Ongoing Cyber Security Projects Salim Hariri, Director The - - PowerPoint PPT Presentation

Ongoing Cyber Security Projects

NSF Industry/University Cooperative Research (I/UCRC) Program

Salim Hariri, Director

The University of Arizona nsfcac.arizona.edu email: hariri@ece.arizona.edu (520) 977-7954

NSF IUCRC in US

2

Advanced Electronics and Photonics (7 centers) Advanced Manufacturing 6 Advanced Materials 11 Biotechnology 6 Civil Infrastructure Systems 1 Energy and Environment 12 Health and Safety 6 IT, Communication, and Computing 24 (CAC) + CAC@Mexico System Design and Simulation 3

75+ IUCRC Centers 225 University sites, 876 Industry/government members

Broad Research Themes

3

Emerging Technologies/Services: Problems and Opportunities

4

Presentation Outline

Autonomic Monitoring, Analysis and Protection (AMAP) Tactical Cyber Immune System (TCIS)

Multi-Level Anomaly Behavior Analysis (MLABA) Autonomic Cyber Security (ACS) Methodology Resilient and Intelligent Smart City Services Cybersecurity Lab as a Service (CLaaS)

Autonomic Monitoring, Analysis and Protection (AMAP)

SBIR Phase II

AVIRTEK & University of Arizona CAC Sponsor: US Air Force Research Laboratory (AFRL)

AMAP Development Approach

Dynamic Analysis Approach

HTML File Attacks

Hidden Iframes

– <iframe src="http://www.MaliciousWebsite.com" width="1" height="1"> </iframe>

Malicious Reference

– <a href=”http://www.maliciousSite.com”?>Wonderful Website</a>

Malicious Scripts

» Reading files from local drive » Fill up a local drive » Access or replace files on the local machine » Launch an application » If the browser will allow it, JavaScript can look at browser history or cookies. » Exploit bugs in a browser

Iframe model

– Hidden or misplaced Iframes – Iframes can be larger than normal to contain a malicious replication of a legitimate webpage

Static Analysis Approach

Normal HTML File

This is a non-malicious HTML file that is properly formatted.

Malicious HTML File

This file contains a malicious obfuscated JavaScript. Obfuscation is the deliberate act of encoding the text to make if difficult for humans to understand. It doesn’t have to be malicious, but this

• ne creates a hidden iframe to a website.

Data Analytics Results

AMAP Prototype Login Screen

14

AMAP Dashboard

15

AMAP Prototype Dashboard: This dashboard has 6 tabs. The Input File tab is used to input files into the system for both training and analysis, the Anomaly Structure Analysis tab is used to request and see the results of structural behavior analysis for files, the Anomaly Dynamic Analysis tab is used to request and see the results of dynamic behavior analysis for files, the Signature-Based Analysis tab is used to request and see the results of signature- based analysis for files, the Training tab is used to start, stop and see training status of the system and the Settings tab contains additional settings to fine tune the system.

Input File Tap

16

Input File Tab: This tab is used to input files into the system for both training and

• analysis. The files can be uploaded to the system from the local machine or can be

retrieved by the system from a specified URL.

Anomaly Structural Analysis

17

AMAP Analysis Results Page: This page shows the results of an analysis performed by AMAP. In this specific instance it’s the results of structural analysis. AMAP will report statistics about the analysis performed, the specific files that were detected as abnormal/malicious, detection reason and recommended action for each.

AMAP Universal Access

18 The AMAP prototype web interface is highly responsive and can be used on any device including mobile phones.

Tactical Cyber Immune System (TCIS) STTR Phase I ($150,000)

UA CAC and Sponsor: US Army CERDEC

19

TCIS Architecture

Development of Innate Immunity and Surveillance Adaptive Immunity & Control Layer Optimizing & Learning Immunity

Application: Program + DATA Virtual OS: Embedded Observer Agents Innate Immunity & Surveillance Layer Hardware OS + TPM checks AppFlow Adaptive Immunity & Control Layer Optimizing & Learning Immunity D-Agent

B-Cell T-Helper Cell Memory Cell Killer T-Cell Dendritic cell 1. 2.

Layered Self Protection Engine (SPE) Layered Computing Stack

Tactical Cyber Immune System (TCIS) Development Approach

Innate Surveillance Self Protection Agents (SPAs)

CONTROLLER knowle dge OBSERVER

Self Recognition Agents (SRAs)

SRA (Users) SRA (apps) SRA (server) SRA (protocol) SRA (device)

Users Apps Protocols Devices Servers Users Apps Protocols Devices Servers

Action 1 Action m Action 1 Action m Action 1 Action m Action 1 Action m Action 1 Action m

21

Self Recognition Flows (SRFs)

22

Multi-Layer Anomaly Behavior Analysis (MLABA) Methodology

NAVY STTR Phase I Project (Starts June 4, 2018) Phase I ($125,000, 6 months)

AIM SDN Controller OF Switch

Resilient Communication Anomaly Behavior Analysis (ABA Network Model Monitoring Service Resilient Computation

Wired/Wireless Network (Radio, Cellular, WiFi, Internet) OF Switch

Command and Control Center

Resilient Servers

OF Switch

ARMY SBIR Phase I: (Sept. 2016- March 2017) – Resilient Middleware Services for Cyber Physical Systems (RMS) Phase I ($150,000), Phase II ($750,000 Pending)

Autonomic Cyber Security (ACS) Platform Controller Observer

Anomaly Sensors

Knowledge

Packet Sensor Aflow Sensor

Analyzers

MAC BAU Network BAU Transport BAU DNS BAU HTTP BAU ModBus BAU

Group Policy 1 Group Policy 2 Group Policy N

Policy 1 Action M1 Action N1 Policy 2 Action M2 Action N2 Policy 3 Action M3 Action N3 Policy Y Action MY Action NY Policy X Action MX Action NX Policy Z Action MZ Action NZ

Anomaly Behavior Analysis Units (BAUs)

Autonomic Security Compliance

DFARS – Defense Federal Acquisition Regulation Supplement

– DoD-specific acquisition regulations

December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule:

– Implement all of the requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. – Deadline is December 31, 2017.

[https://www.gpo.gov/fdsys/pkg/FR-2015-12-30/pdf/2015-32869.pdf]

ASC Objectives

Supply chain security management techniques are

– Manual and labor intensive, – Not flexible to handle the complexity, dynamism, and heterogeneity – Infeasible to create a secure organization boundary

• Continuous attacks
• Malicious insiders
• Wrong configurations
• System failures

Goal: Autonomic security compliance

• Continuous monitor of computers, systems, devices, applications, etc.
• Compliance requirements are met based on NIST SP-800-171?
• Create a compliance report and report the critical issues
• Suggestions to fix the problems (automated/semi-automated actions)

Objectives - Baselines

United States Government Configuration Baseline (USGCB) to create security configuration baselines for IT products

– Provides guidance to agencies on what should be done to improve and maintain effective configuration settings focusing primarily on security

Examples based on USGCB-Windows-Setting.xls (under Computer Configuration\Administrative Templates for Win):

– Turn Off Microsoft Peer-to-Peer Networking Services à To prevent users from utilizing the P2P features included with Windows. – Minimum password length (12 chars) à To make brute force password guessing attacks more difficult. – Network security: Force logoff when logon hours expire à To prevent users from remaining connected after their logon hours have expired. – Inbound connections (Block) à To minimize the risk of exploiting a vulnerable application with an inbound network port.

[https://usgcb.nist.gov/usgcb_faq.html]

ASC Architecture

Autonomic Security Compliance Engine

Supply Chain 1

The security control requirements

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

NIST SP 800-171

Supply Chain 2

Physical Resource Operating System VM-1 Apps vResource Hypervisor VM-N Apps vResource

Server Systems Devices

ASC Reporting Scheme

NIST SP 800-171

1. Access Control 2. Awareness and Training 3. Audit and Accountability 4.

• Conf. Mng.

5. Identification and Authentication 6. Incident Response 7. Maintenance 8. Media Protection 9. Personnel Security

• 10. Physical Protection
• 11. Risk Assessment
• 12. Security Assessment
• 13. System and Comm.

Protection

• 14. System & Info. Integrity

United States Government

• Conf. Baseline (USGCB)
• Minimum password length (12

chars) à To make brute force password guessing attacks more difficult.

• Network security: Force logoff

when logon hours expire à To prevent users from remaining connected after their logon hours have expired.

• Inbound connections (Block)

à To minimize the risk of exploiting a vulnerable application with an inbound network port.

Metric (0-1) Report 3.1 Access Control 0.45 Security controls do not pass ý 3.1.8 Limit unsuccessful logon attempts. Failed the tests þ 3.1.9 Provide privacy and security notices consistent with applicable CUI rules. 0.9 90% of the security tests passed þ 3.2 Awareness and Training 1 PASS 3.3 Audit and Accountability 0.6 Not all the security controls are effectively applied ý 3.3.4 Alert in the event of an audit process failure. 0.3 The tests failed mostly ý 3.4 Configuration Management 0.55 The tests failed ý 3.5 Identification and Authentication 1 PASS þ 3.6 Incident Response 0.9 PASS ý 3.7 Maintenance 1 PASS þ 3.8 Media Protection 1 PASS ý 3.9 Personnel Security 0.4 More work is needed þ 3.10 Physical Protection 1 PASS þ 3.11 Risk Assessment 1 PASS þ 3.12 Security Assessment 1 PASS 3.13 System and Comm. Protection 0.7 Not all the security controls are effectively applied ý 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e. deny all, permit by exception). 0.2 Failed the tests þ 3.14 System & Info. Integrity 0.95 PASS NIST SP 800-171 Security Control

Company Policy Compliance Program Configuration Report Critical Issues Compliance Report Action

30

ASC Development Approach

NIST SP 800-171

Guidelines to protect Controlled Unclassified Information (CUI) in nonfederal information systems and organizations 14 security categories

• 1. Access Control
• 2. Awareness and Training
• 3. Audit and Accountability
• 4. Configuration Management
• 5. Identification and Authentication
• 6. Incident Response
• 7. Maintenance
• 8. Media Protection
• 9. Personnel Security

10.Physical Protection 11.Risk Assessment 12.Security Assessment 13.System and Communications Protection 14.System and Information Integrity

ASC Prototype Controls (SP-800 171)

3.1.11 – Terminate (automatically) a user session after a defined condition.

– Script name: check_created_accounts_SP800_171_3.1.11 – Checks the created accounts – Uses a given argument to detect if there is any unauthorized created accounts; if yes, gives critical warning (error) – It can also include a list of service accounts

3.1.12 – Monitor and control remote access sessions.

– Script name: check_current_users_SP800_171_3.1.12 – Monitors the currently active users – It evaluates the currently active user number based on a threshold – It uses a given list to check if there is any unauthorized active users

ASC Prototype Controls (SP-800 171)

3.1.8 – Limit unsuccessful logon attempts.

– Script name: check_login_attempts_SP800_171_3.1.8 – Checks the auth.log to see if the number of unsuccessful attempts are beyond a limit

3.1.8 – Limit unsuccessful logon attempts.

– Script name: check_ssh_login_attempt_limit_SP800_171_3.1.8 – Checks the SSH configuration to see the current setting if there is any limitation for login attempts – It also checks if the found login attempts is below the threshold or not.

ASC Prototype Controls (SP-800 171)

3.1.6 – Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

– Script name: check_open_ports_SP800_171_3.13.6 – Checks the open ports – It uses a given authorized port list to compare the ports – If there are any unauthorized ports, it gives a critical error to the admin.

3.1 Access Control: Security Controls Monitoring

3.1 Access Control: Security Controls Monitoring

3.1 Access Control: Security Controls Monitoring

3.13 System and Communications Protection: Network Host Intrusion Detection System

3.12 Security Assessment: Vulnerability Reports

3.12 Security Assessment: Vulnerability Reports

3.12 Security Assessment: Vulnerability Reports

3.1 Access Control - Historical Usage Graphs

3.3 Audit and Accountability - E-mail Notifications

3.3 Audit and Accountability - E-mail Notifications

Smart Services Smart Government Smart Healthcare Smart Grid Smart Homes Smart Auto Services Smart Critical Infrastructure Command/Cont rol Center

Data Command

Smart Building

Smart Cities

45

IP Fluxing Resilient Communication System (RCS) Resilient Server

Resilient Command and Control System (RCCS)

Engineering workstation Database Server

HM I

Data Acquisition Server Historian Reports

Actuators/Effe ctors Sensors Physical System IP Fluxing

Resilient and Intelligent City Ecosystem (RICE)

Resilient Computations

47

Moving Target Defense Strategies

Address Space Randomization Instruction Set Randomization Data Randomization Execution Environment Randomization

– Change Programming Language – Change OS and Middleware – Change Resources

Diversity

– Hot Shuffling software variants at runtime – Variants are functionally equivalent, behaviorally different

Redundancy

– Multiple replicas on different physical hardware

Random Selection and Shuffling of Variants

Software Behavior Encryption (SBE)

49

How SBE achieve resiliency?

50

Input Output Resilient Algorithm Autonomic Management

Resilient Server

VM App 1 Primary: Version 1 Secondary: Version 2

Smart City Applications

VM App 2 Primary: Version 1 Secondary: Version 2

Application Repository

App 1 Version 1, 2, .. App n Version 1, 2, ..

VM Image Repository

VM Type 1 2, .. VM Type n

Configuration Engine Diversity Level Redundancy Level Shuffling Rate

Resilient Computations/Applications

52

Application Execution Env. 1

VM3 (V6) VM2 (V4) VM1 (V1)

Applications/Resources

Application Repository VM Images Repository

Diversit y Level

Resilient Cloud Middleware

Configuration Engine

Redunda ncy Level Shuffling Rate

Observer Analyzer

Application Supervisor

Application Resilient Editor User’s Application

Application Execution Env. 2

VM3 (V5) VM2 (V7) VM1 (V2)

Application Execution Env.n

VM3 (V2) VM2 (V4) VM1 (V3)

Resilient Cloud Services Architecture

Controller Supervisor 1 Physical Node 1 Master 1 Worker 2 [V7] Worker 1 [V4] Worker 3 [V2] Supervisor 3 Physical Node 3 Master 3 Worker 8 [V5] Worker 7 [V3] Worker 9 [V8] Supervisor 2 Physical Node 2 Master 2 Worker 5 [V1] Worker 4 [V9] Worker 6 [V6] Data store for VM images Invoking Virtual Machins Check Pointing Supervisor Selection Worker Selection

RCS Experimental Results and Evaluation

• Developed an experimental environment
• MapReduce Application
• Linear Equation Solver Application
• Mibench
• G. Dsouza, G. Rodríguez, Y. B. Al-Nashif, S. Hariri, “Building resilient cloud

services using DDDAS and moving target defence”, IJCC 2(2/3): 171-190, 2013

Resilient Communications

55

AIM SDN Controller

OF Switch

Resilient Communication Anomaly Behavior Analysis (ABA Network Model Monitoring Service Resilient Computation

Wired/Wireless Network (Radio, Cellular, WiFi, Internet) OF Switch

Command and Control Center

Resilient Servers

OF Switch

Tactical Operation Center

MTD Node Transmitter Module Receiver Module Modulation- BPSK

Frequency- 1 Ghz Packet size - 30 B Modulation- MSK Frequency -2 Ghz Packet size – 15B Modulation- QAM

F r e q u e n c y

• 1

. 5 G h z P a c k e t s i z e

• 2

5 B Modulation-QPSK Frequency- 2 Ghz

Packet size- 20

Modulation- BPSK

Frequency- 1 Ghz Packet size - 30 B

Modulation- MSK Frequency -2 Ghz Packet size – 15B

Modulation- QAM

F r e q u e n c y

• 1

. 5 G h z P a c k e t s i z e

• 2

5 B Modulation- MSK Frequency -2 Ghz Packet size – 15B

MTD Node Logical Link

Legend

Active Stand by Attacked

Link 1 L i n k 2 Link 4 L i n k 3

Resilience Radio Communications

57

WiFi Cellular Cellular WiFi

Normal Behavior with no attack

Radio Radio Radio Cellular WiFi WiFi Radio Cellular

Primary link Secondary link Attacked link Time Normal Behavior with attack

T1 T3 T2

Education/Training

59

CLaaS: Cybersecurity Lab as a Service

Cognitive Cybersecurity Support (future) Cybersecurity Lab as a Service (CLaaS) Cybersecurity Knowledgebase Repository Training and Teaching Programs (ongoing) Cybersecurity Tools (ongoing) Cybersecurity Research Repository (ongoing)

60

CLaaS Architecture

XSS Exp. VMs DNS Attack Exp. VMs DDOS Exp. VMs Buffer Overflow Exp. VMs

61

62

Federated Cybersecurity Testbed as a Service

Researchers, and Warfighter Trainees

Internet

International Collaborative Test Beds

64

VIRTUAL DATA ANALYTICS PLATFORM

65