Information Security

As our society becomes intricately linked through computer networks, security has become a major issue. Compromise or loss of data integrity can violate customer privacy and harm customers, resulting in lawsuits, penalties, and erosion of market value for firms. Billions of dollars are lost each year to computer-related incidents (e.g. viruses, worms, and data theft), and as the complexity of our computing infrastructure increases, new threats keep emerging. One of the most insidious threats today is botnets, which allow hackers to control the machines of ordinary users to commit crimes. We not only need to understand how hackers attack our systems to gain control, but also need to develop solutions for building resilient networks that can survive new threats and automatically deal with attacks. My research in security combines four streams: 1) intrusion detection, 2) resilient self-organizing networks, 3) economics of security, and 4) security education. This statement discusses these streams, shows what impact the grants have had on the research, and explains how this research links to my teaching.

Intrusion Detection

My research on intrusion detection involves developing security models inspired by biological systems. Biological systems have security mechanisms that are resilient and reliable (e.g. the immune system and gene regulatory pathways), while computer security mechanisms are fragile and unreliable. The goal of incorporating biological mechanisms is to make computer security more reliable and resilient. The first model is based on the Mammalian Immune System, on which I have worked in the past with Dr. Jagdish Gangolly from the Accounting & Law Department in the School of Business and am currently working with Dr. Stephen F. Bush from GE Global Research. Two papers on computer security models using biological paradigms have been published in the Wiley Interscience Complexity Journal and the International Journal of Information Management. I am currently working with a doctoral student at UAlbany, Prahalad Rangan, in developing a simulation of a distributed Immune System on the network. I am also working with Larry Lessner to develop an epidemiological model based on Poisson Point Processes for the arrival of threats to computers in a network. A model is also being developed based on cellular processes to determine the interactions among the network components and to detect anomalies in the network. A paper on this work in collaboration with Dr. Bush is under review at the IEEE Network Magazine.

An important problem in the area of intrusion detection is botnets. Such networks are used for unlawful activities such as spam and virus attacks, leading to financial losses for companies. This research involves analysis of network traffic data collected from different sources on the network, which is intelligently mined to identify infected machines, sources of attacks, and other anomalies on the network. We have developed techniques for collecting network data and detecting botnet-infected machines by analyzing the data. These tools employ darknets, honeynets, packet shapers, Snort, etc. We have also analyzed botnet attacks in an attempt to gain insight into their operations. I am working with Justin Azoff, Adnan Baykal, and Damira Pon on this research. A paper on the analysis of a botnet attack has been published in the Journal of Information Systems Security. A paper describing a decision support system for detection of botnets using data collected from darknets (fictitious networks to fool intruders) and Intrusion Detection Systems (IDS) will be submitted to Decision Support Systems.

To support this work, a security research laboratory was built to allow testing and calibration of security models. The lab can be quarantined so that viruses and worms can be propagated on the isolated network without infecting the rest of the University. A test bed has also been developed using standard network traffic data collected by the Defense Advanced Research Projects Agency (DARPA). This allows for the examination of other intrusion detection models. We are currently examining the use of complexity metrics in the detection of malicious traffic.
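The following is an added illustration of what a complexity metric for traffic might look like in practice; it is not the author's model or code. It uses the common trick of approximating the (uncomputable) Kolmogorov complexity of a payload by its zlib compression ratio, fits a baseline on benign-looking requests, and flags payloads whose ratio is far from the baseline in either direction. Both the baseline requests and the two suspect payloads are constructed for the example, and the `http_request`, `fit_baseline` and `flag_anomalies` names are the example's own.

```python
import random
import statistics
import zlib


def complexity_estimate(payload: bytes) -> float:
    """Compressed size divided by raw size: a crude stand-in for the Kolmogorov
    complexity of the payload. Close to 1.0 means the bytes look random
    (encrypted or packed data); close to 0.0 means they are highly repetitive."""
    if not payload:
        return 0.0
    return len(zlib.compress(payload, 9)) / len(payload)


def http_request(path: str, agent: str) -> bytes:
    """Constructed benign request used as baseline traffic (not a real capture)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        f"User-Agent: {agent}\r\n"
        "Accept: text/html,application/xhtml+xml\r\n"
        "Accept-Language: en-US,en;q=0.5\r\n"
        "Connection: keep-alive\r\n\r\n"
    ).encode()


# Constructed baseline of ordinary web requests (assumption: this is what "normal" looks like).
BASELINE = [
    http_request("/index.html", "Mozilla/5.0 (X11; Linux x86_64) Gecko/20060101 Firefox/1.5"),
    http_request("/news/2006/03/index.html", "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20060101 Firefox/1.5"),
    http_request("/images/logo.png", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    http_request("/research/security/lab.html", "Mozilla/5.0 (Macintosh; PPC Mac OS X) Safari/412"),
    http_request("/courses/inf766/syllabus.html", "Opera/8.5 (Windows NT 5.1; U; en)"),
    http_request("/about/contact.html", "Mozilla/5.0 (X11; Linux i686) Gecko/20060101 Firefox/1.5"),
]

# Constructed suspect payloads: one random-looking (as encrypted or packed content would be),
# one degenerate and repetitive (as padding or flood traffic would be).
_rng = random.Random(2006)
SUSPECT = [
    bytes(_rng.getrandbits(8) for _ in range(220)),
    b"A" * 220,
]


def fit_baseline(payloads):
    """Mean and standard deviation of the complexity scores of known-good traffic."""
    scores = [complexity_estimate(p) for p in payloads]
    return statistics.mean(scores), statistics.stdev(scores)


def flag_anomalies(payloads, mean, stdev, z_threshold=3.0):
    """Return (index, score, z) for every payload whose complexity score lies more than
    z_threshold standard deviations from the baseline mean, in either direction."""
    flagged = []
    for i, p in enumerate(payloads):
        score = complexity_estimate(p)
        z = (score - mean) / stdev if stdev > 0 else 0.0
        if abs(z) > z_threshold:
            flagged.append((i, round(score, 3), round(z, 1)))
    return flagged


def detect(baseline=BASELINE, traffic=None, z_threshold=3.0):
    """Fit on the baseline, then score a traffic sample (default: baseline plus suspects)."""
    traffic = BASELINE + SUSPECT if traffic is None else traffic
    mean, stdev = fit_baseline(baseline)
    return flag_anomalies(traffic, mean, stdev, z_threshold)


if __name__ == "__main__":
    for idx, score, z in detect():
        print(f"payload {idx}: complexity {score}, z-score {z}")
```

With a baseline of six similar requests, no baseline payload can be more than about two standard deviations from its own mean, so only the two constructed suspects (indices 6 and 7 in the combined sample) are flagged. On real traffic the baseline would be fitted per protocol or per port, since legitimate compressed or encrypted flows would otherwise score as anomalies.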

Resilient Self-Organizing Networks

The Internet today is mainly based on the client-server model, where clients (users) connect to servers in order to conduct business. The fundamental problem is that if the server fails because of malicious attacks or hardware failure, the user does not get service. Such failures can disrupt business processes, which can create long-lasting damage to business reputation and relationships. We have developed an alternate computing model that resists such failures. This architecture consists of services that can be easily discovered on the network in real time, so that if one service fails, another can take its place. This architecture was used to support engineering design at General Electric. I am working with Dr. Shashi Talya from GE Global Research and Dr. Michael Sobolewski from Texas Tech University in developing this architecture. A paper on this novel service-oriented grid architecture has been published in the Decision Support Systems Journal. A paper on the security of this architecture is under review at the Decision Support Systems Journal. I am also working with Dr. S.S. Ravi and Dr. Dan Rosenkrantz from the Computer Science department and Dr. Jagdish Gangolly from the Accounting and Law department in developing analytic metrics for the resilience of such networks. A paper on this work is under review at the IEEE Transactions on Service-Oriented Computing.

Information is typically scanned for the presence of security threats on computers and servers before it is released on the network. However, this method is slow, dependent on individual user action, and inefficient in dealing with the fast spread of computer pathogens. Through an active network framework, the security burden can be distributed from personal computers and servers to the network itself. This framework allows packets that normally carry data to also carry instructions (code). Using this framework, security threats can be discovered before they reach individual machines, providing early detection of faults or attacks developing on the network. Coupled with our work in intrusion detection, this model will improve the ability to detect and control attacks on the network. On this research, I am working with Dr. Stephen Bush from GE Global Research and a doctoral student. One article on this work has been published in the IEEE Journal on Selected Areas in Communications.

Economics of Security

Security breaches can cause significant losses in organizations and may impact the stock valuation of publicly traded firms. Risk analysis often forms the basis for the implementation of security in an organization. Unfortunately, existing information security risk models are cumbersome and vague, and the data used in the analysis is of poor quality. In addition, organizations typically enact policies that provide enforcement guidelines and procedures to implement security; however, organizations are unable to directly measure the impact of these policies on their security. My work on the economics of security focuses on three aspects: 1) information security risk modeling, 2) development of security policy metrics, and 3) valuing the impact of security breaches on financial returns.

The new risk model developed as part of this work simplifies the risk analysis process and makes it more transparent. In addition, it allows the analysis to be gradually improved by adding data as it becomes available, instead of having to completely restart the risk analysis process. The model allows the use of both quantitative and qualitative analyses. This is useful because accurate quantitative data may be difficult to obtain, so users can begin with a more subjective analysis. However, due to the limited data available on the likelihood of threats occurring and the resulting costs, there is some uncertainty in the calculations. Uncertainty in the model is incorporated with Bayesian Modeling and Monte Carlo Simulation. I am working with Eitel Lauría from Marist College in the development of the analytic risk models, and with a doctoral student, Vicki Chen, who works at General Electric Power Generation, in finding practical applications of this model. I am also working with a doctoral student, Damira Pon, and two MBA graduates from UAlbany in evaluating catastrophic risks to develop Business Continuity and Disaster Recovery plans. Two papers based on using security risk analysis for business process reengineering have been published in the International Journal of Production Economics. One paper on qualitative risk analysis based on the model is under review at Decision Support Systems. Another paper detailing the matrix-based approach for quantitative risk analysis is under revision for submission to Decision Support Systems. One paper analyzing catastrophic failures for disaster recovery is in progress.
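To make concrete how a risk model can start from a subjective rating, be refined as incident data arrives, and carry its uncertainty through Bayesian modeling and Monte Carlo simulation (and how Poisson arrivals of threats, mentioned under Intrusion Detection, fit into such a model), here is an added example. It is not the author's matrix-based model or code: it assumes a Gamma prior on the annual threat-arrival rate, updated conjugately with yearly incident counts, Poisson arrivals within a year, and a lognormal cost per incident. The qualitative-to-prior mapping, the four years of incident counts and the $50,000 median loss are constructed inputs, and all function names are the example's own.

```python
import math
import random
import statistics

# Assumed mapping from a subjective likelihood rating to a Gamma(shape, rate) prior on
# the annual incident rate lambda (prior mean = shape / rate incidents per year).
QUALITATIVE_PRIORS = {
    "rare":       (1.0, 2.0),   # mean 0.5 per year, wide
    "occasional": (2.0, 1.0),   # mean 2 per year
    "frequent":   (4.0, 0.5),   # mean 8 per year
}

# Constructed inputs (not data from the page): incidents observed in each of four years,
# and an assumed per-incident loss distribution (median $50,000, lognormal sigma 0.8).
OBSERVED_INCIDENTS = [2, 4, 3, 5]
LOSS_MEDIAN, LOSS_SIGMA = 50_000.0, 0.8


def posterior_gamma(prior, observed_counts):
    """Conjugate Bayesian update: a Gamma prior on a Poisson rate, combined with yearly
    incident counts, is again Gamma. Adding another year of data is one more call,
    so the analysis is refined incrementally rather than restarted."""
    shape, rate = prior
    return shape + sum(observed_counts), rate + len(observed_counts)


def expected_annual_loss(posterior, loss_median, loss_sigma):
    """Closed-form mean loss: E[incidents] * E[cost], where the mean of a lognormal
    with median m and sigma s is m * exp(s^2 / 2). Used to sanity-check the simulation."""
    shape, rate = posterior
    return (shape / rate) * loss_median * math.exp(loss_sigma ** 2 / 2)


def poisson_draw(rng, lam):
    """Poisson sample by multiplying uniforms (Knuth's method); fine for small rates."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(posterior, loss_median, loss_sigma, draws=20000, seed=1):
    """Monte Carlo over simulated years. Each year draws a rate from the posterior
    (parameter uncertainty), a Poisson incident count at that rate (arrival randomness),
    and a lognormal cost per incident (impact uncertainty); returns total loss per year."""
    rng = random.Random(seed)
    shape, rate = posterior
    mu = math.log(loss_median)
    losses = []
    for _ in range(draws):
        lam = rng.gammavariate(shape, 1.0 / rate)   # gammavariate takes (alpha, scale)
        n = poisson_draw(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(n)))
    return losses


def summarize(losses):
    """Mean, median and 95th percentile of the simulated annual loss distribution."""
    s = sorted(losses)
    return {"mean": statistics.mean(s), "median": s[len(s) // 2], "p95": s[int(0.95 * len(s))]}


if __name__ == "__main__":
    post = posterior_gamma(QUALITATIVE_PRIORS["occasional"], OBSERVED_INCIDENTS)
    print("posterior rate: Gamma(shape=%.1f, rate=%.1f), mean %.2f per year" % (post[0], post[1], post[0] / post[1]))
    print("analytic expected annual loss: $%.0f" % expected_annual_loss(post, LOSS_MEDIAN, LOSS_SIGMA))
    summary = summarize(simulate_annual_losses(post, LOSS_MEDIAN, LOSS_SIGMA))
    print({k: round(v) for k, v in summary.items()})
```

The simulated mean should agree with the closed-form expectation to within Monte Carlo error, while the median and 95th percentile show what the point estimate hides: a right-skewed loss distribution whose tail is what continuity and disaster recovery planning has to budget for.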

Research on security policies is focused on developing metrics to characterize policies. The work uses natural language processing to determine the attributes of security policies. These metrics can then be correlated with the success and failure of policies. This work is receiving support from the New York State Office for Cyber Security and Critical Infrastructure Coordination (CSCIC). I am working with Dr. Shobha Chengalur-Smith from the Information Technology Management department on this research. A paper with a preliminary set of metrics is under review at the Journal of Strategic Information Systems.

The work on measuring the impact of security on the market valuations of publicly traded companies involves collecting data on security breaches and performing event studies of these incidents. For this work, data on security breaches in publicly traded companies was collected and an event study was performed to determine the impact on the market valuation of firms. This work involves Dr. Hany Shawky from the Finance department and a former doctoral student, Christopher Brown. In a similar vein, we are also examining the financial impact of music piracy on media firms. This research blends ethics, finance, strategy, and information technology. This work is being done in collaboration with Dr. Paul Miesing and Dr. Uday Chandra in the School of Business at UAlbany. It uses the event study methodology to examine the impact on firms of the emergence of P2P music sharing software and the subsequent enactment of copyright legislation for electronic media. A paper on this work is under review at the California Management Review.

Security Education

This work involves developing innovative models for information security education. A "teaching hospital" model was created. This model envisages taking information security problems from industry and abstracting them into living cases to be used for the education of students and the public workforce. Partnerships with government and industry are the source of such cases, and an active research program in information security involving faculty and students is the source of manpower in this model. My main collaborator in this work is Damira Pon, a doctoral student at UAlbany; however, several faculty from across the university were involved in this effort. A paper on this was published in the ACM Journal of Educational Resources in Computing. A case on this work has been published in the edited book Tools for Teaching Computer Networking and Hardware Concepts. Research is currently being done to analyze the model further and to develop a new model that will address the issues with this model.

Related Publications

  1. Bush, S. F., & Goel, S. (2005). The Atropos Framework for Inline Communication Model Self-Assembly. Journal of Special Areas in Communication, Special Issue on Recent Advances in Managing Enterprise Network Services, 23(10), 2049-2057. (J)
  2. Goel, S., Talya, S., & Sobolewski, M. (2005). Service-Based P2P Overlay Network for Collaborative Problem Solving. Decision Support Systems. In Press. (J)
  3. Goel, S., & Pon, D. (June 15-17, 2005). Distribution of Patches within Vulnerable Systems: A Distributed Model. In the Proceedings of the 6th IEEE Information Assurance Workshop, USMA, West Point, NY. (C)
  4. Goel, S., Talya, S.S., & Sobolewski, M. (July 25-29, 2005). Preliminary Design Using Distributed Service-Based Computing. Proceedings of the 12th ISPE International Conference on Concurrent Engineering: Research and Applications, Fort Worth/Dallas, TX. (C)
  5. Goel, S., & Sobolewski, M. (December 2003). Trust and Security in Enterprise Grid Computing Environment, Proceedings of the IASTED Conference, New York City, NY. (C)
  6. Goel, S., & Gangolly, J. (August 4-5, 2003). Model for Trust Among Peers in Electronic Multiparty Transactions, Proceedings of the AMCIS Conference. (C)
  7. Rosenkrantz, D., Goel, S., Ravi, S.S., & Gangolly, J. (April 20-22, 2005). Structure-Based Resilience Metrics for Service-Oriented Networks. Proceedings of the 5th European Dependable Computing Conference, Budapest, Hungary. (C)
  8. Goel, S., Belardo, S., & Iwan, L. (January 5-8, 2004). A Resilient Network that Can Operate Under Duress: To Support Communication between Government Agencies during Crisis Situations. Hawaii International Conference on System Sciences (HICSS-37), Big Island, HI. (C)
  9. Goel, S. (Sept. 22-23, 2006). Blueprint of a Security Glossary: A Common Language for Creating International Security Policies. Proceedings of the Advanced Research Workshop: A Process for Developing a Common Vocabulary in the Information, sponsored by NATO-Russia Council Science Committee, Lomonosov University, Russia.
  10. Goel, S., & Chengalur-Smith, I.N. (2006). Metrics for Characterization of Security Policies - A Complexity-Based Approach. Strategic Information Systems. Revise & Resubmit. (A preliminary version in the Proceedings of the SoftWars Conference, 2006)
  11. Goel, S., & Chengalur-Smith, I.N. (December 10-11, 2005). An Innovative Approach to Security Policy Metric Development: A Foundation for Research in Security Policy Management. SoftWars, Imperial Palace, Las Vegas, NV.
  12. Goel, S., & Gangolly, J.S. (2006). On Decision Support for Distributed Systems Protection: A Perspective Based on the Human Immune Response System and Epidemiology. Accepted January 2006 in the International Journal on Information Management. (J)
  13. Goel, S., & Bush, S.F. (2005). Biological Models of Security in Computer Networks Based on Cellular Mechanisms. Accepted for publication 2005 in ;login: (J)
  14. Lessner, L., & Goel, S. (2005). Modeling a Computer Virus Epidemic. Proceedings of the American Statistical Association Joint Statistical Meetings (JSM).
  15. Goel, S., & Bush, S.F. (December 2004). Biological Models of Security for Virus Propagation in Computer Networks. ;login:, 29(6), 49-56. (J)
  16. Goel, S., & Bush, S. F. (2003). Kolmogorov Complexity Estimates for Detection of Viruses in Biologically Inspired Security Systems: A Comparison with Traditional Approaches. Complexity Journal, 9(2), 54-73. (J)
  17. Goel, S., & Bush, S.F. (November 2-3, 2005). RNAi Inspired Model of Computer Network Security. SFI Workshop on Adaptive and Resilient Computing Security (ARCS), Santa Fe Institute, Santa Fe, NM. (C)
  18. Goel, S., Baykal, A., & Pon, D. (2006). Botnets: The Anatomy of a Case. Journal of Information Systems Security, 1(3), 45-60.
  19. Goel, S., & Crnkovic, Y. (May 21-24, 2006). RFID: Risks to the Supply Chain. Proceedings of the Information Resource Management Association (IRMA) International Conference, Washington, D.C. (C)
  20. Goel, S., & Allen, M.B. (July 10-13, 2005). A Risk Analysis Model to Predict Financial Loss Due to Cyber Attacks. Proceedings of the Symposium on Risk Management and Cyber-Informatics (RMCI'05), Orlando, FL. (C)
  21. Goel, S. (April 27-28, 2005). Innovative Model for Simplifying Information Security Risk Analysis. In the Proceedings of Working Together: R&D Partnerships in Homeland Security, an R&D Partnering Conference Sponsored by the Department of Homeland Security, Boston, MA. (C)
  22. Goel, S., & Chen, V. (May 23-26, 2005). Information Security Risk Analysis - A Matrix-Based Approach. Proceedings of the Information Resource Management Association (IRMA) International Conference, San Diego, CA. (C)
  23. Goel, S., Pon, D., Bloniarz, P., Bangert-Drowns, R., Berg, G., Delio, V., Iwan, L., Hurbanek, T., Schuman, S., Gangolly, J., Baykal, A., & Hobbs, J. (2006). Innovative Model for Information Assurance Curriculum: A Teaching Hospital. ACM Journal on Educational Resources in Computing, Special Issue on Support for the Computer Security Curriculum. In Press. (A preliminary version in the Proceedings of the Information Resource Management Association Conference, 2005)
  24. Goel, S., & Pon, D. (May 23-26, 2005). An Innovative Model for Information Assurance Curriculum: A Teaching Hospital. Proceedings of the Information Resource Management Association (IRMA) International Conference, San Diego, CA. (C)
  25. Goel, S., Pon, D., & Menzies, J. (2007). Managing Information Security: Demystifying the Audit Process for Security Officers. Journal on Information Systems Security (JISSEC), 2(2), 25-45.
  26. Goel, S., & Pon, D. (2006). Information Security Risk Analysis: A Pedagogic Model Based on a Teaching Hospital. In N. Sarkar (Ed.), Tools for Teaching Computer Networking and Hardware Concepts. Hershey, PA: Information Science Publishing, 179-199.