Illinois Science of Security (SoS) Lablet

Formal Verification of End-to-End Deep Reinforcement Learning  slides | video
Yasser Shoukry, Assistant Professor, Resilient Cyber-Physical Systems Lab, Department of Electrical Engineering & Computer Science, University of California, Irvine
November 19, 2019, 3:00 p.m., CSL Auditorium (B02)

Abstract: From simple logical constructs to complex deep neural network models, Artificial Intelligence (AI)-agents are increasingly controlling physical/mechanical systems. Self-driving cars, drones, and smart cities are just examples of such systems to name a few. However, regardless of the explosion in the use of AI within a multitude of cyber-physical systems (CPS) domains, the safety, and reliability of these AI-enabled CPS is still an understudied problem. Mathematically based techniques for the specification, development, and verification of software and hardware systems, also known as formal methods, hold the promise to provide appropriate rigorous analysis of the reliability and safety of AI-enabled CPS. In this talk, I will discuss our work on applying formal verification techniques to provide formal verification of the safety of autonomous vehicles controlled by end-to-end machine learning models and the synthesis of certifiable end-to-end neural network architectures.

Predictable Autonomy for Cyber-Physical Systems  slides | video
Dr. Stanley Bak, Senior Research Scientist, Safe Sky Analytics
December 10, 2019, 3:00 p.m., CSL Auditorium (B02)

Abstract: Cyber-physical systems combine complex physics with complex software. Although these systems offer significant potential in fields such as smart grid design, autonomous robotics and medical systems, verification of CPS designs remains challenging. Model-based design permits simulations to be used to explore potential system behaviors, but individual simulations do not provide full coverage of what the system can do. In particular, simulations cannot guarantee the absence of unsafe behaviors, which is unsettling as many CPS are safety-critical systems. The goal of set-based analysis methods is to explore a system’s behaviors using sets of states, rather than individual states. The usual downside of this approach is that set-based analysis methods are limited in scalability, working only for very small models. This talk describes our recent process on improving the scalability of set-based reachability computation for LTI hybrid automaton models, some of which can apply to very large systems (up to one billion continuous state variables!). Lastly, we’ll discuss the significant overlap of techniques used for our scalable reachability analysis methods with set-based input/output analysis of neural networks.

Extensions of Network Reliability Analysis  slides | video
Hoang Hai Nguyen, Graduate Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
April 02, 2019, 3:00 p.m., CSL Auditorium (B02)

Abstract: Network reliability studies properties of networks subjected to random failures of their components. It has been widely adopted to modeling and analyzing real-world problems across different domains. Two practical situations that usually arise from such problems are (i) the correlation between component failures and (ii) the uncertainty in the failure probabilities, both of which are often overlooked from the literature. In this seminar, I will talk about recent developments in the theory of network reliability that aims at addressing both problems. For the first problem, we assign components with random variables while allowing the variables to be jointly distributed; for the second, we model component failure probabilities using Beta distributions. We study properties of the resulting reliability polynomials as polynomials of Beta random variables and demonstrate the use of model on two real-world systems.

Classifying Malware Represented as Control Flow Graphs using Deep Graph Convolution Neural Network  slides | video
Jiaqi Yan, Graduate Research Assistant, Illinois Institute of Technology
April 30, 2019, 3:00 p.m., CSL Auditorium (B02)

Abstract: Malware have been one of the biggest cyber threats in the digital world for a long time. Existing machine learning-based malware classification methods rely on handcrafted features extracted from raw binary files or disassembled code. The diversity of such features created has made it hard to build generic malware classification systems that work effectively across different operational environments. To strike a balance between generality and performance, we explore new machine learning techniques to classify malware programs represented as their control flow graphs (CFGs). To overcome the drawbacks of existing malware analysis methods using inefficient and non-adaptive graph matching techniques, in this work, we build a new system that uses deep graph convolutional neural network to embed structural information inherent in CFGs for effective yet efficient malware classification. We use two large independent datasets that contain more than 20K malware samples to evaluate our proposed system and the experimental results show that it can classify CFG-represented malware programs with performance comparable to those of the state-of-the-art methods applied on handcrafted malware features.

Paulo Esteves-Verissimo, University of Luxembourg
April 28, 2017, 4:00 p.m., B02 Coordinated Science Laboratory

slides | video

Abstract: Computing and communications infrastructures have become commodities which societies largely depend on, transacting huge quantities of data and exhibiting pervasive interconnections, sometimes in critical conditions. However, the actual magnitude that security and dependability risks may assume, is often misperceived. The information society has been assuming risk behaviours, without the adequate protection. Many stakeholders, not only end-users but vendors, service providers, public administrations and — what may be surprising — even governments, seem to ignore those risks, in different ways.

Yet, as will be shown in the talk, the problem should be obvious from the symptoms that have lately seen the light. Threats are everyday more powerful, massive or targeted attacks and advanced persistent threats entered the situational awareness agenda of nations. However, systems remain flaky, sometimes seemingly intentionally, vulnerabilities persist, and partial and/or specific fixes imperfectly mend what are sometimes global problems. Grand challenges deserve grand solutions, and so the talk will conclude along two lines of discussion, as a contribution to the debate on science of cybersecurity: effective strategies for cybersecurity are in dire need; advanced research breaking with traditional paradigms is required.

Bio: Paulo Esteves-Veríssimo is a Professor and FNR PEARL Chair at the University of Luxembourg Faculty of Science, Technology and Communication (FSTC), since fall 2014, and head of the CritiX lab (Critical and Extreme Security and Dependability) at SnT, the Interdisciplinary Centre for Security, Reliability and Trust at the same University (http://wwwen.uni.lu/snt). He is adjunct Professor of the ECE Dept., Carnegie Mellon University. Previously, he has been a Professor of the Univ. of Lisbon, member of the Board of the same university and Director of LaSIGE (http://lasige.di.fc.ul.pt). Veríssimo is Fellow of the IEEE and Fellow of the ACM, and he is associate editor of the IEEE Transactions on Computers. He is currently Chair of the IFIP WG 10.4 on Dependable Computing and Fault-Tolerance and vice-Chair of the Steering Committee of the IEEE/IFIP DSN conference. He is currently interested in secure and dependable distributed architectures, middleware and algorithms for: resilience of large-scale systems and critical infrastructures, privacy and integrity of highly sensitive data, and adaptability and safety of real-time networked embedded systems. He is author of over 180 peer-refereed publications and co-author of 5 books.

Peter Popov, City, University of London
March 23, 2017, 2:00 p.m., 141 Coordinated Science Laboratory

slides

Abstract: This talk will present an approach to modelling the effect of cyber-attacks on reliability of software used in industrial control applications. The model is based on the view that successful cyber-attacks introduce failure regions, which are not present in non-compromised software. The model is then extended to cover a fault tolerant architecture such as the 1-out-of-2 software, popular to build industrial protection systems. The model is used to study the effectiveness of software maintenance policies such as patching and “cleansing” under different adversary models ranging from independent attacks on the channels to sophisticated synchronized attacks on the channels. The studies demonstrate that the effect of attacks on reliability of diverse software is significantly affected by the adversary model. Under synchroniz ed attacks system reliability may be more than an order of magnitude worse than under independent attacks on the channels. These findings, although not surprising, highlight the importance of using an adequate adversary model in the assessment of the effectiveness of cyber-security controls.

Bio: Peter Popov is Reader in the Centre for Software Reliability, City, University of London, United Kingdom. He joined the Centre in 1997 after a career in industry and in Bulgarian Academy of Sciences. He was a visiting scientist at LAAS, Toulouse, France and at the University of Illinois at Urbana-Champaign and currently at Duke University.

Anonymity in the Bitcoin Peer-to-Peer Network  slides | video
Giulia Fanti, Postdoctoral Research Associate, Coordinated Science Lab, University of Illinois at Urbana-Champaign
February 21, 2017, 4:00 p.m., CSL Auditorium (B02)

Abstract: Bitcoin enjoys a public perception of being a ‘privacy-preserving’ financial system. In reality, Bitcoin has a number of privacy vulnerabilities, including the well-studied fact that transactions can be linked through the public blockchain. More recently, researchers have demonstrated deanonymization attacks that exploit a lower-layer weakness: the Bitcoin peer-to-peer (P2P) networking stack. In particular, the P2P network currently forwards content in a structured way that allows observers to deanonymize users by linking their transactions to the originating IP addresses. In this work, we first demonstrate that current protocols exhibit poor anonymity guarantees, both theoretically and in practice. Then, we consider a first-principles redesign of the P2P network, with the goal of providing strong, provable anonymity guarantees. We propose a simple networking policy called Dandelion, which achieves nearly-optimal anonymity guarantees at minimal cost to the network’s utility.

CANCELLED: Combining Simulation and Emulation Systems for Smart Grid Planning and Evaluation 
Christopher Hannon, Graduate Research Assistant, Computer Science, Illinois Institute of Technology
February 28, 2017, 4:00 p.m., CSL Auditorium (B02)

Abstract: The successful operations of modern power grids are highly dependent on a reliable and efficient underlying communication network. Researchers and utilities have started to explore the opportunities and challenges of applying the emerging software-defined networking (SDN) technology to enhance efficiency and resilience of the Smart Grid. This trend calls for a simulation-based platform that provides sufficient flexibility and controllability for evaluating network application designs, and facilitating the transitions from in-house research ideas to real productions. In this paper, we present DSSnet, a hybrid testing platform that combines a power distribution system simulator with an SDN emulator to support high fidelity analysis of communication network applications and their impacts on power systems. Our contributions lay in the design of a virtual time system with the tight controllability on the execution of the emulation system, i.e., pausing and resuming any specified container processes in the perception of their own virtual clocks, with little overhead scaling to 500 emulated hosts with an average of 70 ms overhead; and also lay in the efficient synchronization of the two sub-systems based on the virtual time. We evaluate the system performance of DSSnet, and also demonstrate the usability through a case study by evaluating a demand response application.

Optimal Data Rate for State Estimation of Switched Nonlinear Systems  slides | video
Hussein Sibai, Graduate Research Assistant, Coordinated Science Lab, University of Illinois at Urbana-Champaign
April 11, 2017, 4:00 p.m., CSL Auditorium (B02)

Abstract: State estimation is a fundamental problem for monitoring and controlling systems. Engineering systems interconnect sensing and computing devices over a shared bandwidth-limited channels, and therefore, estimation algorithms should strive to use bandwidth optimally. We present a notion of entropy for state estimation of switched nonlinear dynamical systems, an upper bound for it and a state estimation algorithm for the case when the switching signal is unobservable. Our approach relies on the notion of topological entropy and uses techniques from the theory for control under limited information. We show that the average bit rate used is optimal in the sense that, the efficiency gap of the algorithm is within an additive constant of the gap between estimation entropy of the system and its known upper-bound. We apply the algorithm to two system models and discuss the performance implications of the number of tracked modes.

Nathaniel Gleicher, Illumio
January 17, 2017, 4:00 p.m., B02 Coordinated Science Laboratory

video

Abstract: Since the Secret Service began protecting the President full time in 1906, only 7 attackers have reached the President. From a cybersecurity defender’s perspective, the President is the ultimate high-value asset – incredibly important, but impossible to lock away in a sealed vault. But despite the similarity, the cybersecurity industry’s record is nowhere close to the Secret Service’s record. This talk will focus on what cybersecurity experts can learn from the Secret Service’s approach.

Bio: Nathaniel Gleicher is trained as a computer scientist and a lawyer, and works at the intersection of technology, policy, and law. He is currently the Head of Cybersecurity Strategy at Illumio, where he heads the company’s thought leadership and public engagement and oversees its cybersecurity technology strategy. Nathaniel is a regular speaker at leading industry events, and his writing has appeared in industry publications, the popular press, and academic journals.

Prior to Illumio, Nathaniel investigated and prosecuted domestic and international cybercrime at the U.S. Department of Justice, advised the South Korean Government on technology policy, and served as Director for Cybersecurity Policy on the National Security Council at the White House. He has also taught computer programming, designed and developed custom e-commerce and database solutions, and built and secured computer networks. Nathaniel received a B.S. in computer science from the University of Chicago, and a J.D. from Yale Law School.

Franziska Roesner, University of Washington
October 18, 2016, 2:00 p.m., B02 Coordinated Science Laboratory

slides | video

Abstract: As our world becomes more computerized and interconnected, computer security and privacy will continue to increase in importance. My work focuses on investigating computer security and privacy challenges for end users of existing and emerging technologies, and designing and building new systems that better match user expectations. This talk will describe two case studies. First, I will discuss our work on studying the web tracking ecosystem, including a longitudinal study from 1996-2016 and the design of a new defense. I will then describe user-driven access control, a model for granting permissions to applications in modern operating systems that works by extracting permission information from natural user actions. Our recent work enables user-driven access control even for unmodified operating systems. Finally, I will briefly describe our ongoing work on security for emerging augmented reality platforms and security for journalist-source communications.

Bio: Franziska (Franzi) Roesner is an Assistant Professor in Computer Science and Engineering at the University of Washington, where she co-directs the Security and Privacy Research Lab. Her research focuses on understanding and improving computer security and privacy for end users of existing and emerging technologies, including the web, smartphones, and emerging augmented reality and IoT platforms. Her work on application permissions in modern operating systems received the Best Practical Paper Award at the IEEE Symposium on Security and Privacy, her early work on security and privacy for augmented reality was featured on the cover of the Communications of the ACM magazine, and her defense for tracking by social media widgets on the web was incorporated into the Electronic Frontier Foundation’s Privacy Badger tool. She received her PhD from the University of Washington in 2014 and her BS from the University of Texas at Austin in 2008.

David Stern, DISA
September 14, 2016, 1:30 p.m., 3403 Siebel Center for Computer Science

Abstract: Advances and innovation in traditional networks have resulted in new approaches to the employment of the network, compute, storage, and security within the DoD. With the overwhelming operational requirement to provide and secure information capabilities for the warfighter within minutes, a new paradigm that collapses the organizational boundaries between network, compute, storage, and security is occurring. This session will discuss capabilities such as automated provisioning that are currently moving towards production and newer defensive cyber operations innovations such as on demand movement of live compute and storage applications, on demand composition changes to the footprint of DoD networks, on demand connections to commercial cloud and private endpoints, and methods that DISA is exploring to singularly command and control service orchestration, delivery, and visibility within a converged information core.

David Stern is Network Evolution Architect at DISA, which is the network service provider for the U.S. Department of Defense.

Nadia Heninger, University of Pennsylvania
October 6, 2016, 4:00 p.m., B02 Coordinated Science Laboratory

slides

Abstract: To comply with 1990s-era US export restrictions on cryptography, early versions of SSL/TLS supported reduced-strength ciphersuites that were restricted to 40-bit symmetric keys and 512-bit RSA and Diffie-Hellman public values.  Although the relevant export restrictions have not been in effect since 2000, modern implementations often maintain support for these cipher suites along with old protocol versions.

In this talk, I will discuss recent attacks against TLS (FREAK, Logjam, and DROWN) demonstrating how server-side support for these insecure ciphersuites harms the security of users with modern TLS clients.  These attacks exploit a combination of clever cryptanalysis, advances in computing power since the 1990s, previously undiscovered protocol flaws, and implementation vulnerabilities.

Bio: Nadia Heninger is an assistant professor in the Computer and Information Science department at the University of Pennsylvania. Her research focuses on security, applied cryptography, and algorithms. Previously, she was an NSF Mathematical Sciences Postdoctoral Fellow at UC San Diego and a visiting researcher at Microsoft Research New England. She received her Ph.D. in computer science in 2011 from Princeton and a B.S. in electrical engineering and computer science in 2004 from UC Berkeley.

Spy vs. Spy: Anonymous Messaging over Networks slides | video
Giulia Fanti, Postdoctoral Research Associate, Coordinated Science Lab, University of Illinois at Urbana-Champaign
August 30, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: Anonymous microblogging platforms, such as Whisper, Yik Yak, and Secret have emerged as important tools for sharing one’s thoughts without fear of judgment by friends, the public, or authorities. These platforms provide anonymity by allowing users to share content (e.g., short messages) with their peers without revealing authorship information to other users. However, recent advances in rumor source detection show that existing messaging protocols, including those used in the mentioned anonymous microblogging applications, leak authorship information when the adversary has global access to metadata. For example, if an adversary can see which users of a messaging service received a particular message, or the timestamps at which a subset of users received a given message, the adversary can infer the message author’s identity with high probability. We introduce a novel anonymous messaging protocol, which we call adaptive diffusion, that is designed to resist such adversaries. We show that adaptive diffusion spreads messages quickly while achieving provably-optimal anonymity guarantees for specific classes of connectivity networks. Simulations on real social network data show that adaptive diffusion effectively hides the location of the source on real-world networks.

Oreo: Transparent Optimization to Enable Flexible Policy Enforcement in Software Defined Networks  slides | video
Santhosh Prabhu, Research Assistant, Computer Science, University of Illinois at Urbana-Champaign
October 11, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: Commercial networks today have diverse security policies, defined by factors such as the type of traffic they carry, nature of applications they support, access control objectives, organizational principles etc. Ideally, the wide diversity in SDN controller frameworks should prove helpful in correctly and efficiently enforcing these policies. However, this has not been the case so far. By requiring the administrators to implement both security as well as performance objectives in the SDN controller, these frameworks have made the task of security policy enforcement in SDNs a challenging one. We observe that by separating security policy enforcement from performance optimization, we can facilitate the use of SDN for flexible policy management. To this end, we propose Oreo, a transparent performance enhancement layer for SDNs. Oreo allows SDN controllers to focus entirely on a correct security policy enforcement, and transparently optimizes the dataplane thus defined, reducing path stretch, switch memory consumption etc. Optimizations are performed while guaranteeing that end-to-end reachability characteristics are preserved – meaning that the security policies defined by the controller are not violated. Oreo performs these optimizations by first constructing a network-wide model describing the behavior of all traffic, and then optimizing the paths observed in the model by solving a multi-objective optimization problem. Initial experiments suggest that the techniques used by Oreo is effective, fast, and can scale to commercial-sized networks.

Automated Generation of Attack Signatures in Attack Graphs  slides | video
Phuong Cao, Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
November 1, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: In this talk, we investigate applications of Factor Graphs to automatically generate attack signatures from security logs and domain expert knowledge. We demonstrate advantages of Factor Graphs over traditional probabilistic graphical models such as Bayesian Networks and Markov Random Fields in modeling security attacks. We illustrate Factor Graphs models using case studies of real attacks observed in the wild and at the National Center for Supercomputing Applications. Finally, we investigate how factor functions, a core component of Factor Graphs, can be constructed automatically to potentially improve detection accuracy and allow generalization of trained Factor Graph models in a variety of systems.

Towards Privacy-Preserving Mobile Utility Apps: A Balancing Act  slides | video
Dengfeng Li, Research Assistant, Computer Science, University of Illinois at Urbana-Champaign
November 29, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: Among various types of mobile apps, mobile utility apps are increasingly becoming data-driven, and these apps tend to collect a significant amount of app usage data to carry out their promised utilities and enhance user experiences. A part of such app usage data often contains security-sensitive information. Thus, an important and challenging issue arises: how to balance between the user’s privacy and the utility app’s utility functionality. We propose techniques to enable users to determine what original values to keep in sanitized data in order to deliver a desirable level of utility efficacy. To accomplish our goal, we (1) incorporate user assistance for app exploration and abnormal-behavior detection, (2) support user validation of malicious-app candidates via program-repair techniques, and (3) sanitize users’ app usage data to balance between privacy preservation and utility efficacy.

Behavioral Analysis for Cyber Resilience  slides | video
Ahmed Fawaz, Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
December 6, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: Systems and attacks are becoming more sophisticated; classical security methods are failing to protect and secure those systems. We believe that systems should be built to be resilient to attacks.  Cyber Resiliency is the protection strategy that will secure modern systems that control our critical infrastructure. Instead of perfectly protecting the system, a resilient system survives a cyber incident by detecting and containing attacks while maintaining service.

In this talk, we describe our proposed resiliency architecture that uses a model of the system to deploy monitors, estimate the state of the system using monitor data, and selects responses to maintain service during attacks. Then we design the essential components of the said resiliency architecture for a multitude of systems including operating systems and hosts and enterprise networks. The components we build are monitor design, monitor view generation, fusion, and response.  However, several practical and theoretical challenges hinder a cyber-resilient architecture. In particular, the architecture needs to deal with the plethora of monitoring with different semantics and time scales. Moreover, the system is dependent on the integrity of the monitoring data when estimating the state of the system. The integrity of the monitoring data is critical to making “correct” decisions that are not influenced by the attacker. Finally, the response mechanisms need to be proven effective in maintaining the resilience of the system. Proving such properties is particularly challenging because of the complexity of the systems. Our pieces address the challenges that face the cyber resiliency architecture.

First, we designed a host-level monitor, Kobra, that combines the various views of application behaviors into a signal, then learns the baseline of acceptable behaviors. We use the baseline for anomaly detection. Since our cyber resiliency architecture depends on the integrity of the monitoring data, we designed PowerAlert, an out-of-box integrity checker. PowerAlert uses CPU power measurements, measured using an external probe, to verify that the machine executed the check as expected. To prevent an attacker from evading PowerAlert, we use random initiation times and random integrity checking programs. Finally, we use Kobra’s host-level views to correlate events that happen in a network. First, we propose a fusion framework that enables us to fuse monitoring events for different sources. Then using the framework, we collect lateral movement chains across the network.  We form the chain using network causation events. Those causations are inferred using Kobra’s process communications view.