Projects – In Progress
A Hypothesis Testing Framework for Network Security
P. Brighten Godfrey, Matthew Caesar, David Nicol, William Sanders, and Dong (Kevin) Jin
This project develops a scientific approach to testing hypotheses about network security when those tests must consider layers of complex interacting policies within the network stack. The work is motivated by the observation that the infrastructure of large networks is hideously complex, and so is vulnerable to various attacks on services and data. Coping with these vulnerabilities consumes significant human management time, much of it spent just trying to understand the network’s behavior. Unfortunately, even very simple behaviors – such as whether it is possible for any packet (however unusual) to flow between two devices – are difficult for operators to test, and synthesizing these low-level behaviors into a high-level quantitative understanding of network security has been beyond reach.
We propose to develop the analysis methodology needed to support scientific reasoning about the security of networks, with a particular focus on information and data flow security. The core of this vision is Network Hypothesis Testing Methodology (NetHTM), a set of techniques for performing and integrating security analyses applied at different network layers, in different ways, to pose and rigorously answer quantitative hypotheses about the end-to-end security of a network.
Our RRE work incorporates modules to monitor the current state of a system, detect intrusions, and respond in order to achieve resilience-specific goals. In the area of intrusion detection, we have proposed data-driven, model-based frameworks to detect abnormal movement in a system, using lateral movement within an enterprise network and physical movement within railway transit stations as examples. For the physical movement case, we have developed a framework that uses the building topology and historical user movement data to build models that describe normal user movement behavior. During system operation, physical accesses are compared against these models, and accesses that deviate from them are labeled as malicious. In that work, we use real-world physical access data to show that our approach can detect malicious movement in an online manner.
Anonymity is a basic right and a core aspect of the Internet. Recently, there has been tremendous interest in anonymity and privacy in social networks, motivated by the natural desire to share one’s opinions without fear of judgment or personal reprisal (by parents, authorities, or the public). We propose to study the fundamental questions associated with building such a semi-distributed, anonymous messaging platform, which aims to keep anonymous both the identity of the source who initially posted a message and the identities of the relays who approved and propagated it.
Data-Driven Model-Based Decision-Making
William Sanders, Masooda Bashir, David Nicol, and Aad Van Moorsel
The goal of this project is to develop quantitative, scientifically grounded decision-making methodologies to guide information security investments in private or public organizations, combining human and technological concerns; to demonstrate their use in two or more real-life case studies; and to prototype tools and demonstrate their proof of concept on those case studies. Our hypothesis is that quantitative security models, augmented by collected data, can be used to make credible business decisions about the use of particular security technologies to protect an organization’s infrastructure. The key output of this research will be a data-driven, model-based methodology for security investment decision-making, with associated software tool support, and a validation of the tool’s usefulness in a realistic setting. The main scientific contributions will be new abstractions for modeling human behavior, and techniques and tools for optimizing the associated data collection strategy.
This project is a collaboration between the University of Illinois at Urbana-Champaign and Newcastle University.
This project develops a science of deriving from data the models and metrics suitable for recognizing, mitigating, and containing attacks within a network. Our approach uses production-scale data: our initial study of security incidents at NCSA from 2005 to 2012 motivates methods for discovering relationships and time sequences of events in vast amounts of log data, research from which we have gained insight into, and a basis for, monitoring and analyzing secure systems. The challenge is to capture and identify attackers’ actions from the measurements, develop predictive models of attacker behavior before and during an attack, and thus develop a framework within which to reason about attacks independently of the vulnerability exploited or the attack pattern adopted. Our project looks at models and metrics driving (1) cross-layer monitoring and detection, (2) attack containment, and (3) situational awareness.
Well-intentioned human users continually circumvent security controls. The pandemic, ubiquitous nature of this circumvention undermines the effectiveness of security designs that implicitly assume circumvention never happens. We seek to develop metrics that enable security engineers and other stakeholders to make meaningful, quantifiable comparisons, decisions, and evaluations of proposed security controls in light of what really happens when those controls are deployed.
This project builds on foundations of human-computer interaction in security and on the preliminary research the investigators have already been conducting: Blythe, Koppel, and Smith have studied workers’ reasons for and methods of circumvention, while Xie has studied techniques for helping mobile-app users (who may be enterprise workers) apply security controls to apps before installing them on their mobile devices. Research conducted in large enterprise systems increasingly finds that such apps are a major source of malware invasions into those larger systems. Similarly, with the expanded use of BYOD (bring your own device), such dangers are pandemic in the absence of security controls and of users’ ability to understand and follow those controls. Security-control circumvention by enterprise workers as mobile-app users is reflected in their willingness to install apps without sufficiently assessing their risk.
Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems
Sayan Mitra, Geir Dullerud, and Swarat Chaudhuri
Cyber-physical system (CPS) security lapses may lead to catastrophic failure. We are interested in the scientific basis for discovering unique CPS security vulnerabilities to dynamics-aware attacks that alter behaviors of components in ways that lead to instability, unsafe behavior, and ultimately diminished availability. Our project advances this scientific basis through security-metrics-driven design and evaluation of CPS, based on formalization of adversary classes and security metrics. We propose to define metrics, and then develop and study static and dynamic analysis algorithms that provide formal guarantees on them with respect to different adversary classes.