UIUC SoS Lablet Quarterly Executive Summary - July 2020

A. Fundamental Research
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem". These are the most important research accomplishments of the Lablet in the previous quarter.

[Project: An Automated Synthesis Framework for Network Security Resilience] We continued working with Veriflow and VMWare to target enhancement of our verification technology to operate on real-time traffic data, as well as on developing a “high-speed” variant of our approach that can perform verification and quickly answer queries on large environments while requiring only small footprints in terms of memory and CPU. Current collaborations target enhancement of our verification technology to operate on real-time traffic data. We continue to investigate of automated synthesis of network control to preserve desired security policies and network invariants. We have begun a collaboration with a security company (Censys) to perform wide-area verification of networked services, and have begun discussions on approaches to incorporate their data into our synthesis frameworks. We continued the exploration of self-healing network management to address the resilient architecture hard problem and application of the methods to applications in cyber-physical energy systems. This work has been submitted to the 2020 IEEE SmartGridComm conference. We continue to study the interdependence between the power system and the communication network with the goal of improving resilience in critical energy infrastructures. We are conducting evaluation experiments and preparing a manuscript targeting the IEEE Transactions on Smart Grid. We continue to develop a simulation/emulation-based platform for cyber-physical system resilience and security evaluation. The platform combines physical computing and networking hardware for the cyber presence while allowing for offline simulation and computation of the physical world. This work has been submitted to ACM Transactions on Modeling and Computer Simulation (TOMACS). We have continued our collaboration with AT&T, which operates one of the largest networks in the world, to customize and deploy our technology in their environments. We have focused our efforts on a particular use case of automating capacity provisioning. We have continued our collaborations with Boeing on constructing a resilient IoT platform for the battlefield. We have also made progress constructing a real drone implementation which we will use to evaluate our design, though this work has been somewhat delayed due to the lockdown. Most recently, we have been focusing on improving the attack resilience of our algorithms. We have developed new deep learning mechanisms that are resilient to data sets that are “constructed” by adversaries, and our early simulation results show come benefits to these approaches in practical settings.

[Project: A Monitoring Fusion and Response Framework to Provide Cyber Resiliency] Our RRE work incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals.  Intrusion detection in large-scale distributed systems, which is a necessary precondition for intrusion tolerance and resilience, is highly susceptible to malicious manipulation of system data used for detection (e.g., using rootkits and log tampering), which we term “monitor compromise”. Existing literature attempts to counteract the problem using reputation systems, which weight the trustworthiness of monitor data based on past trustworthiness of the data, but such systems are themselves subject to “betrayal attacks” and “sleeper attacks”. We instead propose the use of data-driven methods for detecting potential monitor compromise. We leverage the insight that systems usually contain multiple monitors that provide redundant information about system activity, so we can use discrepancies between observations of system activity across different monitors to identify potential monitor compromise.

[Project: Uncertainty in Security Analysis] Our research focuses on understanding the network security risk and the uncertainty associated with the estimate when security properties of the network components are not exactly known. In previous study, we used Bernoulli random variables to model the existence of a link between two immediate hosts in the network, which indicates the possibility of a lateral movement [1]. Our current investigation generalized this model by modeling the uncertainty in the link existence using Beta distribution, a more versatile class of distributions that takes one of many different shapes depending on its two parameters. Computing the existence of a pathway between two specifically chosen hosts (i.e. reachability analysis) in the generalized model reduces to identifying the reachability distribution, in the form of a multivariate reliability polynomial of Betas. This is a hard problem. However, our initial results highly suggest that in many cases, the reliability distribution can be well-approximated by another beta distribution. This observation aligns with several results from previous studies [2] [3] regarding approximating Betas. Our finding however applies to a much more general setup. The implication of this result is that under conditions in which the approximation is sufficiently good, the computational cost of reachability analysis can be significantly reduced.

[Project: Resilient Control of Cyber-Physical Systems with Distributed Learning] Two PhD students are dedicating their research time to the project.  We have formulated a new direction of scientific enquiry into safety and security analysis of systems. The approach relies on distributed and sample-efficient optimization techniques that have been developed in the context of the Multi-armed bandit problem. We have shown how these optimization algorithms can be used effectively for statistical model checking of markov decision processes. We have built a suite of benchmarks related to online safety analysis of autonomous and semi-autonomous vehicles. Our initial results are very promising as the data usage and the running time of our algorithms can be several orders of magnitude better than existing model checking approaches such as Storm and Prism. The prototype tool has been made available online.

[Project: A Human-Agent-Focused Approach to Security Modeling] This quarter, we investigated two ways to solve an issue with applying our metamodeling approach to certain models that contained a mix of quantitative and qualitative input variables. The two approaches were one-hot encoding and splitting.  We implemented the two approaches and evaluated them on an AMI ADVISE model, and found that at least in that one case that splitting substantially outperformed one-hot encoding. We wrote a paper based on our results and submitted it to SmartGridComm. This work can help modelers apply the metamodeling approach we developed to a broader class of security models. The metamodeling approach helps modelers perform sensitivity analysis and uncertainty quantification on complex slow-running security models that contain uncertain input variables.

B. Community Engagement(s)
Research interaction in the community including workshops, seminars, competitions, etc.

Publications

1. Hoang Hai Nguyen, Kartik Palani, and David M. Nicol, "Extensions of Network Reliability Analysis", 49th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2019), Portland, OR, June 24-27, 2019.

C. Educational Advances
Impact to courses or curriculum at your school or elsewhere that indicates an increased training or rigor in security research.

• Christopher Hannon, a former Ph.D. student of Kevin Jin, graduated in May 2020, and started to work in CRCL GmbH in June 2020. Umar Farooq, an M.S. student of Matthew Caesar, graduated in May 2020, and will join Amazon, participating in the design of their cloud networking environments. Bella Lee, an M.S. student of Matthew Caesar, also graduated in May 2020, and will join Google. 
• Kevin Jin and Kyle Hale developed a new graduate-level cyber security class “CSP544 System and Network Security” for Spring 2020 at Illinois Institute of Technology (IIT); and the TA, Gong Chen (one of Kevin’s Ph.D. student) received the 2020 Best TA award in Computer Science at IIT.
• Kevin Jin organized a virtual Ph.D. colloquium as part of the ACM SIGSIM-PADS conference in June 2020. The Ph.D. colloquium included a keynote speech and multiple student presentations with 99 attendees.
• Matthew Caesar was elected to become the Director of Education for ACM SIGCOMM. As part of his tenure, Matthew will work with universities across the United States to further rigorous education on cybersecurity.