Sunday, April 3, 2011

A Talk by Mr. Usama Tharwat Elhagari in Seminar In Info. Sec. Class (MCS 2070)

Assalamualaikum... This is the 4th talk, and this time it was by Mr. Usama Tharwat Elhagari. He is from Egypt and he is doing his research in Trusted Computing. This talk was held on 2nd and 3rd March 2011. Mr. Usama shared his knowledge about the background of Trusted Computing. According to him, today's systems are very vulnerable to a range of attacks. Protecting IT systems through software-only mechanisms cannot solve all the security problems alone. Operating systems (OS) and application software are very complex, and removing all software vulnerabilities is an almost impossible task. The number of attacks on software, OS and applications is higher compared with attacks on hardware. As users become more mobile, physical theft becomes more of a concern. He then stated that some security problems are unsolvable without a bootstrap to protected hardware. He added that software-only security applications cannot protect the hardware platform against attacks on its integrity or against modification of the security software itself. Then he briefed us on the Trusted Computing Platform Alliance (TCPA). The TCPA was established in the year 1999; the promoters (main players) are Compaq, IBM, Intel, HP and Microsoft, and it consists of more than 200 members. He then talked about the TCG Mission Statement. TCG stands for Trusted Computing Group. According to its mission statement, the TCG is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, industry standards for trusted computing building blocks and software interfaces across multiple platforms.

He then told us about the definition of TRUST. Trust means different things to different people. In trusted computing, we use it in the sense of behavioral reputation: something is trusted if it behaves in the expected manner for a particular purpose (Mitchell, 2005). He then added a better definition of trust: an entity can be trusted if it always behaves in the expected manner for the intended purpose. An entity is a platform, or an application or service running on a platform. Examples of platforms are PCs, PDAs, smart phones, etc. Trusted computing is of great significance for building secure computing systems based on a new architecture in both hardware and software (Kallath, 2005). TC is an industry initiative intended to protect data in computer platforms from software attack, and that includes protecting servers, desktops, laptops, PDAs, mobile phones and computer peripherals (Mitchell, 2005). He then explained the Trusted Platform (TP). A TP is a computing platform that has a trusted component, probably in the form of built-in hardware, which it uses to create a foundation of trust for software processes (Pearson, 2002). Then he explained the Chain of Trust. The chain of trust expands from component to component. The generic steps of the chain of trust are: receive control, measure the next entity, and pass control to that entity. The Root of Trust is a hardware or software mechanism that one implicitly trusts (Gunupudi, 2008; Siani Pearson, 2005; Stavroulakis et al., 2010). Misbehavior of the root of trust is not detectable and affects the whole chain of transitive trust. Then he explained in detail the Fundamental Features of a Trusted Platform. These consist of three criteria: Protected Capabilities, Integrity Measurement and Storage, and Integrity Reporting. He then added about the TCG's specifications: the TCG issues different specs for enabling trust in different platforms such as desktops and laptops.
He then explained the roots of trust, secure storage, attestation, TPM key types, examples of key usage and the TPM components.
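To make the chain of trust and integrity reporting concrete, here is a small simulation I am adding to these notes; it is not code from the talk or from any TCG specification. It models the "receive control, measure the next entity, pass control" loop with a TPM-style extend operation (PCR_new = H(PCR_old || measurement), using SHA-256 here as an assumption; a real TPM 1.2 PCR uses SHA-1), and shows the verifier side recomputing the expected value from the event log. The component images, names and known-good values are all constructed for the example. Note that the first measurement is taken by the root of trust itself, which is never measured: if it lies, nothing below it can tell, which is exactly the point made above about root-of-trust misbehavior.

```python
import hashlib

# Constructed sample "images" standing in for the stages of a boot chain (not real firmware).
BOOT_CHAIN = [
    ("bootloader", b"bootloader v1.0 (constructed sample image)"),
    ("kernel",     b"kernel 2.6 (constructed sample image)"),
    ("init",       b"init scripts (constructed sample image)"),
]

def measure(image: bytes) -> bytes:
    """Measurement of a component: a hash of its image, taken before control is passed to it."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Extend operation modeled on a TPM PCR: PCR_new = H(PCR_old || measurement).
    One-way and order-dependent, so the register summarizes the whole sequence."""
    return hashlib.sha256(pcr + measurement).digest()

def run_chain(chain):
    """Walk the chain of trust. Each stage measures the next entity, records the measurement
    in the PCR (protected storage), then hands over control.
    Returns (final_pcr_hex, event_log) where event_log lists (name, measurement_hex)."""
    pcr = bytes(32)  # the PCR starts at all-zero at platform reset
    log = []
    for name, image in chain:
        m = measure(image)       # measure next entity
        pcr = extend(pcr, m)     # store the measurement
        log.append((name, m.hex()))
        # ... pass control to the entity (not simulated) ...
    return pcr.hex(), log

def replay(log) -> str:
    """Verifier side (integrity reporting): recompute the PCR the log claims to describe."""
    pcr = bytes(32)
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr.hex()

def attest(reported_pcr: str, log, known_good: dict) -> bool:
    """Accept the platform only if the event log replays to the reported PCR value
    and every logged measurement equals the known-good value for that component."""
    if replay(log) != reported_pcr:
        return False  # the log does not match the register: tampered or forged log
    return all(known_good.get(name) == m for name, m in log)

# Constructed reference values: what the verifier expects from an untampered chain.
GOOD_PCR, GOOD_LOG = run_chain(BOOT_CHAIN)
KNOWN_GOOD = dict(GOOD_LOG)

def tampered_chain():
    """The same chain with the kernel image changed by a single byte."""
    chain = list(BOOT_CHAIN)
    chain[1] = ("kernel", BOOT_CHAIN[1][1] + b"!")
    return chain

if __name__ == "__main__":
    pcr, log = run_chain(BOOT_CHAIN)
    print("untampered chain:", pcr[:16], "... accepted =", attest(pcr, log, KNOWN_GOOD))
    pcr2, log2 = run_chain(tampered_chain())
    print("tampered kernel :", pcr2[:16], "... accepted =", attest(pcr2, log2, KNOWN_GOOD))
    # A tampered platform that presents the good log still fails, because the log no
    # longer replays to the PCR value the hardware actually holds.
    print("forged log      : accepted =", attest(pcr2, GOOD_LOG, KNOWN_GOOD))
```

Two things are worth noticing when running it: a one-byte change to any component changes the final register value, and presenting the untampered log with a tampered register (or the reverse) is rejected because the log must replay exactly to the reported PCR. Reordering the stages also produces a different value, which is why the extend operation, rather than a plain set of hashes, is used.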

Saturday, April 2, 2011

A Talk by Mr. Dahliyusmanto in Seminar In Info. Sec. Class (MCS 2070)

Assalamualaikum... This is the third talk, and this time it was by Mr. Dahliyusmanto on 24th February 2011. Here's a brief about him: he is from Indonesia and he is a PhD student under the supervision of Prof. Hanan. During his Master by Research study, he focused his research on an Intrusion Detection System (IDS) of Combination Anomaly Detecting Different Analysis. In this brief talk, he shared with us about Intrusion Detection Systems (IDS). Firstly he began with the definition of intrusion. An intrusion is a set of actions that attempt to compromise the Confidentiality, Integrity and Availability (CIA) of a resource. For example, Denial of Service (DoS) attacks: an attempt to starve a host of resources; and compromises: obtaining privileged access to a host through known vulnerabilities. Intrusion Detection is the process of identifying and responding to intrusion activities. He then explained the Elements of Intrusion Detection; the primary assumptions are that system actions are observable, and that normal and intrusive actions have distinct evidence.

The components of an IDS from an algorithmic perspective are the features and the models. The features capture intrusion evidence, while a model pieces the evidence together. From a system architecture perspective, the various components are: audit data processor, knowledge base, decision engine, alarm generation and responses. The components of an IDS are (1) Information Collection, (2) Detection and (3) Responses. Meanwhile, the parameters of an IDS are (1) Accuracy, (2) Performance and (3) Completeness. Sources are (1) Host-based, (2) Network-based, (3) Application-based and (4) Hybrid. Furthermore, he stated that there are two kinds of IDS response: active and passive. For IDS placement, it could be placed anytime, anywhere, whether inside or outside the firewall. The IDS modeling approaches are (1) features: evidence extracted from audit data, and the analysis approach. There are two types of detection. The first is Misuse Detection and the other is Anomaly Detection. Misuse Detection looks for attack signatures in the user's behavior. The weakness of this kind of detection is that it always needs updated virus signatures and cannot detect new virus threats. Anomaly Detection statistically analyses the user's current actions, compares them against profiles describing the user's normal behavior, and reports significant deviations to the security officer. The advantage of anomaly detection is that it can detect new virus threats. He then explained Host-based vs Network-based IDS. A Host-based IDS uses the operating system's (OS) auditing mechanisms. For example, BSM on Solaris logs all direct or indirect events generated by a user. The Host-based IDS then monitors the execution of system programs, e.g. by analysing the system calls made by "sendmail", to detect and examine malicious activity. It is optimized for monitoring individual hosts and monitors the system's network activity, file system, log files and user actions. A Network-based IDS deploys sensors at strategic locations, e.g. packet sniffing via tcpdump at routers. It inspects network traffic, watching for violations of protocols and unusual connection patterns. It monitors user activities and may be easily defeated. He then stated that the next generation of IDS is adaptive (detects new intrusions), scenario-based, and correlates (multiple sources of) audit data and attack information. The challenges of IDS are (1) runtime limitations, (2) specification of detection signatures, and (3) dependency on the environment and a high rate of false alarms, which is the limiting factor for the performance of an IDS. The potential solutions are: (1) data mining, (2) machine learning techniques (supervised learning, unsupervised learning), and (3) Co-Simulation Mechanism: integrating the misuse and anomaly detection techniques by applying a co-stimulation mechanism. Lastly, he stated that in the future maybe he could talk about Intrusion Prevention Systems, and then the class was dismissed.
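To illustrate the misuse-versus-anomaly distinction from the talk, here is a small host-based detector I am adding to these notes (my own example, not from the speaker). The signatures, the audit lines and the per-user history are all constructed; the signature patterns are illustrative and are not real attack signatures. The misuse part matches known patterns against each audit line; the anomaly part builds a profile (mean and standard deviation of a user's daily failed-login count) and reports a deviation beyond a z-score threshold. The sample shows the weakness and strength noted above: a line matching a known signature is caught by misuse detection, a novel event with no signature is missed by it, and the same novel activity is flagged by the anomaly detector purely because the count deviates from the profile.

```python
import re
from statistics import mean, pstdev

# --- Misuse detection: known signatures (constructed, illustrative patterns only) ---
SIGNATURES = {
    "sendmail-debug": re.compile(r"sendmail.*\bdebug\b"),
    "passwd-read":    re.compile(r"open\(/etc/passwd\)"),
}

def misuse_detect(line: str) -> list:
    """Return the names of every signature the audit line matches (empty if none)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]

# --- Anomaly detection: statistical profile of one numeric feature per user ---
def build_profile(history: list) -> tuple:
    """Profile of normal behavior: (mean, population std dev) of past daily counts."""
    return mean(history), pstdev(history)

def anomaly_score(profile: tuple, observed: int) -> float:
    """z-score of today's count against the profile. A zero-variance profile is an
    edge case: any change from the constant value is treated as maximally anomalous."""
    mu, sigma = profile
    if sigma == 0:
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma

def anomaly_detect(profile: tuple, observed: int, threshold: float = 3.0) -> bool:
    """Report a significant deviation from the user's normal behavior."""
    return anomaly_score(profile, observed) > threshold

# Feature extraction from audit data: failed logins per user in the given lines.
FAIL_RX = re.compile(r"Failed password for (\w+)")

def failed_logins_per_user(lines: list) -> dict:
    counts = {}
    for line in lines:
        m = FAIL_RX.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def analyse(lines: list, history: dict, threshold: float = 3.0) -> list:
    """Run both detectors. Returns alerts as (kind, subject, detail) tuples."""
    alerts = []
    for line in lines:
        for sig in misuse_detect(line):
            alerts.append(("misuse", sig, line))
    counts = failed_logins_per_user(lines)
    for user, past in history.items():
        observed = counts.get(user, 0)
        if anomaly_detect(build_profile(past), observed, threshold):
            alerts.append(("anomaly", user, f"{observed} failed logins today"))
    return alerts

# Constructed sample data: seven days of past daily failed-login counts per user ...
HISTORY = {"alice": [1, 0, 2, 1, 1, 0, 1], "bob": [0, 0, 1, 0, 0, 0, 0]}
# ... and today's audit lines (constructed; addresses and hostnames are placeholders).
TODAY_LOG = (
    ["host1 sshd: Failed password for alice from 10.0.0.5"]
    + ["host1 sendmail: started with debug option"]           # matches a known signature
    + [f"host1 sshd: Failed password for bob from 10.0.0.{i}" for i in range(20)]
    + ["host1 ftpd: open(/etc/shadow) requested by bob"]      # novel: no signature for it
)

if __name__ == "__main__":
    for alert in analyse(TODAY_LOG, HISTORY):
        print(alert)
```

Running it prints one misuse alert (the sendmail line) and one anomaly alert (bob, 20 failed logins against a profile of roughly zero); alice's single failure stays within her profile, and the /etc/shadow line produces no misuse alert because no signature covers it. The threshold is the knob the talk's "high rate of false alarms" challenge refers to: lowering it catches smaller deviations at the price of more alerts on ordinary days.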