what is network and security research? network and security research, or information communication...

Upload: dulcie-crawford

Post on 13-Jan-2016

What is Network and Security Research?

Network and Security Research, or Information Communication Technology (ICT) Research involves:

the collection, use and disclosure of information collected via networks or using hardware and software associated with information technology

Examples include:

• Phishing experiments

• Botnets

• Honeypots

• Analysis of internet network traffic

Ethical Challenges in ICT Research

ICT research differs from traditional human subjects research, which poses new ethical challenges:

Interactions with humans are often indirect with intervening technology

It is often not feasible to obtain informed consent

Deception may be necessary

There are varying degrees of linkage between data and individuals’ identities for behaviors

Researchers can easily engage millions of “subjects” and billions of associated data “objects” simultaneously.

There is more to it than “data”

[Diagram labels: Data; Application; Host Computer; Network; Information and Information System]

http://en.wikipedia.org/wiki/McCumber_cube

Case Studies of ICT Research

• Shining Light in Dark Places: Understanding the Tor Network

• Learning More About the Underground Economy: A Case Study of Keyloggers and Dropzones

• Your Botnet is My Botnet: Examination of a Botnet Takeover

• Why and How to Perform Fraud Experiments

• Measurement and Mitigation of Peer-to-Peer-Based Botnets: A Case Study on Storm Worm

• Spamalytics: An Empirical Analysis of Spam Marketing Conversion

• Studying Spamming Botnets Using Botlab

• P2P as Botnet Command and Control: A Deeper Insight

• DDoS Attacks Against South Korean and U.S. Government Sites

• BBC: Experiments with Commercial Botnets

• Lycos Europe “Make Love Not Spam” Campaign

• University of Bonn: “Stormfucker”

• Information Warfare Monitor: “Ghostnet”

• Tipping Point: Kraken Botnet Takeover

• Symbiot: “Active Defense”

• Tracing Anonymous Packets to the Approximate Source

• LxLabs Kloxo/HyperVM

• Exploiting Open Functionality in SMS-Capable Networks

• Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

• Black Ops 2008 -- It's The End Of The Cache As We Know It

• How to Own the Internet in Your Spare Time

• Botnet Design

• RFID Hacking

• WORM vs. WORM: preliminary study of an active counter-attack mechanism

• A Pact with the Devil

• Playing Devil's Advocate: Inferring Sensitive Data from Anonymized Network Traces

• Protected Repository for the Defense of Infrastructure Against Cyber Attacks

Likely to be considered Human Subjects Research subject to IRB review

A Bit of Context

Review boards lack expertise in this area of research

It is difficult for the researcher or the IRB to quantify risks

Distance¹ between researcher and “subject” differs from traditional human subjects research:

– As the “distance” between the researcher and subject decreases, we are more likely to define the research scenario as one that involves “human subjects.”

– As the “distance” increases, we are more likely to define the research scenario as one that does not involve “human subjects.”

Concern about possible “human harming research”

¹ Elizabeth Buchanan and Annette Markham

Subject or Object?

Social Network Honeypot Case Study

Case Study: Social Network Honeypots

• Research Method

– Deceptively “friend” millions of users

– Follow all posts, identifying malware through “sandbox” analysis

– Develop detection and filtering mechanisms

• Involved Stakeholders

– End users of social networks (i.e., victims)

– Criminals

– Social network platform providers

– Law enforcement

– Researchers

Case Study: Social Network Honeypots

• Benefits

– New detective, protective, and possibly investigative techniques

– Publicity from novel, high-profile research

• Risks of harm

– Loss of user privacy (researcher obtaining personal communications and personally identifiable information)

– Harm resulting from use of deception

– Costs to provider to respond to complaints

– Harming a criminal investigation

– Violation of acceptable use policy

Case study: Questions

THIS IS A TEST! In this case study:

Is there use of “personally identifiable data”?

Is there an expectation of privacy in communications?

Is use of deception necessary?

Does it make a difference that a million users (as opposed to hundreds) are being deceived?

Are waivers of consent and/or of debriefing warranted?

Does it matter that researchers may impact law enforcement investigations, or other researchers’ data collection/experimentation?