GTISC Research Thrusts
GTISC is viewed as a leader in several key research areas in information security. In particular, the center has had a major impact recently in two areas: novel strategies for detecting emerging cyber security threats, and techniques for countering large-scale attacks. The CLEANSE project, directed by Professor Wenke Lee, was funded by the National Science Foundation Cyber Trust program in 2008 as a large team award. CLEANSE is conducting research in areas such as botnet detection, malware analysis and broader challenges associated with monitoring of large-scale systems. Prof. Lee has also received signifi-cant funding from DoD (a recent MURI award) and DHS for research in this broad area. The Apiary initia-tive, jointly launched with GTRI in 2008, will allow us to conduct data collection and analysis for emerging threats research in the classified domain, as well. In 2008, Prof. Patrick Traynor established the Converged Infrastructures Security (CISEC) laboratory to explore security challenges for converged communication, including mobile-device security and security of cellular and wireless networks. The MedVault project, jointly with Children's Healthcare of Atlanta, is focusing on security and privacy of electronic medical records, including user-centric access control and detection of potentially anomalous access patterns. Other projects in areas such as cryptography, virtualization security, embedded soft-ware security, privacy, and information quality demonstrate the significant breadth and depth of GTISC research programs.
CLEANSE: Cross-Layer Large-Scale Efficient Analysis of Network Activities to SEcure the Internet
Attacks on the Internet have not only increased in the past half-decade, they have also become more organized or planned. Whereas previous virus and worm epidemics were motivated by fame or curiosi-ty, the current generation of malware authors seek to harvest the resources of victimized machines and then use them to launch for-profit fraudulent activities, such as email/blog spam, phishing, click fraud, etc., as well as traditional attacks such as distributed Denial-of-Service (DDoS). We call the fraudulent activities on the Internet "layer-8" attacks because, rather than disrupting network services or exploiting application software, they misuse the features and functions of network applications. Layer-8 attacks pose a serious threat to vital Web applications such as e-commerce and social communication and net-working.
The CLEANSE project aims to develop an analysis and detection framework to secure the Internet against large-scale and coordinated layer-8 attacks by botnets or other/future forms of large-scale com-promises. A key objective is to anticipate and detect new trends in how a large mass of infected ma-chines (such as a botnet) is used to launch attacks. We identify the basic network services that are necessary for large-scale attacks, and we develop new analysis and detection algorithms and infrastruc-tures to monitor network activities related to these services to detect and predict/prevent current and future attacks. In addition to the new monitoring technologies, a critically important objective of CLEANSE is to develop new or improved network services/protocols that can prevent attacks and enable more effective and efficient Internet-monitoring mechanisms.
The CLEANSE project team includes leading security research groups from Georgia Tech, the University of North Carolina at Chapel Hill, and the University of Michigan at Ann Arbor, and strong partners in in-dustry (major ISPs, Internet/network operators, security companies). The CLEANSE project will ensure that the set of new security technologies developed by the researchers, with the help of industry part-ners, will be integrated and evaluated in the real world and have a path for technology transfer. In addi-tion, our education and outreach efforts include joint technical workshops with industry and law enforcement agencies.
CISEC: Converging Infrastructures SECurity
The convergence of mobile and fixed networks combined with the rich applications enabled by these networks has revolutionized the way people and businesses communicate and access information. Technologies such as VoIP, IPTV and IMS have seen tremendous growth in popularity. Since these tech-nologies will rely on Internet Protocol (IP) -based networks, they will face the same kind of security threats that exist in the Internet. In fact, there are strong reasons to believe that many of the threats we face in the desktop and laptop world will migrate to mobile devices such as smart phones. Since com-munication and information sharing are essential for many critical applications, we will have to address the security of such networks and applications to meet high trust and availability expectations that come from traditional telecommunications networks.
The Converging Infrastructure Security (CISEC) Laboratory is exploring security challenges for emerging communications technologies. In particular, we seek to develop innovative methods, techniques and tools with which critical communications infrastructure can be protected as it rapidly converges with the larger Internet. Our efforts broadly cover both technical and policy issues, with particular focus and ex-pertise in the areas of cellular network security, VoIP and emerging telecommunications security, wire-less and mobile systems security, IPTV, and identity management. For example, we are developing techniques to remotely repair compromised mobile devices and studying how social network linkages can be used to reduce unwanted communication without sacrificing privacy. Communication prove-nance, a broader research challenge that seeks to securely discover relevant attributes of a communi-cating party or the quality of the communication itself, also presents numerous problems that are being addressed by this group.
The CISEC research team includes both security and networking researchers from GTISC, GTRI and OIT. Members of the Georgia Tech Research Network Operations Center (GT-RNOC) are active participants in this project. The GT-RNOC-supported IMS laboratory, which is the only such research and educational resource in an academic setting, is a unique resource for CISEC projects. Our research has been featured in the top security and networking conferences and journals, presented regularly to corporate and gov-ernment partners, and covered extensively in the popular press.
MedVault: Privacy and Security of Electronic Medical Records
Storage of medical record information in electronic format and the sharing of this information among different health care organizations have the potential to produce enormous improvements in the quality and efficiency of the health care system. At the same time, the proliferation of electronic medical records (EMRs) carries with it significant risks. The information contained in medical records is of the utmost sensitivity, and unauthorized disclosure of such information has the potential to damage lives and harm careers. Concerns over security and privacy have slowed the adoption of advanced informa-tion technologies by the health care industry. As one simple example, the use of mobile devices—not only handhelds but also laptops—is forbidden by many large health care organizations because of po-tential data leakage when the devices are taken out of protected health care IT domains. Currently, the movement toward widespread sharing of EMR data among different organizations is being impeded by legitimate privacy concerns. There is an urgent need for research to provide a broad set of information security and privacy mechanisms that are well integrated with health care systems and workflows, the-reby enabling more rapid adoption of advanced information technologies in this critical application area.
To protect security and privacy of EMR information, the MedVault project is exploring new techniques for the storage, maintenance and control of sensitive data that permit open sharing among a wide varie-ty of legitimate users while protecting the data against unauthorized use and disclosure. There are a number of unique challenges to providing security and privacy of widely shared EMR data. Among these are how to provide flexible access-control mechanisms and policies in a federated environment; how to closely integrate privacy and access-control mechanisms with secure storage techniques that are necessary to protect the integrity, confidentiality and availability of data in storage systems; and how to pro-tect data everywhere in the system, including on the end devices that are the most vulnerable points. Finally, any technological solutions that are developed must be seamlessly integrated with the overall health system and its medical processes. In particular, the solutions must be capable of providing strong security and privacy while at the same time ensuring that patient safety is never compromised as a re-sult of security precautions.
The interdisciplinary MedVault research team is comprised of computer systems security researchers, health care systems researchers and health care practitioners. It is uniquely suited to carry out research to address the security and privacy challenges we will face with EMRs.
GT Apiary: Experimental Test-beds and Research Facilities for Collection and Analysis of Hostile Network Traffic
To facilitate data-driven research, GTISC has jointly worked with GTRI to architect and deploy a honey-net framework known as the GT Apiary. The goal of the GT Apiary is to provide a shared resource to academic and applied research teams for the collection and analysis of hostile traffic. By providing a common facility for such projects, it is possible to offer richer resources and foster collaboration (where appropriate). Since all Apiary-enabled efforts will share a common infrastructure, high-level evaluation and demonstration of ongoing projects becomes easier, which addresses the goal of being able to raise awareness of Apiary capabilities to internal and external stakeholders.
GT Apiary will also facilitate greater collaboration between GTISC academic faculty and GTRI research-ers. In particular, GTRI projects potentially could use the facilities in support of classified research. The data sharing for threat- and vulnerability-assessment research will be able to utilize the tools and tech-niques developed by the broader GTISC research community.