Overview of Scott Campbell
scampbell@lbl.gov



Papers And Writeups

Detection and Analysis of Fast-Flux Service Networks.  Scott Campbell, Steve Chan.  Paper for CS 294-28 Class at Cal, Spring 2008.
Initial exploration of Fast Flux network detection based on the Holz algorithm and some general analysis of the larger inter-network organization.
Characterizing Structure in Cross Site Scanning Dynamics.  Scott Campbell, Craig Lant.  Paper for CS 294 Class at Cal, Fall 2007.
Characterization and description of structure found when looking at large scale scanning activity using high time resolution data.
How to Think About Security Failures.  Scott Campbell.  Communications of the ACM, January 2006, Vol 49 No 1.
Overview of changing attack patterns as well as failure modes in large scale computer security.
Kurt Stockinger, Kesheng Wu, et al.  Network Traffic Analysis with Query Driven Visualization, SC 2005 HPC Analytics Results.  IEEE Supercomputing 2005.
Interactive use of billions of connection records for security analysis.
E. Wes Bethel, Scott Campbell, et al.  “Accelerating Network Traffic Analysis Using Query Driven Visualization”, IEEE VAST 2006, Baltimore, MD.
Kurt Stockinger, Kesheng Wu, et al.  “Efficient Analysis of Large-Scale Network Traffic Data using Parallel Multi-Dimensional Bitmap Indices”, submission to SIGMOD 2006.
Scott Campbell, Bad Neighborhoods Near Hostile Addresses.  RAID 2006 submission.
Looking at host behavior near known hostile addresses to see if it can be characterized as dangerous.
ICMP Covert Channel Detection via Protocol and Entropy Anomalies
An overview of several methods of detecting the presence of ICMP based covert channels is presented. 
Network Scanning Evaluation Based on Weighted Measurement
Modifying a router ACL can have significant impact on high bandwidth data transfers when an otherwise well behaved TCP connection is forced into congestion control.  An alternate method of scan evaluation is presented which addresses background radiation.
Comparing Classic Intrusion Detection Data Against Data Found in the Wild (Word Doc)
Paper presented by an undergraduate student that I mentored that examines problems with synthetic intrusion detection test data based on the 'classic' Lincoln Labs test suite.
Identification of 'Anonymous' users based on SSH keystroke timing (work in progress)
Outline of a project which looks at inter-packet timing in SSH streams to identify users. 

Software Projects

Bro Intrusion Detection System
The Bro intrusion detection system is one of the principal tools used for securing the network at a Department of Energy high performance computing facility.  These are a series of modifications which have allowed me to conduct a series of experiments with data analysis.
  • Connection Characterization - algorithms to infer intent based on connection characteristics, used to help automate analysis
  • Generic Client - take text based data, such as syslog, and tie it into the Bro framework.  Based on the Broccoli protocol.
  • Event correlation across multiple Bro instances - architecture for large scale analysis with multiple nodes at different locations
  • Entropy measurement for data streams - calculate entropy for individual packets or associated streams
  • SSL connection analysis - extract SSL connection details
  • DNS Analyzer - rework basic analyzer and state engine to work with newer DNS types, and monitor response consistency
  • GSI authentication validator - engine to digest GSI authentication tokens and check against a Certificate Revocation List, integrated into Gatekeeper and GSIFtp tools
Some of these ideas have been put into the main Bro source, while other more specialized ones have not.  Look here for notes and a few sample scripts, or feel free to contact me for any of the source modifications.

Snort Intrusion Detection System
I have also written a number of additions to the Snort IDS.

Secure Application Proxy - written several years ago.  My first attempt at a 'real' Java program.


Presentations

OpenSSH Monitoring and Analysis (PPT)
Presentation at DOE Cybersecurity Analysts Gathering, 2008 describing an instrumented version of OpenSSHD which we are planning to release. 

Exploring the Structure and Dynamics of Inter-Site Network Scanning (PPT)
Presentation at DOE Cybersecurity Analysts Gathering, 2008 describing some research that we have been doing which looks at the large scale behavior of scanners across multiple sites. 

Keeping Ahead of the Bad Guys: High Performance Computing Protection
Tutorial Presented at IEEE Supercomputing 2005 with Bill Kramer and Stephen Q. Lau.  http://sc05.supercomputing.org/schedule/event_detail.php?evid=5116

Making Intrusion Detection Systems Interactive and Collaborative (PPT)
Presentation outlining the addition of an interactive shell to Bro, as well as using a chat mechanism both for real-time monitoring (with the IDS as an active member) and as a teaching tool.  Presented at USENIX Security '05 WIP.
Host and User Level Security: Issues and Integrations (PPT)
Overview of large scale trends in computer security, and what can be done to address these changes, in particular the integration of host and network based security data.  Presented at the 2005 DOE Cyber Security training conference.
Network IDS (Bro, Snort, etc), USENIX Security ’05 BOF
How to deal with the various open source IDS systems in high performance open computing environments.

The Suckit Rootkit: Building a Better Mouse, Building a Better Mousetrap / (PDF version)
Detailed analysis of the Linux SK rootkit, including how it works and operational examples.  Presented for the Future Technologies Group seminar on Linux Kernel Internals.  Presentation format in Open Office 1.0
Intrusion Detection Tools for GRID Applications
Presented for GlobusWorld 2004 BOF group on firewall issues and GRID security. [PDF]  [PPT]
Characterizing Malicious Traffic on the Internet (PPT)
Presentation for the 2004 DOE Cyber Security training conference which analyzed hostile vs. non-hostile traffic found on the Internet, and compared it to synthetic attack data.

Panel member for 2004 NSF Cyber Security Summit
Panel member at discussion on large scale intrusions into high performance computing facilities and university facilities in 2004.
Bro IDS Class - Discussion of changes that NERSC has made with regard to Bro maintenance, administration and functionality additions.

Analysis
Summaries of problems or network data that have proved to be interesting, but not substantive enough to be considered complete research projects.

Analysis of ICMP redirect traffic (DOC) - This is an initial report on the analysis of a large volume of unusual traffic that crossed NERSC's network.  It was later determined that the traffic was caused by a misconfigured router.
Methods of monitoring, and hiding from, user space applications.
Visualization of connection data - getting a feel for the ratio of 'good' to 'bad' TCP connections NERSC receives in a typical day.
Phase space representation of TCP connections which shows an unusual degree of structure within the data.

Other

Technical Editor for "Intrusion Detection and Prevention", by Carl Endorf, Eugene Schultz and Jim Mellander.  The McGraw-Hill Companies, 2004 (to be released end of year).  ISBN: 222954-3.

Mentor for Summer Student in Science Undergraduate Laboratory Internship, 2003.