Potential Project Topics (Research-based)
Securing Internet routing in an incrementally deployable fashion:
Currently all known solutions to securing Internet routing protocols
either depend on a Public Key Infrastructure (PKI) and/or require
global deployment. Can we design security solutions for Internet
routing which can be deployed in an incremental manner? Here, one
possibility is to use the notion of "defensive policy filters" where
every autonomous system uses policy filters to accept/deny routes from
neighbors. Can we tweak policy filters in such a way that it raises the
bar for an attacker? This project would involve developing new ideas
for setting policy filters in Internet routers.
Decentralized Security mechanisms for DNS: The DNS is vulnerable to a
wide range of security attacks. Our research group has been working on
decentralized security solutions for the DNS. Interested students can
get involved with the project; here, we are looking for new students
who can help us expand the existing implementation.
IP spoofing attacks: Many Internet services use TCP and UDP as base
protocols for communicating with hosts. Hence, if an attacker spoofs IP
addresses, the attacker can pretend to be another host and propagate
bogus packets. Through such attacks, the attacker can disrupt many
Internet services, e.g. give bogus DNS responses or reset TCP connections
between routers. How can we deal with such attacks?
Consistent groups: Combining the ideas of "byzantine agreement" and
"reliable communication", this project explores the possibility of
building large-scale secure P2P systems using the notion of "consistent
groups". This is an ongoing project and you can possibly get involved
in this effort.
P2P reputation: When a node in a P2P network claims that it has a
"file", how do you know whether the node is genuine or not? This project
explores designing reputation mechanisms that can be used to detect
bogus file entries in a P2P environment.
Securing unstructured P2P networks: The underlying network
structure of unstructured P2P networks exposes them to a larger suite of
attacks than structured P2P networks, i.e., a smaller set of networks can
disrupt the operation of the entire network. Can we rearchitect the
structure and design of unstructured P2P networks for better robustness?
Untrusted storage: There have been prior works on "Secure Untrusted
Data Repository" where the clients using the storage system do not
trust the server. Can we extend these ideas to build distributed
storage systems which do not rely on the servers?
Simplifying access control: Configuration in enterprise networks is known to be a very complex process.
We have been working on mechanisms to make the configuration process
simpler in enterprise networks. In a recent work, we designed a
mechanism called "Access control routing" to address this problem. In
this project, we are looking for students to enhance the current system
High-speed Firewalls: Current-day firewalls perform deep packet inspection to check the validity of
packets entering an enterprise network. However, current-day Snort
checkers are relatively slow. This project explores the design space of
applying algorithmic techniques that can be used to design high speed
Detecting "Abnormal behavior" in IDS: Many Intrusion Detection Systems
are designed around looking for different attack
patterns. However, attackers often design mechanisms to evade
these IDS mechanisms. Can we use learning mechanisms to detect
"abnormal behavior" at IDS boxes to curtail the power of an attacker
while not affecting regular traffic?
Private data leakage: With the current thrust on Sarbanes-Oxley, there
has been a dire need for technical solutions that can aid companies in
maintaining compliance with the act. One specific problem in this space
is private data leakage. Can we design firewall-based mechanisms that
can detect potential leakage of external traffic from end-hosts within
Secure kernels: Can we design kernel-level protection mechanisms that
can prevent hosts from acting in a malicious manner? This might involve
a combination of verifying the semantics of memory accesses of
applications, trapping system calls of applications, etc.
Host-based firewalls: Can we design an "automated firewall" which
limits the inflow and outflow of bad traffic on a
per-host basis? This defines a basic notion of correctness and disallows
arbitrary communication from a host. Here, the assumption is that the host is not compromised.
Studying 802.11 security: Many of the proposed 802.11 security
mechanisms, especially WEP and shared key protocols, are not secure. Also,
the proposed MAC authentication mechanism can easily be defeated.
Can we design simple 802.11 security mechanisms to prevent attackers
from being able to gain access into otherwise closed APs?
Malware, Spam, Botnets and Worms
Network-level Worm defense: A myriad of worm defense mechanisms have
been proposed in prior works. However, many of these require
significant changes to all the hosts or need widespread deployment. Can
we combine these mechanisms to develop an incrementally deployable worm
defense mechanism at the network level?
Host-level worm defense: There have been proposed end-host level mechanisms to deal with worms
Spyware detector: Can we write a good spyware detector that can detect
spyware with a higher success rate than the proposed solutions in
the market? This study would involve determining how existing spyware
detectors work and determining mechanisms to improve their accuracy of
Analyzing malware spread: How does malware spread? Malware typically
originates from a few specific sources. Is it possible to analyze the
flow of "who contacts whom" and trace back to the potential
sources of malware?
Designing a better automated spam detector: If we gather "mail"
information from multiple sources, can we use this information to
design better spam detection mechanisms?
Electronic voting machines: There have been many studies which have pinpointed flaws in the design of
electronic voting machines. This project will involve analyzing the
security of electronic voting machines and suggesting alternative
designs that can address existing flaws.
Security in an intermittent world: Often to analyze the security in a
distributed system, communication is essential. If the network
connectivity is very intermittent, how do we design security solutions
which are bandwidth efficient and which rely on the intermittent
connectivity property? Assume someone is using an ATM over an
intermittent link; can we verify the correctness of the user without
always relying on connectivity?
Privacy preserving databases: This is an ongoing project where the goal
is to build privacy preserving techniques where one can compute queries
across multiple different databases in a privacy preserving manner. The
main application for this is to compute queries across different
hospitals which have sensitive patient data which they do not intend to
Network games: Multi-player network games are not always fair. A player
who cheats in a game can actually gain significantly in the game at the
expense of other players. While there are inbuilt mechanisms to deal
with cheaters, these mechanisms are not sophisticated. In this project,
the users will study different cheating mechanisms in network games and
come up with defense strategies to prevent them.