Making the New Currency Safer to Transport
Georgia Tech's Information Security Center studying technical and
By Jane M. Sanders and C. Blake Powers
From customer records to advanced product research, information has become the cornerstone of operations for business, government, industry and the military. Every day, threats to the safety of this "new currency" blare from news headlines:
curious hackers, computer-based terrorists, industrial espionage and even "information warfare" between nations. Protecting this new commodity is of critical importance.
photo by Stanley Leary GTRI researcher Jim Cannady, right, and his colleagues are using a Cray supercomputer to develop information security technologies.
Last year, the Georgia Institute of Technology moved to address both technical and policy issues
of information security with the establishment of the Georgia Tech Information Security Center (GTISC). Researchers are now identifying the problems and developing solutions to those problems. GTISC is expected to make great strides under the leadership of its new director, Dr. Blaine Burnham, who assumed his position in December 1998. He formerly worked at the National Security Agency.
See sidebar story: Two Infamous Cases of Computer Hacking
"Until now, most efforts at information security have been ad hoc in that a problem is discovered and a Band-Aid applied," said Dr. J. Michael Cummins, the director of Georgia Center for Advanced Telecommunications Technology (GCATT), who also served as GTISC's interim director. "There is no underlying conceptual framework to think through all these issues particularly on a policy level. We formed the Information Security Center to be the leader in developing that theoretical infrastructure, while providing specific solutions to both technical and policy issues."
Among the fundamental issues under study by GTISC are the sources of information security breaches and the importance of information security to economic growth. Specific technical issues being investigated include: network security evaluation; external attack detection; computer performance versus security tradeoffs; broadband network security; the security and viability of the Internet II; and security applications to make telecommuting more widely adopted. GTISC is addressing these issues with a cross-disciplinary group of researchers from: the Georgia Tech College of Computing, the organizational seat of GTISC; Georgia Tech Research Institute; GCATT; and the Sam Nunn School of International Affairs.
"We have strengths in both basic and applied research, and researchers are already collaborating with each other," says Peter Freeman, dean of the College of Computing. "Georgia Tech also has a lot of experience working with top industry, governmental and academic leaders. So we bring a strong and integrated approach to the information security issue."
Fundamental Issues of Information Security
Just what is information security? Dr. Philip Enslow, a professor in the College of Computing, explains it this way: "It means that tomorrow morning when I get to work and turn on my computer, all my systems and processes will work correctly, my information will be available and not be corrupted, and no one will have had access to my data."
Such issues as defining the standard for information security represent the theoretical side of the problem, Enslow says. "There are a lot of pieces required to make a secure operating system," he explains. "There's encryption for data links, firewalls and other issues like digital signatures.... But I want to help develop the overall framework for such security issues and not get mesmerized by individual components such as firewalls.
"Security systems operate in an environment created by government regulation, criminal law and the mores of society," Enslow says. "These are political issues that are important to business, society and government."
Educating the stakeholders about security issues is Enslow's focus. He wants to emphasize the importance of information security to economic growth.
"There's been a lot of focus on the Y2K problem, but after it is dealt with, I think more businesses will start to realize that their economic survival depends on the security of their information," Enslow says. "But it may not get enough attention until there's some nasty litigation like a stockholder lawsuit. Really, information security is as much the responsibility of the board of directors as is having sprinkler systems and guards for their warehouses."
Two Infamous Cases of Computer Hacking
The New York Times
In September 1998, hackers sabotaged The New York Times Web site in the first known successful hack of a major media organization. The hackers were able to break in to the Times Web site and replace its front pages with pornography and hidden messages. When the Times attempted to update its site, the hackers responded with counterattacks. Finally, the Times gave up and took its site down for about eight hours.
The Times was using what is called a common gateway interface, or CGI, to create its Web pages. Experts believe the hackers probably launched their attack through holes they found in the site’s CGI scripting. This language is used for various interactive features on Web pages.
In a series of break-ins in 1994, the bank's payment system was compromised for about $10 million. The bank says it eventually recovered most of that sum. Subsequently, Citibank tightened its computer security system.
But before those measures were taken, the Russia-based hackers were able to electronically transfer large sums of money into their international bank accounts.
The hackers apparently used valid user IDs and passwords of other banks to accomplish the fund transfers. How they got those passwords, given Citibank's security, remains a mystery. Some officials believed the hackers had inside help, but Citibank says no employees were involved.
Jane M. Sanders
Enslow also wants to dispel a common misperception. Most information security breaches are not external ones. They are internal ones caused by sabotage, accidents or incompetence, he says. Businesses need to learn how they can verify the reliability of their employees and their information processing operations to maintain security.
Evaluating Security of Networks
Meanwhile, businesses are addressing security issues such as electronic commerce conducted via the Internet. They are increasingly dependent on the security of their computer networks. Yet they lack an effective method for assessing the security of external networks that could dramatically degrade their own computer network security, says Jim Cannady, a research scientist at the Georgia Tech Research Institute (GTRI).
"The current lack of a standard method of assessing the security of networks is one of the factors that has prevented the large-scale use of electronic commerce," Cannady says.
So GTRI researchers are developing a standard methodology called the Network Security Evaluation Criteria (NetSEC) for evaluating the security of external network systems. It will also help system administrators identify improvements needed to elevate their networks to desired levels of security.
Learning the Characteristics of Attacks
While internal attacks on information security may be more widespread, the threat of external attacks by hackers is still very real and quite complex.
"The individual creativity of attackers, the wide range of computer hardware and operating systems, and the ever-changing nature of the overall threat to targeted systems have contributed to the difficulty in identifying network system intrusions," Cannady says.
The need to detect both known and new types of external attacks on a system is the focus of another GTRI research project. Cannady is addressing this need with the power and flexibility of artificial neural networks. These networks consist of collections of processing elements that are highly interconnected. Each collection transforms a set of inputs to a set of desired outputs.
In a neural network demonstration project called SENTINEL, Cannady is developing an intrusion detection system that identifies not only previous types of attacks, but new ones something current rule-based systems cannot do. The system gains experience with each effort so that it "learns" the characteristics of attacks. That should allow the system to eventually predict attacks and monitor activities, collecting information for responses to attacks and the prosecution of those behind them.
Cannady has compiled promising results from tests of two prototype neural networks. One, the multi-level perceptron (MLP) network, was able to correctly identify each of the embedded attacks in the test data. This test demonstrated the ability of a neural network to identify specific events that may be part of an intrusion. But most attacks involve a series of events, Cannady says. So he also tested a hybrid MLP/self-organizing map prototype. Results showed the network's ability to identify seemingly subtle, time-evolving attack patterns interspersed randomly in ordinary Internet traffic.
Information Security vs. Application Performance
Yet another issue is the tradeoff between information security and application performance. Security computations consume a great deal of application processing resources, and this detracts from the performance of shared, collaborative, real-time and electronic commerce software programs. Thus host computers often cannot handle Internet user demand for applications such as ones designed for electronic commerce that require high levels of security.
Enter the concept of adaptive security being developed by researchers in the Georgia Tech College of Computing. Adaptive security provides a protocol for systems to adapt to changes in user/application security requirements and host system computation resource capability.
"Our mission is to address performance vs. security tradeoffs by adapting to the constantly changing availability of computation and communication resources," says Dr. Phyllis Schneck. She is a recent Ph.D. graduate conducting this research with Dr. Karsten Schwan, a professor in the College of Computing, and Dr. Santosh Chokhani, president and CEO of CygnaCom Solutions, an information security company in McLean, Va.
"We want to provide an on-line, near-optimal allocation of these resources over time," Schneck says. "The end goal is to minimize overall risk by borrowing available security processing resources on one communication stream to 'lend' to other application streams that may currently be lacking."
She and her colleagues have developed a suite of dynamic authentication heuristics (basically, exploratory problem-solving techniques) to help achieve high levels of security with scarce computation resources. The suite optimizes the use of host computer resources while still preserving appropriate levels of security and providing feedback to users when any changes are made. Users can initiate changes in security level as well, while applications are running. A Georgia Tech Research Corporation patent is pending on the heuristics suite.
Uniqueness of GTISC
Expectations are high for the success of GTISC in solving major information security problems because of its unique comprehensive approach. Several institutions in the United States collect statistics, investigate vulnerabilities and conduct research, Schneck says. But Georgia Tech is unique because it offers a "fusion" of technical and policy expertise.
"One of the special qualities about Georgia Tech is the way in which the research here is often a cross-disciplinary, collaborative effort done with industrial partners," Schneck says. "In that same spirit, GTISC symbolizes the synergistic combination of academia and industry to conduct new research, commercialize new technologies and educate our community. It is this combination that eventually enables greater global economic growth."
For more information, you may contact Dr. Blaine Burnham, College of Computing, Georgia Institute of Technology, Atlanta, GA 30332-0280. (Telephone: 404/894-3152) (E-mail: email@example.com); or Jim Cannady, Information Technology & Telecommunications Laboratory, Georgia Tech Research Institute, Atlanta, GA 30332-0832. (Telephone: 404/894-9730) (E-mail: firstname.lastname@example.org)
Last updated: January 14, 1999
Contents | Research Horizons | GT Research News | GTRI | Georgia Tech
Send questions and comments regarding these pages to Webmaster@gtri.gatech.edu