Michael Atighetchi

Comparing and contrasting adaptive middleware support in wide-area and embedded distributed object applications

The Quality Objects (QuO) middleware is a set of extensions to standard distributed object computing middleware that is used to control and adapt the quality of service in a number of distributed application environments, from wide-area to embedded distributed applications. This paper compares and contrasts the characteristics of key use cases and the variations in QuO implementations that have emerged to support them. We present these variations in the context of several actual applications being developed using the QuO middleware.

Adaptive cyberdefense for survival and intrusion tolerance

While providing some resistance against cyberattacks, current approaches to securing networked and distributed information systems are mainly concerned with static prevention measures. For example, signature-based systems can only detect known attacks and tend to provide brittle, all-or-nothing protection. New work in survivability and intrusion tolerance focuses on augmenting existing information systems with adaptive defenses. A middleware-based survivability toolkit lets applications use network-and host-based mechanisms in their own defense.

Integrated Adaptive QoS Management in Middleware: A Case Study

Distributed real-time and embedded (DRE) systems in which application requirements and environmental conditions may not be known a priori—or which may vary at run-time—can benefit from an adaptive approach to management of quality-of-service (QoS) to meet key constraints, such as end-to-end timeliness. Moreover, coordinated management of multiple QoS capabilities across multiple layers of applications and their supporting middleware can help to achieve necessary assurances of meeting these constraints.This paper offers two contributions to the study of adaptive DRE computing systems: (1) a case study of our integration of multiple middleware QoS management technologies to manage quality and timeliness of imagery adaptively within a representative DRE avionics system and (2) empirical results and analysis of the impact of that integration on key trade-offs between timeliness and image quality in that system.

Building auto-adaptive distributed applications: the QuO-APOD experience

Exploiting autonomic adaptation in defending a distributed application is a relatively new research area. We describe how the QuO adaptive middleware was used to implement auto-adaptive defenses ranging from simple rapid response sensor-actuator tactics to more sophisticated containment and outrun strategies. In addition, we report on two experiments where live red team attacks were used to evaluate our auto-adaptive defense technology.

Attribute-Based Prevention of Phishing Attacks

This paper describes a set of innovative attribute based checks for defending against phishing attacks. We explain a number of anti-phishing algorithms implemented as plugins and highlight which attributes of phishing sites they consider.To assess the effectiveness and applicability of this prototype,we performed extensive experimental testing. We present a fully automated crawling framework that we developed for testing,along with the main experimental results.

An architecture for adaptive intrusion‐tolerant applications

Applications that are part of a mission‐critical information system need to maintain a usable level of key services through ongoing cyber‐attacks. In addition to the well‐publicized denial of service (DoS) attacks, these networked and distributed applications are increasingly threatened by sophisticated attacks that attempt to corrupt system components and violate service integrity. While various approaches have been explored to deal with DoS attacks, corruption‐inducing attacks remain largely unaddressed. We have developed a collection of mechanisms based on redundancy, Byzantine fault tolerance, and adaptive middleware that help distributed, object‐based applications tolerate corruption‐inducing attacks. In this paper, we present the ITUA architecture, which integrates these mechanisms in a framework for auto‐adaptive intrusion‐tolerant systems, and we describe our experience in using the technology to defend a critical application that is part of a larger avionics system as an example. We also motivate the adaptive responses that are key to intrusion tolerance, and explain the use of the ITUA architecture to support them in an architectural framework. Copyright

Use of machine learning in big data analytics for insider threat detection

In current enterprise environments, information is becoming more readily accessible across a wide range of interconnected systems. However, trustworthiness of documents and actors is not explicitly measured, leaving actors unaware of how latest security events may have impacted the trustworthiness of the information being used and the actors involved. This leads to situations where information producers give documents to consumers they should not trust and consumers use information from non-reputable documents or producers. The concepts and technologies developed as part of the Behavior-Based Access Control (BBAC) effort strive to overcome these limitations by means of performing accurate calculations of trustworthiness of actors, e.g., behavior and usage patterns, as well as documents, e.g., provenance and workflow data dependencies. BBAC analyses a wide range of observables for mal-behavior, including network connections, HTTP requests, English text exchanges through emails or chat messages, and edit sequences to documents. The current prototype service strategically combines big data batch processing to train classifiers and real-time stream processing to classifier observed behaviors at multiple layers. To scale up to enterprise regimes, BBAC combines clustering analysis with statistical classification in a way that maintains an adjustable number of classifiers.

Federated Access to Cyber Observables for Detection of Targeted Attacks

Current DoD enterprise networks routinely face targeted cyber attacks, and even though attack-related information is recorded in various places, this information is often left unexamined until after attacker objectives have been achieved. This is especially true for large networks consisting of continuously changing networked devices, including laptops, servers, printers, IP phones, and more. This paper describes the design of Gestalt, a next-generation cyber information management platform that simplifies access to cyber event data stored in the nooks and crannies of a distributed enterprise. The ready and secure access to cyber information provided by Gestalt is a key enabler for a new set of techniques that can detect and mitigate targeted cyber attacks within hours instead of months. Current state-of-the-art approaches to automated and operator assisted cyber defense are ill-suited to counter targeted cyber attacks because these technol-ogies (1) focus only on aggregated one-dimensional features across multiple devices, (2) do not provide the required coverage over all networked devices and observables accessible on those devices, and (3) lack the expressiveness and deeper semantic backing required to detect targeted attacks across a sea of low-level observables. Gestalt provides innovations in (1) automati-cally discovering devices and useful data sources in the enterprise (beyond simple IP connectivity), (2) maintaining a metadata in-dex of devices and observable information (even of devices with-out schemas and connectors), and (3) transparently decomposing and federating semantic graph queries to devices (rather than extracting and aggregating information in a central store), and integrating the results back into a well-defined ontology.

From Auto-adaptive to Survivable and Self-Regenerative Systems Successes, Challenges, and Future

This paper charts the course of adaptive behavior in intrusion tolerance, starting from pre-programmed and user-controlled reactive adaptation to highly sophisticated autonomic and cognitively driven adaptation. The goal of intrusion-tolerance is to provide mission continuity even under conditions of sustained cyber attacks. We describe key themes of our previous work in adaptive cyber defense and introduction of autonomic response capabilities and discuss challenges that warrant further research. We also discuss the potential impact of new trends in distributed systems, e.g., service-oriented architecture and cloud computing, on future survivable systems, and point out new opportunities for developing sophisticated auto-adaptive capabilities for increased survivability .

Trust Assessment from Observed Behavior: Toward and Essential Service for Trusted Network Computing

Modern distributed information systems handle increasingly critical data and computation, but there is no systematic way to assess whether a given part of the system can be entrusted with such data and computation on a continuous basis. In a highly interconnected networked environment, components with varying levels of trustworthiness must interact with each other. Occurrence and spread of attack induced failure imply that hosts once trusted cannot remain equally trusted all the time. System components and human operators can benefit from a scheme that assesses the trustworthiness of hosts i.e., the confidence that individual hosts are not corrupt, on a continuous basis by adjusting and adapting their behavior when a hosts trustworthiness diminishes. In this work in progress report we present an accusation based trust assessment scheme