Automated Synthesis Framework for Network Security and Resilience - January 2022

PI: Matthew Caesar

Co-PI: Dong (Kevin) Jin

Researchers: Matthew Caesar, Dong (Kevin) Jin, Bingzhe Liu, Santhosh Prabhu, Xiaoliang Wu

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

This project is developing the analysis methodology needed to support scientific reasoning about the resilience and security of networks, with a particular focus on network control and information/data flow. The core of this vision is an automated synthesis framework (ASF), which will automatically derive network state and repairs, from a set of specified correctness requirements and security policies. ASF consists of a set of techniques for performing and integrating security and resilience analyses applied at different layers in a real-time and automated fashion. This project is building both theoretical underpinnings and a practical realization of Science of Security. The proposed project covers four hard problems: (1) resilient architectures (primary), (2) scalability and composability, (3) policy-governed secure collaboration, and (4) security-metrics-driven evaluation, design, development and deployment.

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

• Otto Piramuthu, Matthew Caesar, Towards a Lightweight VANET Authentication Protocol, ACM SIGAPP Symposium on Applied Computing, April 2022. Abstract: Security and privacy of vehicles, occupants of such vehicles, roadside infrastructure, and other entities that are part of Vehicular Ad hoc NETwork (VANET) cannot be overstated. Cryptography is commonly used to authenticate and to secure communication among VANET entities. As vehicles are mobile, it is essential for authentication protocols to be lightweight, quick, and with minimal number of passed messages. It is also necessary to ensure that these protocols are secure against attacks. However, extant authentication protocols are not necessarily lightweight and almost all of them are vulnerable to relay attacks. We propose secure and truly lightweight authentication protocols for the VANET environment. This work addresses the hard problem of Resilient Architectures by developing methods to analyze and design vehicular network architectures.
• Otto Piramuthu, Matthew Caesar, Ling Ren, UAV/VANET Authentication for Real Time Highway Surveillance, ACM SIGAPP Symposium on Applied Computing, April 2022. Abstract: Unmanned aerial vehicles (UAVs) or drones have the potential to supplant helicopters in real-time highway surveillance applications due to cost, form factor, and other considerations. The wireless medium used for communication has the potential to expose a fleet of drones en route to surveillance to link failures and attacks on passed messages. Given the sparse topology, messages among UAVs, vehicles, and trusted authority could be transmitted through collaboration among UAVs and vehicles. Since vehicles and drones in a highway environment are mobile, related ad hoc network is continuously updated to account for reachability of transmitted signals. It is also necessary to authenticate the drones and vehicles to ensure that the transmitted messages are uncorrupted and trusted. To accommodate processing power and mobility constraints, we develop lightweight authentication protocols that facilitate secure message transfer. We also evaluate the security properties of these protocols.This work addresses the hard problem of Resilient Architectures by developing means to design and analyze architectures for UAVs, as well as joint UAV-vehicle systems.
• Otto Piramuthu, Matthew Caesar, How Effective are Identification Technologies in Autonomous Self-Driving Vehicles?, IEEE CommNet, December 2021. Abstract: Autonomous driving necessarily involves timely awareness of surrounding environmental conditions to facilitate safe navigation. Vision is therefore of paramount importance in these vehicles. Cameras, LiDAR, RADAR, and GNSS provide a reasonable amount of necessary environmental input in a majority of current autonomous driving initiatives. Several published studies vouch for the advantages of autonomous vehicles over their human-driven counterparts, in principle. However, extant literature does not provide clear guidance on the extent of dominance, if any, of autonomous vehicles in terms of accident avoidance. We consider 'vision' inputs in autonomous vehicles and compare their performance to that of human-driven vehicles based on recent accident data and show that current state-ofthe-art of vision technology in automated vehicles are grossly insufficient for truly autonomous vehicles. Specifically, our results illustrate the extent of deficit that must be addressed in state-ofthe-art machine learning algorithms and vision sensors that are used in autonomous driving vehicles. This work addresses the hard problems of Security Metrics Driven Evaluation, Design, Development, and Deployment, by developing methods to express and check requirements for the secure functioning of autonomous self-driving vehicles; it also advances the hard problem of Understanding and Accounting for Human Behavior, as it develops models of human behavior, and how a human interacts with an autonomous or semi-autonomous vehicle.

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

In the current quarter, our project progress is centered on addressing SoS lablet hard problems primarily in resilient architecture. Key highlights are listed as follows.

• We continue to study the interdependence between the power system and the communication network to improve resilience in critical energy infrastructures, which addresses the resilient architecture hard problem. In the current quarter, we validated our simulation model. We used power grid models following the standard systems (e.g., IEEE 123-node system, Ckt-7 system) and the associated communication network model following an industry documentation. We measured the load pickup time and amount and observed that the restoration time and load of each node block is the same. Our paper "Distribution Grid Restoration with Power-Communication Interdependency" received the second-round review comments (minor revision) from IEEE Transactions on Smart Grid. Currently, we are addressing the review comments and plan to submit a revised manuscript in January 2022.
• We continue to develop a simulation-based platform for cyber-physical system resilience and security evaluation, which addresses the resilient architecture and scalability hard problem. In the current quarter, we formulated an analytical model of the virtual time advancement mechanism and proposed a time compensation mechanism to improve temporal fidelity of the testbed. We implemented the mechanism in Linux kernel to precisely control time advancement by considering the non-CPU task waiting time. We also conducted extensive experiments for error analysis and system evaluation. We are currently working on a large-scale case study on a block chain application for demonstration. We are preparing a manuscript describing this work, and plan to submit it to ACM SIGSIM-PADS in January 2022.
  
• We start a new project to explore methods to detect and mitigate attacks caused by IoT botnet in the context of smart grid to address the resilient architecture hard problem. In the current quarter, we propose an SDN-based IoT network architecture and a machine learning based detection model to identify the suspicious attack packets generated from the bots. We are also developing an optimization-based mitigation scheme to isolate IoT bots and to recover the power system from potential power system failures.
• We have developed a design and evaluation framework for a self-driving "service provider infrastructure" that leverages our prior work on verification and synthesis to automatically self-configure to become resilient to attacks. Our initial focus Is on network and container orchestration systems, and our first implementation will target Kubernetes. Our platform leverages AI planning algorithms to synthesize steps the system needs to take to protect itself against incoming attacks from an intelligent adversary. The team is also actively looking for research collaboration of applying verification and synthesis to IoT devices and networks.

COMMUNITY ENGAGEMENTS

• Matthew Caesar will serve on the Program Committee for USENIX NSDI 2023.
• Matthew Caesar is serving on the Program Committee for USENIX NSDI 2022.
• Matthew Caesar is serving as a co-chair for the Networking Channel (https://networkingchannel.eu/), an online talk series for computer networking, systems, and security topics that is a joint initiative between EU's Empower initiative, the National Science Foundation's PAWR office, and ACM SIGCOMM. Talks are held online and are open to all, to provide broad reach into the community.
• Kevin Jin will serve on the Program Committee for Workshop on ns-3 (WNS3) 2022.
• Matthew Caesar is serving as the Sponsor Chair for ACM SIGCOMM 2022.
• Kevin Jin is serving as a Program Co-chair for ACM SIGSIM-PADS 2022.
• Kevin Jin served as a panelist in the "Dynamic Data-Driven Application Systems" track at the 2021 INFORMS Annual Meeting, October 2021.

EDUCATIONAL ADVANCES

• Kevin Jin has developed a new graduate-level class, CSCE5655 Network Security, for the University of Arkansas Global Campus. The class is being offered in Spring 2022.
• Xiaoliang Wu, a Ph.D. student of Kevin Jin, graduated in December 2021, and will join Facebook, working on data center network design and performance evaluation.
• Xiaoliang Wu and Kevin Jin is organizing a Ph.D. colloquium as part of the ACM SIGSIM-PADS conference in June 2022. The Ph.D. colloquium will include a keynote speech, multiple student presentations and a poster session.
• Matthew Caesar has undertaken substantial work to update his Internet of Things MOOC, which reaches over 17,000 students, including development of two new laboratory assignments allowing students to explore cybersecurity of Cisco IOS and core networks, as well as AWS IoT and cloud IoT platforms.
• Matthew Caesar is also teaching CS 437: Internet of Things at the University of Illinois, which covers advanced concepts and security practices in IoT, and which will be taught to about 150 on-campus graduates/undergraduates, as well as about 150 graduate students who are part of the Illinois Masters in Computer Science program, many of whom are software development professionals working in companies across many sectors.