A Monitoring Fusion and Response Framework to Provide Cyber Resiliency

Secure icon in human head chalk drawingInvestigator: William Sanders

Researchers: Brett Feddersen, Atul Bohara, Carmen Cheh, Ahmed Fawaz, Mohamad Noureddine, Uttam Thakore, and Benjamin E. Ujcich

Our RRE work incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. In the area of intrusion detection, we proposed data-driven model-based frameworks to detect abnormal movement in a system. We have used lateral movement within an enterprise network and physical movement within railway transit stations as examples. For the physical movement case, we have developed a framework that uses the building topology and historical user movement data in order to build models that describe normal user movement behavior. During system operation, physical accesses are compared to the models and those that deviate from the model are labeled as malicious. In that work, we use real-world physical data to show that our approach can detect malicious movement in an online manner.

For lateral movement within an enterprise network, we have developed an approach to correlate lateral movement behavior with command and control indicators to identify infected hosts. The approach uses an ensemble of anomaly detectors to have an accurate detection even when attacker deviates from assumed threat model. As an example, we modelled lateral movement within the network using a virus spread model. RRE takes as input information about which host are part of the lateral movement. RRE responds by first allowing the attack to proceed to learn more about it, and then by designing an optimal response (changing connectivity and healing events) to stop the spread. In this work, we prove that the response results in a stable disease-free equilibrium.

We tackled the problem of ensuring cloud application resiliency against application distributed denial of service attacks (DDoS). We proposed an engine that uses OpenStack’s cloud telemetry infrastructure to monitor the cloud applications and uses change point detection to differentiate periods of high load from DDoS attacks. Once an attack has been detected, the engine bootstraps a resiliency response module that use proof of work client puzzles to rate limit attackers in a stateless fashion. Finally, we suggest that the monitoring information can be used to perform horizontal scaling of the cloud application when under attack.

Hard Problems Addressed


  1. Benjamin E. Ujcich, Andrew Miller, Adam Bates, and William H. Sanders, “Towards an Accountable Software-Defined Networking Architecture”, 3rd IEEE Conference on Network Softwarization (NetSoft 2017), Bologna, Italy, July 3-7, 2017. [full text]
  2. C. Cheh, B. Chen, W. G. Temple, and W. H. Sanders, “Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs”, 14th International Conference on Quantitative Evaluation of Systems (QEST 2017), Berlin, Germany, September 5-7, 2017. [full text]
  3. Atul Bohara, Mohammad A. Noureddine, Ahmed Fawaz, and William H. Sanders, “An Unsupervised Multi-Detector Approach for Identifying Malicious Lateral Movement”, 36th IEEE International Symposium on Reliable Distributed Systems (SRDS 2017), Hong Kong, China, September 26-29, 2017, to appear.


  1. November 2016, Monthly UIUC/R2 Presentation, Ahmed Fawaz: PowerAlert: An Integrity Checker using Power Measurement [slides]
  2. December 2016, Monthly UIUC/R2 Presentation, Atul Bohara: A Framework for Detection and Containment of Lateral Movement-Based Attacks [slides]
  3. January 2017, Monthly UIUC/R2 Presentation, Carmen Cheh: Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs [slides]
  4. March 2017, Monthly UIUC/R2 Presentation, Uttam Thakore: Prioritization of Cloud System Monitoring for Incident Response [slides]
  5. March 2017, Monthly UIUC/R2 Presentation, Benjamin Ujcich: Accountable SDNs for Cyber Resiliency [slides]
  6. April 2017, Monthly UIUC/R2 Presentation, Mohammad Noureddine: A Comprehensive Framework for DDoS Resiliency in the Cloud [slides]
  7. June 2017, Monthly UIUC/R2 Presentation, Ahmed Fawaz: Lateral Movement Detection and Response [slides]
  8. September 2017, Monthly UIUC/R2 Presentation, Benjamin Ujcich: Securing SDNs with App Provenance [slides]