Monitoring, Fusion, and Response for Cyber Resilience - October 2018

PI(s), Co-PI(s), Researchers: William Sanders, Brett Feddersen, Carmen Cheh, Uttam Thakore, and Benjamin E. Ujcich

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

• Resilient Architectures - Experience suggests that even heavily defended systems can be breached by attackers given enough time, resources and talent. We propose the concept of a response and recovery engine (RRE) so that a system could "tolerate" an intrusion and provide a base level of service. RRE incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. Our work focuses on a few example attacks. These attacks include lateral movement within a network as part of an Advanced Persistent Threat (APT) and application-level distributed denial of service attacks (DDoS).
• Policy-Governed Secure Collaboration - We analyzed the issues surrounding the software-defined networking (SDN) architecture from an accountability standpoint, considering various principals involved (e.g., controller software, network applications, administrators, end users, organizations), mechanisms for assurance about past network state (e.g., data provenance, replicated data stores, roots of trust), thoughts on judging and assessing standards for accountability (e.g., legal, contractual, regulatory), and mechanisms for decentralized enforcement (e.g., blockchain-based smart contracts). We motivated the need for accountability though a network application use case, and we argued that an assured understanding of the past for attribution can help lead to taking better responses for resiliency.

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

Resilient Architectures

Policy-Governed Secure Collaboration

[1] B. E. Ujcich, A. Bates, and W. H. Sanders, "A Provenance Model for the European Union General Data Protection Regulation", 7th International Provenance and Annotation Workshop (IPAW '18), London, UK, July 9-13, 2018.

Abstract: The European Union (EU) General Data Protection Regulation (GDPR) has expanded data privacy regulations regarding personal data for over half a billion EU citizens. Given the regulation's effectively global scope and its significant penalties for non-compliance, systems that store or process personal data in increasingly complex workflows will need to demonstrate how data were generated and used. In this paper, we analyze the GDPR text to explicitly identify a set of central challenges for GDPR compliance for which data provenance is applicable; we introduce a data provenance model for representing GDPR workflows; and we present design patterns that demonstrate how data provenance can be used realistically to help in verifying GDPR compliance. We also discuss open questions about what will be practically necessary for a provenance-driven system to be suitable under the GDPR.

[2] B. E. Ujcich, A. Bates, and W. H. Sanders. "Data Provenance for Accountability Mechanisms and Properties", First Workshop on Supporting Algorithm Accountability Using Provenance: Opportunities and Challenges, London, UK, July 12, 2018.

Abstract: Data provenance has been proposed in the information security community as a component of accountable systems design because it attributes system events to system agents and captures how processes use and generate data. However, achieving "accountability" as part of a mechanism design or as a system property remains imprecise since no consensus exists on the term's definition. In this paper, we synthesize prior accountability formalisms to understand their amenability to data provenance, we show how accountability is related to assessing responsibility and blame, and we also consider future challenges in building provenance-driven accountability systems.

[3] B. E. Ujcich, S. Jero, A. Edmundson, Q. Wang, R. Skowyra, J. Landry, A. Bates, W. H. Sanders, C. Nita-Rotaru, and H. Okhravi, "Cross-App Poisoning in Software-Defined Networking", 2018 ACM Conference on Computer and Communications Security (CCS '18), Toronto, Canada, October 15-19, 2018, to appear.

Abstract: Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control plane's integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads.

Resilient Architectures

[4] Carmen Cheh, Ahmed Fawaz, Mohammad A. Noureddine, Binbin Chen, William G. Temple, and William H. Sanders, "Determining the Tolerable Attack Surface that Preserves Safety of Cyber-Physical Systems", IEEE Pacific Rim International Symposium on Dependable Computing, Taipei, Taiwan, December 4-7, 2018, to appear.

Abstract: As safety-critical systems become increasingly interconnected, a system's operations depend on the reliability and security of the computing components and the interconnections among them. Therefore, a growing body of research seeks to tie safety analysis to security analysis. Specifically, it is important to analyze system safety under different attacker models. In this paper, we develop generic parameterizable state automaton templates to model the effects of an attack. Then, given an attacker model, we generate a state automaton that represents the system operation under the threat of the attacker model. We use a railway signaling system as our case study and consider threats to the communication protocol and the commands issued to physical devices. Our results show that while less skilled attackers are not able to violate system safety, more dedicated and skilled attackers can affect system safety. We also consider several countermeasures and show how well they can deter attacks.

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

Our RRE work incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. Intrusion detection in large-scale distributed systems, which is a necessary precondition for intrusion tolerance and resilience, is highly susceptible to malicious manipulation of system data used for detection (e.g., using rootkits and log tampering), which we term "monitor compromise". Existing literature attempts to counteract the problem using reputation systems, which weight the trustworthiness of monitor data based on past trustworthiness of the data, but such systems are themselves subject to "betrayal attacks" and "sleeper attacks". We instead propose the use of data-driven methods for detecting potential monitor compromise. We leverage the insight that systems usually contain multiple monitors that provide redundant information about system activity, so we can use discrepancies between observations of system activity across different monitors to identify potential monitor compromise.

For monitor compromise detection, we have developed a data-driven ensemble method for detecting potential monitor compromise using evidential reasoning and data mining. To construct the model for our approach, we have devised a method to mine meaningful correlations between system activity (i.e., events) and the discrete data points produced by monitors (i.e., alerts) and between alerts of different types from heterogeneous historical system data. We have trained our models for evidential reasoning and association rule mining on real data from an enterprise system, and applied our detection ensemble method to the real data with meaningful results. We implemented our monitor compromise detection approach using Storm, a real-time stream processing framework, such that it runs in real-time on online monitor data and ran experiments on enterprise network and host data from the National Center for Supercomputing Applications (NCSA) with different, injected compromise scenarios.

COMMUNITY ENGAGEMENTS

No community engagements this quarter.

EDUCATIONAL ADVANCES:

No educational advances this quarter.