Georgia Tech Research Horizons
Winter 2004
Under Attack
Georgia Tech Research Highlights
Making Cyberspace Safer

Cover Story
Georgia Tech

Researchers explore potential solutions
to information security problems.



Research at the Georgia Tech Information Security Center (GTISC) is divided into three areas – basic, applied and policy research.
photo by Nicole Cappello

Professor of Computing Richard Lipton, right, and Assistant Professor of Computing Wenke Lee realized that most spam e-mail contains a URL or Web address for a Web site for potential customers to visit. So, they have created a filter application based on looking for unwanted URL addresses in e-mails.

Researchers develop and test systems, devices, strategies, policies, practical concepts and techniques. Faculty members in the colleges of Computing and Management, Georgia Tech Research Institute (GTRI), and the School of Electrical and Computer Engineering and School of International Affairs conduct research that covers a gamut of information security issues, including database security, secure networks, cryptography, intrusion detection, quality of information, and policies on unsolicited e-mail, privacy, passive and active defense, and international cooperation to deal with cyber crime and terrorism.

Here are some highlights of GTISC research:

Misinformation – the “pushed misinformation” that spam e-mail represents and the “pulled” misinformation from Web searches that yield irrelevant or offensive material – is an increasing problem. “Both techniques for obtaining information can be manipulated with the motive of disrupting service or for profit. So you get information that is poor quality,” explains Professor of Computing Mustaque Ahamad, GTISC co-director of technology.
photo by Nicole Cappello

Professor of Computing Mustaque Ahamad is co-director of technology for the Georgia Tech Information Security Center.

He and Professor of Computing Calton Pu are leading research to understand what sort of attacks can be mounted to degrade the quality of information (QoI) and how researchers can design defenses against those attacks.

Now in the second year of a five-year project funded by the National Science Foundation (NSF), the researchers are building a prototype system that is smart enough to determine which e-mail messages should be tagged as spam and which are useful messages.

The interface is similar to currently available spam filters, but the underlying principles are very different, Ahamad says. The prototype also will deliver a trust rating – similar to the currently available relevance ratings – when Internet surfers submit a search engine query.

Professor of Computing Richard Lipton and Assistant Professor of Computing Wenke Lee are working on a different set of techniques to address spam e-mail. Lee and Lipton realized that most spam e-mail contains a URL or Web address for a Web site for potential customers to visit. So, they have created a filter application based on looking for unwanted URL addresses in e-mails.

“This approach and application is elegant and incredibly computer cheap and fast,” Lipton says. “It seems to work better than the existing commercial products, and the end user can customize it easily.” For more information, see

Ahamad adds: “Spam is a huge problem, and there is no one solution that would take care of it all. We’re working on a variety of different techniques. If we’re going to use e-mail as a medium of communication, clearly we have to find ways to counter the information degradation attacks that spam represents.”
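The URL-based filtering idea described above can be sketched as follows. This is an added example, not Lipton and Lee's application: the parent-domain matching rule, the function names, and the sample messages and domains are all constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def hosts_in(raw_message):
    """Return the set of host names found in URLs in the text parts."""
    hosts = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            if host:
                hosts.add(host.rstrip("."))
    return hosts

def is_blocked(host, blocklist):
    """True if the host or any parent domain is on the user's list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def classify(raw_message, blocklist):
    hits = sorted(h for h in hosts_in(raw_message) if is_blocked(h, blocklist))
    return ("spam", hits) if hits else ("ok", [])

# Constructed sample data: a user-maintained list and two messages.
BLOCKLIST = {"pills.example"}
SPAM = ("From: a@example.net\nSubject: Offer\n"
        "Content-Type: text/html; charset=utf-8\n\n"
        '<a href="http://WWW.Pills.Example/buy?id=1">Click</a>\n')
HAM = ("From: b@example.org\nSubject: Agenda\n\n"
       "See https://intranet.example.org/agenda before Monday.\n")

if __name__ == "__main__":
    print(classify(SPAM, BLOCKLIST))
    print(classify(HAM, BLOCKLIST))
```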

How to store private information securely, while making it easily accessible to authorized users when they need it, is the focus of another NSF-funded research project led by Ahamad. He and colleagues Wenke Lee and H. Venkateswaran in the College of Computing and Doug Blough in the School of Electrical and Computer Engineering are approaching this problem within the context of the Aware Home, an information-aware, sensing- and computing-rich residential laboratory on the Georgia Tech campus. The laboratory is a prototype of future homes.

Researchers have dubbed their new prototype system the Agile Store. In this context, agility means dealing with problems as they arise, rather than making constant demands on computing performance to deal with hacking. Agile systems can detect and then adapt to deal with attacks.

“The Agile Store uses distributed multiple components in case some fail. So its design includes a lot of redundancy,” Ahamad explains. “The Agile Store uses protocols to adapt to change requirements or conditions. When it goes into a defense mode, it may perhaps temporarily degrade performance to deal with the attack.”
courtesy of DEA

The U.S. Drug Enforcement Agency confiscated these cocaine bricks from drug trade suspects. GTRI researchers are assisting law enforcement agencies in sharing criminal intelligence information regarding the illegal drug trade in border states of the southwestern United States.

Ultimately, the researchers will build a system where users can store information and get to it when they need it. “Those who are not authorized will not be able to get the information, even if some of the machines where the information is stored are compromised,” Ahamad adds. The Agile Store’s protocols don’t rely on any one computer for correct operation of the system. Duties are shared and duplicated across a network of computers, such as those that operate in the Aware Home or a much larger network.

A team of researchers led by Professor John Copeland in the School of Electrical and Computer Engineering is developing techniques for tracing information security attackers through the Internet. Although data packets sent via the Internet carry identification numbers, these IDs can be easily spoofed, Copeland says. His team is studying how data routers can add postmarks that would enable people to determine where electronic attacks are originating – a technique called “statistical packet postmarking.”

Using this technique, Internet backbone routers would randomly add a postmark (12 bytes of data) to about 2 percent of data packets. Trace-back could be performed even in the case of intentional spoofing because a new postmark will overwrite a previous one. Overwriting keeps packet length from building up, yet still allows the actual routes to be determined once an adequate number of packets have been received.

“For example, someone could fake a return address on a piece of mail, but its postmark would remain valid,” Copeland adds.
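A small simulation of the postmarking scheme described above shows how a receiver recovers the routers on the path without consulting the claimed source address. It is an added example, not code from Copeland's team: the article does not say what the 12 bytes contain, so the postmark is assumed to hold a padded router identifier, and the router names and source address are constructed.

```python
import random
from collections import Counter

POSTMARK_LEN = 12   # bytes per postmark (figure from the article)
MARK_PROB = 0.02    # about 2 percent of packets (figure from the article)

def forward(packet, path, rng):
    """Send one packet through each router on the path, in order."""
    for router_id in path:
        if rng.random() < MARK_PROB:
            # Assumption: the 12 bytes hold a padded router identifier.
            # Overwriting (not appending) caps the packet's growth.
            packet["postmark"] = router_id.ljust(POSTMARK_LEN)
    return packet

def collect(path, n_packets, seed=2004):
    """Receiver side: tally postmarks; the claimed source is never used."""
    rng = random.Random(seed)
    counts, longest, last_new = Counter(), 0, 0
    for i in range(1, n_packets + 1):
        pkt = {"src": "203.0.113.7",        # spoofed source (constructed)
               "payload": b"\x00" * 64, "postmark": b""}
        forward(pkt, path, rng)
        longest = max(longest, len(pkt["payload"]) + len(pkt["postmark"]))
        if pkt["postmark"]:
            rid = pkt["postmark"].rstrip()
            if rid not in counts:
                last_new = i                # a new router just became visible
            counts[rid] += 1
    return counts, longest, last_new

# Constructed path: sender side first, receiver side last.
PATH = [b"rtr-A", b"rtr-B", b"rtr-C", b"rtr-D", b"rtr-E", b"rtr-F"]

if __name__ == "__main__":
    counts, longest, last_new = collect(PATH, 5000)
    print("routers seen:", sorted(counts))
    print("longest packet:", longest, "bytes")
    print("every router seen after", last_new, "packets")
```

Routers nearer the receiver are overwritten less often, so their postmarks arrive more frequently; the farthest router is the last to show up, which is why an adequate number of packets is needed.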

Many information security issues include policy components, and researchers led by Seymour Goodman, GTISC co-director of policy and professor of computing and international affairs, are actively examining those and other aspects of the problems.
photo by Stanley Leary

Seymour Goodman is the GTISC co-director of policy and a professor of computing and international affairs.

Goodman’s research – conducted under the auspices of the International Telecommunications Union and the National Academies of Science and Engineering – focuses on policies to address cyber terrorism and cyber crime. These are international legal problems that don’t recognize legal boundaries. “Mapping malicious behavior where the bad guys think in a borderless way is really hard to do,” Goodman says. “In a physical space, there are clear walls of jurisdiction.”

Cyber crime is also borderless to an extent in the United States as it crosses state boundaries, Goodman explains. “Somebody in one state can commit a crime in another state (via the Internet),” he says. “How to deal with this is not clear. Do you extradite the suspect to the state where the cyber crime victim is located? The law is a strong form of policy, but many issues are not worked out yet.

“Technology is changing faster than the law,” Goodman adds. “In many ways, this is a good thing. But there are dangers in not thinking far enough ahead about how technology can be misused. As we move faster, we’re doing the best we can, but the law is still not keeping up with the malicious use of technology…. This will be a real struggle for some time to come.”

Also under the GTISC umbrella, Goodman and his colleagues, along with the White House Office of Science and Technology Policy, co-hosted a March 2003 meeting of the President’s National Security Telecommunications Advisory Committee (NSTAC). John Marburger, the President's science advisor, and Duane Ackerman, CEO of BellSouth and vice chairman of NSTAC, were keynote speakers and participants.

More than 150 prominent researchers and practitioners from the telecommunications industry, government and academia discussed the trustworthiness of national security and emergency preparedness telecommunications systems. Specifically, they examined trustworthiness related to cyber security and software, human factors, physical security and integration of innovative research and development to build trusted tools and systems. The proceedings of the meeting are available at

In the Georgia Tech Research Institute, researchers are contributing to the GTISC effort with five major programs. In the Signature Technology Laboratory, the Secure Information Systems Division has two major research and development efforts stressing enterprise-level computer security. Program manager William Borland leads researchers investigating innovative applications of commercial software tools to instill systematic defense in depth. Database expert Rob Zimmer contributes by hardening his Oracle databases, designing specialized functions for enhanced server security. Working with software architect Ben Lowers, Zimmer weaves an intricate web of layered security design, assembling strong assurances against information leaks and inappropriate access.
U.S. Army photo by Spc. Daniel Ernst

U.S. Army soldiers wait in the rain by their Humvees as their fellow soldiers search for automatic weapons in a Kosovo town in 1999. GTRI researchers are developing ways to identify electronic attacks against mobile ad hoc networks (MANET), a collection of wirelessly connected information systems – which, for the Army, operate in a battlefield environment including moving vehicles such as Humvees and aircraft.

“Whenever security is just an after-thought, it has no hope of being robust enough to withstand attack,” Borland says. “With an emphasis on rigorous assurance managed on the server side, these systems present users with a Web-browser experience that feels familiar and comfortable.”

A GTRI project led by Senior Research Scientist John Wandelt assists law enforcement agencies in sharing criminal intelligence information regarding the illegal drug trade in border states of the southwestern United States. “Now we have an extremely secure network infrastructure to support law enforcement agencies in sharing criminal intelligence and communicating seamlessly,” says GTRI researcher Jim Cannady, the GTISC co-director of applied research. “They don’t have to pick up the phone. We’ve integrated the whole system. Officials can now share information in real time. This effort has been especially successful in light of the emphasis on homeland security.”

In a third effort, GTRI researchers led by Senior Research Scientist George Thurmond and faculty members in the School of Electrical and Computer Engineering are collaborating to help the U.S. Department of Defense identify objective measures of information security. Researchers are quantifying and establishing metrics to define the necessary level of information security. “In the past, to achieve security requirements, officials used a lot of ad hoc methods,” Cannady says. “They would tape up the system with two or three methods and then go home – based on the available tools and the level of the personnel’s expertise.” This multi-level, long-term research effort is evaluating the military’s information security systems and how they are used. They are testing these systems in large-scale military exercises.

Finally, Cannady leads a consortium of industry groups and universities in an information security study for the U.S. Army Research Lab. He describes it as basic research aimed at developing ways to identify attacks against mobile ad hoc networks (MANET), a collection of wirelessly connected information systems – which, for the Army, operate in a battlefield environment including moving vehicles such as Humvees and aircraft. “If the network is attacked, how do you know? And what type of attack is it?” Cannady’s team is asking in this study – now in its third of eight years. Since 1995, GTRI researchers have worked to develop methods of network intrusion detection, and researchers at GTRI and elsewhere still haven’t completely solved this problem. “Now, we have new problems because of wireless networks. We need new solutions, such as artificial intelligence techniques,” Cannady says.

For more information, contact Mustaque Ahamad, 404-894-2593; Seymour Goodman, 404-385-1461; or Jim Cannady, 404-894-9730.

Last updated: March 31, 2004