Project Title: Protecting e-Government
E-Government is characterised by complex interacting software
systems, where the potential for attack and fraud comes not only
from outside the different systems, but also from inside. Users
of the system, administrators and third parties may abuse or
attack the system by exploiting application-level inadequacies in
the software. Detecting such application-level attacks can be
almost impossible at the packet or operating system level, which
is the level at which most Network-based Intrusion Detection
Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS)
work.

For the kind of software system typically deployed by
e-Government this project has:

· investigated novel approaches to application-oriented anomaly
  detection in the context of web applications, the
  service-oriented architecture and message-oriented middleware;
  developed systems to support the monitoring of interactions and
  the automated analysis of relationships and invariants in these
  systems;
· developed new approaches, via the vehicle of Aspect Oriented
  Programming (AOP), to abstract complex cross-cutting security
  concerns into clear-cut AOP modules, e.g. solutions for some
  vulnerabilities, monitoring, testing;
· developed new approaches for the detection of vulnerabilities
  in typical e-Government components, e.g. inter-component
  communication middleware and application servers.
Anomaly Detection with Multiple Models

The paradigmatic idea of an anomaly-based intrusion detection
system is that the system has knowledge of normal or “self”
behaviour and looks for exceptional or “non-self” activity,
assuming that attacks often appear as radically abnormal usage of
the system. The scheme was inspired by the human immune system,
which differentiates self and non-self protein patterns.
Following the same biological analogy, our system focuses on
application-level security, in contrast to NIDS or HIDS. The
anomaly detector being developed uses a range of detection models
in order to characterise different features of the normal
behaviour pattern of the system. In the training phase, models
are trained to approximate the normal characteristics of features
in the e-Government system. In the detection phase, when new data
is observed, each trained model produces a probability that a
feature extracted from the data is normal; abnormal behaviour
shows up as lower probabilities. In the case of e-Government, the
anomaly detection system is designed in the context of web
applications, the service-oriented architecture and
message-oriented middleware. In these contexts the features that
the different models characterise are the length of attributes,
timing between requests, structure of messages, character
distribution of attributes (e.g. n-grams), etc.

The multi-model anomaly detector analyses messages passing in
business interactions and derives an application-specific profile
from the output probabilities of the multiple models. Utilising
application-specific characteristics, the system detects
anomalies which represent malicious intrusions or other faults,
and hence efficiently provides protection for each application.
The detectors are deployed in each distributed component in an
e-Government domain. In the future, methodologies (e.g.
correlation, reaction) to analyse detection results from
distributed components in one domain will be investigated.
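
The training and detection phases described above, as an added
example (not the project's own code): two of the feature models
the text names, attribute length and character distribution, each
return a score in [0, 1], and a value is flagged when any score
is low. The class names, the 0.5 threshold, the Chebyshev length
bound, the character-class bigram score and the sample values are
assumptions made for illustration.

```python
# Constructed training data: normal values of a "full name" form attribute.
TRAINING = ["Alice Smith", "Bob Chu", "Maria Garcia", "John O'Neil",
            "Wei Zhang", "Anna-Lena Berg", "Li Na", "Omar Haddad"]

class LengthModel:
    """Attribute length: score is the Chebyshev bound var/dist^2, capped at 1."""
    def train(self, values):
        lens = [len(v) for v in values]
        self.mean = sum(lens) / len(lens)
        self.var = sum((n - self.mean) ** 2 for n in lens) / len(lens)

    def probability(self, value):
        dist = abs(len(value) - self.mean)
        return 1.0 if dist == 0 else min(1.0, self.var / dist ** 2)

class BigramModel:
    """Character structure: share of character-class bigrams seen in training."""
    @staticmethod
    def _bigrams(value):
        cls = ["a" if c.isalpha() else "d" if c.isdigit() else
               "s" if c.isspace() else c for c in value]
        return [x + y for x, y in zip(cls, cls[1:])]

    def train(self, values):
        self.seen = {b for v in values for b in self._bigrams(v)}

    def probability(self, value):
        grams = self._bigrams(value)
        return sum(g in self.seen for g in grams) / len(grams) if grams else 1.0

class MultiModelDetector:
    """Trains every model on normal data; the profile holds one score per model."""
    def __init__(self):
        self.models = {"length": LengthModel(), "bigram": BigramModel()}

    def train(self, values):
        for model in self.models.values():
            model.train(values)
        return self

    def profile(self, value):
        return {name: m.probability(value) for name, m in self.models.items()}

    def is_anomalous(self, value, threshold=0.5):
        return min(self.profile(value).values()) < threshold

if __name__ == "__main__":
    det = MultiModelDetector().train(TRAINING)
    for v in ["Carol Jones", "a=1;b=2|c&d", "A" * 400]:  # constructed probes
        print(repr(v[:20]), det.profile(v), det.is_anomalous(v))
```

The second probe has a normal length but an unseen character
structure, and the third the reverse, so each is caught by a
different model.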
Enhancing Application Level Security via AOP

Aspect Oriented Programming (AOP) is a promising advanced
modularisation technique which works on top of other
modularisation methods such as OOP or procedure-based design. It
mainly aims to resolve or separate crosscutting concerns in
program design, with the possibility to specify both the
behaviour of one specific concern (an “aspect”) and how this
behaviour is related or bound (“crosscutting”) to other concerns.
AOP tools work by weaving new AOP “aspects” into the original
byte code at “pointcuts”. This also means AOP does not
necessarily change the source code, and depends little on its
availability.

Security concerns in a complex system are often distributed
across different modules. As a system continuously evolves,
crosscutting security concerns need to be updated along with
other modules, such as business logic modules, in order to keep
the system secure. Furthermore, requirements and problems
relating to security concerns are often not well understood or
not completely predictable at the design stage. Hence, the
evolution of security concerns, or a redesign, often requires
radical changes across many modules with different
functionalities in a system. The security problems and errors
introduced as a system evolves cause rapidly growing complexity,
which makes it hard to manage the system and keep it secure.

We use AOP as a vehicle to separate security concerns from other
functional concerns. The security concerns we are interested in
include solutions for vulnerabilities (specifically, we designed
and developed a general AOP solution for Cross Site Request
Forgery attacks for servlet applications), monitoring, testing,
and application-level honeypots.
Pre-emptive Vulnerability Detection

As part of this project we have been investigating effective
techniques for black-box testing (a.k.a. fuzzing). Large software
systems depend on many software components from different
providers. When the components are installed, the implicit
assumption is that they are benign. However, simple bugs in a
component can expose the system to malicious code. Also, when
components are interfaced to each other, for example to form new
services, unexpected interactions and vulnerabilities can be
introduced as trust boundaries are crossed. This is common in
e-Government applications.

There are a variety of security testing approaches for
discovering vulnerabilities in software. No single approach is
correct and can uncover all possible vulnerabilities in a given
target. At a high level there are three primary approaches:
white-box, static source code analysis, often used in the
software development stage; grey-box, static binary analysis or
runtime analysis (e.g. debugging) with insights offered by
reverse code engineering (RCE), which has similarities to
white-box testing but with extra complexity; and black-box,
dynamic runtime testing, which can be enhanced by insights from
grey-box or white-box approaches. Most vulnerabilities in
applications are caused by unexpected inputs putting the targeted
system into unexpected states. Black-box testing is good as it is
arguably the only way to confirm real vulnerabilities; it can be
automated and is reproducible, and it makes few assumptions about
the target and availability. A notable aspect of fuzzing is that
its unexpected inputs can break the assumptions made by testers
in white-box or grey-box testing, which has proved to be
efficient for detecting vulnerabilities prior to their
exploitation. This suits the interests of attackers (and is why
fuzzers are used by attackers).

As a powerful tool for finding threats in developing and deployed
systems, and a mechanism for continual security assurance against
new threats, fuzzers are employed as part of the development
cycle in companies like Cisco and Microsoft. We created fuzzers
targeted at vulnerabilities in typical e-Government components,
e.g. inter-component communication middleware and application
servers, and also employed an open source software framework to
automate the testing, monitoring and debugging process. We are
also investigating the use of Genetic Algorithms to improve the
efficiency of fuzzing.
The overall research objectives of this project are to
investigate novel methodologies to fill the gaps in the current
security perimeter; specifically: anomaly-based intrusion
detection for application-level attacks, AOP modules to address
security concerns, and pre-emptive security testing.

Project duration: Nov 2006 to Nov 2008, 24 months.
Contacts: Dr. John Bigham, Jinfu Wang and Bob Chu
Project Title: Self-organising Smart Antennas for Wireless Networks
This project is to implement a network management tool for
wireless networks that uses co-operative smart antennas to manage
the radio resources in order to minimise the effects of
congestion and to provide Quality of Service. This will be done
in the context of the Macao environment.

This work builds on previous research that has led to novel
approaches for changing radio patterns from a mobile base station
(or from a wireless LAN (WLAN) access point) in real time in a
co-operative manner, by applying the technology to real
geographical layouts, in this case Macao. Recent research at QM
has shown that adaptive shaping has the potential to simplify
network planning to cater for non-uniform demand, which is the
norm in practice. This work will extend that network planning to
realistic geographical environments, something that has not been
done before.

The proposal identifies exploitation routes for the technology
that will benefit the Macao economy.

The exact nature of the collaboration is dynamic and autonomous,
so it can be made dependent on load and the location of that
load. The principle of operation is illustrated in Figure 1. If
there is congestion in one cell then an exchange takes place
between that cell and its neighbours in order to collaboratively
optimise the radiation patterns, allowing the congested cell to
shrink and the neighbours to expand in order to fill any “holes”.
This can be done in real time.
Figure 1: Principle of operation
A simulation result showing how the antenna patterns change in a
homogeneous unconstrained network is shown in Figure 2. This
result, taken from Queen Mary research, shows how the shape of
the real radiation patterns (solid lines) has changed in response
to a traffic build-up. As hot spots form in a mobile network, the
call-blocking rate increases, but by using intelligent geographic
load balancing, congestion is much lower than in conventional
networks, especially when there are hotspots rather than a
uniform increase. This scenario is particularly relevant to
Macao, especially during events.

(a) Radiation patterns
(b) Performance evaluation
Figure 2: Results from simulation on homogeneous networks
From the map in Figure 3 it can be seen that the propagation
characteristics in Macao (or indeed any other city) will depend
very much on the geography and the layout of the cells. This is
part of the normal radio planning of any mobile network, since an
operator needs to be able to take into account the effects of
such factors as buildings, hills and open spaces; deciding where
to site base stations depends on this radio planning. This means
that the radiation patterns are not simple circles on a
rectangular grid, but depend very much on the local
characteristics: for example, buildings create radio shadows. The
project will produce a system that takes the geographic data into
account and, using sophisticated patch antenna technology,
automatically controls base stations' coverage to adapt to the
always-changing patterns.

Figure 3: Map of part of Macao
The overall objectives are, therefore, to:

· Apply the self-organising smart-antenna concept to city
  scenarios where there are geographical constraints.
· Produce a working proof-of-concept network management
  demonstrator for managing radio resources using smart antennas
  for GSM/GPRS, WLAN and/or 3G.
· Apply this to the geographical attributes of Macao.

Project duration: Jan 2006 to Jan 2008, 24 Months
Contact: Dr. Yapeng Wang