Publication

Featured research published by Ehab Al-Shaer.


Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration | 2010

FlowChecker: configuration analysis and verification of federated openflow infrastructures

Ehab Al-Shaer; Saeed Al-Haj

It is difficult to build a real network to test novel experiments. OpenFlow makes it easier for researchers to run their own experiments by providing a virtual slice and configuration on real networks. Multiple users can share the same network by assigning a different slice to each one. Users are given the responsibility to maintain and use their own slice by writing rules in a FlowTable. Misconfiguration problems can arise when a user writes conflicting rules for a single FlowTable, or even within a path of multiple OpenFlow switches whose multiple FlowTables need to be maintained at the same time. In this work, we describe a tool, FlowChecker, to identify any intra-switch misconfiguration within a single FlowTable. We also describe the inter-switch or inter-federated inconsistencies in a path of OpenFlow switches across the same or different OpenFlow infrastructures. FlowChecker encodes FlowTable configurations using Binary Decision Diagrams and then uses model checking to model the inter-connected network of OpenFlow switches.


International Conference on Network Protocols | 2009

Network configuration in a box: towards end-to-end verification of network reachability and security

Ehab Al-Shaer; Wilfredo R. Marrero; Adel El-Atawy; Khalid Elbadawi

Recent studies show that configuration of network access control is one of the most complex and error-prone network management tasks. For this reason, network misconfiguration becomes the main source of network unreachability and vulnerability problems. In this paper, we present a novel approach that models the global end-to-end behavior of access control configurations of the entire network, including routers, IPSec, firewalls, and NAT, for unicast and multicast packets. Our model represents the network as a state machine where the packet header and location determine the state. The transitions in this model are determined by packet header information, packet location, and policy semantics for the devices being modeled. We encode the semantics of access control policies with Boolean functions using binary decision diagrams (BDDs). We then use computation tree logic (CTL) and symbolic model checking to investigate all future and past states of this packet in the network and verify network reachability and security requirements. Thus, our contribution in this work is the global encoding for network configurations that allows for general reachability and security property-based verification using CTL model checking. We have implemented our approach in a tool called ConfigChecker. While evaluating ConfigChecker, we modeled and verified network configurations with thousands of devices and millions of configuration rules, thus demonstrating the scalability of this approach.


International Conference on Smart Grid Communications | 2013

Randomizing AMI configuration for proactive defense in smart grid

Muhammad Qasim Ali; Ehab Al-Shaer; Qi Duan

Smart grids are capable of bi-directional communication between smart meters and headend systems. It is a core feature of the smart grid provided by the underlying Advanced Metering Infrastructure (AMI). Due to the critical nature of AMI, threats have been targeted towards it, and the need for a tailored defense mechanism has been highlighted in recent studies. Since a limited number of protocols and applications are supported in the AMI, it exhibits a predictable and deterministic behavior. This predictability makes it easier for an attacker to learn the network behavior and launch an evasion attack by generating similar traffic. To combat this, we present a mutable AMI configuration technique for Proactive Defense. We randomize three different configuration parameters in order to make the AMI behavior unpredictable. While providing the randomization, the approach stays deterministic for AMI devices like the smart collector in order to detect any evasion attempts. We use a real-world dataset comprising approximately 2000 meters collected at the AMI of a leading utility provider for analysis. We also use a smart grid testbed to show the effectiveness of our mutation technique.


International Conference on Security and Privacy in Communication Systems | 2012

Random Host Mutation for Moving Target Defense

Ehab Al-Shaer; Qi Duan; Jafar Haadi Jafarian

Exploiting the static configuration of networks and hosts has always been a great advantage for designing and launching decisive attacks. Network reconnaissance of IP addresses and ports is a prerequisite to many host and network attacks. At the same time, knowing IP addresses is required for service reachability in IP networks, which makes complete concealment of IP addresses for servers infeasible. In addition, changing IP addresses too frequently may cause serious ramifications, including service interruptions, routing inflation, delays and security violations. In this paper, we present a novel approach that turns end-hosts into untraceable moving targets by transparently mutating their IP addresses in an intelligent and unpredictable fashion, without sacrificing network integrity, manageability or performance. The presented technique is called Random Host Mutation (RHM). In RHM, moving target hosts are assigned virtual IP addresses that change randomly and synchronously in a distributed fashion over time. In order to prevent disruption of active connections, the IP address mutation is managed by network appliances and is totally transparent to end-hosts. RHM employs multi-level optimized mutation techniques that maximize uncertainty in adversary scanning by effectively using the whole available address range, while at the same time minimizing the size of routing tables and reconfiguration updates. RHM can be transparently deployed on existing networks on end-hosts or network elements. Our analysis, implementation and evaluation show that RHM can effectively defend against stealthy scanning, many types of worm propagation, and attacks that require reconnaissance for successful launching. We also show the performance bounds for moving target defense in a practical network setup.


IEEE Transactions on Smart Grid | 2013

A Noninvasive Threat Analyzer for Advanced Metering Infrastructure in Smart Grid

Mohammad Ashiqur Rahman; Ehab Al-Shaer; Padmalochan Bera

Advanced Metering Infrastructure (AMI) is the core component in a smart grid that exhibits a highly complex network configuration. AMI comprises heterogeneous cyber-physical components, which are interconnected through different communication media, protocols, and security measures. They are operated using different data delivery modes and security policies. The inherent complexity and heterogeneity in AMI significantly increase the potential of security threats due to misconfiguration or absence of defense, which may cause devastating damage to AMI. Therefore, there is a need for creating a formal model that can represent the global behavior of AMI configuration in order to verify the potential threats. In this paper, we present SmartAnalyzer, a security analysis tool, which offers manifold contributions: (i) formal modeling of AMI configuration that includes device configurations, topology, communication properties, interactions among the devices, data flows, and security properties; (ii) formal modeling of AMI invariants and user-driven constraints based on the interdependencies among AMI device configurations, security properties, and security control guidelines; (iii) verifying the AMI configurations' compliance with security constraints using a Satisfiability Modulo Theory (SMT) solver; (iv) reporting of potential security threats based on constraint violations; (v) analyzing the impact of potential threats on the system; and (vi) systematic diagnosing of SMT unsatisfiable traces and providing necessary remediation plans. The accuracy and scalability of the tool are evaluated on an AMI testbed and various synthetic test networks.


Communications and Networking Symposium | 2013

Efficient Random Route Mutation considering flow and network constraints

Qi Duan; Ehab Al-Shaer; Haadi Jafarian

In the current network protocol infrastructure, forwarding routes are mostly static except in case of failures or performance issues. However, static route selection offers a significant advantage for adversaries to eavesdrop on, or launch DoS attacks against, certain network flows. Previous works on multipath routing in wireless networks propose using random forwarding to avoid jamming and blackhole attacks [18]. However, this work is far from being practical for wired networks because of many topological and QoS constraints. Moreover, the potential for finding a significant number of disjoint paths in wired networks is extremely low, which consequently decreases the value of RRM. In this paper, we present a proactive Random Route Mutation (RRM) technique that enables randomly changing the routes of multiple flows in a network simultaneously to defend against reconnaissance, eavesdropping and DoS attacks, while preserving end-to-end QoS properties. Our contributions in this paper are three-fold: (1) modeling RRM as a constraint satisfaction problem using Satisfiability Modulo Theories (SMT) to identify efficient practical route mutations, (2) proposing a new overlay placement technique that can maximize the effectiveness of RRM in visualized networks, and (3) developing analytical and experimental models to measure the effectiveness of RRM under different adversary models and network parameters. We develop a prototype RRM implementation in Software Defined Networks (SDNs). Our analysis, simulation and preliminary implementation show that RRM can protect at least 90% of the packet flow from being attacked by realistic attackers, as compared with static routes. Our evaluation study also shows that RRM can be efficiently deployed on both conventional networks and SDNs without causing any significant disruption for active flows.


IEEE Transactions on Network and Service Management | 2008

Efficient fault diagnosis using incremental alarm correlation and active investigation for internet and overlay networks

Yongning Tang; Ehab Al-Shaer; Raouf Boutaba

Fault localization is the core element in fault management. A symptom-fault map is commonly used to describe the symptom-fault causality in fault reasoning. For Internet service networks, a well-designed monitoring system can effectively correlate the observable symptoms (i.e., alarms) with the critical network faults (e.g., link failure). However, lost and spurious symptoms can significantly degrade the performance and accuracy of a passive fault localization system. For overlay networks, due to limited underlying network accessibility, as well as overlay scalability and dynamics, it is impractical to build a static overlay symptom-fault map. In this paper, we first propose a novel active integrated fault reasoning (AIR) framework to incrementally incorporate active investigation actions into the passive fault reasoning process based on an extended symptom-fault-action (SFA) model. Second, we propose an overlay network profile (ONP) to facilitate the dynamic creation of an overlay symptom-fault-action (called O-SFA) model, such that the AIR framework can be applied seamlessly to overlay networks (called O-AIR). As a result, the corresponding fault reasoning and action selection algorithms are elaborated. Extensive simulations and Internet experiments show that AIR and O-AIR can significantly improve both accuracy and performance in fault reasoning for Internet and overlay service networks, especially when the ratio of lost and spurious symptoms is high.


IEEE Transactions on Information Forensics and Security | 2015

An Effective Address Mutation Approach for Disrupting Reconnaissance Attacks

Jafar Haadi Jafarian; Ehab Al-Shaer; Qi Duan

Network reconnaissance of addresses and ports is a prerequisite to the vast majority of cyber attacks. Meanwhile, the static address configuration of networks and hosts simplifies adversarial reconnaissance for target discovery. Although the randomization of host addresses has been suggested as a proactive disruption mechanism against such reconnaissance, the proposed approaches do not exploit the full potential of address randomization in providing unpredictability and attack adaptability. Moreover, these approaches do not provide a thorough analysis of the effectiveness and limitations of address randomization against relevant threat models, including stealthy scanning and worms. In this paper, we present an effective address randomization technique, called random host address mutation (RHM), that turns end-hosts into untraceable moving targets. This technique achieves maximum efficacy by allowing address randomization to be highly unpredictable and fast, and adaptive to adversarial behavior, while incurring low operational and reconfiguration overhead. Our approach achieves the following objectives: (1) it achieves high uncertainty in adversary scanning by modeling address mutation randomization as a multi-level satisfiability problem; (2) it adapts the mutation scheme by fast characterization of adversarial reconnaissance patterns; (3) it achieves a high mutation rate by separating mutation from end-hosts and managing it via network appliances; and (4) it preserves network integrity, manageability and performance by bounding the size of routing tables, preserving end-to-end reachability, and efficiently handling reconfiguration updates. Our extensive analyses and simulation show that RHM distorts adversarial reconnaissance, slows down (deters) the attack, and increases its detectability. Consequently, RHM is effective in countering a significant number of sophisticated threat models, including reconnaissance, stealthy/evasive scanning methods, and targeted attacks. We also address the limitations of our approach in terms of effectiveness and applicability.


International Conference on Computer Communications | 2012

SmartAnalyzer: A noninvasive security threat analyzer for AMI smart grid

Mohammad Ashiqur Rahman; Padmalochan Bera; Ehab Al-Shaer

The Advanced Metering Infrastructure (AMI) is the core component in the smart grid that exhibits highly complex network configurations comprising heterogeneous cyber-physical components. These components are interconnected through different communication media, protocols, and secure tunnels, and they are operated using different data delivery modes and security policies. The inherent complexity and heterogeneity in AMI significantly increase the potential of security threats due to misconfiguration or absence of defense, which may cause devastating damage to AMI. Therefore, there is a need for creating a formal model that can represent the global behavior of AMI configuration in order to verify the potential threats. In this paper, we present SmartAnalyzer, a formal security analysis tool, which offers manifold contributions: (i) formal modeling of AMI configuration including device configurations, topology, communication properties, interactions between the devices, data flows, and security properties; (ii) formal modeling of AMI invariant and user-driven constraints based on the interdependencies between AMI device configurations, security properties, and security control guidelines; (iii) verifying the AMI configurations' compliance with security constraints using a Satisfiability Modulo Theory (SMT) solver; (iv) generating a comprehensive security threat report with a possible remediation plan based on the verification results. The accuracy, scalability, and usability of the tool are evaluated on a real smart grid environment and synthetic test networks.


International Conference on Computer Communications | 2015

Agile virtualized infrastructure to proactively defend against cyber attacks

Fida Gillani; Ehab Al-Shaer; Samantha Lo; Qi Duan; Mostafa H. Ammar; Ellen W. Zegura

DDoS attacks have been a persistent threat to network availability for many years. Most of the existing mitigation techniques attempt to protect against DDoS by filtering out attack traffic. However, as critical network resources are usually static, adversaries are able to bypass filtering by sending stealthy low-rate traffic from a large number of bots that mimic benign traffic behavior. Sophisticated stealthy attacks on critical links can cause devastating effects such as partitioning domains and networks. In this paper, we propose to defend against DDoS attacks by proactively changing the footprint of critical resources in an unpredictable fashion to invalidate an adversary's knowledge and plan of attack against critical network resources. Our approach employs virtual networks (VNs) to dynamically reallocate network resources using VN placement and offers constant VN migration to new resources. Our approach has two components: (1) a correct-by-construction VN migration planning that significantly increases the uncertainty about critical links of multiple VNs while preserving the VN placement properties, and (2) an efficient VN migration mechanism that identifies the appropriate configuration sequence to enable node migration while maintaining network integrity (e.g., avoiding session disconnection). We formulate and implement this framework using SMT logic. We also demonstrate the effectiveness of our implemented framework on both PlanetLab and Mininet-based experiments.

Collaboration

Top co-authors of Ehab Al-Shaer:

- Mohammad Ashiqur Rahman (Tennessee Technological University)
- Qi Duan (University of North Carolina at Charlotte)
- Mohammed Noraden Alsaleh (University of North Carolina at Charlotte)
- Muhammad Qasim Ali (University of North Carolina at Charlotte)
- Saeed Al-Haj (University of North Carolina at Charlotte)
- Fida Gillani (University of North Carolina at Charlotte)
- Jafar Haadi Jafarian (University of North Carolina at Charlotte)
- Christopher S. Oehmen (Pacific Northwest National Laboratory)
- Matthew J. Whelan (University of North Carolina at Charlotte)
- Timothy P. Kernicky (University of North Carolina at Charlotte)