TR 32054; 2011-2014
prof. dr Milan Milosavljević
This project is devoted to development of systems for digital signal processing which satisfy the requirements arising from new trends in information security in modern computer and communications systems. Special care will be given to the development and implementation of four classes of security systems: system for extraction of cryptographic keys from biometric signals of the iris, speech, finger prints and images of faces (KEB - Key Extraction from Biometrics), system for extraction of cryptographic keys on the basis of mutual randomness originated from the physical layer of wired and wireless communication networks (KECR - Key Extraction from Common Randomness), systems for the control of the distribution of digital content and hidden transmission of information (DDCH - Digital Distribution Control and Hiding) and system for intrusion detection in computer networks based on biologically inspired algorithms for detection of anomalies in behaviour (BIIDS - Biologically Inspired Intrusion Detection Systems). Common methodological framework for development of these systems are application of advanced signal processing methods, cryptology, steganography and biometrics, leading to a significant increase in quality and reliability of basic security services, such as secrecy, non - repudiation, authentication and integrity.
It is believed that the entire field of information security will witness a radical jump in quality in the upcoming period and will shift the basic paradigm of computer security towards a paradigm of theoretical informational security. This shift could allow a synthesis of whole classes of security mechanisms, whose security would no longer depend on the computing power of the attacker. It is interesting to note that the precondition for this endeavour lies in the development of new methods of digital processing of signals on the physical layer of modern IT communication networks that extract sufficient numbers of random bits which are suitable for application in new protocols for establishing and exchanging cryptographic keys of maximal length and randomness. In the domain of reliable and practically acceptable authentication, biometry is becoming a significant source of cryptographic parameters. Digital processing of raw biometrical signals is of decisive significance in both establishing and extracting authentication codes of maximal entropy. In the domain of managing intellectual property of digital content, digital signal processing and watermarking, both visible and hidden, also presents an unavoidable building block. All of this indicates a new place for this discipline in the framework of general theory and practice for the synthesis of information security systems. Classes of subsystems for digital signal processing which satisfy the new requirements arising from these new trends in information security in modern communications systems are identified, analyzed and developed in the proposed project. Special care will be given to the development and implementation of four classes of security systems:
- Extraction of cryptographic keys from biometric signals of the iris, speech, finger prints and images of faces (KEB - Key Extraction from Biometrics)
- Extraction of cryptographic keys on the basis of mutual randomness originated from the physical layer of wired and wireless communication networks (KECR - Key Extraction from Common Randomness).
- Design of systems for the control of the distribution of digital content and hidden transmission of information (DDCH - Digital Distribution Control and Hiding)
- Design of the system for detection of intrusion in computer networks based on biologically inspired algorithms for detection of anomalies in behaviour (BIIDS - Biologically Inspired Intrusion Detection Systems)
The KEB Subsystem. Joining biometrics and cryptography as a consequence of need from both disciplines is a phenomenon that is signalled out in the project. There exists an ever present requirement in cryptography for generating quality cryptographic keys which can be easily distributed and memorised, while the wider practical use of biometry takes with it the requirement of safe memorization and recall of biometric data. Both requirements are met in systems for generating cryptographic keys based on biometric data. The development and implementation of new classes of algorithms for forming biometric templates based on iris scans that will in turn generate corresponding cryptographic keys is foreseen. Daugman's standard method give an entropy in the order of 250 bits per template, whereas an entropy up to 10 times higher is expected from the development of this system. Basic changes compared to the standard approach are envisioned in iris segmentation and the choice of transformational domain. KCER Subsystem. Maurer's research in the last fifteen years has demonstrated a real possibility for the construction of a protocol for the exchange of cryptographic keys via public networks, without prior sharing of secret information. The key part of this procedure is the possession of correlated random strings in network points who wish to establish a common secret key, independent of the computing power of the opponent who has access to the entire conversation between these two points. The development of the KCER subsystem will enable an implementation of Maurer's protocols based on random signals available on the physical layer of modern computer networks. The generated cryptographic keys will used in different models of refinement and distribution or as secret keys of symmetric key systems, or directly as one time keys in absolutely secret Varnam cipher. DDCH Subsystem. Managing intellectual property in the digital economic age is no longer a technical question, but rather one of existential value for whole industrial divisions such as the production of multimedia content (audio, video, text, imaging) and software development. One of the standard procedures in solving this problem is steganography (digital stamps and hidden information). The performance of these systems definitively relies on the digital processing of signals and applied coding procedures. In this project, it is suggested that an online monitoring system for the control and distribution of audiovisual content is developed, using on steganographic methods based on perceptively indiscernible manipulation of carrier signals by applying the 'dirty paper' codes . Preliminary research shows that it is possible to achieve a secret channel capacity more than 300 bit/second in the framework of standard audio range without violating the carrier signal. It is possible to imprint identification codes in digital multimedia content efficiently and solve the problem of monitoring the distributing and copyright of such material. BIIDS Subsystem. Modern systems for intrusion detection in computer networks are based on detecting internal anomalies and comprise of two key components: a subsystem for extracting the most characteristic behavioural features of the users of the network and a subsystem for detecting and acting upon rare anomalies in behaviour. This project proposes the development of a system that can be described as analogous to a biological, genetic and immunological defence mechanism, along with detection capabilities based on Support Vector Machine (SVM) classification, and will be included in both of the above mentioned components. The optimization criteria of the SVM classifier is doubly regularized. As such, good generalization properties are obtained which are important where only small training sets are available. Also it is able to separating correlated groups of highly discriminative features, which matches the natural features of anomalies in behaviour in modern computer networks.
Key Expected Results
Two groups of results are expected from this project. The first group relates to getting a better understanding of the new requirements of modern security services, as well as the development of four concrete subsystems: KEB (Key Extraction from Biometrics), KECR (Key Extraction from Common Randomness), DDCH (Digital Distribution Control and Hiding) i BIIDS (Biologically Inspired Intrusion Detection Systems). The second group of results relates to the nurturing of new generations of young researchers (the 5 researchers on this project are currently doctoral students on the "Advanced security systems" program at Singidunum University) in researching and developing systems for information security, which are understandably unavailable to the wider academic and professional communities. While developing the KEB subsystem, a solution that satisfies opposing requirements is expected: safeguarding the accuracy of biometric verification under conditions of ciphered biometric templates. We note that existing solutions do not offer a satisfactory compromise. The sought after result would be a system that allows extraction of cryptographic keys whose length conforms to that of standard algorithms (128 or 256 bit) with insignificant loss of verification accuracy. Preliminary analysis shows that this class of solution could be obtained for iris or fingerprint biometrics. While developing the KECR subsystem, a speed of cryptographic key extraction between any two nodes in a wireless or wired computer network is expected that would allow a practical application of the establishment of secret symmetric keys in the standard algorithms such as AES or 3DES. We note that wireless networks theoretically allow greater possibilities in the form of high cryptographic key extraction, but this remains to be verified practically. Developing the DDCH system would result in a complete technical solution for online monitoring of audiovisual content and the detection and decoding of identification codes which are imprinted in the audio channel in the production phase. Based on the decoded data, reliable information about the origin (copyright) of the content, time of broadcast, quality of transmission and reception, eventual violation of intellectual property (illegal copying), as well as additional information contained within the identification codes can be obtained. As an added benefit, the system can be used for establishing secret communication channels within public networks, with capacities of several hundred bits/second. The development of an algorithm based on double regularization SVMs (Support Vector Machines) for detecting anomalies in behaviour, which correspond to the behaviour of the attacker in computer networks is expected within the framework of the BIIDS system. It becomes possible to get better insight into the discriminatory characteristics of network traffic as well as a better understanding of working features by using this system.
The Significance of the project
he technological advance of the Internet and global communication networks raises the question of security of saved and transmitted data through these media. The question of secure authentication methods of participants in the global network, which has become the infrastructure of digital economy through which transaction are processed whose total is comparable to the GDP of some nations, the falls in the same category. Security Mechanisms that rely on high computational complexity in order to be decripted have opened the door to theoretical security criteria that clearly define the necessary conditions to unconditional security. Systems with this property are invariant to the computational power of the attacker. Theoretical results in the last decade form a solid basis for the practical realisation of certain segments of security services such as secrecy. The proposed project tends to an accumulation of experience in designing and realising the building blocks of this new class of security system. Two proposed systems fall into this category: KEB - Key Extraction from Biometrics, and KECR –Key Extraction from Common Randomness. The implementation of these methods will greatly increase the applicability of biometrics as an ideal mechanism for authentication while simultaneously eliminating the inherent problems related to biometrics such as the impossibility of recall and theft of digital identity. One of the additional benefits of the KEB system would be the potential possibility of replacing PIN codes with smart cards with biometric signatures, which would have a huge impact on the quality of all modern services related to smart cards. Safeguarding the high accuracy of biometric verification would ensure a heightened security of throughput of electronic transactions and personal mobility in today's world of heightened danger from global terrorism and crime. Implementing the KECR system would allow for the practical application of absolutely secret systems of information transmission based on Varnamov's chipher for one-time-use of symmetric secret keys. It is interesting to note that absolute secrecy cannot be achieved by any other cipher transformation. Practical implementation of mechanisms that can generate large number of completely random strings, symmetrically for given nodes in the global communication network, is a necessary first step in the realisation of this class of cipher system. The basic idea of the KECR system is to use the random processes that are present on the physical layer of communication networks for this purpose. The management and protection of copyright is of utmost importance in the modern age of the digital economy. The distribution of digital multimedia content sets a very serious condition on being able to irrevocably prove the delivery of audio and video content in agreed upon time intervals and duration. A good example is in proving that a given commercial has been broadcast in whole in the agreed upon time interval. The price of one second of a commercial in peak TV broadcasting timeslots economically justifies the development of reliable monitoring systems which work continuously with a high degree of precision. The DDCH fully solves this problem, which is currently solved manually with a large team of people and results in large number of errors. It's economic justification is obvious from this observation. In addition, the mass application of this system would in a simple way resolve the issue of payment of appropriate taxes, which is in transitional countries such as Serbia, to a large extent avoided. Intrusion detection systems in computer networks are promising yet still evolving and have not reached technological maturity for mass use in the fight against computer crime and hacking. One reason lies in the difficulty of creating good detectors of anomalous behavior in computer networks. Any progress in this direction is of great importance to the replacement of modern vulnerable networks, reliable infrastructure of the digital economy, and secure use of information resources in general. Successful development of the BIIDS system represents a significant contribution to these efforts. In theoretical and practical terms, progress in this area can not be expected without the use of modern methods of machine learning and theory of decision making under uncertainty, which is the basic idea of the synthesis of the BIIDS system.
cryptology, cipher keys, steganography, biometrics, intrusion detection, copyright