Dr. Dipankar Dasgupta
333 Dunn Hall
Memphis, TN 38152-3240
phone: (901) 678-4147
fax: (901) 678-1506
dasgupta@memphis.edu

     

Elevated to IEEE Fellow (Batch of 2015)
Distinguished ACM Speaker
Recipient of 2012 Willard R. Sparks Eminent Faculty Award.


Advisory Board Member of MIT in Cyber Security

Editorial Board of journals


Announcement:

* Principal Investigator *
Dr. Dasgupta will organize the IEEE Symposium on Computational Intelligence in Cyber Security (CICS 2017) in Hawaii, USA, from November 27 to December 1, 2017.
Program Committee Member of the 1st IEEE International Workshop on Cyber Resiliency Economics (CRE 2016), Vienna, Austria, August 1-3, 2016.
Prof. Dasgupta will give an invited talk at the Computer Science Department, University of Tennessee, Knoxville, TN, April 7, 2016.
Prof. Dasgupta will present a research paper at the 11th Annual Cyber and Information Security Research (CISR) Conference, to be held at the conference center at Oak Ridge National Laboratory, Oak Ridge, TN, April 4-6, 2016.
Prof. Dasgupta will give an invited talk at the Regional Symposium "Graduate Education and Research in Information Security" (GERIS'16) on March 8, 2016, at Binghamton University, Binghamton, New York.
Announcement for the available position of Research Assistant Professor (in Cyber Security).
Prof. Dasgupta was interviewed by a local TV channel (FOX 13); the interview was telecast on Feb. 19, 2016.
Organized the "Cybersecurity Certificate Course" foundational program at the FedEx Institute of Technology, UofM, February 1-5, 2016.
Prof. Dasgupta gave an invited talk at the 5th International Conference on Fuzzy and Neural Computing, FANCCO-2015, December 16-19, 2015.
Cluster to Advance Cyber Security & Testing (CAST) hosted Cybersecurity Lightning Talks at the FedEx Institute of Technology on the afternoon of December 3, 2015.
CfIA Receives Cyber Security Training Grant from FEMA.
UofM's CfIA Will Develop Course for Mobile Device Security and Privacy Issues.
Prof. Dasgupta gave an invited talk on Adaptive Multi-Factor Authentication at the Department of Electrical Engineering and Computer Science and CASE Center, Syracuse University, Syracuse, NY 13224-5040, November 18, 2015.
Organize a Symposium on Computational Intelligence in Cyber Security (CICS) at the IEEE Symposium Series on Computational Intelligence (SSCI), December 7-10, 2015, in Cape Town, South Africa.
Gave a keynote speech at the Cyber Security workshop (STL-CyberCon), University of Missouri-St. Louis, St. Louis, November 20, 2015.
Prof. Dasgupta attended the NIST-NICE conference in San Diego, November 1-4, 2015.
Prof. Dasgupta gave an invited talk at the 9th International Research Workshop on Advances and Innovations in Systems Testing at the FedEx Institute of Technology, the University of Memphis, October 20, 2015.
Our Cyber Security Team took second place in the Cyber Defense Competition @CANSec 2015, held on October 24 at the University of Arkansas at Little Rock.

From: Nick Day
Sent: Friday, December 12, 2008 9:53 AM
Subject: Password Immunizer - Questions

I found it quite interesting and had some questions regarding it that you or Dr. Dasgupta might be able to answer.

Q1: Why generate a (potentially very large) table of all the things that aren't valid passwords? Not only would the set of 'Anti-P' be tediously large, but the animation suggests that it would be incomplete. I can't see the value in spending the time to check if input is one of many, many different possibilities versus a check to see if it is or isn't just one thing.
Answer: In an ordinary sense, the non-self (Anti-password) space is very large. However, this space can be controlled by preprocessing (e.g. mapping the 64-character hashed passwords to another representation, such as n-dimensional real numbers). The second point is that our generated AntiPs are clusters (not single points in space) of varying sizes, so the bigger clusters are generated first, occupying most of the empty space, and smaller ones are then generated to occupy the in-between areas. Our empirical results suggest that with proper parameter tuning, it is possible to have significant coverage (95%) for a reasonable size password data set (5000-10000) with an AntiP set of 20% to 30% of the password file size. This is a very significant result in terms of performance measure. Yes, we intentionally like to keep the AntiP set incomplete (we found 95% coverage of the negative password space is good enough) for two reasons: we don't want the AntiP set to be a total complement of the password space, and we also generate differently shaped AntiPs (such as spherical, hypercube, elliptic) to obfuscate.
Even if there are some misses (about 5%), the hackers/crackers will be blocked by the layer 2 positive authentication system, as ours is an additional layer of protection.


Q2: I can appreciate a 2-layered approach to authentication to do things like attack monitoring and data gathering. While the actual authentication layers are typically unaware of things like brute-force attempts and other malicious usage patterns the 2nd layer can be more stateful and log this kind of behavior. Is that the primary purpose of The Password Immunizer, to act as behavior-analysis?
Answer: The goal is to keep the AntiP checking as the first line of authentication (invisible to users), and it should be kept on a separate machine (probably outside the secure perimeter), while the positive authentication system should be inside the highly secure region. AntiPs should be generated in the secured region and pushed to the insecure outer NA server so that the AntiP generation strategy is not exposed.


Q3: The slides address the risk of having your password hash data stolen which the attacker can crack on their own time before entering a system. How would The Password Immunizer address the possibility of having the non-matching hashes stolen and used as a filter for their brute-force attempts to ensure they always get past the first level of security?
Answer: The transformation of the password space (which will make it harder to reverse engineer) and recycling the AntiPs regularly make the system more secure even if the AntiPs are compromised (let me know if you would like more clarification on this); these will not be in use if we recycle at some time interval. It will also be possible to use it as a honeypot to understand the cracking tools better. We will put some result slides in the demo soon. The bottom line is, you have an additional protection in a very different way and hopefully many cracking tools will be ineffective. I am sure that as the NA system comes into use, more benefits will be discovered.
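
The negative-authentication scheme discussed in the answers above, as an added sketch that is not part of the original e-mail and is not the Password Immunizer's own code: password hashes are mapped to points, variable-size spherical AntiPs are generated largest first, and the outer layer drops any request that lands inside one. The SHA-256-to-2-D mapping, the radii, the try counts and the sample passwords are all assumptions chosen for illustration.

```python
import hashlib, math, random

def to_point(password, dims=2):
    # Assumed mapping: slices of the 64-hex-char SHA-256 digest become coordinates in [0,1).
    digest = hashlib.sha256(password.encode()).digest()
    return tuple(int.from_bytes(digest[8*i:8*i+8], "big") / 2**64 for i in range(dims))

def covered(point, detectors):
    return any(math.dist(point, c) <= r for c, r in detectors)

def generate_antips(self_points, self_radius=0.01,
                    passes=(0.2, 0.1, 0.05, 0.02), tries=1500, seed=1):
    # Variable-radius negative selection: big AntiP spheres first, smaller ones fill the gaps.
    rng = random.Random(seed)
    dims, detectors = len(self_points[0]), []
    for min_radius in passes:
        for _ in range(tries):
            c = tuple(rng.random() for _ in range(dims))
            if covered(c, detectors):
                continue
            # Largest sphere around c that stays clear of every valid-password point.
            r = min(math.dist(c, s) for s in self_points) - self_radius
            if r >= min_radius:
                detectors.append((c, r))
    return detectors

def coverage(detectors, self_points, self_radius=0.01, samples=5000, seed=2):
    # Monte Carlo estimate of the fraction of non-self space inside some AntiP.
    rng = random.Random(seed)
    dims, hit, total = len(self_points[0]), 0, 0
    for _ in range(samples):
        p = tuple(rng.random() for _ in range(dims))
        if min(math.dist(p, s) for s in self_points) <= self_radius:
            continue  # sample lies in self space, not counted
        total += 1
        hit += covered(p, detectors)
    return hit / total

def first_layer(password, detectors):
    # True: forward to the inner positive-authentication system. False: dropped at the NA server.
    return not covered(to_point(password), detectors)

PASSWORDS = [f"constructed-pw-{i}" for i in range(25)]  # constructed sample data
SELF = [to_point(p) for p in PASSWORDS]
ANTIPS = generate_antips(SELF)  # only this list would be pushed to the outer server

if __name__ == "__main__":
    print(len(ANTIPS), "AntiPs, coverage", round(coverage(ANTIPS, SELF), 3))
    print("valid passes:", first_layer(PASSWORDS[0], ANTIPS))
```

Because each sphere's radius stops short of the nearest valid-password point, a correct password can never be rejected by the outer layer, while the uncovered remainder of non-self space is what the inner positive-authentication layer has to catch.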