UA CAC Technews - NSF CAC (acl.ece.arizona.edu/ua_tech_news/ua_tech_news_vol1issue4.pdf)
Spring 2014
UA CAC Technews
Update from the Director

It is my pleasure to communicate with you through the Technews of the UA site of the NSF Center on Autonomic Computing (NSF CAC). The NSF CAC is a center funded through the NSF Industry/University Cooperative Research Centers program, industry, government agencies and matching funds from member universities, which currently include the University of Florida (Lead), the University of Arizona, Rutgers, The State University of New Jersey and the Mississippi State University (MSU).

I am pleased with the quality of the ongoing research projects and the strong support from our industrial and government members. We have built state of the art test-beds to support our research activities in Cyber infrastructure security, critical infrastructure protection, and high performance cloud computing and data centers that are critically important to develop and demonstrate the capabilities of our projects.

As we move forward, we would like to invite you to join the center so together we can develop innovative autonomic technologies that will revolutionize how to design and deploy next generation information and communications services.
Salim Hariri, UA Site Director
Volume 2, Issue 4 Visit our website: http://nsfcac.arizona.edu
Inside this issue
- About the center, p. 1
- Autonomic Cloud Management System, p. 3
- Securing Smart Grids and Buildings Infrastructures and Services, p. 5
- AskCypert: Programs to support cybersecurity Education and Training, p. 8
- Wireless Autonomic Protection System, p. 10
- Cybersecurity Lab as a Service (CLaaS), p. 11
- Intrusion Resilient Cloud Services, p. 13
- Quantification of Resiliency, p. 16
- Hacker Web (Securing Cyber Space): Understanding the Cyber Attackers and Attacks via Social Media Analytics, p. 18
- Insider Threat Detection And Protection, p. 20
- All Eyes on International Cybersecurity, p. 22
- Recent Graduates, p. 26
- Alumni Corner, p. 27
- Center Correspondences, p. 30
Autonomic Cloud Management System
Project PIs: Drs. Salim Hariri, Youssif Al-Nashif, Ali Akoglu
Graduate Students: Farah Fargo, Cihan Tunc
Webpage: http://acl.ece.arizona.edu/projects/current/acms/index.html
With the rapid growth of data centers and clouds, the power consumption and power cost of such systems have become critically important to manage efficiently. Several research studies have shown that data servers typically operate at a low utilization of 10% to 15%, while their power consumption is close to that at peak load. Given this significant fluctuation in workloads, an elastic delivery of computing services with an efficient power provisioning mechanism becomes an important design goal. Live workload migration and virtualization are important techniques for optimizing power and performance in large-scale data centers. Our work presents an application-specific autonomic power and performance management system that uses AppFlow-based reasoning to configure datacenter resources and workload allocations dynamically at runtime (Figure 1). Our approach continuously monitors the workload to determine the current operating point of both the workloads and the virtual machines (VMs) running them, and then predicts the next operating points for these VMs. This enables the system to allocate the appropriate amount of hardware resources that can run the VM workloads efficiently with minimum power consumption. We have experimented with and evaluated our approach by managing the VMs running the RUBiS bidding application. Our experimental results showed that our approach can reduce the VMs' power consumption by up to 84% compared to static resource allocation and by up to 30% compared to other methods, with minimum performance degradation.
Figure 1: Autonomic Cloud Management Architecture
Our framework is shown in the figure below. It contains two parts: an offline training phase (Figure 2.a) and an online plan execution phase in which the VM resources are configured (Figure 2.b). During the offline training phase, we train using different possible workloads. We monitor the systems and collect information about the runtime system behavior. Then we use an offline workload analysis to identify and characterize different workload types. We also map the workloads to different AppFlow types in this phase. Finally, in the Plan Generation module we decide which configuration to use for each AppFlow type in order to reduce power consumption without sacrificing performance. The Plan Generation module also needs the Application SLA documentation (prepared by the application users or providers) to know the allowable additional execution time.

During the online plan execution phase (Figure 2.b), the VMs are monitored at runtime to decide the current AppFlow type by mapping each workload's behavior to an AppFlow sub-cube. Once the AppFlow type is identified, the Plan Selection module determines the configuration associated with that AppFlow type. Next, the Plan Execution module is invoked to apply the chosen configuration. The current configuration is changed only if it is determined that the previously selected AppFlow type no longer accurately models the current workload.
Figure 2: Framework
Farah Fargo, PhD student; Cihan Tunc, PhD student; Dr. Salim Hariri; Dr. Ali Akoglu
Securing Smart Grids and Buildings Infrastructures and Services
Project PIs: Drs. Salim Hariri, Youssif Al-Nashif
Graduate Students: Jesus Horacip Pacheco Ramirez, Bilal Albaalbaki, Jin Bai, Zhiwen Pan
Webpage: http://acl.ece.arizona.edu/projects/current/aimsg/index.html
The development of Smart Grids is strongly linked to the use of technology that can enhance system performance, reduce costs, and introduce new services by interconnecting devices and protocols (e.g. ZigBee, Wi-Fi, DNP3, BACnet) with the Internet (IoT). The problem arises when the system is directly exposed to attacks. Our goal is to build an effective intrusion detection system that can proactively detect anomalous actions generated by malicious devices inside or outside the network.

Approach:
To automate any software module or resource, we add two software modules: an Observer and a Controller. The Observer senses and analyzes the current state of the managed system and predicts its behavior. The Controller executes the recommended actions to keep the managed system operating normally (self-management).
BACnet
The development of networking technology and increasing practical demand have led to extensive interconnection between Building Automation and Control (BAC) networks and external networks. The information flow coming from public networks greatly raises the risk of these networks being attacked by both inside and outside intruders. This project proposes a framework for rule-based anomaly detection in Building Automation and Control networks. We apply an anomaly detection approach to the building network by training the IDS with dataflow that is dynamically captured from the Smart Laboratory Testbed through a BACnet Protocol Observer module. The rules acquired from the offline data mining procedure operate with an extremely low false positive rate. A demonstration of detecting attacks that target generic vulnerabilities of the BACnet protocol is made, and a classification of the detected attacks is done at the end. Our approach is summarized as follows:
Build a Smart Laboratory Testbed (SLT) using BACnet hardware devices.
Simulate a spoofed client that targets generic vulnerabilities of the BACnet protocol.
Feed the database with BACnet flows captured and decoded from real-time traffic.
Select a suitable data mining algorithm to generate statistical rules.
Integrate the rules into the intrusion detection system, then test its performance.
DNP3
Due to the huge expansion in the deployment of intelligent devices in the critical infrastructure sector and the dependency of these devices on the Internet, attackers with diverse motivations have started targeting the communication and control protocols of these devices. DNP3 over TCP/IP is one of those protocols and is widely used in the power industry. Since security was not one of the goals in designing DNP3, attackers can easily succeed in penetrating a DNP3 over TCP/IP communication system. In this project, we propose a novel rule-based anomaly detection technique that is able to detect attacks that cannot be prevented by the security layer of DNP3. We show the effectiveness of the rules in detecting abnormal packets through both offline and online testing. The false positive and false negative rates are both very low. We also propose a classification mechanism for our detection technique.
ZigBee
This research aims to build an anomaly-based Intrusion Detection System (IDS) for the ZigBee wireless protocol. Our approach is summarized in the following: "Provide the system with the required intelligence to protect itself from any insider or outsider attack. The detection is based on complete knowledge about the system, the normal and abnormal behaviors." Our testbed consists of Advanced Meter Reading (AMR), Programmable Control Thermostat (PCT), Load Control Device (LCD), and In-Premise Display (IPD) devices; these devices are managed through the Digi commercial platform. To add a Smart Grid concept to our work, we are using a renewable energy source (wind turbine) beside the conventional power source. The traffic in the testbed consists of two parts: first, between the ZigBee gateway and the Digi web platform over Ethernet; second, inside our Personal Area Network (PAN) using ZigBee mesh technology. The Digi platform is also used to generate different types of normal packets such as ZigBee beacon, ZigBee command, ZigBee data, IEEE 802.15.4 ack, IEEE 802.15.4 data, etc. To generate abnormal traffic we are using the KillerBee firmware as a ZigBee attack library. To launch the attacks we are using an Arduino XBee shield with XBee Pro transceivers.

Our development is done in a Linux environment. Ubisys radio receivers are used to listen on ZigBee channels and sniff the traffic. We are using the Wireshark protocol analyzer to display ZigBee packets. A PSQL database is used to store the normal and abnormal packets. We then used Weka as a data mining tool to derive the rules about normal and abnormal traffic, with JRIP as the classification algorithm. Our system is able to detect a flooding attack with zero false negative alerts and zero false positive alerts. Our future work is divided into three parts: 1- Develop a classification tool for the tested attacks. 2- Develop a protection model based on our rule-based intrusion detection system.
Jesus Horacip Pacheco Ramirez, PhD student; Bilal Albaalbaki, Masters student; Zhiwen Pan, Masters student; Jin Bai, Masters student
AskCypert: Programs to support cybersecurity Education and Training
Project PIs: Drs. Salim Hariri, Youssif Al-Nashif
Graduate Students: Kowsik Krishnan
Webpage: http://www.askcypert.org/
Motivation of the project
Cyber attacks may disrupt or even completely stop the operations of large computer networks, factories and chemical plants. They may also cause the total collapse of financial systems and power grids. Economic catastrophes, societal panic and disasters, or even loss of life may result.

This prototype project will integrate research, education, and training programs to provide critically needed testbeds, tools, and educational/training programs that allow students, researchers, professionals, and educators to gain hands-on experience in cybersecurity fundamentals, in how to detect vulnerabilities and attacks, and in how to protect our cybersecurity resources and services.
Project goal
The goal of this project is to develop an innovative and interactive cyber assistant, which we refer to as Ask Cypert, to answer frequently asked questions from students and educators about cybersecurity issues as well as educational and training programs. Ask Cypert will provide Cybersecurity Laboratory as a Service (CLaaS), which will deliver a virtual cybersecurity laboratory, testbeds, attack libraries, and monitoring and analysis tools. The capabilities provided by the Ask Cypert site will make it possible to educate and train the next generation of the critically needed skilled workforce to secure and protect the operations of our cyber resources and services.
Ask Cypert will provide the following capabilities:
Cybersecurity Laboratory as a Service (CLaaS). We will use virtualization technologies and cloud services to allow students to build any virtual cyberspace and carry out any cybersecurity experiment. By providing easy-to-use, 24/7-available monitoring, attack libraries, a configurable cybersecurity virtual laboratory, and analysis and visualization tools, students and trainees will be able to see clearly how cyberattacks are launched and which vulnerabilities are exploited.
Ask Cypert as a cybersecurity assistant in educational and training programs. All the knowledge and know-how will be put into a cyber robot we refer to as Ask Cypert, providing 24/7 support for any educational question related to teaching cybersecurity at the undergraduate and graduate levels. The Ask Cypert portal will have educational programs to teach, train and mentor cybersecurity fundamentals and hands-on practice.
Cybersecurity Training and Educational Camps during the summer to train undergraduate students, with emphasis on under-represented groups, in cybersecurity tools for detecting threats to and protecting cyber resources and services.
Current State of the project
The development of the website, askCypert, is almost complete. We have used a free open source content management framework called Drupal, which is written in PHP. Currently our website has features that are common to content management systems. These include user account registration and maintenance, menu management, RSS feeds, page layout customization, and system administration.

The Drupal core installation can be used as a simple website, a single- or multi-user blog, an Internet forum, or a community website providing for user-generated content.
Research tasks / Goals:
Class material is needed to teach cybersecurity.
Virtual experiments are needed to show how certain types of network attacks work.
Virtual experiments need to be built online in order to test in a simulated environment.
Use cybersecurity visualization tools to demonstrate the states of the networks.
Tools are needed to simulate network attacks.
Kowsik Krishnan; Dr. Youssif Al Nashif, Research Professor
Wireless Autonomic Protection System
Project PIs: Drs. Salim Hariri, Youssif Al-Nashif
Graduate Students: Pratik Satam
Webpage: http://acl.ece.arizona.edu/projects/current/waps/index.html
Motivation: Fast, easy and inexpensive deployment of wireless networks has made them one of the most popular communication environments. Wireless networks are becoming ubiquitous and are widely used to transfer critical information such as bank account details, credit card numbers, e-mails and social network credentials. The current security protocols for wireless networks have failed to address security attributes such as availability and integrity (e.g. denial of service, session hijacking and MAC address spoofing attacks). Moreover, current attack detection systems are signature based and are not effective against new or modified attacks. We propose to develop a detection system for Wi-Fi networks that not only can detect new or modified attacks but also has a low false positive rate.
Goals:
Build a state of the art anomaly-based wireless detection system.
Detect insider and outsider attacks.
Achieve low false positive and false negative alarm rates.
Classify the attacks that are detected by the system.
Use the power of the received signal to identify the attacker and take preventive measures.
Current State:
Cybersecurity Lab as a Service (CLaaS)
Project PIs: Drs. Salim Hariri and Youssif Al-Nashif
Graduate Student: Shrivatsa
Webpage: http://www.askcypert.org/node/5
Motivation: The exponential growth of Internet usage and the proportional increase in cyber-attacks and security threats may affect critical infrastructure, computer networks and financial systems. There is a severe shortage of workforce with expertise in the field of cybersecurity. This has encouraged us to develop educational and training programs to support students, professionals and teachers by offering them as cloud services.

Cybersecurity Lab as a Service (CLaaS) will allow the trainee to perform cybersecurity experiments and understand the underlying principles behind these attacks without the need for a physical lab, by using cloud virtual services and Software Defined Networks (SDN).

Goals: To develop an innovative and interactive cyber assistant that can perform virtual cybersecurity experiments on the fly. CLaaS will support a wide range of virtual security experiments for learning how attackers launch DDoS, DNS attacks, wireless attacks and many more.

It will provide the user with attack libraries and configurable experiments along with analysis and virtualization tools. It will further educate students about the causes of these attacks and how they are exploited. Students will also learn different protection techniques that can be implemented using the CLaaS tools.

Project Methodology: Our approach involves setting up a cloud, specifically an OpenStack cloud, with multiple services that will be used to run the cybersecurity lab. Software Defined Networks will be used to create the various network topologies. This infrastructure takes a request from the user that specifies the resources needed, such as the number of virtual machines, the network to which the VMs are connected, memory for each VM, etc.
An example of such request is shown below.
Typical CLaaS Request: I need a virtual experiment to learn about WiFi attacks.
Support Personnel Response: Guides how to build Experiment with attack libraries and virtual components that are already available.
Current State of the Project: We have built a private OpenStack cloud with a single controller and multiple compute nodes. We are capable of launching VMs on demand from users, with the necessary modifications to each of them. Various experiments related to cybersecurity attacks are being designed and developed to suit the architecture of CLaaS and provide maximum knowledge to the user.

Research Tasks:
We will implement various experiments on DoS and wireless security and also provide tools to analyze these threats. Techniques to gain more protection from these attacks will be explained to the users. A resource management system will be developed to keep track of resources in the cloud. Also, users will be able to launch their own experiments on demand.
Intrusion Resilient Cloud Services
Project PIs: Drs. Salim Hariri, Youssif Al-Nashif
Graduate Students: Hemayamini Kurra, Xiaoran Li
Webpage: http://acl.ece.arizona.edu/projects/current/mtdm/index.html
Cloud computing is an emerging paradigm that aims at delivering computing, information services, and data storage as a utility service over a network or the Internet. There is strong interest in cloud computing due to its performance and cost reduction, but its rapid deployment will exacerbate the security problem. In addition, cloud computing integrates many technologies, including virtualization, Web technologies, utility computing, and distributed data management, each with its own set of vulnerabilities. The adoption and proliferation of cloud computing will be severely impacted if cloud security is not adequately addressed. Traditional approaches to security will not work well in a cloud environment, and it is widely believed that we cannot deliver cloud services that are 100% immune to cyber attacks and exploitation.
Figure 1: Architecture of RCS (Resilient Cloud Services)
With the advance of cloud computing technologies, there is a huge demand for computing resources and storage. Many organizations prefer to outsource their storage and other resources. As the data reside in third-party data centers, security is becoming a major concern. Storage Dynamic Encryption (SDE) addresses the major security issues for cloud storage, such as access control, confidentiality, integrity, and secure communications. Our resilient approach is based on moving target defense and key hopping techniques. Data is partitioned into a random number of partitions, and a different key is used to encrypt each partition. We also show that with the key hopping technique we can use a smaller key length than is normally used, which improves performance, without compromising security.
Figure 2: Architecture for Resilient Data Storage services.
Hemayamini Kurra, Masters student; Xiaoran Li, Masters student
The resilient cloud storage services are implemented as shown in the above figure. The secure communications and self-management modules of the RCS (Resilient Cloud Services) architecture play a vital role in the resilient storage services. When a client requests to use the cloud data storage services, such as reading or writing a file, the SM (Self Management) module initiates the communication by checking the authentication of the client. The CA certificates are verified by both the client and the SM module. This establishes the first level of authentication of the client to the SM server. Then the SM module initiates the DH key generation algorithm between the SMA (Storage Management Agent) and the SM module. Once the key is generated, it is distributed to the client. The client uses the key to encrypt the whole file or a portion of the file, depending on the resilience requirement for the storage service. The key is active for a period of time, which can be a random period; after that a new key must be generated, in a manner similar to frequency hopping in wireless networks. The length of the time window used for each key is decided by the SM module. When a small key is used, the time window should be small and the key can be hopped (key hopping is discussed in Section E) several times in order to keep the system secure and resilient to attacks: the attacker has less time to figure out the key, and by the time they know it, it will already have changed because the time window is small.
The encryption algorithm used here is DES (Data Encryption Standard) in CFB (Cipher Feedback) mode. The main characteristics are: key hopping, moving target defense, and file partitioning.

Current State: The storage servers are implemented using a cluster of virtual machines on different nodes of the IBM BladeCenter that is used as a private cloud test-bed. Storage 1 runs the Ubuntu 10.04 Linux operating system on all its virtual machines, which use the Hadoop Distributed File System. Storage 2 uses the Windows Server 2008 operating system with the Windows file system. OpenSSL is used to establish a secure communication channel between the SMA and the storage systems.
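The storage scheme described above, as an added illustration that is not the project's code: per-partition keys derived from the DH-agreed master secret, a key window that shrinks with key length, CFB encryption of each partition, and re-keying once a window has elapsed. The window policy and the keyed-hash stand-in for the DES block function are assumptions of this example; the master secret and file contents are constructed.

```python
"""Storage Dynamic Encryption sketch: per-partition keys from a DH-agreed master
secret, time-window key hopping, CFB mode.  Added illustration, not project code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

BLOCK = 8  # DES block size in bytes; CFB here feeds back whole 8-byte segments


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for one DES block encryption (DES is not in the standard library).
    CFB only runs the block cipher in the forward direction, so any keyed PRF fits
    this slot; swap in a real DES call to match the deployed system."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Full-block CFB: S_i = E_k(C_{i-1}), C_i = P_i XOR S_i, with C_0 = IV.
    The same loop decrypts; only the value fed back (the ciphertext) differs."""
    out = bytearray()
    prev = iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        stream = block_fn(key, prev)
        res = bytes(a ^ b for a, b in zip(chunk, stream))
        out += res
        prev = chunk if decrypt else res  # ciphertext is what feeds back
    return bytes(out)


def window_seconds(key_len: int, base_seconds: int = 3600) -> int:
    """Assumed SM-module policy: a shorter key gets a proportionally shorter
    window (8-byte key = full window), so it is hopped more often."""
    return max(1, base_seconds * key_len // 8)


def hop_key(master: bytes, partition: int, window: int, key_len: int) -> bytes:
    """Derive the key active for (partition, window) from the master secret that
    the SM module and SMA agreed via DH (a constructed random value here).
    A hop is just window + 1: both sides derive the next key without a new
    exchange, the way frequency hopping advances channels."""
    info = f"sde|p={partition}|w={window}|len={key_len}".encode()
    return hmac.new(master, info, hashlib.sha256).digest()[:key_len]


@dataclass
class Partition:
    index: int
    window: int
    key_len: int
    iv: bytes
    ciphertext: bytes


def partition_data(data: bytes, n_parts: int) -> list:
    """Split a file into n_parts roughly equal chunks (fewer if the file is tiny)."""
    size = max(1, -(-len(data) // max(1, n_parts)))
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def encrypt_file(master: bytes, data: bytes, key_len: int, now: int,
                 n_parts: int = None) -> list:
    """Encrypt a file as a random number of partitions, each under its own key for
    the current window.  `now` is seconds since epoch, passed in for reproducibility."""
    if n_parts is None:
        n_parts = 2 + secrets.randbelow(4)  # random partition count, as in SDE
    window = now // window_seconds(key_len)
    parts = []
    for idx, chunk in enumerate(partition_data(data, n_parts)):
        key = hop_key(master, idx, window, key_len)
        iv = secrets.token_bytes(BLOCK)
        parts.append(Partition(idx, window, key_len, iv, cfb_crypt(key, iv, chunk)))
    return parts


def decrypt_file(master: bytes, parts: list) -> bytes:
    """Re-derive each partition's key from its stored window and reassemble."""
    return b"".join(
        cfb_crypt(hop_key(master, p.index, p.window, p.key_len), p.iv, p.ciphertext, True)
        for p in sorted(parts, key=lambda q: q.index))


def rekey_expired(master: bytes, parts: list, now: int) -> list:
    """Key hopping for data at rest: any partition whose window has elapsed is
    re-encrypted under the current window's key with a fresh IV."""
    fresh = []
    for p in parts:
        current = now // window_seconds(p.key_len)
        if p.window == current:
            fresh.append(p)
            continue
        plain = cfb_crypt(hop_key(master, p.index, p.window, p.key_len), p.iv, p.ciphertext, True)
        key = hop_key(master, p.index, current, p.key_len)
        iv = secrets.token_bytes(BLOCK)
        fresh.append(Partition(p.index, current, p.key_len, iv, cfb_crypt(key, iv, plain)))
    return fresh


if __name__ == "__main__":
    master = secrets.token_bytes(32)        # constructed stand-in for the DH secret
    parts = encrypt_file(master, b"constructed meter log: 12.5 kWh, 13.1 kWh", 4, now=0)
    print(len(parts), "partitions; round trip ok:",
          decrypt_file(master, rekey_expired(master, parts, now=7200)) ==
          b"constructed meter log: 12.5 kWh, 13.1 kWh")
```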
Results:
Figure 3: File Size Vs overhead time for different keys.
The performance improvement factors for file sizes of 256 MB, 64 MB and 1 MB are 65.5%, 73.9% and 73.01% respectively.
Quantification of Resiliency
Project PIs: Drs. Salim Hariri and Youssif Al-Nashif
Graduate Student: Avinash K Gudagi
Webpage: http://acl.ece.arizona.edu/projects/current/mtdm/index.html
Motivation: A widespread interest in resilient cloud computing systems has emerged in the recent past, driven by advances in complex computational systems. In the past, these systems were designed to be defect-free so as to eliminate vulnerabilities to attackers and the chance of failure; however, it is now widely accepted that malicious attacks are unavoidable and will be able to penetrate the system. Quantifying the resilience of the cloud is difficult due to the heterogeneity of the environment, so a general, quantitative set of metrics for the resilience of cyber systems is impractical. Resilient computing systems should therefore be adaptive in nature, with the ability not only to thwart and recover from these attacks but to continue functioning normally in spite of them.

Goals/Objective: The main objective of the project is to develop a methodology for quantifying a system's resiliency factor, which could be used for a multitude of analytical comparisons. We define a model wherein we quantify the vulnerabilities based on the score of each vulnerability found in the system. Our model will then assist in selecting the optimal system among competing alternatives, using industry-recognized terminology and definitions. In this method, we intend to quantify resiliency by taking into consideration important metrics such as confidentiality, availability, integrity and exposure, which together constitute the security parameters of a system.

Project Methodology: The attack surface of a software system is an indicator of the system's security: the larger the attack surface of a system, the lower its security. The attack surface represents the area through which adversaries can exploit or attack the system via attack vectors. In an SBO-enabled environment, the attack surface measurement can be used to quantify the resilience of that environment. We will show that using the SBO algorithm decreases the attack surface and therefore increases resilience compared to a static execution environment. The first step in quantifying the attack surface is identifying the metric for the software system; this includes the operating systems, programming languages, and the network. The application will always have an attack surface less than or equal to the system attack surface, because the running application uses a subset of the system attack surface; not all of the system attack vectors apply to the application execution environment.

CVE (Common Vulnerabilities and Exposures), a public reference for information security vulnerabilities and exposures, is used to determine the confidentiality, integrity, and availability impact on the software system. CVSS (Common Vulnerability Scoring System) is used as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Cyber resilience depends on maintainability, dependability, safety, reliability, performability, and survivability, which are all functions of Confidentiality, Integrity, and Availability. In SBE, the execution time of the application is divided into phases and multiple operating systems are used across the stages. By the time the attacker tries to exploit a system, the application checkpoints have been transferred to another system. This leaves the attacker less time to exploit the vulnerabilities.
Figure 1: Framework of quantification of resiliency
Figure 2: components of CVSS score obtained for each vulnerability
Research tasks:
Need to quantify Availability, Reliability, and Performance of the system
Decide the required optimum number of:
- Versions
- Number of replicas
- Frequency of version change
Hacker Web (Securing Cyber Space): Understanding the Cyber Attackers and Attacks via Social Media Analytics
Project PIs: Drs. Salim Hariri and Youssif Al-Nashif
Collab. Faculty: Dr. Hsinchun Chen, Ronald Breiger, Tom Holt
Graduate Student: Karan Chadha
Webpage: http://acl.ece.arizona.edu/projects/current/scs/index.html
Motivation: Cyber security is an important challenge in today's world, as corporations, governments, and individuals have increasingly become victims of cyber-attacks. Such attacks exploit weaknesses in technical infrastructures and human behavior. Understanding the motivation and incentives of individuals and institutions, both as attackers and defenders, can aid in creating a more secure and trustworthy cyberspace. Instead of taking a reactive approach to infrastructure protection and damage control, proactive cyber security attribution and situational awareness of the sources of attacks will allow researchers and practitioners to better understand the community of cyber attackers (and the closely affiliated hacker community), their profiles and incentives, and the associated vast underground cyber-criminal networks and ecosystems. Developing "methods to model adversaries" is one of the critical but unfulfilled research needs recommended in the "Trustworthy Cyberspace" report by the National Science and Technology Council (2011).

Goals: Our research team will address important social science research questions of relevance to cyber attacker or hacker skills, community structure and ecosystem, contents and artifacts, and cultural differences. We will develop automated collection techniques for hacker forums and IRC (Internet Relay Chat) channels of the international (US, Russian and Chinese) hacker communities. We will also deploy scalable honeypot platforms to collect malware in the wild and generate feature representations for malware attribution. The proposed integrated computational framework and the resulting algorithms and software will allow social science researchers and security practitioners to: (1) detect, classify, measure and track the formation, development and spread of topics, ideas, and concepts in cyber attacker social media communication; (2) identify important and influential cyber criminals and their interests, intent, sentiment, and opinions in online discourses; and (3) induce and recognize hacker identities, online profiles/styles, communication genres, and interaction patterns.
RESEARCH GOALS / FUTURE TASKS:
Using automatic semantic role labelling, which automates the FrameNet approach (a lexical database of English that is both human- and machine-readable, based on annotating examples of how words are used in actual texts), for feature extraction and reduction from IRC messages.
Deploying open source malware analysis tools.
Developing the System Control and Management component.
Developing the Autonomic Bot Generator module.
Testing and evaluation of the previous task.
Dr. Hsinchun Chen, Ronald Breiger, Tom Holt
Diagram (text recovered from the figure): processing components labelled Meta Data Extraction; Semantic Role Parser; Mapping, Aggregate, Correlate; Message Stream Processing; Cluster, Classify, Associate; Text Extraction; Translate if not English; Statistical Natural Language Parser; Language Detection; Keyword Extraction; Noise Reduction.
Insider Threats Detection And Protection (ITDP)
Project PIs: Drs. Salim Hariri and Youssif Al-Nashif
Graduate Student: Nishanth Prakash
Webpage: http://acl.ece.arizona.edu/projects/current/idtp/index.html
Motivation: An Insider Threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. Insiders may have accounts giving them legitimate access to computer systems, with this access originally having been given to them to serve in the performance of their duties; these permissions could be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property as well as the methods that are in place to protect them. This makes it easier for the insider to circumvent any security controls of which they are aware. Physical proximity to data means that the insider does not need to hack into the organizational network through the outer perimeter by traversing firewalls; rather, they are in the building already, often with direct access to the organization's internal network. Insider threats are harder to defend against than attacks from outsiders, since the insider already has legitimate access to the organization's information and assets.
An insider may attempt to steal property or information for personal gain, or to benefit another organization or country. The threat to the organization could also be through malicious software left running on its computer systems by former employees, a so-called logic bomb.
Insider threats are often cited as the greatest security threat to an organization: a cost of US $13B alone; 87% of identified intruders at DOD were insiders; 46% of identified data breaches were from insiders (90% of which were malicious) (U.S.S.S.). The result is data leakage, espionage and sabotage.
About the Tool
Nagios is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. Nagios offers monitoring and alerting services for servers, switches, applications, and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved.
By using Nagios, you can:
Plan for infrastructure upgrades before outdated systems cause failures
Respond to issues at the first sign of a problem
Automatically fix problems when they are detected
Coordinate technical team responses
Ensure your organization's SLAs are being met
Ensure IT infrastructure outages have a minimal effect on your organization's bottom line
Monitor your entire infrastructure and business processes
The diagram below shows the operating principle of Nagios.
Present Work: Monitoring of Windows Systems Using NRPE
The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines. Since these resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Windows machines.
The NRPE addon consists of two pieces:
The check_nrpe plugin, which resides on the local monitoring machine
The NRPE daemon, which runs on the remote Linux/Unix machine
When Nagios needs to monitor a resource or service from a remote Linux/Unix machine:
Nagios will execute the check_nrpe plugin and tell it what service needs to be checked
The check_nrpe plugin contacts the NRPE daemon on the remote host over an (optionally) SSL-protected connection
The NRPE daemon runs the appropriate Nagios plugin to check the service or resource
The results from the service check are passed from the NRPE daemon back to the check_nrpe plugin, which then returns the check results to the Nagios process.
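The remote-side step of that flow, the plugin the NRPE daemon executes, as an added example that is not code from the newsletter or from the Nagios/NRPE project: a POSIX shell check written in the Nagios plugin convention and run against a constructed auth-log excerpt. The nrpe.cfg and check_nrpe lines in the header comment are assumed wiring, and the log path, host names and thresholds are placeholders.

```shell
#!/bin/sh
# Added example, not from the newsletter or the Nagios project: a minimal
# Nagios-plugin-style check of the kind the NRPE daemon runs on a monitored
# host. It follows the plugin convention (exit 0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN; one status line, perfdata after "|"), and NRPE passes that
# line and exit code back to check_nrpe on the Nagios server.
#
# Assumed (hypothetical) wiring, not taken from the page:
#   monitored host, nrpe.cfg:
#     allowed_hosts=<nagios-server-ip>   # only the monitoring server may connect
#     command[check_failed_logins]=/path/to/check_failed_logins.sh /var/log/auth.log 5 10
#   Nagios server, service check command:
#     check_nrpe -H <monitored-host> -c check_failed_logins
#   Thresholds live in nrpe.cfg, so dont_blame_nrpe can stay at its default of 0.

STATE_OK=0; STATE_WARNING=1; STATE_CRITICAL=2; STATE_UNKNOWN=3

# check_failed_logins LOGFILE WARN CRIT
# Counts "Failed password" records in LOGFILE and maps the count to a
# Nagios state; returns the state as its exit code.
check_failed_logins() {
    logfile=$1; warn=$2; crit=$3
    if [ ! -r "$logfile" ]; then
        echo "UNKNOWN - cannot read $logfile"
        return $STATE_UNKNOWN
    fi
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    count=$(grep -c 'Failed password' "$logfile" || true)
    perf="failed_logins=${count};${warn};${crit};0"
    if [ "$count" -ge "$crit" ]; then
        echo "CRITICAL - $count failed logins in $logfile | $perf"
        return $STATE_CRITICAL
    elif [ "$count" -ge "$warn" ]; then
        echo "WARNING - $count failed logins in $logfile | $perf"
        return $STATE_WARNING
    fi
    echo "OK - $count failed logins in $logfile | $perf"
    return $STATE_OK
}

# make_sample_log: writes a constructed auth-log excerpt (six failed logins
# among routine entries) to a temp file and prints its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 08:01:12 host sshd[2201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar  3 08:02:40 host sshd[2210]: Failed password for bob from 10.0.0.9 port 50130 ssh2
Mar  3 08:02:44 host sshd[2210]: Failed password for bob from 10.0.0.9 port 50130 ssh2
Mar  3 08:02:49 host sshd[2210]: Failed password for bob from 10.0.0.9 port 50130 ssh2
Mar  3 08:15:03 host CRON[2300]: pam_unix(cron:session): session opened for user root
Mar  3 08:31:20 host sshd[2355]: Failed password for invalid user admin from 10.0.0.9 port 50201 ssh2
Mar  3 08:31:25 host sshd[2355]: Failed password for invalid user admin from 10.0.0.9 port 50201 ssh2
Mar  3 08:31:31 host sshd[2355]: Failed password for invalid user admin from 10.0.0.9 port 50201 ssh2
Mar  3 09:00:00 host sshd[2400]: Accepted publickey for carol from 10.0.0.7 port 50310 ssh2
EOF
    echo "$f"
}

# When invoked by NRPE with three arguments, behave as the plugin itself.
if [ "$#" -eq 3 ]; then
    check_failed_logins "$@"
    exit $?
fi
```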
All Eyes on International Cybersecurity
Principal investigators: French partner — Mohand-Said Hacid; American partner — Salim Hariri
http://liris.cnrs.fr/cyber/
As pervasive cyberservices, like cloud computing, revolutionize the way we communicate and do business, working together to know when and how hackers will strike and collaborating with other nations to prevent and defend against cyberattacks is becoming more and more essential to keeping our world safe.
The Second Franco-American Workshop on CyberSecurity, held on Jan. 20 and 21, 2014 at the UA, gave more than 40 participants a comprehensive look at the state of cybersecurity threats and solutions and was a big step in the direction of international understanding.
Highlighting ongoing cybersecurity efforts and research in the United States and Europe, the workshop helped identify the evolving threat landscape, suggested new approaches for security, and explored ways to better equip students with workforce skills to combat cybersecurity attacks.
Alongside industry experts and faculty from the University of Illinois at Chicago and France’s University of Lyon, UA faculty presented research about resilient cloud services, securing smart grids, and human-centric predictive analytics of cyberthreats, among other topics.
Experts from IBM and Cloud Security Alliance added to the discussion with presentations about training students and helping everyday computer users think differently about online safety.
Motivations for cyberthreats and sophistication in creating these threats are rapidly evolving, said Sadu Bajekal, IBM senior technical staff member. Hackers are taking advantage of the human factor and becoming even better at attacking the everyday user.
Said Salim Hariri, ECE professor and director of the UA’s National Science Foundation Center for Cloud and Autonomic Computing, “In order to understand all threats regarding cybersecurity, it is critical to collaborate with industry partners like IBM and Cloud Security Alliance, who help us have a fuller picture.”
UA researchers identified three research areas – data security, resource management and resilient service-oriented architectures – on which they will work with the University of Lyon.
“It is my hope that we will have more collaborations with our partner universities, and this workshop allows us to strengthen those ties,” said Hariri, who directs the cybersecurity training project AskCyPert, a portal for teaching students and educators about cybersecurity and part of the AZSecure project.
AZSecure, a scholarship-for-service program that will support about 40 students over the next five years, and Hacker Web, which focuses on understanding cyberattackers via social media analytics, are among the newest UA cybersecurity projects. Both are funded by the National Science Foundation.
Workshop sponsors included the Partner University Fund, UA NSF Center for Cloud and Autonomic Computing, NSF Cybersecurity Scholarship for Service, and the University of Illinois Cooperative Information Systems and Organizational Research and Services Lab.
Ernesto Damiani, lead of the SESAR research lab and Head of the Universita degli Studi di Milano's Ph.D. program in Computer Science, talking about Cloud Security Certification at the first Franco-American workshop.
Sonia Benmokhtar, a CNRS researcher at the LIRIS lab, talking about Robust Byzantine Fault Tolerant State Machine Replication Protocols at the first Franco-American workshop.
Dr. Tamal Bose, Head of the Department of ECE at the University of Arizona, talking about the University of Arizona at the second Franco-American workshop.
Recent Graduates
Hamid graduated from the Electrical and Computer Engineering Department at the University of Arizona with a Ph.D. in computer engineering in August 2013 under the supervision of Dr. Salim Hariri. He joined the Autonomic Computing Lab at the University of Arizona when he started his Ph.D. in January 2010, and has also been collaborating with the Center for Cloud and Autonomic Computing (CAC) since then. As an active ACL and CAC member, his research focus has been on cybersecurity and autonomic protection systems. Hamid has conducted research on developing autonomic network protection systems based on protocol behavior analysis. The major outcomes of his research in the ACL lab have been the design and implementation of a DNS Autonomic Protection System (DNS-APS) and the Wireless Autonomic Protection System (WAPS). He has also been involved in other cloud cybersecurity projects as a CAC and ACL member. His Ph.D. dissertation topic is “An anomaly behavior analysis methodology for network centric systems”.
Hamid spent two summers at an internship with Microsoft working on Office 365 and Active Directory services. Currently he is part of the Microsoft Windows Azure Multi-Factor Authentication (MFA) team, where he works as a Software Developer to provide the Windows Azure services with more secure authentication by adding more authentication factors (e.g. phone calls and mobile apps, smart cards, biometrics, etc.).
Glynis Dsouza graduated from the Electrical and Computer Engineering Department at the University of Arizona with a Master's degree in computer engineering in May 2013 under the supervision of Dr. Salim Hariri. She was a research assistant at the Autonomic Computing Lab. Her research areas are mainly software resiliency, resilient computing systems and cloud security. She worked on moving target defense strategies for software and DDDAS systems. Currently she is part of the IBM software development group in Tucson.
Name: Weiming Wang
Visiting Scholar: 2001-2002
Affiliation: Dean, Zhejiang Gongshang University
Contact: [email protected]
Name: Dong Xiangdong
Visiting Scholar: 2001-2002
Affiliation: Beijing, China
Contact: [email protected]
Name: Subhra Saha
Year of Graduation: M.S., 2003
Affiliation: Adtran Inc
Contact: [email protected]
Name: Fahd Rasul
Year of Graduation: M.S., 2005
Affiliation: MBA 2010-2011, Cranfield School of Management
Contact: [email protected]
Name: Byoung Uk Kim
Year of Graduation: Ph.D., 2008
Affiliation: Senior Research Engineer, Ridgetop Group, Inc.
Contact: [email protected]
Name: Jang-Geun Ki
Visiting Scholar: 2002-2003 & 2010-2011
Affiliation: Konglu National University, South Korea
Contact: [email protected]
Name: Ishtiaq Hossain
Year of Graduation: M.S., 2010
Affiliation: Telenav
Contact: [email protected]
Name: Mohamed Djunaedi
Year of Graduation: M.S., 2001
Affiliation: EMC Corporation
Contact: [email protected]
Name: Huoping Chen
Year of Graduation: Ph.D., 2008
Affiliation: Microsoft/Research Software Design Engineer
Contact: [email protected]
Name: Traian Avram
Year of Graduation: M.S., 2006
Affiliation: EXL Service ROMANIA
Contact: [email protected]
Alumni Corner
We are very pleased to know that the graduates from our Autonomic Computing Laboratory (previously known as the High Performance Distributed Computing (HPDC) Lab, and the Internet Technology Laboratory) are doing very well, and to connect with them and let them know that we are proud of their achievements and successes. I am sure I missed some of our graduates; please forward this newsletter to those that we missed. Hopefully, they will email me their information so we can accurately account for all our alumni. We will update the list in the next issue and we will put your information on our website at http://nsfcac.arizona.edu
Name: Warren Zhang
Year of Graduation: Ph.D, 2007
Affiliation: Google
Contact : [email protected]
Name: Youssif Al-Nashif
Year of Graduation: Ph.D., 2008
Affiliation: Assistant Research Professor, the Univ. of Arizona
Contact: [email protected]
Name: George Zantis
Year of Graduation: M.S., 2007
Affiliation: Network Security Engineer
Contact: [email protected]
Name: Prasad Nellipudi
Year of Graduation: M.S., 2000
Affiliation: Technical Marketing Engineer, CISCO
Contact: [email protected]
Name: Prasad Vadlamani
Year of Graduation: M.S., 2004
Affiliation: Texas Medicaid, Data/BI Architect
Contact: [email protected]
Name: Samantha Quadros
Year of Graduation: M.S., 2001
Affiliation: NetFlix, Sr. Software Engineer
Contact: [email protected]
Name: Samer Fayssal
Year of Graduation: Ph.D., 2008
Affiliation: World Avenue Inc., Florida
Contact: [email protected]
Name: Sridhar H
Year of Graduation: M.S., 2001
Affiliation: Sr. Engr. at Silicon Labs, Austin, TX
Contact: [email protected]
Name: Tushneem Dharmagadda
Year of Graduation: M.S., 2003
Affiliation: Sr. Intellectual Property Design and Software Applications Engineer, Analog Devices Inc.
Contact: [email protected]
Name: Bihika Khargharia
Year of Graduation: Ph.D., 2008
Affiliation: CISCO
Contact: [email protected]
Name: Kiran Kumar Modukuri
Year of Graduation: M.S., ?
Affiliation: NetApp Inc.
Contact: [email protected]
Name: Aarthi Arun Kumar
Year of Graduation: M.S., 2007
Affiliation: Program Manager, Microsoft Corp
Contact: [email protected]
Name: Jingmei Yang
Year of Graduation: M.S., 2006
Affiliation: Care Everywhere
Contact: [email protected]
Name: Radhakrishnan Vijay
Year of Graduation: M.S., 2002
Affiliation: Nokia Siemens Networks, Development Manager
Contact: [email protected]
Name: Richard Wang
Visiting Scholar: 1998-2002
Affiliation: ITPOINTS
Contact: [email protected]
Name: Yan Wang
Year of Graduation: M.S., 2006
Affiliation: Qualcomm
Contact: [email protected]
Name: Yaser Jararweh
Year of Graduation: Ph.D., 2010
Affiliation: Computer Science Department, Jordan Univ. of Science and Technology
Contact: [email protected]
Name: Srividhya Subramanian
Year of Graduation: M.S., 2007
Affiliation: UMG Firmware Development Engineer, Intel Corp.
Name: Sri Harsha
Year of Graduation: M.S., 2010
Affiliation: University of Arizona
Contact: [email protected]
Name: Mohamed Tabris
Year of Graduation: M.S., 2010
Affiliation: Test Engineer, Texas Instruments, Tucson.
Contact: [email protected]
Name: Glynis Dsouza
Year of Graduation: M.S., 2012
Affiliation: IBM, Tucson.
Contact: [email protected]
Name: Venkata Krishna Nimmagadda
Year of Graduation: M.S., 2011
Affiliation: Firmware Engineer at Intel Corporation, Hillsboro, Oregon.
Contact: [email protected]
Name: Hamid Reza Alipour
Year of Graduation: Ph.D., 2012
Affiliation: Software Developer, Microsoft, Seattle.
Contact: [email protected]
Name: Haoting Luo
Year of Graduation: M.S., 2011
Affiliation: Design Engineer at Marvell Semiconductor.
Contact: [email protected]
Name: Don P Cox
Year of Graduation: Ph.D., 2011
Affiliation: Raytheon
Contact: [email protected]
Name: Sankaranarayanan Veeramoni Mythili
Year of Graduation: M.S., 2009
Affiliation: University of Arizona, CS, PhD student
Contact: [email protected]
Name: Ram P Viswanathan
Year of Graduation: M.S., 2009
Affiliation: Software Engineer at Qualcomm
Contact: www.linkedin.com/in/rampv
Name: Yeliang Zhang
Year of Graduation: Ph.D., 2007
Affiliation: Software Engineer, Yahoo.
Name: Guangzhi Qu
Year of Graduation: Ph.D., 2005
Affiliation: Associate Professor, Department of Computer Science and Engineering, Oakland University.
Contact: [email protected]
Name: Srinivas Singavarapu
Year of Graduation: M.S., 2003
Affiliation: Sr. MTS at VMware
Contact: www.linkedin.com/pub/srinivas-singavarapu/2/6ba/505
Benefits of NSF CAC Membership
CAC members will have access to leading-edge developments in autonomic computing and to knowledge accumulated by academic researchers and other industry partners. New members will join a growing list of members that includes Intel, Microsoft, Northrop-Grumman, NEC, Raytheon, Xerox, Air Force/Ball, and AVIRTEK. Benefits of membership include:
Collaboration with faculty, graduate students, post-doctoral researchers and other center partners;
Choice of project topics to be funded by members’ own contributions;
Formal periodic project reviews along with continuous informal interaction and timely access to reports, papers and intellectual property generated by the center;
Access to unique world-class equipment, facilities, and other CAC infrastructure;
Internships and recruitment opportunities among excellent graduate students;
Leveraging of investments, projects and activities by all CAC members;
Spin-off initiatives leading to new partnerships, customers or teaming for competitive proposals to funded programs.
Funding
Per NSF guidelines, industry and government contributions in the form of annual CAC memberships ($35K/year per regular membership), coupled with baseline funds from NSF and university matching funds, directly support the Center's expenses for personnel, equipment, travel, and supplies. Memberships provide funds to support the Center's graduate students on a one-to-one basis, and thus the size of the annual membership fee is directly proportional to the cost of supporting one graduate student, while NSF and university funds support various other costs of operation. Multiple annual memberships may be contributed by any organization wishing to support multiple students and/or projects. The initial operating budget for CAC is projected to be approximately $1.5M/year, including NSF and universities' contributions, in an academic environment that is very cost effective. Thus, a single regular membership is an exceptional value. It represents less than 3% of the projected annual budget of the Center yet reaps the full benefit of Center activities, a research program that could be significantly more expensive in an industry or government facility.
To Become a Member
Contact us at:
Director: Salim Hariri, (520) 621-4378, [email protected]
Research Director: Youssif Al-Nashif, (520) 621-9915, [email protected]
ECE Dept., 1230 E. Speedway, Tucson, AZ 85721-0104
http://nsfcac.arizona.edu
The mission of the NSF-CAC is to advance the knowledge of designing information systems and services that are self-managed with minimal involvement of users and administrators.