Data Driven Security Models and Analysis

Investigators: Ravishankar Iyer, Zbigniew Kalbarczyk, and Adam Slagell

Researchers: Phuong Cao and Key-whan Chung

This project develops a science of deriving from data models and metrics suitable for recognizing, mitigating, and containing attacks within a network. Our approach uses production-scale data; our initial study of security incidents at NCSA from 2005 to 2012 motivates methods for discovering relationships and time sequences of events in vast amounts of log data, and this research has given us both insight into, and a basis for, monitoring and analyzing secure systems. The challenge is to capture and identify attackers' actions from the measurements, to develop predictive models of attacker behavior before and during an attack, and thus to build a framework within which to reason about attacks independently of the vulnerability exploited or the attack pattern adopted. Our project looks at models and metrics driving (1) cross-layer monitoring and detection, (2) attack containment, and (3) situational awareness.

Hard Problems Addressed

Publications

  1. Cuong Pham, Zachary Estrada, Phuong Cao, Zbigniew Kalbarczyk, and Ravishankar Iyer, “Building Reliable and Secure Virtual Machines using Architectural Invariants”, IEEE Security and Privacy Magazine, volume 12, issue 5, September – October 2014. [full text]
  2. Cuong Pham, Zachary Estrada, Zbigniew Kalbarczyk, and Ravishankar Iyer, “Reliability and Security Monitoring of Virtual Machines using Hardware Architectural Invariants”, 44th International Conference on Dependable Systems and Networks, Atlanta, GA, June 23-26, 2014. William C. Carter Award for Best Paper based on PhD work and Best Paper Award voted by conference participants. [full text]
  3. G. Wang, Zachary Estrada, Cuong Pham, Zbigniew Kalbarczyk, and Ravishankar Iyer, “Hypervisor Introspection: Exploiting Timing Side-Channels against VM Monitoring”, 44th International Conference on Dependable Systems and Networks, Atlanta, GA, June 23-26, 2014. [abstract]
  4. Phuong Cao, Eric Badger, Zbigniew Kalbarczyk, Ravishankar Iyer and Adam Slagell, “Preemptive Intrusion Detection: Theoretical Framework and Real-World Measurements”, Symposium and Bootcamp for the Science of Security (HotSoS 2015), April 21-22, 2015. [full text]
  5. Phuong Cao, Eric Badger, Zbigniew Kalbarczyk, Ravishankar Iyer, Alexander Withers and Adam Slagell, “Towards an Unified Security Testbed and Security Analytics Framework”, Symposium and Bootcamp for the Science of Security (HotSoS 2015), April 21-22, 2015. [abstract]
  6. Phuong Cao, “An Experiment Using Factor Graph for Early Attack Detection”, Master of Science Thesis, University of Illinois at Urbana-Champaign, May 2015. [full text]
  7. Zachary J. Estrada, Cuong Pham, Fei Deng, Zbigniew Kalbarczyk, Ravishankar K. Iyer, and Lok Yan, “Dynamic VM Dependability Monitoring Using Hypervisor Probes”, 11th European Dependable Computing Conference-Dependability in Practice (EDCC 2015), Paris, France, September 7-11, 2015. [full text]
  8. Key-whan Chung, Charles A. Kamhoua, Kevin A. Kwiat, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer, “Game Theory with Learning for Cyber Security Monitoring”, IEEE High Assurance Systems Engineering Symposium (HASE 2016), Orlando, FL, January 7-9, 2016. [full text]
  9. Phuong Cao, Eric Badger, Zbigniew Kalbarczyk, and Ravishankar Iyer, “A Framework for Generation, Replay and Analysis of Real-World Attack Variants”, Symposium and Bootcamp on the Science of Security (HotSoS 2016), Pittsburgh, PA, April 20-21, 2016. [full text]
  10. Hui Lin, Homa Alemzadeh, Daniel Chen, Zbigniew Kalbarczyk, and Ravishankar K. Iyer, “Safety-critical Cyber-physical Attacks: Analysis, Detection, and Mitigation”, Symposium and Bootcamp on the Science of Security (HotSoS 2016), Pittsburgh, PA, April 20-21, 2016. [full text]
  11. Keywhan Chung, Valerio Formicola, Zbigniew T. Kalbarczyk, and Ravishankar K. Iyer, “Attacking Supercomputers Through Targeted Alteration of Environmental Control: A Data Driven Case Study”, IEEE Conference on Communications and Network Security (CNS 2016), Philadelphia, PA, October 17-19, 2016. [full text]

Presentations

  1. October 2014, NSA SoS Quarterly Lablet Meeting, Ravi Iyer, Survey on Resilience [slides]
  2. November 2014, NSA SoS Bi-weekly Meeting, Ravi Iyer, Resiliency Survey: Challenges Going Forward [slides]
  3. January 2015, NSA SoS Quarterly Lablet Meeting, Ravi Iyer, Preemptive Intrusion Detection: Theoretical Framework and Real-world Measurements [slides]
  4. February 2015, NSA SoS Bi-weekly Meeting, Phuong Cao, Preemptive Intrusion Detection: Theoretical Framework and Real-world Measurements [slides]
  5. April 2015, Symposium and Bootcamp on the Science of Security (HotSoS 2015), Zbigniew Kalbarczyk, invited tutorial: Resilience of Cyber Physical Systems and Technologies [slides]
  6. September 2015, 11th European Dependable Computing Conference-Dependability in Practice (EDCC 2015), Zachary Estrada: Dynamic VM Dependability Monitoring Using Hypervisor Probes [slides]
  7. October 2015, ITI Joint Trust and Security/Science of Security Seminar, Eric Badger: Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and Deployment in a Honey Pot Environment [video & slides]
  8. October 2015, NSA SoS Quarterly Lablet Meeting, Eric Badger: Scalable Data Analytics Pipeline for Validation of Real-Time Attack Detection [slides]
  9. November 2015, demonstration of the security testbed for attack replay and testing of attack detection techniques at The International Conference for High Performance Computing, Networking, Storage and Analysis (SC 2015).
  10. May 2016, ITI Joint Trust and Security/Science of Security Seminar, Phuong Cao: Preemptive Intrusion Detection – Practical Experience and Detection Framework [video & slides]
  11. July 2016, NSA SoS Quarterly Meeting, poster session, Zachary Estrada, Phuong Cao, Zbigniew Kalbarczyk, and Ravishankar Iyer: Detection of Malicious Keyloggers in Virtual Desktop Environments [poster]
  12. July 2016, NSA SoS Quarterly Meeting, poster session, Hui Lin, Homa Alemzadeh, Daniel Chen, Zbigniew Kalbarczyk, and Ravishankar Iyer: Safety-critical Cyber-physical Attacks: Analysis, Detection, and Mitigation [poster]
  13. September 2016, Assured Cloud Computing Weekly Research Seminar, Key-whan Chung: An Indirect Attack on Computing Infrastructure through Targeted Alteration on Environment Control [video & slides]
  14. November 2016, Joint Trust and Security/Science of Security Seminar, Phuong Cao: Automated Generation of Attack Signatures in Attack Graphs [video & slides]
  15. April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Esther Amullen, Hui Lin, and Zbigniew Kalbarczyk: Multi-Agent System for Detecting False Data Injection Attacks Against the Power Grid [poster]
  16. April 2017, Symposium and Bootcamp in the Science of Security (HotSoS 2017), poster session, Phuong Cao, Alexander Withers, Zbigniew Kalbarczyk, and Ravishankar Iyer: Learning Factor Graphs for Preempting Multi-Stage Attacks in Cloud Infrastructure [poster]