Shishir Nagaraja

I am a Lecturer of Computer Security in the School of Computer Science at the University of Birmingham, UK.

Email: s.nagaraja at cs [dot] bham [dot] ac [dot] uk Phone: +1-217-705-4205 Phone: +44-121 414 3877 Office: Room 141, School of Computer Science University of Birmingham Edgbaston Birmingham B15 2TT UK

Research Interests

My main interest is network security and privacy. I work on anonymous communications, privacy and graph theory, and network resilience. These extend into various other areas such as botnets, social networks, adhoc networks, the economics of information security, and usable security.

Teaching

Spring 2013 -- Network Security
Spring 2012 -- Network Security
Fall 2011 -- Introduction to Programming

Spring 2011 -- CSE549 Privacy Enhancing Technologies
Fall 2010 -- CSE539 Distributed Systems Security
CSE595 Topics in Computer Security

Spring 2010 -- ECE428 (at UIUC) Distributed Systems

Service

Program committee member for Privacy Enhancing Technologies Symposium 2010, PETS 2011, HotWisec2011, ISPEC 2012, and EuroPKI 2012
External reviewer for ACM CCS 2009,2010, 2011 ,
IEEE S&P 2010, ACM Usenix Security 2010 ,
PET 2004.

What's new

Photographer anonymity accepted at WPES 2011 (slides)
Photographer anonymity is a new problem in anonymity and privacy that I recently defined. The problem is as follows: Alice is a citizen journalist who's gained entry into a secret conference of politicians and donors of illegal election money. Alice wants to do a sting operation to expose the nexus. However the event security detail ensure that no cameras or recording devices are allowed in the meeting area. They have also installed CCTVs but as usual there's no one actively monitoring the footage, but it is being recorded. Given this threat model, how does Alice expose the collusion between politicians and illegal donors?
Naive defence: Alice carries a hidden camera device to capture images which are then published. Attack: attacker analyses the published images to see where the photographer was standing, then consults the CCTV footage to identify Alice, who then faces a risk to personal safety.
Better defence: Alice captures a number of images of the subject from different angles (a,b,c) and combines them together to form a new image that appears to have been taken from a randomly chosen angle. Upon consulting the CCTV the attackers' assessment of the potential photographer will be wrong. Does this work? We have a few initial pictures in the slides above, and a full paper on an anonymity framework and metrics will follow soon. See press coverage in the Guardian and New Scientist.

Stegobot: a covert social network botnet accepted at the Information Hiding 2011 (slides).
Stegobot is a proof of concept new-generation botnet where bots communicate over unobservable communication channels. It is designed to spread via social-malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. Command and control information as well as stolen sensitive information are relayed using steganographic techniques piggybacking over the image sharing behavior of users in a social network. Hence stolen information travels along the edges of the victims' social network. The current implementation is based on a simple routing algorithm called restricted flooding. The tuning of the steganographic channels is a key security parameter. It works surprisingly well in real world experimental deployments; even when tuned very conservatively (against detection) it is capable of channeling sensitive payloads of close to 100MB to the botmaster. See press coverage in the New Scientist, MSNBC, Times of India, and a few others.

P3CA: Private Anomaly Detection across ISP Networks accepted at the 11th Privacy Enhancing Technologies Symposium (PETS 2011).
P3CA is an ongoing project where we are trying to balance privacy requirements of ISPs with their desire to cooperatively detect malicious traffic. Often the trail of attack traffic is distributed across ISPs such that a single ISP might not be able to perform the job of classifying malicious traffic effectively. This is because a single small ISP analyzing local traffic trends, would not have enough information about the 'normal' subspace to make confident classification decisions. However multiple collaborating small ISPs can come together to share traffic information and determine common global trends that helps them to clearly delineate 'normal' traffic from malicious traffic. A poster on this project appeared at NSDI (the 7th USENIX Symposium on Networked Systems Design and Implementation).

Publications

Botgrep: Finding P2P Bots with Structured Graph Analysis accepted at the USENIX Security 2010 Symposium.
This is a paper on botnet detection that I co-authored with Prateek Mittal, Chi-Yao Hong, Matt Caesar and Nikita Borisov. Starting with the Storm botnet a few years ago, a number of new botnets have moved away from a centralized command and control (C&C) design to a P2P design. This lets them carry out sophisticated coordination activities whilst being resilient to the loss of infected machines. However the use of structured P2P design can also be used to defend against botnets. We show that this increase is resilience also leads to a loss of stealth. This allows one to localize a majority of botnet traffic with low false positive rate.

The impact of unlinkability on adversarial community detection: effects and countermeasures accepted at the Privacy Enhancing Technologies Symposium(PETS) 2010.
This is a paper on community detection and anonymity where I consider the threat model of a mobile adversary. The adversary gathers information by spying on victims' address books whilst being limited by the number of people she can simultaneously spy on. The attackers goal is to carry out community detection i.e. detect clusters of users that are more densely connected among themselves than with the rest of the network. For an attacker faced with the task of analyzing hundreds of terabytes of traffic, this would be an important pre-analysis exercise in order to concentrate traffic analysis efforts on a subset of data rather than grappling with the entire mass of data at once. I show that such attacks are devastatingly effective even when the victims are communicating using an anonymous communications network such as Tor. Finally I propose and analyze community hiding techniques that allow a privacy conscious community of users to induce unacceptably high rates of error in in the adversary's detection efforts.

Social Malware Surveillance of the Tibetan Movement ( Slides )
This is a paper on social-malware surveillance that I co-authored with Ross Anderson. We introduce the term social malware to refer to malware attacks where the dispersion mechanism involves masquerading as an entity in the close proximity of the intended target's social network. The attacks are devastatingly effective and in this report. The implications are significant, for the corporate world, for governments, for non-governmental organisations and for individuals too. Developing low cost measures for resisting these attacks is a serious information security challenge.

The economics of community hiding presented at the Workshop on the Economics of Information Security 2008 A paper on the economics of surveillance and counter-surveillance, that examines the extent of network topology information an attacker must gather, in order to uncover the existence of communities within a network. Our results support the assertion that while the privacy of the general public is easily compromised with a small surveillance budget, a covert group that makes a small investment in counter-surveillance can escape detection even when the adversary has a very high surveillance budget covering a majority of the population. Hence, government initiatives on detecting terrorist networks with large scale privacy invasion of the public are doomed to failure.

Anonymity in the wild: Mixes on unstructured networks ( slides ) at PET 2007
Current anonymous communication systems suffer from a vital incentive design failure. How you design a robust mix network where the mix operator has incentives to keep her mixes running in the face of direct adversarial challenges in the form of cease and desist. Previous approaches have incorporated the property of plausible deniability in order to design compulsion resistant systems. We take an alternate approach of having "friends mix traffic for friends", whose main advantage is that the incentive model is very well understood by the public. This paper establishes the theoretical anonymity bounds of various low latency mix network topologies with expander graph topology as a baseline to compare with. We established the feasibility and detail the challenges thrown up by a mix deployment on the Live-Journal network of friendship ties.

Incentives and Information Security in Algorithmic Game Theory, N. Nisan, T. Roughgarden, E. Tardos, and V. Vazirani (editors), ISBN-13: 9780521872829, Cambridge University Press, 2007. Along with Ross Anderson, Tyler Moore and Andy Ozment, I co-authored a book chapter that surveys several live research challenges in the economics of information security. We discuss the persistent problem of misaligned incentives, how network topology has a significant impact on emerging user incentives, auctions as a way of measuring security risk, and finally, asymmetric information and the capacity for hidden action.

the topology of covert conflict (slides) published at Workshop on the Economics of Information Security 2006

In this paper we illustrate how network structure can influence the evolution of user incentives in the context of security economics. This work shows several rounds of interplay between attack and defence strategies, between an attacker out to minimize the value of the network by reducing the average shortest path length or the size of the biggest connected component and defenders fighting back by reorganizing themselves to maximize the same parameters. Also available as Technical Report 637 .

On a dynamic topology of covert groups presented this year at Sunbelt XXVII , a social networks conference.
Suppose you are designing a covert network that is hidden in a large social network, with incomplete knowledge of the host network's topology. What should your covert group's topology look like? This paper discusses the interplay of attack and defense in the context of detection and hiding of covert groups in large networks. The global passive adversary uses a series of high level traffic analysis measures in the form of graph partitioning algorithms while the covert group must rewire/add a small number of edges. We analyze a number of strategies of hiding covert networks and offer suggestions on how to protect your secret group from the eyes of the "global passive adversary".

New Strategies for Revocation in Ad-Hoc Networks won the best paper award at ESAS 2007.
This paper discusses decentralized strategies for removing misbehaving nodes in adhoc-networks. It turns out that reelection turns out to be a better strategy than blackballing. We then propose a more radical strategy, namely suicide where both the alleged misbehavior and the behavior detector die, which we find to be even more efficient.

Privacy amplification with social networks ( slides ) at SPW 2007
Often, users in a network wishing to communicate, share a weak secret. We propose protocols for privacy amplification based on exploiting the topological properties of the social network connecting the users. After presenting an initial scheme based on random walks, we propose a number of modifications that exploit the presence of communities in such networks to make our protocols efficient with practical bounds. This paper is currently undergoing substantial revision currently, a new version should be available soon.

Evaluation Framework of Location Privacy of Wireless Mobile Systems with Arbitrary Beam Pattern was published in Communication Networks and Services Research Conference (CNSR 2007).
In this paper, we counter location privacy compromise by proposing a low level countermeasure that we call adaptive beam-forming, to prevent position location of transmitters in mobile wireless systems. We propose a new antenna design, discuss its radio characteristics and perform a high level security analysis to measure the privacy enhancing features as compared to previous antenna designs.

Time-sync independent Kerberos Authentication Protocol is a standards draft of a time synchronization independent kerberos protocol suite. This was originally written for Novell's directory services in order to provide alternate access to the proprietary nonce based challenge response protocol, however I left the company soon after to pursue my PhD and don't know what actually happened to it.

An Algorithm to cluster directory users into user communities based on similarity in access is a patent on a dynamic clustering technique I proposed with Ravi Kiran UVS, a former colleague at Novell . The basic idea is that you can group one or more interesting objects in a directory server based on corresponding access patterns with regard to other objects, instead of an administrator coming along and performing complex manual configuration and often getting it wrong. This leads to a storage cache management system that massively improves access times on remote filtered replica servers while reducing administrator effort.

Security and Policy Integrity in multilateral authorization systems was a patent issued in November 2006, is a system for implementing multilateral authorization using quorums. First, stakeholders of a directory object split a quorum private key, the shares of which for each stakeholder in all access sets is determined. The shares of the private key held by the stakeholders in any one access set add up to a number directly related to the private key. One or more secret keys of the stakeholders are further determined for each access set. One or more polynomials for the access sets are then generated by using the shares of the private key and the secret keys of the object's stakeholders.

Method and System for Amassed Authorization and An adaptive method and system for user empowered management based on Dynamic Quorums are still pending with the US patent office.

Previous Work

I obtained my B.E. majoring in computer science from Bangalore University in 1999. I joined the network security group at Novell Research at Bangalore, and worked there for about four years in various secure distributed computing projects. Some of the patents related to those pieces of work were issued recently, which you can see in the list above.

Personal

I play the Sitar an instrument popular in India, Pakistan, Afghanistan and Bangladesh. I belong to the Maihar Gharana of Hindustani classical music. Mountaineering is also an active hobby, my previous practise grounds were the lovely fourteerners of the Colorado Rockies of which I've successfully hiked up around twelve, following the 3000ft rule. My current practise grounds are the mountains in the Daulagiri range. Previously, I played tennis in the 3rd team at Cambridge LTC and was on the varsity mens second team at the University of Cambridge Gymnastics Club. I love cycling, my favourite bicycle is the classic Dawes Galaxy Tour capable of taking you hundreds of kilometers out of town before you realise it.

© 2013 Shishir Nagaraja Page last updated on January 2013