NSF Industry/University Cooperative Research (I/UCRC) Program Ongoing Cyber Security Projects Salim Hariri, Director The University of Arizona nsfcac.arizona.edu email: hariri@ece.arizona.edu (520) 977-7954
NSF IUCRC in US 2
75+ IUCRC Centers 225 University sites, 876 Industry/government members Broad Research Themes Advanced Electronics and Photonics (7 centers) Advanced Manufacturing 6 Advanced Materials 11 Biotechnology 6 Civil Infrastructure Systems 1 Energy and Environment 12 Health and Safety 6 IT, Communication, and Computing 24 (CAC) + CAC@Mexico System Design and Simulation 3 3
Emerging Technologies/Services: Problems and Opportunities 4
Presentation Outline Autonomic Monitoring, Analysis and Protection (AMAP) Tactical Cyber Immune System (TCIS) Multi-Level Anomaly Behavior Analysis (MLABA) Autonomic Cyber Security (ACS) Methodology Resilient and Intelligent Smart City Services Cybersecurity Lab as a Service (CLaaS)
Autonomic Monitoring, Analysis and Protection (AMAP) SBIR Phase II AVIRTEK & University of Arizona CAC Sponsor: US Air Force Research Laboratory (AFRL)
AMAP Development Approach
Dynamic Analysis Approach
HTML File Attacks Hidden Iframes – <iframe src="http://www.MaliciousWebsite.com" width="1" height="1"> </iframe> Malicious Reference – <a href=”http://www.maliciousSite.com”?>Wonderful Website</a> Malicious Scripts » Reading files from local drive » Fill up a local drive » Access or replace files on the local machine » Launch an application » If the browser will allow it, JavaScript can look at browser history or cookies. » Exploit bugs in a browser Iframe model – Hidden or misplaced Iframes – Iframes can be larger than normal to contain a malicious replication of a legitimate webpage
Static Analysis Approach
Normal HTML File This is a non-malicious HTML file that is properly formatted.
Malicious HTML File This file contains a malicious obfuscated JavaScript. Obfuscation is the deliberate act of encoding the text to make if difficult for humans to understand. It doesn’t have to be malicious, but this one creates a hidden iframe to a website.
Data Analytics Results
14 AMAP Prototype Login Screen
15 AMAP Dashboard AMAP Prototype Dashboard: This dashboard has 6 tabs. The Input File tab is used to input files into the system for both training and analysis, the Anomaly Structure Analysis tab is used to request and see the results of structural behavior analysis for files, the Anomaly Dynamic Analysis tab is used to request and see the results of dynamic behavior analysis for files, the Signature-Based Analysis tab is used to request and see the results of signature- based analysis for files, the Training tab is used to start, stop and see training status of the system and the Settings tab contains additional settings to fine tune the system.
16 Input File Tap Input File Tab: This tab is used to input files into the system for both training and analysis. The files can be uploaded to the system from the local machine or can be retrieved by the system from a specified URL.
17 Anomaly Structural Analysis AMAP Analysis Results Page: This page shows the results of an analysis performed by AMAP. In this specific instance it’s the results of structural analysis. AMAP will report statistics about the analysis performed, the specific files that were detected as abnormal/malicious, detection reason and recommended action for each.
18 AMAP Universal Access The AMAP prototype web interface is highly responsive and can be used on any device including mobile phones.
Tactical Cyber Immune System (TCIS) STTR Phase I ($150,000) UA CAC and Sponsor: US Army CERDEC 19
TCIS Architecture Development of Innate Immunity and Surveillance Adaptive Immunity & Control Layer Optimizing & Learning Immunity Layered Self Protection Engine (SPE) Layered Computing Stack Dendritic cell Optimizing & Application: Learning Immunity Program + DATA 2. 1. Virtual OS: Adaptive T-Helper Embedded Immunity & Control Layer Cell Observer Agents B-Cell Hardware OS + Innate Immunity & TPM checks AppFlow Surveillance Layer D-Agent Memory Cell Killer T-Cell
21 Tactical Cyber Immune System (TCIS) Development Approach Innate Surveillance Self Recognition Flows (SRFs) OBSERVER Users Apps Servers Devices Protocols Self Recognition Agents (SRAs) SRA SRA SRA SRA SRA knowle (Users) (apps) (server) (device) (protocol) dge Self Protection Agents (SPAs) Users Apps Servers Protocols Devices CONTROLLER Action 1 Action 1 Action 1 Action 1 Action 1 Action m Action m Action m Action m Action m
Multi-Layer Anomaly Behavior Analysis (MLABA) Methodology NAVY STTR Phase I Project (Starts June 4, 2018) Phase I ($125,000, 6 months) 22
ARMY SBIR Phase I: (Sept. 2016- March 2017) – Resilient Middleware Services for Cyber Physical Systems (RMS) Phase I ($150,000), Phase II ($750,000 Pending) AIM SDN Controller Resilient Communication Resilient Computation Network Monitoring Anomaly Behavior Model Service Analysis (ABA (Radio, Cellular, WiFi, Internet) Command and Wired/Wireless Network Control Center OF Switch Resilient Servers OF Switch OF Switch
Autonomic Cyber Security (ACS) Platform Anomaly Sensors Packet Sensor Aflow Sensor Observer Analyzers ModBus MAC HTTP DNS Network Transport BAU BAU BAU BAU BAU BAU Anomaly Behavior Analysis Units (BAUs) Knowledge Group Policy 1 Action M1 Action M2 Policy 1 Policy 2 Controller Action N1 Action N2 Group Policy 2 Action M3 Policy 3 Action N3 Group Policy N Action MY Action MZ Action MX Policy Y Policy Z Policy X Action NY Action NZ Action NX
Autonomic Security Compliance DFARS – Defense Federal Acquisition Regulation Supplement – DoD-specific acquisition regulations December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule: – Implement all of the requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations . – Deadline is December 31, 2017. [https://www.gpo.gov/fdsys/pkg/FR-2015-12-30/pdf/2015-32869.pdf]
ASC Objectives Supply chain security management techniques are – Manual and labor intensive, – Not flexible to handle the complexity, dynamism, and heterogeneity – Infeasible to create a secure organization boundary • Continuous attacks • Malicious insiders • Wrong configurations • System failures Goal: Autonomic security compliance • Continuous monitor of computers, systems, devices, applications, etc. • Compliance requirements are met based on NIST SP-800-171? • Create a compliance report and report the critical issues • Suggestions to fix the problems (automated/semi-automated actions)
Objectives - Baselines United States Government Configuration Baseline (USGCB) to create security configuration baselines for IT products – Provides guidance to agencies on what should be done to improve and maintain effective configuration settings focusing primarily on security Examples based on USGCB-Windows-Setting.xls (under Computer Configuration\Administrative Templates for Win): – Turn Off Microsoft Peer-to-Peer Networking Services à To prevent users from utilizing the P2P features included with Windows. – Minimum password length (12 chars) à To make brute force password guessing attacks more difficult. – Network security: Force logoff when logon hours expire à To prevent users from remaining connected after their logon hours have expired. – Inbound connections (Block) à To minimize the risk of exploiting a vulnerable application with an inbound network port. [https://usgcb.nist.gov/usgcb_faq.html]
ASC Architecture Protecting Controlled Unclassified Server Systems Devices Information in Nonfederal Information Systems and Organizations VM-1 VM-N NIST SP 800-171 Apps Apps vResource vResource The security control Hypervisor Operating requirements System Physical Resource Supply Chain 1 Autonomic Security Compliance Supply Chain 2 Engine
Recommend
More recommend
