
Publication


Featured research published by Matthew C. Elder.


2009 Cybersecurity Applications & Technology Conference for Homeland Security | 2009

Advances in Topological Vulnerability Analysis

Steven Noel; Matthew C. Elder; Sushil Jajodia; Pramod Kalapa; Scott O'Hare; Kenneth Prole

Currently, network administrators must rely on labor-intensive processes for tracking network configurations and vulnerabilities, which requires a great deal of expertise and is error prone. The organization of networks and the interdependencies of vulnerabilities are so complex as to make traditional vulnerability analysis inadequate. We describe a Topological Vulnerability Analysis (TVA) approach that analyzes vulnerability dependencies and shows all possible attack paths into a network. From models of the network vulnerabilities and potential attacker exploits, we discover attack paths (organized as graphs) that convey the impact of individual and combined vulnerabilities on overall security. We provide sophisticated attack graph visualizations, with high-level overviews and detail drill-down. Decision support capabilities let analysts make optimal tradeoffs between safety and availability, and show how to best apply limited security resources. We employ efficient algorithms that scale well to larger networks.


2013 6th International Symposium on Resilient Control Systems (ISRCS) | 2013

Cloud resiliency and security via diversified replica execution and monitoring

Azzedine Benameur; Nathan S. Evans; Matthew C. Elder

The Information Technology industry heavily relies on the cloud computing paradigm for large-scale infrastructures, and more military and critical infrastructure systems are moving towards cloud platforms as well. Leveraging the cloud can reduce the total cost of ownership and allocate resources on demand in order to cope with load. Two key expectations when shifting to cloud-based services are availability and security. However, recent outages with major Platform as a Service (PaaS) providers, reported widely in the press, have proven that even a cloud platform cannot provide perfect availability. In addition, a 2013 Defense Science Board report on “Cyber Security and Reliability in a Digital Cloud” finds that while some security practices can be improved in a cloud environment, some threats are different or exacerbated. In this paper we present an approach to leverage the elasticity and on-demand provisioning features of the cloud to improve resilience to availability concerns and common attacks. Our approach utilizes diversification of lightweight virtualized application servers for redundancy and protection against both application errors and network-based attacks.


Hawaii International Conference on System Sciences | 2010

Endpoint Configuration Compliance Monitoring via Virtual Machine Introspection

Darrell Kienzle; Ryan Persaud; Matthew C. Elder

We describe a system for externally monitoring endpoint configuration compliance of an end user system that provides a high assurance monitoring function and data. Typical approaches to monitoring for endpoint configuration compliance rely on the integrity of the endpoint's operating system and do not protect the monitoring function from subversion or spoofing by threats from within the monitored system. Our approach utilizes (1) a virtual machine architecture on the endpoint system to protect the monitoring function and (2) virtual machine introspection of the end user's environment. In this paper we describe our approach to external monitoring of endpoint configuration compliance, present the technical details of our monitoring system, provide a description of some experimentation and observations, and discuss some of the issues associated with external monitoring.


Communications and Networking Symposium | 2013

NICE: Network Introspection by Collaborating Endpoints

Darrell Kienzle; Nathan S. Evans; Matthew C. Elder

NICE, or Network Introspection by Collaborating Endpoints, is a research project that explores novel approaches to network discovery and topology mapping in enterprise networks. The goal of NICE is to develop and demonstrate a capability for mapping networks without relying on traditional network management tools and protocols (such as SNMP), which presume some knowledge of the network topology a priori and require administrative credentials to managed network devices in order to collect their data. NICE targets the security administrator - who does not have either the knowledge or authority to manage the network infrastructure - as opposed to the network administrator. The security administrator does have authority to manage client security software on every managed endpoint. By leveraging this presence on the endpoints, NICE attempts to extract the security-relevant network information that the security administrator needs in order to prevent, ameliorate, and respond to security incidents. The NICE project consists of research and development in multiple areas. NICE uses low-level network switch properties to locate and map all the switches on a subnet and then associate rogue systems with specific physical switches. NICE also captures a wealth of information about rogue systems, authorized systems/devices, and topology simply by listening to broadcast traffic. Lastly, NICE explores techniques for having pairs of endpoints talk across the network to infer the presence of intermediate devices and processing. We have produced a NICE integrated system prototype addressing these research areas and conducted some experimentation to evaluate the effectiveness and scalability of the approach.


Proceedings of the 9th Annual Cyber and Information Security Research Conference on | 2014

NICE: endpoint-based topology discovery

Darrell Kienzle; Nathan S. Evans; Matthew C. Elder

We present a novel method of layer 2 network topology discovery for Ethernet LANs through the coordinated operation of endpoints/hosts, part of a research project called NICE (Network Introspection by Collaborating Endpoints). Networks are constantly changing, including Ethernet LANs -- machines come and go, network hardware fails, switches are rewired, equipment is reconfigured. The layer 2 network represents a moving target, both for the attacker and the defender alike. It is necessary to understand the network, both before and during these changes. Existing network management approaches based on collecting and correlating SNMP data from managed layer 2 devices cannot see the complete picture of the network and cannot see all changes as they occur, in particular changes related to unmanaged devices. NICE is able to discover more information about the topology, including unmanaged devices, without the assistance of traditional network management tools and protocols. NICE requires no administrative access to networking hardware, is multi-platform, and discovers both consumer and enterprise layer 2 devices. The novel contributions of this paper include a layer 2 mapping protocol that requires neither SNMP access nor MAC address spoofing, and a working method to discover and locate non-NICE devices in the topology, improving upon existing research. We have performed extensive experimentation to validate our techniques and provide a comparison to existing research.


Cyber Security and Information Intelligence Research Workshop | 2009

External monitoring of endpoint configuration compliance

Darrell Kienzle; Ryan Persaud; Matthew C. Elder

We describe a system for externally monitoring endpoint configuration compliance of an end user system that provides a high assurance monitoring function and data. Typical approaches to monitoring for endpoint configuration compliance rely on the integrity of the endpoint's operating system and do not protect the monitoring function from subversion or spoofing by threats from within the monitored system. Our approach utilizes (1) a virtual machine architecture on the endpoint system to protect the monitoring function and (2) virtual machine introspection of the end user's environment. In this paper we describe our approach to external monitoring of endpoint configuration compliance, present the technical details of our monitoring system, and discuss some of the issues associated with external monitoring.


Workshop on Rapid Malcode | 2003

Recent worms: a survey and trends

Darrell Kienzle; Matthew C. Elder


Archive | 2010

System and method for vulnerability risk analysis

Matthew C. Elder; Darrell Kienzle; Pratyusa K. Manadhata; Ryan Persaud


Archive | 2005

Validation of secure sockets layer communications

Darrell Kienzle; Matthew C. Elder


International Conference on Distributed Computing Systems Workshops | 2012

The MEERKATS Cloud Security Architecture

Angelos D. Keromytis; Roxana Geambasu; Simha Sethumadhavan; Salvatore J. Stolfo; Junfeng Yang; Azzedine Benameur; Marc Dacier; Matthew C. Elder; Darrell Kienzle; Angelos Stavrou
