
Select Research and Presentations


Introduction

This section contains academic research and education material that I've produced for a variety of purposes.

Review of Virtualization Architectures with a Sprinkling of Security (Presentation)

A presentation given to a mixed audience (technical, managerial, executive) on what virtualization means, the fundamental components of the technology, and some of the key security and performance aspects that need consideration prior to implementation.

Security Mechanisms for Mobile Agent Based Vulnerability Analysis Tools

Agent-based technology has several areas of security to shore up before it can enter mainstream usage. Some of these areas will be explored in this work. In order to explore the security issues related to agent technology, it is often helpful to view agents in the context of an application. In this paper, we look at applying agent-based technology to the performance of network vulnerability analysis. In short, this is the process of scouring a network and examining each host to see if there are vulnerabilities that could allow unauthorized access. As will be shown, this is an application that is particularly stringent on the security of the mobile agents that will be used as the underlying mechanism. This must be so. Vulnerability scanning and analysis is a very privileged operation that, if compromised, could open an entire network to hazard or damage. Like electronic commerce, it must therefore be very secure.

Research Agenda for Security Engineering

Despite nearly 30 years of research and application, the practice of information system security engineering has not yet begun to exhibit the traits of a rigorous scientific discipline. As cyber adversaries have become more mature, sophisticated, and disciplined in their tradecraft, the science of security engineering has not kept pace. The evidence of the erosion of the digital security upon which society is increasingly dependent appears in the news almost daily.

In this article, we outline a research agenda designed to begin addressing this deficit and to move information system security engineering toward a mature engineering discipline. Our experience suggests that there are two key areas in which this movement should begin. First, a threat model that is actionable from the perspectives of risk management and security engineering should be developed. Second, a practical and relevant security-measurement framework should be developed to adequately inform security-engineering and risk-management processes. Advances in these areas will particularly benefit business/government risk assessors as well as security engineers performing security design work, leading to more accurate, meaningful, and quantitative risk analyses and more consistent and coherent security design decisions.

Using AHP/TOPSIS with Cost and Robustness Criteria for Virtual Network Node Assignment

Network virtualization is a concept in which a Virtual Network Provider constructs logical virtual networks for various clients on a common, virtualized infrastructure substrate. However, there is currently no general framework or benchmark for assessing the security properties of these logical networks within the context of network virtualization.

In this paper, we describe a virtual network security assessment process in which a preference model is constructed over a select set of network element attributes. This preference model reflects the knowledge and experience of one or more security experts. The relevant attribute values are exposed during virtual network composition. Our process answers the question: how does the security of my virtual network compare to an equivalent topology whose attribute values are most preferred by security experts?

DOI: 10.1109/ICC.2012.6364792

A Virtual Network Topology Security Assessment Process

Network virtualization is a concept in which a Virtual Network Provider constructs logical virtual networks for various clients on a common, virtualized infrastructure substrate. However, there is currently no general framework or benchmark for assessing the security properties of these logical networks within the context of network virtualization.

In this paper, we describe a virtual network security assessment process in which a preference model is constructed over a select set of network element attributes. This preference model reflects the knowledge and experience of one or more security experts. The relevant attribute values are exposed during virtual network composition. Our process answers the question: how does the security of my virtual network compare to an equivalent topology whose attribute values are most preferred by security experts?

DOI: 10.1109/IWCMC.2011.5982533

A dynamic model building process for virtual network security assessment

Network virtualization is a concept in which a Virtual Network Provider constructs logical virtual networks for various clients on a common, virtualized infrastructure substrate. However, there is currently no general framework or benchmark for assessing the security properties of these logical networks within the context of network virtualization.

In this paper, we describe a virtual network security assessment process in which a preference model is constructed over a select set of network element attributes. This preference model reflects the knowledge and experience of one or more security experts. The relevant attribute values are exposed during virtual network composition. Our process answers the question: how does the security of my virtual network compare to an equivalent topology whose attribute values are most preferred by security experts?

DOI: 10.1109/PACRIM.2011.6032941

A Short Review of Multi-Criteria Decision Making Techniques

This technical report provides an overview of theoretical and practical aspects of Multi-Criteria Decision Analysis (MCDA). This work was performed as a breadth study in support of using MCDA techniques as an element of measuring information system security through expert preference elicitation.

In MCDA, one or more decision makers (DMs) are faced with the task of choosing a single best alternative from a set of possible alternatives. This selection can be performed by ranking the alternatives directly against each other with respect to some criteria (e.g. two cars with respect to cost), or the alternatives can be scored individually against criteria whose levels have already been ranked (e.g. the comfort level of the car, where high=1.0, medium=0.5, and low=0.0).

Preference elicitation shares a common base of techniques from the domain of "expert calibration". In these techniques, biases in expert opinion are systematically targeted and removed. However, even without biases, "expert" judgement can vary significantly - especially in cases where multiple criteria are to be captured. This report also looks at group elicitation and techniques for aggregating expert judgements.
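As an added illustration of the AHP/TOPSIS node-assignment idea and of the ranked-level scoring described above (example code written here, not taken from the papers listed): a TOPSIS ranking of constructed candidate substrate nodes under a cost criterion to be minimised and a robustness criterion to be maximised. The candidate nodes, the criterion weights and the high/medium/low robustness levels are all assumptions for the example; in the papers the weights would come from expert preference elicitation (e.g. AHP pairwise comparison).

```python
"""TOPSIS ranking of candidate substrate nodes for a virtual network.

Added example, not code from the papers above. Candidates, weights and
criterion levels are constructed for illustration.
"""
import math

# Ordinal criterion levels scored as in the MCDA report: high=1.0, medium=0.5, low=0.0.
LEVEL_SCORE = {"high": 1.0, "medium": 0.5, "low": 0.0}

# Constructed candidates: (name, cost in arbitrary units, robustness level).
CANDIDATES = [
    ("node-a", 100.0, "high"),
    ("node-b", 40.0, "low"),
    ("node-c", 60.0, "medium"),
]

CRITERIA = ["cost", "robustness"]
# Assumed weights (in practice elicited from experts, e.g. via AHP).
WEIGHTS = {"cost": 0.4, "robustness": 0.6}
# True when a larger value is better; cost is a "less is better" criterion.
BENEFIT = {"cost": False, "robustness": True}


def topsis(candidates, weights=WEIGHTS, benefit=BENEFIT):
    """Return [(name, closeness_to_ideal)] sorted best-first (closeness in [0, 1])."""
    names = [c[0] for c in candidates]
    matrix = [[c[1], LEVEL_SCORE[c[2]]] for c in candidates]  # rows: [cost, robustness]
    n = len(CRITERIA)
    # Vector-normalise each column so criteria on different scales become comparable,
    # then apply the criterion weights.
    norms = [math.sqrt(sum(row[j] ** 2 for row in matrix)) or 1.0 for j in range(n)]
    weighted = [[weights[CRITERIA[j]] * row[j] / norms[j] for j in range(n)] for row in matrix]
    columns = list(zip(*weighted))
    # Ideal best/worst per criterion depend on whether it is a benefit or a cost criterion.
    best = [max(col) if benefit[CRITERIA[j]] else min(col) for j, col in enumerate(columns)]
    worst = [min(col) if benefit[CRITERIA[j]] else max(col) for j, col in enumerate(columns)]
    result = []
    for name, row in zip(names, weighted):
        d_best, d_worst = math.dist(row, best), math.dist(row, worst)
        closeness = d_worst / (d_best + d_worst) if d_best + d_worst else 0.0
        result.append((name, round(closeness, 4)))
    return sorted(result, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score in topsis(CANDIDATES):
        print(f"{name}: {score}")
```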

Analysis and Description of the Inner Workings of the FreeRTOS Kernel

This document is an analysis and functional decomposition of FreeRTOS version 4.1.3. FreeRTOS is a real-time, preemptive operating system targeting embedded devices. The FreeRTOS scheduling algorithm is dynamic and priority based. Interprocess communication is achieved via message queues and basic binary semaphores. Deadlocks are avoided by forcing all blocking processes to time out, with the result that application developers are required to set and tune timeouts and deal with resource allocation failures. Basic memory allocation schemes are provided, but more complex schemes can be directly coded and incorporated. FreeRTOS provides some unique capabilities: cooperative instead of preemptive scheduling can be used, and the scheduler can be suspended by any task for any duration of time. No mechanisms to counter priority inversion are implemented. Overall, FreeRTOS was determined to be slightly too feature-rich for limited-resource embedded devices. A simplified version may be beneficial to certain communities.

Review of Very Recent Research into Location Services for Position-Based Routing

Position-based routing protocols use position information supplied through GPS, multilateration, etc. to assist mobile ad-hoc and sensor networks in the routing task while reducing control traffic and memory overhead when compared to traditional position-less protocols. However, position-based routing requires a location service to assist in the maintenance and dissemination of location information and the success of position-based protocols rests on the ability of the location service to be both effective and efficient. In this paper, we review four very recent developments in this area of research.