Making the Internet World Safe From Cyber-Criminals

As early as 1996, the dangers of a cyber-assault were recognized by Professor Salvatore J. Stolfo of the Department of Computer Science, and he received Defense Advanced Research Projects Agency (DARPA) funding for a project on intrusion detection systems (IDS). His foresight has resulted in Columbia’s computer science security group being regarded as one of the top research groups in the country.

Fifteen years ago, it would have been difficult to imagine how deeply dependent Americans would become on the Internet and network-based technologies — and how vulnerable because of them. “Computer security was quite underdeveloped in academic institutions prior to 2000, except for the areas of cryptography and secure network protocols,” says Stolfo. “Today, if you think cryptography alone is the answer, you don’t know the problem.”

Through his persistence and insistence, the Computer Science Department began to hire new faculty to broaden the areas of security research, establish a strong educational program in computer security, and build a faculty with similar and related interests. The core group of Columbia researchers who work with Stolfo includes Professor Steven M. Bellovin, a member of the National Academy of Engineering formerly with AT&T Labs Research, Associate Professor Angelos Keromytis, and Assistant Professor Tal Malkin.

Working with them in interdisciplinary efforts are Professor and Department Chair Henning Schulzrinne, Professor Gail Kaiser, Associate Professors Tony Jebara, Jason Nieh, Vishal Misra and Dan Rubenstein; Assistant Professor Simha Sethumadhavan, and Adjunct Senior Research Scientist Moti Yung. These faculty members form Columbia’s Systems Security Center, which researches network systems security in order to respond to anomalous conditions and malicious attacks.

“We now have a group of talented faculty that focuses on hard problems to secure our computing infrastructure and our own personal computing devices that we depend upon as well as to make the Internet a safe place,” Stolfo says. Over the last five years, the group has won grants and awards that total more than $11 million.

Bellovin, Keromytis, Malkin and Stolfo’s most recent grant, for nearly $650,000, is to investigate how to search databases using a method that protects both the querier and the subject of the query. It is essential to find a solution that will serve law enforcement and intelligence agencies without violating civil liberties. Stolfo says the group already has an algorithm, an approach, and an elegant system with which to demonstrate it, but there is still significant work to do. “The solution must be implemented in a manner that is efficient, because if you can execute only one query a day, it is not good enough,” he says.

An important component of the group’s research is developing sound mathematical foundations for applications requiring security and privacy by expanding the foundations of cryptography to withstand stronger, more realistic attacks. “Traditional cryptographic models are not sufficient for many current applications that take place in complex computing environments, such as the Internet, or on small portable devices that are easily tamperable,” says Malkin. To address this, the team has developed new solutions with provable security against various attacks, including side channel attacks, key exposure and tampering, and active and dynamic malicious adversaries.

The research of Columbia’s security team will make it safer to be on the Internet. Cyber-threats to the average American are well-known and come from multiple directions. From the credit card numbers stolen by hackers who place “keyloggers” on home computers to those taken from the databases of major retail chains, the average consumer is at daily risk. Columbia’s security researchers are not waiting for the attackers; they are studying new attacks. They have created an engine that generates polymorphic malicious code that looks “normal,” such as text. They devised this engine to understand how to defend against this advanced threat.

Polymorphic malware (malicious software) can be automatically recomposed to look entirely different. Hackers can generate a vast number of distinct instances of their malware to defeat current signature-based anti-virus scanners. The number of signatures a typical AV scanner would need is enormous, rendering the use of “black list” signatures unfeasible. The current generation of commonly used AV scanners is made obsolete by this polymorphic threat.

But there is a solution. Instead of using the “black list” concept of checking against known viruses or worms, the approach is “white listing”: recognizing what is good and categorizing everything else as abnormal and suspect. Normal, good data is modeled by an anomaly detection (AD) algorithm, and anything that does not fit within the parameters of the AD model is considered suspect and is either dropped, rejected, or tested further. The most recent end-point virus scanners have partially adopted this “white listing” technique by emulating suspect data in a protected sandbox.
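To make the white-listing idea concrete, here is an added illustration that is not code from the Columbia group (the page does not describe their actual detectors): a toy byte n-gram whitelist trained on a constructed set of “normal” HTTP requests, where any input made of n-grams never seen in training fails to fit the model. It also shows why the order of the model matters: a payload built only from ordinary text bytes slips past a byte-frequency (n=1) model but is caught by the n=3 model.

```python
from typing import Dict, Iterable, List, Set

def byte_ngrams(data: bytes, n: int) -> List[bytes]:
    """All overlapping n-byte substrings of data."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]

class NgramWhitelist:
    """White-list anomaly detector: the model is the set of byte n-grams seen in
    known-good traffic; input built from unseen n-grams does not fit and is suspect."""
    def __init__(self, n: int = 3) -> None:
        self.n = n
        self.seen: Set[bytes] = set()

    def train(self, samples: Iterable[bytes]) -> None:
        for sample in samples:
            self.seen.update(byte_ngrams(sample, self.n))

    def score(self, payload: bytes) -> float:
        """Fraction of the payload's n-grams never seen in training (0.0 = fits the model)."""
        grams = byte_ngrams(payload, self.n)
        if not grams:
            return 0.0
        return sum(1 for g in grams if g not in self.seen) / len(grams)

    def is_suspect(self, payload: bytes, threshold: float = 0.2) -> bool:
        return self.score(payload) > threshold

# Constructed training set: well-formed requests to a hypothetical site.
NORMAL_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 22\r\n\r\nuser=alice&pass=secret",
]
# Constructed test inputs.
BENIGN = b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BINARY_BLOB = b"GET /" + bytes(range(0x80, 0xA0)) + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Mimicry: only byte values already present in training, so a 1-gram model sees nothing odd.
LOOKS_LIKE_TEXT = b"some plain text that a user might post to a web site " * 2

def build_models() -> Dict[int, NgramWhitelist]:
    """Train a 1-gram (byte frequency) and a 3-gram model on the same normal data."""
    models = {n: NgramWhitelist(n) for n in (1, 3)}
    for m in models.values():
        m.train(NORMAL_REQUESTS)
    return models

if __name__ == "__main__":
    for n, m in build_models().items():
        for name, p in (("benign", BENIGN), ("binary", BINARY_BLOB), ("mimicry", LOOKS_LIKE_TEXT)):
            print(f"n={n} {name:8s} score={m.score(p):.2f} suspect={m.is_suspect(p)}")
```

A real deployment would train on far more traffic and tune the threshold against a held-out set of normal data to control false positives.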

Keeping an individual’s computer safe from intrusion is a small problem compared to protecting the computers that provide the infrastructure to run the country. The risk to the nation is great and the stakes are far higher. It has been reported that cyber-attacks on U.S. government computer networks were up 40 percent over last year, with more infiltrators using more sophisticated malicious software to steal data or control critical systems. Major intrusions were reported in systems controlled by the Departments of Defense, State, Homeland Security and Commerce.

“Everything is now at risk,” says Stolfo. “The Internet does not just give us the ability to twitter or e-mail. It reaches critical networks that control the country’s critical infrastructure — electric power, water, chemical plants — all our infrastructure is accessible through the Internet.”

While businesses have made it easy to remotely access the IT systems operating at power plants for cost savings, this also has created enormous security problems. President Barack Obama has recognized this threat to national security and has included $355 million in cyber-security funding for the government’s 2010 budget. He also has mandated a review of the government’s current cyber-security programs and activities, appointing a new cyber-security chief, Melissa E. Hathaway, to conduct the review and report to the administration with recommendations.

Stolfo hopes that the report will highlight the importance of supporting significant basic and applied research into cyber-security. “There are too many opportunities for our adversaries to break into government systems and do bad things,” says Stolfo. “Advanced research is crucial to defend against this behavior. It really takes a lot of brain power. It is brain against brain. There are very clever, technically astute people who are malicious and driven by a profit motive out there and the defenders have to put themselves in the mindset of the bad guys and predict what they may do in order to prevent them from doing it. Only if we make the right investments will we win. Each side is figuring out how to cripple each other’s systems. It is cyber-war.”

To help educate the next generation of standard-bearers, the CS security faculty has more than 26 doctoral students specializing in computer security. In addition, it has established 10 courses that form the core of a new MS degree track in computer security. More than 30 current graduate students have chosen to concentrate in this track, while students in many other CS tracks are also enrolled in these computer security courses.