This project develops a scientific approach to testing hypotheses about network security when those tests must consider layers of complex interacting policies within the network stack. The work is motivated by observation that the infrastructure of large networks is hideously complex, and so is vulnerable to various attacks on services and data. Coping with these vulnerabilities consumes significant human management time, just trying to understand the network’s behavior. Unfortunately, even very simple behaviors – such as whether it is possible for any packet (however unusual) to flow between two devises – are difficult for operators to test, and synthesizing these low-level behaviors into a high-level quantitative understanding of network security has been beyond reach.

We propose to develop the analysis methodology needed to support scientific reasoning about the security of networks, with a particular focus on information and data flow security. The core of this vision is Network Hypothesis Testing Methodology (NetHTM), a set of techniques for performing and integrating security analyses applied at different network layers, in different ways, to pose and rigorously answer quantitative hypotheses about the end-to-end security of a network.

In security more than in other computing disciplines, professionals depend heavily on rapid analysis of voluminous streams of data gathered by a combination of network-, file-, and system-level monitors. The data are used both to maintain a constant vigil against attacks and compromises on a target system and to improve the monitoring itself. While the focus of the security engineer is on ensuring operational security, it is our experience that the data are a gold mine of information that can be used to develop greater fundamental insight and hence a stronger scientific basis for building, monitoring, and analyzing future secure systems. The challenge lies in being able to extract the underlying models and develop methods and tools that can be the cornerstone of the next generation of disruptive technologies.

This project is taking an important step in addressing that challenge by developing scientific principles and data-driven formalisms that allow construction of dynamic situation-awareness models that are adaptive to system and environment changes (specifically, malicious attacks and accidental errors). Such models will be able (i) to identify and capture attacker actions at the system and network levels, and hence provide a way to reason about the attack independently of the vulnerabilities exploited; and (ii) to assist in reconfiguring the monitoring system (e.g., placing and dynamically configuring the detectors) to adapt detection capabilities to changes in the underlying infrastructure and to the growing sophistication of attackers. In brief, the continuous measurements and the models will form the basis of what we call execution under probation technologies.

The goal of this project is to develop quantitative, scientifically grounded, decision-making methodologies to guide information security investments in private or public organizations, combining human and technological concerns, to demonstrate their use in two or more real-life case studies, prototype tools and demonstrate their proof of concept on those case studies. It is our hypothesis that quantitative security models, augmented by collected data, can be used to make credible business decisions about the use of particular security technologies to protect an organization’s infrastructure. The key output of this research will be a data-driven, model-based methodology for security investment decision-making, with associated software tool support, and a validation of the usefulness of the tool in a realistic setting. The main scientific contributions will be new abstractions for modeling human behavior, and techniques and tools for optimization of the associated data collection strategy.

This project is a collaboration between the University of Illinois at Urbana-Champaign and Newcastle University.

Cyber-Physical Systems (CPS) are vulnerable to elusive dynamics-aware attacks that subtly change local behaviors in ways that lead to large deviations in global behavior, and to system instability. The broad agenda for this project is to classify attacks on different classes of CPS based on detectability. In particular, we are identifying attacks that are impossible to detect in a given class of CPS (with reasonable resources), and we are developing detection algorithms for those that are possible. The methods developed will primarily be aimed at scenarios in which attackers have some ability to intermittently disrupt either the timing or the quality-of-service of software or communication processes, even though the processes may not have been breached in the traditional sense. Much of the work will also apply to cases where such limited disruptions are introduced physically. Our approach is based on a set of powerful technical tools that draw from and combine ideas from robust control theory, formal methods, and information theory.

Abstract:

Cyber-Physical Systems are converging towards a component-oriented and platform-based implementation. The community-driven Robotic Operating Systems and the proprietary Residential Operating System (of Prodea) are just two examples that indicate this trend. We envision that the software of the CPS is frequently updated and reconfigured, yet it cannot be guaranteed that security vulnerabilities are completely absent in the deployed systems. Clearly, there is a need to incorporate appropriate security features in these platforms so that they exhibit the necessary resilience properties and continue providing services even if parts of the larger system are compromised. In this project we develop a model-driven approach to system architecting for these component-based CPS that results in analysis techniques to determine the resilience of the systems, and in synthesis techniques that assist with the implementation. Prototypes and experimental studies will provide the vehicle for evaluation.

Hard Problems Addressed:

• Develop means to design and analyze system architectures that deliver required service in the face of compromised components
• Formal and informal domain-specific modeling languages to represent properties of CPS relevant for resilience
• Scalable and composable analysis approaches to determine the resilience metrics for the system of CPS against security attacks
• Requirements for trustworthy and dependable component-based software platforms that provide support for resilience

This research thrust focuses on the design and development of a highly accessible and scalable testbed environment for supporting the evaluation and experimentation efforts across the entire SURE research portfolio. This work is based on our existing technologies and previous results with the Command and Control Windtunnel (C2WT), a large-scale simulation integration platform and WebGME, a metaprogrammable web-based modeling environment with special emphasis
on on-line collaboration, model versioning and design-reuse. We are utilizing these core technologies and other third-party tools (e.g. Emulab) to provide a web-based interface for designing, executing and evaluating testbenches on a cloud-based simulation infrastructure. The metaprogramable environment enables us to develop and provide modeling languages, which specifically target each research thrust. Furthermore, by leveraging built-in prototypical inheritance we are building re-usable library components in the target domains.

First, the developed visual/modeling languages will be used to capture the physical, computational and communication infrastructure. Also, the simulation models will describe the deployment, configuration and/or the concrete strategies of security measures and algorithms. Third, the environment will provide entry points for injecting various attack or failure events from an existing library of components or by providing a model-based description of the algorithm.

For stimulating the experimentation and validation efforts in the SURE research thrusts and to motivate students and outside contributors to participate we are developing "Red Team" vs "Blue Team" simulation scenarios, where a using a given CPS infrastructure model each team is tasked to develop and/or configure security and fail-over measures while the other team develops an attack model. After the active design phase--when both teams are working in parallel and in isolation--the simulation is executed with no external user interaction, potentially several times. The winner is decided based on the scoring weights and rules which are captured by the infrastructure model. If successful, we may organize championships and maintain a leader board for each infrastructure model.

In security, our concern is typically with securing a particular network, or eliminating security holes in a particular piece of software.  These are important, but they miss the fact that being secure is fundamentally about security of all constituent parts, rather that any single part in isolation. In principle, if we can control all the pieces of a system, we can secure all possible channels of attack.  Typically, system and security design of various components are performed by different agents, having varying and often conflicting interests. Our goal is to develop this framework, and associated computational tools to address security holistically, accounting for incentives of all the parties.

In particular, the project aspires to investigate the many facets of decentralization in security. The overarching aim is to answer the following three questions in a variety of relevant settings: 1) what does decentralization of security decisions and associated incentive misalignment imply for overall system security; 2) in the world of decentralized security decisions, how should an organization optimally secure itself; and 3) how can one design incentives or constraints to improve the overall system security.  Much of the project focus will be on interdependence of security decisions, giving rise to competing decision externalities: positive externalities, where securing one’s system reduces exposure risk for others, and negative externalities, where security of one system incentivizes the attacker to attack another. The former will tend to lead to under-investment in security; the latter are expect to push organizations to invest too much.