Monitoring, Fusion, and Response for Cyber Resilience - April 2020

PI: William Sanders

Researchers: Brett Feddersen, Carmen Cheh, and Uttam Thakore

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

• HARD PROBLEM(S) ADDRESSED
  Resilient Architectures - Experience suggests that even heavily defended systems can be breached by attackers given enough time, resources and talent. We propose the concept of a response and recovery engine (RRE) so that a system could "tolerate" an intrusion and provide a base level of service. RRE incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. Our work focuses on a few example attacks. These attacks include lateral movement within a network as part of an Advanced Persistent Threat (APT), tampering with monitoring data to hide attacker activity, and application-level distributed denial of service attacks (DDoS).
• Policy-Governed Secure Collaboration - We analyzed the issues surrounding the software-defined networking (SDN) architecture from an accountability standpoint, considering various principals involved (e.g., controller software, network applications, administrators, end users, organizations), mechanisms for assurance about past network state (e.g., data provenance, replicated data stores, roots of trust), thoughts on judging and assessing standards for accountability (e.g., legal, contractual, regulatory), and mechanisms for decentralized enforcement (e.g., blockchain-based smart contracts). We motivated the need for accountability though a network application use case, and we argued that an assured understanding of the past for attribution can help lead to taking better responses for resiliency.

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

Policy-Governed Secure Collaboration

Benjamin E. Ujcich, Adam Bates, William H. Sanders, "Provenance for Intent-Based Networking", IEEE Conference on Network Softwarization (NetSoft '20)



Abstract: Intent-based networking (IBN) promises to simplify the network management and automated orchestration of high-level policies in future networking architectures such as software-defined networking (SDN). However, such abstraction and automation creates new network visibility challenges. Existing SDN network forensics and diagnostics tools operate at a lower level of network abstraction, which makes intent-level reasoning difficult. We present ProvIntent, a framework extension for SDN control plane tools that accounts for intent semantics. ProvIntent records the provenance and evolution of intents as the network's state and apps' requests change over time and enables reasoning at multiple abstractions. We define an intent provenance model, we implement a proof-of-concept tool, and we evaluate the efficacy of ProvIntent's explanatory capabilities by using a representative intent-driven network application.

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

Our RRE work incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. Intrusion detection in large-scale distributed systems, which is a necessary precondition for intrusion tolerance and resilience, is highly susceptible to malicious manipulation of system data used for detection (e.g., using rootkits and log tampering), which we term "monitor compromise". Existing literature attempts to counteract the problem using reputation systems, which weight the trustworthiness of monitor data based on past trustworthiness of the data, but such systems are themselves subject to "betrayal attacks" and "sleeper attacks". We instead propose the use of data-driven methods for detecting potential monitor compromise. We leverage the insight that systems usually contain multiple monitors that provide redundant information about system activity, so we can use discrepancies between observations of system activity across different monitors (sometimes referred to as differential observability in literature) to identify potential monitor compromise.

For monitor compromise detection, we have developed a data-driven ensemble method for detecting potential monitor compromise using evidential reasoning and data mining. To construct the model for our approach, we have devised a method to mine meaningful correlations between system activity (i.e., events) and the discrete data points produced by monitors (i.e., alerts) and between alerts of different types from heterogeneous historical system data. We have trained our models for evidential reasoning and association rule mining on real data from an enterprise system, and applied our detection ensemble method to the real data with meaningful results. We implemented our monitor compromise detection approach using Storm, a real-time stream processing framework, such that it runs in real-time on online monitor data and ran experiments on enterprise network and host data from the National Center for Supercomputing Applications (NCSA) with different, injected compromise scenarios.

To support coordinated analysis of heterogeneous monitor data (which spans numerical metrics to unstructured, textual log data) that is present in large-scale distributed systems, such as enterprise and cloud systems, we have developed a framework to semi-automatically process monitor data from multiple levels of said systems into a manageable set of meaningful time series features for further intrusion or incident analysis. Based on an analysis of how incident response teams in industry utilize monitor data, we have come up with a taxonomy of monitor data fields and devised an approach in which we can take monitor data for which fields have been annotated using our taxonomy, automatically unstack and aggregate them into meaningful time series features, and group together redundant features across all monitors in the system. We have evaluated our approach on experimental PaaS cloud data from an industry partner containing eight different monitor types.

To improve the resilience of intrusion and incident detection against monitor compromise in a manner that does not require changing the detection mechanisms already in place, we have developed a model-based approach to quantify the resilience of a system's monitoring and incident detection infrastructure against monitor compromise and to maximize resilience under monitoring cost constraints. Our approach uses constraint programming to quantify the effect of monitor compromise on incident detection capabilities, and formulates the problem of maximizing resilience against monitor compromise as a cost-constrained optimization problem searching over the space of monitor deployments. We have implemented our approach using state-of-the-art tools for constraint programming and constrained, nonlinear optimization. We have evaluated our approach using randomly-generated models of varying sizes and structures, and compared its performance against our previous work published in DSN 2016 titled "A Quantitative Methodology for Security Monitor Deployment.". We demonstrate how our analysis can help system administrators make more effective monitoring decisions in line with their incident detection objectives and priorities.

COMMUNITY ENGAGEMENTS

No community engagements this quarter.

EDUCATIONAL ADVANCES:

Mohammad Noureddine, Uttam Thakore and Ben Ujcich have all passed their preliminary exams this quarter.