A Monitoring Fusion and Response Framework to Provide Cyber Resiliency

Investigator: William Sanders

Researchers: Brett Feddersen, Ken Keefe, Carmen Cheh, Uttam Thakore, and Ben Ujcich

There exists a basic asymmetry between the attacker and the defender in cyber-security. The attacker needs to find a single weakness, whereas the defender has to consider all attack scenarios. Although traditional perimeter-based security strategies are necessary, they fall short of shifting the balance in this asymmetry towards the defender. Resilience, i.e., the system’s ability to maintain operation in the presence of attacks, is key to reinforcing the security of cyber systems. The goal of this project is to develop scientifically grounded and practically feasible techniques to build resilient systems that can detect and respond to malicious activities. It is our hypothesis that a data-driven, autonomous, and adaptive response engine is of tremendous importance to protecting digital assets and infrastructure. The key output of this research will be a cyber-resilience framework founded on sound premises such as game theory, control theory, and machine learning. This framework will serve to (1) disrupt attackers’ abilities to achieve their goals, (2) reduce the security response teams’ information overload while delegating tasks to the response engine, and (3) incrementally improve the monitoring and system configurations.

Designing our resilience framework will entail four main tasks. First, we will develop an in-depth system modeling approach that captures relevant knowledge about the system while balancing usability and richness. Second, to generate actionable data, we will design and implement data-driven and learning-based techniques to integrate events originating from strategically deployed security monitors. Next, we will devise and implement efficient and scalable decision-making tools for response. Finally, we will validate the proposed tools by deploying an OpenStack private cloud testbed to simulate and evaluate prototype implementations of our solutions in real-world scenarios.

We will validate the resilience techniques both at the functional level (validating our algorithms and design) and at the system level (validating a prototype implementation). We will make use of an
OpenStack testbed in which we will build scenarios to implement and test the proposed solutions. We will evaluate the monitoring and fusion techniques for efficiency, scalability, and improved attack detection, and the response techniques for scalability and ability to achieve resilience. In all cases, we will replay attack steps using publicly available datasets and resort to discrete-event simulation and synthesized attack steps when datasets are not available. We will consider several adversary profiles, including distributed denial-of-service, lateral movement, and malicious insiders. We will use insights from the evaluation to drive improvements to our theoretical models and assumptions.

Hard Problems Addressed


  1. Benjamin E. Ujcich, Andrew Miller, Adam Bates, and William H. Sanders, “Towards an Accountable Software-Defined Networking Architecture”, 3rd IEEE Conference on Network Softwarization (NetSoft 2017), Bologna, Italy, July 3-7, 2017. [full text]
  2. C. Cheh, B. Chen, W. G. Temple, and W. H. Sanders, “Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs”, 14th International Conference on Quantitative Evaluation of Systems (QEST 2017), Berlin, Germany, September 5-7, 2017. [full text]
  3. Atul Bohara, Mohammad A. Noureddine, Ahmed Fawaz, and William H. Sanders, “An Unsupervised Multi-Detector Approach for Identifying Malicious Lateral Movement”, 36th IEEE International Symposium on Reliable Distributed Systems (SRDS 2017), Hong Kong, China, September 26-29, 2017. [full text].


  1. November 2016, Monthly UIUC/R2 Presentation, Ahmed Fawaz: PowerAlert: An Integrity Checker using Power Measurement [slides]
  2. December 2016, Monthly UIUC/R2 Presentation, Atul Bohara: A Framework for Detection and Containment of Lateral Movement-Based Attacks [slides]
  3. January 2017, Monthly UIUC/R2 Presentation, Carmen Cheh: Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs [slides]
  4. March 2017, Monthly UIUC/R2 Presentation, Uttam Thakore: Prioritization of Cloud System Monitoring for Incident Response [slides]
  5. March 2017, Monthly UIUC/R2 Presentation, Benjamin Ujcich: Accountable SDNs for Cyber Resiliency [slides]
  6. April 2017, Monthly UIUC/R2 Presentation, Mohammad Noureddine: A Comprehensive Framework for DDoS Resiliency in the Cloud [slides]
  7. June 2017, Monthly UIUC/R2 Presentation, Ahmed Fawaz: Lateral Movement Detection and Response [slides]
  8. September 2017, Monthly UIUC/R2 Presentation, Benjamin Ujcich: Securing SDNs with App Provenance [slides]