some more files such as the access log file (its DTD is given in Fig. 2(a)) which is used to organize the accesses of the associated subject (i.e. such a file contains a list of entries organized according to object categories). Each entry associates an object category with the number of accesses to it, the type of access mode and the policy used. In order to generate or update this file (update access log file module), the system’s log file should be scanned. Every time the system finds an entry referring to a subject, it activates the associated access log file. The system finds the category of the accessed object (by scanning the object categories file) and the access mode and finds the appropriate access element in order to increase the frequency by one and add the identifier of the policy triggered by that access. To find the new interests of the subject, the frequency element should become zero periodically in order to discover if interests change or not.





]>

(a)

The interest profile contains both explicitly defined interests (i.e. object categories) and implicitly defined, and its DTD is given in Fig. 2(b). The part of the file that is automatically updated is the implicitlyDefined element. The term ‘‘interests’’ refers to object categories (i.e. similar objects, or objects belonging to the same category, e.g. invoice) that the subject has explicitly declared to be of her/his interest. Certainly, such interests may change and the system can implicitly realize such by analyzing the access log file of the subject. Thus, the interest profile update module may frequently scan the access log file in order to find out whether the subject frequently accesses specific object categories (i.e. the frequency attribute of the specific object category element is greater than a threshold) which do not belong to his interests list. In such a case another object category is added to the implicitlyDefined element. The subject policy file (its DTD is given in Fig. 3) contains the list of policies that are more likely to be triggered by the associated subject. This file is organized according to the object categories for which one the accesses frequency is defined. Moreover, for each object category, it contains a list of policies referring to this category or to a specific object belonging to this category. Each policy element has the same elements as those defined in Section 2 (i.e. cred-expr, path, target, priv, type, prop). When the file is initialized it includes the object categories which are the explicitly defined subject’s interests (according to the interest profile) and later on, the access log file is scanned in order to find the policies referring to the implicit interests. Those functions are executed by the update subject policy file module.

3.2.

Clustering of subjects

We propose the organization of subjects into clusters in order to improve the execution time of the overall access request evaluation process. The clusters are defined based on twofold information: 1. Interests: by scanning the interest profiles of the subjects, where each object category belonging in the interests of a subject is associated with a frequency and based on this information we can adopt an approach originating from the Latent Semantic Indexing (Jiang, 1997) idea to represent important associative relationships between subjects and interests.



]>

(b)

Fig. 2 – The DTD of (a) access log file and (b) interest profile.

124

computers & security 26 (2007) 120–129











]>

Fig. 3 – DTD of the subject policy file.

2. Credentials: consider the credentials of the subjects and prior to considering a new policy triggered by a subject for clustering we evaluate both the subject’s interests and the credentials. Clustering is executed by the clustering subjects module (Fig. 1) in order to continuously update subject policy files with the policies triggered by other subjects belonging to the same cluster. Moreover, the list of policies will be updated automatically and it will be modified every time the interest of the associated subject changes. We also consider a threshold defining the maximum number of policies that can be added in the policy list concerning an object category, and every time this threshold is exceeded, garbage collection takes place (i.e. update of the policy list to contain only frequently triggered policies).

3.3.

Task 2 (implemented by scanSubjectPolicyFile( )): scan the list of policies in the subject policy file related to the category of the requested object until finding a match, i.e. evaluate the policies until you find a policy that can be triggered. If a match is found, return the policy to the access control module else execute task 3. Task 3 (implemented by scanPolicyBase( )): find in the policy base the list containing policies related to the obj-cat of the requested object and scan it until you find a policy that can be triggered. If a match is found, return the policy to the access control module else execute task 4. Task 4 (optional): return the policy id value to the access control module. The overall access request process is sketched in Fig. 4 where the above tasks are highlighted in an algorithmic fashion. The functionality of this algorithm is dependent on the following characteristics:

The access request evaluation process

Each access request can be modeled by the tuple (cred-expr, target, path, priv), which involves the elements similar to those defined previously in the policy tuple (in Section 2). The access request evaluation procedure proposed here under the dynamic update approach involves the following tasks: Task 1: find the subject policy file associated with the requesting subject.

 The objects are organized into categories according to their XML Schema. For instance, with reference to the example given in Fig. 1, since payroll.xml is an instance of payroll.dtd, then such XML file belongs to the object category payroll (object categories are identified by the term obj-cat).  Credential types are not organized into hierarchies for simplicity reasons.  The policy base is also organized according to the object category of the object that a policy protects.

Algorithm 1 : Access Request Process INPUT: A request r=(cred-expr, target, path, priv) OUTPUT: A policy id that can be triggered or a null value if no policy can be triggered. PolicyId pid=null; find the subjectPolicyFile associated with the requesting subject pid=scanSubjectPolicyFile(r, subjectPolicyFile); //Task 2 if pid!=null: return pid; else: goto policy base; pid=scanPolicyBase(r); //Task 3 return pid; //Task 4

//Task 1

Fig. 4 – The access request processing algorithm.

computers & security 26 (2007) 120–129

 Only the no-prop propagation option is considered for simplicity reasons. The two above mentioned functions, namely the scanSub jectPolicyFile( ) (in task 2) and the scanPolicyBase( ) (in task 3) are highlighted in Fig. 6. Fig. 6(a) summarizes the scanSubjectPolicyFile employed by the access control module to verify whether the access request can be granted only by inspecting the subject policy file. This function makes use of the policyEvaluation( ) function (given in Fig. 5), that compares the relating fields of an input policy p and an access request r to discover if they match (in case of no match true is returned). More specifically, in comparing policy p and request r the following checking actions take place: 1. Is the priv of the request equal to that of the policy? 2. Does the requesting subject own the credential type given in the cred-expr of the request? 3. Is the path of the request equal to that of the policy and is any of the following cases also addressed? a. The target of both policy and request is similar. b. The target of the request is an XML file and the evaluated policy’s target is the DTD that is followed by the request’s target. In case that there is no matching policy found in the subject policy file, we have to scan the part of the policy base containing policies relating to the obj-cat of the target in the input access request. Such a task is implemented through function scanPolicyBase( ) which takes as argument the request r, and returns the policy id if an appropriate policy can be found (summarized in Fig. 6(b)). The following section presents the

125

complexity analysis of the access request evaluation process by estimating the complexity of each task described previously.

4. Complexity analysis of access request evaluation procedure In order to evaluate the proposed access request process functions we identify the main parameters involved which are summarized in Table 4. More specifically we consider that the number of object categories is n and that for the subject policy file of subject i, in the j-th object category we have (soci)j policies. Since we consider to adopt garbage collection, each (soci)j will be smaller than a threshold msoc which is the maximum number of policies that can be found in the policy list of an object category. Moreover, the policies in the policy base are also organized according to the object category of the resource they refer to and if the number of policies for a category i is poci the maximum number of policies (under the n object categories) is mpoc ¼ max(poc1, poc2,.,pocn). According to the dynamic update approach the response time of the access request evaluation process will be calculated by adding the completion times of the following tasks (discussed in Section 3.3): 1. Task 1: find the subject policy file associated with the requesting subject. 2. Task 2: scanning subject policy file in order to retrieve an appropriate policy (implemented by scanSubjectPolicy File( )).

boolean policyEvaluation (Policy p, Request r) { Boolean found=false; goto the associated subject file /*The loop evaluates the cred-expr field of the policy against the subject types found in the subject profile of the subject subj-id. */ for(i=0;i 0}. (2) Combine data from sets Ej (1  j  m) to form clusters Xu (1  u  nm): Xu ¼ {t(ij, j ) ˛ Ejj c 1  j  m & i1 < i2 < / qs1

We estimate the probability that rj is selected incorrectly by using Chebyshev inequality (Kao, 1996; Feller, 1968) as the following:   P rj is selected incorrectly ¼ P skþ1 ej is selected  ¼ P skþ1 ej  m1 < sk ej  m1  1 ¼ P sk ej  m1 > qs1 < 2 q

The probability of making an incorrect selection of a packet RTT is bounded if we select the cluster with smallest standard m deviation among all Xu (1  u  n ) as the RTT sequence. In other words, the probability to make a correct selection of a packet RTT can be estimated by using the following equation:  1 P rj is selected correctly  1  2 : q

(4)

The parameter q varies depending on the inter-arrival distribution of the send packets and RTTs distribution.

3.3.

Estimation of parameter q

The parameter q is determined by the smallest interval L of distribution Y. The probability of making an incorrect selection of a packet RTT is determined by L. If the interval between two consecutive send packets is the smallest one of Y, we get the lowest boundary of the probability. The point is the probability that the interval between two consecutive send packets takes the smallest interval of Y is very small. So in reality, we usually do not use the smallest interval to estimate the parameter q. We use the interval Lp which makes the cumulative probability P(x < Lp) in Y be 5%. We estimate Lp upon the assumption that Y is Gamma distribution with shape parameter b and scale parameter a. In other words, we select Lp that must satisfy the following equation: Z Lp x ðx=aÞb1 e a dx ¼ 0:05 (5) aGðbÞ 0 RN where GðbÞ ¼ 0 eu ub1 du. We can compute Lp from Eq. (5) if b and a are known. Parameters b and a vary upon keystroke and network environment. The most usual way to estimate Lp is to take a sample of send packets inter-arrival to estimate the parameters b and a by using MLE (maximum likelihood estimation) or other methods (Johnson and Kotz, 1970), and then compute the Lp for the distribution with the parameters b and a estimated. This way is appropriate for individual computation, but not convenient for probabilistic analysis. Here the way we use is to estimate the range of the parameters b and a of the interval distribution of send packets, and compute the range of Lp by the range of estimated parameters b and a. We use the lower bound of Lp to compute the probability that one element is selected correctly in SDBA. We could probably know

141

computers & security 26 (2007) 137–144

4.

Empirical study

We have discussed that we can use Gamma distribution to simulate the inter-arrival of send packets on an interactive session. This is foundation of our probabilistic analysis. So in this section, we shall show that it is reasonable to simulate inter-arrival distribution of send packets by Gamma distribution. We have proved that the probability of making a correct selection of RTT in SDBA is bounded by a boundary which is given by Eq. (4). Then we shall compute some real examples to give a practical sense of this equation. SDBA can compete against the Conservative and the Greedy algorithms both in packet-matching rate and accuracy. Finally we compare the performance among SDBA, the Conservative, and the Greedy algorithms on packet matching.

4.1.

Inter-arrival distribution of send packets

We established a connection chain which spanned U.S. and Mexico by using OpenSSH (Ylonen, 1996). There is at least one host, such as Acl08, that we have the administrator access while we have only regular user rights to access all the other hosts. At the starting point of the chain we ask several students to simulate intruders by typing some commands independently and collected all the send packets on the corresponding outgoing connection of Acl08. We computed the intervals of these send packets and use Matlab to fit their distribution. Before fitting the distribution, we first drew the

Table 1 – The range of Lp estimated by experiment Samples

1 2 3 4 5 6 7

Size of each sample 1297 990 816 900 176 800 412

Items b

a

Lp

2.043 1.956 1.4434 1.809 1.426 1.629 1.364

137280 137480 212600 143970 280220 172720 242270

51115 46448 33733 40541 43016 37617 32874

12 10

Y Quantiles

how well SDBA is from the probability estimated by using Eq. (4). We did many experiments with different users and different environments (i.e., connection chains with different paths) on the Internet and present some typical examples in Table 1, where the unit of the send packet inter-arrival of each sample is microsecond, as well as the unit of Lp. From the experiment we know that the range of interval Lp of send packets with cumulative probability 0.05 is from 32,000 to 52,000 approximately. There is no way to predict the exact range of Lp by merely using experiment without further theory analysis. In Section 4, we will use the lower bound of Lp to compute the probability of making a correct selection of RTT to evaluate SDBA of finding packet RTTs of an interactive session.

8 6 4 2 0

0

2

4

6

8

10

12

X Quantiles Fig. 1 – Verification of send packets interval distribution.

histogram of these data to see what kind of distribution they look like. It is found that they are more like a Gamma distribution with a shape parameter bigger than one. And then we use Matlab distributing fit function to estimate its shape parameter b and scale parameter a. Once we have obtained these two parameters, we have a theoretical distribution determined by its shape parameter b and scale parameter a. We use quantile–quantile function of Matlab to verify how well the Gamma distribution fit the example. Fig. 1 shows the verification result with one typical example presented, where X- and Y-axis have scale 105. In this example the shape and scale parameters are estimated to be 2.0426 and 137,280, respectively. From Fig. 1 we found that the points with intervals more than 400,000 (microseconds) are not well fitted with Gamma distribution where the gray dashed line (red in the web version) indicates an ideal fitting. But the points with intervals less than 400,000 (microseconds) are simulated closely by this Gamma distribution with b ¼ 2.0426 and a ¼ 137,280. We are confident about the value Lp computed from the Gamma distribution because it is much less than 400,000.

4.2.

Sample experiments

The key idea of the algorithm SDBA is to select the combination of send–echo gaps with smallest standard deviation as the RTT sequence. The best way to verify this point is compare the RTT sequence from SDBA with corresponding correct RTTs to see if they are consistent. The problem is there is no way to know the correct RTTs for the packets of an interactive session. If there was a way we could find the correct RTTs, we would not propose the above algorithm. From Yang and Huang (2005) we know that matching each send and its corresponding echo packet is trivial when there is no send–echo pair overlap. So in our first experiment we control the keystroke speed so as to generate the scenario without send– echo pair overlap to make it easy to compute the correct RTTs, with which we compare the RTT sequence coming from SDBA to verify if SDBA can compute the RTTs correctly. This is to validate SDBA by using this controlled data set. Another way to evaluate SDBA when there are send–echo pair overlaps, which occur often on the Internet where we

142

computers & security 26 (2007) 137–144

x 105

2.9 Real RTT SDBA

2.7

x 105 SDBA Conservative Greedy

2.85

RTT value (microsecond)

RTT value (micro second)

2.75

2.65

2.6

2.55

2.5

2.8 2.75 2.7 2.65 2.6 2.55

2.45

0

10

20

30

40

50

60

70

80

90

100

2.5 60

RTT Index

65

70

75

80

85

90

95

100

105

110

RTT index

do not have correct RTTs, is to justify its performance by computing the probability of making a correct selection of RTT. We established a connection chain similar to the previous section. The students were asked to control their keystroke speed. We collected all the send and echo packets in a period of time at Acl08. First we match the send and echo packets to compute the correct RTTs, and then use the send and echo packet set as the input of SDBA to get the RTT sequence. We repeated the experiment many times with one of the comparisons presented in Fig. 2, where Y-axis represents RTT value with unit microsecond and X-axis represents RTT index number. This experimental result showed that the RTTs from SDBA are exactly same as the correct RTTs. The second experiment is for the situation when there are send–echo pair overlaps. The student participants type independently and freely, we captured all the send and echo packets in a period of time, and compute the RTTs from SDBA. We take Lp as its lower bound 32,874 and compute the lower bound probability of making a correct selection of RTT by using Eq. (4). Three examples are presented in Table 2, where the second to the fifth columns are average value of the RTTs with smallest standard deviation with unit microsecond, standard deviation, q number, and the boundary of the probability, respectively. From the probability estimated, we are confident about the result from SDBA because the probabilities in these three examples are all higher than 97%. So even if we cannot compare the result from SDBA to

Table 2 – The results of probability estimation Examples

a correct RTT because we do not have a correct one when there are send–echo pair overlaps, but we can still evaluate SDBA by estimating the probability of making a correct selection of RTT.

4.3.

Packet-matching algorithm comparison

Conservative algorithm is supposed to give correct packetmatching results (Yang and Huang, 2005), but only few packets are matched when there are send–echo pair overlaps. If there is no send–echo pair overlap, the Conservative and Greedy algorithms are all supposed to match TCP packets correctly. First, we compare SDBA with the Conservative and Greedy algorithms under the situation that there is no send–echo pair

3.8

x105 SDBA Conservative

3.6

3.4

3.2

3

2.8

Items m

1 2 3

Fig. 3 – Packet-matching comparison among the Conservative, Greedy, and SDBA without send–echo pair overlaps.

RTT value (microsecond)

Fig. 2 – Verification of SDBA under the situation without send–echo overlap.

264947.0 265756.3 265727.2

s 2810.708 5514.666 5549.605

q 11.695 5.9612 5.9237

p 0.9927 0.9719 0.9715

2.6 100

110

120

130

140

150

160

RTT index Fig. 4 – Packet-matching comparison between the Conservative and SDBA with send–echo pair overlaps.

170

computers & security 26 (2007) 137–144

11

RTT value (microsecond)

correctness of the other 12 RTTs (for clarity only 7 points are displayed in Fig. 5) of the Greedy algorithm until we compare them with the results of the Conservative algorithm because it should always give us correct results. We found there are at least 4 of the 12 RTTs potentially incorrect after comparing with the Conservative results. Comparing with the RTTs found by the Greedy algorithm, the RTTs found by SDBA are closer to the ones found by the Conservative algorithm. The experimental results showed that SDBA can compete favorably not only against the Conservative in packet-matching accuracy but also against the Greedy in packet-matching rate.

x 105 SDBA Greedy

10

143

9 8 7 6 5 4 3 2 100

110

120

130

140

150

160

170

RTT index Fig. 5 – Packet-matching comparison between the SDBA and the Greedy with send–echo pair overlaps.

overlap. When we did the experiment we need to control our typing speed as we did before as slow as possible so as to be sure there is no send–echo pair overlap. Three algorithms ran on Acl08 at the same time interval to monitor the same connection chain. The packet-matching results by the three algorithms are showed partly in Fig. 3, respectively, where each point represents the RTT gap for a send packet. From the result shown in Fig. 3 we know if there is no send–echo pair overlap, we can get the same packet-matching results from the three methods and compute the same RTTs. Second, however, most probably there are send–echo pair overlaps on the Internet. We cannot claim that these three algorithms still give us the same packet-matching result under this situation. But what we have to be sure is that the Conservative algorithm can still give correct result with fewer send packets matched. If we compare the packet-matching results by SDBA with results by the Conservative and the Greedy algorithms, we will know the performance of SDBA both in matching rate and accuracy. Fig. 4 shows the packet-matching comparison between the Conservative algorithm and SDBA when there are send–echo pair overlaps. Here we collect 169 send packets, in which 44 send packets (in Fig. 4 only 29 are displayed for clarity) are matched by the Conservative algorithm, 169 send packets are matched by SDBA. The RTT gaps found by the Conservative algorithm are exactly included in RTT gaps found by the SDBA. Even though we are not sure about the correctness of the rest RTTs, but we still get a sense about the correctness of RTTs computed by SDBA from this comparison. We verify the packet-matching rate of SDBA by comparing with the Greedy algorithm. Fig. 5 still shows only part of the packet-matching comparison results between SDBA and the Greedy algorithm. It indicates that most of the RTTs are consistent but there are fewer of them. Among the 169 RTTs, 157 RTTs of the Greedy matches are included in the results of SDBA. But we are not sure about the

5.

Conclusion and future work

Estimating the length of a downstream connection chain is an effective way to detect stepping-stone intrusion. The core technology of estimating the length of a connection chain is to compute the round-trip time for each send packet by matching send and echo packets through the chain. We have proposed the approach SDBA to compute round-trip time and a way to evaluate SDBA by probabilistic analysis. SDBA takes advantage of the fact that the RTTs of a connection chain are around a value which indicates average network traffic. SDBA can compete against the best known packet-matching algorithm both in matching rate and accuracy. We have proved that the probability of making a correct selection of RTT through SDBA is bounded by 1  ð1=q2 Þ where q is a number related to the distribution of RTTs and inter-arrival distribution of send packets. Some real case experimental results showed that SDBA computes a correct RTTs with a probability higher than 97%. There are still some problems about the algorithm SDBA. The algorithm is somewhat inefficient in time complexity. Finding an efficient one is our future work and under way currently even though we have discussed it a little in Section 3.1. Also SDBA can only compute the packet RTTs for a connection chain on its downstream part. Finding the packet RTTs for the upstream part of a connection chain is more challenging and will provide us a better estimation of the connection chain length, thus a better stepping-stone detection.

references

Feller W. An introduction to probability theory and its applications, vol. I. New York: John Wiley & Sons, Inc.; 1968. Jain A, Dubes R. Algorithms for clustering data. New Jersey: Prentice Hall, Inc.; 1988. p. 55–143. Johnson Normal I, Kotz Samuel. Continuous univariate distributions-1. New York: John Wiley & Sons, Inc.; 1970. p. 166–97. Kao E. An introduction to stochastic processes. New York: Duxbury Press; 1996. Mirkin B. Mathematical classification and clustering. Dordrecht, The Netherlands: Kluwer Academic Publishers; 1996. p. 169–98.

144

computers & security 26 (2007) 137–144

Yang Jianhua, Huang Shou-Hsuan Stephen. Matching TCP packets and its application to the detection of long connection chains. In: IEEE proceedings of 19th international conference on advanced information networking and applications (AINA’05), Taipei, Taiwan; March 2005. p. 1005–10. Ylonen T. SSH – secure login connections over the Internet. In: Sixth USENIX Security Symposium, San Jose, CA, USA; 1996. p. 37–42. Ylonen T. SSH protocol architecture (draft–IETF document), ; June 2004a. Ylonen T. SSH Transport layer protocol (draft IETF document), ; June 2004b. Yoda K, Etoh H. Finding Connection Chain for Tracing Intruders. In: Proceedings of the sixth European symposium on research in computer security (LNCS 1985), Toulouse, France; 2000. p. 31–42. Yung Kwong H. Detecting long connecting chains of interactive terminal sessions, RAID 2002. Zurich, Switzerland: Springer Press; October 2002. p. 1–16. Yin Zhang, Vern Paxson. Detecting stepping-stones. In: Proceedings of the ninth USENIX security symposium, Denver, CO; August 2000. p. 67–81.

Dr. Jianhua Yang is an Assistant Professor in the Department of Mathematics and Computer Science at Bennett College for Women, Greensboro NC. His research interests are computer, network and information security. Dr. Yang earned his Ph.D. in Computer Science at the University of Houston. Before joining in Bennett College, Dr. Yang was an Associate Professor at Beijing Institute of Computer Technology, Beijing, China from 1990 to 2000. He is currently a member of IEEE. Dr. Yang can be reached at [email protected]. Dr. Shou-Hsuan Stephen Huang is a professor of Computer Science at the University of Houston. His research interests include data structures and algorithms, intrusion detection and computer security. Stephen Huang received his Ph.D. degree from the University of Texas – Austin. He is a senior member of the IEEE Computer Society. Dr. Huang can be reached at [email protected].

computers & security 26 (2007) 145–153

A study on decision consolidation methods using analytic models for security systems Sangkyun Kima, Hong Joo Leeb,* a

Somansa Co., Ltd., Woorim Center, Yangpyeongdong, Yeongdeungpogu, Seoul, South Korea School of Computer Science, Carnegie Mellon University, Pittsburgh, PA 15213, USA

b

article info

abstract

Article history:

The successful management of information security within an organization is vital to its

Received 2 August 2005

survival and success. The necessary security controls need to be implemented and man-

Revised 21 August 2006

aged effectively. In this paper, using the characteristics of the AHP, a study on information

Accepted 22 August 2006

security management systems is selected from the perspective of Process Model and Criteria. A case study has proven potential value of this methodology in helping decision-

Keywords:

makers in supporting their selection of security controls.

Security controls

ª 2006 Elsevier Ltd. All rights reserved.

Evaluation criteria Package introduction

1.

Introduction

Information has become the key resource and even the lifeblood of many organizations. ‘‘Information is the glue that holds an organization together and that allows all other resources to be managed’’ (Wood, 1991). We live in an unsafe world where we encounter threats against our safety and security every day. This is especially true in the information processing environment. More and more companies are becoming totally dependent on computer systems for their day-to-day operations. Computer technology is developing at a dramatic rate and, unfortunately, so are the techniques and mechanisms utilized by computer criminals. Crime usually does its ingenious best to keep pace with technology (Forcht, 1994). The value of our information systems and our dependence on them make them increasingly attractive targets for those who wish to disrupt, destroy, steal, defraud, misuse, or spy. Such attacks may be mounted by pranksters, criminals, competitors, terrorists, hackers, or (most commonly of all) disgruntled employees (Stewart, 1998). * Corresponding author. Tel.: þ1 412 443 6438. E-mail address: [email protected] (H.J. Lee).

So, as organizations become more and more dependent on their computer-based information systems, which play a vital role and important part in their business operations. There needs to be a greater awareness and concern about the security of these systems. Information security appears on the list of critical success factors of most major organizations today (Eloff et al., 1993). The successful management of information security within an organization is vital to its survival and success. An organization needs to be able to determine the current security status of its information and computer resources and raise it to a level that is acceptable to management. To do this, the risks that threaten the security of its information and computer resources need to be assessed and the necessary security controls need to be implemented and managed effectively. This paper provides the methodology which consists of process and criteria to support selection activities of the security control. This paper presents the rating approach for prioritizing security controls and the hierarchical structure of process and criteria.

146

computers & security 26 (2007) 145–153

2.

Literature review

2.1.

Defining security and methodology

The security refers to ‘‘minimizing the risk of exposure of assets and resources to vulnerabilities and threats of various kinds’’ (Bayle, 1988). Risk is a function of the consequences (or impact) of an undesirable event and the likelihood of that event occurring. Risk assessment is the process whereby risk relationships are analyzed, and an estimate of the risk of asset compromise is developed. Compromise includes unauthorized disclosure, destruction, removal, modification, or interruption. The options for managing risk include reduction, transfer, avoidance, and acceptance (CSE, 1996). There are three fundamental qualities of information which are vulnerable to risk. They are availability, integrity and confidentiality, and they need to be protected at all times. Swanson (1998) defined confidentiality as ‘‘the system contains information that requires protection from unauthorized disclosure.’’, integrity as ‘‘the system contains information which must be protected from unauthorized. Unanticipated, or unintentional modification.’’, and availability as ‘‘the system contains information or provides services which must be available on a timely basis to meet mission requirements or to avoid substantial losses.’’ According to March and Smith (1995), a method is a set of steps used to perform a task. Nolan points out that methods are based on a set of underlying constructs and a representation of the solution space. According to Checkland (1981), ‘‘a methodology can be described as a set of tools, perhaps even research methods, or a bridge, translating management theory to management practice.’’ According to Brannback (1993), methodology organizes theory into something understandable. Lyytinen (1990) writes that: ‘‘methodology research is needed to link the descriptive empirical and theoretical studies with a constructive view of IS research on how to design and deliver effectively.’’ By virtue of methodology, we can make practical activities from theory, so the effective methodology must support necessary processes and tools. Also, previous researches show that enterprises which have systematic methodology construct more effective information systems (Earl, 1993).

2.2. Methodologies for selection and introduction of information systems METHOD/1 simplifies the introduction process of information systems by breaking down each phase into smaller and more manageable units called segments, and tasks. A series of manuals describes each of these units in detail (Fraser and Vaishnavi, 1997; Monheit and Tsafrir, 1990). ASAP is SAP’s rapid implementation solution specifically designed to streamline and standardize the implementation process to achieve mission critical business functionality as soon as possible. ASAP optimizes time, quality and efficient use of resources of systems implementation. One of the most important features about ASAP is that it supports the entire team, both internal team members from the customer and external consultants: project management, business process consultants and the technical areas.

Leem and Kim (2002) proposed integrated methodology framework (VIP-2000) which is composed of patterns, scenarios (level 1), road map (level 2), components (level 3) and repository (level 4). Level 3 offers detailed functional components needed in the implementation path generated in level 2, which includes S3IE (Support Systems for Solution Introduction & Evaluation). The previous methodologies (METHOD/1, ASAP, VIP-2000) do not consider security related issues, but only focus on reliability and usability related issues (Choi, 2000). METHOD/1 and VIP-2000 suggest a process model of selection and introduction of information systems, but do not supply any decision criteria. ASAP suggests a process model, decision criteria for selection and introduction of SAP ERP.

2.3.

Evaluation on security controls

In early 1970s, US Department of Defense began work on a collection of requirements for trusted computer security for US military. Efforts eventually resulted in the Trusted Computer Security Evaluation Criteria also known as ‘‘Orange Book’’, which was formally published in 1983. The current version of TCSEC was published in 1985. Since then, several other documents have been provided to come up with interpretations of the criteria for networks and databases. Together these books are often referred to as the ‘rainbow’ series. ITSEC was a common project of the EU members France, Germany, The Netherlands and Great Britain. Unlike TCSEC, ITSEC separates strictly between: functionality and assurance, correctness and effectiveness of assurance. In order to constitute a single, international standard replacing its national ancestors, Canada, France, The Netherlands, Germany and the United States have agreed in 1993 to work on improved evaluation criteria. As a major objective, certification should be accepted in each sponsoring country, diminishing costs and augmenting market opportunities for developers of security systems. The new framework was called Common criteria. A first version appeared in January 1996. The final version (CCv2) was published in May 1998. Since that time, the standard has been accepted by the International Standards Organization (ISO) as an international standard and is now formally known as ISO 15408. The standard comes in three parts: Part 1 is the ‘‘Introduction and General Model’’, which contains general information and reference material, Part 2 sets out ‘‘Security Functional Requirements’’ and Part 3 details on ‘‘Security Assurance Requirements’’. TCSEC, ITSEC, and CC just focus on functionality or effectiveness of product itself. The objective of these evaluation schemes is to supply official certification of particular security controls, so it’s difficult to use these evaluation schemes when an organization evaluate and select security controls that have similar level of certification.

2.4.

Controls

Controls are implemented to mitigate risk and reduce the potential for loss. Controls consist of safeguards and countermeasures. A safeguards is defined as any mechanism or procedure designed to mitigate the effects of a threat before it can occur. A countermeasure is defined as any mechanism

147

computers & security 26 (2007) 145–153

or procedure designed to mitigate subsequent effects of some threat that has already occurred (Amoroso, 1994). The controls can be administrative, logical or technical, and physical (Schweitzer, 1983; Hutt, 1988; Fites et al., 1989; Vallabhaneni, 2000; Krutz and Vines, 2001). Administrative controls are concerned with the computer security policies and/or procedures adopted by management for the security of data and computer installation (Madnick, 1978). Logical controls embrace data, files, and programs. It seeks to limit access to data, files, or programs via special access control programs or security features embedded in operating systems (Fine, 1983). Physical controls provide protection against unauthorized use, damage, loss, or modification of computing resources (Li, 1983). Elements of security controls are shown in Table 1.

2.5.

Process and criteria

2.5.1.

Framework

Several methods have been proposed in previous researches to characterize and guide selection of security tools (package based security solutions). In the NIST special publication, ‘‘Guide for Selecting Automated Risk Analysis Tools’’ (Gilbert, 1989), Gilbert listed data collection, analysis, and output of results as the three modules that should be present in any automated risk analysis tool. This represents a purpose-specific description of the inputprocessing-output model by which any tool may be characterized. Gilbert also describes site-specific selection criteria. Among these, she includes hardware and software compatibility, methodology, reporting requirements, documentation, history and security features, utility and ease of use, training and technical support, and cost. These criteria represent qualitative measures by which selection can be made between otherwise apparently acceptable tools. In ‘‘A Guide to the Selection of Anti-Virus Tools and Techniques’’ (Polk and Bassham, 1992), Polk and Bassham used the titles detection, identification, and removal to name three primary classes of anti-virus products. Each of these classes is supported by a variety of techniques and categories of tools. Barbour (1996) suggested SCE (Software Capability Evaluation) implementation guide for supplier selection which provides software organizations with guidance for planning and implementing to identify software risk during a source selection and develop

appropriate policies, implementing instructions, and guidelines in source selection and institutionalize as a routine practice. Henze (2000) suggested an implementation model of IT security safeguards which presents a number of aspects which have to be considered when implementing IT security safeguards. It has six steps: step 1 – examine results of investigation, step 2 – consolidate the safeguards, step 3 – prepare an estimate of the costs and effort required, step 4 – determine implementation sequence, step 5 – assign responsibilities, step 6 – measures to accompany implementation. Gilbert (1989)’s methodology and Polk and Bassham (1992)’s methodology only focused on a specific security (risk analysis tool, anti-virus tool) product so these cannot be used as general methodology for diverse security controls. Barbour (1996)’s methodology and Henze (2000)’s methodology provided generalized process model focusing on operational viewpoint, but there were absent of an evaluation and selection criteria. Framework of this methodology consists of Process Model (it consolidates strategic and operational viewpoint in a process model) and Criteria (it provides evaluation and selection criteria to support decision making on vendor and product in competitive bidding environments).

2.6.

Process model

Process model is shown in Fig. 1 which is derived from Leem and Kim (2002), Barbour (1996), and Henze (2000).

2.6.1.

Requirement analysis

Technical and administrative requirement must be consolidated. Technical requirement includes type of database, communication protocol, manipulation structure, interoperability, function list, and so on. Administrative requirement includes allocatable resources (time, fund, human, facility, space), legal liability (due care and due diligence), business needs, and constraints.

2.6.2.

Introduction planning

Introduction plan must be based on a requirement analysis. It arranges resources and makes time plans from a RFP development to operation phase. The team must be organized with experienced and trained members. Roles and responsibilities

Table 1 – Elements of security controls Administrative control - Policies and procedure - Security awareness - Personnel screening - Separation of duties - Job rotation - Media controls - Contingency planning - Risk management

Logical control -

Identification Authentication Authorization Data encryption Shared resource controls Access logs Journaling Intrusion detectors Tiger team service Virus scanners Transaction controls Smart cards

Physical control -

Fire prevention and suppression Power protection Water damage controls Housekeeping Physical access controls HVAC Off-site storage Emergency response planning

148

computers & security 26 (2007) 145–153

2.6.7. Requirement Analysis Introduction Planning Functional Requirement Architectural Requirement Management Requirement

Time Schedule Member of the Team

2.6.8. RFP

White Papers Certification Best Practices

Development Bidder List Proposal

Bidder’s

Receipt

Briefing

Judgement & Contract

Training Manuals

Contract Introduction Plan Introduction

Operation Accreditation

Audit Report Compliance Check Certification

Fig. 1 – Process model.

are defined regarding an introduction plan and characteristics of each member.

2.6.3.

RFP (Request for Proposal) development

RFP is developed regarding internal requirements and market environments. Internal requirements are consolidated during requirement analysis phase. Market environments include information on what kinds of vendor and product are available (through collective intelligence and RFI) and the best practices. Criteria may be used in this phase.

2.6.4.

Proposal receipt

The team identifies solution providers who have a public confidence and judge bidders who will receive a RFP. A NDA (NonDisclosure Agreement) must be made before sending a RFP and other related materials.

Operation

Awareness training on users, auditing on violation, compliance checking on legal liability and security policy (between planning and implementation), and change management on security related features must be performed.

2.7. Technical Report Administrative Report

Introduction

Prototype implementation may be required to guarantee an operational assurance on production environments. Installation and data migration must be conducted with detailed test and revise activities. Administrators must be trained before an operation phase. Finally, accreditation is required based on contract terms.

Criteria

Lynch (1996) suggested a methodology for rating security vendors to help organizations assess business and technological risks associated with product acquisitions from information security vendors. The rating system assigns scores to vendors in four major categories: product strength (this measures the competitive strength and market focus of the product mix for information security requirements in relation to competition), vision and experience of the management team (this measures the completeness of the company’s vision and the experience of its management team), distribution channels (this measures the size and focus of the company’s primary distribution channels, i.e. those generating most of the revenue), and financial stability (this measures the company’s potential to financially sustain its operations and expand). Kavanaugh (2001) surveyed purchase factors which influence customer’s decision to purchase IT security service. Respondents used a seven-point scale, where ‘‘1’’ means no impact at all, and ‘‘7’’ indicates a high level of impact. The mean score for each factor is shown in Table 2. Beall and Hodges (2002) provided comparison charts of network security and protection solutions. He used comparison factors: function, minimum RAM, hardware, operating system, source language, source code available, network operating systems, network protocols supported, networking environment supported, network monitoring protocols supported, web services supported, component model supported, pricing, special marketing programs, first installed, maintenance, support services, additional requirements, product options, and product description. Firth et al. (1998) suggested functionalities which represent specific activities associated with common security

Table 2 – Factors in purchasing IT security services Factor

2.6.5.

Bidder’s briefing

The team conducts a review on presented proposals, vendor presentations, interviews, and benchmarking test.

2.6.6.

Judgment and contract

The team consolidates data (gathered during bidder’s briefing), makes judgment on vendor and product, and produces a report. Finally, introduction team makes a contract regarding technical and administrative requirements.

IT security expertise reputation track record IT services expertise, reputation Price Offers turnkey it security Certification, organizational Affiliation Geographic coverage Familiarity with industry Existing relationship

Importance 5.88 5.60 5.38 5.15 5.07 4.84 4.76 4.54 4.48

149

computers & security 26 (2007) 145–153

Table 3 – Criteria Credibility of supplier Track record Market share Certification Relationship

Speciality

Coverage

Security expertise Solution lineup Best practice Offers turnkey IT security

Geographic coverage

Competitiveness of product Sales condition Price Marketing program Maintenance Support services

Architecture

Functiona

Performance

Hardware requirement OS supported Source language Source code available NOS supported Protocols supported Component model supported

Preventive function Detective function Recovery function Corrective function

Functionality Reliability Usability Efficiency Maintainability Portability

Continuity of service Vendor stability

Contract terms

Financial stability Vision and experience of the management staff

Warranty Product Liability

a

Functions are specified regarding characteristics of the security control as shown in Table 4.

objectives: hiding, encrypting, decrypting, locking, limiting, reserving, filtering, shielding, containing, authenticating, access controlling, enforcing, tunneling, obliterating, eradicating, replicating, mirroring, preserving, restoring, probing, scanning, monitoring, logging, inspecting, auditing, integrity checking, notifying, reporting, patching, substituting, proxying, inoculating (vaccinating), and retreating. CSE (1996) model suggested that the effectiveness of a safeguard option in reducing risk is determined by: the vulnerabilities it addresses in the system, its dependence on other safeguards to operate correctly, its vulnerability to accidental failure or deliberate evasion, its acceptability to users and operators, its requirements for intervention or interpretation by personnel, and its visibility to the threat agents. These factors can be used as a basis in which to determine the overall effectiveness of a specific safeguard in reducing threat scenario likelihoods, impacts, and risk. Barbacci et al. (1995) summarized quality attributes of software products. He found that there are

Planning

Implementation Operation Corrective Control

Recovery Control Detective Control Preventive Control Physical Control Logical Control Administrative Control

Fig. 2 – (CIS)2: control cube for integrated information security systems.

different schools/opinions/traditions concerning the properties of critical systems and the best methods to develop them: performance (from the tradition of hard real-time systems and capacity planning), dependability (from the tradition

Table 4 – Functional criteria of security controls Functional criteria of security controls Preventive Hiding function Encrypting & decrypting Locking Limiting & reserving Filtering Shielding Containing Authenticating & AC Enforcing Tunneling Obliterating & eradicating Substituting Proxying Detective Probing & scanning function Monitoring, logging & auditing Inspecting Integrity checking

Firewall IDS Anti- VPN virus     B

    

    

B

B

B

B

 

    

B

   

      

B

 B B

   B

  B

  



B

B



B

B

B

B

 

B

B

B



B

B

Recovery Notifying & reporting function Replicating & mirroring Preserving & restoring Patching

B

B

B

B

  

  

  

  

Corrective Inoculating (vaccinating) function Retreating

 

B

B

B

B

 

150

computers & security 26 (2007) 145–153

best security control

credibility of supplier L: 0.222 G: 0.222

track record L: 0.396 G: 0.088

speciality L: 0.325 G: 0.072

market share L: 0.355 G: 0.031

security expertise L: 0.312 G: 0.023

certification L: 0.327 G: 0.029

solution lineup L: 0.183 G: 0.013

relationship L: 0.318 G: 0.028

competitiveness of product L: 0.452 G: 0.452

coverage L: 0.279 G: 0.062

performance L: 0.272 G: 0.123

sales condition L: 0.266 G: 0.120

architecture L: 0.179 G: 0.081

continuity of service L: 0.326 G: 0.326

function L: 0.284 G: 0.128

vendor stability of supplier L: 0.528 G: 0.172

contract terms L: 0.472 G: 0.154

price L: 0.361 G: 0.043

HW requirement L: 0.153 G: 0.012

filtering L: 0.247 G: 0.032

financial stability L: 0.548 G: 0.094

warranty L: 0.403 G: 0.062

reliability L: 0.191 G: 0.023

marketing program L: 0.197 G: 0.024

OS supported L: 0.065 G: 0.005

shielding L: 0.116 G: 0.015

management staff L: 0.452 G: 0.078

product liability L: 0.597 G: 0.092

best practice L: 0.294 G: 0.021

usability L: 0.164 G: 0.020

maintenance L: 0.254 G: 0.030

source language L: 0.077 G: 0.006

containing L: 0.118 G: 0.015

turnkey IT security L: 0.211 G: 0.015

efficiency L: 0.155 G: 0.019

support service L: 0.189 G: 0.023

source code available L: 0.338 G: 0.027

authentication & AC L: 0.187 G: 0.024

maintainability L: 0.178 G: 0.022

NOS supported L: 0.119 G: 0.010

monitoring, logging & auditing L: 0.171 G: 0.022

portability L: 0.133 G: 0.016

protocols supported L: 0.164 G: 0.013

notifying & reporting L: 0.162 G: 0.021

geographic coverage L: 0.279 G: 0.062

functionality L: 0.178 G: 0.022

component model supported L: 0.083 G: 0.007

L: local priority–priority relative to parent G: global priority–priority relative to goal

Fig. 3 – Local and global priorities.

of ultra-reliable, fault-tolerant systems), security (from the traditions of the government, banking and academic communities), and safety (from the tradition of hazard analysis and system safety engineering). ISO9126 (2001) offers a framework for appraisal of software on the basis several areas of performance. The areas of investigation illustrated in ISO9126 and they are as following: functionality, reliability, usability, efficiency, maintainability, and portability. This paper takes Leem (1999)’s model to suggest the first level of criteria. Lynch (1996)’s model, Kavanaugh (2001)’s model, Beall and Hodges (2002)’s model, Firth et al. (1998)’s model, CSE (1996) model, Barbacci et al. (1995)’s model, and ISO9126 (2001) are used to derive second and third level of criteria (Table 3).

There are so many kinds of security control. Functional criteria of security controls are different from each other. In this paper, I suggest (CIS)2 model to classify security controls (Fig. 2). (CIS)2 means ‘‘Control Cube for Integrated Information Security Systems’’. This model has three axes which are security purpose, lifecycle, and mechanism. The security purpose consists of preventive, detective, recovery, and corrective controls. The lifecycle of security management consists of security planning, implementation, and operation. The security mechanism consists of administrative, logical, and physical controls. It’s almost impossible to design functional criteria of particular security controls on an entire set of existing security controls. Firth et al. (1998) suggested common functional criteria of security controls. Kim and Kang (1999) suggested

151

computers & security 26 (2007) 145–153

functional criteria of firewall, IDS, anti-virus, and VPN. The relationship of Firth et al. (1998) and Kim and Kang (1999) is shown in Table 4. As shown in Table 4, we can describe functional criteria of certain security control using Firth et al. (1998).

3.1.3.

3.2.

3.

A case study using AHP

3.1.

Assumptions

3.1.1.

Purpose

In this case study, AHP was applied to a particular project in which XYZ Co. Ltd. wanted to implement information security systems. XYZ Co. Ltd. had a planning to introduce a firewall.

3.1.2.

Objective of project

In this study, implementation of security controls is initiated by management requirement of XYZ Co. Ltd. (not legal enforcement).

No relationship between vendors and XYZ Co. Ltd.

In this study, there was no relationship between vendors and XYZ Co. Ltd. and vendors and products were treated as independent.

Process of implementation

Process model shown in Fig. 1 was used to support introduction steps. They used selection criteria to support RFP development, judgment, and contract. The detailed description of this step is shown in next chapter (4.3).

3.3.

Applying the AHP method on selection criteria

3.3.1.

Breaking down the problem

The first step was to develop a hierarchical structure of the problem. Fundamental rule of classification is shown in Table 3. This classifies the goal and all decision criteria and variables into four major levels. The highest level of the

Table 5 – Normalized priority weights for the criteria

Credibility of supplier Track record

Speciality

Coverage Competitiveness of product Sales condition

Architecture

Function

Performance

Continuity of service Vendor stability Contract terms

Firewall-C

Firewall-N

Firewall-S

Market share Certification Relationship Security expertise Solution lineup Best practice Offers turnkey IT security Geographic coverage

0.393 0.440 0.200 0.412 0.499 0.415 0.328 0.471

0.281 0.321 0.200 0.310 0.216 0.327 0.250 0.406

0.326 0.238 0.600 0.278 0.284 0.258 0.422 0.123

Price Marketing program Maintenance Support services Hardware requirement OS supported Source language Source code available NOS supported Protocols supported Component model supported Filtering Shielding Containing Authenticating & AC Monitoring, logging & auditing Notifying & reporting Functionality Reliability Usability Efficiency Maintainability Portability

0.269 0.403 0.313 0.315 0.164 0.378 0.362 0.333 0.355 0.425 0.333 0.356 0.401 0.395 0.408 0.371 0.325 0.386 0.351 0.306 0.320 0.347 0.320

0.329 0.320 0.237 0.265 0.721 0.331 0.333 0.333 0.353 0.312 0.333 0.356 0.326 0.323 0.266 0.296 0.248 0.324 0.435 0.200 0.435 0.460 0.219

0.402 0.276 0.450 0.419 0.114 0.291 0.305 0.333 0.292 0.263 0.333 0.287 0.274 0.281 0.326 0.333 0.427 0.291 0.215 0.493 0.245 0.193 0.461

Financial stability Management staff Warranty Product liability

0.446 0.379 0.299 0.302

0.330 0.331 0.299 0.257

0.224 0.290 0.401 0.440

152

computers & security 26 (2007) 145–153

shows that firewall-C scored the highest in the result, followed by firewall-S and firewall-N.

Synthesis with respect to: Best Security Control(firewall) Overall inconsistency = .01 Firewall- C 0.361

4.1.2.

Firewall- N 0.317 Firewall- S 0.321

Fig. 4 – Synthesis for firewall selection problem.

hierarchy is the overall goal: to select the best firewall. Level 2 and Level 3 represent the criteria in selecting the firewall. Level 4 contains the decision alternatives that affect the ultimate selection of chosen firewalls (firewall-C, firewall-N, firewall-S).

3.3.2.

Comparative judgments

Judgments were elicited from the security experts in the security solution provider and government agency. Expert Choice provided rating to facilitate comparison, these then needed to be incorporated into the decision making process. For example, the competitiveness of product was the most important criteria in Level 2. After inputting the criteria and their importance into Expert Choice, the priorities from each set of judgments were found and recorded in Fig. 3.

4.

Discussion of results

4.1.

Priorities for the criteria of each firewall

4.2.

4.1.1.

Validation of this methodology

The validation of the model was carried out with the help of five consultants and three planners of security controls. The model was checked to ensure that the results reflected what was happening in the real world and that reasonable solutions were produced.

4.2.1.

Functionality

The functionality of the model was examined by comparison of results between the judgments of security consultants with their own business know-how and the judgments of planners of XYZ with the methodology provided in this paper. Results were found to match their judgments in most instances.

4.2.2.

Table 5, showing the normalized priority weights, help to determine the preferable firewall for each attribute. The overall consistency of the input judgments at all levels is within the acceptable ration of 0.1, as recommended by Satty (1980).

Sensitivity analysis

Sensitivity analysis attempts to check the impact of change in the input data or parameters of the proposed firewalls. Relatively small changes in the hierarchy or judgment may lead to a different outcome. Using Expert Choice, the sensitivity of the outcome can be tested. Fig. 5, shows a gradient sensitivity analysis of the alternative priorities with respect to changes in the relative importance of the criteria (level 2 elements of decision tree).

Usefulness

The usefulness of the model was examined through observing its effect on the decision making process in security control selection. The approach follows a systematic decision making process. The security consultants and planners found that the developed methodology was very useful for supporting managers in security control selection.

Overall priority of each firewall

The overall priority of a firewall alternative was calculated by multiplying its global priority with the corresponding weight along the hierarchy. When I synthesized all the elements using Expert Choice, I obtained the result shown in Fig. 4. It

5.

Conclusion

The successful management of information security within an organization is vital to its survival and success. The

.50

.50

.50

.40

.40

.40

.30

.30

.30

.20

.20

.20

.10

.10

.10

.00 .00 .00 .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 1 .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 1 .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 1

Credibility of Supplier Firewall- C

Competitiveness of Product Firewall- N

Fig. 5 – Sensitivity analysis.

Continuity of Service Firewall- S

computers & security 26 (2007) 145–153

necessary security controls need to be implemented and managed effectively. This paper presents a methodology which consists of Process Model (it consolidates strategic and operational viewpoint in a process model) and Criteria (it provides evaluation and selection criteria to support decision making on vendor and product) to support selection of security control for information security management systems. A case study using the analytic hierarchy process (AHP) is provided to prove its practical value. A case study has proven potential value of this methodology in helping decision-makers in supporting their selection of security controls.

references

Amoroso E. Fundamentals of computer security technology. Prentice Hall; 1994. Bayle AJ. Security in open system networks: a tutorial survey. Inf Age July 1988;10(3):131–45. Barbacci M, Klein MH, Longstaff TA, Weinstock CB. Quality attributes, software engineering institute. Carnegie Mellon University; December 1995. Barbour R. Software capability evaluation: implementation guide for supplier selection. Software Engineering Institute; April 1996. Beall S, Hodges R. Protection & security: software comparison columns. Gartner; October 2002. Brannback M. Effective strategic market management with knowledge-based support systems. Institute for Advanced Management Systems Research (IAMSR); 1993. Checkland PB. Systems thinking, systems practice. John Wiley & Sons; 1981. Choi S. A study on the methodology to establish the security systems for e-business. Master Thesis: Yonsei University; 2000. CSE. Guide to risk assessment and safeguard selection for information technology systems. CSE; 1996. Earl MJ. Experience in strategic information systems planning. MIS Quarterly; 1993. Eloff JHP, Labuschagne L, Badenhorst KP. A comparative framework for risk analysis methods. Comput Secur 1993; 12(6):597–603. Fine LH. Computer security – a handbook for management. William Heinemann; 1983. Fites PE, Kratz MPJ, Brebner AF. Controls and security of computer information systems. Computer Science Press; 1989. Firth R, Fraser B, Konda S, Simmel D. An approach for selecting and specifying tools for information survivability. Software Engineering Institute, Carnegie Mellon University; July 1998. Forcht KA. Computer security management. Boyd & Fraser; 1994. Fraser MD, Vaishnavi VK. A formal specifications maturity model. Commun ACM December 1997;40(12):95–103. Gilbert IE. Guide for selecting automated risk analysis tools (SP 500-174). NIST; 1989. Henze D. IT baseline protection manual. BSI (Bundesamt fu¨r Sicherheit in der Informationstechnik); October 2000. Hutt AE. Management’s roles in computer security, Computer security handbook. Macmillan Publishing Company; 1988. ISO9126-1. Software engineering – product quality: Part 1 – quality model, No. ISO/IEC 9126-1:2001. International Organization for Standardization (ISO), Geneva; 2001.

153

Kavanaugh K. Security services: focusing on user needs. Gartner; August 2001. Kim S, Kang S. A study on the security vulnerabilities and defense mechanism for SET-based electronic commerce. J Korean Inst CALS/EC September 1999;4(2). Krutz RL, Vines RD. The CISSP prep guide: mastering the ten domains of computer security. John Wiley & Sons; 2001. Leem CS. A research on a consulting methodology of enterprise information systems. ITR; 1999. Leem CS, Kim S. Introduction to an integrated methodology for development and implementation of enterprise information systems. J Syst Software February 2002;60(3):249–61. Li DH. Controls in a computer environment: objectives, guidelines, and audit procedures. EDP Auditors Foundation; 1983. Lynch G. Threat assessment: a methodology for prioritizing enemies. Gartner; October 1996. Lyytinen K. Information systems and critical theory – a critical assessment. Department of Computer Science, University of Jyvaskyla; 1990. Madnick SE. Management policies and procedures needed for effective computer security. Sloan Manag Rev Fall 1978;19(3): 61–74. March ST, Smith GF. Design and natural science research on information technology. Decis Support Syst 1995;(15):251–66. Monheit M, Tsafrir A. Information systems architecture: a consulting methodology, CompuEuro’90. In: Proceeding of the 1990 IEEE international conference on computer systems and software engineering; 1990. Saaty TL. The analytic hierarchy process. NY: McGraw-Hill; 1980. Schweitzer JA. Protecting information in the electronic workplace: a guide for managers. Reston, VA: Reston Publishing Company; 1983. Stewart TR. Selected E-business issues: perspectives on business in cyberspace, version 1.0. Deloitte Touche Tohmatsu September 1998. Swanson M. Guide for developing security plans for information technology systems. NIST Special Publication 800-18, NIST; December 1998. Polk WT, Bassham LE. A guide to the selection of anti-virus tools and techniques (SP 800-5). NIST Special Publication. NIST; 1992. Vallabhaneni R. CISSP examination textbooks. SRV Professional Publications; 2000. Wood CC. Effective information security management. Oxford: Elsevier Advanced Technology; 1991.

Sangkyun Kim is a director in charge of planning, design, and consulting of IT compliance solutions at Somansa which is the leading company of ERM (Enterprise Records Management) solutions in Korea. His area of interest is in SecureSoft and KCC Information & Communication. He lectures to KT (Korea Telecom), SK Telecom, HP, Hyundai and Samsung on security, electronic commerce and IT consulting. Hong Joo Lee has been studied at School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, USA. He has received Ph.D. degree in Industrial System Engineering from Yonsei University, Seoul, Korea. He was a senior researcher in DAEWOO Electronics Corp and he has been worked at Dankook University. His research interests focus on Ubiquitous Technology and strategic uses of New Technology.

computers & security 26 (2007) 154–176

A framework for behavior-based detection of user substitution in a mobile context Oleksiy Mazhelis*, Seppo Puuronen Department of Computer Science and Information Systems, University of Jyva¨skyla¨, P.O. Box 35, FIN-40351, Jyva¨skyla¨, Finland

article info

abstract

Article history:

Personal mobile devices, such as mobile phones, smartphones, and communicators can be

Received 15 January 2005

easily lost or stolen. Due to the functional abilities of these devices, their use by unintended

Revised 22 August 2006

persons may result in severe security breaches concerning private or corporate data and

Accepted 22 August 2006

services. Organizations develop their security policy and employ preventive techniques to combat unauthorized use. Current solutions, however, are still breakable and there is

Keywords:

a strong need for means to detect user substitution when it happens. A crucial issue in

Mobile devices

designing such means is to define the measures to be monitored.

Intrusion detection

In this paper, a structured conceptual framework for mobile-user substitution detection is

Masquerader detection

proposed. The framework is based on the idea that some aspects of user behavior and en-

User profiling

vironment reflect the user’s personality in a recognizable way. These hypothesized aspects

Identity verification

are further studied in order to identify the characteristics describing the individuality of these aspects, and to identify the measures whereby the characteristics can be represented. The main constructs of the framework are defined and explained in the paper; these include the components describing individuality of user behavior and environment, and the technical components needed to implement user substitution detection based on this individuality. The paper also provides a tentative list of individual behavioral and environmental aspects, along with characteristics and measures to represent them. The contemporary solutions, aimed at user substitution detection, are analyzed from the perspective of the framework, and the needs for further research are discussed. ª 2006 Elsevier Ltd. All rights reserved.

1.

Introduction

Today, mobile devices have become a convenient and often essential component assisting us in our everyday life. The number of mobile devices in use has grown significantly during the last decade and continues to grow. The advances in the area of mobile devices are reflected not only in the growth of the numbers but also in the spread of these devices; the devices themselves are becoming increasingly powerful. Some modern devices (e.g. Personal Digital Assistants or PDAs)

are, in their computing power and functionalities, comparable to powerful notebooks and workstations produced just some years ago. Such technological advances enable the use of mobile devices in new application areas and allow the development of mobile e-commerce where a personal mobile device plays a key role (Veijalainen, 1999). Some of the capabilities of modern mobile devices are potentially risky from the security perspective. Among these are (i) the ability to store (private and corporate) data, (ii) the ability to perform mobile e-transactions, and (iii) the ability to

* Corresponding author. Tel.: þ358 40 515 0641; fax: þ358 14 260 3011. E-mail addresses: [email protected] (O. Mazhelis), [email protected] (S. Puuronen).

computers & security 26 (2007) 154–176

access a corporate intranet. These capabilities pose security concerns, since only the legitimate user of the device should be permitted to access the private data and the corporate intranet, or to carry out mobile e-transactions allowed to the device. While these concerns are common for laptops and networked workstations, the problem is more severe with mobile devices because these can be more easily lost or stolen – according to the estimation of F-Secure Corporation (2002), more than 10 mobile devices are lost or stolen in the world every minute. Currently, in order to ensure the legitimacy of a user, an authentication procedure is performed, usually consisting of entering a PIN/password by a claimant (a device user whose legitimacy is not verified yet). The authentication process is usually launched when the device is being turned on, or after a certain idle time. However, many users find such protection mechanisms inconvenient and do not use them (Clarke and Furnell, 2005). Besides, sometimes it is possible to bypass the authentication procedure, or the authentication password can be compromised thus enabling illegal use of the device. Therefore, there is a strong need for further security means to detect the use of a mobile device by a non-legitimate person. The basic goal of information security is to protect the resources (as information, services, and equipment) from unintended use. Generally, this goal can be decomposed into the following sub-goals (Stoneburner, 2001): provision of confidentiality, provision of system/data integrity, provision of availability of system and data, as well as provision of accountability and assurance that the above sub-goals are achieved. In order to achieve the security goal, a set of security services should be implemented. These services include deterrence, prevention, detection, and remedies (Straub and Welke, 1998). The use of these services is justified by the general deterrence theory, which assumes that a person’s intension to commit a crime is influenced and controlled by the threat of punishment (Pearson and Weiner, 1985). Deterrent measures are aimed at making potential system users aware of the details of the security regulations (e.g. security policy in an organization), as well as of certainty and severity of sanctions in case intentional security violations occur. When the deterrence fails, preventive measures are needed to defend against an abuse. Examples of preventive security measures are encryption of files, authentication with password, or locked doors. Since preventive measures cannot be completely unbreakable, detective measures are required to expose the cases of abuse, which have succeeded or are in progress. For example, file integrity checks are needed to reveal illegal modifications of files; sensors of service availability should be used to detect Denial-of-Service attacks, etc. Generally, the preventive measures are considered as proactive due to their integrated capability to combat abuse, while detective measures are seen as reactive, i.e. merely aimed at registering the cases of on-going or happened abuse and collecting evidence of it. However, the distinction is not always clear as the same security means, e.g. virus scanning or face recognition, may be used for both abuse prevention and abuse detection. Finally, the security system should remedy the damage caused by a successful abuse. Besides, the offenders should be punished to create a deterrence effect.

155

The detective security means are based on the assumption that both normal and malicious activities are manifested in system audit traces, and that malicious activity can be detected through the analysis of these traces. A crucial issue in designing such means is to define what measures to monitor, and what models to assign to these measures (Sundaram, 1996; Lane, 2000; Sequeira and Zaki, 2002). However, the available frameworks, models, methods, and approaches for detecting security breaches are often based on various heuristics and intuition of experts (as in Anderson et al., 1995a,b; Hofmeyr et al., 1998; Lane and Brodley, 1999), or are largely data-driven (as in Ryan et al., 1998; Ghosh et al., 1999; Lee and Stolfo, 2000). As pointed out by McHugh (2001, p. 14), many works in intrusion detection have been based on ‘‘a combination of intuition and brute-force techniques’’. Furthermore, these works are targeted at networked workstations and servers, and hence do not take into account the peculiarities of personal mobile devices. This paper focuses on addressing the issue of detective security services in the context of mobile devices. We use the term of user substitution detection (USD) consistently throughout the paper to refer to the means of detecting a situation where a person other than the legitimate user (the user ahead) is using the device’s protected resources, such as the information stored on the device, or allowed services. The closely related concepts of authentication, intrusion detection, and fraud detection, will be considered in Section 7. The paper is aimed at improving the theoretical underpinnings behind the USD, emphasizing the context of mobileterminal users. We propose a conceptual framework for the USD, wherein the detection problem is considered from user identity verification (UIV) point of view. The fact that cognitive processes of each human are individual is utilized in the framework. These cognitive processes are a part of human personality which can be defined as ‘‘a dynamic organization, inside the person, of psychophysical systems that create a person’s characteristic patterns of behavior, thoughts, and feelings’’ (Carver and Scheier, 2000, p. 5). Such characteristic patterns are a natural choice to verify one’s identity. The difficulty is that the psychological personality cannot be directly observed and measured. To solve this problem, the framework relates psychological personality to one’s behavior and environment, using Bandura’s (1986) Social Cognitive Theory summarized in Section 2. Using the theory, the reflection of human personality on his/her behavior and environment is considered. Namely, the decomposition of human personality into multiple factors according to the multifactor theory of personality (Royce and Powell, 1983) as described in Section 3 is projected onto individual aspects of behavior (considered in Section 4) and individual aspects of environment (considered in Section 5). Thereafter, some characteristics to describe these individual aspects are hypothesized, and the measures to represent these characteristics are proposed. The framework can be decomposed into a descriptive and a prescriptive part. The former is concerned with the description of an object system – a part of reality involved in USD context i.e. the user, his/her personality, behavior, and environment. The latter considers technical components (e.g. databases, knowledge bases, processing units, etc.) that

156

computers & security 26 (2007) 154–176

are needed to implement the UIV system based on the above object system. The above description of user personality and its reflection in one’s behavior and environment belong to the descriptive part of the framework devoted to the object system; it continues the earlier work we presented in Mazhelis and Puuronen (2005). The main constructs of the descriptive part are defined and discussed in Section 6. This is followed by the definition and discussion of the main constructs of the technical system employing the object system to implement user identity verification. Section 7 is dedicated to the evaluation of the contemporary techniques of authentication, intrusion detection, and fraud detection that can be used in detecting user substitution, from the perspective of the framework. Finally, conclusions are provided in Section 8. The following assumptions are made in the proposed framework:  There exists only one legitimate user. All the others who try to act as the user are considered as impostors.  User behavior and environment include aspects that are peculiar to the user. Furthermore, the superposition of the values of measures describing these aspects is individual.  Operations of the mobile device are managed by the user who is assumed to carry the device and control it through a predefined interface.  The user accepts the monitoring of his/her behavior and environment for USD purposes.  Within a limited time period, the peculiar aspects of user behavior and environment undergo only minimal changes.  The user does not suffer from mental stress, psychic shock, or other extreme conditions that are inherently anomalous and can change user behavior dramatically. While the measures to be assigned to various characteristics are hypothesized in the paper, neither statistical nor other models to be assigned to these measures are considered. In addition, exact procedures to decide whether the user has been substituted as well as any detailed elaboration of the architecture for implementing the technical system are out of the scope of this paper.

2. Social Cognitive Theory and its application to USD problem The Social Cognitive Theory (SCT) that has its roots in the Social Learning Theory was officially launched by Bandura in 1986. In this section, we first summarize the SCT and then discuss its application to USD.

2.1.

Social Cognitive Theory of Bandura

Social Cognitive Theory considers psychological and biological personality of a human, his/her behavior, and environment as mutually interfering. According to the theory, a complex network of reciprocal influences between personality (P), behavior (B), and environment (E ) frames the being of human (Fig. 1). The theory considers behavior of an individual being as uniquely determined by those three factors P, B, and E and largely regulated through cognitive processes. This

P

B

E

Fig. 1 – Triadic reciprocal determinism (Bandura, 1989, p. 2).

suggests that the mind has an active role when an individual constructs his/her own reality. The model of causation proposed by the SCT is very complex because the interaction between the three factors will be different depending on the individual, the particular behavior being examined, and the situation in which the behavior occurs. Below, the main constructs of the theory are summarized according to Bandura (1989).

2.1.1.

Reciprocal determinism

Reciprocal determinism corresponds to the existence of bidirectional influences between both cognitive and biological personal factors (P), behavior (B), and environment (E ). This has three important implications. First, human behavior is regulated not only by environment and personality, but also by the interaction of these two factors. Second, the behavior itself influences environment as well as personality. Through behavior, a person influences environment by selecting or modifying it. The influence of behavior on personality is reflected in one’s thoughts and attitudes. Third, the personality and behavior affect each other. According to the SCT, there are five basic capabilities that provide humans with cognitive means by which to determine behavior. These five unique capabilities, which are symbolizing, vicarious, forethought, self-regulatory, and self-reflective capabilities, are shortly overviewed below.

2.1.2.

Symbolizing capability

The symbolizing capability is an ability to form mental symbols (verbal or pictorial) representing a person’s experiences obtained directly or through observation. These symbols serve as operands in human thinking when people manipulate their symbolical representation by operators having a form of rules and strategies. According to Bandura (1989), the development of symbolizing capability is correlated with the process of language acquisition. As the language becomes abstract, thinking becomes more independent of the real occurrences. As a result, the ability to form and memorize symbols enables a person to foresee the outcomes of possible actions.

2.1.3.

Vicarious capability

Vicarious capability refers to the human’s ability to learn through observing behavior of others and through evaluation of its outcomes. This ability is complementary to the ability to

computers & security 26 (2007) 154–176

learn through personal experience, which is time-consuming and may even result in dangerous consequences. Observational learning offers a person a quick way to ascertain and extend one’s knowledge and it can be further supported by communication technologies such as radio, television, and Internet among others. Four processes are involved in observational learning: attentional, retention, production, and motivational processes. All the four processes are partially regulated by general personal characteristics of the observer. Attentional process specifies what to observe, and determines the information to be extracted from the observation. The set of attentional determinants consists of personal characteristics (e.g. perceptual capabilities) and characteristics of observed events (e.g. complexity and affective valence). The retention process is responsible for storing the extracted information for further use. This process involves transforming and restructuring the information into symbolical memory representation using the symbolizing capability discussed above. The process of production consists in translating the symbolic representation into activity. The behavior is adjusted (learnt) by comparing the actions produced against the internal representation of a proper activity. Finally, the motivational process determines the behavior among all the learnt ones that will be triggered. The likelihood of a behavior being executed is determined by the expected outcomes of this behavior.

2.1.4.

Forethought capability

Social Cognitive Theory sees the human behavior as purposive, i.e. a person’s behavior includes discrepancy production (goal setting) followed by discrepancy reduction (attaining the goal). Forethought capability allows a person to anticipate likely outcomes of his/her actions and therefore determine what sequence of actions (operators) is needed to reach the goal. Such planning activity is heavily based on the symbolizing capability. By employing symbolizing capability, a human is able to represent future events in present and thus a motivation regulating behavior is provided.

2.1.5.

Self-regulatory capability

Translation of the above forethoughts into incentives and actions is supported by self-regulatory capability. Selfregulation is an internal mechanism of control over one’s own motivation and therefore behavior. The self-regulation of the motivation distinguishes between aspirational standards and social and moral standards. Motivation based on the aspirational standards includes comparison of personal achievements against the internal standard. Among the factors influencing effectiveness of these aspirational standards are search for satisfaction from attaining goals, self-efficacy (sureness of one’s capability to achieve the goal), self-influence (readjustment of personal standards), and estimated time needed to achieve the goal. The aspirational standards are not fixed; they are adopted (proactive control) to provide initial motivation, and they are adjusted (feedback control) after the goal is achieved. Besides aspirational standards, human motivation is determined by social and moral standards, which are created through evaluation of prescribed, taught, or observed norms. In turn, the norms acquired regulate the motivation and

157

behavior by matching the anticipatory self-pride or selfcriticism for actions against personal standards.

2.1.6.

Self-reflective capability

Human’s understanding of himself/herself and of the external world requires the ability to reflect upon one’s own experiences, i.e. self-reflective capability. Besides enabling this understanding, self-reflection allows a person to evaluate one’s own thoughts, analyze their outcomes, and adjust the thinking process according to these outcomes. Evaluation of one’s own thinking process (called thought verification) can be accomplished through (i) the comparison of thoughts and outcomes of one’s actions (enactive verification), (ii) the judgment of one’s own thoughts after observing the actions of others (vicarious verification), (iii) contrasting one’s thoughts against thoughts of others (persuasory verification), or (iv) the comparison of thoughts against the outcomes of logical reasoning applied to the established body of knowledge. According to Bandura, the most important type of selfreflection is self-efficacy defined as ‘‘people’s judgment of their capabilities to exercise control over events that affect their lives’’ (Bandura, 1989, p. 42).

2.2. User substitution detection from the perspective of SCT In an attempt to detect a user substitution situation, two conceptually distinct approaches are possible: the detection may be realized either through impostor recognition or through user identity verification. In the impostor-recognition based USD, the fact that the goals of the user and an impostor are often different can be utilized. When an impostor sets his/her goal, he/she has to determine the chain of actions that allows the goal to be achieved. However, once (s)he finds a solution, another impostor can easily adopt this solution through the process of vicarious/observational learning described in the SCT. The modern communication facilities play an important role in accelerating this learning, and even if the solution is suboptimal, a human being tends to adopt it rather than devise a better or an optimal solution (Bandura, 1989). Thus, once discovered, a similar chain of actions can be learnt by multiple impostors as long as their goals remain the same. Consequently, such chains of actions can be monitored for occurrence and if such a chain is later discovered it may indicate the presence of an impostor. Observational learning has another important implication for USD. All the processes of the observational learning (attentional, retention, production, and motivational) are partially determined by personal cognitive characteristics. As a result, the symbolic representation of the learnt model as well as its translation into behavioral activity are partially determined by these cognitive characteristics and, therefore, include aspects reflecting the impostor’s personality. In other words, the personality of an impostor results in a peculiarity of his/her behavior similar to the ‘‘signature of crime’’ in criminology. Thus, by analyzing the peculiarity of the impostor’s behavior, it might be possible to establish impostor identity but only if the impostor’s behavior has been already observed and registered in past.

158

computers & security 26 (2007) 154–176

environment is selected, created, or changed through individual behavior.  E / B (individual aspects of behavior due to individual environment): as indicated by this influence, behavior is determined not only by personality factors but also by environment. Consequently, individual aspects of environment may impose (probably together with personality factors) individual aspects of behavior.

P

B

E

Fig. 2 – Relationships between P, B, and E. The relationships important in the USD are represented by solid arrows, while the relationships not considered in this paper are represented by dotted arrows.

In treating USD as user’s identity verification, the fact that inherent constituents of human personality – cognitive structures and processes – are individual for each user can be employed. This individuality, as reflected in the user’s behavior and environment, is to be represented through a set of measurements. As the impostors’ cognitive structures and processes are assumed to be different from those of the user, these measurements for the impostor are assumed to diverge significantly enough from those for the user, thus allowing a differentiation between the impostors and the user. In order to verify user’s identity based on psychological personality, it is necessary to determine what aspects of human behavior and environment reflect this personality. According to the SCT, personality, behavior, and environment mutually influence each other. However, not all of these influences have equal importance in revealing individualityreflecting aspects of behavior and environment in the USD context. While interested in how (psychological) personality is reflected in behavior and environment, the influences (B / P and E / P) are not immediately interesting (see Fig. 2) since these influences correspond to the changes in the personality caused by the influence of behavior and environment. Such changes are mostly important in a long run, but in shortterm perspective, we assume that personality undergoes extremely small changes only. The influence P / E implies that personality (without behavior) may cause changes in the environment. Such changes appear to be of social nature, e.g. changes in attitudes, which are out of the scope of our immediate interest and will be neglected in this paper. The remaining influences (as denoted by solid arrows in Fig. 2) are important in revealing aspects of behavior and environment reflecting personality. These influences are:

In the following sections, individual factors of personality, individual aspects of behavior, and individual aspects of environment will be considered. First, in the next section, the psychological factors constituting the personality of an individual will be described using the theory of personality and individual differences presented by Royce and Powell (1983). Then, through the analysis of relationships between personality and behavior, individual aspects of behavior will be hypothesized in Section 4. After that, the individual aspects of environment will be considered in Section 5.

3. Multifactor-systems theory of individuality In this section the theory of individuality and personality by Royce and Powell (1983) is summarized. This theory describes psychological differences between individuals, as well as ensuing inter-personal differences in integrative personality, including world view, life style and self-image. The personality is hypothesized in the theory to be composed of mutually interacting sensory, motor, cognitive, affective, style, and value systems (Fig. 3). These systems, together with the underlying hierarchies of subsystems and traits, are deemed to transduce, transform, and integrate psychological information. According to the theory, personality is hierarchically organized. The six systems comprising personality can be divided into high-, middle- and low-level systems. An arrow from a higher-level system to a lower-level system depicts coordinating influence of the first one and an arrow to the opposite direction represents feedback from a lower-level system to a higher-level system. The higher-level systems, in comparison with lower-level systems, ‘‘1) are more important with respect to the processes involved in personality integration; 2) can input coordinating information; 3) are concerned with longer units of time; 4) have a higher priority of action;

Level of integrative personality

Style system

Cognitive system

 P / B (individual aspects of behavior due to influence of personality): this influence suggests that some behavioral aspects are individual as a result of the influence of personality factors.  B / E (individual aspects of environment due to influence of behavior): according to this influence, the behavior in turn may become evident in the individual aspects of environment. In other words, due to personality, individual

Sensory system Input

High-level

Value system

Affective system

Sensorimotor integration

Motor system

Middle-level

Low-level

Output

Fig. 3 – Integrative personality model after Royce and Powell (1983, p.13).

computers & security 26 (2007) 154–176

and 5) are more closely related to the deeper (in the sense of significant) levels or aspects of personality’’ (Royce and Powell, 1983, p. 12). The theory sees personality and its component systems as goal-seeking systems, wherein internal norms are used for evaluating the successfulness of actions. Each system itself is further decomposed into a hierarchy of factors at several levels, from the lowest-level factors (first-order factors) to the highest-level factors indicating the systems and subsystems of personality. The values of these factors determine the processes within the systems. Below we first overview the six personality systems level by level (low to high) and then present some notions about individual differences. The detailed structure of these personality systems as suggested by Royce and Powell (1983) can be found in Appendix A.

3.1.

Low-level systems

The sensory and motor systems being at the lowest level of the structure act as input and output components of the whole system. There exists a close alignment between the sensory and motor systems. The sensory system senses the energy from the environment, transforms it into a suitable form, and transmits it through the human nervous system (Royce and Powell, 1983, p. 85). According to the authors, the sensory system has a multilevel hierarchical structure whose highest-order construct is the sensory type. The sensory type is further divided into two fundamental cross-modality dimensions, spatiality and temporality. Spatiality is related to the transduction of a sensory pattern at many receptors simultaneously and it is further divided into visual, chemical, and somesthetic–kinesthetic dimensions. Temporality is related to the transduction of a sensory pattern from sequential time related stimuli and it is further divided into chemical, somesthetic–kinesthetic, and auditory dimensions. All the four dimensions (visual, chemical, somesthetic–kinesthetic, and auditory) further subsume many modality specific factors that are sensitive to different kinds of input energy. At the lowest factor level they recognize 13 factors. Authors expect that individuals show a particular pattern of integrating temporal and spatial stimulations, which has major overall effect on sensory processing. The other low-level system, namely the motor system, acts as an output component transducing the individual psychological information into physical energy (Royce and Powell, 1983, p. 11). It also has a multilevel hierarchical structure where the highest-order construct is the motor type. It is further divided, as the sensory type above, into spatiality and temporality. Spatiality characterizes motor function related to the organization of individual behavior through space and is further divided into motor reactivity, transport, bodily orchestration, and precision dimensions. Temporality, in turn, characterizes motor functions related to the organization of individual behavior through time and is further divided into bodily orchestration, precision, vocalization, and dynamism dimensions. All the dimensions are further divided into several lower-order factors, and in the lowest level the different factors total 28.

3.2.

159

Middle-level systems

At the middle level are the cognitive and affective systems and the authors consider this level to be learning-adaptive or transformational (Royce and Powell, 1983). Authors consider them as multi-dimensional, hierarchical systems that transform psychological information. The first of these systems effects a transformation in order to identify environmental invariants and the second one in order to attain optimal arousal states. The authors refer to the highest-order construct of the cognitive system as the cognitive type. This type is further divided into three high-level dimensions according to different ways of knowing: perceiving, conceptualizing, and symbolizing. Each of these is further divided into two lower-level dimensions totaling, at the lowest factor level, 23 factors. The affective system’s highest-order construct is in turn the affective type which is further divided into three dimensions: emotional stability, emotional independence, and introversion–extraversion. The division of these dimensions at the lowest level results in a total of 20 different factors. These middle-level systems also have interactions with each other.

3.3.

High-level systems

At the highest level are the style and the value systems which coordinate, direct, and focus the systems in the middle and low levels (Royce and Powell, 1983). They both provide conceptual linkages between cognition and affect. However, while the value system determines what goals are to be pursued most persistently, the style system defines how these goals are to be pursued. The authors distinguish three major style constructs, namely cognitive, affective, and cognitive–affective styles. Each of these is divided into a hierarchy of lower-level factors. Styles themselves determine the combinations of traits that are activated when an individual has alternative possibilities. The value system is also considered to include three major constructs. The cognitive–affective values concern the ways in which values simultaneously integrate both cognitive and affective traits. The affective values correspond to the needs that direct, coordinate, and arouse affective processes in the individual’s goal-directed activities. The cognitive values are related to the individual’s interests and they direct, coordinate, and evoke cognitive activities in the pursuit of high-level goals. Each of these constructs is divided into a hierarchy of lower-level factors. Values themselves determine interests and needs of an individual, expressing commitments about goals that are considered worth taking risks.

3.4.

Factors vs. storages

Factor values describe processes within various personality systems. For example, values of the factors of the value system (e.g. needs or interests) describe goal-seeking processes. At the same time, the goals established are not processes any more but rather ‘‘records in memory’’, i.e. storages. In turn, in a problem-solving process, a goal to be achieved is decomposed by a person into a number of sub-goals, and a suitable ‘‘operator’’ is applied to each sub-goal

160

computers & security 26 (2007) 154–176

(Anderson, 2000). Here, the operator is an action transforming one problem state to another problem state. Similarly to the established goals, operators rather than being processes have now become storages. Thus, here the so-called process and storage concepts (Royce and Powell, 1983, p. 117, 184) can be distinguished. Such storages include goals established, knowledge (operators, invariants) obtained, and motor programs constructed. Due to individual differences and due to differences in learning environments, sub-goals, acquired operators, and other storages may differ among individuals, i.e. they also can be individual. Thus, in addition to the variety of factors, these storages (or, more precisely, their content) comprise the personality of a human being.

3.5.

Life-span development and environmental effects

Suggesting the multifactor-systems theory of individuality, Royce and Powell (1983) present an overall view of the development trends at the level of systems and discuss shortly also environmental effects on personality based on sampling of the available findings at that time. From life-span point of view the systems of all the three levels described above change over an individual’s life span. The motor and sensory functioning changes more radically, reaching peak between 20 and 40 years. In the declining phase that follows, changes in the sensory systems forego the changes in the motor systems functioning. On the middle level, the affect is dominant in the beginning and at the end of the life span while cognition is dominant during most of adulthood. The styles and values tend to be stable over time; they are developing monotonically and may reach their peak at the last portion of adulthood. Heredity and environment are the two main aspects giving rise to differences between individuals. Royce and Powell (1983) suggest that the sensory and motor systems are heredity dominant, that the cognitive and affective systems are partially heredity dominant (55–60% of the variance attributable to heredity and the reminder attributable to environment), and that the style and value systems are environment dominant.

3.6.

Conclusions

Commonly used methods to differentiate a user from impostors are based on certain aspects that are peculiar to the authorized user. These aspects may be incorporated in an object in possession (magnetic stripe card), or knowledge (password). A natural way to enhance the ability of differentiating a user from another person is to employ human personality characteristics that have the effect of making a person different from all other individuals. As summarized in this section, human personality may be decomposed into a number of dimensions, or factors, along which individual differences may be identified. Around 200 such dimensions are described in the multifactor-system theory of Royce and Powell (1983). Besides, personality is amplified by individual differences in the content of various storages. Taken together, the values of the personality factors along with the storage content can be thought of as an array of

values describing, or encoding, one’s identity. It is reasonable to assume that such identity description is peculiar to each human being. Besides the work of Royce and Powell (1983) considered in this section, a number of other studies are aimed at investigating the determinants and the structure of human personality, and a number of personality dimensions have been proposed. Among them are Cattell’s (1945) list of 35 trait variables which later resulted in 12 personality factors included in the sixteen personality factor questionnaire (Cattell et al., 1970), Eysenck’s (1986, 1990) three top-level personality factors of a four-level hierarchical personality model, and Tupes and Christal’s (1961) five factors, later referred to as the ‘‘Big Five’’. These five factors were replicated by Norman (1963), who also proposed a three-level hierarchical structure of personality traits. Considerable efforts have been subsequently made in order to replicate and refine the structure of the ‘‘Big Five’’; among them are the studies of McCrae and Costa (1985) who later proposed a five-factor theory of personality (McCrae and Costa, 1996, 1999). However, the abovementioned studies are mainly focused on the high-level aspects of personality (for example, Eysenck’s three personality factors could be put in correspondence to the affective types of Royce and Powell (Eysenck, 1990, p. 245)) while often leaving the low-level sensory and motor aspects as well as human cognitive abilities out of scope. Consequently, the Royce and Powell’s (1983) theory was selected for our study, because it considers the personality factors at several levels of hierarchy, and because it addresses, in addition to the factors of high- and middle-level systems, the factors comprising the low-level motor and sensory systems. Unfortunately, psychological determinants of personality are latent and cannot be directly observed not to speak of making automatic measurements. Therefore, in order to be able to employ the psychological personality, it is necessary first to consider where and how this personality is reflected. As suggested by the SCT, due to reciprocal determinism, personality affects one’s behavior and environment. Consequently, it is possible to assume that some aspects of behavior and environment are individual as well. The superposition of these individual behavioral and environmental aspects constitutes the reflection of one’s personality, and thus it may be used to differentiate individuals. In two subsequent sections, some of these individual aspects of behavior and environment are hypothesized.

4.

Individual behavioral aspects

As was described above, the integrated personality of an individual is composed of a set of factors of different hierarchical levels. A superposition of the factor values is assumed to ‘‘identify a processor’’ (Royce and Powell, 1983, p. 47). Therefore, an evident approach to the personality based user identity verification would be to match a claimant’s factor values against the previously acquired factor values of the user. However, already Allport (1937) as referred by Eysenck (1970) recognized that human traits cannot be directly observed, but need to be inferred. The process of factor inference may involve, for example, answering specific questions or

161

computers & security 26 (2007) 154–176

conducting an interview. In the context of user identity verification, such method of inference would not be appropriate. Instead of inferring the factor values, an alternative approach is adopted in this paper. While psychological personality is latent, it influences (according to the SCT described in Section 2) the individual’s behavior and individual’s environment, aspects of which can be observed more easily. In turn, the characteristics describing these behavioral and environmental aspects can be thought of as functions of multiple variables; some of these variables are personality factors. Since the superposition of these factor values is individual, it is possible to hypothesize that the superposition of values of characteristics describing one’s behavior and environment is also individual. Therefore, the behavioral and environmental characteristics reflecting personality may be used to verify the identity of a person. In this section, some of the individual aspects of behavior to be employed for user identity verification are hypothesized, while the consideration of the individual aspects of environment is left to the next section. For this, we analyze how the individuality described by personality systems is manifested in user behavior. Our starting point is that the goals of the user and an impostor guide their behaviors. According to these goals, different operators are triggered, and different affective and motor processes are launched, controlled by the value, style, cognitive, and sensory systems. We are interested in how these individual peculiarities of personality systems (including probably distinct goals) manifest themselves in an observable behavior. Impostor’s goals may be categorized according to the target resources being illegitimately accessed. In the context of mobile devices, target resource categories are: (i) equipment (mobile terminal, SIM-card), (ii) services (functional abilities connected to the device as calls, e-transactions, access to corporate intranet services, etc.), and (iii) information (e.g. private and corporate data stored on the terminal). According to these categories, an impostor may have, e.g. the following goals:  Equipment-oriented: (i) to sell or rent the device; (ii) to destroy the device hardware; (iii) to destroy or modify the device software.  Service-oriented: (i) to communicate with another person (e.g. make a call); (ii) to use other network services (e.g. perform mobile e-transactions); (iii) to access corporate intranet services.  Information-oriented: (i) to disclose the private data; (ii) to access, modify, or erase the private or corporate data. Some of these goals can be pursued in the same way by an impostor and by the user. For example, the user may also want to sell his/her mobile device or to modify the device software. Some other goals (as ‘‘to access corporate data’’ or ‘‘to disclose the private data’’) may be pursued in a different way by the user and an impostor: some attributes of relevant operators may be distinct, or the operators themselves may be different. For example, the goal ‘‘to communicate with another person’’ may be pursued by making a call as well as by writing an SMS or e-mail, and the user and an impostor are not necessarily using the same way of communication. In addition, they both may make calls, but an impostor might tend

to make long-distance calls of long length, while the user may mostly make local calls of moderate length. Similarly, while both the user and an impostor may be interested in the access to the user private data (e.g. work related information), it is unlikely that the user will extensively access his/her profile (which evidently belongs to private data as well). Thus, the analysis of the selected operators and their attributes may be fruitful in the USD. Noteworthy, the impostor’s awareness of the countermeasures which the user is likely to take may urge him/her to massively make use of the services accessible through the terminal, in order to maximize his/her derived benefits before detection can take place. The resulting sudden changes in the behavior may make the user substitution easier to detect. To consider individual aspects of user behavior, we have categorized various behavioral aspects into three hierarchical levels of behavior: high, middle, and low levels corresponding to the division of personality systems into three levels (Section 3). The high-level aspects are hypothesized to reflect/manifest the peculiarities of high-level personality systems, i.e. the style and value systems. Accordingly, these aspects are supposed to describe behavior that occurs over long time periods, involves selection of a particular mode of action, requires high-level coordination, etc. In turn, middle- and low-level aspects of behavior manifest the peculiarities of, respectively, middle- and low-level personality systems. This categorization supports more structural considerations of individual behavioral aspects. The division into these three categories does not pretend to be imperative, because all the psychological systems (and therefore the behavioral and environmental aspects) are correlated, and the same aspect may reflect peculiarities of several personality systems from different levels. For each of the three hierarchical levels, we consider the personality factors as well as the content of storages (goals, operators, invariants, and motor programs). As a result, a set of individual aspects of observed behavior have been recognized; these aspects are presented in Fig. 4 and discussed below. High-level behavioral aspects reveal the peculiarities of the values and the styles of the user. The values determine what goals are selected, while the styles determine how the stated

Observed behavior High-level aspects: - way of obtaining information - way of communication with others - way of performing tasks - movements

- time/efforts devoted to work/businesses - time/efforts devoted to entertainment - changes in behavior

Middle-level aspects: - concepts used - speed of comprehension - decision-making - accuracy - disposition towards communication Low-level aspects: - way of writing - way of typing - voice - gait

Fig. 4 – Individual aspects of observed behavior.

162

computers & security 26 (2007) 154–176

goals are to be achieved. The following high-level aspects are recognized:  Way of obtaining information (e.g. through communication with people, web-brows, services, etc.): this aspect is assumed to reflect the individuality of operators and goals, which in turn are influenced by the factors of the value system (e.g. need for exhibition,1 need for autonomy), by factors of the affective system (e.g. cooperativeness, selfsufficiency), etc.  Way of communication with others (calls, e-mail, SMS, etc.): it is hypothesized that the difference in operators is reflected in this aspect.  Way of performing tasks: it is assumed that sequences of actions employed, the frequency of different sequences of actions, and other characteristics describing how the user carries out his/her tasks reflect the individuality of the user’s operators and goals.  Movements (routes, speed of movements, etc.): as above, this aspect is assumed to manifest individuality of the user’s operators and goals.  Time/efforts devoted to work/businesses: need for endurance (a factor of the value system) is supposed to partly determine this aspect of behavior.  Time/efforts devoted to entertainment: need for play (a factor of the value system) is supposed to be reflected in this aspect.  Changes in behavior: need for change (a factor of the value system) is supposed to be reflected in this aspect. Behavioral changes implied here concern the behavior that is intentionally coordinated and regulated by a human, i.e. concerns high-level aspects of behavior. Middle-level behavior reflects the transformational processes within the cognitive system where the external information is transformed in order to identify environmental invariants, and within the affective system that transforms the cognitive information in order to achieve the optimal arousal states. The peculiarities of these systems are hypothesized to be manifested in the following behavioral aspects:  Concepts used are assumed to reflect individual differences in invariants.  Speed of comprehension is assumed individual as it is determined by multiple factors of the cognitive system (perceptual speed, verbal comprehension, memory span, associative memory, etc.).  Decision-making (e.g. time to respond): individuality of this aspect may be attributed to multiple factors of the cognitive system (perceptual speed, verbal comprehension, memory span, associative memory, memory for design, induction, deduction, spontaneous flexibility, etc.), and also to factors of the style system (e.g. reflection/impulsivity).  Accuracy: personality factors of the cognitive system (deductive reasoning and spontaneous flexibility) and the affective 1

The definitions and explanations of the personality factors are provided in Royce and Powell (1983), and the structures of the personality systems as proposed by Royce and Powell is represented in Appendix A.

system (surgency, autonomic balance, etc.) are hypothesized to influence this behavioral aspect.  Disposition towards communication: this aspect is assumed to be partly regulated by factors of the affective system (e.g. self-sufficiency and self-sentiment), and also by factors of the value system (e.g. need for exhibition). Low-level behavior is mainly regulated by the sensory and motor personality systems responsible for transforming the environmental information into psychological information and back. The individual behavioral aspects at this level are:  Way of writing: individuality of this aspect may be explained by the individuality of the motor system factors (e.g. dexterity and speed of small movements), motor programs (dictionary of letters, rules to produce words, etc.), and also by the individuality of the control-decision processes within the cognitive and the affective systems.  Way of typing: as above.  Voice: this aspect may be attributed to factors of the motor system (articulation, phonation, and respiration), and also to factors of the cognitive and affective systems.  Gait: similarly to above, this aspect is regulated by factors of the motor system (horizontal and vertical movements, general mobility, steadiness, etc.), but also by factors of other personality systems including the sensory, cognitive, and affective systems. The above list of individual behavioral aspects does not pretend to be complete. These behavioral aspects were produced deductively by analyzing the factors suggested by Royce and Powell (1983). While they recognize around 200 factors, for many of them we have not managed to reveal a linkage with observable behavioral aspects. Some aspects corresponding to other or the same factors may have been overlooked, and further analysis may reveal other aspects to be added to the list.

5.

Individual environmental aspects

In Section 2, it was hypothesized that due to the influence of personality on behavior, some aspects of human behavior are individual; furthermore, due to the influence of user personality through user behavior on his/her environment, some environmental aspects may also be individual (a person selects environment that fits his/her own personality). Individual aspects of behavior were considered in the previous section, and this section is devoted to the individual environmental aspects. Individual environmental aspects are classified into high-, middle-, and low-level aspects, in order to make the process of inference more structural. High-, middle-, and low-level environmental aspects are supposed to reflect, respectively, high-, middle-, and low-level personality systems, similarly to the behavioral aspects above. For each level, it is analyzed what aspects of environment (if any) could reflect the individuality of factors and storages of this level. As a result of this analysis,

163

computers & security 26 (2007) 154–176

the following individual aspects of environment are hypothesized (Fig. 5).2 High-level environmental aspects are regulated by the factors and storages of the value and style systems determining the goals of the user and the ways to attain them. The high level individual environmental aspects consist of the following:

 Choice of screen resolution: it is hypothesized that the choice of screen resolution is partly determined by visual acuity (a factor of the sensory system).  Choice of volume level: the choice of volume level is partly determined by the auditory acuity factor of the sensory system.

 Choice of people to contact with: the aspect is hypothesized to reflect the individuality of the user goals and to a certain degree operators, and also the individuality of factors (needs and interests) of the value system. The goals and operators of a user partly determine the people the user has to be in contact with, while the needs (e.g. need for affiliation, need for nurturance, etc.) and interests partly determine the people the user wants to be in contact with.  Choice of places to visit: individuality of the places the user visits can be attributed to the individuality of the goals and operators which partly determine the places the user has to visit, and to the individuality of the needs and interests which partly determine the places the user wants to visit.  Choice of tools (software): individual tools are supposed to be chosen according to the individual goals, and also according to the individual factors of the cognitive system (memory span, associative memory, etc.) and the individual cognitive styles.  Personal preferences are supposed to reflect the individuality of individual goals and operators, and also the individuality of the cognitive system factors (e.g. perceptual speed, memory span, and flexibility of closure).  Choice of clothes to wear: this aspect is assumed to be partly determined by the factors of the value system (need for affiliation and need for social recognition), and also by the individual goals.  Changes in the choice of environment: similarly to abovementioned aspect of changes in behavior, changes in the choice of the environment are supposed to reflect need for change (a factor of the value system). These changes correspond to changes in high-level environmental aspects, e.g. changes in places visited.

Neither the list of behavioral aspects proposed in previous section, nor the list of environmental aspects is likely to be complete. Further analysis may reveal other aspects reflecting personality factors and storages. The list therefore should be treated as initial and serving as a basis for further research.

Middle-level aspects of environment reveal the peculiarity of the user’s cognitive and affective systems involved in the processes of identifying invariants and attaining emotional activation needed. So far, only one aspect is recognized:  Tendency to ‘‘being online’’ is assumed to reveal the individuality of factors of the cognitive system (perceptual speed, verbal comprehension, extraversion, etc.), and also need for exhibition (a factor of the value system). Low-level environmental aspects are determined by the factors from the low-level personality systems (the sensory and the motor systems) implementing a transformation between psychological information and physical energy. Among these aspects are:

6. Framework for USD: object system and technical system Psychological personality of a human along with behavioral and environmental aspects reflecting this personality constitutes the foundation for the conceptual framework of USD introduced in this section. The proposed framework depicted in Fig. 6 consists of two parts: descriptive (object system) and prescriptive (technical system). The descriptive part is concerned with the user of a mobile device, his/her behavior and environment. It describes what the user’s psychological personality is composed of and what aspects of behavior and environment reflecting this personality may be used to differentiate the user from impostors. The part of reality described by this part of framework, i.e. the user, his/her behavior and environment, is referred to as an object system. In turn, the prescriptive part deals with technical system, which is placed above the object system with the aim to employ the object system for USD purposes. This part outlines the way the components of the technical system may be used to realize the USD based on the peculiarities of user behavior and environment.

6.1.

Object system

A description of the object system is provided by this part of the framework. Specifically, it explains how user personality

Environment High-level aspects: - choice of people to contact with - choice of places to visit - choice of tools (software)

- personal preferences - choice of clothes to wear - changes in the choice of environment

Middle-level aspects: - tendency to “being on-line”

Low-level aspects: - choice of screen resolution - choice of volume level

2

We limit the environmental aspects to those that may interact or otherwise be in contact with the device.

Fig. 5 – Individual aspects of (observed) environment.

164

computers & security 26 (2007) 154–176

User

Contains

Personal. systems

Contains Aspects

Determines

Behavior

Factors

Profile

Contains Models

Described by

and

Contains

Described by

Reference model

environment

Contains

Personality

Behav./Environm.

Determines

Characteristics

Described by

Measured by

Object system

Model

Measurement

Personality

Features

Are based on Measures

Technical system

Fig. 6 – Framework for behavior- and environment-based user substitution detection.

is reflected in his/her behavior and environment according to the multifactor-system theory and the Social Cognitive Theory. This description uses the terms of human personality, behavior, and environment that were examined in previous sections. Personality: from trait perspective, personality traits are considered as dimensions of individual differences that influence patterns of thoughts, feelings, and actions (McCrae and Costa, 1999). According to McCrae and Costa (1999), these traits represent individual difference variables. In our framework, these individual differences are important for differentiating between the user and an impostor, and therefore personality is seen as a complex of relatively enduring aspects which make a person distinct from other individuals. As described in Royce and Powell’s multifactor-system theory of individuality summarized in Section 3, personality comprises multiple personality factors organized into six personality systems on three hierarchical levels. Also the inter-person differences in goals, operators, invariants, and motor programs contribute to the personality of a human. Behavior and environment: the personality factors and storages are latent and hence cannot be directly observed and measured. However, according to the Social Cognitive Theory, these factors and storages are reflected in different aspects of behavior and environment, that can be observed directly. Similarly to the personality systems, these aspects of behavior and environment are divided into three hierarchical levels. Aspects of a level are assumed to reflect the personality factors of the corresponding level of personality. For example, as described in Section 4, ‘‘changes in behavior’’ (a high-level aspect of behavior) is assumed to reflect the need for change factor (i.e. the factor belonging to the high-level value system). Similarly, ‘‘concepts used’’ (a middle-level aspect of behavior) is assumed to reflect individual’s invariants (a storage from

the middle level of personality). The organization of aspects into levels does not mean that a given aspect is influenced only by factors/storages from the corresponding level of personality. Equally, it is difficult to divide aspects into categories corresponding to the personality systems, since one and the same aspect is likely to be influenced by multiple personality systems from one or several levels. Each of the behavioral and environmental aspects, in turn, may be described by one or several characteristics. For example, the accuracy in typing can be taken as a characteristic describing ‘‘accuracy’’ (middle-level aspect of behavior). Tentative characteristics to describe various individual behavioral and environmental aspects hypothesized in the previous sections are presented in Table 1. Some of the aspects (e.g. choice of clothes to wear) that cannot be automatically monitored by contemporary mobile devices are excluded from the table.

6.2.

Technical system

Since the above object system is employed for USD purposes, there is a need for a technical system that would implement identity verification relying on the described object system. In the implementation, the personality (as reflected in behavior and environment) of the user should be described by quantitative measurements. The model describing the regularities of these measurements should be created and stored for further reference, and the stored model should be further used during the user identity verification process. These measurements and models are represented, respectively, by the measurement and by the reference model elements of the framework, as shown in Fig. 6. Finally, the verification process involves comparison of current measurement results against the information in the reference model. If the comparison reveals significant

computers & security 26 (2007) 154–176

165

Table 1 – List of distinctive characteristics Level

Aspect(s)

Personality reflected in behavior High Way of obtaining information Way of communication with others Way of performing tasks

Movements

Middle

Low

Time devoted to work Changes in the behavior Concepts used Speed of comprehension Decision-making Accuracy Disposition towards communication Way of writing Way of typing Voice

Personality reflected in environment High Choice of people to be in contact with Choice of places to visit Choice of tools Changes in the choice of environment Middle ‘‘Being online’’ Low Choice of screen resolution Choice of volume level

Characteristics –Device’s facilities usage –Sequences of actions followed –Temporal lengths of actions –Temporal intervals between actions in a sequence –Retrieving contact details from the device’s memory vs. entering them ad-hoc –Use of shortcuts vs. use of menu –Routes taken –Speed of move conditioned on route/time –Length of work day –Changes in behavior –Words or phrases used more often –Time of reading a unit of textual information –Time between incoming event and response conditioned on time of day –Accuracy in typing, in menu item selection, etc. –Time devoted to communication –Pressure, direction, acceleration, and length of strokes –Temporal characteristics of keystrokes –Statistical characteristics of voice

–People contacted, conditioned on type of communication, time, etc. –Places visited, conditioned on time of day, week, etc. –Set of software installed –Changes in the choice of environment –Time, when the user is online –Current screen resolution –Volume level

dissimilarity, it may indicate that a user substitution has taken place. While a detailed elaboration of the technical system design is out of the scope of this paper, the outline of the system components is provided below. Measurement: to be used in (automatic) UIV, the characteristics of user behavior and environment should be quantitatively measured. For this, one or more appropriate observable variables, or measures should be assigned to each characteristic. These variables can be directly measured, and the results are stored as numerical or categorical values. Tentative measures to be assigned to the distinctive characteristics are proposed in Table 2. For example, ‘‘frequency of typing errors’’ may be employed as a measure of the characteristic ‘‘accuracy in typing’’. Three characteristics – set of installed software, current screen resolution, and volume level – can be measured by a single measure indicating changes of device configuration made. Therefore, these three characteristics were united in the table into a single characteristic. Not always the values of measures are immediately useful in evaluating the corresponding characteristics. Therefore, a set of linear or nonlinear transformations is often applied to the measures. Such transformations are employed, for example, in estimating statistical characteristics of voice. In particular, fast Fourier transform is employed in order to calculate the cepstrum coefficients of the power of voice signal (Brunelli and Falavigna, 1995; Campbell, 1997). Additional transformations, such as feature extraction procedure (Bishop, 1995), can also be applied in order to reduce the dimensionality of the data and to reveal the features whereby

better distinction between the user and impostors can be achieved. The features, extracted through the above transformations, are used to quantitatively evaluate the behavioral or environmental characteristics. The characteristics, according to the Social Cognitive Theory, depend on the personality factors, and hence these features can be assumed to be dependent on them, too. Therefore, the features can be seen as measurable indicator variables (Lee, 1997), wherein the latent variables (personality factors) are manifested. Reference model: in identity verification process, the behavior and environment of the user is compared against the behavior and environment of the person currently interacting with the device. Therefore, the behavior and environment of the user represented by feature values should be stored in a profile for further reference. Thus, the content of the profile can be seen as the quantitative description of user behavior and environment stored for further use. In the simplest case, the profile may contain all the collected values of features. Alternatively, the employed features may be assigned specific models that describe the regularities of feature values in a compact form. Examples of these models are probabilistic models, sets of rules, or boundary description (Tax, 2001).

6.3.

Process of user identity verification

In the proposed framework, the verification of user identity is divided into the learning and the verification phases. In the learning phase, through the monitoring of the behavior and

166

computers & security 26 (2007) 154–176

Table 2 – Tentative measures to be employed in mobile-user substitution detection Characteristic

Measures (observable variables)

Device’s facilities usage

Type of program or service evoked; temporal interval between two consecutive evocations of a program or service of a same type

Sequences of actions followed

Sequences of n actions

Temporal lengths of actions

Temporal lengths of actions

Temporal intervals between actions in a sequence

Temporal intervals between subsequent actions

Retrieving contact details from the device’s memory vs. entering them ad hoc

Way of entering or retrieving contact details

Use of shortcuts vs. use of menu

For each menu command with shortcut, the chosen option

Routes taken

Sequence of cells traversed between two consecutive prolonged stops

Speed of move conditioned on route/time

Speed of move conditioned on route and time

Length of work day

Time that the terminal is in the place affiliated with the user’s workplace(s); day/ time of main activities

Changes in behavior

Changes in behavioral characteristics

Words or phrases used more often

Frequency of different words used in a piece of handwriting (with stylus) or typing

Time of reading a unit of textual information

Time during which a document is open for reading

Time between incoming event and response conditioned on time of day

Temporal interval between reading an incoming message (e.g. e-mail or SMS) and writing the response

Accuracy in typing, menu item selection, etc.

The ratio of errors to the overall number of actions, i.e. the frequency of mistyped keystrokes, errors in menu item selection, etc.

Time devoted to communication

Time during a day spent for communication (using terminal) by different types of communication (calls, e-mails, etc.)

Pressure, direction, acceleration, and length of strokes

Pressure, direction, acceleration, and length of strokes

Temporal characteristics of keystrokes

Key duration time, inter-key latency time

Statistical characteristics of voice

Cepstrum coefficients of the signal power

People contacted with, conditioned on type of communication, time, etc.

Phone number, e-mail address, or other address information of the contacted people

Places visited, conditioned on time of day, week, etc.

Locations where prolonged stops were made

Changes in the choice of environment

Changes in environmental characteristics

Time, when the user is online

Time, during which the communication facilities of the terminal are not deliberately restricted

Set of installed software

Changes of device configuration

Current screen resolution Volume level

environment of the legitimate user, the values of a set of measures are obtained by a data collector (Fig. 7). These values are transformed into a set of features by the feature extractor, and the features are then fed to the learner responsible for building the models to be stored in the reference profile. In turn, the user identity verification is performed by comparing the model of the user included in the profile of the reference model against the behavioral and environmental measures of the person currently interacting with the device. The comparison itself is performed by an analyzer (Fig. 7), which is a computational processing element responsible for the assessment of the match between the reference models and the current values of the features. If the comparison reveals a significant mismatch, then a user substitution is suspected. The comparison procedure implements a verification technique that may be based on statistical outlier detection, autoassociation-based classification, etc. (Tax, 2001). Instead of a single

analyzer processing the entire set of features, several analyzers may be employed. In this case, the features are grouped in several subsets (a feature may belong to one or several subsets), and a separate analyzer is assigned to every subset. The outputs of separate analyzers are subsequently combined, so that a final decision about user identity could be produced. The following arguments justify the use of multiple analyzers:  Different aspects of behavior or environment and therefore different features may require different techniques to analyze them. This may be caused, e.g. by the difference in the nature of measures (e.g. categorical vs. numerical measures) or by difference in scales.  Even if the use of a single analyzer to process the entire set of measures is possible, the complexity of the analysis grows exponentially with the number of features due to the curse of dimensionality (Bishop, 1995). The division of

167

computers & security 26 (2007) 154–176

Reference model

Profile

Contains Models Learner

Model

Analyzer

KB of verification and combining techniques

Features

Measurement

Feature extractor

Are based on Measures

Information flow

Data collector

Fig. 7 – Process of behavior- and environment-based identity verification.

the set of features into subsets and treating them independently simplifies the analysis process. As a result, provided an appropriate combining technique is applied, the accuracy of detection may improve (Ross and Jain, 2003).  Finally, only a subset of measures (and hence features) may be available at a given point in time. For example, keystroke dynamics can be analyzed only when the user or an impostor is typing. Having divided the characteristics and features into groups, it is possible to verify user identity by analyzing only those groups wherein the variables can be measured currently. As a result, the context, in which identity verification may be performed, can be broadened. Thus, different aspects of behavior and environment may be analyzed using different techniques depending on the nature of the aspect and the properties of the measures collected. Therefore, a knowledge base of available verification techniques is needed for the technical system to be implemented. In addition, if different aspects are to be analyzed independently, there is a need to combine the results of these individual analyses and, hence, a knowledge base of combining techniques is needed as well.

7. Contemporary USD techniques from the perspective of the framework In this section, the concept of USD is compared with similar concepts of authentication, intrusion detection, and fraud detection. Strong and weak sides of the techniques currently employed in authentication, intrusion detection, and fraud detection are examined from the point of view of their suitability for the task of USD. Finally, based on the results of the examination, suggestions are made regarding directions in which further research is needed.

7.1. Related concepts of authentication, intrusion detection, and fraud detection Seen as a security service, USD has some similarities with three other security services, including authentication, intrusion detection, and fraud detection. Authentication can be defined as a process whereby the opposite side (in our case the mobile device) ensures that the user is the legitimate one; it is performed before granting access to the device. Intrusion detection is aimed at revealing any deliberate unauthorized attempt to access information, manipulate information, or render a system unreliable or unusable (Sundaram, 1996). The objective of fraud detection is to reveal a dishonest or illegal use of services, with the intention to avoid service charges (Hollmen, 2000). Below, the similarities and the differences between these concepts and the concept of USD are discussed. Authentication: substitution detection is similar to authentication in the sense that it may be based on the verification of the user identity. However, the difference is that authentication belongs to preventive services and is performed before granting the access, while substitution detection is a service of the detective category, and is performed continuously after the access has been granted. Thus, it is possible to say that substitution detection complements authentication. Intrusion and fraud detection: intrusion detection systems are responsible for detecting a variety of equipment-, service-, and information-oriented attacks. The means of fraud detection employed in mobile communication networks are aimed at revealing service-oriented attacks, and therefore they may be seen as special-purpose intrusion detection services. The attacks which intrusion detection systems are supposed to detect may be classified into eavesdropping and packet sniffing, snooping and downloading, tampering with data, spoofing, flooding, malicious code, exploiting design

168

computers & security 26 (2007) 154–176

and implementation flaws, and cracking passwords and keys (Denning, 1997). A common form of spoofing attack is a masquerade attack, i.e. an attack performed by an impostor who masquerades as a user with legitimate access to sensitive data. It follows from the above definition that the masquerade attack implies user substitution, and hence the user substitution detection can be considered as intrusion detection. However, we consider user substitution detection to be a more general term than intrusion detection. Intrusion detection emphasizes a malicious intent of the intruder (e.g. a masquerader), which may be natural to assume in security applications. Meanwhile, the techniques employed in user substitution detection, in addition to the security domain, can be utilized in other application areas. For example, in the application areas where more than one user per device is allowed, the substitution detection along with user recognition techniques may be employed to detect the moment when the current user of the terminal is substituted and, when possible, to recognize a new user. It might be useful for securing the user private data kept on the terminal, and also for adjusting the functionality and the interface of the terminal, or prefetch data. In such application areas, user substitution represents delegation of authority rather than masquerading, and may have little to do with a violation of security (Bishop, 2002).

7.2. Authentication, intrusion detection, and fraud detection techniques from the perspective of the USD framework A great number of authentication, intrusion detection, and fraud detection techniques have been proposed for the last two decades. Some of them implicitly or explicitly employ UIV relying on user individuality and behavior. These techniques are briefly summarized in this section, and their pros and cons are analyzed from the point of view of their applicability in the USD framework. The research efforts being summarized are concerned with improving performance characteristics of UIV. Such performance characteristics, also relevant for the USD, include the accuracy of verification, rate of errors,3 time of verification, continuity of work, user-friendliness, computational complexity, etc.

7.2.1.

Authentication

Authentication, whereby the device verifies that a person is the one who is eligible to use it, involves verification of user identity and, therefore, may be utilized for USD purposes. Contemporary authentication techniques are based on (i) something one knows (password, PIN, etc.), (ii) something one possesses (e.g. token or smart-card), or (iii) something one is (biological and behavioral characteristics of the user). 3 Two types of errors are encountered: (i) false acceptance errors that occur if an impostor is recognized as a legitimate user, and (ii) false rejection errors that occur if the legitimate user is classified as an impostor. The more accurate the verification, the lower the rates of these errors.

Passwords and PINs used alone fail to provide continuous and user-friendly authentication. As indicated by the survey of Clarke and Furnell (2005), 34% of mobile phone users consider the usage of PIN inconvenient and therefore disable the PIN authentication. It is not continuous either because the identity verification is performed only at some points in time. Besides, a password can be compromised or forgotten. Another approach to authenticate a user may be based on authentication tokens (Corner and Noble, 2002; Ensure Technologies, 2006). Being worn by a user, such a token automatically communicates with the mobile device through a wireless channel and authenticates the user to this device. Consequently, continuous user verification can be achieved. The user has to authenticate to the token periodically. This is supposed to be done infrequently; as a result, the user is expected to perceive the authentication process as less intrusive (as compared with traditional password-based authentication). However, the employment of this technique induces additional costs due to supplementary hardware needed. Moreover, similarly to the device itself, the token can be lost or stolen. Although the above two approaches involve UIV, they are not based on user individuality nor behavior, and therefore are out of the scope of the proposed USD framework. The third approach, however, is directly related to the proposed framework as it is based on various biometrics, i.e. individual biological and behavioral characteristics of a user. As opposed to the PINs and passwords, the biometrics cannot be easily compromised or forgotten; some biometrics could even provide continuous and user-friendly identity verification. The problem is that biometric measurements vary in time for the same person. Consequently, the authentication based on such biometric measurements may result in a poor accuracy (Chandra and Calderon, 2005). For example, the false rejection rate for face recognition and for fingerprints verification may reach 40 and 44%, respectively (Phillips et al., 2000). The accuracy of authentication based on behavioral characteristics, may be even worse. The authentication based on biological characteristics suffers from further limitations. Some of the characteristics involved do not support continuous and user-friendly authentication (such as fingerprints or hand geometry) while others (such as face recognition) require considerable computational resources and therefore may be unpractical given restricted computational power of modern mobile devices. Special hardware is required as, e.g. fingerprint scanner to implement the authentication; this adds to the total cost of the device. In addition, the use of biological biometrics in authentication is often intrusive and may encourage the user to disable or circumvent such a security means. The authentication techniques based on behavioral characteristics can eliminate or alleviate the problems mentioned above. Examples of such techniques are those based on voice recognition and on typing rhythms. They are not intrusive, relatively conservative in resource consumption, support continuous UIV, and often do not require additional hardware. However, their use in authentication is limited, probably

computers & security 26 (2007) 154–176

because of relatively long time needed to accurately verify user identity. To strengthen biometrics-based authentication, multiple biometrics are often analyzed simultaneously. A number of studies are devoted to the problem of the user authentication based on multiple biometrics. This form of authentication is referred to as multi-modal user authentication. Many studies focus on combining visual and acoustic features for identity verification purposes (for example, Choudhury et al., 1999; Ben-Yacoub et al., 1999; Verlinde et al., 2000; Sanderson and Paliwal, 2004; Cheng et al., 2005). In the work by Koreman et al. (2006), voice, face, and signature are used in combination for PDA-user identity verification. The combination of written signature and fingerprints is explored by Fierrez-Aguilar et al. (2005). Combinations of face, fingerprint, hand geometry, and speech-based biometrics have been investigated at Michigan State University, and the reported studies concentrate on integrating face and fingerprints (Hong and Jain, 1998; Snelick et al., 2005), fingerprints, face, and speech (Jain et al., 1999), and face, fingerprint, and hand geometry (Ross et al., 2001; Ross and Jain, 2003) within a single authentication approach. It is noteworthy that only two behavioral characteristics (voice and written signature) have been used in the research devoted to combining multiple biometrics. To the knowledge of authors, environmental characteristics have not been used for UIV purposes, neither singly nor in combination with other behavioral or environmental characteristics.

7.2.2.

Intrusion detection

Intrusion detection approaches may be divided into those based on anomaly detection and those based on misuse detection. The approaches based on anomaly detection track user behavior and try to determine (on the basis of users’ personal profiles) whether their current activities are consistent with the established norm of their behavior. Contrary to this, the misuse detection approaches utilize knowledge about unacceptable behavior and directly search for the occurrences of such behavior. As was explained in Section 7.1, the masquerade attacks dealt with by intrusion detection systems (IDS) are essentially user substitution cases. Furthermore, the above two approaches to intrusion detection may be aligned with the two approaches to the USD discussed in Section 2, namely, with the USD via user identity verification, and the USD via impostor recognition:  USD via user identity verification: this first approach involves continuous verification of user identity. In other words, it verifies whether the user is present and alarms if the verification fails. This is therefore similar to the anomaly detection in a sense that deviations from an established norm are searched for.  USD via impostor recognition: this approach is complementary to the first one and involves detecting predefined patterns associated with impostor activity or identity. Thus, it is aimed at detecting the presence of an impostor, and is similar to the misuse detection.

169

Thus, the USD based on UIV is similar to the anomaly intrusion detection. Moreover, we argue that most of (if not all) the anomaly intrusion detection techniques focusing on the detection of the masquerade attacks explicitly or implicitly assume the individuality of user behavior. For example, in the paper presenting neural network intrusion detection, the authors stated that they ‘‘believe that a user leaves a ‘print’ when using the system; a neural network can be used to learn this print and identify each user much like detectives use thumbprints to place people at crime scenes’’ (Ryan et al., 1998, p. 943), and, later, ‘‘the set of commands used and their frequency, therefore, constitute a ‘print’ of the user, reflecting the task of the user and the choice of application programs, and it should be possible to identify the user based on this information’’ (Ryan et al., 1998, p. 945). Therefore, it is reasonable to expect that the techniques devised for the detection of the masquerade attacks fit the proposed framework. The analysis of user behavior characteristics has proven fruitful in many approaches to the anomaly intrusion detection, whose functioning involves detecting anomalies in user behavior. Probably the most often cited of them is the statistical approach used in NIDES (Anderson et al., 1995a,b). More recently, many other approaches have been investigated as reported in Ryan et al. (1998), Lee and Stolfo (2000), Upadhyaya et al. (2001), Sequeira and Zaki (2002), Lane and Brodley (2003), Yeung and Ding (2003), Shavlik and Shavlik (2004), Maxion and Townsend (2004), Kim and Cha (2005), Ma¨ntyja¨rvi et al. (2005), and Sun et al. (2006), to mention a few. In these approaches, different measures are monitored to model user behavior: frequencies and sequences of Unix shell commands or system calls, temporal parameters of user actions and temporal intervals between them, etc. The reported results indicate the feasibility of the use of these measures for intrusion detection. The choice of the characteristics has been rather data- and technology-driven, i.e. governed by available data and processing techniques. The choice itself is based either on the intuition of researchers or other experts (as in Ryan et al., 1998), or on the supporting knowledge discovery tools juxtaposing the data describing the behavior of different users (as in Lee and Stolfo, 2000). Substantial efforts in intrusion detection research have been devoted to combining multiple characteristics, techniques, and their outcomes as a means of improving detection performance. Combining multiple characteristics can be exemplified by the statistical component of NIDES (Anderson et al., 1995a,b), which is capable of monitoring and processing multiple characteristics describing user behavior. Some approaches combine several anomaly and/or misuse detection techniques within one IDS (Porras and Neumann, 1997; Valdes and Skinner, 2000; Giacinto et al., 2003). Finally, sizeable amount of work have been dedicated to combining the outcomes (i.e. alerts) of the IDSs by means of alert aggregation, multistep correlation, multisensor correlation, and filtering (Haines et al., 2003). Since up to 20,000 alarms may be produced by the IDSs daily (Manganaris et al., 2000), the set of alarms should be compressed (aggregated) into a manageable number of reports (Valdes and Skinner, 2001; Porras et al., 2002; Xu and Ning, 2004). Alert filtering

170

computers & security 26 (2007) 154–176

is justified by the fact that up to 99% of the raised alarms are false positives (Julisch and Dacier, 2002); many of these alerts can be filtered using automatically or manually created rules (Clifton and Gengo, 2000; Manganaris et al., 2000; Julisch and Dacier, 2002). When an attack involves several steps detected separately, the corresponding alerts may be collected in a single report; this is achieved through a multistep correlation (Valdes and Skinner, 2001; Debar and Wespi, 2001; Ning et al., 2002; Cuppens and Miege, 2002; Wang et al., 2005). Besides, different IDSs may detect different or the same steps of an attack. The alerts produced by these IDSs should be correlated; this is referred to as the process of multisensor correlation (Valdes and Skinner, 2001; Debar and Wespi, 2001; Ning et al., 2002; Goldman et al., 2001). However, to our knowledge, no reported research has focused on combining multiple techniques of detecting masquerade attacks. Thus, when considered from the perspective of the proposed framework, contemporary intrusion detection techniques may be enhanced. Firstly, the set of measures currently employed in intrusion detection is limited and may be extended for USD, e.g. by taking into consideration individual environmental aspects. Additional characteristics and measures may provide further information describing the user, and consequently, the detection accuracy may improve. Secondly, research on combining multiple techniques of detecting masquerade attacks appears to be missing; further research on USD should address this issue. Finally, the reported techniques dealt with static hosts; i.e. intrusion detection techniques are rarely tailored to mobile devices. The works of Zhang and Lee (2003) and Sun et al. (2006) which take into account mobility patterns of users in intrusion detection are rather exceptional.

7.2.3.

Fraud detection

While the intrusion detection means are aimed at detecting equipment-, service- and information-oriented attacks, the means of fraud detection focus on the detection of serviceoriented attacks only, and therefore they may be seen as a specific type of intrusion detection means. The techniques employed in fraud detection may be divided into the techniques based on absolute analysis, and the techniques based on differential analysis (Hollmen, 2000). The techniques based on absolute analysis employ models of normal and fraudulent calling activity, whereas the techniques based on differential analysis detect anomalous changes in behavior. The techniques of the second category often assume that frauds are caused by impostors, and hence attempt to detect frauds through detecting user substitution. As the user substitution is detected by analyzing the changes in behavior, an implicit assumption is made regarding the individuality of the user behavior. Thus, fraud detection in these techniques is achieved through the verification of user identity by analyzing his/her behavior. These techniques therefore are related to the proposed USD framework. A number of fraud detection techniques based on differential analysis have been proposed. Different approaches were investigated by Hollmen (2000); self-organizing maps, adaptive Gaussian mixture model, regime-switching time-series

model, and extension of hidden Markov models were employed to model user behavior. Fawcett and Provost (1997) employed data-mining and machine learning techniques for fraud detection purposes. Many other fraud detection approaches based on differential analysis have been investigated and reported, e.g. in Burge and Shawe-Taylor (1997), Samfat and Molva (1997), Buschkes et al. (1998), and Cahill et al. (2002). The characteristics and measures used in fraud detection techniques are not limited by behavioral characteristics; they also employ individual environmental characteristics, e.g. information about visited places. Unfortunately, the abilities of the above fraud detection techniques are restricted due to their focus on illegal use of network services. Thus, should an impostor pursue equipment- or information-oriented goals, it would be unlikely that the user substitution would be detected by the above techniques. For example, these techniques fail to reveal illegal access to the information stored on the device. The research in differential-analysis based fraud detection has addressed, to some extent, the problem of combining several techniques in order to increase the accuracy of detection. Howard and Gosset (1998) report a performance improvement due to the combination of three fraud detection techniques, among which there is a technique based on differential analysis. Logistic regression was employed to adjust this combining technique. Fawcett and Provost (1997) utilized weighted sum of analyzers’ outputs as their combining technique; weights were learnt using linear threshold units.

7.3.

Directions for further research

As summarized above, previous research in the domains of authentication, intrusion detection, and fraud detection has resulted in a vast number of techniques that are currently used or can be used for USD purposes. In all these domains, this research can be broadly divided into three subareas which are: (i) extension of the set of characteristics and measures employed; (ii) improvement or extension of the techniques that analyze these measures, and (iii) improvement of combining techniques. When one or several new characteristics to differentiate between the user and impostors is proposed in the first subarea, appropriate techniques to analyze these characteristics need to be identified. As the research aimed at improving these techniques provides more and more techniques, the third subarea of research emerges striving for further improvement in performance by combining multiple characteristics and techniques. Similarly, further research in USD may be divided into three subareas. It is possible to divide the future research into being extension- or intensification-oriented. Extension orientation implies efforts to extend the number of characteristics and measures and the number of UIV techniques to analyze these measures. Intensification orientation refers to more efficient analysis of the available measures. It can be achieved through the improvement of the techniques of analysis, as well as through the improvement of the combining techniques.

computers & security 26 (2007) 154–176

Extension-oriented research: past research produced an extensive set of characteristics to be used for UIV. However, their choice was often based on the intuition and experience of experts rather than on solid theoretical foundations. To our knowledge, the proposed USD framework is the first attempt to build a systematic approach covering the whole field of these characteristics. Further research is expected to result in an extended set of characteristics and measures aimed at improving the performance of detection. In turn, additional characteristics and measures require additional techniques to analyze them. Accordingly, an extension of the set of UIV techniques is to be produced in further research. The additional techniques not only would analyze new characteristics but also can be used to analyze the previously known characteristics while optimizing or improving different aspects of performance. For example, while one technique may prioritize the time of verification, another one may be aimed at reducing the computational overhead. Intensification-oriented research: as the number of characteristics and UIV techniques grows, some of them may be made obsolete by other characteristics or techniques, respectively. If the use of, say support vectors, provides better results compared to the technique relying on Parzen windows density estimation, the latter technique being less efficient might become obsolete. By applying a better technique, the same characteristics may be analyzed more efficiently, or in other words, utilized more intensively. Often, however, instead of selecting a single (best) subset of characteristics or selecting a single (best) UIV technique, multiple subsets of characteristics as well as different techniques may be combined. Used together, multiple characteristics and/or multiple techniques are expected to provide complementary pieces of information needed to verify user identity with a high accuracy. Thus, intensification can be achieved through selecting or combining multiple subsets of characteristics and multiple analysis techniques.

8.

Conclusions

Traditionally, the problem of deterring the use of lost or stolen mobile devices is addressed by means of authentication at the preventive stage, and by means of intrusion or fraud detection at the detective stage. The USD is approached by researchers through the detection of anomalous changes in user behavior and environment, or through the recognition of behavior and environment, which is common for impostors. The proposed solutions to the detection problem including frameworks, models, techniques, etc. are often based on heuristics, experience or intuition of experts, or are data-driven. This adhocness is likely to be one of the reasons making the development of new and improved solutions difficult. As a result, while a number of solutions have been proposed, the performance of detection in general, and the detection accuracy in particular is still not good enough. Theories from the domain of psychology offer an opportunity to extend the view of USD research. Using these theories it is possible to explain the differences in human

171

behavior and environment by differences of cognitive processes and psychological/biological factors. Being applied in the USD context, such theories shift the focus of research from the heavily technological aspects of the problem to the social and individual aspects concerning the human being interacting with the device. Such shift in focus is needed in order to understand why the detection of user substitution (either through detecting anomalies or through recognizing patterns associated with impostors) is possible. In turn, this understanding is important in determining the limitations of the contemporary research and thereafter for the development of improved solutions to the problem. The conceptual framework proposed in this paper is aimed at extending the theoretical background behind the solutions currently used in the USD. It is focused only on the USD based on the detection of anomalous changes in the user behavior and environment. The USD problem is seen in this conceptual framework as a problem of verifying user identity. The behavior and environment are considered as reflecting the personality traits of the user. Accordingly, by analyzing certain aspects of behavior and environment, the user identity claim can be accepted or rejected. It is expected that the use of the framework in designing new USD solutions will result in an extended set of individual characteristics and, consequently, in an extended set of techniques to analyze them. As a result, a better model of user behavior and environment may be produced, leading to improved performance of USD systems being implemented. A set of characteristics and measures potentially useful for user substitution detection has been proposed in the paper; however, further empirical research is needed in order to evaluate their suitability. The techniques aimed at (or capable of) the verification of user identity and, hence, detecting user substitution can be found in the fields of authentication, intrusion detection, and fraud detection. Within these fields, USD through UIV may be performed implicitly or explicitly by authentication techniques based on behavioral biometrics, by anomaly intrusion detection techniques, and by fraud detection techniques relying on differential analysis. In this paper, these techniques were considered from the perspective of the framework. Through the analysis of their limitations, directions for further research were formulated. These directions include discovery of characteristics and measures reflecting the user personality, research into the techniques for analyzing the measures to detect user substitution, and investigation of how multiple characteristics and analysis techniques can be combined in order to improve the performance of USD. Among these three directions, the first and the third appear to be less elaborated, and therefore additional research efforts in these directions are essential. It is our belief that the framework contributes to the theoretical body of knowledge related to detective security means. We hope that the framework will open additional directions for further empirical research, and will help both the researcher and practitioner communities in elaborating and implementing new approaches and solutions to USD.

172

computers & security 26 (2007) 154–176

Appendix A. Structure of personality systems

Acknowledgments This work was partly supported by the COMAS Graduate School of the University of Jyva¨skyla¨. The authors would like to thank anonymous reviewers for valuable suggestions and comments.

In Figs. 8–13, structures of six personality systems as suggested by Royce and Powell (1983) are reproduced.

SensoryType

Auditory Acuity

Rhythm

Loudness

Vestibular I

Auditory

Vestibular II

Kinesthetic Sensitivity

Chemical Saturation

Somesthetic-kinesthetic

Taste Quality

Chemical

Brightness

Visual Hue

Visual Acuity

Visual

Temporality

Auditory Closure Auditory Masking

Spatiality

Fig. 8 – The hierarchical structure of the sensory system (Royce and Powell, 1983, p. 87).

Motor Type

Strength Endurance Speed

Power Static Strength Dynamic Strength Stamina Muscular Endurance Speed (Large move) Speed (Small move)

Dynamism

Equilibrium Impulsion Flexibility Dexterity

Posturing Gross Body Equilib.

Vocalization

Steadiness Reflexivity Dynamic Flexibility Extent Flexibility Manual Dexterity Finger Dexterity Control Precision

Reactive Emphasis Gestural

Multilimb Coord.

Bodily Orchestration Precision

Gross Body Coord.

Transport

Vertical Horizontal General Mobility

Activity Level Motor Discharge Consummatory Muscle Tension

Motor Reactivity

Temporality

Articulation Phonation Respiration

Spatiality

Fig. 9 – The hierarchical structure of the motor system (Royce and Powell, 1983, p. 95).

Fluency

Affective Style

Originality

Reasoning

Surgency Conditionability Self-Sentiment

Word Fluency Ideational Fluency Expressional Fluency Associational Fluency Sensitivity to Problems Semantic Redefinition

Induction Deduction Spontaneous Flexibility

Conceptualizing

Dominance Self-sufficiency Gregariousness

Affectothymia

Emotional Independence

Physiognomic vs.Literal

Tendermindedness

Realism

Number

Verbal

Reflection vs. Impulsivity

Cognitive Style

Cooperativeness

Verbal Comprehension Syllogistic Reasoning

Memorization

Trust

Memory Span Associative Memory Memory for Designs

Spatial Relations Flexibility of Closure Speed of Closure Figural Adaptive Flexibility Spatial Scanning Perceptual Speed Visualization

Perceiving

Tolerance for the Unconventional

Rational Empirical Metaphoric

Constricted vs. Flexible Control

Emotional Stability

Cycloid Tendency Ego Strength

Autonomic Balance Ergic Tension Fearfulness Guilt

Escape Territoriality Avoidance

Spatiovisual

Compartmentalization Conceptual Integration

Analytic vs. Relational Abstract vs. Concrete Sharpening vs. Leveling

Cognitive Complexity Category Width Conceptual Differentiation

computers & security 26 (2007) 154–176

173

CognitiveType

Symbolizing

Imaginativeness

Fig. 10 – The hierarchical structure of the cognitive system (Royce and Powell, 1983, p. 109).

AffectiveType

Introversion-Extraversion

Energy Mobilization Anxiety Excitability Autonomy Cortertia Social Inhibition General Inhibition

Fig. 11 – The hierarchical structure of the affective system (Royce and Powell, 1983, p. 123).

Style Type

Cognitive-affective Style

Rational Empirical Metaphoric Rational Empirical Metaphoric

Fig. 12 – The hierarchical structure of the style system (composed from figures in Royce and Powell (1983, pp. 136, 140, 142)).

174

computers & security 26 (2007) 154–176

ValueType

Cognitive Values (Interests)

Social

Cognitive-affective Values

Intrinsic Self

Social

Military Mechanical Adventure Agriculture Nature Science Mathematics Medical Science Medical Services Writing Art Music/Drama Public Speaking Law/Politics Merchandising Sales Office Practices Mathematics Military Public Speaking Law/Politics Law/Politics Domestic Arts Teaching Social Services Religion Medical Services

Conventional Social

Self

Artistic Enterprising

Contact

Intrinsic

Realistic Investigative

Social

Interdependence

Self

Cognitive Structure Order Impulsivity Achievement Endurance Sentience Understanding Change Nurturance Affiliation Abasement Defendence Aggression Dominance Exhibition Play Social Recognition Succorance Harmavoidance Autonomy

Organization General Achievement Meaning

Intrinsic

Self-protection Ascendence

Affective Values (Needs)

Fig. 13 – The hierarchical structure of the value system (composed from figures in Royce and Powell (1983, pp. 148, 151, 155)).

references

Allport GW. Personality, a psychological interpretation. London: Constable & Co.; 1937. Anderson D, Frivold T, Valdes A. Next-generation intrusion detection expert system (NIDES): a summary. Technical report SRI-CSL-95–07. Menlo Park, California: Computer Science Laboratory, SRI International; May 1995a. Anderson D, Lunt T, Javitz H, Tamaru A, Valdes A. Detecting unusual program behavior using the statistical components of NIDES. SRI technical report SRI-CRL-95-06. Menlo Park, California: Computer Science Laboratory, SRI International; May 1995b. Anderson JR. Cognitive psychology and its implications. 5th ed. 2000. New York. Bandura A. Social foundations of thought and action: a social cognitive theory. Englewood Cliffs, NJ: Prentice Hall; 1986. Bandura A. Social cognitive theory. Annals of Child Development 1989;6:1–60. Ben-Yacoub S, Abdeljaoued Y, Mayoraz E. Fusion of face and speech data for person identity verification. IEEE Transactions on Neural Networks 1999;10(5):1065–74. Bishop CM. Neural networks for pattern recognition. Oxford: Oxford University Press; 1995. Bishop M. Computer security: art and science. Addison Wesley Professional; 2002. Brunelli R, Falavigna D. Person identification using multiple cues. IEEE Transactions on Pattern Analysis and Machine Intelligence 1995 October;17(10):955–66. Burge P, Shawe-Taylor J. Detecting cellular fraud using adaptive prototypes. In: Fawcett T, editor. Technical report of AAAI-97 workshop on AI approaches to fraud detection and risk management, WS-97–07. AAAI Press; 1997. p. 1–8. Buschkes R, Kesdogan D, Reichl P. How to increase security in mobile networks by anomaly detection. In: Fourteenth annual computer security applications conference. IEEE Computer Society; 1998 December. p. 3–12.

Cahill MH, Lambert D, Pinheiro JC, Sun DX. Detecting fraud in the real world 2002. p. 911–29. Campbell Jr JP. Speaker recognition: a tutorial. Proceedings of The IEEE 1997 September;85(9):1437–62. Carver C, Scheier M. Perspectives on personality. 4th ed. Boston: Allyn and Bacon; 2000. Cattell RB. The description of personality: principles and findings in a factor analysis. American Journal of Psychology 1945;58: 69–90. Cattell RB, Eber HW, Tatsuoka MM. Handbook for the sixteen personality factor questionnaire (16 PF). Champaign, IL: Institute for Personality and Ability Testing; 1970. Chandra A, Calderon T. Challenges and constraints to the diffusion of biometrics in information systems. Communications of The ACM 2005;48(12):101–6. Cheng H-T, Chao Y-H, Yeh S-L, Chen C-S, Wang H-M, Hung Y-P. An efficient approach to multimodal person identity verification by fusing face and voice information. In: IEEE international conference on multimedia and expo (ICME 2005); 2005. p. 542–5. Choudhury T, Clarkson B, Jebara T, Pentland A. Multimodal person recognition using unconstrained audio and video. In: The second international conference on audio-visual biometric person authentication; 1999. p. 176–81. Clarke NL, Furnell SM. Authentication of users on mobile telephones – a survey of attitudes and practices. Computers and Security 2005 October;24(7):519–27. Clifton C, Gengo G. Developing custom intrusion detection filters using data mining. In: Twenty-first century military communications conference proceedings (MILCOM 2000), vol. 1. IEEE Communications Society; 2000 October. p. 440–3. Corner M, Noble B. Zero-interaction authentication. In: Akyildiz IF, Lin JYB, Jain R, Bharghavan V, Campbell AT, editors. Proceedings of the eighth ACM conference on mobile computing and networking, New York, NY, USA. ACM Press; 2002 September. p. 1–11. Cuppens F, Miege A. Alert correlation in a cooperative intrusion detection framework. In: Proceedings of 2002 IEEE symposium

computers & security 26 (2007) 154–176

on security and privacy, Washington, DC, USA. IEEE Computer Society; 2002 May. p. 187–200. Debar H, Wespi A. Aggregation and correlation of intrusiondetection alerts. In: Lee W, Me L, Wespi A, editors. Recent advances in intrusion detection (RAID 2001). Number 2212 in lecture notes in computer science. Berlin/Heidelberg: Springer-Verlag; 2001. p. 85–103. Denning D. Cyberspace attacks and countermeasures, Internet besieged: countering cyberspace scofflaws. Boston, MA: Addison-Wesley Professional; 1997. p. 29–56. Ensure Technologies. User’s guide for XyLoc client ver 8.x.x. Available from: ; 2006 April. Eysenck HJ. The structure of human personality. 3rd ed. London: Methuen; 1970. Eysenck HJ. Models and paradigms in personality research. In: Angleitner A, Furnham A, VanHeck G, editors. Personality psychology in Europe: current trends and controversies, vol. 2. Lisse, Netherlands: Swets & Zeitlinger; 1986. p. 213–23. Eysenck HJ. Biological dimensions of personality. In: Handbook of personality: theory and research. New York: Guilford; 1990. p. 244–76. F-Secure Corporation. Content security at hand. A white paper on handheld device security. White paper. Available from: ; 2002 November [read 30.04.2004]. Fawcett T, Provost FJ. Adaptive fraud detection. Data Mining and Knowledge Discovery 1997;1(3):291–316. Fierrez-Aguilar J, Garcia-Romero D, Ortega-Garcia J, GonzalezRodriguez J. Adapted user-dependent multimodal biometric authentication exploiting general information. Pattern Recognition Letters 2005;26(16):2628–39. Ghosh AK, Schwartzbard A, Schatz M. Learning program behavior profiles for intrusion detection. In: Proceedings of the first USENIX workshop on intrusion detection and network monitoring, Berkeley, CA, USA. USENIX Association; 1999 April. p. 51–62. Giacinto G, Roli F, Didaci L. Fusion of multiple classifiers for intrusion detection in computer networks. Pattern Recognition Letters 2003;24(12):1795–803. Goldman RP, Heimerdinger W, Harp SA, Geib C, Thomas V, Carter RL. Information modeling for intrusion report aggregation. In: Proceedings of the DARPA information survivability conference and exposition II (DISCEX ’01). IEEE Computer Society; 2001 June. p. 329–42. Haines J, Ryder D, Tinnel L, Taylor S. Validation of sensor alert correlators. IEEE Security and Privacy Magazine 2003 January/ February;1(1):46–56. Hofmeyr SA, Forrest S, Somayaji A. Intrusion detection using sequences of system calls. Journal of Computer Security 1998; 6(3):151–80. Hollmen J. User profiling and classification for fraud detection in mobile communications networks. PhD thesis, Helsinki University of Technology; 2000. Hong L, Jain AK. Integrating faces and fingerprints for personal identification. IEEE Transactions on Pattern Analysis and Machine Intelligence 1998;20(12):1295–307. Howard P, Gosset P. D20-Project final report and results of trials. ASPeCT: advanced security for personal communications technologies. Final report AC095/VOD/W31/DS/P/20/E; 1998 December. Jain AK, Hong L, Kulkarni Y. A multimodal biometric system using fingerprint, face, and speech. In: The second international conference on audio-visual biometric person authentication; 1999 March. p. 182–7. Julisch K, Dacier M. Mining intrusion detection alarms for actionable knowledge. In: Zaiane OR, Goebel R, Hand D, Keim D,

175

Ng R, editors. Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, New York, NY, USA. ACM Press; 2002. p. 366–75. Kim H-S, Cha S-D. Empirical evaluation of svm-based masquerade detection using unix commands. Computers and Security 2005;24(2):160–8. Koreman J, Morris A, Wu D, Jassim S, Sellahewa H, Ehlers J, Chollet G, Aversano G, Bredin H, Garcia-Salicetti S, Allano L, Ly Van B, Dorizzi B. Multi-modal biometric authentication on the securephone pda. In: Second workshop on multimodal user authentication (MMUA 2006); 2006. Lane T. Machine learning techniques for the computer security domain of anomaly detection. PhD thesis. W. Lafayette, IN: Purdue University; 2000. Lane T, Brodley CE. Temporal sequence learning and data reduction for anomaly detection. ACM Transactions on Information and System Security 1999;2(3):295–331. Lane T, Brodley CE. An empirical study of two approaches to sequence learning for anomaly detection. Machine Learning 2003 April;51(1):73–107. Lee B. Discovery and representation of casual relationships in mis research: a methodological framework. MIS Quarterly 1997 March;21(1):109–36. Lee W, Stolfo SJ. A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security (TISSEC) 2000;3(4):227–61. Manganaris S, Christensen M, Zerkle D, Hermiz K. A data mining analysis of RTID alarms. Computer Networks 2000 October; 34(4):571–7. Ma¨ntyja¨rvi J, Lindholm M, Vildjiounaite E, Ma¨kela¨ S-M, Ailisto H. Identifying users of portable devices from gait pattern with accelerometers. In: Proceedings of IEEE international conference on acoustics, speech, and signal processing, vol. II; 2005. p. 973–6. Maxion R, Townsend T. Masquerade detection augmented with error analysis. IEEE Transactions on Reliability 2004 March; 53(1):124–47. Mazhelis O, Puuronen S. Characteristics and measures for mobile-masquerader detection. In: Dowland P, Furnell S, Thuraisingham B, Wang XS, editors. Proceedings of the IFIP TC-11 WG 11.1 & WG 11.5 joint working conference on security management, integrity, and internal control in information systems. Springer ScienceþBusiness Media; 2005. p. 303–18. McCrae RR, Costa Jr PT. Towards a new generation of personality theories: theoretical contexts for the five-factor model. In: The five-factor model of personality: theoretical perspectives. New York: Guilford; 1996. p. 51–87. McCrae RR, Costa Jr PT. A five-factor theory of personality. In: Handbook of personality: theory and research. 2nd ed. New York: Guilford; 1999. p. 139–54. McCrae RR, Costa Jr PT. Updating Norman’s ‘‘adequate taxonomy’’: intelligence and personality dimensions in natural language and questionnaires. Journal of Personality and Social Psychology 1985;49(3):710–21. McHugh J. Intrusion and intrusion detection. International Journal of Information Security 2001;1(1):14–35. Ning P, Cui Y, Reeves DS. Analyzing intensive intrusion alerts via correlation. In: Wespi A, Vigna G, Deri L, editors. Recent advances in intrusion detection (RAID 2002). Number 2516 in lecture notes in computer science. Berlin/Heidelberg: Springer-Verlag; 2002. p. 74–94. Norman W. Towards an adequate taxonomy of personality attributes: replicated factor structure in peer nomination personality ratings. Journal of Abnormal and Social Psychology 1963;66:574–83. Pearson F, Weiner N. Toward an integration of criminological theories. Journal of Criminal Law and Criminology 1985; 76(Winter):116–50.

176

computers & security 26 (2007) 154–176

Phillips P, Martin A, Wilson C, Przybocki M. An introduction evaluating biometric systems. IEEE Computer 2000 Februrary; 33(2):56–63. Porras PA, Fong MW, Valdes A. A mission-impact-based approach to INFOSEC alarm correlation. In: Wespi A, Vigna G, Deri L, editors. Recent advances in intrusion detection (RAID 2002). Number 2516 in lecture notes in computer science. Berlin/ Heidelberg: Springer-Verlag; 2002. p. 95–114. Porras PA, Neumann PG. EMERALD: event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the 20th NIST-NCSC national information systems security conference; 1997 October. p. 353–65. Ross A, Jain A. Information fusion in biometrics. Pattern Recognition Letters 2003;24(13):2115–25. Ross A, Jain AK, Qian J-Z. Information fusion in biometrics. In: Third international conference on audio- and video-based person authentication, Sweden; 2001 June. p. 354–9. Royce JR, Powell A. Theory of personality and individual differences: factors, systems and processes. Englewood Cliffs, NJ: Prentice Hall; 1983. Ryan J, Lin M-J, Miikkulainen R. Intrusion detection with neural networks. In: Jordan MI, Kearns MJ, Solla SA, editors. Advances in neural information processing systems. Cambridge, MA, USA: The MIT Press; 1998. p. 943–9. Samfat D, Molva R. IDAMN: an intrusion detection architecture for mobile networks. IEEE Journal on Selected Areas in Communications 1997;15(7):1373–80. Sanderson C, Paliwal KK. Identity verification using speech and face information. Digital Signal Processing 2004;14:449–80. Sequeira K, Zaki M. ADMIT: anomaly-based data mining for intrusions. In: Hand D, Keim D, Ng R, editors. Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, Edmonton, Alberta, Canada. ACM Press; 2002. p. 386–95. Shavlik J, Shavlik M. Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage. In: Proceedings of the 2004 ACM SIGKDD international conference on knowledge discovery and data mining. ACM Press; 2004. p. 276–85. Snelick R, Uludag U, Mink A, Indovina M, Jain A. Large-scale evaluation of multimodal biometric authentication using state-of-the-art systems. IEEE Transactions on Pattern Analysis and Machine Intelligence 2005 March;27(3):450–5. Stoneburner G. Underlying technical models for information technology security (NIST special publication MD 20899-8930). Gaithersburg: National Institute of Standards and Technology; 2001 December. Straub DW, Welke RJ. Coping with systems risk: security planning models for management decision making. MIS Quarterly 1998 December;22(4):441–69. Sun B, Yu F, Wu K, Xiao Y, Leung VCM. Enhancing security using mobility-based anomaly detection in cellular mobile networks. IEEE Transactions on Vehicular Technology 2006 May; 55(3):1385–96. Sundaram A. An introduction to intrusion detection. ACM Crossroads 1996;2(4):3–7. Tax D. One-class classification. PhD thesis, Delft University of Technology; 2001. Tupes E, Christal R. Recurrent personality factors based on trait ratings. Technical report no. asd-tr-61-97. Lackland Air Force Base, TX: US Air Force; 1961.

Upadhyaya S, Chinchani R, Kwiat K. An analytical framework for reasoning about intrusions. In: Twentieth IEEE symposium on reliable distributed systems, New Orleans, LA; 2001 October. p. 99–108. Valdes A, Skinner K. Adaptive, model-based monitoring for cyber attack detection. In: Debar H, Me L, Wu F, editors. Recent advances in intrusion detection (RAID 2000). Number 1907 in lecture notes in computer science. Berlin/Heidelberg: Springer-Verlag; 2000 October. p. 80–92. Valdes A, Skinner K. Probabilistic alert correlation. In: Lee W, Me L, Wespi A, editors. Recent advances in intrusion detection (RAID 2001). Number 2212 in lecture notes in computer science. Berlin/Heidelberg: Springer-Verlag; 2001. p. 54–68. Veijalainen J. Transactions in mobile electronic commerce. Lecture Notes in Computer Science 1999 December;1773: 208–29. Verlinde P, Chollet G, Acheroy M. Multi-modal identity verification using expert fusion. Information Fusion 2000;1(1):17–33. Wang L, Liu A, Jajodia S. An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts. In: de Capitani di Vimercati S, Syverson P, Gollmann D, editors. Proceedings of ESORICS 2005: 10th European symposium on research in computer security. Volume 3679 of lecture notes in computer science. Berlin/Heidelberg: Springer; 2005. p. 247–66. Xu D, Ning P. Alert correlation through triggering events and common resources. In: ACSAC ’04: proceedings of the 20th annual computer security applications conference (ACSAC’04), Washington, DC, USA. IEEE Computer Society; 2004. p. 360–9. Yeung D-Y, Ding Y. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition 2003; 36(1):229–43. Zhang Y, Lee W. Intrusion detection techniques for mobile wireless networks. Wireless Networks 2003;9(5):545–56.

Oleksiy Mazhelis received a degree of expert in computer engineering from Kharkiv State Technical University of Radio Electronics, Ukraine in 1997, and a Ph.Lic. degree in 2005 from the University of Jyva¨skyla¨, Department of Computer Science and Information Systems, where he is currently pursuing a Ph.D. degree. His research interests include information security, machine learning, user modeling, wireless networks, and software engineering. Seppo Puuronen recieved his Ph.D. (Economics) in computer science in 1988 from the University of Jyva¨skyla¨, Finland. He is now professor of information systems at the University of Jyva¨skyla¨ and he has acted as professor, associate professor and lecturer of computer science at University of Jyva¨skyla¨ and at Lappeenranta University of Technology. He has acted as head of the Department of Computer Science and Information Systems at the University of Jyva¨skyla¨ 1988–89, 1990–91, and 1997 and as head of the COMAS graduate school 1999– 2001. He has written several international journal and conference papers. His main research interests are data mining, knowledge discovery, and computers in education.

computers & security 26 (2007) 177–182

Information security in networkable Windows-based operating system devices: Challenges and solutions Ilan Oshria,*, Julia Kotlarskyb,1, Corey Hirschc,2 a

Rotterdam School of Management Erasmus, P.O. Box 1738, 3000 DR Rotterdam, The Netherlands Warwick Business School, Gibbit Hill, Coventry CV4 7AL, England c Associate Faculty, Information Systems, Greenlands, Henley on Thames Oxforshire, RG9 3AU, UK b

article info

abstract

Article history:

This paper explores information security risks in networkable Windows-based operating

Received 1 November 2005

system (NWOS) devices. While these devices face the same information security risks as

Accepted 8 September 2006

any other Windows platform, NWOS devices present additional challenges to vendors and buyers throughout the product lifecycle. It appears that NWOS devices are particularly

Keywords:

vulnerable to information security threats because of the vendors’ and buyers’ lack of

Information security

awareness of the security risks associated with such devices. Based on evidence collected

Networkable devices

from a manufacturer of Digital Storage Oscilloscopes, the paper offers a set of challenges

Organizational capabilities

faced and solution applied by this vendor in its interactions with buyers. In order to reduce

Management of security risks

the vulnerability of NWOS devices, the paper considers several information security mea-

Vendor–user relationship

sures for the production, sales and after-sales phases. Lastly, the paper outlines the business reasoning for both vendors and buyers to pursue this information security strategy. ª 2006 Elsevier Ltd. All rights reserved.

1.

Introduction

Recent years have seen a surge in the introduction of networkable Windows-based operating system (NWOS) devices. Some examples are home entertainment systems (e.g. Xbox), smart phones (e.g. Motorola i930 and PlamOne’s Treo) and Pocket PC (e.g. Toshiba e850). While NWOS devices present an appealing proposition for both software vendors and buyers in terms of the flexibility to add supplementary software applications, such devices also introduce new challenges in terms of managing information security risks. NWOS devices are particularly vulnerable to information security threats because of the vendors’ and buyers’ lack of awareness of the security risks associated with such devices. In addition to the direct damage to business operations that an infected NWOS device

might cause, other consequences may also include alienated customers and a tarnished reputation (Austin and Darby, 2003). The information security literature has indeed discussed at length prevention, detection and recovery strategies related to information security management (e.g. Joseph and Blanton, 1992; Jung et al., 2001); however, these studies mainly focused on computer- and Internet-related information security threats and highlighted practices associated with the management of software development and information systems that could offer protection from malicious software. In this regard, NWOS devices present an extended set of challenges that call for the development of additional capabilities by the vendor. Indeed, several studies have recently discussed the need to integrate software development and operational processes with

* Corresponding author. Tel.: þ31 10 408 1993; fax: þ31 10 408 9013. E-mail addresses: [email protected] (I. Oshri), [email protected] (J. Kotlarsky), [email protected] (C. Hirsch). 1 Tel.: þ44 2476 524692; fax: þ44 2476 5244539. 2 Tel.: þ44 1491 571454; fax: þ44 1491 571635.

178

computers & security 26 (2007) 177–182

strategic business objectives, when building security into products (McAdams, 2004; von Solms and von Solms, 2004; Taylor and McGraw, 2005; von Solms and von Solms, 2005). Clearly, the careless management of information security of NWOS devices will not only risk the vendor’s or the buyer’s network environment but could also harm the relationships between vendors and buyers, as malicious software may be transferred between their networks during production, sales, and after-sales activities. In a recent article, Arce (2003) acknowledges that networkable gadgets pose unique information security risks to vendors; however, little is so far known about the challenges faced and solutions applied by vendors when managing the information security of NWOS devices throughout the product lifecycle. This paper aims to address this gap by reporting on key information security challenges that vendors of NWOS devices face during the lifecycle of the product. In discussing these challenges, this paper will attempt to bring out aspects relating to the alignment of information security issues, operational activities and strategic objectives that a vendor should consider during the lifecycle of an NWOS product. The challenges faced by vendors will be associated with three phases, critical to devising an information security strategy, during the product lifecycle: production, sales and aftersales. Furthermore, in this paper the solutions applied by a supplier of digital oscilloscope, LeCroy, a New York based company, to reduce the vulnerabilities presented by NWOS devices will be outlined per phase. Lastly, the paper will offer practical implications for vendors attempting to improve their information security strategy in the NWOS devices market.

2. Information security: the case of NWOS devices While the literature on information security has addressed various issues relating to (i) best practices in managing information security programs (e.g. Joseph and Blanton, 1992; Austin and Darby, 2003; Farahmand et al., 2003), (ii) risk management and evaluation of security management programs (e.g. von Solms et al., 1994; McAdams, 2004), and (iii) the links between the management of information security and operational activities (McAdams, 2004), recent studies have claimed that there is a serious lack of empirical research in this area (Kotulic and Clark, 2004), and in practice, firms rarely apply a systematic and methodological approach (Austin and Darby, 2003) that aligns their information security strategy with business objectives and operational processes (McGraw, 2004; von Solms and von Solms, 2004; Taylor and McGraw, 2005; von Solms and von Solms, 2005). Indeed, most vendors of off-the-shelf computing products will either ‘‘bundle’’ an information security solution into the product or give the buyer the freedom to select a solution that fits their needs. In this regard, the market for NWOS devices presents unique challenges, as a vendor of such devices is required to consider information security measures during different stages of the product lifecycle. This is mainly because most buyers of NWOS devices do not consider their devices to be a target for malicious attack by viruses or worms. However, being a NWOS device puts such device under the same

category of most personal computers and servers that operate on Windows platforms. Because of the large installed-base of Windows-based platforms, these are subject to a large majority of hackers’ attacks. Consequently, the risk for NWOS devices has become acute and the challenges that some NWOS devices present to vendors and buyers may require the development of new capabilities. For example, NWOS devices that are designed for a particular usage (e.g. digital microscopes, digital storage oscilloscopes) impose interactions between the vendor and the buyer during the lifecycle of the product. Consider product demonstration activities during which an NWOS device could be connected to the local network to demonstrate its printing capabilities. Without considering the information security risks involved in connecting this networkable device to the buyer’s network, in doing so, the vendor puts at risk the buyer’s network and the demonstration product by allowing the transfer of malicious software from the buyer’s network to the NWOS device and vice versa. The risk can be even more acute should the sales person use the same device while visiting other clients, without protecting both the client’s network and the demonstration device. Table 1 summarizes information security risks that vendors of NWOS devices face when managing their relationship with buyers. Building on existing studies that consider the full lifecycle of software development (e.g. McGraw, 2004), this paper considers three key stages in product lifecycle in which vendors and buyers are likely to interact and in which operational activities can be aligned with information security measures to reduce the vulnerability of the NWOS devices and buyer’s network. The key stages are: production, sales and after-sales activities. The design stage, though is important in building security into the product through software development tools and methodologies, presents little interactions between vendors and buyers that require the development of information security measures. The solutions applied by LeCroy, a vendor of Digital Storage Oscilloscopes (DSO) based in New York, will be discussed at length following the research method section.

3.

Research background

An in-depth case study was carried out in August 2005 at LeCroy Research Systems, New York during which the challenges faced and solutions applied by this vendor of digital storage oscilloscopes were examined and analyzed. LeCroy Research Systems specializes in the design and production of oscilloscopes and other signal analyzer equipment. The company employs more than 400 people worldwide and its 2004 sales amounted to $120 million. In particular, LeCroy’s line of DSOs, also known as the WaveMaster and WaveRunner series, is of interest in this research. Being a networkable Windowsbased operating system device, the WaveRunner posed new challenges to the management of information security of this vendor, which required the company to develop new capabilities related to their information security strategy. The research was designed to capture the information system risks involved in producing and maintaining the WaveRunner throughout the product lifecycle and to collect evidence as to

computers & security 26 (2007) 177–182

Table 1 – Information security risks for vendors of NWOS devices Stage Production

Demonstration activities

Product delivery

Maintenance and upgrades

Risks to vendor  Malicious software that attacks the vendor’s network may infect the production environment and NWOS devices.  Malicious software is transferred from the buyer’s network to the NWOS device during demo activities.  Sales person infects clients’ network with malicious software when demonstrating product functionality that requires connection to the client’s network, thus ruining the vendor’s reputation.  Buyers do not consider the device to be networkable and a target for malicious software, so do not protect the device and its network. The product becomes a risk for the vendor upon return to the factory for repair or upgrade.  Buyers do not update virus definitions, thus allowing malicious software to attack the NWOS device. Upon connection to the vendor’s network for maintenance or upgrade activities, the vendor’s network is at risk.

the solutions applied and capabilities developed by this vendor.

4. Information security in networkable Windows-based operation systems: evidence from LeCroy research systems The trigger: In 2003, LeCroy introduced an oscilloscope (WaveMaster) that operated on Windows 2000. This operating system did not offer a firewall protection, and anti-virus software was not offered or installed on this particular product release. One unit was delivered to a LeCroy client in Japan. After a while, the client contacted LeCroy’s service department with a complaint that the performance of this unit had worsened. To solve this problem, LeCroy suggested that the unit be sent back to the service department for inspection and repair. Anticipating a hardware malfunction or a software glitch in this particular machine, LeCroy’s service engineers were surprised to find that this unit was infected by a malicious worm. LeCroy contacted the client and informed them about their findings. Later on, LeCroy learnt that the client

179

changed some of the settings in the unit that were supposed to provide some protection against malware, and the client also connected this unit to their network without consulting its own Information Systems (IS) department. Following this event, LeCroy re-evaluated its information security strategy by considering various measures needed in securing NWOS devices, as well as in the practices relating to interactions with buyers. The change: Realizing that such events put at risk their relationships with buyers and might damage their reputation, the management at LeCroy started paying more attention to issues pertaining to the information security of the DSO. The following case description outlines the measures taken by the management to ensure that their information security strategy is aligned with operational activities and their business objectives. While the information security strategy developed constantly between 2003 and 2005, we have chosen to report the present state of LeCroy’s information security strategy with regard to NWOS devices.

4.1. Information security practices for production activities Acknowledging that the production environment can also be a source of malicious software, the management of LeCroy took some steps to isolate the production environment and improve engineers’ awareness of information security issues relating to its DSO products. To increase awareness, the company introduced an annual information security fair at which issues relating to the company’s information security strategy were presented and discussed. One engineer described it: Every year we organize a Security Fair, [.] I do the DSO part because I’m in charge of production and I work on the DSO. [.] we have eight different stands where you can go and learn about security. In addition, LeCroy introduced an isolated network for production to eliminate the possibility that malicious software would get into the production environment. One engineer explained: [.] to avoid viruses, Trojan and any security threats, we build these machines on an isolated network. That means this network has no access to the Internet. In addition, to ensure that the production network was isolated, engineers were instructed not to connect external devices (e.g. memory sticks and laptops) or use CDs on the production network. The production procedure was updated to include a final virus check of the DSO before shipping it to a customer. Moreover, information package and anti-virus software were included in each product shipment. Buyers were advised to contact their Information System department prior to connecting the DSO to their network and to install anti-virus software of their preference. To ensure that buyers paid attention to the risk involved in connecting the DSO to the network, LeCroy placed a sticker on the Ethernet socket that said ‘‘This is a Windows networkable device; visit the security

180

computers & security 26 (2007) 177–182

website’’. This way, users had have to consider the consequences of plugging this unit to the network without consulting their IS department. Lastly, LeCroy offered a recovery disk in each product shipment to ensure that, if a DSO did get infected by a virus, the buyer could always restore the unit to its original settings and start again.

4.2.

Information security practices for sales activities

LeCroy invested in educating its sales force about information security issues. The objectives of this training program were twofold. First, it was necessary to educate the sales force to consider information security threats when performing product demonstrations at the buyer’s site. This training included several practices that the sales force was asked to follow. For example, before product demonstrations requiring a connection to the local network, the salesperson should contact the IS department at the site and check their information security arrangements. In addition, the salesperson was instructed to perform a virus check following each product demonstration that included a connection to the network. Nonetheless, one major challenge that the sales force faced when attempting to implement these new practices was the difficulty in getting updates of virus definitions while on the road. This was solved through a synchronization process that the company supported, in which the latest virus definitions and patches were transferred to the salesperson, stored on a memory stick, and later on were uploaded onto the DSO. The second challenge was to train the sales force how to educate buyers about information security risks concerning their DSO. This line of training was particularly challenging, as the sales force was mainly focused on getting ‘‘the deal done’’ and devoted less attention to technical matters. Nonetheless, the management at LeCroy emphasized the importance of educating their buyers about information security risks as a long-term business strategy. Indeed, salespersons, during visits to clients, provided clients with some information about the security risks involved in connecting the DSO to the network and the way to handle information security issues concerning the DSO. One manager explained LeCroy’s approach: We tell the customer if you are going to network this instrument, we advise you to contact your IS department and have them install an anti-virus. And we usually say use Norton’s anti-virus, this is the one we use in the company: it’s been tested on our products and we know that it works. In addition, the salesperson walks the buyer through LeCroy’s website to get them familiar with how security updates can be downloaded and updated. Finally, the company provides an anti-virus package in every box shipped.

4.3. Information security practices for after-sales activities There are two key challenges relating to after-sales activities that LeCroy applied as part of its DSO information security strategy. One issue concerns the way DSOs sent back for repair or upgrade were handled upon arrival. The procedure

applied in this case was similar to the handling of products during production. One key difference was the immediate check for viruses of a returning DSO using an independent CD, ensuring that the unit was clean before admitting it to the service network. The second challenge relates to LeCroy’s responsibility to test that updates from Microsoft, which often result in new updates for anti-virus software, do not affect the functionality of the DSO. To cope with this challenge, LeCroy tested each new update and informed its clients about the compatibility of the update through its website. One manager described this process: [.] anytime new updates for Windows come up, new updates for anti-virus come up, [.] I have to test them on all our platforms. I have to make sure that all these do not affect the functionality of our products. [.] if there’s a new update that doesn’t work, then we will put the warning signs ‘‘do not install this update’’. Reflecting on the evidence presented above, we argue that NWOS devices indeed pose new challenges to vendors in the way information security issues are managed throughout the product life. In the following section we present the implications for practice.

5.

Implications for practice

The main objective in this paper was to report on the information security challenges faced and solutions applied by vendors of NWOS throughout the product lifecycle. Our early discussion outlined the challenges that vendors of NWOS may face in some critical stages in the product lifecycle. LeCroy, a vendor of Digital Storage Oscilloscopes, have addressed these challenges by introducing various measures that attempted to reduce the vulnerability of its NWOS products to malicious software and improve the usage of the product by its clients over time. In doing so, this vendor focused on improving information security practices during production, sales and after-sales activities by building capabilities that aligned their operational activities with their business objectives. It was not our intention to offer a generic model for managing information security risks in the NWOS devices market. Rather, this paper highlights the importance of understanding the nature of challenges that a vendor of NWOS devices may face and to offer an insight into the set of solutions provided by this particular vendor. We acknowledge that the challenges and solutions associated with NWOS devices are contextdependent thus requiring additional research into this emerging market. From a business objectives perspective, pursuing an information security strategy by applying some of the proposed practices in Table 2 can be beneficial for both vendors and buyers in the short- and long-term. In particular, it is imperative that senior managers create an information security policy that takes into consideration the business objectives of the firm (e.g. the retention of clients). In devising such information security policy, senior managers should list down the firm’s business objectives and the information security risks that may hamper achieving

181

computers & security 26 (2007) 177–182

Table 2 – Challenges and solution in managing information security for NWOS devices Stage

Challenges

Production

 Produce virus-free products

Sales

 Ensure virus-free demo devices  Educate buyers about information security risks

After-Sales

 Support buyer’s virus-free usage of the device

them. In addition, the risks in each stage in product lifecycle (i.e. production, sales and after-sales) should be examined from information security viewpoint. For the production stage, the challenges can go beyond the control of management as more companies engage in outsourcing their manufacturing activities. In this case, senior managers require combining business objectives related to managing their supply network with the objectives related to client relationships. Assisting the subcontractor to secure and isolate their production network may seem as a sunken investment from the buyer viewpoint; however, such investments may prove to be critical for the vendor in terms of maintaining their clients satisfied and ensuring high retention levels. Similarly, the sales and after-sales stages require top management’s attention. The challenges involved in aligning business objectives with information security measures concern the handling of demonstration and defect devices. In such cases, third party service provider can also be involved as some companies outsource maintenance activities. Nonetheless, the most significant challenge is to educate the sales force to consider information security risks as part of their daily activities. As argued before, a salesperson would mainly be concerned with ‘‘getting the deal done’’, which is a short term business objective, and may pay less attention to technical and operational aspects such as securing entry points to the demonstration device and the client’s network. These technical and operational aspects are in fact long-term strategic goals that if not carefully implemented, may alienate clients and ruin the firm’s reputation. What value is added from these information security measures? Through such information security measures, vendors of NWOS devices may differentiate their product from vendors who prefer to shift the responsibility for managing information security risks to their clients. Vendors of NWOS devices may offer extra value in offering support with information security risks, thus positioning their product as superior to others and possibly commanding premium prices for their products. In the long-term, bonding clients and vendors through such practices may improve the retention of existing

Solutions  Increase awareness of information security issues through newsletters, fairs, security exercises and conferences  Isolate production network from firm’s network  Check products for viruses before shipment  Provide essential information security tools in product package  Train the sales force to check for virus after each demo  Provide the sales force with the support to download virus definitions and updates while on the road  Provide buyers with critical information about information security risks  Provide support for Windows and anti-virus packages over the web (test and confirm compatibility)  Check returning devices for viruses before connecting them to your network

clients and may offer the vendor additional opportunities to promote new product introductions. In addition, buyers develop a degree of dependency on vendors through constant updates and upgrades related to anti-virus packages, which can in return serve the vendors in future offerings. Buyers, on the other hand, may enjoy a continuous support relating to information security issues from the vendor during the product life, a value-adding activity that also reduces the vulnerability of their network.

references

Austin RD, Darby CAR. The myth of secure computing. Harvard Business Review 2003;June:120–6. Farahmand F, Navathe SB, et al., Managing vulnerabilities of information systems to security incidents. The 5th international conference on electronic commerce ICEC03 Pittsburgh, PA, USA; 2003. Joseph GW, Blanton JE. Computer infectors: prevention, detection, and recovery. Information and Management 1992;23: 205–16. Jung B, Han I, et al. Security threats to Internet: a Korean multiindustry investigation. Information and Management 2001;38: 487–98. Kotulic AG, Clark JG. Why there aren’t more information security research studies. Information and Management 2004;41: 597–607. McAdams A. Security and risk management: a fundamental business issue. Information Management Journal 2004;38(4): 36–44. McGraw G. Software security. IEEE Security & Privacy 2004;2(2): 80–3. Taylor D, McGraw G. Adopting a software security improvement program. IEEE Security & Privacy 2005;3(3):88–91. von Solms B, von Solms R. The ten deadly sins of information security management. Computers and Security 2004;23:371–6. von Solms B, von Solms R. From information security to business security. Computers and Security 2005;24:271–3. von Solms R, van de Haar H, et al. A framework for information security evaluation. Information and Management 1994;26: 143–53.

182

computers & security 26 (2007) 177–182

Dr. Ilan Oshri is Assistant Professor of Strategic Management, Rotterdam School of Management Erasmus, The Netherlands. Ilan holds a PhD degree in technological innovation from Warwick Business School (UK). His main research interest lies in the area of knowledge management and innovation. Ilan has published widely his work in journals and books which include IEEE Transactions on Engineering Management, Communications of the ACM, European Journal of Information Systems, Information Systems Journal, Management Learning, and others. Dr. Julia Kotlarsky is Assistant Professor of Information Systems, Warwick Business School, UK. She holds a PhD degree in Management and IS at Rotterdam School of Management Erasmus (The Netherlands). Her main research interests revolve around social and technical aspects involved in the management of globally distributed IS teams, and IT

outsourcing. Julia published her work in Communications of the ACM, European Journal of Information Systems, Information Systems Journal, International Journal of Production Research, and a number of book chapters. Dr. Hirsch has served as Associate Faculty in Information Systems, and subject tutor and course author in Customer Relationship Management Systems at Henley Management College since January 2002, and recently as tutor in Information and Communications Technology. He completed his Doctorate degree in Business Administration, awarded by Brunel University, London, and his Masters in Business Administration from the University of Oregon. Recently he has earned a Certification in Information Security Management (CISM) from Information Systems Audit and Control Association (ISACA).

computers & security 26 (2007) 183–185

Investigative response: After the breach Christopher J. Novak* Cybertrust Inc., Cybertrust Principal Consultant, Investigative Response, 125 Maiden Lane, 15th Floor, New York, NY 10038, USA

article info Article history: Received 31 July 2006 Revised 29 August 2006 Accepted 29 August 2006 Keywords: Investigative Response Incident Breach Compromise Identity Theft Fraud Cybertrust Forensics

Data security is a function of an effective risk mitigation strategy, encompassing people, technology and process. While that may sound easy enough, any IT security professional will tell you that properly and thoroughly securing an IT environment is an ongoing and uphill battle. Hackers and IT security vendors and administrators play a constant cat and mouse game to stay ahead of one other. We are all painfully aware that 100% security is impossible to achieve – unfortunately, even with 99.9% security, it’s that miniscule 0.1% that is the weak link in the security chain that time and time again ultimately leads to an organization being breached. While many security administrators accept that a breach may occur in their futures, very few have a solid understanding of how they would handle the situation and the investigative response process. Often we find that organizations have an incident response plan that basically ends with, ‘‘Call * Tel.: þ1 212 240 9300x369. E-mail address: [email protected]

a professional’’. Of course, it’s extremely important to understand your limits and know when it’s time to ask for help, but it is just as important to understand what an investigative response engagement entails and have appropriate expectations. This understanding can empower your organization to not only better deal with a potential breach but also minimize both the financial costs of dealing with a loss of sensitive data as well as the public relations aspect of security breach. What is investigative response? It is the process of responding to a computer-related incident in a manner that secures, preserves and documents evidence. This evidence is then used to investigate the systems and infrastructure in order to determine if they played a role in a security breach or data compromise. However, investigative response engagements are far from ‘one size fits all’ and are usually custom tailored to the situation based on the initial background details provided to the investigative team. Much like you see

184

computers & security 26 (2007) 183–185

in the investigative television shows, computer investigative response operates in a similar manner in terms of a natural progression based on the details as the investigators see them. After initial fact-finding and personnel interviews, an investigative response team will examine the scene of the incident and look for signs of corroboration, or lack thereof, with personnel interviews. A lack of corroboration can often be indicative of a potential avenue of intrusion – and thus a lead. Notice that I said ‘‘scene of the incident’’ and not ‘‘scene of the crime’’. While many investigations do have a criminal aspect to them, not all revolve around local, state or federal law violations but rather violations of internal corporate policy or other private regulations/requirements. In one such case, this is exactly how we dug up our first lead. An internal SQL database server suddenly began acting strangely and become unstable, requiring reboots and constant monitoring by the IT operations team. When interviewing the IT security administrator that was responsible for perimeter security, he mentioned that outbound traffic to the Internet was heavily restricted and only specific web sites and corporate email were permitted. However, upon reviewing their network diagram against their access control lists, it was clear that the administrator was predicating his statement based on a user’s rights and privileges, and not a server’s. The difference that we noticed was that the outbound restrictions were not at the firewall level, but were handled mostly by the proxy server. All users were forced through a proxy server in order to reach the Internet, thus limiting the outbound access – or so he thought. The firewall on the other hand, while disallowing all inbound access, freely permitted outbound access under the assumption that it was restricted by the proxy. However, the servers in the environment were not configured like user workstations and thus had no proxy configured, but rather just a default gateway pointing out to the Internet. While many aspects of evidence preservation had already been put in place prior to our arrival onsite, it was at this point that we fully quarantined the suspect internal SQL database system along with its entire subnet. The suspect system, as well as those neighboring it or directly interacting with it, were photographed by one investigator as another used various forensically sound ‘live capture’ tools in order to gather details regarding the current running state of the environment. Once completed, the systems were taken offline to be forensically imaged – creating a bit-by-bit exact duplication of the hard drives. The forensic imaging took approximately 6 h to complete – not bad given the large size of the RAID hard drive configuration. Evidence acquisition must occur at the scene of the incident in order to preserve and protect evidence as well as assure that chain-of-custody – the documentation or paper-trail of evidence history – is appropriately maintained. However, just as seen on TV, the bulk of the investigative analysis activity occurs at offsite forensic laboratories where the evidence is scrutinized using a breadth of significantly more high-end tools and techniques. This phase of the investigative response effort typically takes the most time, as you are ultimately examining each directory, file and bit on the suspect hard drive(s). In the case discussed above, our lab analysis had determined that a Trojan horse application had been installed on

the SQL server. At this point we needed to dig further through the system to see what level of log information may have been present and whether it would give us any further information regarding the Trojan. Upon recovering the previous log history information from the unallocated portions of the hard drive, we were able to track the Trojan’s history back to the point at which it had been installed. The culprit: a server administrator had been browsing the Internet from the SQL server and inadvertently downloaded the Trojan onto the server. Once installed, the Trojan began establishing outbound ‘‘phone home’’ type of connections. During the forensic analysis of the system, the connection was traced back to an overseas IP address. Further dissection of the Trojan indicated that it actually presented the intruder with administrative GUI access to the system and all of the system’s contents. The Trojan analysis indicated that it was very poorly written, which often resulted in memory access violations that would explain the unusual behavior of the SQL system that initially triggered concern. Upon completion of the SQL server’s forensic analysis, it was confirmed that no further malware had been present and that the intruder conducted all of his activities using the Trojan in conjunction with in-place Windows system utilities and applications. Luckily, the organization that had suffered the breach had only two other systems on the same subnet as the affected SQL server. Both of those systems were also determined to be compromised – the intruder utilized the administrative access gained on the SQL server to compromise the other two. However, the firewall rules in place between the organization’s various subnets effectively prevented the situation from cascading throughout their enterprise and potentially affecting thousands of other servers and workstations. In conjunction with state and federal law enforcement, the situation was escalated as the organization pursues prosecution of the individual identified as perpetrating the malicious activity. The downside to this investigation was the lack of integration with the organization’s public relations, compliance and legal teams. Until it had been confirmed that there was in fact a security breach and sensitive customer information could be at risk, these groups had not been involved in the investigation, so an internal battle ensued over how to handle the public response. There were no strict internal policies that tied these teams into the incident response process, nor were all of the teams even fully aware of the details of the situation, thus creating misinformation and furthering the conflict. At a time where the organization was still struggling with getting to the bottom of the investigation, they had to quell the fears of ill-prepared and uninformed management. Obviously, the organization in this example learned quite a bit from their experience. Needless to say, it is now maintaining strict outbound firewall rules for all systems, regardless of whether they pass through the proxy. There have also been a number of follow-up remediation items that they are continuing to move through to improve their overall security posture. Additionally, they have used the feedback information from the investigation to reshape their prior ‘paper’ incident response plan into something that is significantly more practical and effectual.

computers & security 26 (2007) 183–185

All organizations can benefit from being fully prepared to address what is involved with an investigative response effort. Beyond the security team, incident response is truly a corporate issue. Knowing the steps that will be involved in managing the crisis, and preparing any potentially involved parties in advance, will make a potentially catastrophic situation organized, manageable and ultimately handled in the best possible manner. Chris Novak is a Principal Consultant within Cybertrust’s Investigative Response Unit. He maintains a breadth of

185

experience from his more than 10 years within the IT security industry, as well as a significant depth of expertise surrounding investigative response and computer forensic analysis. He has led many high profile criminal forensic investigations within the United States as well as internationally. His work is highly regarded by many United States government agencies, such as the FBI, Secret Service and the Department of Homeland Security. Mr. Novak has also led a number of civil investigations for some of the nation’s top financial institutions, as well as speaking in many forums to educate the public on the topics of securing personal information and non-public data.

Refereed papers — Guide for Authors Scope Computers & Security is the most comprehensive, authoritative survey of the key issues in computer security today. It aims to satisfy the needs of managers and experts involved in the computer security field by providing a combination of leading edge research developments, innovations and sound practical management advice for computer security professionals worldwide. Computers & Security provides detailed information to the professional involved with computer security, audit, control and data integrity in all sectors — industry, commerce and academia.

Submissions Original submissions on all computer security topics are welcomed, especially those of practical benefit to the computer security practitioner. From 1 April 2006, submissions with cryptology theory as their primary subject matter will no longer be accepted by Computers & Security as anything other than invited contributions. Authors submitting papers that feature cryptologic results as an important supporting feature should ensure that the paper, as a whole, is of importance to the advanced security practitioner or researcher, and ensure that the paper advances the overall field in a significant manner. Authors who submit purely theoretical papers on cryptology may be advised to resubmit them to a more appropriate journal; the Editorial Board reserves the right to reject such papers without the full reviewing process. Cryptography papers submitted before this date will be subject to the usual reviewing process, should the paper pass the pre-review process which has been in place since 2004. All contributions should be in English and, since the readership of the journal is international, authors are reminded that simple, concise sentences are our preferred style. It is also suggested that papers are spellchecked and, if necessary, proofread by a native English speaker in order to avoid grammatical errors. All technical terms that may not be clear to the reader should be clearly explained. Copyright is retained by the Publisher. Submission of an article implies that the paper has not been published previously; that it is not under consideration for publication elsewhere; that its publication is approved by all authors and tacitly or explicitly by the responsible authorities where the work was carried out; and that, if accepted, it will not be

published elsewhere in the same form, in English or in any other language, without the written consent of the Publisher. All papers will be submitted to expert referees from the editorial board for review. The usual size of a paper is 5000 to 10 000 words. Please contact [email protected] if further clarification is needed. Please ensure that the title contains all the authors’ names, affiliations, and their full mailing addresses. These should be followed by a brief abstract and a list of five to 10 keywords. Please supply figures and tables separately. Figures should be high resolution computergenerated graphics, clearly printed black and white line drawings, or black and white glossy photographs. All illustrations should be large enough to withstand 50% reduction and still be easily readable. Try to incorporate all material into the text, and avoid footnotes wherever possible. Any measurements must be in SI (Système International) units. References should be consecutively numbered throughout the text and then listed in full at the end of the paper.

Accepted papers If the paper is accepted, or accepted subject to revision, the authors are requested to send a digital copy of the final version of the paper. Please supply the digital file as either a Microsoft Word file or as a LaTeX file, together with an Adobe Acrobat PDF. Please supply figures and tables as separate files. We will also need a short (100 words) biographical sketch of each author. A copy of the relevant journal issue will be supplied free of charge to the main author. Twenty five reprints can be provided on request. Further reprints (minimum order of 100) can be supplied at a reasonable cost if the request is received before the issue goes to press. Papers or abstracts for discussion should be submitted to:

Submission for all types of manuscripts to Computers & Security now proceeds totally online. Via the Elsevier Editorial System Website for this journal at http://ees.elsevier.com/cose, you will be guided stepwise through the creation and uploading of the various files.

When submitting a manuscript to Elsevier Editorial System, authors need to provide an electronic version of their manuscript. For this purpose only original source files are allowed, so no PDF files. Authors should select a category designation for their manuscripts (network intrusion, security management etc). Authors may send queries concerning

the submission process, manuscript status, or journal procedures to Author Support at [email protected]. Once the uploading is completed, the system generates an electronic (PDF) proof, which is then used for reviewing. All correspondence, including the editor’s decision and request for revisions, will be by e-mail.