Visible to the public An Automated Synthesis Framework for Network Security and Resilience - January 2023Conflict Detection Enabled

Submitted by mikeprosise on Thu, 01/12/2023 - 1:43pm

PI: Matthew Caesar

Co-PI: Dong (Kevin) Jin

Researchers: Matthew Caesar, Dong (Kevin) Jin, Bingzhe Liu, Santhosh Prabhu, Xiaoliang Wu

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

This project is developing the analysis methodology needed to support scientific reasoning about the resilience and security of networks, with a particular focus on network control and information/data flow. The core of this vision is an automated synthesis framework (ASF), which will automatically derive network state and repairs, from a set of specified correctness requirements and security policies. ASF consists of a set of techniques for performing and integrating security and resilience analyses applied at different layers in a real-time and automated fashion. This project is building both theoretical underpinnings and a practical realization of Science of Security. The proposed project covers four hard problems: (1) resilient architectures (primary), (2) scalability and composability, (3) policy-governed secure collaboration, and (4) security-metrics-driven evaluation, design, development and deployment.

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

  • O. Piramuthu and M. Caesar. VANET Authentication Protocols: Security Analysis and a Proposal. Journal of Supercomputing, Springer, December 2022
  • Dong Jin, Yanfeng Qu, Xin Liu, Christopher Hannon, Jiaqi Yan, Alex Aved, Philip Morrone. Dynamic Data-Driven Approach for Cyber Resilient and Secure Critical Energy Systems, Book Chapter, Handbook of Dynamic Data Driven Applications Systems, Volume 2, Springer
  • Reuben Samson Raj and Dong Jin. A Framework to Evaluate PMU Networks for Resiliency Under Network Failure Conditions. IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), October 2022.
  • Umar Farooq, Mubashir Anwar, Haris Noor, Rashid Tahir, Santhosh Prabhu, Ali Kheradmand, Matthew Caesar, Fareed Zaffar, FORTIFY: Software Defined Data Plane Resilience, IEEE NFV-SDN, November 2022. (Received best paper award)

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

In the current quarter, our project progress is centered on addressing SoS lablet hard problems primarily in resilient architecture. Key highlights are listed as follows.

  • We continue to develop a simulation-based platform for cyber-physical system resilience and security evaluation, which addresses the resilient architecture and scalability hard problem. In the current quarter, we further improved our lightweight virtual time system, VT-IO, that integrates precise I/O time for container-based network emulation. In particular, we modeled and analyzed the temporal error during I/O operations and developed a barrier-based time compensation mechanism in the Linux kernel. We also designed and implemented a dynamic load monitor to mitigate the temporal error during I/0 resource contention. VT-IO enables accurate virtual time advancement with precise I/O time measurement and compensation. The experimental results show that the temporal error is reduced from 7.888 seconds to 0.006 seconds with the new dynamic load monitor, by only introducing around 2% overhead of the total execution time. A paper describing the work has been submitted to ACM TOMACS.
  • We have developed a design and evaluation framework for a self-driving "service provider infrastructure" that leverages our prior work on verification and synthesis to address the resilient architecture hard problem. In the current quarter, we worked with AT&T to develop an application of our approach to Radio Access Networks (RANs). AT&T has expressed interest in the work to improve operational security and reliability of their RANs. As part of our efforts, we developed models of key components within a RAN, including their preconditions and postconditions. We constructed implementations of these models in the Planning Domain Definition Language (PDDL). We also constructed a simulation framework for a RAN using the ns-3 simulation platform. We are working with AT&T to gain access to relevant workload (traffic, workload, and event/failure logs), which we will use to replay against our implementation to study performance.
  • We continue to apply programmable networks (P4) to enhance cyber security and resilience of energy systems to address the resilient architecture hard problem. In the current quarte, we have developed a general programmatic framework to enable operators to encode constraints on message ordering, packet header and payload values, and path attributes in intuitive ways based on regular expressions. We have developed new algorithms to automatically compile these supplied constraints into P4 programs, obviating the need for human operators to take the more complex and error-prone process of programming their goals directly into P4. To validate our approach, we have undertaken a study of 12 known high-profile attacks on energy grid infrastructures, and investigated the ability of our model to detect and constrain these attacks.

COMMUNITY ENGAGEMENTS

  • Matthew Caesar is serving as the Vice Chair for ACM SIGCOMM
  • Matthew Caesar is serving on the Steering Committees for ACM CoNEXT and ACM SOSR
  • Kevin Jin is serving as an Associate Editor for ACM TOMACS.
  • Kevin Jin is serving as a Program Co-chair for ACM SIGSIM-PADS 2023.
  • Kevin Jin is serving as a guest editor for TOMACS-PADS special issue 2022/2023
  • Matthew Caesar is serving on the Program Committee for USENIX NSDI 2023 and ACM CoNEXT 2023. He will serve on the Program Committee for USENIX NSDI 2024..
  • Matthew Caesar is serving as a co-chair for the Networking Channel (https://networkingchannel.eu/), an online talk series for computer networking, systems, and security topics that is a joint initiative between EU's Empower initiative, the National Science Foundation's PAWR office, and ACM SIGCOMM. Talks are held online and are open to all, to provide broad reach into the community.

EDUCATIONAL ADVANCES

  • Matthew Caesar has run a summer camp on the Security of Internet of Things in summer of 2022 through UIUC's WYSE program, which admits diverse and underrepresented high school students from across the United States. The program exposed students to technology and career opportunities in the realm of cyber security, and featured talks by industry professionals and experts. Matthew and Kevin plan to work together to expand the camp for 2023, incorporating novel applications and laboratory exercises, as well as an on-site visit to UIUC's TCIP center, which houses testbeds and demonstrative infrastructures for power grid cybersecurity.
  • Kevin Jin is advising three undergraduate Honor's theses with the topic on cyber secure and resilient energy systems. In the current quarter, Jack Norris received the State Undergraduate Research Fellowship (SURF), and Luke Waind received the Honors College Research Grant.
  • Kevin Jin has developed a new graduate class "Advanced Network Security" at the University of Arkansas. This class aims to provide a thorough grounding in cyber-security for students who are interested in conducting research and development work on network security and for students who are more broadly interested in real-world security issues and techniques. The class will be offered in Spring 2023.
  • Neil Getty successfully defended his Ph.D. dissertation in July 2022. He joined Argonne National Lab as a Computational Scientist.
  • Matthew Caesar has undertaken substantial work to update his Internet of Things MOOC, which reaches over 17,000 students, including development of two new laboratory assignments allowing students to explore cybersecurity of Cisco IOS and core networks, as well as AWS IoT and cloud IoT platforms.
  • Matthew Caesar is also teaching CS 437: Internet of Things at the University of Illinois, which covers advanced concepts and security practices in IoT, and which will be taught to about 150 on-campus graduates/undergraduates, as well as about 150 graduate students who are part of the Illinois Masters in Computer Science program, many of whom are software development professionals working in companies across many sectors.
Groups: