Welcome


Thank you for dropping by. My name is Daniel Bilar and I enjoy poking my nose into code and networks and trying novel ways to solve problems. My research areas revolve around highly evolved malicious software, as well as quantitative risk analysis of networks.

Classes


In Fall 2006, I am co-teaching a security class CS342 with Lyn Turbak at Wellesley College (MA).

Spring 2007, I am teaching my Science of Networks course CS249B

Fall 2007, I am teaching a Computer Networks course CS242

I hope to teach a Quantum Computing course CS249C
(1 min intro here)

Research


My area of interest is information security (specifically network security), a fascinating, young field spanning different dimensions (such as people, technology, computer science, operations research, law, sociology and economics) with plenty of opportunities to make contributions.

The questions I am trying to answer are (in order of results, preliminary results, bleeding edge):

  1. What are useful risk models to conduct risk analysis and management on computer networks?

    My 2003 PhD thesis addressed the technical risk opacity of software running on computer networks, for which Dartmouth filed a provisional patent.

    I developed a methodology to systematically assess the vulnerabilities introduced by the software on a network, proposed a configurable, granular risk calculation framework with which to rank these vulnerabilities and their associated risks, and transparently presented specific management options with which to mitigate these risks. This approach focused on the vulnerabilities present in 'good' software. However, the 'people' side of the problem, as well as multi-stage attacks, are not addressed in a satisfactory way, so there is much room for improvement.

  2. How do we identify and classify polymorphic, metamorphic malware quickly?

    Malware is 'bad' software like worms, viruses and trojans. Anti-virus software uses signature matching and checksums to detect them, but this tends to be too rigid because variants only change a few lines of code. A more comprehensive approach, with heuristics and emulation, may take too long; with worms the time window is measured in minutes.

    One approach for metamorphic malware is to find a sweet spot: find structural classifiers ('structural fingerprints') that are statistical in nature, 'fuzzier' metrics between static signatures and dynamic emulation and heuristics. I investigated opcode distribution, Win32 system call sequences and structural callgraph properties.

    Even more worrisome is k-ary malware. K-ary malware partitions its functionality into k distinct parts, each part containing merely an innocuous subset of the total instructions. In serial or parallel combination, they release their noxiousness. Current AV models seem unable to detect (or disinfect when detected) this threat, partly due to theoretical model limitations.

    In light of the new metamorphic and k-ary threats, I am moving towards new dynamic detection and containment techniques. This may entail (horribile dictu!) moving beyond Turing machine models premised on the (strong) Church-Turing thesis (computation-as-functions) towards interactive computations, foreshadowed already by Turing in his 1936 paper with his choice "c-machine" (as opposed to the standard automatic 'a-machine'). See my HGI 2007 talk and the references by Wegner.

  3. Are software systems NETs?

    Over the summer, I read Into the Cool: Energy Flow, Thermodynamics, and Life (U. Chicago Press) and was immediately taken by the "Second Law" approach to systems theory: how energy flow and gradient reduction imperatives create and maintain non-equilibrium thermodynamic systems (NETs).

    Its argument is that in order to degrade gradients in the most efficient manner possible, complex systems will emerge. Increased complexity enhances the system's dissipative properties, hence such open systems tend to grow as long as a gradient is present. The book mentions several examples of NETs: Bénard cells, Taylor vortices, hurricanes, life itself, larger ecosystems.

    I am trying to figure out whether this approach can be fruitfully applied to the analysis of complex software systems. Does software behave like other NET systems? What gradients, if any, are reduced by software systems? How do the concepts of exergy, energy dissipation and entropy production map to software systems? Is there a link between increased software structure complexity and more effective energy dissipation? And how can we use this approach in the domain of information security?
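Item 2 above contrasts rigid signature matching with statistical 'structural fingerprints' such as opcode distributions. The following is an added example (not code from this page or its author) that makes the contrast concrete on constructed mnemonic sequences: an exact-sequence hash breaks as soon as junk instructions are inserted, while a frequency-vector comparison still groups the variant with its original. Cosine similarity and the 0.8 threshold are assumptions chosen for illustration, not the page's metric.

```python
from collections import Counter
import hashlib
import math

# Constructed opcode mnemonic sequences standing in for disassembled functions
# (constructed samples, not real malware; mnemonics only, no operands).
BASE = ["push", "mov", "mov", "call", "test", "jz", "xor", "mov", "lea",
        "call", "add", "cmp", "jne", "mov", "pop", "ret"]
# Metamorphic-style variant of BASE: junk nops inserted and a redundant
# push/pop pair added, so any exact byte or line signature no longer matches.
VARIANT = ["push", "nop", "mov", "mov", "call", "nop", "test", "jz", "xor",
           "mov", "push", "pop", "lea", "call", "add", "cmp", "jne", "mov",
           "nop", "pop", "ret"]
# Unrelated constructed code (a tight arithmetic loop) for contrast.
UNRELATED = ["mov", "xor", "imul", "add", "shr", "inc", "cmp", "jl", "imul",
             "add", "shr", "inc", "cmp", "jl", "ret"]


def exact_signature(ops):
    """Rigid signature: hash of the exact mnemonic sequence."""
    return hashlib.sha256(" ".join(ops).encode()).hexdigest()


def opcode_distribution(ops):
    """Normalised opcode frequency vector, the 'structural fingerprint'."""
    counts = Counter(ops)
    total = sum(counts.values())
    return {op: n / total for op, n in counts.items()}


def cosine_similarity(p, q):
    """Cosine similarity between two sparse frequency vectors, in [0, 1]."""
    keys = set(p) | set(q)
    dot = sum(p.get(k, 0.0) * q.get(k, 0.0) for k in keys)
    norm_p = math.sqrt(sum(v * v for v in p.values()))
    norm_q = math.sqrt(sum(v * v for v in q.values()))
    return dot / (norm_p * norm_q)


def same_family(sample, reference, threshold=0.8):
    """Fuzzy match: same family if the opcode distributions are close enough.
    The threshold is an assumed value; in practice it is tuned on labelled data."""
    sim = cosine_similarity(opcode_distribution(sample),
                            opcode_distribution(reference))
    return sim >= threshold


if __name__ == "__main__":
    print("exact match:", exact_signature(BASE) == exact_signature(VARIANT))
    print("fuzzy match:", same_family(VARIANT, BASE))
    print("unrelated  :", same_family(UNRELATED, BASE))
```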

Some Papers


Tryfonas, T. and Bilar, D. : Forensic aspects of type 0-3 malware. In preparation: Digital Evidence Journal (Bedfordshire, UK) (April 2008)

Filiol, E. and Bilar, D. (Eds.): On self-reproducing programs. Submitted: Special Issue of the Journal In Computer Virology (Springer, Paris) (March 2008)

Endicott-Popovsky, B. and Bilar, D. and Taylor, C.: Practical gender-aware pedagogy for introductory CS classes. In preparation: ACM Journal on Educational Resources in Computing (ACM Press, NY)

Bilar, D.: Misleading Modern Malware. Submitted: Journal In Computer Virology (Springer, Paris) (October 2007)

Bilar, D.: On Callgraphs and Generative Mechanisms. Journal In Computer Virology Vol. 3, No. 4 (Springer, Paris) (December 2007)

Bilar, D.: Opcode as predictors for malware. International Journal of Electronic Security and Digital Forensics Vol. 1, No. 2 (InderScience, Geneva) (December 2007)

Bilar, D.: Callgraph structure of executables. AI Communications Vol. 20, No. 4, Special Issue on "Network Analysis in Natural Sciences and Engineering" (IOS, Amsterdam) (November 2007)

Bilar, D., Burroughs, D.: Introduction to State of the Art in Intrusion Detection Systems. In: Proceedings of the SPIE International Symposium on Law Enforcement Technologies, Vol. 4232 (December 2000)

Cybenko G., Jiang G., Bilar D.: Machine Learning Applications in Grid Computing. In: Proceedings of the 37th Allerton Conference on Communication, Control, and Computing (September 1999)

Bilar, D. : Minimizing Error in DNA Computing. Technical Report. Thayer School of Engineering at Dartmouth College (January 1998)

Some Talks


Bilar, D.: Approaching Information-gain Adversarial Malware. BBN Technologies (Cambridge, MA) (November 2007)

Bilar, D.: Back to the Future: From Dortmund to present and future malware challenges given at DAT '07 (Dortmund, D): Third Dortmunder Alumni Tag an der Universitaet Dortmund (October 2007)

Bilar, D.: Flying below the Radar: What modern malware tells us given at Horst Görtz Institut für Sicherheit in der Informationstechnik (Bochum, D): Seminar an der Ruhr-Universitaet Bochum (October 2007)

Bilar, D.: Looking ahead towards metamorphic, k-ary malware and modern models given at DIMVA '07 (Lucerne, CH): GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (July 2007)

Bilar, D.: Malware Analysis as Science: A Primer given at IPICS '07 (Wales, UK): Intensive Programme on Information and Communication Security (July 2007)

Bilar, D.: Statistical Opcode Analysis given at ICGeS '07 (London, UK): International Conference on Global E-Security (April 2007)

Bilar, D.: Statistical Structures: Tolerant Fingerprinting for Classification and Analysis given at BH '06 (Las Vegas, NV): Blackhat Briefings USA (August 2006)

Personal


My CV

I came from Brown University (BA, Computer Science), Cornell University (MEng, Operations Research and Industrial Engineering) and Dartmouth College (PhD, Engineering Sciences).

At Dartmouth, I was a founding member of the Institute for Security and Technology Studies and worked on devising new methods to protect the nation's communication infrastructure. ISTS conducts counter-terrorism technology research, development, and assessment for the Department of Homeland Security.

My PhD thesis was "Quantitative Risk Analysis of Computer Networks". My thesis advisors included George Cybenko (Dorothy and Walter Gramm Professor at Dartmouth, my primary advisor), Robert Morris Sr. (former Chief Scientist of NSA's National Computer Security Center), Susan McGrath (Director, Emergency Readiness and Response Research Center, ISTS at Dartmouth) and Robert Gray (BAE Systems, Arlington, VA).


Daniel Bilar, Computer Science Department, Wellesley College
Last modified: January 2008

Template gratefully acknowledged from Jesper Rasmussen, DTU, Denmark
