Indo-Spain, MICINN-DST Joint Workshop on Information and Communication Technologies
June 3-4th, 2010, IISc Bangalore

Information Security Research in India

N. Balakrishnan and CE Veni Madhavan
Indian Institute of Science, Bangalore


Post on 16-Sep-2019



DISCLAIMER

• This presentation is based on the combined contributions of the teams from Academia and Government Research Laboratories in India
• It is not exhaustive nor is it a complete list of achievements
• Any omission is unintentional
• Purpose is to seek more inclusive participation from everyone.

Cyber Security Strategy – India

Key Initiatives

• Security Policy, Compliance and Assurance
– IT Act, 2000
– IT (Amendment) Bill, 2006, 2008
– Data Protection & Computer crimes
– Best Practice ISO 27001
– Security Assurance Framework for IT Industry
• Security Incident – Early Warning & Response
– CERT-In National Cyber Alert System
– Information Exchange with international CERTs
• Security training / Capacity building
– Skill & Competence development
– Domain Specific training – Cyber Forensics
– Awareness
• Creation of the Data Security Council of India
• Creation of National Internet Exchange
• Research & Development


Information Security Education and Awareness Activities:

MCIT, DSCI, CDAC, IISc, IITs and other academic Institutions

Process of Implementation for Academic Activities

Capacity Building Activities → (Leading to) Starting of Outcome related activities → Outcome

Introduction of Information Security Curriculum (Long-Term & Short-Term Courses) & Education Exchange Programme

Capacity building activities:
• Identify RCs/PIs & sign MoU
• Course design, Syllabus design
• Setting up of Information Security Labs at RCs/PIs
• Conducting Faculty Training Programmes
• PhD Scheme
• Travel Fellowship Scheme for attending conferences, paper presentation, workshops, etc.
• Learning Material Development on specified topics.
• Organising International Conferences
• Bilateral cooperation with foreign institutes
• Accreditation of Courses offered by RCs and PIs with Foreign Universities/ Institutes

Outcome related activities: Launch of courses by RC/PI

i) Introduction of Information Security Curriculum viz.:
• New course on M.Tech. in Info. Security
• M.Tech. in Computer Science with specialisation in Info. Security
• M.Tech. in Electrical/ Electronics/ Communication/ Computers disciplines retrofitted with Info. Security courses
• B.Tech. in Electrical/ Electronics/ Communication/ Computers disciplines retrofitted with Info. Security courses
• PhD programme in Info. Security

ii) Training of System Administrators:
• 2-Semester Post Graduate Diploma in Info. Security
• 1-Semester Certificate Course in Info. Security
• 6-week Short-Term training programme in Info. Security (by RCs only)
• 2-week Short-Term training programme in Info. Security (by PIs)

Outcome:

Qualified IT security professionals for Industry/ Government.

Process of implementation for Government Officers Training

Capacity Building/ Initial Activities → (Leading to) Starting of Outcome related activities → Outcome

Capacity building activities:
• Sign MoU with Implementing Agencies
• Train Master trainers at ISTM, IISc & CMU-USA
• Create Infrastructure for training
• Course design, Syllabus design
• Development of Modular Learning Material

Outcome related activities: Launch of courses by Implementing Agencies

Outcome: Secured IT environment in Government offices.


CERT-IN Vision

• To become the premier Reference and Specialist Centre in Security of Communications and Information Technology in the Asia-Pacific Region.


Mission

• To enhance the security of India’s Communications and Information Technology Realm through proactive action and competent collaboration.

CERT-IN roles

• Track attacks

• Work with the vendors to develop speedy remedies

• Work with the sys admins and CIOs to create awareness

• Send out periodic advisories

• Empanel vendors for certification

• International collaboration

• Developed extensive capabilities in analysis of individual attacks

• Generate statistics and trends in Cyber attacks on Indian Websites

• Analyze and create awareness about DDoS, bots, phishing, etc.

Int’l Co-op: Cyber Security Drill

Joint International Incident Handling Coordination Drill

• Participated in APCERT International Incident Handling Drill 2006
• Participants: 13 APCERT Members and New Zealand, Vietnam including 5 major Korean ISPs
• Scenario: Countermeasure against Malicious Code and relevant infringement as DDoS attack
• Participated in APCERT International Incident Handling Drill 2007
• Participants: 13 APCERT Members + Korean ISPs
• Scenario: DDoS and Malicious Code Injection
• To be Model: World Wide Cyber Security Incidents Drill among security agencies

DATA SECURITY COUNCIL OF INDIA (DSCI)

Vision
• India as the Most Secure Country for Data and Intellectual Property.

Mission statement:
• To enable Indian IT/ITES organizations to provide high standard of security and data protection for customer information
• To create awareness among industry professionals and other stakeholders about security and privacy issues
• To develop an appropriate security and data protection standard for the Indian IT/ITES industry
• To build capacity to provide security certification for organizations
• To create a platform for promoting sharing of knowledge about information security and foster a community of security professionals
• To create an emergency response team for any crisis affecting IT systems in the Indian industry


Research on Social And Anti-Social Network Analysis-Machine Learning and IS

Approach

• Track all hackers
• Classify the attacks based on the Hacker Group, the Operating System, Sophistication of the Attacks, Sophistication of the web administrator, messages left by the hackers after defacement.
• Clear modus operandi leading to the understanding of ability of the hacker groups, their sophistication levels, preference to the OS, motives for attack
• Possible link of the attacker groups to the social groups through event analysis - Question 2


Gforce Attack: An example of extremely offensive and threatening messages

QUESTION 2: CAN WE PREDICT THE RELATIONSHIP BETWEEN THE SOCIAL NETWORKS IN THE CYBER SPACE WITH THE SOCIAL NETWORK IN THE REAL WORLD?

Question 3: Can we track the formation of Social Networks in the real world through Open source intelligence

• May 13, 2008 – 9 bomb blasts – Jaipur
• July 25, 2008 – 8 bomb blasts – Bangalore
• July 26, 2008 – 17 bomb blasts – Ahmedabad
• September 13, 2008 – 5 bomb blasts – Delhi
• September 29, 2008 – bike blasts in Malegaon
• October 30, 2008 – Assam bomb blasts
• November 26, 2008 – Coordinated attack in Mumbai

Approach

• Mine the data for all information about the terrorist groups
• Mine the open source data for all information about the persons involved with the incidents
• Draw the temporal Social Network
• Understand the Transitions
• Establish the complete Social Network for visualization
• Establish the hierarchy of social networks
• Compare with what is available officially
• Great correlation !!

Question 4: Can you predict the Crisis in a Social Network?

Applications of Social Network Analysis to Community Dynamics has become an important topic for tracking of the formation of socially relevant and important as well as anti-social elements

Organizational Crisis Detection from Email Communication

• Objective
– Does the e-mail communication reflect the escalating crisis in Enron?
– Does the change in informal networks reflect the events leading to crisis?
• Suitability of Enron
– Real world organization
– Faced a survival threatening crisis
– Temporal record of email communication
– Identification of critical events leading to the crisis


Monthly Performance of SNC Vs Enron Events

Research Goals

• Study of informal networks along with the structural hierarchy can provide a signature to the e-mail communication patterns during a crisis
• Developing dynamic models can lead to a better understanding of the causes of and response to an organization failure or its dynamics or the onset of crisis
• One could identify the formation of socially relevant or anti social networks and their life span
• Evolution, Crisis and sustenance of social and anti social networks in the cyber space, in real world through the cyber activity and their inter relationship


Why do we study these ?

• Can we extend these ideas to detect the evolution of hacker communities

• Can we extend these to understanding their modus operandi and the inter relationship between hacker communities and Social groups- between Social groups in the real world and in the cyberspace

Improving the Accuracy of IDS - the need and the approach

• PREY-PREDATOR THEORY TO UNDERSTAND THE ECOSYSTEM OF ATTACKERS AND SECURITY TECHNOLOGIES.
• ESTABLISH THE MINIMUM ACCURACY NEEDED FOR THE INTRUSION DETECTION SYSTEM
• USE ML TO IMPROVE IDS ACCURACY
• BUILD IDS BASED ON SENSOR FUSION

Intrusion Detection Systems

• Machine Learning for anomaly Detection
• Use of Collocation Kernel and Sequence Kernel for Intrusion Detection
• Modeling Attack-Detector Scenario using Predator-Prey Models to establish the need for improved performance IDS
• Data Skewness in Traffic
• Combining Multiple IDSs using Sensor Fusion to enhance performance using Modified Dempster-Shafer Theory


Data-Dependent Decision fusion

• Computation of thresholds couples the choice of the local decision rules

• System-wide performance is optimized, rather than the performance of the individual detector.

[Figure: block diagram. Labels: Input (x); IDS1, IDS2, …, IDSn; S1, S2, …, Sn; Neural Network Learner; w1, w2, …, wn; Fusion Unit; Output (y).]
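A minimal sketch of the data-dependent fusion named on this slide, added here as an illustration and not taken from the presentation: a softmax gate stands in for the neural network learner, mapping the input x to weights w1..wn that the fusion unit applies to the detector scores S1..Sn, and training minimizes the error of the fused output y rather than of any single detector. The wiring is one reading of the diagram labels; the two detectors, the traffic contexts and every sample value are constructed assumptions.

```python
import math

# Constructed samples: (x, (S1, S2), label). x is a one-hot traffic context
# [network-layer, application-layer]; S1 and S2 are attack scores from two
# hypothetical detectors; label 1 = attack, 0 = benign.
# IDS1 is reliable on network-layer traffic, IDS2 on application-layer traffic;
# outside its specialty each detector is confidently wrong on half the samples.
NET, APP = (1.0, 0.0), (0.0, 1.0)
SAMPLES = (
    [(NET, (0.9, 0.9), 1), (NET, (0.9, 0.0), 1),
     (NET, (0.1, 0.1), 0), (NET, (0.1, 1.0), 0)] * 2
    + [(APP, (0.9, 0.9), 1), (APP, (0.0, 0.9), 1),
       (APP, (0.1, 0.1), 0), (APP, (1.0, 0.1), 0)] * 2
)

def gate(W, x):
    """Learner: map input x to fusion weights w1..wn (softmax of a linear layer)."""
    z = [sum(wij * xj for wij, xj in zip(row, x)) for row in W]
    m = max(z)
    e = [math.exp(v - m) for v in z]
    total = sum(e)
    return [v / total for v in e]

def fuse(W, x, scores):
    """Fusion unit: y = sum_i w_i(x) * S_i."""
    return sum(w * s for w, s in zip(gate(W, x), scores))

def train(samples, n_detectors, epochs=200, lr=0.5):
    """Gradient descent on the squared error of the fused output y, so the
    system-wide decision is optimized rather than each detector separately."""
    W = [[0.0] * len(samples[0][0]) for _ in range(n_detectors)]
    for _ in range(epochs):
        for x, scores, label in samples:
            w = gate(W, x)
            y = sum(wi * si for wi, si in zip(w, scores))
            for k in range(n_detectors):
                # For a softmax gate, dy/dz_k = w_k * (S_k - y).
                grad = 2.0 * (y - label) * w[k] * (scores[k] - y)
                for j, xj in enumerate(x):
                    W[k][j] -= lr * grad * xj
    return W

def accuracy(decide, samples, threshold=0.5):
    """Fraction of samples where thresholding the score matches the label."""
    hits = sum((decide(x, s) > threshold) == bool(label)
               for x, s, label in samples)
    return hits / len(samples)

def evaluate():
    """Compare each detector alone, a fixed equal-weight average, and the
    trained data-dependent fusion on the constructed samples."""
    W = train(SAMPLES, n_detectors=2)
    return {
        "ids1": accuracy(lambda x, s: s[0], SAMPLES),
        "ids2": accuracy(lambda x, s: s[1], SAMPLES),
        "equal_weights": accuracy(lambda x, s: sum(s) / len(s), SAMPLES),
        "fused": accuracy(lambda x, s: fuse(W, x, s), SAMPLES),
        "w_net": gate(W, NET),
        "w_app": gate(W, APP),
    }

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(name, value)
```

Scoring on the training samples only shows the mechanism; a real evaluation would use held-out traffic.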


Enhanced Performance with fusion IDS


Anomaly detection with Collocation kernel

Anomaly detection with user profiling

• More challenging than intrusion detection with system call traces
– Unix shells provide a very rich interface
– Highly noisy data
– Users change their behavior
• Straightforward application of previous techniques leads to bad results.
• Augmented the collocation kernel.

Indian R & D

1. Indian Statistical Institute, Kolkata:
– very strong group of 4 faculty and 10 scholars working in design and analysis of stream ciphers, boolean functions, hash functions, combinatorial design based crypto, visual cryptography, provable security, elliptic curve pairing theory. Responsible for bringing the now established Indocrypt conference series since 2001 (comparable to Crypto and Eurocrypt conferences)
2. Institute of Mathematical Sciences, Chennai:
– computational number theory, algebraic geometry and their implications to cryptography, computational complexity theory
3. IIT Kanpur
– arithmetical and algebraic algorithms; the famous "Primes is in P" result showing that there is an elegant deterministic polynomial time algorithm for primality testing of integers; secure o/s standards for smart cards
4. IIT Chennai
– secure multi-party computations, distributed secret sharing; secure hardware implementations of block, stream ciphers
5. IIT Kharagpur
– hardware (FPGA, VLSI) implementations resistant to side-channel cryptanalysis such as power, fault attacks; elliptic curve, cellular automata in hardware

R & D Continued

1. C-DAC Bangalore: cryptanalytic computations on grid environments
2. DRDO - SAG: cryptanalysis of stream and block ciphers, DRDO - CAIR: design, implementation and interfacing of crypto to military communication systems
3. C-DAC Kolkata: steganalysis
4. university departments - Coimbatore (PSG Tech) - genetic algorithms for analysis of text based ciphers
5. IIT Kanpur on Secure OS for Smart card and E-Passport applications


• IISc- survivable and secure storage systems

• IISc- IDS, IPS, Network traffic monitoring and analysis, Wireless Security, Social Networks, Fused Analysis, Sensor Fusion

• C-DAC Bangalore - intrusion detection systems

• C-DAC Noida - print and paper security -digital watermarking

• C-DAC Trivandrum - cyber forensics

Micro-payment

Highly Suited for India

[Figure: micro-payment flow. Labels: Payment(s); Authorization; Payment System Provider (PSP); Deposit(s).]

Prototypes

• SMSCrypt – secure exchange of messages between mobile handsets
• MicroPay – m-commerce on a micro level using secure communications and NFC
• SecuVoice – encrypted voice communication via VoIP on mobile
• Language-independent information dissemination using NFC
• Location based services in tourism
• Non-Cooperative Cell phone location Identification

The national Initiative
By the Department of Science and Technology (GOI)

• There are five tracks that are covered. They are:
1. Technologies for Material Detection
2. Sensors for Homeland Security
3. Information Security
4. Observational and surveillance Technologies
5. Large Scale Data Mining

We welcome the Participation by Spain

CONCLUSIONS

• The Indian Security problem has many challenges
• With Spain, we would like to collaborate to learn about the challenges and most suitable standards and practices
• Techniques for securing, pre testing, assurance of safe to connect paradigms of Hardware, Software and IT Products that could be not only interoperable and tamper proof but also misuse proof.
• Analysis of Intrusions, Annihilating Botnets and Social Malware are of interest
• Secure Processor Design, Certification and Training
