UIUC SoS Lablet Quarterly Executive Summary - April 2019

A. Fundamental Research
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem". These are the most important research accomplishments of the Lablet in the previous quarter.

[Project: An Automated Synthesis Framework for Network Security Resilience] We continue to explore deep learning techniques for malware classification. We build a system that extend a special type of graph kernel-based deep neural network, Deep Graph Convolutional Neural Network (DGCNN) for classifying CFG-represented malware programs. DGCNN enables embedding high-dimensional structural information into vectors that are amenable to efficient classification. We use two large independent datasets that contain more than 20K malware samples to evaluate our system and the experimental results are comparable to those of the state-of-the-art methods applied with handcrafted malware features. A paper describing this work has been accepted to DSN’19. We will also present this work in the coming SoS research seminar at UIUC in April 30^th, 2019.

[Project: A Monitoring Fusion and Response Framework to Provide Cyber Resiliency] Our RRE work incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals.  Intrusion detection in large-scale distributed systems, which is a necessary precondition for intrusion tolerance and resilience, is highly susceptible to malicious manipulation of system data used for detection (e.g., using rootkits and log tampering), which we term “monitor compromise”. Existing literature attempts to counteract the problem using reputation systems, which weight the trustworthiness of monitor data based on past trustworthiness of the data, but such systems are themselves subject to “betrayal attacks” and “sleeper attacks”. We instead propose the use of data-driven methods for detecting potential monitor compromise. We leverage the insight that systems usually contain multiple monitors that provide redundant information about system activity, so we can use discrepancies between observations of system activity across different monitors to identify potential monitor compromise.

For monitor compromise detection, we have developed a data-driven ensemble method for detecting potential monitor compromise using evidential reasoning and data mining. To construct the model for our approach, we have devised a method to mine meaningful correlations between system activity (i.e., events) and the discrete data points produced by monitors (i.e., alerts) and between alerts of different types from heterogeneous historical system data. We have applied our mining method to real data from an enterprise system with meaningful results. We implemented our monitor compromise detection approach using Storm, a real-time stream processing framework, such that it runs in real-time on online monitor data and ran experiments on enterprise network and host data from the National Center for Supercomputing Applications (NCSA) with different, injected compromise scenarios.

[Project: Uncertainty in Security Analysis] Our research focuses on understanding the network security risk and the uncertainty associated with the estimate when security properties of the network components are not exactly known. In previous study, we used Bernoulli random variables to model the existence of a link between two immediate hosts in the network, which indicates the possibility of a lateral movement [1]. Our current investigation generalized this model by modeling the uncertainty in the link existence using Beta distribution, a more versatile class of distributions that takes one of many different shapes depending on its two parameters.

Computing the existence of a pathway between two specifically chosen hosts (i.e. reachability analysis) in the generalized model reduces to identifying the reachability distribution, in the form of a multivariate reliability polynomial of Betas. This is a hard problem. However, our initial results highly suggest that in many cases, the reliability distribution can be well-approximated by another beta distribution. This observation aligns with several results from previous studies [2] [3] regarding approximating Betas. Our finding however applies to a much more general setup. The implication of this result is that under conditions in which the approximation is sufficiently good, the computational cost of reachability analysis can be significantly reduced.

[Project: Resilient Control of Cyber-Physical Systems with Distributed Learning] Two PhD students have been recruited and are dedicating their research time to the project.  We have formulated a new direction of scientific enquiry into safety and security analysis of systems. The point of departure from existing literature is that we explore the relative value of data and models in assessing how well a system meets its requirements.

[Project: A Human-Agent-Focused Approach to Security Modeling] We are currently conducting a literature review with the goal of constructing a high-quality case study to exercise the human-centric cyber security modeling formalism that we are developing. Our case study will focus on comparing the security and usability of different password policies (e.g. password length, time until password expires, etc.) which a hypothetical institution may enact. Our case study will construct submodels of the institutions, its employees and customers, and the adversaries. We shall compose these submodels and study the interaction to give insight into the relative strengths and weaknesses of the password policies. We will validate our model by using previously-conducted studies of human behavior with regard to passwords.

B. Community Engagement(s)
Research interaction in the community including workshops, seminars, competitions, etc.

Publications

1. C. Cheh, U. Thakore, A. Fawaz, B. Chen, W. G. Temple, and W. H. Sanders, “Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs” (Extended paper), to appear in ACM Transactions on Modeling and Computer Simulation.
2. Hoang Hai Nguyen, Kartik Palani, and David M. Nicol, "Extensions of Network Reliability Analysis", 49th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2019), Portland, OR, June 24-27, 2019, to appear.

C. Educational Advances
Impact to courses or curriculum at your school or elsewhere that indicates an increased training or rigor in security research.

• PI Mitra is designing and teaching a brand new course called Principles of Safe Autonomy. The course takes a deep dive into the seminal topics in object recognition, learning, localization, decision making, path planning, control, and safety verification. Around 25 students from ECE and CS are currently enrolled in this senior and graduate course. The course team has designed 6 New programming assignments involving topics such as lane detection, road-sign recognition with deep neural networks, localization with particle filters, decision making with reinforcement learning, path planning with rapidly expanding random trees, and safety verification using simulation-driven proofs. The students use a high-fidelity, commercial-grade vehicle simulator (Righthook) for testing their programming assignments. The university has recently acquired a electric GolfCart with LIDARS and cameras as a research platform and this platform will be made availebel to the students for their project. Galois Inc. has kindly agreed to sponsor prizes for student projects. Find out more about the safe autonomy course at https://publish.illinois.edu/safe-autonomy/

• Kevin Jin and Gady Agam are leading the effort of creating a new CS Master of Cyber Security program in at IIT. The program has been approved by the university, which will serve as one more platform to disseminate the educational and research outcomes of our Science of Security projects.
   
• Kevin Jin and Chen Chen (Argonne National Lab) submitted a tutorial titled "Electric Power System Resilience" to the 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)
   
• We received an NSF student travel grant award to support 5 US-based students ($1000 per student) to attend the ACM SIGSIM-PADS conference held in Chicago, June 2019.
   
• Matthew Caesar is in the process of creating a new class on Internet of Things. The class will contain extensive coverage of security in this important domain. The class is slated for public release this fall on Coursera’s Massive Online Open Course (MOOC) platform. The course will be open for enrollment by anyone, even people not attending the University of Illinois.
   
• Matthew Caesar also continues to refine his Networking Laboratory class, targeting release for Spring 2020. He has developed a new set of Cybersecurity lectures for his class, covering important topics, and educating students how to improve security of common networking deployments.