UIUC SoS Lablet Quarterly Executive Summary - January 2019

A. Fundamental Research
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem". These are the most important research accomplishments of the Lablet in the previous quarter.

[Project: An Automated Synthesis Framework for Network Security Resilience] We studied the network intrusion detection system with various deep learning models with the goal of enhancing network security and resilience. We designed and implemented a TensorFlow-based deep learning library, called NetLearner. We made the software code of NetLearner publicly available at https://github.com/littlepretty/NetLearner

We continue to investigate of automated synthesis of network control to preserve desired security policies and network invariants. Specific invariants include (i) reduction of reaction time to fix problems, (ii) avoidance if introduction of errors in the repair process, and (iii) prevention of vulnerabilities. We are also exploring of how to synthesize patches to automatically fix critical invariants that were violated by the network controller application. The candidate approach under consideration models both the forwarding behavior of data through the network, control operations conducted on the network, as well as operations between the two. We have formulated a simplified solution for OSPF based network using SMT constraints and executed it using a Z3 solver. The project team at UIUC and IIT have regular bi-weekly meetings to discuss the research collaboration progress.

[Project: A Monitoring Fusion and Response Framework to Provide Cyber Resiliency] We have improved upon the evidential reasoning-based online monitor compromise detection approach that we presented at the 2018 Symposium and Bootcamp on the Science of Security (HotSoS 2018). We have devised an approach to identify likely monitor compromise using association rule mining that is complementary to our existing evidential reasoning-based approach. We have defined an ensemble method to detect likely monitor compromise that uses the two approaches we have devised to improve overall efficacy. We are currently evaluating the efficacy of the overall approach and preparing a paper submission based on the results.

We construct a framework to analyze the safety of a system under threat by various attacker models. This work has been accepted into PRDC 2018. We develop generic parameterizable state automaton templates that model the effects of an attack. For a given attacker model and system, we can then generate the full state automaton that models the normal system operations under the threat of the specified attacker model. We model the system using network of timed automaton which is suitable for modeling concurrent processes, the progression of time, and physical processes. We consider attacks on network protocols and device commands. More precisely, we assume the attacker has the capabilities of a Dolev-Yao attacker in that he or she can delay, inject, modify, and remove network packets. We develop state automaton templates for each of those capabilities that can be executed either probabilistically or in a deterministic fashion. These templates can be composed and combined together based on the given scenarios. We can then generate a full state automaton that models the normal system operation under a particular set of attacks. We apply our approach to a railway system use case to analyze the safety of the signaling system given a variety of attacker models. We considered both insiders and outsiders as our threat model. Outsiders had the capability of delaying and jamming communication to and from the trainborne system and trackside equipment to the system servers. Insiders had the capability of manipulating packets within the system networks. We also considered several safety countermeasures that can potentially deter such threat vectors. We used statistical model checking to verify the safety of the system and our results show that while less skilled outsiders are unable to affect system safety, outsiders who can target vulnerabilities in the network protocol are able to bring the system to an unsafe state even with current modern security protection mechanisms. Insiders are also able to easily affect system state. The safety countermeasures we introduce are able to deter some or all of those attacks although at the added cost of maintenance. 

[Project: Uncertainty in Security Analysis] We have completed the design of simulation-based experiments to support the observations made above. The simulations make use of a parameterized model to approximate the reachability polynomial, where the approximation relies on bivariate copula functions and cubic Bezier fitting curves. We use several methods in the literature (method of moments, MLE, etc.) to estimate the two parameters of the approximating Beta distribution, then compare it with the actual reachability distribution using several goodness-of-fit metrics (Kolmogorov-Smirnov, Cramer-von Mises, etc). We proposed a better way of representing uncertainty in a security model using beta distributions. Our observation suggests that in many cases, the reachability distribution of the new model is approximately beta distributed. By knowing the class of the distribution beforehand, the complexity of reachability analysis (in particular) and security analysis (in general) can be greatly reduced.

B. Community Engagement(s)
Research interaction in the community including workshops, seminars, competitions, etc.

Publications

[1] B. E. Ujcich, S. Jero, A. Admundson, Q. Wang, R. Skowyra, J. Landry, A. Bates, W. H. SandersC. Nita-Rotaru, and H. Okhravi, "Cross-App Poisoning in Software-Defined Networking", 2018 ACM Conference on Computer and Communications Security (CSS '18), Toronto, Canada, October 15-19, 2018.

[2] Carmen Cheh, Ahmed Fawaz, Mohammad A. Noureddine, Binbin Chen, William G. Temple, and William H. Sanders, "Determining the Tolerable Attack Surface that Preserves Safety of Cyber-Physical Systems",  IEEE Pacific Rim International Symposium on Dependable Computing, Taipei, Taiwan, December 4-7, 2018.

[3] U Christopher Hannon, Nandakishore Santhi, Stephan Eidenbenz, Jason Liu, and Dong Jin. "Just-In-Time Parallel Simulation," 2018 Winter Simulation Conference (WSC), Gothenburg, Sweden, December 9-12, 2018.

C. Educational Advances
Impact to courses or curriculum at your school or elsewhere that indicates an increased training or rigor in security research.

Matthew Caesar is taught a Networking Laboratory class this semester. This semester, he has developed a new Cybersecurity module for his class. This module gives students the opportunity to set up and configure security features of routers and switches in a virtualized environment. Students configure ACLs and VLANs to ensure desirable security properties such as segmentation and access control The lab is structured to give students direct hands-on experience with these techniques, making them confident to use these techniques in the field.