computer systems are used, one has to delve a bit deeper into how those issues occur and what they mean for the people who use computers. Addressed here will be a critique of two articles addressing DNS attacks and network intrusion detection, in order to determine the severity of the issues these attacks are causing and what can be done in order to lessen the risks and protect the data of more individuals and companies.

Jackson, C., Barth, A., Bortz, A., Shao, W., & Boneh, D., (2009). Protecting browsers from DNS rebinding attacks. ACM Transactions on the Web, 3(1): 1-26.

Jackson, et al. (2009), provides information on the use of DNS rebinding attacks, which are generally unexpected by the users who experience them and can be very devastating. Many firewalls and other protection options do not work against DNS rebinding attacks, because the browser is fooled into thinking that the website it is being asked to access is safe from malicious software or other problems (Jackson, et al., 2009). The main goals of these DNS rebinding attacks are to defraud pay-per-click advertisers, get around personal and organizational firewalls, and send spam emails (Jackson, et al., 2009). One of the reasons these attacks are becoming so popular is that they cost very little to create. For around $100, the study found that 100,000 IP addresses could be hacked (Jackson, et al., 2009).

There are defenses to these attacks, however, including the classic “DNS pinning” and improvements made to it (Jackson, et al., 2009). Web servers, firewalls, and plug-ins are all vulnerable, and there are recommended changes that can be made to these in order to better protect them from DNS attacks (Jackson, et al., 2009). Many of the defenses suggested by the authors of the study have been used by open-source firewall implementers and vendors who provide plug-ins, so they can provide extra measures of safety.

Analysis

The main contributions and strengths of this article relate to the way the researchers provide information regarding not only what the issue is but how to correct the issue and reduce the risk to those who might otherwise be affected by it. It is one thing to discuss an issue and point out that there are problems, but it is a completely different thing to take those issues and show how they can be solved or at least mitigated (Dean, Felten, & Wallach, 1996). Addressing an issue and putting thought into how to solve it properly is far different — and far more valuable — than simply stating that one has discovered an issue that can and should be dealt with. Solutions are available for the majority of problems seen with computers and with other facets of life, but until solutions are provided and implemented, and until their value is truly shown, they remain only speculation and do not provide options for improvement.

There are weaknesses and limitations to every article, and this one is no exception. The main limitation of the study is that it focuses only on DNS attacks, and there are many other types of attacks that regularly occur on computers. While the article does help solve a problem, there is more that could be addressed and solved in order to make computing safer overall (Karlof, et al., 2007). The weaknesses seen in this article are not significant, really, based on what the authors are presenting. The suggestions they have made have already been implemented by a number of companies that provide plug-ins and other Web services, so the suggestions are acceptable and do work properly.

The improvements to the article that could be made would be an ease of readability. While this is a complex topic, the article is confusing for those who are not clear on what DNS attacks are or how computer information actually works. It would not be expected that all of that information would be provided by the authors because there would not be room for that in the study, but more “layman’s terms” in the article would make it accessible and understandable to a larger number of readers who may have an interest in the subject but have not yet developed a high level of understanding regarding it.

The article compares well with other articles that have been read so far. It is explanatory and provides something of real value, which is not always seen in studies that simply address what the issue is but that do not provide information on how any of the problems can be corrected. At times it may not be possible to truly correct an issue, but there are usually at least options for mitigation that can be considered (Gajek, Schwenk, & Xuan, 2008). The article is important because it does not ignore the fact that people want answers to their problems, not just information on the severity of those problems. This article is also strengthened because of information provided in other papers and textbooks that address the severity of DNS attacks and how they can be snuck into a large number of areas when it comes to computing (Gajek, Schwenk, & Xuan, 2008; Karlof, et al., 2007). It is clear that the authors realize the severity, and that they have paid attention to others who have written on the issue so they could develop ways to protect against DNS attacks.

The bibliography that comes with the paper provides ample opportunity for information that can help others understand the topic. The most important sources the authors provide include:

Dean, D., Felten, E.W., & Wallach, D.S. (1996). Java security: From HotJava to Netscape and beyond. In IEEE Symposium on Security and Privacy.

Gajek, S., Schwenk, J., & Xuan, C. (2008). On the insecurity of Microsoft’s identity metasystem. Tech. Rep. HGI-TR-2008-003, Horst Gortz Institute for IT Security, Ruhr University Bochum.

Karlof, C.K., Shankar, U., Tygar, D., & Wagner, D. (2007). Dynamic pharming attacks and the locked same-origin policies for Web browsers. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Discussion and Conclusion

Overall, the information provided in the article is quite valuable to the majority of businesses and individuals who are working to keep themselves safe from DNS attacks. Many end users do not even realize that these types of attacks are possible, so they rely on others to protect them. This is done primarily through firewalls, but also through a reduction in spam emails and the mitigation of pay-per-click fraud. Because these are the areas on which DNS attacks focus, it is highly important that these areas are the ones on which the authors focus. It is particularly impressive that the study’s authors are aware of the seriousness of the problem and that they have already created ways in which they can help. Those ways have been provided to companies that have put them into use, and they have provided more value and more security to a number of individuals and companies that may have otherwise been at risk. This is the true value of the article.

Critique: Paper Two

Sommer, R., & Paxson, V. (2003). Enhancing byte-level network intrusion detection signatures with context. Proceedings of the 10th ACM Conference on Computer and Communication Security: 262-271.

Summary

The article written by Sommer and Paxson (2003), addresses the issue of network intrusion and how best to detect it in order stop it from happening before it can cause damage to what the end user is engaged in. There are, currently, a number of network intrusion detection systems (NIDS). They use specific byte sequences as signatures, in an effort to detect whether there is malicious activity taking place (Sommer & Paxson, 2003). They are efficient in keeping out attacks, but they also return a level of false positives that is too high for the comfort of most individuals. In an effort to avoid that, Sommer and Paxson (2003) developed the use of contextual signatures. This improves the string-based signatures that are being used, and makes it harder for a false positive to appear.

The NIDS Bro was designed to provide both high-level and low-level context, which work well with regular expressions and semantic information in the scripting language. The expressiveness of the signature is greatly enhanced by the addition of context, so the number of false positives drops dramatically (Sommer & Paxson, 2003). By leveraging freeware like NIDS Snort into Bro’s language, the authors also created a base upon which they could build. That also allows for the work to be better evaluated, as it can be compared to Snort and the issues with the comparison of NIDS can also be considered. Since it can be difficult to truly compare NIDS with one another, that point has to be addressed in order to keep the study on the right track and remaining logical.

Analysis

The main strengths and contributions of the article relate to the in-depth information regarding intrusion detection. Since the authors understand how important this detection is, they see the value in protecting individuals and companies from it as they browse the Web for either business or pleasure. The realization that intrusion detection has a number of false positives is a significant one (Bace, 2000; Coit, Staniford, & McAlerney, 2001). Until that was realized, there was little advancement in the way intrusion detection worked or how it was changed or adjusted. In short, the technology was “stuck” in that particular area, with little advancement seen (Haines, et al., 2001). Fortunately, with studies and articles like the one critiqued here, it is easy to see the proper and valuable advancement of technology.

The limitations of the study are small, as are the weaknesses. The most significant of the issues in that capacity revolve around the understanding that it is not possible to really compare NIDS with one another (Bace, 2000). That can make the study less conclusive in that it is possible to show the value of context when it comes to NIDS, but it is not possible to compare one style of contextual advancement to another to see how they measure up where value is concerned (Haines, et al., 2001). Despite this, however, the value of what was done in the study is very important to the overall quality of NIDS that is seen in computing applications today, and can provide companies and individuals with a higher level of security and a lower level of false positives.

The study could be improved if there were better ways to compare NIDS, because that would provide another benchmark to study. As it stands, however, that is not possible, and the study feels very complete in its present form. It compares well with other papers and articles that have been read, because it focuses on more than writing about the problem. Many studies address problems, but they do not all find clear solutions — or even suggested solutions — to those problems. In some cases this is because solutions are not possible, or because there are too many variables that would have to be considered in order to determine whether a solution would be viable. In other cases, the authors are not focused on exploring how to fix the problems they have detailed in their study, and that can lead to frustration for the reader who wants to know what can be done about the problem.

This paper is strengthened by other studies that verify the lack of viability in comparing NIDS with one another (Coit, Staniford, & McAlerney, 2001). The inability to compare these in an significant way is frustrating, but it is not something the authors of the paper can control. They are limited by what is realistic in their chosen field, and that does not include being able to take one form or application of NIDS and compare it across the board with another one. Instead, the authors of the paper have to focus their efforts on the changes they have made and whether those changes are successful in improving the situation for people and companies that need NIDS protection.

There are several pieces of information in the article’s bibliography that provide a great deal of knowledge about the subject at hand, and that provide it in such a way as to be easily understood. These include:

Bace, R.G. (2000). Intrusion Detection. Macmillan Technical Publishing, Indianapolis, IN, USA.

Coit,, C.J., Staniford, S., & McAlerney, J. (2001). Towards Faster Pattern Matching for Intrusion Detection or Exceeding the Speed of Snort. In Proc. 2nd DARPA Information Survivability Conference and Exposition.

Haines, J., Rossey, L, Lippmann, R., & Cunningham, R. (2001). Extending the 1999 Evaluation. In Proc. 2nd DARPA Information Survivability Conference and Exposition.

Discussion and Conclusion

The article, overall, provides a great deal of strong, valuable information on intrusion detection and how it can be improved. It is only logical that adding more context to the NIDS system would provide a better rate of accurate return. Of course, false positives are not as serious as false negatives, because it is still not allowing attacks and hacks to go through. False negatives would mean that hackers were getting into the system, which would naturally be a serious consideration for any company dealing with that issue, and also for the end users whose information could be put at risk. However, false positives are still a poor choice because they can prevent access to needed and desired information.

While it is important to protect people, those same people must also be able to access what they need. That is why articles like this provide so much value — because they reduce the occurrence of false positives without compromising any form of safety for everyone involved. They also provide a basis off of which others can work, so more options for protecting the Web and avoiding false positives can be created. The context in which the authors are working may need to be adjusted in order to provide maximum effectiveness, but that does not mean that what they have already created does not have strong merit for their field of study.

References

Bace, R.G. (2000). Intrusion Detection. Macmillan Technical Publishing, Indianapolis, IN, USA.

Coit,, C.J., Staniford, S., & McAlerney, J. (2001). Towards Faster Pattern Matching for Intrusion Detection or Exceeding the Speed of Snort. In Proc. 2nd DARPA Information Survivability Conference and Exposition.

Dean, D., Felten, E.W., & Wallach, D.S. (1996). Java security: From HotJava to Netscape and beyond. In IEEE Symposium on Security and Privacy.

Gajek, S., Schwenk, J., & Xuan, C. (2008). On the insecurity of Microsoft’s identity metasystem. Tech. Rep. HGI-TR-2008-003, Horst Gortz Institute for IT Security, Ruhr University Bochum.

Haines, J., Rossey, L, Lippmann, R., & Cunningham, R. (2001). Extending the 1999 Evaluation. In Proc. 2nd DARPA Information Survivability Conference and Exposition.

Jackson, C., Barth, A., Bortz, A., Shao, W., & Boneh, D., (2009). Protecting browsers from DNS rebinding attacks. ACM Transactions on the Web, 3(1): 1-26.

Karlof, C.K., Shankar, U., Tygar, D., & Wagner, D. (2007). Dynamic pharming attacks and the locked same-origin policies for Web browsers. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Sommer, R., & Paxson, V. (2003). Enhancing byte-level network intrusion detection signatures with context. Proceedings of the 10th ACM Conference on Computer and Communication Security: 262-271.