UIUC SoS Lablet Quarterly Executive Summary - January 2020

A. Fundamental Research
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem". These are the most important research accomplishments of the Lablet in the previous quarter.

[Project: An Automated Synthesis Framework for Network Security Resilience] We continued the transfer of our technology to industry through interactions with Veriflow and VMWare. Current collaborations target enhancement of our verification technology to operate on real-time traffic data. We continue to investigate of automated synthesis of network control to preserve desired security policies and network invariants. We continued the exploration of self-healing network management to address the resilient architecture hard problem and application of the methods to applications in cyber-physical energy systems. We continue to study the interdependence between the power system and the communication network with the goal of improving resilience in critical energy infrastructures. Our review paper on power grid resilience enhancement has been accepted by IET smart grid journal. We continue to develop a simulation/emulation-based platform for cyber-physical system resilience and security evaluation. The platform combines physical computing and networking hardware for the cyber presence while allowing for offline simulation and computation of the physical world. We have continued our collaboration with AT&T, which operates one of the largest networks in the world, to customize and deploy our technology in their environments; and we have continued our collaborations with Boeing on constructing a resilient IoT platform for the battlefield.

[Project: A Monitoring Fusion and Response Framework to Provide Cyber Resiliency] Our RRE work incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals.  Intrusion detection in large-scale distributed systems, which is a necessary precondition for intrusion tolerance and resilience, is highly susceptible to malicious manipulation of system data used for detection (e.g., using rootkits and log tampering), which we term “monitor compromise”. Existing literature attempts to counteract the problem using reputation systems, which weight the trustworthiness of monitor data based on past trustworthiness of the data, but such systems are themselves subject to “betrayal attacks” and “sleeper attacks”. We instead propose the use of data-driven methods for detecting potential monitor compromise. We leverage the insight that systems usually contain multiple monitors that provide redundant information about system activity, so we can use discrepancies between observations of system activity across different monitors to identify potential monitor compromise.

[Project: Uncertainty in Security Analysis] Our research focuses on understanding the network security risk and the uncertainty associated with the estimate when security properties of the network components are not exactly known. In previous study, we used Bernoulli random variables to model the existence of a link between two immediate hosts in the network, which indicates the possibility of a lateral movement [1]. Our current investigation generalized this model by modeling the uncertainty in the link existence using Beta distribution, a more versatile class of distributions that takes one of many different shapes depending on its two parameters. Computing the existence of a pathway between two specifically chosen hosts (i.e. reachability analysis) in the generalized model reduces to identifying the reachability distribution, in the form of a multivariate reliability polynomial of Betas. This is a hard problem. However, our initial results highly suggest that in many cases, the reliability distribution can be well-approximated by another beta distribution. This observation aligns with several results from previous studies [2] [3] regarding approximating Betas. Our finding however applies to a much more general setup. The implication of this result is that under conditions in which the approximation is sufficiently good, the computational cost of reachability analysis can be significantly reduced.

 [Project: Resilient Control of Cyber-Physical Systems with Distributed Learning] Three PhD students have been recruited and are dedicating their research time to the project.  We have formulated a new direction of scientific enquiry into safety and security analysis of systems. The approach relies on distributed and sample-efficient optimization techniques that have been developed in the context of the Multi-armed bandit problem. We have shown how these optimization algorithms can be used effectively for statistical model checking of markov decision processes. We have build a suite of benchmarks related to online safety analysis of autonomous and semi-autonomous vehicles. Our initial results are very promising as the data usage and the running time of our algorithms can be several orders of magnitude better than existing model checking approaches such as Storm and Prism. The prototype tool has been made available online.

 [Project: A Human-Agent-Focused Approach to Security Modeling] We focused on our metamodeling based approach to sensitivity analysis and uncertainty quantification in complex security models. Many realistic security models run slowly and have input variables whose values are uncertain, which makes it difficult to conduct sensitivity analysis and uncertainty quantification. It is possible to create metamodels of the base security model that trade some accuracy for speed using machine learning techniques. We investigated this method by applying it to a previously-published work that modeling the growth of peer-to-peer botnets. We found that all metamodels that we evaluated could be run much more quickly than the base model (the most accurate metamodel ran several times faster than the base model). We found that there was little difference in metamodel quality regardless of the data acquisition strategy used, whether random sampling, Latin hypercube sampling, or sampling based on Sobol sequences. The most accurate metamodel used the stacking technique, and was able to emulate the base model fairly well. We wrote our findings and submitted a paper for review for Dependable and Secure Networks 2020 (DSN’2020).

B. Community Engagement(s)
Research interaction in the community including workshops, seminars, competitions, etc.

Publications

1. Benjamin E. Ujcich, Samuel Jero, Richard Skowyra, Steven R. Gomez, Adam Bates, William H. Sanders, and Hamed Okhravi, "Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking", to appear in the 2020 Internet Society's Network and Distributed System Security Symposium (NDSS '20)
    
2. Hoang Hai Nguyen, Kartik Palani, and David M. Nicol, "Extensions of Network Reliability Analysis", 49th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2019), Portland, OR, June 24-27, 2019.
3. Santhosh Prabhu, Kuan Yen Chou, Ali Kheradmand, Brighten Godfrey, Matthew Caesar, Plankton: "Scalable Network Configuration Verification Through Model Checking," NSDI, February 2020
4. Musavi, Sun, Mitra, Shakkottai, and Dullerud: "Optimistic Optimization for Statistical Model Checking with Regret Bounds," Jan 2020. Available online from https://arxiv.org/abs/1911.01537

C. Educational Advances
Impact to courses or curriculum at your school or elsewhere that indicates an increased training or rigor in security research.

• Mohammad Noureddine, Uttam Thakore and Ben Ujcich have all passed their preliminary exams this quarter.
   
• Matthew Caesar was elected to become the Director of Education for ACM SIGCOMM. As part of his tenure, Matthew will work with universities across the United States to further rigoros education on cybersecurity.
   
• Kevin Jin is serving as the Ph.D. colloquium chair of the 2020 ACM SIGSIM-PADS Conference and has submitted a student travel grant proposal to NSF in December 2019.
   
• Kevin Jin and Kyle Hale are developing a new graduate-level cyber security class “CSP544 System and Network Security” for Spring 2020 at Illinois Institute of Technology.
   
• Kevin Jin has been appointed as the Director of the new Master of Cybersecurity Program in the College of Science at Illinois Institute of Technology (https://science.iit.edu/programs/graduate/master-cybersecurity-mcybcode).  The program will serve as one more platform to disseminate the educational and research outcomes of our Science of Security projects.
   
• Kevin Jin and Chen Chen (Argonne National Lab) are preparing a tutorial titled "Electric Power System Resilience" at the 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm) in October 2019.
   
• We organized a Ph.D. colloquium as part of the ACM SIGSIM-PADS conference in June 2019. The Ph.D. colloquium include a career panel, poster session, student presentations, and a meeting with editors. We received 20+ submissions and 15 students were selected to present their work, among which 5 US-based Ph.D. students received the NSF student travel grant. The event has provided mentoring and educational opportunities to the young researchers, thus contributing to equipping them with tools that support their career success.
   
• Kevin Jin gave a full-day tutorial on “Cyber Security and Resilience of Cyber-Physical Systems” in the Internet of Things (IoT) Systems Research Center at the University of Wisconsin Madison, June 2019
   
• Matthew Caesar has created a new class on Internet of Things at UIUC. The class contains extensive coverage of security in this important domain. The class is slated for public release this fall on Coursera’s Massive Online Open Course (MOOC) platform. The course will be open for enrollment by anyone, even people not attending the University of Illinois. Development of a beta version of this class has been completed and its inaugural enrollment is open now for Spring 2020. The class has filled to capacity.
   
• Matthew Caesar also continues to refine his Networking Laboratory class, targeting release for Spring 2020. He has developed a new set of Cybersecurity lectures for his class, covering important topics, and educating students how to improve security of common networking deployments.
   
• Matthew Caesar is currently constructing an online platform for working with IoT devices in the cloud. The platform virtualizes IoT devices, internally leveraging a new technology that extends virtual machines into the IoT domain. This work will probably take another year to develop, but when it is released, we hope to grow from small pilots to a platform that can allow students across the world to learn about and work with IoT security in a manner that greatly accelerates their ability to experiment and learn.