
Approaches to computer security: Filtering, testing, and detection

Posted on: 2001-01-29
Degree: Ph.D
Type: Dissertation
University: University of California, Davis
Candidate: Puketza, Nicholas Joseph
Full Text: PDF
GTID: 1468390014955274
Subject: Computer Science
Abstract/Summary:
In recent years a variety of approaches to computer security have evolved, including filtering, testing, and detection. In this dissertation, we present research based on each of these approaches.

We first introduce a design and prototype for a device called Safe Modem that protects a computer from Internet threats. Safe Modem examines network packets and discards suspicious ones. We implemented two key features in the prototype: e-mail filtering and header-based packet filtering. We also conducted experiments to measure communication delays caused by the prototype.

Regarding testing, we present a methodology for testing intrusion detection systems (IDSs). The methodology includes test-case selection strategies and detailed testing procedures, especially for stress-testing. We include quantitative results from testing an IDS called Network Security Monitor. We also describe a software platform we developed to support the methodology.

Concerning detection, we present a protocol called WATCHERS that detects routers that drop or misroute packets. The protocol checks for “conservation of flow” in each router: the number of data bytes in packets flowing into a router should match the number of data bytes in packets flowing out. We discuss WATCHERS' response to several different attack scenarios. We also provide a complexity analysis of WATCHERS' memory and communication requirements and running time.

We next introduce a filtering strategy that protects network programs against message-flooding attacks. Under this strategy, the server scans its queue of incoming messages periodically and discards messages from unauthorized or misbehaving clients. The defense depends on a strong message-authentication method for identifying unauthorized clients. We present simulation results showing that the strategy helps a server to perform significantly better during a flooding attack. We also present a preliminary mathematical model of a server using the strategy.

As a second example of testing research, we introduce a methodology for testing network programs, based on analyzing the grammar that specifies valid incoming messages. The methodology is an instance of a general testing approach called partition testing. We describe how we used the methodology to test the Unix finger daemon program.
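The conservation-of-flow idea behind WATCHERS can be illustrated with a small audit over per-router byte counters. The following is an added example, not code from the dissertation: it assumes each router reports, per neighbour, the data bytes it received and forwarded, plus what it consumed or originated locally. The topology, counter values and the 100-byte tolerance (slack for packets still in flight) are constructed for illustration. Two checks are shown: the per-router balance that exposes a router whose inbound bytes exceed its outbound bytes, and a per-link cross-check of a sender's claimed outbound count against the receiver's observed inbound count, which exposes a router that inflates its counters to hide the imbalance. Misroute detection, which the abstract attributes to WATCHERS without describing the mechanism, is not modelled here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example in the spirit of WATCHERS' conservation-of-flow check; data structures,
# topology and tolerance are assumptions, not the protocol as specified in the dissertation.


@dataclass
class RouterReport:
    """Per-router byte counters, as a router would report them to its neighbours."""
    name: str
    bytes_in: Dict[str, int] = field(default_factory=dict)   # neighbour -> data bytes received from it
    bytes_out: Dict[str, int] = field(default_factory=dict)  # neighbour -> data bytes forwarded to it
    consumed: int = 0      # data bytes addressed to this router itself
    originated: int = 0    # data bytes this router generated itself


def flow_imbalance(r: RouterReport) -> int:
    """Bytes that entered (or were generated) minus bytes that left (or were consumed).
    Zero for an honest router; positive means bytes vanished, negative means bytes appeared."""
    return (sum(r.bytes_in.values()) + r.originated) - (sum(r.bytes_out.values()) + r.consumed)


def check_conservation(reports: Dict[str, RouterReport], tolerance: int = 100) -> List[Tuple[str, str, int]]:
    """Per-router conservation-of-flow check. Returns (router, verdict, imbalance) for violators."""
    findings = []
    for r in reports.values():
        delta = flow_imbalance(r)
        if abs(delta) > tolerance:
            findings.append((r.name, "dropping" if delta > 0 else "injecting", delta))
    return findings


def cross_check_links(reports: Dict[str, RouterReport], tolerance: int = 100) -> List[Tuple[str, str, int, int]]:
    """Compare what a sender claims it forwarded on a link with what the receiver says it got.
    Returns (sender, receiver, claimed, observed) for links whose two ends disagree."""
    mismatches = []
    for r in reports.values():
        for nbr, claimed in r.bytes_out.items():
            observed = reports[nbr].bytes_in.get(r.name, 0)
            if abs(claimed - observed) > tolerance:
                mismatches.append((r.name, nbr, claimed, observed))
    return mismatches


def build_reports(b_claims_to_c: int) -> Dict[str, RouterReport]:
    """Constructed three-router path A - B - C with B as the transit router.
    B takes in 10000 data bytes bound for C but C only ever receives 7500 of them;
    b_claims_to_c is what B *reports* having forwarded to C."""
    return {
        "A": RouterReport("A", bytes_in={"B": 4000}, bytes_out={"B": 10000}, consumed=4000, originated=10000),
        "B": RouterReport("B", bytes_in={"A": 10000, "C": 4000}, bytes_out={"A": 4000, "C": b_claims_to_c}),
        "C": RouterReport("C", bytes_in={"B": 7500}, bytes_out={"B": 4000}, consumed=7500, originated=4000),
    }


# Constructed scenarios: an honest-counting dropper and a dropper that inflates its outbound counter.
HONEST_DROPPER = build_reports(b_claims_to_c=7500)   # conservation check flags B
LYING_DROPPER = build_reports(b_claims_to_c=10000)   # link cross-check flags the B->C link

if __name__ == "__main__":
    for label, reports in (("honest counters", HONEST_DROPPER), ("inflated counters", LYING_DROPPER)):
        print(label, "| conservation:", check_conservation(reports), "| links:", cross_check_links(reports))
```

Neither check alone is sufficient: a router that drops traffic but reports its counters truthfully fails the per-router balance, while one that fabricates counters passes that balance and is instead caught by the disagreement between its claim and its neighbour's observation. This is why the protocol relies on counters kept by both ends of every link rather than on a router's self-report.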
Keywords/Search Tags: Testing, Filtering, Security, Detection, Computer, Approaches, Methodology, Called