Notes 20110214 CIS 6650 Computer Security

From SnOwy - Ed's Wiki Notebook

Contents 1 A2 Q5 2 A2 Q4 3 Midterm Solutions 3.1 Q3 3.2 Q4 3.3 Q11 3.4 Q12 3.5 Q15 3.6 Q17 4 RSA / Totient Note 5 Presentation 6 SOFM/SOM 7 Making Progress 8 Results 9 Databases Intro 10 Database Security

A2 Q5

• demonstration of RSA message encryption and decryption
  • Tuesday March 1, 10am to 3pm demonstrate the software for Dr. Obimbo
• allowed to use the internet to do primality testing for the hundred digit prime
• pick prime numbers due Wednesday -- send public keys by Noon!

A2 Q4

• due Friday

Midterm Solutions

• 3, 4, got 11, got 12, got 15, 17

Q3

• 121 121 121 121
• which is this not divisible by?
• 7, 11, 13, 19, divisible by ∀
• divisible by 11 -- 11² = 121 and repeat.
• 121 121 / 11 = 1001
• 1001 / 7 = 143
• 143 = 11 * 13
• solution is 19
• another way: 121 121 * 1 000 001
• 121 121 = 11³ * 7 * 13
• then 1 000 001 | 9 ? false

Q4

• 73 = 243_b
• 442_b = ?
• 2b² + 4b + 3 = 73
• 2b² + 4b - 70 = 0
• b² + 2b - 35 = 2
• (b - 5)(b + 7) = 0
• b = 5
• 442_b = 4(25) + 4(5) + 2 = 122₁₀
• 8 | 122
• 8 | 15 r 2
• 8 | 1 r 7
• 8 | 0 r 1
• solution: all of the above

Q11

CRT

• x = (2,2,1,3)S(3,4,5,7)
• x1 = 3 + 3(3)(7) = 66
• x3 = 66 + 2(2)(140) = 206
• 206 % (3,4,5,7) ... checked.
• notes: only solvable if all of the divisors are relatively prime
• if not relatively prime, solutions might not exist (conflict), or there may be several solutions (remainders are compatible)

Q12

inverses

Q15

Pigeon Hole Principle

Q17

• Φ(1060)
• ← 1060 = 2² * 5 * 53
• need to do a complete prime factorization
• = 1060(1/2)(4/5)(52/53)
• = 104(4) = 416
• I got the right answer (none of the above) for the wrong reason (424 -- missed 53)

RSA / Totient Note

• mod(p, 1060) = 1
• p^Φ(1060)(mod 1060) = 1

Presentation

Self-Organizing Feature Maps for User-to-Root & Remote-to-Local Network Intrusion Detection on the KDD Cup 1999 Dataset

• Ryan Wilson
• the KDD training and testing data subsets are not supposed to be compatible
  • KDD = Knowledge Discovery and Data mining Cup Competition (ACM)
  • you shouldn't be able to train a system on the training set that will generalize to the testing set
• Ryan took that claim as a challenge
• perfect smart system -- allows us to think about intrusion detection since intrusions change all the time
• different types of detection -- anomaly versus misuse detection
• anomaly -- against what's considered normal or average behaviour
  • lacks labelling specific attack types
  • high false positive rate
• misuse -- attack signatures for specific attacks
  • low false-positives
  • can't understand new intrusions
• User-to-Roote and Remote-to-Local attack
  • privilege escalation
  • often in conjunction
• 1999 challenge: distinguish between good and bad connections
  • 4.9 million training entries
  • 311 thousand entries
• all techniques submitted in 1999 were supervised learning techniques
• best technique: Booster Tree (Bernard Pfahringer)
  • variant of C5 decision tree -- build a forest, groom forest by picking the best trees
• DoS 83%, Probe 97%, U2R 13%, R2L 8.4%, Normal 99%
• current systems ...
• Misuse detection: MIDAS, IDES
  • rule-based system
  • layer 1: certain types of events
  • layer 2: certain suspiscious activity
  • layer 3 (IDES only): human supervision
  • NIDES (current system)
• Anomaly detection: Haystack, NIDES, Emerald
  • all of these systems will not adapt to new kinds of attacks
• Hybrid Detection: Both Misuse and Anomaly detection ...
  • best of both worlds -- future of intrusion detection

SOFM/SOM

• unsupervised classification technology
• six variables ...
  • t -- current iteration
  • Λ -- iteration limiter (final iteration -- note -- an iteration is NOT the same as an epoch)
  • W_v -- current weight vector
  • D -- target input
  • θ(t) -- neighbourhood function
  • α(t) -- learning restraint
• must determine the size of the SOFM -- determined empirically
• training
  1. randomize map node weight vectors
  2. grab an input vector
  3. traverse each node in map
     1. use euclidean distance to find similarity
     2. track node
  4. find the best matching unit that is most similar to target input
  5. ...

Making Progress

• dimensionality of data
• 4 initial classifiers
• 37 numerical data points
• 1 attack or normal type
• total dimensionality of 42 points
• used only 37 numerical data points
• attack type was used for verification only since non-supervised
• SOMs do not implement biases, normalization used
• NormalizedValue = (Value / log(max+1))
• train the map for only two epochs
  • once from top to bottom, once from bottom to top
• why not randomize for a single epoch?
  • allows for repeatable results
• training data laid out on trained SOFM
• stored number of times each node was chosen as candidate node
• data stored by attack type -- attack type classifier from dataset
• same was done with test set ...
• hotspot vector -- each hotspot is pulled from the hotspot matrix
  • store only the relevant node
  • vector of each hotspot for each type -- five training vectors, five testing vectors
• vector pruning -- eliminates hotspots that are redundant
• reduces probability of false positive

Results

• 93% DoS
• 65% Probe -- slightly weaker
• 62% U2R -- much better
• 0% R2L -- entirely missing
• 95% Norm

Databases Intro

• database -- collection of related data
• rules organize data
• administrators are concerned with security
• a database consists of tables
• attributes
  • must be atomic
    • smallest functional unit
  • no partial dependencies
  • no transitive dependencies
  • "APT"
• tables (composed of tuples)
• columns -- attributes, fields
• user queries -- retrieve, modify, add, delete
• select operator
  • σ_{Hobby='stamps'}(Person)
  • narrows down the rows
• project operator
  • narrows down the fields
  • π_Name,Address(Person)
• set operators -- think of in ∪, ∩, −, ¬.
• union compatibility
  • must come from the same or similar domain
  • same number of columns
• Cartesian product
• Join (bowtie)
• Views
  • used as a relation -- rows are not physically stored
  • contents of view is computed in the query
  • access control
• why databases?
  • transparency -- no need to know file structure
  • redundancy
  • ...
• Mandatory Access Control (MAC)
• Discretionary Access Control(DAC)
  • grants users privileges
  • weakness -- a user may evade privilege revoking from one cascade due to escalation of privilege from another cascade
• Role Based Access Control (RBAC)

Database Security

• Integrity
  • only authorized users may modify data
• Availability
  • authorized users must be able to access data
• Secrecy (Confidentiality)