Visible to the public SoS Lablet Annual Report - UIUC

Submitted by awhitesell on Wed, 08/30/2017 - 4:08pm

Lablet Annual Report
Purpose: To highlight progress made within the reporting year. Information is generally at a higher level which is accessible to the interested public. This will be published in an overall SoS Annual Report to be shared with stakeholders to highlight the accomplishments the Lablets have made over the past year.

A). Lablet Introduction
Please include each of the following:

  • General introduction about the Lablet - 1 paragraph
  • Team description (universities that are Lablets, Sub-Lablets, and any collaborators) - 1 paragraph
  • Overall viewpoint of the progress made over the past year - 1-2 paragraphs

The UIUC Lablet is contributing broadly to the development of security science while leveraging Illinois expertise in resiliency, which in this context means a system's demonstrable ability to maintain security properties even during ongoing cyber attacks. The Lablet's work draws on several fundamental areas of computing research. Some ideas from fault-tolerant computing can be adapted to the context of security. Strategies from control theory are being extended to account for the high variation and uncertainty that may be present in systems when they are under attack. Game theory and decision theory principles are being used to explore the interplay between attack and defense. Formal methods are being applied to develop formal notions of resiliency. End-to-end system analysis is being employed to investigate resiliency of large systems against cyber attack. The Lablet's work also draws upon ideas from other areas of mathematics and engineering as well.

The team is comprised of faculty and researchers from the University of Illinois at Urbana-Champaign and sub-awards from other universities. A Monitoring Fusion and Response Framework to Provide Cyber Resiliency and Anonymous Messaging in Networks are two new projects added this year. Project by project details of the personnel are listed under the Fundamental Research section of the report. The current list of projects is as follows:

  • A Hypothesis of Testing and Framework for Network Security: Illinois and Illinois Institute of Technology
  • A Monitoring Fusion and Response Framework to Provide Cyber Resiliency: Illinois
  • Anonymous Messaging in Networks: Illinois
  • Data-Driven-Model-Based Decision-Making: Illinois and Newcastle University, UK
  • Data Driven Security Models and Analysis: Illinois and University of California, Berkeley
  • Science of Human Circumvention of Security: Illinois, University of Southern California, University of Pennsylvania and Dartmouth College
  • Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems: Illinois and Rice University

The Science of Security has many attributes that range from use and development of scientific techniques in experimental security work, to modeling/mathematical foundations of systems where security and security properties are the object of the reasoning. UIUC contributes principally to the latter category with research that also supports the former category. We study how security properties are shaped by policy at different layers of the network stack, and use that to help define hypotheses that might be empirically tested. We are defining models of cyber-physical systems that allow us to analyze how closely the system is allowed to skirt disaster, a measure of the system's resilience to disturbance. We are developing mathematical models of systems under attack, the attackers, and the defenders, to better understand how well the system is able to maintain required service levels through the attack, and to aid defensive decision-makers. We are applying sophisticated stochastic modeling techniques to describe vast volumes of data within which there are attacks; the models describe correlations between observations that might suggest attacks, and unobservable state that describes the attack. Finally, we are developing models of human behavior that seek to explain the how and why of humans circumventing security mechanisms. In short, the UIUC Science of Security research is exploring foundational mathematical modeling formalisms that quantitatively describe security attributes, and seek to predict those attributes as a function of context and environment.

B). Fundamental Research
High level report of results for each project that helped move security science forward -- in most cases it should point to a "hard problem". - 1 paragraph per project

A Hypothesis of Testing and Framework for Network Security

Project team:

  • Illinois PIs: Brighten Godfrey, Matt Caesar, David Nicol, and Bill Sanders
  • Illinois PhD Student: Soudeh Ghorbani
  • Illinois Institute of Technology PI: Dong (Kevin) Jin
  • Illinois Institute of Technology PhD Students: Jiaqi Yan, Xin Liu, and Christopher Hannon

Hard problems addressed:

  • Scalability and composability
  • Policy-governed secure collaboration
  • Predictive security metrics
  • Resilient architectures

This project is developing the analysis methodology needed to support scientific reasoning about the security of networks, with a particular focus on information and data flow security. The core of this vision is Network Hypothesis Testing Methodology (NetHTM), a set of techniques for performing and integrating security analyses applied at different network layers, in different ways, to pose and rigorously answer quantitative hypotheses about the end-to-end security of a network. While our work touches on several hard problems, over the last year, our key accomplishments focused on the hard problems of (1) resilient architectures, (2) scalability, and (3) predictive security metrics.

We have made progress on developing predictive security metrics with focus on predicting and verifying future behavior of networks including temporal properties. In real-world networks, correctness policies may be violated only through a particular combination of environment events and protocol actions, possibly in a non-deterministic sequence. However, tools in existence today are not capable of reasoning about all the possible network events, and all the subsequent execution paths that are enabled by those events. We developed Plankton, a verification platform for identifying undesirable evolutions of networks. By combining symbolic modeling of data plane and control plane with explicit state exploration, Plankton performs a goal-directed search on a finite-state transition system that captures the behavior of the network as well as the various events that can influence it. In this way, Plankton can automatically find policy violations that can occur due to a sequence of network events, starting from the current state. An example use of the system would be verifying whether there exists a failure that could cause routes to change and circumvent a security control point or monitoring point, thus evading forensics. The system can prove whether such a dynamic event could occur, and if so, give an example.

We completed work on our project which ensures correct network virtualization. Current implementations lead to race conditions where, for example, a virtualized firewall, implemented behind the scenes at multiple physical locations, could erroneously block flows. We designed a system, COCONUT, which enables network elements to be automatically virtualized, i.e., implemented by a set of multiple physical elements which may be dynamic, while provably guaranteeing security properties.

We began work on two projects to automate improvements to software-defined networks, making them more robust and efficient. First, we developed an early implementation of NEAt, a system that performs on-the-fly repair of updates that violate policies such as reachability, service chaining, and segmentation. NEAt ("Network Error Auto-correct") sits between an SDN controller and the forwarding devices, intercepts updates proposed by SDN applications, and transforms a violating update into one that complies with the policy. Second, recognizing that commercial networks today have diverse security policies, we developed a framework that factors out the complexity of implementing security policies from the complexity of implementing performance optimizations, in the context of SDN controllers. Specifically, we are developing Oreo, a transparent performance enhancement layer for SDNs which guarantees that end-to-end reachability characteristics are preserved so security policies defined by the controller are not violated. Oreo performs these optimizations by using network modeling and verification mechanisms developed earlier in the NetHTM project.

To fully realize NetHTM, we need effective evaluation methodologies for large-scale and complex networked systems. We made advances in scalable evaluation methodology and platform using virtual-machine-based emulation and parallel simulation. We developed DSSNet (https://github.com/annonch/DSSnet), and utilized it to evaluate the SDN-based self-healing ability in critical energy systems and study the impact of various cyber-attacks on network behavior.

We have also investigated resilient architectures for industrial control systems (ICS), in particular, take infrastructure-level and application-level approaches to apply SDN technologies in ICSes to make them more cyber secure and resilient. For example, we designed an SDN-based communication network architecture for microgrid operations; we investigated multiple microgrid security applications, such as self-healing PMU, network verification, and by leveraging the global visibility, direct networking controllability and programmability offered by SDN.

Several manuscripts describing our work in those two topics have been submitted, including 11 papers (ACM SIGSIM-PADS'16, JoS'16, WSC'16, SDN-NFV Security'17, HotSoS'17, SOSR'17, EuroSys'17, ACM SIGSIM-PADS'17, APNet'17, ACM TOMACS'17, IEEE TSG'17) that were published in the leading journal and conference in networking, security, and modeling and simulation in Year 3. We received two best poster awards and a best paper candidate recognition (ACM SIGSIM-PADS'16). We have been actively working on dissemination of knowledge through (1) organizing a two-day Workshop on Science of Security through Software-Defined Networking (SoSSDN'16) in Chicago, (2) tutorials on network verification, and (3) a Coursera online course on Cloud Networking with 3000+ students enrolled. In addition, Kevin Jin received the Young Investigator Program (YIP) Award from Air Force Office of Scientific Research, and the Junior Faculty Research Award at Illinois Institute of Technology.

A Monitoring Fusion and Response Framework to Provide Cyber Resiliency

Project team:

  • Illinois PI: Bill Sanders
  • Illinois Researcher: Brett Feddersen
  • Illinois PhD Students: Atul Bohara, Carmen Cheh, Ahmed Fawaz, Mohamad Noureddine, Uttam Thakore, and Benjamin E. Ujcich

Hard problems addressed:

  • Resilient architectures
  • Policy-governed secure collaboration

Resilience has become a key strategy for protecting cyber systems. Although traditional cyber security protection mechanisms are an important component of an overall cybersecurity strategy, they are no longer sufficient for systems that must provide continuous service when under attack. Resiliency mechanisms offer a synergistic approach to securing systems based the realization that protection mechanisms are not perfect. We have developed a methodology for deploying a diverse set of monitors within a system, at different locations and at different levels in the system architecture, to serve as input to fusion and alert correlation algorithms whose goal is to detect attacks. We have also developed several fusion algorithms that could provide attack alerts to a set of response selection algorithms. We are exploring response selection algorithms that utilize game theory and control theory to find good or optimal response strategies. To evaluate our developed response algorithms, we have use a two-pronged strategy using real data and discrete event simulation. In particular, we intend to simulate attacker behavior with models learned using real attack data, where the attacker model is pitted against the response selection algorithms in a simulated environment.

Anonymous Messaging in Networks

Project team:

  • Illinois Pis: Pramod Viswanath and Carl Gunter
  • Illinois Researchers: Giulia Fanit
  • Illinois PhD Students: Hyun Bin Lee, Ashok Makkuva, Jiaqi Mu, and Shaileshh Venkatakrishnan

Hard problems addressed:

  • Scalability and composability

This project is focused on the foundations of algorithms that broadcast information on networks efficiently and anonymously. We are particularly interested in applications to social networks and cryptocurrency networks.

Social networks: Anonymous social media platforms like Secret, Yik Yak, and Whisper have emerged as important tools for sharing ideas without the fear of judgment. Such anonymous platforms are also important in nations under authoritarian rule, where freedom of expression and the personal safety of message authors may depend on anonymity. Whether for fear of judgment or retribution, it is sometimes crucial to hide the identities of users who post sensitive messages. In this research, we consider a global adversary who wishes to identify the author of a message; it observes either a snapshot of the spread of a message at a certain time, sampled timestamp metadata, or both. Recent advances in rumor source detection show that existing messaging protocols are vulnerable against such an adversary.

Our main technical contribution is the introduction of a novel messaging protocol, which we call adaptive diffusion, and show that under the snapshot adversarial model, adaptive diffusion spreads content fast and achieves perfect obfuscation of the source when the underlying contact network is an infinite regular tree. That is, all users with the message are nearly equally likely to have been the origin of the message. When the contact network is an irregular tree, we characterize the probability of maximum likelihood detection by proving a concentration result over Galton-Watson trees. Experiments on a sampled Facebook network demonstrate that adaptive diffusion effectively hides the location of the source even when the graph is finite, irregular and has cycles. An Android implementation of our algorithm (titled WILDFIRE) is publicly available.

Cryptocurrency networks: Bitcoin and other cryptocurrencies have surged in popularity over the last decade. Although Bitcoin does not claim to provide anonymity for its users, it enjoys a public perception of being a `privacy-preserving' financial system. In reality, cryptocurrencies publish users' entire transaction histories in plaintext, albeit under a pseudonym; this is required for transaction validation. Therefore, if a user's pseudonym can be linked to their human identity, the privacy fallout can be significant. Recently, researchers have demonstrated deanonymization attacks that exploit weaknesses in the Bitcoin network's peer-to-peer (P2P) networking protocols. In particular, the P2P network currently forwards content in a structured way that allows observers to deanonymize users. In this work, we redesign the P2P network from first principles with the goal of providing strong, provable anonymity guarantees. We propose a simple networking policy called Dandelion, which achieves nearly-optimal anonymity guarantees at minimal cost to the network's utility.

We also provide a practical implementation of Dandelion which is freely available on Github and is in the process of being implemented inside Bitcoin Core (which is the most popular version of Bitcoin).

Data-Driven-Model-Based Decision-Making

Project team:

  • Illinois PIs: Bill Sanders, Masooda Bashir, and David Nicol
  • Illinois Researchers: Ken Keefe
  • Illinois PhD Students: Mohamad Noureddine
  • Newcastle University PI: Aad van Moorsel
  • Newcastle University Researchers: Rob Cain and Charles Morriset

Hard problems addressed:

  • Predictive security metrics
  • Human behavior

Security analysis of complex systems is a challenging task, made especially difficult by the behavior of humans engaging the system. Rigorous mathematical models must be developed to capture the behavior of not only the autonomous aspects of these systems, but also the human users participants. We have developed and refined the HITOP modeling formalism to create models of human user behaviors and decision-making. HITOP considers each human participant's opportunity, willingness, and capability to perform individual tasks throughout their typical daily routine. By studying HITOP models, we can better understand the critical role that good humans in the system impact the overall system performance and security. As with any model study, the quality of its results are heavily dependent on the quality of its input parameters. We have also developed a strategy for determining the data observation requirements necessary to ensure that useful, accurate quantitative metrics are produced.

Data Driven Security Models and Analysis

Project Team:

  • Illinois PIs: Ravi Iyer, Zbigniew Kalbarczyk and Adam Slagell
  • Illinois PhD Students: Phuong Cao and Key-whan Chung
  • University of California, Berkeley PI: Robin Sommer

Hard problems addressed:

  • Predictive security metrics
  • Resilient architectures
  • Human behavior

We have continued work on development of scientifically sound data-driven methods and tools with the goal of recognizing, mitigating, and containing attacks. The challenge is to capture and identify attackers' actions from the measurements, develop predictive models of attacker behavior before and during an attack, and thus, create a framework within which to reason about attacks, independently of the vulnerability exploited or the adopted attack pattern. This year we focused on:

A novel application of Factor Graphs (probabilistic graphical models) to represent real-world multi-stage security incidents and develop methods for preemptive detection of attacks, i.e., before the system misuse.

Augment the factor graph model based on analysis of recent credential stealing and infrastructure abuse attacks targeting Blue Waters, a petascale supercomputer hosted at the University of Illinois at Urbana-Champaign.

Evaluate detection capabilities of random factor functions (functions that return a random value when invoked in the factor graph evaluation) and factor functions defined based on the system knowledge and insights from the security experts. We found that detection performance of random factor functions has a substantially lower performance as compared to factor functions defined using system and domain experts.

Introduce mathematical underpinnings for automatic learning of factor functions. Specifically, we: (i) modelled multi-stage attacks, (ii) classified factor functions by the number of input variables (univariate, bivariate, and multivariate) and the function body, and (iii) developed a case study to demonstrate feasibility of automatic generation of factor functions.

Indirect Cyber Attacks. We investigated indirect cyber-attacks against a large computing infrastructure through alteration of the CPS responsible for the cooling of the computing assets. We showed that a malicious user can attack a large computing infrastructure by compromising the environmental control systems in the facilities that host the compute nodes. We described real cases of failures due to problems in the cooling system of Blue Waters. We demonstrated, using real data, that the control systems that provide chilled water can be used as entry points by an attacker to indirectly compromise the computing functionality through the orchestration of clever alterations of sensing and control devices. In this way, the attacker does not leave any trace of his/her malicious activity on the nodes of the cluster. Failures of the cooling systems can trigger failure modes that can be recovered only after service interruption (including system reboot) and manual intervention.

Science of Human Circumvention of Security

Project team:

  • Illinois PI: Tao Xie
  • Illinois PhD Students: Dengfeng Li, Wing Lam, and Wei Yang
  • University of Southern California PI: Jim Blythe
  • University of Pennsylvania PI: Ross Koppel
  • Dartmouth College PI: Sean Smith
  • Dartmouth PhD Student: Vijay Kothari
  • Dartmouth Undergraduate Students: Jasper Bingham, Dylan Scandinaro, Bruno Korbar, Nicolaas B. Moolenijzer, Ryan Amos, David Harmon, Christopher Novak, Galen Brown, and Adam Rinehouse
  • Vassar Undergraduate Student: Jasmine Martinez

Hard problems addressed:

  • Scalability and composability
  • Policy-governed secure collaboration
  • Predictive security metrics

We continue to study people's approaches to cyber security, and their use of authentication methods for accessing websites, their organization's databases, and the Internet (primarily hard problem 5, "Understanding and Accounting for Human Behavior," but also pertaining to problems 1, 2, and 3). We focus especially on passwords as a prime method in the context of this trust (or suspicion or distrust). Use of passwords, adherence to password guidelines, and circumvention of password rules (e.g., sharing, writing them down on available files) are also excellent reflections of people's understanding, misunderstandings, and beliefs about personal and organizational efforts to protect individual and enterprise-level information. In addition, we are building and testing DASH agent models and beginning to test a mechanical Turk experiment/simulation to further examine users' use of passwords, workarounds, cyber trust, and strategies---measurements from the Turk experiment provide base calibration for the DASH model. We have developed a new version of DASH in python that improves ease of development. We are also working with researchers at the University of Pennsylvania who have developed methods to learn agent behavior from observational data. To date, our results include constructing a semiotic frameowork for circumvention, validating our basic DASH model by reproducing behavior found in ground-truth human surveys, and duplication in our simulation of a version of "uncanny descent", in which making constraints on passwords more complex can decrease overall security. Last, we continue to administer two surveys: one on users' understanding of cybersecurity processes and their modes of circumvention; and one on security administrators' understanding of cybersecurity processes and their rationales for security policies and decisions. Also, to study people's trust in cyber security, especially mobile app security, we focus on collecting and analyzing UI text information faced by mobile app users to enable them to make informed decisions on mobile app security.

Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems

Project team:

  • Illinois PIs: Sayan Mitra and Geir Dullerud
  • Illinois PhD Students: Zhenqi Huang and Yu Wang
  • Rice University PI: Swarat Chaudhuri

Hard problems addressed:

  • Scalability and composability
  • Predictive security metrics

Addressing the hard problem of developing predictive security metrics and composition for scalability, in this collaborative project, we have formulated the general problem of controller synthesis in the presence of resource constrained adversaries and using crowd-sourced data; namely, given an adversary of a certain class, parametrized according to the quantifiable resources available to them, we are creating a methodology to assess the worst-case potential impact and performance degradation of a control system from a threat of this class. We also consider privacy implications for systems where the performance of the control system is optimized using from participants. Indeed, cyber-physical systems (CPS) that contain physical agents have much more demanding and subtle security requirements than purely cyber-based systems, due to their significantly larger attack surface; that is, they can be attacked using all the approaches aimed at purely cyber-systems, but also in ways that are based on a deeper understanding of their physical dynamics and objectives, as well physically attacking agents and sensors themselves. Thus, new approaches for designing CPS need to take these potential attacks into account.

We have developed a sound and complete algorithm for solving this problem, for the special case of control systems with linear and monotonic dynamics and adversary resources characterized by their signal energy. The approach used to develop the algorithms brings together ideas from robust control and recent developments in syntax-guided program synthesis. Using our algorithms we are able to synthesize controllers that are provably resilient to certain threat classes; in addition, we are also able to characterize the states of the systems in terms of their vulnerability levels.

We have considerably expanded our work on characterizing the trade-off between privacy and performance in cyber-physical systems, particularly in cases where strategic preferences which govern dynamics are to be protected. In cyber-physical systems, individual agents can interact through cloud-based distributed optimization, where each agent has an individualized objective function that is to be concealed to some level, while agents seek to minimize local objective functions and maintain global constraints. In this case, there are two challenges: the objective functions are used repeatedly in every iteration thus giving adversaries the possibility of a stream of measurements for estimating these objective functions, which once found accurately predict agent behavior. Secondly, the influence of perturbing objective functions in a traditional manner affects global system performance for all future times. During the past year we have completed sig nificant work on this class of problems, and have developed analysis results on the propagation of perturbations on objective functions over time, and show how to derive upper bounds. With this a noise-adding mechanism can be designed that randomizes the cloud-based distributed optimization algorithm to keep the individual objective function concealed. In addition, we have considered the trade-off between the secrecy of objective functions and the performance of the new cloud-based distributed optimization algorithms with noise. Such distributed optimization problems appear in various applications including energy systems, communications, signal processing, sensor networks, and machine learning, as well as in mobile robotics involving autonomous agents. In some of these applications it is common to have agents in a network directly share information with each other in the process of optimizing. However, in systems in which nefarious parties may be acting, when the agents share information with each other, a major concern is the concealing of their objectives and current situational states.

Our work, sponsored by this lablet, on security and differential privacy constituted the very first published research in this area for cyber-physical systems (IEEE TCNS'17, WPES'12). There is now an entire sub community with the field of control theory working on these issues for cyber-physical systems, and importantly, the security variants. To help support this growing community activity, at the IEEE Decision and Control Conference 2016, we were central participants in the tutorial session Differential Privacy in Control and Network Systems. This follows on last year's community-cultivating Workshop on Science of Security of Cyber-Physical Systems (SOSCPS) as a part of the CPSWeek event held in Vienna.

C). Publications
Please list all publications published in the reporting year.

A Hypothesis Testing Framework for Network Security

  • Santhosh Prabhu, Mo Dong, Tong Meng, P. Brighten Godfrey, and Matthew Caesar, "Let Me Rephrase That: Transparent Optimization in SDNs", ACM Symposium on SDN Research (SOSR 2017), Santa Clara, CA, April 3-4, 2017.
  • Soudeh Ghorbani and P. Brighten Godfrey, "COCONUT: Seamless Scale Out of Network Elements", Twelfth European Conference on Computer Systems (EuroSys 2017), Belgrade, Serbia, April 23-26, 2017.
  • Jiaqi Yan, Xin Liu, and Dong Jin, "Simulation of a Software-Defined Network as One Big Switch", 2017 ACM SIGSIM Conference on Principles of Advanced Discrete Simulation (ACM SIGSIM PADS), Singapore, May 24-26, 2017.
  • Santhosh Prabhu, Ali Kheradmand, Brighten Godfrey, and Matthew Caesar, "Predicting Network Futures with Plankton", 1st Asia-Pacific Workshop on Networking (APNet'17), Hong Kong, China, August 3-4, 2017.
  • Ning Liu, Adnan Haider, Dong Jin and Xian He Sun, "A Modeling and Simulation of Extreme-Scale Fat-Tree Networks for HPC Systems and Data Centers", ACM Transactions on Modeling and Computer Simulation (TOMACS), to appear.
  • Dong Jin, Zhiyi Li, Christopher Hannon, Chen Chen, Jianhui Wang, Mohammad Shahidehpour, Cheol Won Lee and Jong Cheol Moon, "Towards a Resilient and Secure Microgrid Using Software-Defined Networking", IEEE Transactions on Smart Grid, Special section on Smart Grid Cyber-Physical Security, to appear.

A Monitoring Fusion and Response Framework to Provide Cyber Resiliency

  • Benjamin E. Ujcich, Andrew Miller, Adam Bates, and William H. Sanders, "Towards an Accountable Software-Defined Networking Architecture", 3rd IEEE Conference on Network Softwarization (NetSoft 2017), Bologna, Italy, July 3-7, 2017.
  • C. Cheh, B. Chen, W. G. Temple, and W. H. Sanders, "Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs", 14th International Conference on Quantitative Evaluation of Systems (QEST 2017), Berlin, Germany, September 5-7, 2017, to appear.
  • Atul Bohara, Mohammad A. Noureddine, Ahmed Fawaz, and William H. Sanders, "An Unsupervised Multi-Detector Approach for Identifying Malicious Lateral Movement", 36th IEEE International Symposium on Reliable Distributed Systems (SRDS 2017), Hong Kong, September 26-29, 2017, to appear.
  • Anonymous Messaging in Networks
  • Giulia Fanti, Peter Kairouz, Sewoong Oh, Kannan Ramchandran and Pramod Viswanath, "Rumor Source Obfuscation on Irregular Trees", ACM SIGMETRICS, Antibes Juan-les-Pins, June 14-18, 2016.
  • Giulia Fanti, Peter Kairouz, Sewoong Oh, Kannan Ramchandran and Pramod Viswanath, "Metadata-conscious Anonymous Messaging", International Conference on Machine Learning, New York, NY, June 19-24, 2016.
  • Giulia Fanti, Shaileshh Venkatakrishnan, and Pramod Viswanath, "Dandelion: Redesigning BitCoin Networking for Anonymity", ACM SIGMETRICS, Urbana, IL, June 5-9, 2017.

Data-Driven Model-Based Decision-Making

  • Hoang Hai Nguyen, Kartik Palani, and David Nicol, "An Approach to Incorporating Uncertainty in Network Security Analysis", Symposium and Bootcamp in the Hot Topics in Science of Security (HotSoS 2017), Hanover, MD, April 4-5, 2017.
  • John C. Mace, Nippun Thekkummal, Charles Morisset, and Aad van Moorsel, "ADaCS: A tool for Analysing Data Collection Strategies", 14th European Performance Engineering Workshop (EPEW 2017), Berlin, Germany, September 7-8, 2017, to appear.

Data Driven Security Models and Analysis

  • Phuong Cao, Eric Badger, Zbigniew Kalbarczyk, and Ravishankar Iyer, "A Framework for Generation, Replay and Analysis of Real-World Attack Variants", Symposium and Bootcamp on the Science of Security (HotSoS 2016), Pittsburgh, PA, April 20-21, 2016.
  • Hui Lin, Homa Alemzadeh, Daniel Chen, Zbigniew Kalbarczyk, and Ravishankar K. Iyer, "Safety-critical Cyber-physical Attacks: Analysis, Detection, and Mitigation", Symposium and Bootcamp on the Science of Science (HotSoS 2016), Pittsburgh, PA, April 20-21, 2016.
  • Keywhan Chung, Valerio Fromicola, Zbigniew T. Kalbarczyk, and Ravishankar K. Iyer, "Attacking Supercomputers Through Targeted Alteration of Environmental Control: A Data Driven Case Study", IEEE Conference on Communications and Network Security (CNS 2016), Philadelphia, PA, October 17-19, 2016.

Science of Human Circumvention of Security

  • Sihan Li, Xusheng Xiao, Blake Bassett, Tao Xie, and Nikolai Tillmann, "Measuring Code Behavioral Similarity for Programming and Software Engineering Education", 38th International Conference on Software Engineering (ICSE 2016), Software Education and Training track, Austin, TX, May 14-22, 2016.
  • Benjamin Andow, Adwait Nadkarni, Blake Bassett, William Enck, and Tao Xie, "A Study of Grayware on Google Play", Workshop on Mobile Security Technologies (MoST 2016), held in conjunction with IEEE Symposium on Security and Privacy, San Jose, CA, May 26, 2016.
  • Ross Koppel, Jim Blythe, Vijay Kothari, and Sean Smith, "Beliefs about Cybersecurity Rules and Passwords: A Comparison of Two Survey Samples of Cybersecurity Professionals Versus Regular Users", 12th Symposium On Usable Privacy and Security (SOUPS 2016), Denver, CO, June 22-24, 2016.
  • Pierre McCauley, Brandon Nsiah-Ababio, Joshua Reed, Faramola Isiaka, and Tao Xie, "Preliminary Analysis of Code Hunt Data Set from a Contest", 2nd International Code Hunt Workshop on Educational Software Engineering (CHESE 2016), Seattle, WA, November 14, 2016.
  • Xia Zeng, Dengfeng Li, Wuijie Zheng, Fan Xia, Yuetang Deng, Wing Lam, and Tao Xie, "Automated Test Input Generation for Android: Are We Really There Yet in an Industrial Case?", 24th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE 2016), Seattle, WA, November 13-18, 2016.
  • Ross Koppel, Vijay Kothari, Sean W. Smith, and Jim Blythe, "Beyond Pleading With or Restricting Users to Achieve Cyber Security Goals: Approaches to Understanding and Responding to Circumvention", CRA CCC Sociotechnical Cybersecurity Workshop, College Park, MD, December 12-13, 2016.
  • Sean W. Smith, Vijay Kothari, Jim Blythe, and Ross Koppel, "Flawed Mental Models Lead to Bad Cyber Security Decisions: Let's Do a Better Job", CRA CCC Sociotechnical Cybersecurity Workshop, College Park, MD, December 12-13, 2016.
  • Ross Koppel, Jim Blythe, Vijay Kothari, and Sean Smith, "Password Logbooks and What Their Amazon Reviews Reveal About the Users' Motivations, Beliefs, and Behaviors", 2nd European Workshop on Useable Security (EuroUSEC 2017), Paris, France, April 29, 2017. [full text]
  • Ross Koppel and Harold Thimbleby, "Lessons from the 100 Nation Ransomware Attack", The Healthcare Blog (THCB), May 14, 2017.
  • Haibing Zheng, Dengfeng Li, Xia Zeng, Beihai Liang, Wujie Zheng, Yuetang Deng, Wing Lam, Wei Yang, and Tao Xie, "Automated Test Input Generation for Android: Towards Getting There in an Industrial Case", 39th International Conference on Software Engineering (ICSE 2017), Software Engineering in Practice (SEIP), Buenos Aires, Argentina, May 20-28, 2017.
  • Christopher Novak, Jim Blythe, Ross Koppel, Vijay Kothari, and Sean Smith, "Modeling Aggregate Security with User Agents that Employ Password Memorization Techniques", Who Are You?! Adventures in Authentication (WAY 2017), workshop in conjunction with Symposium On Usable Privacy and Security (SOUPS 2017), July 12-14, 2017, Santa Clara, CA.
  • Benjamin Andow, Akhil Acharya, Dengfeng Li, William Enck, Kapil Singh, and Tao Xie, "UiRef: Analysis of Sensitive User Inputs in Android Applications", 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017), Boston, MA, July 18-20, 2017.

Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems

  • Yu Wang, Zhenqi Huang, Sayan Mitra, and Geir Dullerud, "Differential Privacy in Linear Distributed Control Systems: Entropy Minimizing Mechanisms and Performance Tradeoffs", IEEE Transactions on Control of Network Systems, volume 4, issue 1, January 25, 2017.
  • Zhenqi Huang, Yu Wang, Sayan Mitra, and Geir Dullerud. "Differential Privacy and Entropy in Distributed Feedback Systems: Minimizing Mechanisms and Performance Trade-offs", IEEE Transactions on Network Control Systems, volume 4, issue 1, March 2017.
  • Hussein Sibae and Sayan Mitra, "Optimal Data Rate for Estimation and Mode Detection of Switched Nonlinear Systems", 20th ACM International Conference on Hybrid Systems: Computation and Control (HSCC 2017) in conjunction with CPS Week 2017, Pittsburgh, PA, April 18-21, 2017.
  • Joao Jansch Porto and Geir E. Dullerud, "Decentralized Control with Moving-Horizon Linear Switched Systems: Synthesis and Testbed Implementation", American Control Conference 2017, Seattle, WA, May 24-26, 2017.
  • Yu Wang, Sayan Mitra, and Gier Dullerud, "Differential Privacy and Minimum Variance Unbiased Estimation in Multi-agent Control Systems", 20th World Congress of the International Federations of Automatic Control (IFAC 2017 World Congress), Toulouse, France, July 9-14, 2017.

D). Community Engagements

Briefly describe your Lablets community outreach efforts to extend scientific rigor in the community/culture. For example, list workshops, seminars, competitions, etc. that your Lablet has accomplished during the reporting year.

A Hypothesis Testing Framework for Network Security

  • July 2016, NSA SoS Quarterly Meeting, poster session, Brighten Godfrey, Matthew Caesar, David Nicol, William Sanders, Kevin Jin, Xin Liu, Christopher Hannon and Jiaqi Yan: A Hypothesis Testing Framework for Network Security
  • August 2016, Fermi Lab, invited technical seminar: Uncertainty-Aware Network Verification in Software-Defined Networks
  • October 2016, ITI Joint Trust and Security/Science of Security Seminar, Santhosh Prabhu: Oreo: Transparent Optimization to Enable Flexible Policy Enforcement in Software Defined Networks
  • November 2016, NSA SoS Quarterly Meeting, poster session, Brighten Godfrey, Matthew Caesar, David Nicol, William Sanders, Kevin Jin, Xin Liu, Christopher Hannon and Jiaqi Yan: A Hypothesis Testing Framework for Network Security
  • January 2017, Monthly UIUC/R2 Presentation, Kevin Jin: Enabling a Cyber-Resilient and Secure Energy Infrastructure with Software-Defined Networking
  • March 2017, technical presentation, ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization (SDN-NFV Security 2017), Christopher Hannon: Ultimate Forwarding Resilience in OpenFlow Networks
  • August 2017, Monthly UIUC/R2 Presentation, Christopher Hannon: Securing the Smart Grid with Software Defined Networking

A Monitoring Fusion and Response Framework to Provide Cyber Resiliency

  • November 2016, Monthly UIUC/R2 Presentation, Ahmed Fawaz: PowerAlert: An Integrity Checker using Power Measurement
  • December 2016, Monthly UIUC/R2 Presentation, Atul Bohara: A Framework for Detection and Containment of Lateral Movement-Based Attacks
  • January 2017, Monthly UIUC/R2 Presentation, Carmen Cheh: Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs
  • March 2017, Monthly UIUC/R2 Presentation, Uttam Thakore: Prioritization of Cloud System Monitoring for Incident Response
  • March 2017, Monthly UIUC/R2 Presentation, Benjamin Ujcich: Accountable SDNs for Cyber Resiliency
  • April 2017, Monthly UIUC/R2 Presentation, Mohammad Noureddine: A Comprehensive Framework for DDoS Resiliency in the Cloud
  • June 2017, Monthly UIUC/R2 Presentation, Ahmed Fawaz: Lateral Movement Detection and Response

Anonymous Messaging for Networks

  • July 2016, NSA SoS Quarterly Meeting, poster session, Peter Kairouz, Sewoong Oh, Kannan Ramchandran, Giulia Fanti, and Pramond Viswanath: Metadata Conscious Anonymous Messaging
  • September 2016, ITI Joint Trust and Security/Science of Security Seminar, Giulia Fanti: Spy vs. Spy: Anonymous Messaging over Networks
  • November 2016, NSA SoS Quarterly Meeting, poster session, Giulia Fanti, Peter Kairouz, Sewoong Oh, Kannen Ramohandran, and Pramod Viswanath: Spy vs. Spy: Anonymous Broadcasting over Networks
  • February 2017, NSA SoS Quarterly Meeting, lablet presentation, Giulia Fanti: Anonymity in the Bitcoin Peer-to-Peer Network
  • February 2017, NSA SoS Quarterly Meeting, lablet presentation, Nitin Vaidya: Privacy & Security in Machine Learning/Optimization
  • February 2017, ITI Joint Trust and Security/Science of Security Seminar, Giulia Fanti: Anonymity in the Bitcoin Peer-to-Peer Network
  • February 2017, Illinois Bitcoin Meetup, Jump Labs at Research Park, University of Illinois of Illinois at Urbana-Champaign, Giulia Fanti: Anonymity in the Bitcoin Peer-to-Peer Network
  • March 2017, Security Seminar, Computer Science, University of California Berkeley, Giulia Fanti: Anonymity in the Bitcoin Peer-to-Peer Network
  • March 2017, Security Seminar, MIT, Shaileshh Venkatakrishnan: Dandelion: Redesigning the Bitcoin Peer-to-Peer Network for Anonymity
  • March 2017, ISL Colloquium, EE Department, Stanford University, Giulia Fanti: Anonymity in the Bitcoin Peer-to-Peer Network
  • March 2017, EE Department Seminar, University of Wisconsin, Giulia Fanti: Anonymity in the Bitcoin Peer-to-Peer Network

Data-Driven Model-Based Decision-Making

  • July 2016, NSA SoS Quarterly Meeting, Bill Sanders: A Quantitative Methodology for Security Monitor Deployment
  • July 2016, NSA SoS Quarterly Meeting, poster session, Ken Keefe and Bill Sanders: ADVISE - Adversary View Security Evaluation: Practical Metrics for Enterprise Security Engineering
  • July 2016, NSA SoS Quarterly Meeting, poster session, John C. Mace, Nipun Thekkummal, and Aad van Moorsel: Sensitivity Analysis of Probabilistic Workflow Models with Security Constraints
  • April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Kelly Greeling, Alex Withers, and Masooda Bashir: Factors for Differentiating Human from Automated Attacks

Data Driven Security Models and Analysis

  • May 2016, ITI Joint Trust and Security/Science of Security Seminar, Phuong Cao: Preemptive Intrusion Detection - Practical Experience and Detection Framework
  • July 2016, NSA SoS Quarterly Meeting, poster session, Zachary Estrada, Phuong Cao, Zbigniew Kabarczyk, and Ravishankar Iyer: Detection of Malicious Keyloggers in Virtual Desktop Environments
  • July 2016, NSA SoS Quarterly Meeting, poster session, Hui Lin, Homa Alemzadeh, Daniel Chen, Zbigniew Kalbarczyk, and Ravishankar Iyer: Safety-critical Cyber-physcial Attacks: Analysis, Detection, and Mitigation
  • September 2016, Assured Cloud Computing Weekly Research Seminar, Key-whan Chung: An Indirect Attack on Computing Infrastructure through Targeted Alteration on Environment Control
  • November 2016, Joint Trust and Security/Science of Security Seminar, Phuong Cao: Automated Generation of Attack Signatures in Attack Graphs
  • April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Esther Amullen, Hui Lin, and Zbigniew Kalbarczyk: Multi-Agent System for Detecting False Data Injection Attacks Against the Power Grid
  • April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Phuong Cao, Alexander Withers, Zbigniew Kalbarczyk, and Ravishankar Iyer: Learning Factor Graphs for Preempting Multi-Stage Attacks in Cloud Infrastructure

Science of Human Circumvention of Security

  • January 2016, ITI Joint Trust and Security/Science of Security Seminar, Tao Xie: User Expectations in Mobile App Security
  • March 2016, ITI Joint Trust and Security/Science of Security Seminar, Wing Lam: Towards Preserving Mobile Users' Privacy in the Context of Utility Apps
  • April 2016, Symposium and Bootcamp on the Science of Security (HotSoS 2016), invited tutorial, Tao Xie and William Enck: Text Analytics for Security
  • May 2016, 38th International Conference on Software Engineering (ICSE 2016), Tao Xie: Measuring Code Behavioral Similarity for Programming and Software Engineering
  • June 2016: University of Central Florida, invited talk, Tao Xie: User Expectations in Mobile App Security
  • July 2016, NSA SoS Quarterly Meeting, poster presentation, Jim Blythe, Vijay Kothari, Ross Koppel, and Sean Smith: Modeling Human Security Behavior: Recent Results on Understanding Compliance
  • July 2016, NSA SoS Quarterly Meeting, poster presentation, Ross Koppel, Jim Blythe, Vijay Kothari, and Sean Smith: Beliefs about Cybersecurity Rules and Passwords: A Comparison of Two Survey Samples of Cybersecurity Professionals Verses Regular Users
  • July 2016, NSA SoS Quarterly Meeting, poster presentation, Sean Smith, Ross Koppel, Jim Blythe, and Vijay Kothari: Reasons for Cybersecurity Circumvention: A Study and a Model
  • July 2016, NSA SoS Quarterly Meeting, poster presentation, Wing Lam, Dengfeng Li, Wei Yang, and Tao Xie: User-Centric Mobile Security Assessment
  • November 2016, NSA SoS Quarterly Meeting, poster presentation, Jim Blythe, Christopher Novak, Vijay Kothari, Ross Koppel, and Sean Smith: Modeling Human Security Behavior: Recent Results on Understanding Compliance
  • November 2016, NSA SoS Quarterly Meeting, poster presentation, Ross Koppel, David Harmon, Sean Smith, Jim Blythe, and Vijay Kothari: Beliefs about Cybersecurity Rules and Passwords: Comparing Two Survey Samples of Cybersecurity Professionals and General Users and Future Data Collection Experiments
  • November 2016, NSA SoS Quarterly Meeting, poster presentation, Sean Smith, Ross Koppel, Jim Blythe, and Vijay Kothari: Flawed Mental Models Lead to Bad Cyber Security Decisions: Let's Do a Better Job!
  • November 2016, NSA SoS Quarterly Meeting, poster presentation, Dengfeng Li, Wei Yang, Wing Lam, and Tao Xie: User-Centric Mobile Security Assessment
  • February 2017, invited seminar, University of Buffalo, Jim Blythe: Modeling Human Behavior to Improve Cyber Security
  • February 2017, Monthly UIUC/R2 Presentation, Wing Lam, Dengfeng Li, and Wei Yang: Towards Privacy-Preserving Mobile Utility Apps: A Balancing Act
  • March 2017, invited seminar, IEEE Rochester Section CS/CIS Joint Chapters/Department of Computing Security, Rochester Institute of Technology, Tao Xie: User Expectations in Mobile App Security
  • March 2017, Monthly UIUC/R2 Presentation, Jim Blythe, Ross Koppel, Sean Smith, Vijay Kothari, David Harmon, and Christopher Novak: A Cross-Disciplinary Study of User Circumvention of Security
  • April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Jim Blythe, Sean Smith, Ross Koppel, Christopher Novak, and Vijay Kothari: FARM: Finding the Appropriate level of Realism for Modeling
  • April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Dengfeng Li, Wing Lam, Wei Yang, Zhengkai Wu, Xusheng Xiao, and Tao Xie: Towards Privacy-Preserving Mobile Apps: A Balancing Act
  • April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Jim Blythe, Ross Koppel, Sean Smith, and Vijay Kothari: Analysis of Two Parallel Surveys on Cybersecurity: Users and Security Administrators -- Notable Similarities and Differences
  • April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Sean Smith, Ross Koppel, Jim Blythe, and Vijay Kothari: Flawed Mental Models Lead to Bad Cybersecurity Decisions: Let's Do a Better Job!

Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems

  • April 2016, Sayan Mitra and Geir Dullerud, Science of Security for Cyber-Physical Systems Workshop (SoSCYPS), CPS Week 2016, lead panel: Cyberphysical Systems Security
  • April 2016, Joint Trust and Security/Science of Security Seminar, Zhenqi Huang and Yu Wang: Differential Privacy, Entropy and Security in Distributed Control of Cyber Physical Systems
  • June 2016, Geir Dullerud, European Control Conference (ECC), keynote: Lyapunov Constructions, Formal Proof Frameworks, and Computation-based Verification for Complex Systems
  • July 2016, International Workshop on Operator Theory and Applications (IWOTA 2016), plenary talk, Geir Dullerud: Operators and Feedback Control Theory: Linear Switched Systems
  • July 2016, NSA SoS Quarterly Meeting, poster session, Zhenqi Huang, Chuchu Fan, Alexandru Mereacre, Sayan Mitra and Marta Kwiatkoska: Automatic Safety Verification of Implantable Medical Devices
  • July 2016, NSA SoS Quarterly Meeting, poster session, Yu Wang, Zhenqi Huang, Sayan Mitra, and Geir Dullerud: Differentially Private and Efficient Sequential Learning Algorithms
  • December 2016, Frontiers Seminar, Master of Technology Management Program, University of Illinois at Urbana-Champaign Business School, Sayan Mitra: Auditing Algorithms
  • December 2016, 55th Conference on Decision and Control, invited tutorial, George Pappas, Jerome Le Ny, Geir Dullerud, and Jorge Cortes: Differential Privacy in Control and Network Systems

Workshops Hosted

  • Science of Security for Cyber-Physical Systems (SoSCYPS 2016), April 11, 2016 in conjunction with CPS Week 2016, Vienna, Austria.
  • Workshop on Science of Security through Software-Defined Networking (SoSSDN 2016), June 16-17 at the Illinois Institute of Technology in Chicago, IL.

Conference Panel and Committee Members

  • Brighten Godfrey, Panelist, Software Defined Security Services, Open Networking Users Group Conference (ONUG), 2016
  • Pramod Viswanath, Session Chair, Allerton Conference, 2016
  • Jim Blythe, Panelist, Challenges and Pitfalls in the Design and Execution of Human-Technology Based Experiments, Learning from Authoritative Security Experiment Results (LASER), 2016
  • Ross Koppel, Panelist, On Developing Authentication Solutions for Healthcare Settings, SOUPS WAY Workshop, 2017
  • Vijay Kothari, Panel Moderator, On Developing Authentication Solutions for Healthcare Settings, SOUPS WAY Workshop, 2017
  • Kevin Jin, Program CO-Chair, ACM SIGSIM Conference on Principles of Advanced Discrete Simulation (PADS), 2017
  • Brighten Godfrey, Program Committee Member, ACM SIGMETRICS, 2017
  • Brighten Godfrey, Program Committee Member, ACM HoTNets, 2017
  • Brighten Godfrey, Program Committee Member, ACM SIGCOMM, 2017: Workshop on Virtual Reality and Augmented Reality Network (VR/AR Network 2017)

E). Educational
Briefly describe any changes to curriculum at your school or elsewhere that indicates an increased training or rigor in security research that your Lablet has accomplished during the reporting year.

A Hypothesis Testing Framework for Network Security

Our Coursera online course on Cloud Networking re-launched in a new continuous operation mode on October 24, 2016. When this was taught last fall, roughly 30,000 students enrolled. This course included a segment on network security for the cloud, particularly with respect to network virtualization.

Brighten Godfrey covered network security in his graduate course, Advanced Computer Networking, including quantitative aspects of BGP security and formal verification of networks. These topics span lectures, reading, and student research projects developing new techniques for formal reasoning about networks.

This project team has been actively working on dissemination of knowledge through tutorials on network verification. Brighten Godfrey developed and presented a half-day tutorial at a workshop at Hebrew University. Santhosh Prabhu and Brighten Godfrey submitted a proposal to present an expanded tutorial at the IEEE/ACM International Conference on Software Engineering (ASE) in October 2017; this proposal was accepted.

Anonymous Messaging in Networks

A set of notes summarizing the Bit Coin networking protocols is being developed, with the goal of using the notes in an upcoming privacy and anonymity course at the graduate level.

Giulia Fanti and Pramod Viswanath gave a tutorial, "Information Limits on Finding and Hiding Message Sources on Networks: Social Media and Cryptocurrencies" at the IEEE International Symposium on Information Theory (ISIT) in Aachen, Germany on June 25, 2017.

Science of Human Circumvention of Security

Tao Xie attended the 2017 National Society of Black Engineers (NSBE) Convention during March 30-April 1, 2017, where he held discussions to a large number of black students (including his mentees) on various exciting computer science problems including security problems

UIUC SoS Lablet

We have held two successful internship programs programs over the last two summers. The have been from Tennessee State University, North Texas University, University of Arkansas, University of Maryland, and the University of Illinois at Urbana-Champaign. The internship program included educational programming in conjunction with other summer internship programs within the Illinois College of Engineering. This summer the interns presented to the NSA R2 group, SoS Program Manager, and concluded the summer program with a poster session.

Groups: