M.Sc. Thesis Project Proposals

These are draft proposals, to give you a feeling of what types of project I am currently offering. If you are interested in any of them, please contact me, and we can if necessary discuss final versions adapted to your personal interests. I am also in general willing to supervise other projects in similar areas, for example in collaboration with industrial companies. If you have any proposals of this type, make sure to come and talk to me about them in good time, so we can get the details finalised well before the project is intended to start.

Robin Sharp
August 2007.


Distributed Debugging by Causality Analysis

Most techniques for debugging programs in centralised systems are in the final analysis based on collecting up a sequence of snapshots of the state of the system and using these to deduce an explanation of which parts of the program gave rise to particular (undesirable) changes in this state. In a distributed system it is not possible to get a true picture of how the global state changes without freezing all activity in the system. Thus techniques for observing the state are most often based on so-called causality analysis, in which one investigates sequences of states observed at events (such as transmission and receipt of a message) which could be related by a cause/result relationship. A well-known example of this approach is Chandy and Lamport's technique for collection of "Distributed Snapshots".

In this M.Sc. project, a tool based on causality analysis for debugging in a distributed system is to be specified and implemented. The task requires you to consider how relevant, causally related sub-states are to be specified and collected up, how the collected information is to be presented to the user and how non-deterministic phenomena are to be dealt with. In addition it is necessary to consider how the tool is to be incorporated into a distributed environment which, for example, has a processor pool architecture, as in a system intended for running applications based on the Grid Computing paradigm.
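As an added illustration of the kind of causality analysis the proposal refers to (this is example code written for this page, not part of the proposal, and the three-process trace it analyses is constructed), the following Python program stamps the events of a run with vector clocks, one standard way of recording the happened-before relation, and then recovers from the stamps alone which events could have contributed to an observed failure:

```python
"""Causality analysis of a distributed trace using vector clocks.

Added example: each process keeps a vector clock, a send stamps the
message with the sender's clock, and a receive merges it. From the
stamped events a debugger can recover the happened-before relation
(and the causal history of a failure) without ever freezing the
system for a global snapshot. The trace below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    proc: str
    name: str
    clock: Tuple[int, ...]


class VectorClockTrace:
    def __init__(self, procs: List[str]):
        self.procs = procs
        self.idx = {p: i for i, p in enumerate(procs)}
        self.clocks = {p: [0] * len(procs) for p in procs}
        self.events: List[Event] = []
        self.in_flight: Dict[str, List[int]] = {}  # message id -> clock at send

    def _tick(self, p: str) -> None:
        self.clocks[p][self.idx[p]] += 1

    def _record(self, p: str, name: str) -> Event:
        ev = Event(p, name, tuple(self.clocks[p]))
        self.events.append(ev)
        return ev

    def local(self, p: str, name: str) -> Event:
        self._tick(p)
        return self._record(p, name)

    def send(self, p: str, msg: str) -> Event:
        self._tick(p)
        self.in_flight[msg] = list(self.clocks[p])  # timestamp travels with the message
        return self._record(p, f"send {msg}")

    def recv(self, p: str, msg: str) -> Event:
        sent = self.in_flight.pop(msg)  # KeyError: receipt of a message never sent
        self.clocks[p] = [max(a, b) for a, b in zip(self.clocks[p], sent)]
        self._tick(p)
        return self._record(p, f"recv {msg}")


def happened_before(a: Event, b: Event) -> bool:
    """a -> b iff a's clock is <= b's in every component and differs somewhere."""
    return a.clock != b.clock and all(x <= y for x, y in zip(a.clock, b.clock))


def concurrent(a: Event, b: Event) -> bool:
    """Neither event could have influenced the other."""
    return not happened_before(a, b) and not happened_before(b, a)


def causal_history(trace: VectorClockTrace, ev: Event) -> List[Event]:
    """Every recorded event that could have contributed to ev: the sub-state
    a causality-based debugger would collect and present for it."""
    return [e for e in trace.events if happened_before(e, ev)]


def build_example_trace() -> VectorClockTrace:
    """Constructed three-process run: P1 -> P2 -> P3, with P3 observing a bug."""
    t = VectorClockTrace(["P1", "P2", "P3"])
    t.local("P1", "init")
    t.send("P1", "m1")
    t.local("P3", "init")
    t.recv("P2", "m1")
    t.send("P2", "m2")
    t.recv("P3", "m2")
    t.local("P3", "bug observed")
    return t


if __name__ == "__main__":
    trace = build_example_trace()
    for e in causal_history(trace, trace.events[-1]):
        print(e.proc, e.name, e.clock)
```

Events with incomparable clocks are concurrent, which is exactly where non-determinism enters: two concurrent events may be observed in either order on different runs, so a debugger must present them as unordered rather than imposing the order in which their log records happened to arrive.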

Prerequisites: 02222 Distributed Systems

Adaptive Firewalls for GRID Computing

Large distributed systems which are based on the Grid paradigm are typically composed from a number of smaller clusters of computers connected by a high-speed network. The clusters are usually in different administrative domains, where each domain has its own policies for security, authorisation, and so on, and typically there is a firewall on the boundary between each pair of adjacent domains. The current state of the art is for these firewalls to be opened up statically for a large number of ports when the system is set up for Grid computing, whether or not any running application needs them. This is evidently a security risk, and more dynamic and intelligent ways of controlling the firewalls need to be developed.

In this M.Sc. project, a proposal for firewall control is to be made, which enables ports to be securely opened and/or closed on the firewalls in a dynamic manner, based on the needs of the submitted applications. The project will involve a study of the current state of the art in Grid systems, design of mechanisms for controlling the firewalls adaptively in a secure manner, and — to the extent that time permits — implementation of the design on a cluster of computers available at the department. The project is an element in a large research project on Grid Computing, in which IMM is involved in investigation of the security aspects of very large distributed computing systems.

Prerequisites: 02222 Distributed Systems, 02233 Network Security.

Incremental Trust in GRID Systems

In distributed systems, management of the right to access system resources is an important pre-condition for the implementation of secure distributed computations. An important aspect of this is the management of trust, i.e. the extent to which a system can rely on a set of credentials as proving that an access request complies with a given security policy. In a distributed system following the GRID paradigm this is a complex problem, since new users with credentials issued by new authorities can be expected to try to access resources in the system.

In this M.Sc. project, the aim is to investigate the use of a system for incremental trust management, in the sense that the degree of trust in a credential can rise and fall over time, depending on whether the activities attempted by a holder of the credential are acceptable or unacceptable from a security point of view. The project will involve an initial study of relevant literature on trust management, formulation of algorithms or heuristics for increasing and decreasing trust, and finally specification and — to the extent that time permits — implementation of an access control system based on a trust management engine which can deal with incremental trust. The project is an element in a large research project on Grid Computing, in which IMM is involved in investigation of the security aspects of very large distributed computing systems.
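One possible shape for the trust management engine described above, as an added example written for this page rather than a design from the proposal: a per-credential score that rises slowly with acceptable actions, drops sharply on unacceptable ones, and decays back towards a neutral baseline while the holder is idle, so that neither a good nor a bad reputation lasts forever. The reward, penalty, half-life and per-operation thresholds are assumptions chosen for the demonstration, and the credential name is constructed.

```python
"""Incremental trust for credentials (added example, not from the proposal).

Asymmetric update: slow to gain, fast to lose. Idle-time decay of the
deviation from the baseline is exponential with a configurable half-life.
Access requires the decayed score to reach a per-operation threshold.
"""
from typing import Dict, Tuple


class TrustEngine:
    def __init__(self, baseline: float = 0.5, reward: float = 0.05,
                 penalty: float = 0.3, half_life: float = 3600.0) -> None:
        self.baseline = baseline
        self.reward = reward        # assumed: small credit per acceptable action
        self.penalty = penalty      # assumed: large debit per unacceptable action
        self.half_life = half_life  # seconds for the deviation from baseline to halve
        self.state: Dict[str, Tuple[float, float]] = {}  # credential -> (score, last update)

    def trust(self, cred: str, now: float) -> float:
        """Current score with idle decay applied; unknown credentials start at baseline."""
        if cred not in self.state:
            return self.baseline
        score, last = self.state[cred]
        factor = 0.5 ** (max(0.0, now - last) / self.half_life)
        return self.baseline + (score - self.baseline) * factor

    def observe(self, cred: str, acceptable: bool, now: float) -> float:
        """Record an action judged acceptable or not; return the new score."""
        score = self.trust(cred, now)
        score += self.reward if acceptable else -self.penalty
        score = min(1.0, max(0.0, score))
        self.state[cred] = (score, now)
        return score

    def authorise(self, cred: str, required: float, now: float) -> bool:
        return self.trust(cred, now) >= required


# Assumed thresholds for operations on a Grid resource.
POLICY = {"read": 0.35, "submit_job": 0.6, "admin": 0.9}


def demo() -> Dict[str, bool]:
    """A credential from a previously unknown authority earns job submission
    with a few acceptable actions and loses it again after one violation."""
    eng = TrustEngine()
    cred = "CN=user1,O=NewVO"  # constructed credential name
    for k in range(4):
        eng.observe(cred, True, now=k * 10)  # four acceptable actions within 30 s
    before = {op: eng.authorise(cred, th, now=40) for op, th in POLICY.items()}
    eng.observe(cred, False, now=50)  # one policy violation
    after = {op: eng.authorise(cred, th, now=50) for op, th in POLICY.items()}
    return {"submit_before": before["submit_job"], "admin_before": before["admin"],
            "submit_after": after["submit_job"], "read_after": after["read"]}
```

Two points a real engine must add: the judgement of "acceptable" should come from an independent monitor rather than from the requester's own claims, and the decay towards baseline must be slow enough that an attacker cannot simply wait out a penalty and retry.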

Prerequisites: 02222 Distributed Systems, 02230/02345 Computer Security.

Unsupervised Learning for Intrusion Detection

In a series of previous M.Sc. projects, a variety of techniques have been investigated for analysing the behaviour of computer systems in order to identify attacks by malicious persons or programs which have been designed to have malicious effects. A common feature of the techniques considered has been that they are based on supervised learning, where the analysis system has been trained to recognise patterns of activity which have been classified in advance by an experienced analyst as being malicious, or to recognise patterns of activity which deviate from those classified in advance as "normal" or non-malicious. Unfortunately, in many practical situations, the amount of data is so large that it is not feasible for an expert to carry out a complete classification, and supervised learning becomes unreliable.

In this project, the aim is to supplement the previous investigations with techniques based on unsupervised learning. Here the training process is not based on a previous classification by an expert, but on some kind of self-organising principle, such as cluster detection, principal components analysis, self-organising maps, entropy-based methods or stochastic machines. The project will involve a study of the literature on the use of unsupervised learning for intrusion detection, selection of one or more methods for evaluation, and the specification and development of a simple tool which exploits the chosen method(s) and which can provide the user with useful information about attack patterns which are observed in a real-life computer system.
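The following is an added example, written for this page and not taken from any of the previous projects mentioned, of one of the entropy-based methods listed above. No labelled data is used: for each time window the Shannon entropy of the destination-port and source-address distributions is computed, and a window is reported when its entropy is a robust outlier (median and median absolute deviation) relative to the other windows. A port scan drives destination-port entropy up and source entropy down; a single-port flood does the opposite. The flow records are constructed.

```python
"""Unsupervised anomaly detection on flow records via distribution entropy.

Added example. Flows are (time, source address, destination port).
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, int]


def entropy(counts) -> float:
    """Shannon entropy in bits of a histogram given as a mapping value -> count."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def window_entropies(flows: List[Flow], width: float) -> Dict[int, Dict[str, float]]:
    buckets = defaultdict(list)
    for t, src, dport in flows:
        buckets[int(t // width)].append((src, dport))
    return {w: {"dport": entropy(Counter(d for _, d in recs)),
                "src": entropy(Counter(s for s, _ in recs))}
            for w, recs in sorted(buckets.items())}


def robust_z(values: Dict[int, float]) -> Dict[int, float]:
    """Modified z-score (x - median) / MAD, scaled to be comparable with a normal z."""
    xs = sorted(values.values())
    n = len(xs)
    med = xs[n // 2] if n % 2 else (xs[n // 2 - 1] + xs[n // 2]) / 2
    devs = sorted(abs(x - med) for x in xs)
    mad = devs[n // 2] if n % 2 else (devs[n // 2 - 1] + devs[n // 2]) / 2
    scale = mad if mad > 0 else 1e-9  # identical windows: any departure from the median stands out
    return {w: 0.6745 * (x - med) / scale for w, x in values.items()}


def detect(flows: List[Flow], width: float = 60.0, threshold: float = 3.5) -> List[Tuple[int, str, float]]:
    """Return (window, feature, z) for every window whose entropy is an outlier."""
    ents = window_entropies(flows, width)
    hits = []
    for feature in ("dport", "src"):
        z = robust_z({w: e[feature] for w, e in ents.items()})
        hits += [(w, feature, round(s, 1)) for w, s in z.items() if abs(s) > threshold]
    return sorted(hits)


def constructed_flows() -> List[Flow]:
    """Constructed traffic: eight ordinary 60 s windows (four hosts, three services),
    then one window with a single-host port sweep, then one single-port flood."""
    hosts = [f"10.0.0.{i}" for i in range(1, 5)]
    flows: List[Flow] = []
    for w in range(8):
        ports = [22] * 4 + [80] * 4 + [443] * 4 if w % 2 == 0 else [22] * 6 + [80] * 3 + [443] * 3
        flows += [(w * 60 + i, hosts[i % 4], p) for i, p in enumerate(ports)]
    flows += [(8 * 60 + i, "192.0.2.7", 1000 + i) for i in range(50)]          # port scan
    flows += [(9 * 60 + i, f"198.51.100.{i}", 80) for i in range(50)]          # flood of port 80
    return flows


if __name__ == "__main__":
    for w, feature, z in detect(constructed_flows()):
        print(f"window {w}: {feature} entropy anomalous (z={z})")
```

The baseline here is taken from the whole data set at once; in a live system it would be maintained from a sliding history of windows, and the operator would want the top contributing addresses and ports for each flagged window alongside the score, since an entropy value alone does not say what happened.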

Prerequisites: 02230/02345 Computer Security; 02233 Network Security.

Forensic Examination of Log Files

Most modern computer systems maintain log files which contain details of what has been going on in the system in the (recent) past. When a cybercriminal attack takes place, these files will typically collect up information which reveals that an attack is in progress, and which potentially can also reveal its origin. To recognise the attack, it is however often necessary to recognise a small pattern of log events within a very large log file — in a large system, perhaps of several tens or even hundreds of gigabytes.

The aim of this project is to develop a tool for automatically performing examination of log files, in order to be able to detect attacks, report their existence and, if possible, localise their origins. The project involves a study of suitable pattern recognition and data mining techniques, followed by specification and implementation of a tool which makes use of one or more of these techniques in order to supply investigators with timely and appropriate information.
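To make the "small pattern in a very large file" problem concrete, here is an added example (written for this page, not a tool from the project) that finds one such pattern in sshd logs: a burst of failed logins from a source followed by a successful login from the same source within a short window. The file is read once, line by line, and only the timestamps of recent failures per source are kept, so memory does not grow with the size of the log. The log lines are constructed, in ordinary syslog format; the threshold and window are assumptions.

```python
"""Streaming detection of a brute-force-then-success pattern in sshd logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, Optional, Tuple

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")


def parse(line: str) -> Optional[Tuple[datetime, str]]:
    m = LINE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year: fine for deltas unless the log spans New Year.
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]


def find_brute_force(lines: Iterable[str], threshold: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> Iterator[dict]:
    """Yield one report per source that logs in successfully after >= threshold
    failures within `window`. State per source is a deque of recent failure times."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = FAILED.search(msg)
        if m:
            q = failures[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:  # forget failures outside the window
                q.popleft()
            continue
        m = ACCEPTED.search(msg)
        if m and m["ip"] in failures:
            q = failures.pop(m["ip"])  # a success resets the source either way
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                yield {"ip": m["ip"], "user": m["user"], "failures": len(q),
                       "first_failure": q[0], "success": ts}


# Constructed sample: an old burst that succeeds only 90 minutes later (outside the
# window, not reported), a user mistyping once, and a real attack from 203.0.113.5.
SAMPLE_LOG = (
    [f"Jan 12 01:00:0{i} host sshd[210{i}]: Failed password for root from 198.51.100.9 port 3300{i} ssh2"
     for i in range(1, 7)]
    + ["Jan 12 02:30:00 host sshd[2190]: Accepted password for root from 198.51.100.9 port 33010 ssh2",
       "Jan 12 03:14:01 host sshd[2201]: Accepted publickey for alice from 10.0.0.12 port 51522 ssh2",
       "Jan 12 03:14:07 host sshd[2210]: Failed password for root from 203.0.113.5 port 40001 ssh2",
       "Jan 12 03:14:09 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
       "Jan 12 03:14:12 host sshd[2212]: Failed password for root from 203.0.113.5 port 40003 ssh2",
       "Jan 12 03:14:15 host sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2",
       "Jan 12 03:14:20 host sshd[2214]: Failed password for root from 203.0.113.5 port 40005 ssh2",
       "Jan 12 03:14:25 host sshd[2215]: Failed password for root from 203.0.113.5 port 40006 ssh2",
       "Jan 12 03:15:02 host sshd[2220]: Failed password for bob from 10.0.0.33 port 50111 ssh2",
       "Jan 12 03:15:08 host sshd[2221]: Accepted password for bob from 10.0.0.33 port 50111 ssh2",
       "Jan 12 03:16:40 host sshd[2230]: Accepted password for root from 203.0.113.5 port 40007 ssh2",
       "Jan 12 03:17:00 host cron[400]: (root) CMD (run-parts /etc/cron.hourly)"]
)

if __name__ == "__main__":
    for hit in find_brute_force(SAMPLE_LOG):
        print(hit)
```

On a real multi-gigabyte file the same generator is simply fed from the open file object. Two things it does not yet do: purge sources that fail a few times and never return (their deques stay in memory), and cope with an attacker who spreads the attempts over many source addresses, which needs a per-target-account key in addition to the per-source one.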

Prerequisites: 02230/02345 Computer Security; 02233 Network Security.

A Timed Calculus for Access Control

In 1993, Abadi, Burrows, Lampson and Plotkin published a proposal for a calculus which could be used for reasoning about access control, including aspects such as delegation of rights, trust and the adoption of roles which carry less authority than the principal who assumes the role. However, even though the handling of access control requires guarantees of validity for a given period of time, the calculus does not deal very satisfactorily with the temporal aspects of an access control system.

In this M.Sc. project, the aim is to develop a calculus which includes the temporal aspects of the problem in a natural way. The starting point is expected to be Abadi et al.'s proposal, which is to be extended with syntactic and semantic elements for describing relevant temporal phenomena. The logic for reasoning about whether an access request can be granted under a given access control policy is then to be formulated and formalised within the framework of a proof assistant such as Isabelle. Finally, if time allows, the access control system can be implemented as a reference monitor for use in a practical distributed system, with a view to demonstrating the practical usefulness of the approach.
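As an added example of the flavour of extension envisaged (written for this page; it is not the calculus the project is meant to produce, and it is an executable approximation rather than a formalisation), the following Python code tags the two basic ABLP-style facts, "B speaks for A" and "A says s", with validity intervals and derives consequences by intersecting intervals. A request is granted at an instant t if the owner of the resource can be derived to say the request at t. Principal names and the delegation policy are constructed.

```python
"""Timed 'speaks for' / 'says' reasoning (added example, not from the proposal).

Facts:
  SpeaksFor(B, A, I): during interval I, whatever B says, A says.
  Says(A, s, I):      A says s during interval I.
Rules (& is interval intersection):
  SpeaksFor(B, A, I1), Says(B, s, I2)       ==> Says(A, s, I1 & I2)
  SpeaksFor(C, B, I1), SpeaksFor(B, A, I2)  ==> SpeaksFor(C, A, I1 & I2)
Times are integers; intervals are half-open [start, end).
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple, Union

Interval = Tuple[int, int]


def meet(a: Interval, b: Interval) -> Optional[Interval]:
    s, e = max(a[0], b[0]), min(a[1], b[1])
    return (s, e) if s < e else None


@dataclass(frozen=True)
class Says:
    principal: str
    statement: str
    valid: Interval


@dataclass(frozen=True)
class SpeaksFor:
    agent: str      # the principal doing the speaking
    principal: str  # the principal on whose behalf it speaks
    valid: Interval


Fact = Union[Says, SpeaksFor]


def closure(facts: Iterable[Fact]) -> Set[Fact]:
    """Apply both rules to a fixpoint. Terminates because every derived interval
    is an intersection of given ones, so only finitely many facts can arise."""
    known: Set[Fact] = set(facts)
    while True:
        new: Set[Fact] = set()
        delegations = [f for f in known if isinstance(f, SpeaksFor)]
        statements = [f for f in known if isinstance(f, Says)]
        for d in delegations:
            for s in statements:
                if s.principal == d.agent:
                    i = meet(d.valid, s.valid)
                    if i:
                        new.add(Says(d.principal, s.statement, i))
            for d2 in delegations:
                if d2.agent == d.principal:
                    i = meet(d.valid, d2.valid)
                    if i:
                        new.add(SpeaksFor(d.agent, d2.principal, i))
        if new <= known:
            return known
        known |= new


def granted(owner: str, delegations: Iterable[SpeaksFor], requester: str,
            statement: str, t: int) -> bool:
    """The owner controls the resource: grant iff `owner says statement` is derivable at t.
    The request itself is modelled as the requester saying the statement at instant t."""
    request = Says(requester, statement, (t, t + 1))
    return any(isinstance(f, Says) and f.principal == owner and f.statement == statement
               and f.valid[0] <= t < f.valid[1]
               for f in closure(set(delegations) | {request}))


# Constructed policy: Owner delegates to Manager for [0,100); Manager to Bob for [50,200).
DELEGATIONS = [SpeaksFor("Manager", "Owner", (0, 100)), SpeaksFor("Bob", "Manager", (50, 200))]

if __name__ == "__main__":
    for t in (20, 60, 150):
        print(t, granted("Owner", DELEGATIONS, "Bob", "access(db)", t))
```

Note what the intersection rule buys: Bob's authority over the database ends at time 100 when the Manager's own delegation expires, even though Bob's certificate from the Manager runs to 200. The reference monitor's notion of "now" is part of the trusted computing base here; a monitor whose clock can be set back re-admits expired delegations.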

Prerequisites: 02243 Access Control, 02281 Data logic.

The Secure Mobile Employee

The modern business trend is for employees to use a variety of mobile devices to assist them in a wide spectrum of activities. A typical executive, salesperson or engineer may, for example, travel round with a laptop PC, a PDA and a mobile smartphone, all of which may contain information which is important, perhaps even vital, for his or her company. These devices may be extensively used outside the company premises, for example at home, in the train, at the airport, in hotels and so on — locations where security is not under the company's control and may be very poor.

In this project, the aim is to analyse this situation from the point of view of providing adequate facilities in a secure manner to employees whose work involves a degree of mobility. The project will involve investigating and evaluating the security risks which this form of working creates for the company, and making one or more proposals for how to organise the company's computer systems in order to avoid these risks.

Prerequisites: 02222 Distributed Systems, 02230/02345 Computer Security; 02233 Network Security.

Preserving Cybercrime Evidence

Cybercriminals who are trying to hack into a system usually take precautions to remove or hide as many traces of their activity as possible, for example by deleting (parts of) log files, replacing certain system functions by special "hacker versions" which if activated will not reveal the presence of the hacker, and so on. This can make it difficult for a prosecutor to secure reliable evidence of what has happened, in case it is necessary to proceed with criminal charges.

In this project, techniques for ensuring that reliable evidence can be preserved are to be investigated. These will include secure logging, secure system monitoring, and hardening of the system against changes introduced by authorised or unauthorised users. The analysis should consider as many aspects of these techniques as possible, including for example:

Based on this analysis, a design proposal for a system which is resistant to the destruction of cybercrime evidence is to be produced, and (to the extent that time permits) a demonstration model of such a system is to be implemented.
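As an added example of the secure logging technique mentioned above (written for this page; it is not a design from the proposal), here is a forward-secure, hash-chained audit log in the style of Schneier and Kelsey's secure logging scheme. Each entry is authenticated with an HMAC under a key that is replaced by its one-way hash after every write and then erased, and each entry commits to the previous one. An intruder who takes over the host only ever learns the current key, so earlier entries can be neither altered nor removed from the middle without the verifier noticing; truncation of the tail is caught by comparing against the last head hash shipped to a remote party. The initial key and the log messages are constructed.

```python
"""Forward-secure, hash-chained audit log (added example, not from the proposal)."""
import hashlib
import hmac
import json
from typing import List, Tuple

Entry = Tuple[int, str, str, str]  # (index, message, previous head as hex, tag as hex)
GENESIS = b"\x00" * 32
K0 = hashlib.sha256(b"constructed demo key, held by the verifier").digest()


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _body(i: int, message: str, prev_hex: str) -> bytes:
    return json.dumps([i, message, prev_hex]).encode()


def _next_key(key: bytes) -> bytes:
    return _h(b"evolve" + key)  # one-way: K_i cannot be recovered from K_{i+1}


class ForwardSecureLog:
    def __init__(self, k0: bytes) -> None:
        self._key = k0
        self._head = GENESIS
        self.entries: List[Entry] = []

    def append(self, message: str) -> int:
        i = len(self.entries)
        body = _body(i, message, self._head.hex())
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        self.entries.append((i, message, self._head.hex(), tag.hex()))
        self._head = _h(body + tag)
        self._key = _next_key(self._key)  # the key that signed entry i is now gone from the host
        return i

    def head(self) -> bytes:
        """Commitment to the log so far; send it to a remote party after each write."""
        return self._head


def verify(entries: List[Entry], k0: bytes) -> Tuple[bool, int, bytes]:
    """Recompute the chain from K_0. Returns (ok, first bad position or len, final head)."""
    key, head = k0, GENESIS
    for n, (i, message, prev_hex, tag_hex) in enumerate(entries):
        body = _body(i, message, prev_hex)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if i != n or prev_hex != head.hex() or not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False, n, head
        head = _h(body + expected)
        key = _next_key(key)
    return True, len(entries), head


def verify_against_commitment(entries: List[Entry], k0: bytes, remote_head: bytes) -> bool:
    """Chain intact AND it ends at the head the remote party last saw (catches truncation)."""
    ok, _, head = verify(entries, k0)
    return ok and hmac.compare_digest(head, remote_head)


def build_demo_log() -> ForwardSecureLog:
    log = ForwardSecureLog(K0)
    for m in ["boot", "login alice", "sudo alice", "login root from 203.0.113.5", "rm /var/log/auth.log"]:
        log.append(m)
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print(verify(log.entries, K0)[:2])
```

The verifier must hold K0 and the latest head somewhere the intruder cannot reach (a separate log host or a tamper-resistant device), and the logger must genuinely overwrite the old key rather than leave it in swap or a core dump; forward security is only as good as that erasure. Entries written after the compromise are still under the intruder's control, which is why the head should be shipped off-host promptly.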

Prerequisites: 02230/02345 Computer Security; 02233 Network Security.

Intrusion Detection Systems for Mobile Wireless Networks

The recent proliferation of wireless networks and mobile computing equipment has caused a surge of interest in the security properties of such networks. A particular problem is that mobile equipment may be attacked while the user is away from his or her usual controlled environment, and may be infected with malware which then spreads back to the "home environment" when the user returns. Some such infections will be due to the usual viruses and worms known from wired networks, and can be dealt with using standard IDS techniques. However, infections in wireless networks may also compromise the routing mechanisms or cause distortion of traffic patterns in quite new ways which standard IDSs cannot recognise.

The aim of this project is to develop an intrusion detection system which is able to recognise and diagnose patterns of improper activity which are specific to mobile wireless networks. The project will involve a study of the literature on security in mobile wireless networks, an analysis of features of communication which indicate various forms of attack, and the development of a software system which can be used to classify observed combinations of features to identify the nature of the attack (if any) and, where possible, its source. This project builds on a number of previous projects in which neural networks have been used for similar forms of classification in wired networks.

Prerequisites: 02230/02345 Computer Security; 02233 Network Security.

Common Criteria Design Assistant

The Common Criteria for Information Technology Security Evaluation (CC) describe a set of principles for the design and evaluation of secure IT systems. Based on these principles it is possible to formulate a design methodology which can be used to perform systematic design of secure systems, starting from a Protection Profile (PP) which specifies the security requirements of a general class of system, and proceeding via a Security Target (ST), which specifies a specific type of system from this class, to an actual design which implements the ST. Such a systematic design procedure involves selecting a collection of security functional requirements (SFRs) from the large catalogue of components presented in the CC standards, and relating each of them to the specific security threats, assumptions and policies which are relevant for the system under consideration. This involves a considerable book-keeping task which would greatly benefit from computer-based assistance.

The aim of this project is to further develop an existing initial prototype of a tool to provide this assistance. The main focus of the task involves building up an ontology for concepts which typically appear in descriptions of the threats, assumptions and policies applicable to secure IT systems, and incorporating this into the tool, so as to help the designer to find appropriate SFRs for use in dealing with those threats which become apparent during a given design task. Inspiration for this can be found in an existing ontology for CC concepts developed at IMM.

The new prototype should as a minimum be able to help the designer to produce the PP and derive an ST from this. If time allows, it may be extended to include (parts of) the final step of deriving a concrete design from the ST or to assist with the process of providing assurance that the PP, ST and design are correct.
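To show the kind of book-keeping such a tool automates, here is an added example (written for this page; it is not the existing prototype or the IMM ontology) that checks the rationale of a small PP/ST fragment: every threat must be countered by some security objective, every objective met by some SFR, and every selected SFR's catalogue dependencies must be satisfied, either directly or by a component hierarchical to the required one. The threats and objectives are constructed; the SFR names and the dependency fragment are a hand-typed extract from CC Part 2 and should be checked against the standard before use.

```python
"""Rationale and dependency checks for a PP/ST fragment (added example)."""
from typing import Dict, List

# Hand-typed fragment of the CC Part 2 catalogue: component -> dependencies,
# and component -> the component it is hierarchical to. Not authoritative.
CATALOGUE_DEPS = {
    "FAU_GEN.1": ["FPT_STM.1"],   # audit data generation needs reliable time stamps
    "FAU_STG.1": ["FAU_GEN.1"],   # protected audit trail storage needs audit generation
    "FIA_UAU.2": ["FIA_UID.1"],   # authentication before any action needs identification
}
HIERARCHICAL_TO = {"FIA_UID.2": "FIA_UID.1"}


def satisfied(component: str, selected: Dict[str, List[str]]) -> bool:
    """A dependency is met by the component itself or by a selected component hierarchical to it."""
    return component in selected or any(HIERARCHICAL_TO.get(s) == component for s in selected)


def check_rationale(threats: Dict[str, str], objectives: Dict[str, List[str]],
                    sfrs: Dict[str, List[str]]) -> List[str]:
    """objectives: objective -> threats it counters; sfrs: SFR -> objectives it meets.
    Returns a list of human-readable problems; empty means the rationale is complete."""
    problems: List[str] = []
    countered = {t for ts in objectives.values() for t in ts}
    problems += [f"threat {t} is not countered by any objective" for t in threats if t not in countered]
    problems += [f"objective {o} refers to unknown threat {t}"
                 for o, ts in objectives.items() for t in ts if t not in threats]
    met = {o for os in sfrs.values() for o in os}
    problems += [f"objective {o} is not met by any SFR" for o in objectives if o not in met]
    problems += [f"SFR {f} refers to unknown objective {o}"
                 for f, os in sfrs.items() for o in os if o not in objectives]
    problems += [f"SFR {f} is not traced to any objective" for f, os in sfrs.items() if not os]
    for f in sfrs:
        for dep in CATALOGUE_DEPS.get(f, []):
            if not satisfied(dep, sfrs):
                problems.append(f"SFR {f} depends on {dep}, which is not selected")
    return problems


def trace_threat(threat: str, objectives: Dict[str, List[str]], sfrs: Dict[str, List[str]]) -> List[str]:
    """The SFRs that ultimately address a threat, via the objectives that counter it."""
    objs = {o for o, ts in objectives.items() if threat in ts}
    return sorted(f for f, os in sfrs.items() if objs & set(os))


# Constructed ST fragment with two deliberate gaps: an uncountered threat and a missing dependency.
EXAMPLE_THREATS = {
    "T.UNAUTH_ACCESS": "an attacker uses the TOE without being identified and authenticated",
    "T.AUDIT_LOSS": "an attacker deletes or modifies audit records to hide an attack",
    "T.TAMPER": "an attacker modifies TOE executables",
}
EXAMPLE_OBJECTIVES = {"O.AUTH": ["T.UNAUTH_ACCESS"], "O.AUDIT": ["T.AUDIT_LOSS"]}
EXAMPLE_SFRS = {"FIA_UAU.2": ["O.AUTH"], "FIA_UID.2": ["O.AUTH"],
                "FAU_GEN.1": ["O.AUDIT"], "FAU_STG.1": ["O.AUDIT"]}

if __name__ == "__main__":
    for p in check_rationale(EXAMPLE_THREATS, EXAMPLE_OBJECTIVES, EXAMPLE_SFRS):
        print(p)
```

The ontology the proposal calls for sits in front of these checks: its job is to suggest which objectives and SFRs are candidates for a threat phrased in natural language, after which the tabular checks above guarantee nothing is left dangling.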

Prerequisites: 02230/02345 Computer Security; 02263 Formal Aspects of Software Engineering.

Common Criteria Assurance Assistant

The Common Criteria for Information Technology Security Evaluation (CC) describe a set of principles for the design and evaluation of secure IT systems. Based on these principles it is possible to formulate a design methodology which can be used to perform systematic design of secure systems, starting from a Protection Profile (PP) which specifies the security requirements of a general class of system, and proceeding via a Security Target (ST), which specifies a specific type of system from this class, to an actual design which implements the ST. The specification at each stage consists of a set of Security Functional Requirements (SFRs), which state what the IT system is supposed to do from a security point of view, and a set of Security Assurance Requirements (SARs), which state what has to be checked to ensure that the system is correct. Both SFRs and SARs are selected from a large catalogue which is part of the CC standards. Handling all these requirements involves a considerable book-keeping task, which would benefit considerably from computer assistance.

The aim of this project is to develop a prototype of a tool to provide assistance with the task of handling the SARs. The task involves two main elements:

  1. To systematise and computerise the catalogue of possible security-related assurance requirements presented in the CC documents.
  2. To produce an ontology for concepts which typically appear in descriptions of the assurance requirements, and to incorporate this into a tool which can help the designer to derive descriptions of appropriate concrete tests and controls from the (rather abstract) SARs.

Prerequisites: 02230/02345 Computer Security; 02263 Formal Aspects of Software Engineering.

Security Awareness for Senior Citizens

The use of simple questionnaires for investigating people's knowledge of and attitudes to complex technical problems is fraught with difficulties, as people without technical training often simply do not understand the questions or their implications. They may in fact have an idea of how the technical system works which is quite different from the idea in the head of the questioner. It may therefore only be possible to deduce their level of knowledge in relation to practical scenarios with which they are presented.

The aim of this project is to investigate this problem, focussing on the area of IT security awareness among elderly people. The project involves reviewing current practice in investigating elderly people's knowledge and understanding of computer security issues, setting up a number of simulated scenarios with which participants in a web-based questionnaire can interact, and which are instrumented to monitor the participants' reactions, and testing out the system on groups of elderly people, many of whom have no technical background in the use of computers.

This project is part of a larger project to investigate IT-security awareness among the general public in Denmark, in which IMM works in collaboration with DK-CERT and DPU.

Prerequisites: 02230/02345 Computer Security.


Robin Sharp
2007-08-24