Tackling Global Cybersecurity Threats: Georgia Tech Is Developing Technologies and Strategies to Enable Cybersecurity Solutions

Research News, Georgia Institute of Technology, 177 North Avenue, Atlanta, Georgia 30332-0181 USA

Media Relations Contacts: John Toon, 404-894-6986, jtoon@gatech.edu; Brett Israel, 404-385-1933, brett.israel@comm.gatech.edu

Summary: Georgia Tech cybersecurity researchers are developing technologies and security strategies to enable the global cybersecurity solutions of the future.

Media
  • Research Horizons - Tackling Cyber Threats - GTRI’s new Cyber Technology and Information Security Laboratory (image/jpeg)
  • Research Horizons - Tackling Cyber Threats - computers compromised by the Mariposa botnet (image/jpeg)
  • Research Horizons - Tackling Cyber Threats - Wenke Lee (image/jpeg)
  • Research Horizons - Tackling Cyber Threats - investigated the GPU threat to password security (image/jpeg)
  • Research Horizons - Tackling Cyber Threats - developing tools to improve the security of mobile devices (image/jpeg)
  • Research Horizons - Tackling Cyber Threats - developing a broad set of information security and privacy tools (image/jpeg)
  • Research Horizons - Tackling Cyber Threats - critical field of information operations (image/jpeg)
  • Research Horizons - Tackling Cyber Threats - Army (image/jpeg)
  • Research Horizons - Tackling Cyber Threats - detecting and removing bots and botnets (image/jpeg)

Written by Abby Robinson

Every morning, Paul Royal sifts through reports on tens of thousands of new malicious software samples to find the few that are truly novel and warrant further analysis. With 20 million new malware samples created last year alone, Royal stays busy.

“Modern malware is almost exclusively authored by professional criminals that act in the domain of organized crime,” said Royal, a research scientist in the Georgia Tech Information Security Center (GTISC). “Given the enormous popularity of inexpensive malicious software generation kits, even the technically illiterate can easily build stealthy malware with sophisticated anti-detection mechanisms.”

The number and complexity of cybersecurity threats have grown as corporate, government and consumer dependence on secure and reliable computer and cellular networks has increased, and the software Royal examines is only part of the problem. In 2010, malware authors produced new kinds of malicious software, including Stuxnet, which targeted industrial control systems in Iran’s critical infrastructure. In addition, Google disclosed that its systems had been deeply penetrated by sophisticated international attackers.

Georgia Tech cybersecurity researchers are developing technologies and security strategies to enable the global cybersecurity solutions of the future. Georgia Tech’s cybersecurity research efforts are multidisciplinary and institute-wide, involving researchers from the College of Computing, the College of Engineering, the Ivan Allen College of Liberal Arts and the Georgia Tech Research Institute (GTRI).

GTISC, established in 1998, and the recently created GTRI Cyber Technology and Information Security Laboratory (CTISL), leverage the cybersecurity expertise across Georgia Tech to define and develop research programs that have made Georgia Tech an international leader in basic and applied cybersecurity research.

This article examines Georgia Tech cybersecurity research efforts in the areas of threat monitoring and analysis, mobile device and telephone security, secure information sharing, and U.S. government agency security.

Threat Monitoring and Analysis

Malware, which includes everything from worms to viruses to bots, is spreading faster than ever over the Internet. A bot is malware that places an infected computer under an attacker’s remote control, checking in for orders whenever the machine is online. Attackers pool thousands of such machines into scattered yet powerful networks, called botnets, that can be used to send spam, run phishing scams or steal financial information.

The fight against malware is often viewed as an arms race, and cybersecurity experts must continually raise the bar, sometimes through high-profile arrests and takedowns of cybercrime networks. In the past year, Royal helped dismantle two large botnets, Mariposa and Kraken, using a system he developed called MTrace.

MTrace is an automated malware analysis system that uncovers certain characteristics of each malware sample and aggregates the information into a malware intelligence database that is used by corporate security groups, hosting providers, domain registrars and law enforcement.

“With tens of thousands of new malware samples uncovered daily, this automated analysis software is valuable to security researchers because the time required by a human to analyze every piece of new malware has become overwhelming and nearly impossible,” said Royal.

At its peak, the Mariposa botnet comprised more than 1 million computers, including compromises in half of the Fortune 1000 firms, as well as government agencies, universities and home users in more than 190 countries. When Mariposa’s command-and-control domains were shut down and its operators arrested, 800,000 financial credentials were found on one of the operators’ home computers.

Royal also used MTrace to gather intelligence about the resurgence of the large spamming botnet, Kraken. The Kraken botnet – which at one point included about 650,000 compromised computers, including computers in 10 percent of the Fortune 500 companies – re-emerged about a year after its last takedown, bootstrapped by another botnet that acted as a malicious installation service. According to Royal, this shutdown took exceptional persistence, as the Kraken operators continuously changed their domain names and hosting providers.

Cybersecurity professionals like Royal and programs like MTrace are placing increasing pressure on the controllers of the tens of thousands of botnets worldwide.

Botnets aren’t the only threats researchers in GTISC are battling – they’re also trying to eliminate “drive-by downloads.” During a drive-by download, a website installs malicious code, such as spyware, on a computer without the user’s knowledge or consent. Approximately 1.2 million websites worldwide were found to be infected with malware in 2010.

Georgia Tech School of Computer Science professor Wenke Lee, graduate student Long Lu and collaborators from California-based SRI International developed a tool to eliminate drive-by download threats. BLADE – short for Block All Drive-By Download Exploits – is browser-independent and designed to eliminate all drive-by malware installation threats. Funding for the BLADE tool was provided by the National Science Foundation, U.S. Army Research Office and U.S. Office of Naval Research.

“By simply visiting a website, malware can be silently installed on a computer to steal a user’s identity and other personal information, launch denial-of-service attacks, or participate in botnet activity,” said Lee, who is also co-director of GTISC. “BLADE is an effective countermeasure against all forms of drive-by download malware installs because it is vulnerability and exploit agnostic.”

The researchers evaluated the tool on multiple versions and configurations of Internet Explorer and Firefox. When they exposed a computer to more than 1,900 malicious websites, BLADE successfully blocked all drive-by malware installation attempts. The software produced no false positives and required minimal resources from the protected computer. Major antivirus software programs caught less than 30 percent of the more than 7,000 drive-by download attempts from the same websites.

The BLADE testing showed that the applications most frequently targeted by drive-by download exploits included Adobe Acrobat Reader, Sun Java and Adobe Flash – with Adobe Reader attracting almost three times as many attempts as the other programs. Computers using Microsoft’s Internet Explorer 6 became infected by more drive-by downloads than those using versions 7 or 8, while Firefox 3 had a lower browser infection rate than all versions of Internet Explorer. Among the more than 1,900 active malicious websites tested, Ukraine, the United Kingdom and the United States were the top three countries serving active drive-by download exploits.

“BLADE monitors and analyzes everything that is downloaded to a user’s hard drive to cross-check whether the user authorized the computer to open, run or store the file on the hard drive. If the answer is no to these questions, BLADE stops the program from installing or running and removes it from the hard drive,” explained Lu.

The researchers hope to release BLADE to the public for download later this year.

While computer users are waiting for this release, they should spend some time protecting their personal information with stronger passwords. A recent study by researchers in the Georgia Tech Research Institute (GTRI) found that seven-letter passwords might not be safe for long because of the growing computing power of graphics processing units (GPUs).

“Right now we can confidently say that a seven-character password is hopelessly inadequate and as GPU power continues to go up every year, the threat will increase,” said GTRI senior research scientist Richard Boyd.

Designed to handle the ever-growing demands of computer games, today’s top GPUs can process information at the rate of nearly two teraflops (a teraflop is a trillion floating-point operations per second). Until recently, multi-core graphics processors – which are made by either Nvidia Corp. or by AMD’s ATI unit – were difficult to use for anything except producing graphics for a monitor.

But that changed in February 2007 when Nvidia released CUDA, a software-development kit that lets developers program a GPU directly in the popular C programming language. Unfortunately, this capability also dramatically accelerates a password-breaking technique that engineers call “brute forcing.”

In brute forcing, attackers use a fast GPU (or even a group of linked GPUs), combined with the right software, to recover the passwords that are keeping them out of a computer or a network by trying every possible password until they find the right one. The technique is most dangerous offline: an attacker who has already stolen a file of password hashes can test hundreds of millions or billions of guesses per second against it on a GPU, with none of the lockouts or delays that protect a live login prompt.

“Length is a major factor in protecting against brute forcing a password,” explained Joshua L. Davis, a GTRI research scientist involved in this project. “A computer keyboard contains 95 characters, and every time you add another character to your password, your protection goes up exponentially, by 95 times.”

Complexity also adds security, he said. Adding numbers, symbols and uppercase characters significantly increases the time needed to decipher a password.

Would-be password crackers have other advantages, said Carl Mastrangelo, an undergraduate student in the College of Computing who is working with GTRI on the password research. A computer does not store passwords in plain text but as a cryptographic “hash” within the operating system, a one-way transformation of the password. Attackers who obtain a password hash can attack it with a “rainbow table,” a precomputed lookup structure that maps hashes back to the passwords that produce them. Generating a rainbow table takes a long time, but the work is done only once: if an attacker wants to crack many passwords, each one might then take about 10 minutes rather than several days. Systems that combine each password with a random per-user salt before hashing blunt this attack, because the table would have to be rebuilt for every salt value.

Davis believes the best password is an entire sentence, preferably one that includes numbers or symbols. That’s because a sentence is both long and complex, and yet easy to remember. He said any password shorter than 12 characters could be vulnerable – if not now, soon.
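The arithmetic behind Davis’s point, and the precomputation shortcut Mastrangelo describes, as an added example that is not code from the GTRI study: the search space for a 95-character keyboard grows by a factor of 95 per character, and a precomputed table pays off only against unsalted hashes. The guessing rate of one billion per second, the candidate list and the stored hashes are assumed for illustration.

```python
import hashlib
import os

KEYBOARD_CHARS = 95                 # printable ASCII characters, as the article states
GPU_GUESSES_PER_SECOND = 10**9      # assumed rate for illustration; real figures depend on hash and hardware


def keyspace(length, alphabet=KEYBOARD_CHARS):
    """Number of distinct passwords of exactly `length` characters drawn from `alphabet` symbols."""
    return alphabet ** length


def seconds_to_exhaust(length, guesses_per_second=GPU_GUESSES_PER_SECOND, alphabet=KEYBOARD_CHARS):
    """Worst-case time to try every candidate of the given length at a fixed guessing rate."""
    return keyspace(length, alphabet) / guesses_per_second


def hash_password(password, salt=b""):
    # SHA-256 is used only to illustrate the attack; real password storage should use a slow,
    # salted scheme (bcrypt, scrypt or Argon2) so that every guess costs the attacker far more.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password for unsalted hashes. A rainbow table stores the same mapping
    compactly as hash chains; what matters here is that the work is done once and then reused
    against every hash the attacker obtains."""
    return {hash_password(pw): pw for pw in candidates}


def crack_with_table(table, target_hash):
    """One lookup per hash once the table exists; None if the password is not covered."""
    return table.get(target_hash)


def demo():
    # Growth of the search space: each extra character multiplies the work by 95.
    growth = {n: seconds_to_exhaust(n) for n in (7, 8, 12)}

    # Constructed candidate list standing in for a large table of common passwords.
    table = build_lookup_table(["password", "letmein", "qwerty7", "Summer2010"])
    stored_unsalted = hash_password("letmein")
    recovered = crack_with_table(table, stored_unsalted)          # "letmein"

    # The same password stored with a random per-user salt: the precomputed table is useless,
    # because the attacker would have to rebuild it for every salt value.
    salt = os.urandom(16)
    stored_salted = hash_password("letmein", salt)
    not_recovered = crack_with_table(table, stored_salted)        # None
    return growth, recovered, not_recovered


if __name__ == "__main__":
    growth, recovered, not_recovered = demo()
    for n, secs in growth.items():
        print(f"{n} chars: {keyspace(n):.3e} candidates, {secs / 86400:.1f} days "
              f"at {GPU_GUESSES_PER_SECOND:.0e} guesses/s")
    print("unsalted hash cracked from table:", recovered)
    print("salted hash cracked from table:", not_recovered)
```

The table here is a plain dictionary; a real rainbow table stores hash chains to trade lookup time for memory, but the countermeasure is the same in both cases: salt every stored hash and use a deliberately slow hash function.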

Mobile Device and Telephone Security

Smartphones – such as BlackBerrys, Droids and iPhones – have become indispensable to everyone from today’s highly mobile workforce to tech-savvy youngsters. While these devices keep friends and colleagues just a few thumb-taps away and allow business to be done anywhere that has cellphone reception, they also pose new security and privacy risks.

“Traditional cellphones have been ignored by attackers because they were specialty devices, but the new phones available today are handheld computers that are able to send and receive email, surf the Internet, store documents and remotely access data – all actions that make them vulnerable to a wide range of attacks,” said Patrick Traynor, an assistant professor in the Georgia Tech School of Computer Science and a GTISC faculty member.

Traynor and Jonathon Giffin, also an assistant professor in the School of Computer Science, recently received a National Science Foundation grant to develop tools that improve the security of mobile devices and the telecommunications networks on which they operate. These Georgia Tech faculty members, together with a team of graduate students, are developing methods of identifying and remotely repairing mobile devices that may be infected with viruses or other malware.

Malware can potentially eavesdrop on user input, steal sensitive information, destroy stored information or disable a device. Attackers may snoop on passwords for online accounts, electronic documents, emails that discuss sensitive topics, calendar and phonebook entries, and audio and video media.

“Because mobile phones typically lack security features found on desktop computers, such as antivirus software, we need to accept that the mobile devices will ultimately be successfully attacked. Therefore, our research focus is to develop effective attack recovery strategies,” explained Giffin.

The researchers are investigating whether cellular service providers – such as AT&T and Verizon Wireless – can detect infected devices on their respective networks. Because infected devices often begin to overutilize the network by sending a high volume of traffic to a known malicious Web server or by suddenly generating a high volume of text messages, monitoring traffic patterns on the network should allow these infected phones to be located, according to the researchers.
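The carrier-side heuristic described above, as an added illustration rather than the researchers’ own code: flag a handset whose text-message volume suddenly spikes relative to its own baseline, or that keeps contacting a known malicious server. The log format, thresholds, device names and blocklisted address are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records in the form a carrier-side collector might export:
#   <minute> <device> <kind> <destination> <count>
# where kind is "sms" (count = messages sent) or "http" (count = requests). All values are made up.
SAMPLE_LOG = """\
10:00 dev-A sms +14045550100 2
10:00 dev-A http www.example.com 4
10:01 dev-A sms +14045550101 1
10:01 dev-B sms +14045550200 3
10:02 dev-B sms +14045550201 2
10:03 dev-B sms +14045550202 48
10:03 dev-B sms +14045550203 51
10:00 dev-C http www.example.org 3
10:01 dev-C http 203.0.113.7 120
10:02 dev-C http 203.0.113.7 118
"""

# Hypothetical blocklist of known command-and-control hosts (203.0.113.0/24 is a documentation range).
MALICIOUS_HOSTS = {"203.0.113.7"}

SMS_BURST_PER_MINUTE = 30   # assumed absolute threshold; a carrier would derive it from normal usage
BURST_RATIO = 5.0           # and also require the minute to be many times the device's own baseline


def parse_log(text):
    """Parse the whitespace-separated records above into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        minute, device, kind, dest, count = line.split()
        records.append((minute, device, kind, dest, int(count)))
    return records


def detect_infected(records, malicious_hosts=MALICIOUS_HOSTS,
                    sms_burst=SMS_BURST_PER_MINUTE, burst_ratio=BURST_RATIO):
    """Return {device: [reasons]} for devices whose traffic pattern suggests infection."""
    sms_per_minute = defaultdict(lambda: defaultdict(int))   # device -> minute -> messages sent
    c2_contacts = defaultdict(int)                             # device -> requests to blocklisted hosts
    for minute, device, kind, dest, count in records:
        if kind == "sms":
            sms_per_minute[device][minute] += count
        elif kind == "http" and dest in malicious_hosts:
            c2_contacts[device] += count

    findings = defaultdict(list)
    for device, by_minute in sms_per_minute.items():
        for minute, n in by_minute.items():
            # Baseline is the device's average over its *other* minutes, so the burst
            # itself does not inflate the figure it is compared against.
            others = [m for k, m in by_minute.items() if k != minute]
            baseline = sum(others) / len(others) if others else 0.0
            if n >= sms_burst and n >= burst_ratio * baseline:
                findings[device].append(
                    f"sms burst: {n} messages at {minute} (baseline {baseline:.1f}/min)")
    for device, n in c2_contacts.items():
        findings[device].append(f"{n} requests to known malicious host(s)")
    return dict(findings)


if __name__ == "__main__":
    for device, reasons in detect_infected(parse_log(SAMPLE_LOG)).items():
        print(device, "->", "; ".join(reasons))
```

Only dev-B (a burst of 99 messages in one minute against a baseline of a few) and dev-C (repeated requests to the blocklisted host) are flagged; dev-A’s low, steady traffic is left alone. A real deployment would tune the thresholds per subscriber class and feed the findings to the remediation step the researchers describe rather than acting on a single minute of data.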

To assess their proposed methods of finding and repairing infected mobile devices, the researchers are building a cellular network test bed at Georgia Tech that will simulate how cellular devices communicate over a network. This test bed will be interoperable with GTRI’s Mobile Innovation, Security and Forensic Test bed (MISFiT), which examines the entire mobile ecosystem and its vulnerabilities.

“The focus of MISFiT is in-depth analysis with a system view, including mobile data analytics for capacity planning, machine-to-machine security and security issues associated with mobile and location-based commerce,” said Chuck Bokath, a GTRI senior research engineer.

Another dimension of privacy and security concern for mobile phones is their future integration with consumer credit and banking capabilities. Imagine – instead of fumbling for a credit card, coupons and loyalty card at a grocery store, you use your mobile phone to provide all that information.

This futuristic-sounding experience may not be far off. In November 2010, AT&T Mobility, Verizon Wireless and T-Mobile USA announced the formation of the Isis mobile commerce network, with pay-by-phone service expected in some markets within 18 months. In advance of these new mobile capabilities, a research team at Georgia Tech recently analyzed the technical and policy gaps that make pay-by-mobile users vulnerable.

With support from the National Science Foundation and SAIC, the study was conducted by Seymour Goodman, a professor in the Sam Nunn School of International Affairs and the School of Computer Science at Georgia Tech, Traynor, and graduate students Andrew Harris of the Sam Nunn School and Frank Park of the School of Computer Science.

“It is essential that we understand both the opportunities and the dangers presented by mobile devices,” said Goodman, who is also co-director of both the Georgia Tech Information Security Center (GTISC) and the Center for International Strategy, Technology and Policy (CISTP). “The safe and responsible deployment of emerging mobile technologies requires not only additional understanding, but also the willingness of government, corporations and civil society to confront these challenges expeditiously.”

Customers must first be educated about how data is collected and shared on mobile phones and how they can protect against theft and abuse of their personal information. The researchers propose the creation of a comprehensive national privacy policy to ensure that consumers can use a “digital wallet” to purchase goods with confidence that the data generated through those transactions will not be bought, sold or traded. In addition, the study suggests that digital wallet developers consider sensible privacy statements designed specifically for mobile phones.

On the technical side, one gap is that a phone has no way to authenticate the digital wallet reader it is about to transact with. Near-field communication technology, a short-range radio technology derived from radio-frequency identification (RFID), will likely be used to process consumer transactions. The researchers suggest there should be a mechanism to authenticate readers and notify users before the phone discloses their private information.

“Users are willing to trust devices with which they are interacting without proper validation, so the public will need to be educated about what these digital wallet readers should look like and how to spot an illegitimate device,” said Goodman.

Goodman, Harris and collaborators at Carnegie Mellon University are also concerned with the security risks that mobile phones bring to less-developed countries. In 2009, the 53 countries of Africa boasted 295 million mobile phone subscriptions for a penetration rate of 37.5 per 100 inhabitants.

With funding from the MacArthur Foundation, the researchers investigated cellular security vulnerabilities in Africa. They found that many African nations suffer from a deficiency of appropriate laws and organizations needed to confront cyber crime.

“In such an environment, mobile phones become an unprecedented tool to track a citizen’s activities. An unscrupulous government could easily use the cellular network to track an individual’s movement, listen to conversations and access financial records,” explained Goodman.

The research team has suggested solutions to these vulnerabilities, such as requiring device manufacturers and service providers to offer adequate security, increasing the African workforce of information security professionals, and initiating a public awareness campaign to alert the African people to the potentially detrimental effects mobile phones can have.

GTISC researchers are also investigating security on landline phones, as phishing scams make the leap from email to the world’s voice systems. Today, it is relatively easy for criminals to fake caller ID and employ the same sort of phishing scams they use on the Internet.

Funded in part by the National Science Foundation, Traynor and Mustaque Ahamad, a professor in the School of Computer Science and GTISC director, identified a digital fingerprint hidden within voice signals that can reveal fraud and thwart voice phishing scams.

The team created a system called PinDr0p that exploits artifacts left on call audio by the voice networks themselves and then determines the path a call takes to get to a recipient’s phone with at least 90 percent accuracy. The team is currently working on using PinDr0p to geolocate the origin of calls.

Secure Information Sharing

Information sharing requires that partners establish broad electronic trust among the caretakers of critical information and those who need and are authorized to use that information.

Researchers from Georgia Tech teamed with Children’s Healthcare of Atlanta and Emory University’s Center for Comprehensive Informatics to develop technologies that will protect the security and privacy of electronic health information.

“Storing medical records in electronic format and sharing them among different health care organizations has the potential to produce enormous improvements in the quality and efficiency of the health care system, but unauthorized disclosure of the information has the potential to damage lives and harm careers,” said Douglas Blough, a professor in the School of Electrical and Computer Engineering at Georgia Tech.

Through a project called MedVault, Blough and professors Mustaque Ahamad and Ling Liu of the School of Computer Science at Georgia Tech are developing a broad set of information security and privacy tools that can be integrated with electronic health records systems and work flows. MedVault is supported by the National Science Foundation and the Atlanta Clinical and Translational Science Institute.

With health information exchanges popping up across the country, individuals will begin sharing health documents with various health care system entities, which will need to verify the source and trustworthiness of the documents. MedVault researchers developed a system that uses redactable signature technology for source-verifiable, patient-controlled information sharing. A document digitally signed by a health care provider can still be authenticated after the patient has removed the information he or she wants to keep confidential, because the redaction does not invalidate the provider’s signature.
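A minimal redactable signature of the kind the MedVault system relies on, written here as an added example and not the MedVault code: the provider commits to every field separately, signs the list of commitments, and the patient can then drop a field without breaking the signature. The record contents and key are made up, and an HMAC stands in for the provider’s public-key signature over the commitment list.

```python
import copy
import hashlib
import hmac
import os


def _h(*parts):
    """Length-prefixed SHA-256 over the parts, so field boundaries cannot be shifted."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def _sign_root(root, key):
    # Stand-in for the provider's public-key signature over the root (HMAC with a shared key);
    # the redaction mechanism does not depend on which signature primitive is used.
    return hmac.new(key, root, hashlib.sha256).hexdigest()


def sign_record(record, provider_key):
    """Provider signs each field through a salted commitment, then signs the list of commitments."""
    names = sorted(record)                       # fixed field order shared by signer and verifier
    nonces = {n: os.urandom(16) for n in names}  # per-field randomness: a redacted value cannot be
                                                 # recovered by guessing it and recomputing the commitment
    commitments = {n: _h(nonces[n], n.encode(), str(record[n]).encode()).hex() for n in names}
    root = _h(*[bytes.fromhex(commitments[n]) for n in names])
    return {
        "fields": {n: {"value": record[n], "nonce": nonces[n].hex()} for n in names},
        "commitments": commitments,
        "signature": _sign_root(root, provider_key),
    }


def redact(signed, field_names):
    """Patient removes fields (value and nonce); the commitments stay, so the signed root is unchanged."""
    out = copy.deepcopy(signed)
    for n in field_names:
        out["fields"].pop(n)
    return out


def verify(signed, provider_key):
    """True if every disclosed field matches its commitment and the commitment list is signed."""
    commitments = signed["commitments"]
    for n, entry in signed["fields"].items():
        if n not in commitments:
            return False                           # a field the provider never signed
        c = _h(bytes.fromhex(entry["nonce"]), n.encode(), str(entry["value"]).encode()).hex()
        if not hmac.compare_digest(c, commitments[n]):
            return False                           # disclosed value was altered
    root = _h(*[bytes.fromhex(commitments[n]) for n in sorted(commitments)])
    return hmac.compare_digest(_sign_root(root, provider_key), signed["signature"])


if __name__ == "__main__":
    key = b"provider-signing-key"                  # hypothetical
    record = {"patient": "A. Doe", "immunizations": "MMR, DTaP, HepB", "diagnosis": "asthma"}
    signed = sign_record(record, key)
    for_school = redact(signed, ["diagnosis"])     # the school sees immunizations, not the diagnosis
    print("full record verifies:", verify(signed, key))
    print("redacted record verifies:", verify(for_school, key))
    print("redacted fields:", sorted(set(for_school["commitments"]) - set(for_school["fields"])))
```

Two properties worth noting: the verifier can see that a field was redacted (its commitment is still listed) but not what it contained, and the per-field nonce is what stops a recipient from confirming a guessed diagnosis by recomputing the commitment. Schemes that also hide the number and position of redacted fields exist, but need more machinery than this example.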

“This technology could be especially valuable, for example, to parents who need certified health records to enroll a child in school, college, summer camp or other activity because parents would just need this one digitally signed document and could use it in many different ways,” explained Blough.

The research team also designed a policy combination and conflict resolution system that can examine the policies of multiple health care entities and ensure they are all followed.

“Each organization with a health information exchange may have a different policy about what information in their system can be disclosed under specific circumstances and patients might want to set their own disclosure controls, and all of these policies must be enforced. Our system combines these multiple policies and resolves any conflicts,” added Blough.

The MedVault team is working to ensure that these technologies are seamlessly integrated with the overall health system and its medical processes to provide strong security and privacy while assuring patient safety.

While secure information sharing is necessary in the health care sector, it’s also essential for criminal justice organizations. The Global Federated Identity and Privilege Management (GFIPM) initiative provides a way for justice and public safety organizations to securely access information from multiple agencies with a single logon. John Wandelt, a GTRI principal research scientist, is the GFIPM initiative’s project manager.

Established through a collaborative effort of the Global Justice Information Sharing Initiative membership, the U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Assistance and the U.S. Department of Homeland Security, the GFIPM initiative provides the justice community with a secure information-sharing architecture based on an electronic justice credential. This standards-based justice credential can be used to securely connect law enforcement and public safety personnel to interagency applications and data over the Internet.

“By separating the roles of identity providers from service providers, the GFIPM architecture allows agencies to leverage their existing local security infrastructures, policies and mechanisms to significantly reduce overall cost and increase privacy, security and usability,” explained Wandelt.

The GFIPM framework supports identifying and authenticating users; managing the certifications, clearances, job functions, local privileges and organizational affiliations associated with each user that can serve as the basis for authorization decisions; and determining what information is required to audit systems.
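The identity-provider/service-provider split Wandelt describes, reduced to a worked example that is added here and is not GFIPM code: the user’s home agency (the identity provider) vouches for vetted attributes in a signed assertion, and the application (the service provider) verifies the issuer, signature, audience and lifetime before making an attribute-based authorization decision and recording what it relied on for audit. Issuer names, attribute names, keys and the policy are hypothetical, and an HMAC stands in for the signing certificates a federation would distribute.

```python
import hashlib
import hmac
import json

# Hypothetical identity providers the service provider trusts, with the key each signs under
# (a stand-in for the signing certificates a federation would actually distribute).
TRUSTED_IDPS = {
    "idp.county-sheriff.example": b"county-key",
    "idp.state-police.example": b"state-key",
}


def issue_assertion(issuer, issuer_key, subject, attributes, audience, issued_at, lifetime=300):
    """Identity-provider side: package the user's vetted attributes and sign them for one audience."""
    body = {"issuer": issuer, "subject": subject, "audience": audience,
            "issued_at": issued_at, "expires": issued_at + lifetime, "attributes": attributes}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()}


def authorize(assertion, policy, my_audience, now, trusted=TRUSTED_IDPS):
    """Service-provider side: check the credential, then decide from the attributes it carries.
    Returns (granted, reason, audit_record); the audit record is what an auditor needs later."""
    body = assertion["body"]
    audit = {"time": now, "subject": body.get("subject"), "issuer": body.get("issuer"),
             "resource": policy["resource"], "attributes_used": {}}
    key = trusted.get(body.get("issuer"))
    if key is None:
        return False, "issuer is not a federation member", audit
    payload = json.dumps(body, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(),
                               assertion["signature"]):
        return False, "signature does not verify", audit
    if body["audience"] != my_audience:
        return False, "assertion was issued for a different service", audit
    if not body["issued_at"] <= now < body["expires"]:
        return False, "assertion expired or not yet valid", audit
    attrs = body["attributes"]
    for name, required in policy["require"].items():
        have = attrs.get(name)
        audit["attributes_used"][name] = have
        # A set in the policy means "any of these values"; anything else must match exactly.
        allowed = have in required if isinstance(required, (set, frozenset)) else have == required
        if not allowed:
            return False, f"attribute {name!r} does not satisfy policy", audit
    return True, "granted", audit


# Hypothetical policy for one interagency application; attribute names are illustrative only.
INCIDENT_REPORTS_POLICY = {
    "resource": "interagency-incident-reports",
    "require": {"sworn_law_enforcement_officer": True,
                "clearance": {"Secret", "Top Secret"}},
}


if __name__ == "__main__":
    t0 = 1_300_000_000
    a = issue_assertion("idp.county-sheriff.example", TRUSTED_IDPS["idp.county-sheriff.example"],
                        "deputy.jane@county-sheriff.example",
                        {"sworn_law_enforcement_officer": True, "clearance": "Secret",
                         "employer": "County Sheriff's Office"},
                        audience="incident-reports.example", issued_at=t0)
    print(authorize(a, INCIDENT_REPORTS_POLICY, "incident-reports.example", now=t0 + 10))
    print(authorize(a, INCIDENT_REPORTS_POLICY, "incident-reports.example", now=t0 + 600))
```

The service provider never sees a password: it trusts the county’s identity provider to have authenticated the deputy and to assert her attributes truthfully, which is what lets each agency keep its own local credentialing while the audit record still names the issuer, subject and attributes behind every decision.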

The framework leverages the National Information Exchange Model (NIEM) for which Wandelt and other GTRI researchers provided engineering support and technical guidance.

In September 2010, the GTRI team working in conjunction with the Global Security Working Group published a baseline set of GFIPM technical and governance specifications. The specifications are currently being adopted by the U.S. Department of Justice, U.S. Department of Homeland Security, Federal Bureau of Investigation, and several state and local agencies to securely exchange sensitive information.

U.S. Government Agency Security

For decades, researchers at Georgia Tech have developed technologies for defending against and defeating attacks on the battlefield. More recently, they have been focusing major efforts on defending the virtual battlefield.

Experts in the Georgia Tech Research Institute (GTRI) and the Georgia Tech Information Security Center (GTISC) are tackling security issues with government and military networks, and developing new tools and methods for securing information and networks.

To develop and deploy advanced technologies to defend against and deter cyber attacks on the United States, researchers are working with agencies within the U.S. Departments of Defense and Homeland Security, as well as with local, state and allied foreign governments.

Georgia Tech’s work focuses on providing resilient command-and-control solutions to war fighters operating in contested environments, and helping government agencies defend against cyber criminals to safeguard the nation’s critical infrastructure.

Command and Control Mission Assurance

The sophisticated, multiphase cyber attacks that increasingly target government operations are often invisible to traditional security technology. To construct systems that control homeland and combat operations, GTRI researchers are designing and fielding resilient information systems that include secure network enclaves, virtualization and multilevel security.

GTRI researchers are helping the U.S. Department of Defense develop, test and integrate new technologies for defending networks.

“The objective of this work is to assure command and control from a networking perspective in a hostile cyber environment,” said Jeff Moulton, a GTRI principal research associate.

The Network-centric Test and Training System (NeTTS) developed by GTRI also provides command-and-control mission assurance. NeTTS is a family of nonintrusive test tools for distributed, network-centric environments that support test and training through the creation of realistic virtual environments.

Since 1997, GTRI has developed these tools, with most funding from the Department of Defense’s Resource Enhancement Program. The first of these tools, the Realistic Operational Communications Scenarios (ROCS) System, pioneered a systematic approach to Command, Control, Communications, Computers and Intelligence (C4I) testing, focusing on ground combat elements. Successor systems – the Commander’s Air Defense Environment Test Tool (CADETT) and the Integrated Broadcast Service Test and Analysis Tool (ITAS) – focused on air operations and intelligence systems.

The centralized code base allows rapid deployment of updated code, new plug-ins and drivers, new development language versions, troubleshooting and other changes. The NeTTS training component emphasizes realism, focusing on software that can merge training with actual tactical communications systems to offer a true hands-on experience.

“NeTTS has been used by all four military services, providing support during pre-test planning, test conduct and post-test analysis of a wide variety of communication networks and systems,” said Fred Wright, a GTRI principal research engineer.

U.S. Army personnel use a Deployable Joint Command and Control (DJC2) forward command post. GTRI researchers have supported information technology upgrades for the DJC2. (Credit: U.S. Army)

GTRI has also been involved for more than seven years with the U.S. military’s Deployable Joint Command and Control system (DJC2), a self-contained, self-powered temporary headquarters facility. GTRI has been responsible for designing DJC2’s information technology infrastructure since the initial prototype stage.

“The time it used to take to deploy a joint task force infrastructure was significant,” said Jack Hart, a senior research engineer leading the program for GTRI. “Our forces need to be able to stand up a joint task force communications infrastructure in a very short amount of time – not two or three weeks but 72 hours or less.”

The work, which is directly sponsored by the DJC2 Joint Program Office, has included networks and wired and wireless communications, as well as newer elements such as advanced peer-to-peer internetworking convergence and satellite communication terminals.

One major hurdle, Hart explained, has involved migrating from the serial equipment originally used by the joint task forces. The serial approach was based largely on modem communications, which made tactical communications between field units and headquarters problematic.

To enable the migration, GTRI designed a seamless, phased transition from the original equipment to Ethernet systems based on current Internet protocol (IP) technology. Hart’s team created a hybrid architecture that allowed older serial equipment to connect to new IP systems when required.

Now that the DJC2 rapid-response kit has been designed, tested and fielded, GTRI is focusing on enhancing important technical elements of the system. Hart’s team is developing a secure DJC2 wireless architecture, expected to become one of the few operational systems that is fully accredited for security. To support this wireless architecture, the team is utilizing wideband satellite Ka and X-band communications technologies.

Network Vulnerability

Georgia Tech’s cyber researchers are also applying the latest technologies in signal and protocol exploitation, Web crawling, malware analysis, and reverse engineering of embedded and application programs to counter adversary information networks.

For one project, GTRI researchers are developing new techniques for critical infrastructure and network defense and information operations in the Air National Guard. GTRI plans to develop interoperability solutions for connecting aircraft to various data link systems and ground forces, along with analyzing and identifying security issues.

GTRI will also develop an interactive process for tracking cyber technologies and threats. In particular, a systems engineering process will be customized to provide an understandable presentation of cyberspace trends and issues, and predict future threats.

“As technology changes and new systems come online, the Air National Guard needs new tools to watch for attacks so that they can continue to progress as new technologies develop into cyber concerns,” Wright explained.

Also in the network vulnerability area, GTRI has developed a platform called SpiderSense, which provides intelligent crawling and analysis modules for Web research. The platform is currently used for automated penetration testing and exploit research, but new tools and techniques can be rapidly prototyped on it. Initial development of SpiderSense was led by former GTRI senior research engineer Steve Millar with support from GTRI’s Independent Research and Development program.

Web servers often have full access to databases and supporting services within an organization. If they are compromised, they have the network permissions to cause damage to other, more critical systems like databases or directory servers. Web threats like this are currently addressed by an infrequent and uneven application of code reviews and penetration tests.

One of the SpiderSense modules assesses websites for possible entry points that malicious programs could use to gain access to Web servers and extract data from them, and tests each point for exploitability. The SpiderSense tool enables organizations to automatically defend websites against SQL injection, cross-site scripting, denial of service and other attacks.
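The SQL injection and cross-site scripting weaknesses named above are the kind of entry point an assessment tool looks for. As an added example (not SpiderSense or GTRI code), the block below places a lookup written in the injectable style beside its parameterized form, and an HTML rendering step beside an escaped one, against a constructed in-memory SQLite table; the table contents and the `users` schema are assumptions.

```python
"""Added example, not from the original article: the same user lookup in an
injectable form and a parameterized form, plus HTML output with and without
escaping, run against a constructed in-memory SQLite database."""
import html
import sqlite3

# Constructed sample rows (not from the article).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injectable: request text is spliced into the SQL statement itself,
    so a quote in the input changes the shape of the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the statement shape is fixed and the driver binds the value
    separately, so the input is only ever compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_vulnerable(username: str) -> str:
    """Reflects request text into HTML unchanged (cross-site scripting risk)."""
    return f"<p>Hello, {username}</p>"


def render_greeting_safe(username: str) -> str:
    """Escapes the text before placing it in HTML, so markup is shown, not run."""
    return f"<p>Hello, {html.escape(username)}</p>"


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # textbook tautology used only to show the difference
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("safe:      ", lookup_safe(db, probe))        # returns nothing
    print(render_greeting_safe("<b>name</b>"))
```

The parameterized form is what a code review or an automated assessment should expect to find; the injectable form is the pattern such a review flags.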

“SpiderSense enables government and industry to conduct repeatable, automated and customizable security assessments of their Web applications to validate software development life-cycle practices and ensure information assurance,” said GTRI research scientist Andrew Howard, who is currently leading this research effort.

In addition, SpiderSense can be used as a platform for directing simulated intrusion attacks into networks, a practice called “red teaming.” Automated discovery of the vulnerable entry points in Web servers provides a technique for developing cyber weapons that also automate the exploitation of the vulnerabilities.

In another network vulnerability project, GTISC and GTRI researchers are helping the U.S. Department of Defense and other government agencies block and remove botnets from networks, shut down botnet operations on the Internet, assess current botnet threats and predict future trends.

Georgia Tech computer science professor Wenke Lee leads the five-year, $7.5 million Multidisciplinary University Research Initiative (MURI) from the U.S. Office of Naval Research, which is aimed at developing practical approaches to detecting and removing botnets. The multi-university team, which includes collaborators at the University of Michigan, Stanford University and the University of California at Santa Barbara, plans to develop botnet detection and removal approaches that will work against all bots and botnets.

To do this, the researchers will first identify the basic properties of all bots and botnets, and then determine how they can target these structural and operational properties to locate bots and botnets. Lastly, they will develop practical ways to shut down the botnets and remove the bots from affected computers.

For example, a basic property of all bots is that they are not human, thus their activity is generated by a computer program. With this knowledge, the researchers hope to develop techniques that would help find bot-infected computers by distinguishing human-generated network traffic from program-generated traffic. To put this theory into practice, they would need to develop an effective way of monitoring the activity on computers and determining whether it originated from humans or programs.

To do that, they might develop a way to determine whether an email sent from a computer was sent by a user clicking a send button or by some program sending it without user action. While not all program-generated activity is malicious, this could be their first clue that a computer might be infected with a bot. If additional bot-like properties are observed, the researchers would be able to determine for sure whether the computer was compromised.
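The two paragraphs above describe one heuristic: a send that no user input preceded is more likely program-generated. The block below is an added illustration of that idea, not the MURI project's own code; the host log format, the five-second window and the three-send threshold are assumptions, and the log lines are constructed.

```python
"""Added example, not from the original article: label outbound mail events
on a host as human- or program-initiated by checking whether user input
preceded each send within a short window, then score the host."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str      # "input" (keyboard/mouse) or "smtp_send"
    detail: str = ""


# Constructed host activity log in an assumed "<iso-time> <kind> <detail>" format.
SAMPLE_LOG = [
    "2011-02-01T09:00:00 input keypress",
    "2011-02-01T09:00:03 smtp_send to=colleague@example.test",
    "2011-02-01T09:00:40 smtp_send to=list1@example.test",
    "2011-02-01T09:00:41 smtp_send to=list2@example.test",
    "2011-02-01T09:00:42 smtp_send to=list3@example.test",
    "2011-02-01T09:10:00 input click",
    "2011-02-01T09:10:01 smtp_send to=boss@example.test",
]


def parse_log(lines: List[str]) -> List[Event]:
    """Turn constructed log lines into Event records."""
    events = []
    for line in lines:
        parts = line.split(" ", 2)
        detail = parts[2] if len(parts) > 2 else ""
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], detail))
    return events


def classify_sends(events: List[Event],
                   window: timedelta = timedelta(seconds=5)) -> List[Tuple[datetime, str]]:
    """Label each send "human" if user input occurred within `window`
    before it, otherwise "program"."""
    last_input = None
    labels = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "input":
            last_input = ev.ts
        elif ev.kind == "smtp_send":
            human = last_input is not None and ev.ts - last_input <= window
            labels.append((ev.ts, "human" if human else "program"))
    return labels


def assess_host(events: List[Event],
                window: timedelta = timedelta(seconds=5),
                threshold: int = 3) -> Dict[str, object]:
    """Count program-initiated sends; this is one signal to combine with
    other bot-like properties, not proof of compromise on its own."""
    labels = classify_sends(events, window)
    program = sum(1 for _, label in labels if label == "program")
    return {
        "total_sends": len(labels),
        "program_sends": program,
        "suspicious": program >= threshold,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, label in classify_sends(evs):
        print(ts.isoformat(), label)
    print(assess_host(evs))
```

Legitimate automation (a calendar reminder, a backup report) also produces program-initiated sends, which is why the result is a score to be combined with further observations rather than a verdict.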

“We are confident that by following this methodology, we can deliver approaches that are fundamental, meaning that if a botnet changes, the solutions will still work because they target the fundamental properties of botnets that each one has to have to survive,” said Lee.

Secure Information Systems

GTRI researchers working in the secure information systems area design, develop and deploy enterprise information systems requiring state-of-the-art database, platform and Internet security. They are currently providing secure applications and cross-domain extensible markup language (XML) guards to the U.S. Department of Defense to enable sharing of compartmented data between networks and domains.

These applications are built from the ground up with redundant security measures at every layer. This security infrastructure provides the necessary protections to prevent data spills that could be catastrophic to national defense.

Looking Forward

With the growing scale and sophistication of cybersecurity threats, multidisciplinary teams at Georgia Tech are focused on gaining a better understanding of emerging threats, as well as the motives and methods of cyber attackers.

Georgia Tech researchers are working together and partnering with local Internet security companies to provide solutions for defending against highly sophisticated and well-funded cyber criminal activities. The basic research conducted at GTISC provides the forward-looking activities required to defend proactively, and the applied research of GTRI incorporates these ideas into proof-of-concept and functional models. Partnering with small businesses then allows these solutions to be implemented.

To foster this vision, GTRI is developing a long-term strategic plan that invests in collaborative research involving numerous Georgia Tech units and small businesses. These plans include building a cyber test laboratory that provides development, testing and visualization capabilities in support of wired and wireless transport media. Plans also include connectivity to government test ranges, partnering with private industry to include its solutions in the laboratory, and developing targeted educational courses to enhance awareness.

“By developing solutions to impending cyber concerns at an early stage before they become widespread sources of harm, Georgia Tech will continue to be a leader in the cybersecurity arena,” said Mustaque Ahamad, director of GTISC.

Rick Robinson and Michael Terrazas also contributed to this story.

This material is based upon work supported by the National Science Foundation (NSF) under Award Nos. CNS-0716570, CNS-0916047 and 0911886; U.S. Army under Award No. W911NF-06-1-0316; U.S. Navy under Award No. N00014-09-1-1042; National Institutes of Health’s (NIH) National Center for Research Resources under PHS Grant UL1 RR025008 from the Clinical and Translational Science Award program; and the Office of Naval Research (ONR) under Award No. N00014-09-1-1042. Any opinions, findings, conclusions or recommendations expressed in this publication are those of the principal investigators and do not necessarily reflect the views of the NSF, U.S. Army, U.S. Navy, NIH or ONR.

Research Horizons, Winter/Spring 2011 Issue