ua cac technews - nsf cac - homeacl.ece.arizona.edu/ua_tech_news/ua_tech_news_vol1issue4.pdf ·...

Spring 2014

UA CAC TechnewsUA CAC TechnewsUA CAC Technews

Update from the Director It is my pleasure to communicate with you through the Technews of the UA site of the NSF Center

on Autonomic Computing (NSF CAC). The NSF CAC is a center funded through the NSF Industry/

University Cooperative Research Centers program, industry, government agencies and matching

funds from member universities, which currently include the University of Florida (Lead), the Univer-

sity of Arizona, Rutgers, The State University of New Jersey and the Mississippi State University

(MSU).

I am pleased with the quality of the ongoing research projects and the strong support from our in-

dustrial and government members. We have built state of the art test-beds to support our research

activities in Cyber infrastructure security, critical infrastructure protection, and high performance cloud computing and

data centers that are critically important to develop and demonstrate the capabilities of our projects.

As we move forward, we would like to invite you to join the center so together we can develop innovative autonomic

technologies that will revolutionize how to design and deploy next generation information and communications services.

Salim Hariri, UA Site Director

Volume 2, Issue 4 Visit our website: http://nsfcac.arizona.edu

Inside this issue

About the center……………….1

Autonomic Cloud Management System…………………..3

Securing Smart Grids and Buildings Infrastructures and Services……………………..5

AskCypert: Programs to support cybersecurity Education and Training…………………….8

Wireless Autonomic Protection System……………………10

Cybersecurity Lab as a Service (CLaaS)………11

Intrusion Resilient Cloud Services…………………………....13

Quantification of Resiliency…………………….16

Hacker Web (Securing Cyber Space): Understanding the Cyber Attackers and Attacks via So-cial Media Analytics ………..18

Insider Threat Detection And Protection…………………….20

All Eyes on International Cybersecurity…………….22

Recent Graduates…………….26

Alumni Corner……….………27

Center Correspondences………….30

3

Autonomic Cloud Management System Project PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif Al---Nashif, Ali Akoglu Nashif, Ali Akoglu Nashif, Ali Akoglu

Graduate Students: Farah Fargo, Cihan Tunc Graduate Students: Farah Fargo, Cihan Tunc Graduate Students: Farah Fargo, Cihan Tunc Webpage: http://acl.ece.arizona.edu/projects/current/acms/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/acms/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/acms/index.html

With the rapid growth of data centers and clouds, the power consumption and power cost for such systems have become critically important to be managed efficiently. Several research studies have shown that data servers typi-cally operate at a low utilization of 10% to 15%, while their power consumption is close to those at peak loads. With this significant fluctuation in the workloads, an elastic delivery of computing services with an efficient power provi-sioning mechanism becomes an important design goal. Live workload migrations and virtualization are important techniques to optimize power and performance in large-scale data centers. Our work presents an application spe-cific autonomic power and performance management system that utilizes AppFlow-based reasoning to configure datacenter resources and workload allocations dynamically during runtime (Figure 1). Our approach continuously monitors the workload to determine the current operating point of both workloads and the virtual machines (VMs) running these workloads and then predict the next operating points for these VMs. This enables the system to allo-cate the appropriate amount of hardware resources that can run efficiently the VM workloads with minimum power consumption. We have experimented with and evaluated our approach to manage the VMs running RUBiS bidding application. Our experimental results showed that our approach can reduce the VMs’ power consumption up to 84% compared to static resource allocation and up to 30% compared to other methods with minimum performance degradation.

Figure 1: Autonomic Cloud Management Architecture

4

Our framework is shown in the figure below: Tt contains two parts as offline training phase (Figure 2.a) and online plan execution phase where the VM resources are configured (Figure 2.b). During the offline training phase, we train using different possible workloads. We monitor the systems and collect information about the runtime system behavior. Then we use an offline workload analysis to identify and characterize different workload types. We also map the workloads to different AppFlow types in this phase. Finally, we decide which configurations to use for each AppFlow type in the Plan Generation module in order to reduce power consumption without sacrificing performance. In the Plan Generation mod-ule, we also need the Application SLA documentation (which is prepared by the application users or providers) to know the allowable additional execution time.

During the online plan execution phase (Figure 2.b), the MS are monitored at runtime to decide current AppFlow

types by mapping each workload behavior to an AppFlow sub-cubes. Once the AppFlow type is identified, using Plan Selec-tion module the right configuration will be determined associated with the selected AppFlow type. Next Plan Execution module will be invoked to apply the decided configuration for that AppFlow type. The current configuration will only be changed if it is determined that the previously selected AppFlow type does not accurately model the current workload.

Figure 2: Framework

Farah Fargo

PhD student

Cihan Tunc

PhD student

Dr. Salim Hariri Dr. Ali Akoglu

Figure 2

Securing Smart Grids and Buildings Infrastructures and Services

Project PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif Al---Nashif Nashif Nashif

Graduate Students: Jesus Horacip Pacheco Ramirez Graduate Students: Jesus Horacip Pacheco Ramirez Graduate Students: Jesus Horacip Pacheco Ramirez Bilal Albaalbaki ,Jin Bai , Zhiwen PanBilal Albaalbaki ,Jin Bai , Zhiwen PanBilal Albaalbaki ,Jin Bai , Zhiwen Pan

Webpage: http://acl.ece.arizona.edu/projects/current/aimsg/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/aimsg/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/aimsg/index.html

The development of Smart Grids is strongly linked to the utilization of technology that has the capa-bility of enhancing system performance, reduce costs, and introduce new services by interconnecting (e.g. ZigBee, Wi-Fi, DNP3, BACNET) with internet (IoT). The problem arises when the system is directly exposed to attacks. Our goal is to build an effective intrusion detection system that can proactively de-tect anomalous actions generated by malicious devices from inside or outside networks.

Approach:

To automate any software module or resource, we add two software modules: Observer and Con-troller. The Observer is used for sensing and analyzing the current state of managed system and predict its

behavior. The controller executes recommended actions to keep the managed system operating normally (self-

manage).

5

BACnet The networking technology develop-

ment and increasing practical demand has led to extensive interconnection between Building Automation and Control (BAC) networks and external networks. The in-formation flow coming from the public networks massively elevates the risk of the networks being attacked by both in-side and outside intruders. This project proposes a framework for a rule based anomaly detection of Building Automation and Control Networks. We deploy anoma-ly detection approach to the building net-work by training the IDS with dataflow which is dynamically captured from Smart laboratory testbed through BACnet Protocol Observer module. The powerful rules acquired from the offline data mining procedure are capable to work with an extremely low false positive rate. A demonstration of detecting attacks which target Generic vulnerabilities of BACnet Protocol is made; a classification of detected attacks is done at the end. Our approach is summarized as following

Build a Smart Laboratory Testbed (SLT) using BACnet hardware devices.

Simulate a spoofed client which target Generic vulnerabilities of BACnet Protocol.

Feed the database with BACnet-Flow captured &decoded from real-time traffic.

Select suitable data mining algorithm to generate statistical rules.

Integrate rules into the intrusion detection system then test its performance.

DNP3 Due to the huge expansion in the deployment of intelligent devices in the critical infrastructures sector and the dependency of these devices on the internet, attackers with diverse motivations started targeting communication and control protocols of the theses devices. DNP3 over TCP/IP is one of those protocols, which is largely used in power industry. Since security was not one of the goals in designing DNP3, attackers can easily succeed in penetrating the DNP3 over TCP/IP communication system. In this paper, we pro-pose a novel rule-based anomaly detection tech-nique that is able to detect attacks that can’t be

prevented by the security layer of the DNP3. We show the effectiveness of the rules in detecting abnormal packets through both offline and online testing. The false posi-tive and false negative rates are both very low. We also propose a classification mech-anism for our detection tech-nique.

6

ZigBee This research aims to build an anoma-

ly Intrusion Detection System (IDS) for ZigBee wireless protocol. Our approach is summarized in the following “Provide the system with the required intelligence to protect itself from any insider or outsider attack. The detection is based on com-plete knowledge about the system, the normal and abnormal behaviors.” Our testbed consists of Advanced Meter Read-ing (AMR), Programmable Control Ther-mostat (PCT), Load Control Device (LCD), and In-Premise Display (IPD); these devic-es are managed through Digi commercial platform. To add a Smart Grid concept to our work, we are using a renewable ener-gy source (wind-turbine) beside the conventional power source. The traffic in the testbed consist of two parts: First, between ZigBee gateway and Digi web platform using Ethernet. Second, inside our Personal Area Network (PAN) using ZigBee mesh technology. Digi platform is used also to generate different types of normal packets as ZigBee beacon, ZigBee command, ZigBee data, IEEE802.15.4 ack, IEEE802.15.4 data, etc. To generate abnormal traffic we are using killerbee firmware as a ZigBee attack library. To launch the attacks we are using Arduino xbee shield with xbee pro transceivers.

Our Development Research is done under Linux environment. Ubisys radio receivers are being used to listen to ZigBee channels and sniff the traffic. We are using Wireshark protocol analyzer to show ZigBee packets. To store the normal and abnormal packets PSQL database are being used. After that we used Weka as a data mining tool to get the rules about the normal and abnormal traffic, and we used JRIP as a classifying algorithm. Our system is able to detect flooding attack with zero false negative alerts and zero false positive alerts. Our future work is divid-ed into three parts: 1- Develop a classifying tool for the tested attacks. 2- Develop a protection model based on our rule based intrusion detection system.

7

Jesus Horacip

Pacheco Ramirez

PhD student

Bilal Al baalbaki

Masters Student Zhiwen Pan

Masters Student

Jin Bai

Masters Student

AskCypert: Programs to support cybersecurity Education and Training

Project PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif Al---Nashif Nashif Nashif

Graduate Students: Kowsik KrishnanGraduate Students: Kowsik KrishnanGraduate Students: Kowsik Krishnan Webpage: http://www.askcypert.org/Webpage: http://www.askcypert.org/Webpage: http://www.askcypert.org/

Motivation of the project

Cyber attacks may disrupt or even completely stop the operations of large computer networks, factories and

chemical plants. They may also cause total collapse of financial systems and power grids. Economic catastrophes,

societal panic and disasters or even loss of life may accrue.

This prototype project will integrate research, education, and training programs to provide critically needed

testbeds, tools, and educational/training programs to allow students, researchers, professionals, and educators to

have hands-on experience in cybersecruity fundamentals, and how to detect vulnerabilities, and attacks, and also

protect our cybersecurity resources and services.

Project goal

The goal of this project is to develop an innovative and interactive cyber assistant, the we refer to as Ask Cy-

pert, to answer frequently asked questions by students and educators about cybersecurity issues, well as educa-

tional and training programs. Ask Cypert will provide Cybersecurity Laboratory as a Service (CLaaS) that will deliv-

er virtual cybersecurity laboratory, testbeds, attack libraries, monitoring and analysis tools. The capabilities that

will be provided by Ask Cypert site will allow to educate and train the next generation of the critically needed

skilled workforce to secure and protect the operations of our cyber resources and services.

Ask CyPert will provide the following capabilities:

Cybersecurity Laboratory as a Service (CLaaS). We will exploit virtual technologies and cloud services to allow

students to build any virtual cyberspace, and carry out any cybersecurity experiment. By providing easy to use

and available 24/7 monitoring, attack libraries, configurable cybersecurity virtual laboratory, analysis and visuali-

zation tools, students, and trainees will be able to see clearly how cyberattacks are launched, and the vulnerabili-

ties that are exploited.

Ask Cypert for Cybersecurity assistant in educational and training programs. All the knowledge, knows how

will be put into a cyber robot we refer to as Ask Cypert to provide 24 by seven support to any educational ques-

tion related to teaching cybersecurity at undergraduate and graduate levels. The Ask Cypert portal will have edu-

cational programs to teach, train and mentor cybersecurity fundamentals and hands on.

Cybersecurity Training and Educational Camps during the summer to train undergraduate students with em-

phasis on under representative groups on cybersecurity tools to detect and protect cyber resources and services.

Current State of the project

The development of the website, askCypert is almost complete. We have used a free open source content

management framework called Drupal which is written in PHP. Currently our website features common to content

8

management systems. These include user account registration and maintenance, menu management, RSS feeds,

page layout customization, and system administration.

The Drupal core installation can be used as a simple website, a single- or multi-user blog, an Internet forum,

or a community website providing for user-generated content.

Research tasks / Goals:

Class material is needed to teach Cyber Security

Need virtual experiments to show how certain types of network attacks work

Need to build virtual experiments online in order to test in a simulated environment

Use cyber security visualization tools to demonstrate the states of the networks

Need tools to simulate network attacks

9

Kowsik Krishnan Dr. Youssif Al Nashif

Research Professor

Wireless Autonomic Protection System Project PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif Al---

Nashif Nashif Nashif

Graduate Students: Pratik SatamGraduate Students: Pratik SatamGraduate Students: Pratik Satam Webpage: http://acl.ece.arizona.edu/projects/current/waps/Webpage: http://acl.ece.arizona.edu/projects/current/waps/Webpage: http://acl.ece.arizona.edu/projects/current/waps/

index.htmlindex.htmlindex.html

Motivation: Fast, easy and inexpensive deployment of wireless networks has made them one of the most popular communication environments. Wireless networks are becoming ubiquitous and widely used to transfer critical information such as banking accounts, credit cards , e-mails and social network credentials. The current security protocols for wireless net-

works have failed to address security attributes such as availability and integrity (e.g. denial of service, session hijacking and MAC address spoofing attacks). More over the current attack detection systems are signature based, and are not effective against new or modified attacks. We propose to develop a detection system for the Wi-Fi that not only has the ability to detect new or modified attacks but also has low false positives.

Goals:

Build a state of the art anomaly based wireless detection system.

Detect insider and outsider attacks.

Achieve low false positive and negative alarm.

Classify the attacks that are detected by the system.

Use the power of the received signal to identify the attacker and take preventive measures.

10

Current

State:

11

Cybersecurity Lab as a Service (CLaaS) Project PIs: Drs. Salim Hariri and Youssif AlProject PIs: Drs. Salim Hariri and Youssif AlProject PIs: Drs. Salim Hariri and Youssif Al---Nashif Nashif Nashif

Graduate Student: ShrivatsaGraduate Student: ShrivatsaGraduate Student: Shrivatsa Webpage: http://www.askcypert.org/node/5Webpage: http://www.askcypert.org/node/5Webpage: http://www.askcypert.org/node/5

Motivation: The exponential growth of Internet usage and the proportional increase in the cyber-attacks and security threats may affect the critical infrastructure, computer networks and financial systems. There is a severe shortage of workforce who are experts in the field of cybersecurity. This has encouraged us to develop educational and training programs to support students, professionals and teachers by offering them as cloud services.

Cyber security Lab as a Service (CLaaS), will allow the trainee to perform cyber security experiments and under-stand the underlying principles behind these attacks without the need of a physical lab by exploiting cloud virtual services and Software Defined Networks (SDN).

Goals: To develop an innovative and interactive cyber assistant on the fly to perform virtual cybersecurity ex-periments. CLaaS will support a wide range of virtual security experiments to learn about how attackers can launch DDoS, DNS attacks, wireless attacks and many more.

It will provide the user with attack libraries, configurable experiments along with analysis and virtualization tools. It will further educate students about the causes for these attacks and how these can be exploited. Students will also learn different protection techniques that can be implemented by using CLaaS tools.

Project Methodology: Our approach involves setting up of a cloud, specifically an OpenStack Cloud, with multi-ple services that will be utilized to facilitate the cybersecurity lab. Software Defined Networks will be used to initiate the creation of various network topologies. This infrastructure will essentially contain a request from the user that specifies the resources needed like number of virtual machines, the network to which VMs are connected, memory for each VM, etc.

An example of such request is shown below.

Typical CLaaS Request: I need a virtual experiment to learn about WiFi attacks.

Support Personnel Response: Guides how to build Experiment with attack libraries and virtual components that are already available.

Current State of the Project: We have built a private OpenStack Cloud with a single controller and multiple

compute nodes. We are capable of launching VMs as per the demand of the users with the necessary modifica-

tions to each of them. Various experiments related to cybersecurity attacks are being designed and developed to

suit the architecture of CLaas and provide maximum knowledge to the user.

Research Tasks:

We will implement various experiments on DoS, wireless security and also provide tools to analyze these

threats. Techniques to gain more protection from these attacks will be elucidated to the users. A resource man-

agement system will be developed to keep track of resources in the Cloud. Also, users will be able to launch their

own experiments on demand.

12

13

Intrusion Resilient Cloud Services Project PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif AlProject PIs: Drs. Salim Hariri, Youssif Al---Nashif Nashif Nashif

Graduate Students: Hemayamini Kurra, Xiaoran LiGraduate Students: Hemayamini Kurra, Xiaoran LiGraduate Students: Hemayamini Kurra, Xiaoran Li Webpage: http://acl.ece.arizona.edu/projects/current/mtdm/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/mtdm/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/mtdm/index.html

Cloud Computing is an emerging paradigm that aims at delivering computing, information services, and data storage as a utility service over a network or Internet. There is a strong interest in cloud computing due to their perfor-mance and cost reduction, but their rapid deployment will exacerbate the security problem. In addition, cloud com-puting integrates many technologies including virtualization, Web technologies, utility computing, and distributed data management, each with its own set of vulnerabilities. The adoption and proliferation of cloud computing will be severely impacted if cloud security is not adequately addressed. Traditional approaches to security will not work well in a cloud environment and it is widely believed that we cannot deliver cloud services that are 100% immune against cyber attacks and exploitations.

Figure 1: Architecture of RCS (Resilient Cloud Services)

With the advance of cloud computing technologies, there is a huge demand for computing resources and stor-age. Many organizations prefer to outsource their storage and other resources. As the data reside on the third par-ties data centers, security is becoming a major concern. Storage Dynamic Encryption (SDE) addresses the major secu-rity issues for cloud storage such as access control confidentiality, integrity, and secure communications. Our resili-ent approach is based on moving target defense and key hopping techniques. Data is partitioned into a random number of partitions where different keys are used to encrypt each partition. We also show that by using key hop-ping technique, we can reduce smaller key length that is normally used to improve performance without compro-mising the security.

Figure 2: Architecture for Resilient Data Storage services.

14

Hemayamini Kurra

Masters Student Xiaoran Li

Masters Student

The resilient cloud storage services are implemented as shown in the above figure. The secure communications and self-management modules presented in the RCS (Resilient cloud services) architecture play a vital role in resilient storage services. When a client requests to use the cloud data storage services such as reading, writing a file, the SM (Self Management) module initiates the communication by checking the authentication of the client. The CA certifi-cates are verified both by client and the SM module. This proves the 1st level of authentication of the client to the SM server. Then SM module initiates the DH key generation algorithm between the SMA (Storage management agent) and the SM module. Once the key is generated it is distributed to the client. The client uses the key for encrypting the whole file or a portion of the file depending on resilience requirement for the storage service. The key will be active for a period of time, that can be a random period, and after that a new key must be generated in a similar manner to fre-quency hopping in wireless networks. The length of the time window to be used for each key is decided by the SM module. When a small key is used, the time window should be small and it can be hopped (key hopping is discussed in Section E) several times in order to make the system secure and resilient to attacks; the attackers will have less time to figure out the key and by the time they know it, it will be changed since the time window is small in this case.

The encryption algorithm used here is DES (Data Encryption Standard) in CFB mode (Cipher Feedback). The main characteristics are: Key hopping Moving target defense File partitioning Current State: The storage servers are implemented using a cluster of virtual machines on different nodes on the IBM Blade cen-

ter that is used a private cloud test-bed. The storage 1 is using Ubuntu 10.04 Linux operating system that runs on all its virtual machines that use the Hadoop Distributed File system. Storage 2 is using Windows server 2008 Operating sys-tem with Windows File system. OpenSSL is used for establishing secure communication channel between SMA and storage systems.

Results:

Figure 3: File Size Vs overhead time for different keys.

The performance improvement factors for file sizes 256 MB, 64 MB and 1 MB are 65.5%, 73.9% and 73.01% respective-ly.

15

16

Quantification of Resiliency Project PIs: Drs. Salim Hariri and Youssif AlProject PIs: Drs. Salim Hariri and Youssif AlProject PIs: Drs. Salim Hariri and Youssif Al---Nashif Nashif Nashif

Graduate Student: Avinash K Gudagi Graduate Student: Avinash K Gudagi Graduate Student: Avinash K Gudagi Webpage: http://acl.ece.arizona.edu/projects/current/mtdm/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/mtdm/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/mtdm/index.html

Motivation: A widespread interest in resilient computing cloud system has emerged in the recent past to the recent advancement in complex computational systems. In the past, these systems were designed to be defect-free as to eliminate the vulnerabilities to attackers and chances of failures; however, it is now widely accepted that malicious attacks are unavoidable, and with the ability to penetrate the system. The process of quantifying the resilience of the cloud is a difficult process due to the heterogeneity of the environment, so a general and quantitative set of metrics for the resilience of cyber systems is impractical. Resilient computing systems should therefore be adaptive in nature with the ability to not only thwart and recover from these attacks but perform to function normally in spite of these attacks

Goals/Objective: The main objective of the project is to develop a methodology in order to quantify a system's re-siliency factor which could be used for a multitude of analytical comparisons. We define a model where in, we quan-tify the vulnerabilities based on the score and the corresponding vulnerability found in the system. Our model will then assist in the selection of the optimal system amongst competing alternatives, by using industry recognized ter-minology and definitions. In this method, we intend to quantify resiliency by taking into consideration important metrics such as confidentiality, availability, integrity and exposure which together constitute the security parame-ters of a system.

Project Methodology: The attack surface of a software system is an indicator of the system’s security. So the higher the attack surface for a system, the lower the security is for that system. The attack surface represents the area in which adversaries can exploit or attack the system through attack vectors. In a SBO enabled environment, the attack surface measurement can be used to quantify the resilience of that environment. We will show that using SBO algo-rithm will decrease the attack surface, and therefore, increase the resilience compared to a static execution envi-ronment. The first step in quantifying the attack surface is identifying the metric for the software system; this in-cludes the operating systems, programming languages, and the network. The application will always have an attack surface less than or equal to the system attack surface because the application while it is running will have a subset of the system attack surface; not all of the system attack vectors will apply to the application execution environ-ment.

CVE (Common Vulnerabilities and Exposures) which is a public reference for information security vulnerability and exposures, is used to determine the confidentiality, integrity, and availability of the software system. CVSS (Common Vulnerability Scoring System) is used as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Cyber resilience depends on main-tainability, dependability, safety, reliability, performability, and survivability which are all functions of Confidentiali-ty, Integrity, and Availability. In SBE, the execution time of the application is divided into phases and multiple oper-ating systems are used in each stage. By the time the attacker tries to exploit the systems, the application check-points are transferred on to another system. This in turn will result in the attacker to have less time to exploit the vulnerabilities.

17

Figure 1: Framework of quantification of resiliency

Figure 2: components of CVSS score obtained for each vulnerability

Research tasks:

Need to quantify Availability, Reliability, and Performance of the system

Decide the required optimum number of:

- Versions

- Number of replicas

- Frequency of version change

Hacker Web (Securing Cyber Space): Understand-ing the Cyber Attackers and Attacks via Social

Media Analytics Project PIs: Drs. Salim Hariri and Youssif AlProject PIs: Drs. Salim Hariri and Youssif AlProject PIs: Drs. Salim Hariri and Youssif Al---

Nashif Nashif Nashif

Collob. Faculty: Dr. Hsinchun Chen , Ronald Collob. Faculty: Dr. Hsinchun Chen , Ronald Collob. Faculty: Dr. Hsinchun Chen , Ronald Breiger, Tom HoltBreiger, Tom HoltBreiger, Tom Holt

Graduate Student: Karan ChadhaGraduate Student: Karan ChadhaGraduate Student: Karan Chadha Webpage: http://acl.ece.arizona.edu/projects/current/scs/Webpage: http://acl.ece.arizona.edu/projects/current/scs/Webpage: http://acl.ece.arizona.edu/projects/current/scs/

index.htmlindex.htmlindex.html

Motivation: Cyber security is an important challenge in today's world as corporations, governments, and indi-viduals have increasingly become victims of cyber-attacks. Such attacks exploit weaknesses in technical infra-structures and human behavior. Understanding the motivation and incentives of individuals and institutions, both as attackers and defenders, can aid in creating a more secure and trustworthy cyberspace. Instead of taking a reactive approach to infrastructure protection and damage control, proactive cyber security attribution and situa-tional awareness of the sources of attacks will allow researchers and practitioners to better understand the com-munity of cyber attackers (and the closely affiliated hacker community), their profiles and incentives, and the as-sociated vast underground cyber-criminal networks and ecosystems. Developing “methods to model adversaries” is one of the critical but unfulfilled research needs recommended in the “Trustworthy Cyberspace” report by the National Science and Technology Council (2011).

Goals: Our research team will address important social science research questions of relevance to cyber attacker or hacker skills, community structure and ecosystem, contents and artifacts, and cultural differences. We will develop automated hacker forums and IRC (Internet Relay Chat) collection techniques for the international (US, Russian and Chinese) hacker communities. We will also deploy scalable honeypot platforms to collect mal-ware in the wild and generate feature representation for malware attribution. The proposed integrated computa-tional framework and the resulting algorithms and software will allow social science researchers and security practitioners to: (1) detect, classify, measure and track the formation, development and spread of topics, ideas, and concepts in cyber attacker social media communication; (2) identify important and influential cyber criminals and their interests, intent, sentiment, and opinions in online discourses; and (3) induce and recognize hacker identities, online profiles/styles, communication genres, and interaction patterns

RESEARCH GOALS / FUTURE TASKS:

Using the Automatic semantic role labelling which automates the FrameNet approach (a lexical database of

English that is both human- and machine-readable, based on annotating examples of how words are used in

actual texts) for feature extraction and reduction from IRC messages

Deploying open source malware analysis tools.

Developing the System Control and Management component.

Developing the Autonomic Bot Generator module.

Testing and Evaluation of the previous task

18

19

Dr. Hsinchun Chen

Ronald Breiger

Tom Holt

Meta Data Extraction

Semantic Role Parser

Mapping Aggregate Correlate

Message Stream Processing

Cluster Classify associate

Text Extraction

Translate if not English

Statistical Natural Lan-guage Parser

Language Detection

Keyword Extraction

Noise Reduction

20

Insider threats Detection And Protection (ITDP) Project PIs: Drs. Salim Hariri and Youssif AlProject PIs: Drs. Salim Hariri and Youssif AlProject PIs: Drs. Salim Hariri and Youssif Al---Nashif Nashif Nashif

Graduate Student: Nishanth PrakashGraduate Student: Nishanth PrakashGraduate Student: Nishanth Prakash Webpage: http://acl.ece.arizona.edu/projects/current/idtp/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/idtp/index.htmlWebpage: http://acl.ece.arizona.edu/projects/current/idtp/index.html

Motivation: An Insider Threat is a malicious threat to an organization that comes from people within the organi-zation, such as employees, former employees, contractors or business associates, who have inside information con-cerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. Insiders may have accounts giving them legitimate access to computer systems, with this access originally having been given to them to serve in the performance of their duties; these permissions could be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property as well as the methods that are in place to protect them. This makes it easier for the insider to circumvent any security controls of which they are aware. Physical proximity to data means that the insider does not need to hack into the organiza-tional network through the outer perimeter by traversing firewalls, rather they are in the building already, often with direct access to the organization's internal network. Insider threats are harder to defend against than attacks from outsiders, since the insider already has legitimate access to the organization's information and assets.

An insider may attempt to steal property or information for personal gain, or to benefit another organization or country. The threat to the organization could also be through malicious software left running on its computer sys-tems by former employees, a so-called Logic bomb.

Often cited as the greatest security threat to an organization – Cost US $13B alone – 87% of identified intruders at DOD were insiders – 46% of identified data breaches were from insiders (90% were malicious) (U.S.S.S.) Thus re-sulting in data leakage, espionage, sabotage

About the Tool

Nagios is an open source computer system monitoring, network monitoring and infrastructure monitoring soft-ware application. Nagios offers monitoring and alerting services for servers, switches, applications, and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved.

By using Nagios, you can:

Plan for infrastructure upgrades before outdated systems cause failures

Respond to issues at the first sign of a problem

Automatically fix problems when they are detected

Coordinate technical team responses

Ensure your organization's SLAs are being met

Ensure IT infrastructure outages have a minimal effect on your organization's bottom line

Monitor your entire infrastructure and business processes

The below diagram shows the Operating principle of Nagios.

Present Work Monitoring of Windows System Using NRPE

The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on re-mote machines. Since these public resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Windows machines.

The NRPE addon consists of two pieces: – The check_nrpe plugin, which resides on the local monitoring machine – The NRPE daemon, which runs on the remote Linux/Unix machine

When Nagios needs to monitor a resource of service from a remote Linux/Unix machine: – Nagios will execute the check_nrpe plugin and tell it what service needs to be checked – The check_nrpe plugin contacts the NRPE daemon on the remote host over an (optionally) SSL-protected connection – The NRPE daemon runs the appro-priate Nagios plugin to check the service or resource – The results from the service check are passed from the NRPE daemon back to the check_nrpe plugin, which then returns the check results to the Nagios process.

21

All Eyes on International Cybersecurity Principal investigators: French partner — Mohand-Said Hacid

American partner — Salim Hariri http://liris.cnrs.fr/cyber/http://liris.cnrs.fr/cyber/http://liris.cnrs.fr/cyber/

As pervasive cyberservices, like cloud computing, revolutionize the way we communicate and do business, working together to know when and how hackers will strike and collaborating with other nations to prevent and defend against cyberattacks is becoming more and more essential to keeping our world safe.

The Second Franco-American Workshop on CyberSecurity, held on Jan. 20 and 21, 2014 at the UA, gave more than 40 participants a comprehensive look at the state of cybersecurity threats and solutions and was a big step in the direction of international understanding.

Highlighting ongoing cybersecurity efforts and research in the United States and Europe, the workshop helped identify the evolving threat landscape, suggested new approaches for security, and explored ways to better equip students with workforce skills to combat cybersecurity attacks.

Alongside industry experts and faculty from the University of Illinois at Chicago and France’s University of Lyon, UA faculty presented research about resilient cloud services, securing smart grids, and human-centric predictive ana-lytics of cyberthreats, among other topics.

Experts from IBM and Cloud Security Alliance added to the discussion with presentations about training students and helping everyday computer users think differently about online safety.

Motivations for cyberthreats and sophistication in creating these threats are rapidly evolving, said Sadu Bajekal, IBM senior technical staff member. Hackers are taking advantage of the human factor and becoming even better at attacking the everyday user.

Said Salim Hariri, ECE professor and director of the UA’s National Science Foundation Center for Cloud and Auto-nomic Computing, “In order to understand all threats regarding cybersecurity, it is critical to collaborate with in-dustry partners like IBM and Cloud Security Alliance, who help us have a fuller picture.”

UA researchers identified three research areas – data security, resource management and resilient service-oriented architectures – on which they will work with the University of Lyon.

“It is my hope that we will have more collaborations with our partner universities, and this workshop allows us to strengthen those ties,” said Hariri, who directs the cybersecurity training project AskCyPert, a portal for teaching stu-dents and educators about cybersecurity and part of the AZSecure project.

AZSecure, a scholarship-for-service program that will support about 40 students over the next five years, and Hack-er Web, which focuses on understanding cyberattackers via social media analytics, are among the newest UA cy-bersecurity projects. Both are funded by the National Science Foundation.

Workshop sponsors included the Partner University Fund, UA NSF Center for Cloud and Autonomic Computing, NSF Cybersecurity Scholarship for Service, and the University of Illinois Cooperative Information Systems and Organiza-tional Research and Services Lab.

Ernesto Damiani, lead of the

SESAR research lab and the Head of

the Universita degli Studi di Milano's

Ph.D. program in Computer Science,

talking about Cloud Security Certifica-

tion at first franco American workshop.

Sonia Benmokhtar, a

CNRS researcher at the

LIRIS lab , talking about

Robust Byzantine Fault

Tolerant State Machine

Replication Protocols at

first franco American

workshop.

Dr. Tamal Bose, Head of the

department of ECE at University

of Arizona, talking about the

university of Arizona at the sec-

ond franco American workshop

Hamid was graduated from the Electrical and Computer Engineering Depart-

ment at the University of Arizona with Ph.D. in computer engineering in August

2013 under supervision of Dr. Salim Hariri. He joined the Autonomic Computing

Lab at the University of Arizona when he started his Ph.D. in January 2010, and

has been also collaborating with Center for Cloud and Autonomic Computing

(CAC) since then. As an active ACL and CAC member his research focus has been

on cybersecurity and autonomic protection systems. Hamid has conducted re-

search on developing autonomic network protection systems based on protocol

behavior analysis. The major outcomes of his research in ACL lab have been the

design and implementation of a DNS Autonomic Protection System (DNS-APS)

and the Wireless Autonomic Protection System (WAPS). He has also been in-

volved in other cloud cybersecurity projects as a CAC and ACL member. His

Ph.D. dissertation topic is “An anomaly behavior analysis methodology for net-

work centric systems”.

Hamid spent two summers at an internship with Microsoft working on Office

365 and Active directory services.

Currently he is part of the Microsoft Windows Azure Multi-Factor Authentication (MFA) team, which he is

working as a Software Developer to provide the windows Azure services with more secure authentication

through adding more authentication factors (e.g. phone calls and mobile apps, smart cards, biometrics, etc.).

Glynis Dsouza was graduated from the Electrical and Computer Engineering Department at

the University of Arizona with Masters Degree in computer engineering in May 2013 under

supervision of Dr. Salim Hariri. She was the research assistant at Autonomic Computing

Lab. Her research areas are mainly Software Resiliency, resilient computing systems and

cloud security. She worked on Moving target defense strategies for software and DDDAS

systems. Currently she is a part of IBM software development group in Tucson.

Recent Graduates

26

Name: Weiming Wang Visiting Scholar: 2001-2002

Affiliation: Dean, Zhejiang Gongshang

University Contact : [email protected]

Name: Dong xiangdong Visiting Scholar: 2001-2002

Affiliation: Beijing, China

Contact : [email protected]

Name: Subhra Saha

Year of Graduation: M.S., 2003

Affiliation: Adtran Inc


Name: Fahd Rasul


Affiliation: MBA 2010-2011, Cranfield

School of Management


Name: Byoung Uk Kim

Year of Graduation: Ph.D, 2008

CAffiliation: Senior Research Engineer,

Ridgetop Group, Inc.


Name: Jang-Geun Ki

Visiting Scholar: 2002-2003 & 2010-2011

Affiliation: Konglu National University,

South Korea


Name: Ishtiaq Hossain


Affiliation: Telenav


Name: Mohamed Djunaedi


Affiliation: EMC Corporation

Contact: [email protected]

Name: Huoping Chen

Year of Graduation: Ph.D., 2008

Affiliation: Microsoft/Research Software

Design Engineer


Name: Traian Avram


Affiliation: EXL Service ROMANIA


27

We are very pleased to know that the graduates from our Autonomic Computing Laboratory (previously known as High Performance Distributed Computing (HPDC) Lab, and Internet Technology Laboratory) are do-ing very well and to connect with them and let them know that we are proud of their achievements and suc-cesses. I am sure I missed some of our graduates, please forward this newsletter to those that we missed. Hopefully, they will email me their information so we can accurately account for all our Almnis. We will update the list in the next issue and we will put your information on our website at http://nsfcac.arizona.edu

Alumni Corner

Name: Warren Zhang

Year of Graduation: Ph.D, 2007

Affiliation: Google


Name: Youssif Al-Nashif


Affiliation: the Univ. of Arizona

Assistant Research Professor


28

Name: George Zantis


Affiliation: Network Security Engineer


Name: Prasad Nellipudi


Affiliation: Technical Marketing

Engineer, CISCO


Name: Prasad Vadlamani


Affiliation: Texas Medicaid, Data/BI

Architect


Name: Samantha Quadros


Affiliation: NetFlix, Sr. Software

Engineer


Name: Samer Fayssal Year of Graduation: Ph.D., 2008

Affiliation: World Avenue Inc., Florida


Name: Sridhar H Year of Graduation: M.S., 2001

Affiliation: Sr. Engr. at Silicon Labs,

Austin, TX Contact : [email protected]

Name: Tushneem Dharmagadda Year of Graduation: M.S., 2003

Affiliation: Sr. Intellectual Property

Design and Software Applications

Engineer, Analog Devices Inc. Contact : [email protected]

Name: Bihika Khargharia


Affiliation: CISCO


Name: Kiran Kumar Modukuri

Year of Graduation: M.S., ?

Affiliation: NetApp Inc.


Name: Aarthi Arun Kumar Year of Graduation: M.S., 2007

Affiliation: Program Manager,

Microsoft Corp Contact : [email protected]

Name: Jingmei Yang


Affiliation: Care Everywhere


Name: Radhakrishnan Vijay


Affiliation: Nokia Siemens Networks,

Development Manager


Name: Richard Wang Visiting Scholar: 1998-2002

Affiliation: ITPOINTS Contact : [email protected]

Name: Yan Wang


Affiliation: Qualcom


Name: Yaser Jararweh,


Affiliation: Computer Science Department,

Jordan Univ. of Science and Technology


29

Name: Srividhya Subramanian


Affiliation: UMG Firmware Development

Engineer, Intel Corp.

Name: Sri Harsha


Affiliation: University of Arizona


Name: Mohamed Tabris


Affiliation: Test Engineer, Texas Instru-

ments, Tucson.


Name: Glynis dsouza Year of Graduation: M.S., 2012.

Affiliation: IBM, Tucson.


Name: Venkata Krishna Nimmagadda Year of Graduation: M.S., 2011

Affiliation: Firmware Engineer at Intel

Corporation, Hillsboro, Oregon.


Name: Hamid Reza Alipour Year of Graduation: Ph.D., 2012

Affiliation: Software Developer, Mi-

crosoft, Seattle. Contact : [email protected]

Name: Haoting Luo


Affiliation: Design Engineer at Marvell

Semiconductor.


Name: Don P Cox Year of Graduation: Ph.D., 2011

Affiliation: Raytheon


Name: Sankaranarayanan Veeramoni

Mythili


Affiliation: University of Arizona, CS,

PhD student


Name: Ram P Viswanathan


Affiliation: Software Engineer at Qual-

comm

Contact : www.linkedin.com/in/rampv

Name: Yeliang Zhang


Affiliation: Software Engineer, Yahoo.

Name: Guangzhi Qu


Affiliation: Associate Professor, Depart-

ment of Computer Science and Engineer-

ing, Oakland University.


Name: Srinivas Singavarapu


Affiliation: Sr. MTS at VMware

Contact : www.linkedin.com/pub/srinivas-

singavarapu/2/6ba/505

Benefits of NSF CAC Membership CAC members will have access to leading-edge developments in autonomic

computing and to knowledge accumulated by academic researchers and other

industry partners. New members will join a growing list of members that in-

cludes Intel, Microsoft, Northrop-Grumman, NEC, Raytheon, Xerox, Air Force/

Ball, and AVIRTEK. Benefits of membership include:

Collaboration with faculty, graduate students, post-doctoral researchers

and other center partners;

Choice of project topics to be funded by members’ own contributions;

Formal periodic project reviews along with continuous informal interac-

tion and timely access to reports, papers and intellectual property gener-

ated by the center.

Access to unique world-class equipment, facilities, and other CAC infra-

structure;

Internships and recruitment opportunities among excellent graduate stu-

dents.

Leveraging of investments, projects and activities by all CAC members.

Spin-off initiatives leading to new partnerships, customers or teaming for

competitive proposals to funded programs

Funding Per NSF guidelines, industry and government contributions in the form of annual CAC memberships ($35K/year

per regular membership), coupled with baseline funds from NSF and university matching funds, directly support the

Center's expenses for personnel, equipment, travel, and supplies. Memberships provide funds to support the Center's

graduate students on a one-to-one basis, and thus the size of the annual membership fee is directly proportional to

the cost of supporting one graduate student, while NSF and university funds support various other costs of operation.

Multiple annual memberships may be contributed by any organization wishing to support multiple students and/or

projects. The initial operating budget for CAC is projected to be approximately $1.5M/year, including NSF and univer-

sities contributions, in an academic environment that is very cost effective. Thus, a single regular membership is an

exceptional value. It represents less than 3% of the projected annual budget of the Center yet reaps the full benefit of

Center activities, a research program that could be significantly more expensive in an industry or government facility.

Universities To Become a Member Contact us at Director: Salim Hariri (520) 621-4378 [email protected]

Research Director: Youssif Al-Nashif (520)-621-9915 [email protected]

ECE Dept. 1230 E. Speedway Tucson, AZ 85721-0104

http://nsfcac.arizona.edu

Members

The mission of the

NSF-CAC is to advance

the knowledge of

designing Information

systems and services

that are self-managed

with minimal involve-

ment of users and

administrators.

ua cac technews - nsf cac - homeacl.ece.arizona.edu/ua_tech_news/ua_tech_news_vol1issue4.pdf ·...

Documents