Automated Synthesis Framework for Network Security and Resilience - October 2021
PI: Matthew Caesar
Co-PI: Dong (Kevin) Jin
Researchers: Matthew Caesar, Dong (Kevin) Jin, Bingzhe Liu, Santhosh Prabhu, Xiaoliang Wu
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
This project is developing the analysis methodology needed to support scientific reasoning about the resilience and security of networks, with a particular focus on network control and information/data flow. The core of this vision is an automated synthesis framework (ASF), which will automatically derive network state and repairs from a set of specified correctness requirements and security policies. ASF consists of a set of techniques for performing and integrating security and resilience analyses applied at different layers in a real-time and automated fashion. This project is building both theoretical underpinnings and a practical realization of Science of Security. The proposed project covers four hard problems: (1) resilient architectures (primary), (2) scalability and composability, (3) policy-governed secure collaboration, and (4) security-metrics-driven evaluation, design, development and deployment.
PUBLICATIONS
Papers written as a result of your research from the current quarter only.
Bingzhe Liu, Kuan-Yen Chou, Pramod Jamkhedkar, Bilal Anwer, Rakesh Sinha, Kostas Oikonomou, Matthew Caesar, Brighten Godfrey, Practical Automation for Management Planes of Service Provider Infrastructure, Workshop on Flexible Networks (FlexNets), August 2021.
Abstract: Managing service provider infrastructures (SPI) is ever more challenging with increasing scale and complexity. Network and container orchestration systems alleviate some manual tasks, but they are generally narrow solutions, with controllers for specific subsystems that do not coordinate on high-level goals and fall far short of automating the full range of tasks that engineers face day to day. We seek to highlight the need for "practical automation" to manage SPIs. Via realistic examples, we argue that practical automation should provide cross-controller coordination and should work within the reality that many tasks will involve humans. We describe a proof-of-concept system that leverages AI planning to synthesize management steps to move the system towards a goal state. A preliminary implementation shows that our approach can accurately generate plans for complex management tasks, while scalability and modeling diverse controllers remain as future challenges.
Hard problem(s) addressed: resilient architectures
KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.
In the current quarter, our project progress is centered on addressing SoS lablet hard problems primarily in resilient architecture. Key highlights are listed as follows.
- We published one paper in FlexNets 2021. A book chapter "Dynamic Data-Driven Approach for Cyber Resilient and Secure Critical Energy Systems" has been accepted and will appear in the Handbook on Dynamic Data Driven Application Systems (DDDAS) Vol. II.
- We continue to study the interdependence between the power system and the communication network to improve resilience in critical energy infrastructures, which addresses the resilient architecture hard problem. In the current quarter, we conducted a literature review of recent publications on power-communication interdependency and its impact on system resilience. We revised the current restoration optimization model and the network generation algorithm. We also analyzed the existence of solutions of the updated optimization model. We identified that the model works well for most cases but may not generate a solution in time for certain large-scale systems. Currently, we are investigating ways to effectively reduce the problem size. Finally, we submitted a revision of the paper describing this work to IEEE Transactions on Smart Grid.
- We continue to develop a simulation-based platform for cyber-physical system resilience and security evaluation, which addresses the resilient architecture and scalability hard problems. In the current quarter, we discovered through experiments that the existing virtual time system lacks proper control of process waiting time. The current design affected not only the disk I/O time, but also the network I/O time and the GPU computation time. To address the problem, we proposed a compensation mechanism and modified the Linux kernel to precisely control time advancement not only during execution bursts but also during waiting time. We are conducting experiments for error analysis. We are also working on a large-scale case study to demonstrate the effectiveness of the updated virtual time system. Finally, we are preparing a manuscript describing this work, targeting the 2022 ACM SIGSIM-PADS conference.
- We have developed a design and evaluation framework for a self-driving "service provider infrastructure" that leverages our prior work on verification and synthesis to automatically self-configure to become resilient to attacks. Our initial focus is on network and container orchestration systems, and our first implementation will target Kubernetes. Our platform leverages AI planning algorithms to synthesize the steps the system needs to take to protect itself against incoming attacks from an intelligent adversary.
COMMUNITY ENGAGEMENTS
- Matthew Caesar will serve as the Sponsor Chair for ACM SIGCOMM 2022.
- Matthew Caesar will serve on the Program Committee for USENIX NSDI 2022.
- Matthew Caesar served as a Juror in the ACM SIGCOMM Student Research Competition, 2021.
- Matthew Caesar was elected as the Vice Chair for ACM SIGCOMM, and will serve a four-year term. In his position, he will be responsible for leading initiatives in the SIGCOMM community, with an emphasis on education and cybersecurity.
- Matthew Caesar served as an invited panelist at the 39th Brazilian Symposium on Computer Networks and Distributed Systems (2021).
- Kevin Jin will serve as the Program Co-chair for ACM SIGSIM-PADS conference in 2022.
- Kevin Jin will serve as a panelist in the "Dynamic Data-Driven Application Systems" track at the 2021 INFORMS annual conference.
- Matthew Caesar co-founded and serves on the organizing committee of theNetworkingChannel, an online channel to discuss topics related to computer networking, systems, and security.
- Yanfeng Qu and Kevin Jin gave an NSA seminar talk "Cyber-Resilience Enhancement of PMU Networks Using Software-Defined Networking" in March 2021.
- Kevin Jin is organizing a track on Dynamic Data-Driven Application Systems for 2021 INFORMS.
- Matthew Caesar was listed as a Teacher Ranked as Excellent, At Highest Rank of Outstanding, in both 2020 and 2021. He was also nominated for the 2021 Rose Award for Teaching Excellence.
- Matthew Caesar is working with Serge Fdida and Jim Kurose on creating a community "channel" for computer networking and security. The channel will feature speakers and provide interactive content to students across the world stuck at home during the pandemic, and beyond.
- Matthew Caesar was selected to serve as the General Chair for ACM SIGCOMM 2021, the flagship conference for ACM's SIG on computer networking. As part of his duties, he is working towards creating a rich and vibrant environment for discussions and exchanges of ideas in the community, including emphases on network security. He also served on the program committee for the conference.
- Matthew Caesar created and operates a new Slack workspace for the SIGCOMM community. The platform serves as a mechanism for participants to discuss security and networking topics with other participants. The platform has a channel to discuss a variety of topics, and includes a channel to discuss topics related to the science of security. The platform now has over 1,400 members.
- Kevin Jin organized a virtual Ph.D. colloquium as part of the ACM SIGSIM-PADS conference in June 2020. The Ph.D. colloquium included a keynote speech and multiple student presentations with 99 attendees. We applied and received the NSF student travel grant for the event. The grant has been extended to SIGSIM-PADS'2021 as the COVID-19 pandemic made this year's conference online.
- Kevin Jin was selected to serve on the program committee for IEEE SmartGridComm 2020.
- Kevin Jin was selected to serve on the program committee for ACM SIGSIM-PADS 2021.
- Kevin Jin served as the web chair for the 2020 ACM SIGCOMM Symposium on SDN Research (SOSR).
- Matthew Caesar helped create and served as co-chair for an ACM SIGCOMM workshop on "Teaching and Learning Computer Networking During the Pandemic". The workshop provided support to the many universities that suddenly had to move online during the pandemic, and to the many students facing new challenges with working online. The workshop was a great success, attracting over 200 participants across academia and industry.
- Matthew Caesar was selected to serve as the mentoring chair for ACM SIGCOMM 2021. As part of his duties, he is helping to design the conference to be the first "virtual" SIGCOMM conference ever held.
- Matthew Caesar was selected to serve on the program committee for ACM CCS 2021, a top conference in computer security.
- Matthew Caesar was selected to serve on the program committee for ACM NSDI 2021, a top conference in computer systems.
- Matthew Caesar was selected as an Editor for IEEE/ACM Transactions on Networking.
- Matthew Caesar served as Chief Science Officer of Veriflow, a company commercializing technology spun out of our Science of Security lablet work. Matthew has worked with Veriflow to undertake multiple new deployments of our earlier technology at top commercial-sector firms this quarter. The most recent news about Veriflow is available on the Veriflow web site (http://www.veriflow.net). Veriflow was recently sold to VMware, who will use Veriflow to improve the security of its product lines.
- Matthew Caesar has continued an engagement with the University of Illinois Center for Digital Agriculture towards securing our nation's food supply. His work leverages machine learning to detect anomalies in supply-chain operations. He is in the process of conducting a prototype deployment of his work within the ISRL farm on the University of Illinois at Urbana-Champaign campus.
EDUCATIONAL ADVANCES
- Kevin Jin is developing a new graduate-level network security class for the University of Arkansas Global Campus. The class will be offered in Spring 2022.
- Yanfeng Qu, a Ph.D. student of Kevin Jin, received the College of Computing Excellence in Dissertation Award at IIT.
- Bo Zhang, a master's student of Kevin Jin, will be a Ph.D. candidate at Nanyang Technological University starting in May 2021.
- Umar Farooq, an MS student of Matthew Caesar, graduated in December 2020, and will join Amazon, working on cloud network security and virtualization. Bella Lee, an MS student of Matthew Caesar, also graduated in December 2020, and will join Google, working on core network infrastructure.
- Xin Liu, a Ph.D. student of Kevin Jin, graduated in December 2020, and will join Facebook, working on network emulation and evaluation.
- Christopher Hannon, a Ph.D. student of Kevin Jin, graduated in May 2020, and started work at CRCL GmbH in June 2020.
- Kevin Jin and Kyle Hale developed a new graduate-level cyber security class "CSP544 System and Network Security" for Spring 2020 at Illinois Institute of Technology (IIT); the TA, Gong Chen (one of Kevin's Ph.D. students), received the 2020 Best TA award in Computer Science at IIT.
- Kevin organized a virtual Ph.D. colloquium as part of the ACM SIGSIM-PADS conference in June 2020. The Ph.D. colloquium included a keynote speech and multiple student presentations with 99 attendees. We applied and received the NSF student travel grant for the event. The grant has been extended to SIGSIM-PADS'2021 as the COVID-19 pandemic made this year's conference online.
- Jiaqi Yan, a former Ph.D. student of Kevin Jin, graduated in Dec 2019, and started work at Microsoft in Jan 2020.
- Christopher Hannon, a Ph.D. student of Kevin Jin, received the College of Science Excellence in Dissertation Award at IIT.
- Matthew Caesar was elected to become the Vice Chair for ACM SIGCOMM. As part of his tenure, Matthew will work with universities across the United States to further rigorous education and other initiatives on cybersecurity.
- Kevin Jin served as the Director of the new Master of Cybersecurity Program in the College of Science at Illinois Institute of Technology (https://www.iit.edu/academics/programs/cybersecurity-mas). The program will serve as one more platform to disseminate the educational and research outcomes of our Science of Security project.
- Matthew Caesar has created a new class on Internet of Things at UIUC. The class contains extensive coverage of security in this important domain. The class is slated for public release this fall on Coursera's Massive Open Online Course (MOOC) platform. The course will be open for enrollment by anyone, even people not attending the University of Illinois. Based on the success of the first offerings of this class, Matthew has developed an entire IoT online course sequence, which covers how to design and build resilient and secure IoT infrastructures. This course sequence will be offered to business professionals across the nation, and our hope is that it will have substantial impact in teaching our nation's workforce to build secure and resilient computing systems.
- Matthew Caesar also continues to refine his Networking Laboratory class. He has developed a new set of cybersecurity lectures for the class, covering important topics and educating students on how to improve the security of common networking deployments.
- Matthew Caesar is currently constructing an online platform for working with IoT devices in the cloud. The platform virtualizes IoT devices, internally leveraging a new technology that extends virtual machines into the IoT domain. This work will probably take another year to develop, but when it is released, we hope to grow from small pilots to a platform that can allow students across the world to learn about and work with IoT security in a manner that greatly accelerates their ability to experiment and learn.