Automated Synthesis Framework for Network Security and Resilience - April 2022

PI: Matthew Caesar

Co-PI: Dong (Kevin) Jin

Researchers: Matthew Caesar, Dong (Kevin) Jin, Bingzhe Liu, Santhosh Prabhu, Xiaoliang Wu

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

This project is developing the analysis methodology needed to support scientific reasoning about the resilience and security of networks, with a particular focus on network control and information/data flow. The core of this vision is an automated synthesis framework (ASF), which will automatically derive network state and repairs, from a set of specified correctness requirements and security policies. ASF consists of a set of techniques for performing and integrating security and resilience analyses applied at different layers in a real-time and automated fashion. This project is building both theoretical underpinnings and a practical realization of Science of Security. The proposed project covers four hard problems: (1) resilient architectures (primary), (2) scalability and composability, (3) policy-governed secure collaboration, and (4) security-metrics-driven evaluation, design, development and deployment.

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

• Xin Liu, Bo Zhang, Bo Chen, Alex Aved, and Dong Jin. "Towards Optimal and Executable Distribution Grid Restoration Planning with a Fine-Grained Power-Communication Interdependency Model." IEEE Transactions on Smart Grid, February 2022. Abstract: Distribution service restoration (DSR) under natural disasters is always a critical and challenging problem for utility companies. An effective solution must not ignore the power-communication interdependency as various systems are getting increasingly connected in the Smart Grid era. In this paper, we propose a two-layer distribution system model with both power and communication components. Based on this model, we formulate the restoration process as a routing problem that schedules the path and action sequence of utility crews that involves repairing damaged components, closing power switches, and enabling communication paths between the control center and remote field devices. We develop a simulation-based method to quantitatively evaluate the restoration process with public reference models of large-scale power systems. The experimental results show that our method improves the total restored energy up to 57.6% and reduces the recovery time up to 63% by considering the power-communication interdependency.
• Otto Piramuthu, Matthew Caesar, Towards a Lightweight VANET Authentication Protocol, ACM SIGAPP Symposium on Applied Computing, April 2022. Abstract: Security and privacy of vehicles, occupants of such vehicles, roadside infrastructure, and other entities that are part of Vehicular Ad hoc NETwork (VANET) cannot be overstated. Cryptography is commonly used to authenticate and to secure communication among VANET entities. As vehicles are mobile, it is essential for authentication protocols to be lightweight, quick, and with minimal number of passed messages. It is also necessary to ensure that these protocols are secure against attacks. However, extant authentication protocols are not necessarily lightweight and almost all of them are vulnerable to relay attacks. We propose secure and truly lightweight authentication protocols for the VANET environment.
• Otto Piramuthu, Matthew Caesar, Ling Ren, UAV/VANET Authentication for Real Time Highway Surveillance, ACM SIGAPP Symposium on Applied Computing, April 2022. Abstract: Unmanned aerial vehicles (UAVs) or drones have the potential to supplant helicopters in real-time highway surveillance applications due to cost, form factor, and other considerations. The wireless medium used for communication has the potential to expose a fleet of drones en route to surveillance to link failures and attacks on passed messages. Given the sparse topology, messages among UAVs, vehicles, and trusted authority could be transmitted through collaboration among UAVs and vehicles. Since vehicles and drones in a highway environment are mobile, related ad hoc network is continuously updated to account for reachability of transmitted signals. It is also necessary to authenticate the drones and vehicles to ensure that the transmitted messages are uncorrupted and trusted. To accommodate processing power and mobility constraints, we develop lightweight authentication protocols that facilitate secure message transfer. We also evaluate the security properties of these protocols.

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

In the current quarter, our project progress is centered on addressing SoS lablet hard problems primarily in resilient architecture. Key highlights are listed as follows.

• We continue to study the interdependence between the power system and the communication network to improve resilience in critical energy infrastructures, which addresses the resilient architecture hard problem. In the current quarter, our paper "Towards Optimal and Executable Distribution Grid Restoration Planning with a Fine-Grained Power-Communication Interdependency Model" has been published in IEEE Transactions of Smart Grid. In the paper, we formulated the restoration process as a routing problem that schedules the path and action sequence of utility crews that involves repairing damaged components, closing power switches, and enabling communication paths between the control center and remote field devices. We developed a simulation-based method to quantitatively evaluate the restoration process with public reference models of large-scale power systems (e.g., IEEE 123-node system, Ckt-7 system). The experimental results show that our method improves the total restored energy up to 57.6% and reduces the recovery time up to 63% by considering the power-communication interdependency.
• We continue to develop a simulation-based platform for cyber-physical system resilience and security evaluation, which addresses the resilient architecture and scalability hard problem. In the current quarter, we developed a lightweight virtual time system that integrates precise I/O time for container-based network emulation. We modeled and analyzed the temporal error during I/O operations and develop a barrier-based time compensation mechanism in the Linux kernel. The experimental results show that the temporal error can be reduced from 87.31% to 3.6% and the new system only introduces around 2% overhead of the total execution time. We submitted a manuscript describing this work to ACM SIGSIM-PADS 2022 in March 2022.
• We continue to explore methods to detect and mitigate attacks caused by IoT botnets in the context of smart grid to address the resilient architecture hard problem. In the current quarter, we formulated a mixed-integer linear programming model to minimize the cost of the IoT bots mitigation by considering the constraints of power supply and demand, hardware resources, and power network topology. We also developed a testbed integrating OpenDSS and Mininet and used it for MAD attack simulation, detection model training, and mitigation method evaluation. Finally, we are working on a case study based on the IIT Campus microgrid to evaluate the effectiveness of the proposed detection and mitigation mechanisms.
• We have developed a design and evaluation framework for a self-driving "service provider infrastructure" that leverages our prior work on verification and synthesis to address the resilient architecture hard problem. In the current quarter, we continue to focus on network and container orchestration systems (e.g., Kubernetes). Our platform leverages AI planning algorithms to synthesize steps the system needs to take to protect itself against incoming attacks from an intelligent adversary. The team has a collaborative research project on applying model checking to embedded devices and networks. One application is to verify the power system's full observability policy in phasor measurement unit network design under cyber-attacks and link/device failures.

COMMUNITY ENGAGEMENTS

• Matthew Caesar will serve on the Program Committee for USENIX NSDI 2023.
• Matthew Caesar is serving on the Program Committee for USENIX NSDI 2022.
• Matthew Caesar is serving as a co-chair for the Networking Channel (https://networkingchannel.eu/), an online talk series for computer networking, systems, and security topics that is a joint initiative between EU's Empower initiative, the National Science Foundation's PAWR office, and ACM SIGCOMM. Talks are held online and are open to all, to provide broad reach into the community.
• Matthew Caesar is serving as the Sponsor Chair for ACM SIGCOMM 2022.
• Kevin Jin will serve as a Program Co-chair for ACM SIGSIM-PADS 2023.
• Kevin Jin is serving on the Program Committee for the International Conference on Computer Communications and Networks (ICCCN) 2022.
• Kevin Jin is serving on the Program Committee for Workshop on ns-3 (WNS3) 2022.
• Kevin Jin is serving as a Program Co-chair for ACM SIGSIM-PADS 2022.

EDUCATIONAL ADVANCES

• Matthew Caesar co-organized an online event on the Networking Channel (https://www.networkingchannel.eu): Open educational resources for teaching and learning networking in March 2022. He previously co-chaired an event on improving diversity and inclusion in the systems and networking community on February 2022. He will also co-chair an event on network programmability in April 2022.
• Kevin Jin, Xiaoliang Wu, and Neil Mcglohon are organizing a Ph.D. colloquium as part of the ACM SIGSIM-PADS conference in June 2022. The Ph.D. colloquium will include a keynote speech, student presentations, and best student paper award competition.
• Matthew Caesar has undertaken substantial work to update his Internet of Things MOOC, which reaches over 17,000 students, including development of two new laboratory assignments allowing students to explore cybersecurity of Cisco IOS and core networks, as well as AWS IoT and cloud IoT platforms.
• Matthew Caesar is also teaching CS 437: Internet of Things at the University of Illinois, which covers advanced concepts and security practices in IoT, and which will be taught to about 150 on-campus graduates/undergraduates, as well as about 150 graduate students who are part of the Illinois Masters in Computer Science program, many of whom are software development professionals working in companies across many sectors.