Potential Project Topics (Research-based)

Internet Architecture

Securing Internet routing in an incrementally deployable fashion: Currently, all known solutions to securing Internet routing protocols either depend on a Public Key Infrastructure (PKI) and/or require global deployment. Can we design security solutions for Internet routing which can be deployed in an incremental manner? Here, one possibility is to use the notion of "defensive policy filters", where every autonomous system uses policy filters to accept/deny routes from neighbors. Can we tweak policy filters in such a way that it raises the bar for an attacker? This project would involve developing new ideas for setting policy filters in Internet routers.

Decentralized Security mechanisms for DNS: The DNS is vulnerable to a wide range of security attacks. Our research group has been working on decentralized security solutions for the DNS. Interested students can get involved with the project; here, we are looking for new students who can help us expand the existing implementation.

IP spoofing attacks: Many Internet services use TCP and UDP as base protocols for communicating with hosts. Hence, if an attacker spoofs IP addresses, the attacker can pretend to be another host and propagate bogus packets. Through such attacks, the attacker can disrupt many Internet services, e.g., give bogus DNS responses or reset TCP connections between routers. How can we deal with such attacks?
 


P2P systems

Consistent groups: Combining the ideas of "Byzantine agreement" and "reliable communication", this project explores the possibility of building large-scale secure P2P systems using the notion of "consistent groups". This is an ongoing project and you can possibly get involved in this effort.

P2P reputation: When a node in a P2P network claims that it has a "file", how do you decide whether to trust that the node is genuine? This project explores designing reputation mechanisms that can be used to detect bogus file entries in a P2P environment.

Securing unstructured P2P networks: The underlying network structure of unstructured P2P networks exposes them to a larger suite of attacks than structured P2P networks, i.e., a smaller set of networks can disrupt the operation of the entire network. Can we rearchitect the structure and design of unstructured P2P networks for better robustness?


Storage systems

Untrusted storage: There have been prior works on "Secure Untrusted Data Repository" where the clients using the storage system do not trust the server. Can we extend these ideas to build distributed storage systems which do not rely on the servers?


Enterprise networks

Simplifying access control: Configuration in enterprise networks is known to be a very complex process. We have been working on mechanisms to make the configuration process simpler in enterprise networks. In a recent work, we designed a mechanism called "Access control routing" to address this problem. In this project, we are looking for students to enhance the current system implementation.

High-speed Firewalls: Current-day firewalls perform deep packet inspection to check the validity of packets entering an enterprise network. However, current-day Snort checkers are relatively slow. This project explores the design space of applying algorithmic techniques that can be used to design high-speed firewalls.

Detecting "Abnormal behavior" in IDS: Many Intrusion Detection Systems are designed around looking for different attack patterns. However, attackers often design mechanisms to evade these IDS mechanisms. Can we use learning mechanisms to detect "abnormal behavior" at IDS boxes to curtail the power of an attacker while not affecting regular traffic?

Private data leakage: With the current thrust on Sarbanes-Oxley, there has been a dire need for technical solutions that can aid companies in maintaining compliance with the act. One specific problem in this space is private data leakage. Can we design firewall-based mechanisms that can detect potential leakage of external traffic from end-hosts within an enterprise?


Host-level protection

Secure kernels: Can we design kernel-level protection mechanisms that can prevent hosts from acting in a malicious manner? This might involve a combination of verifying the semantics of memory accesses of applications, trapping system calls of applications, etc.

Host-based firewalls: Can we design an "automated firewall" on a per-host basis which limits the inflow and outflow of bad traffic? This defines a basic notion of correctness and disallows arbitrary communication from a host. Here, the assumption is that the host is not compromised.



Wireless Security

Studying 802.11 security: Many of the proposed 802.11 security mechanisms, especially WEP and shared key protocols, are not secure. The proposed MAC authentication mechanism can also easily be defeated. Can we design simple 802.11 security mechanisms to prevent attackers from being able to gain access into otherwise closed APs?



Malware, Spam, Botnets and Worms

Network-level Worm defense: A myriad of worm defense mechanisms have been proposed in prior works. However, many of these require significant changes to all the hosts or need widespread deployment. Can we combine these mechanisms to develop an incrementally deployable worm defense mechanism at the network level?

Host-level worm defense: There have been proposed end-host level mechanisms to deal with worms

Spyware detector: Can we write a good spyware detector that can detect spyware with a higher success rate than the proposed solutions in the market? This study would involve determining how existing spyware detectors work and determining mechanisms to improve their accuracy of detection.

Analyzing malware spread: How does malware spread? Malware typically originates from a few specific sources. Is it possible to analyze the flow of "who contacts whom" and backtrace it to determine the potential sources of malware?
 
Designing a better automated spam detector: If we gather "mail" information from multiple sources, can we use this information to design better spam detection mechanisms?



Potpourri

Electronic voting machines: There have been many studies which have pinpointed flaws in the design of electronic voting machines. This project will involve analyzing the security of electronic voting machines and suggesting alternative designs that can address existing flaws.

Security in an intermittent world: Often, to analyze the security in a distributed system, communication is essential. If the network connectivity is very intermittent, how do we design security solutions which are bandwidth-efficient and which rely on the intermittent connectivity property? Assume someone is using an ATM over an intermittent link; can we verify the correctness of the user without always relying on connectivity?

Privacy-preserving databases: This is an ongoing project where the goal is to build privacy-preserving techniques with which one can compute queries across multiple different databases. The main application for this is to compute queries across different hospitals which have sensitive patient data which they do not intend to reveal.

Network games: Multi-player network games are not always fair. A player who cheats in a game can actually gain significantly in the game at the expense of other players. While there are inbuilt mechanisms to deal with cheaters, these mechanisms are not sophisticated. In this project, the users will study different cheating mechanisms in network games and come up with defense strategies to prevent them.