Ritu Chadha

Cyber Deception: Virtual Networks to Defend Insider Reconnaissance

Advanced targeted cyber attacks often rely on reconnaissance missions to gather information about potential targets and their location in a networked environment to identify vulnerabilities which can be exploited for further attack maneuvers. Advanced network scanning techniques are often used for this purpose and are automatically executed by malware infected hosts. In this paper we formally define network deception to defend reconnaissance and develop RDS (Reconnaissance Deception System), which is based on SDN (Software Defined Networking), to achieve deception by simulating virtual network topologies. Our system thwarts network reconnaissance by delaying the scanning techniques of adversaries and invalidating their collected information, while minimizing the performance impact on benign network traffic. We introduce approaches to defend malicious network discovery and reconnaissance in computer networks, which are required for targeted cyber attacks such as Advanced Persistent Threats (APT). We show, that our system is able to invalidate an attackers information, delay the process of finding vulnerable hosts and identify the source of adversarial reconnaissance within a network, while only causing a minuscule performance overhead of 0.2 milliseconds per packet flow on average.

TimeSync: enabling scalable, high-fidelity hybrid network emulation

In this paper, we discuss a time synchronization approach to the time divergence problem in hybrid network emulation. Such emulation comprises primarily a discrete-event simulated network and virtual machines that send and receive traffic through the simulated network. For slower than real-time network simulations, the rate of time advance on virtual machines (real time) is faster than that of the discrete-event time. Consequently, packet transmission latency and other metrics in such hybrid network emulations will be distorted. As a result, e.g., TCP sessions between virtual machines may unduly time out. To address this problem, we have developed TimeSync, which tracks discrete-event simulation time to control time advance on virtual machines for slower than real time simulations so that time perception in the hybrid network emulation system is synchronized. We describe how TimeSync works and present our experimental evaluation and analysis.

CyberVAN: A Cyber Security Virtual Assured Network testbed

In this paper we describe CyberVAN, a Cyber Security Virtual Assured Network testbed. CyberVAN enables speedy and flexible setup of high-fidelity cyber security scenarios to evaluate the effectiveness of both novel existing cyber technologies. CyberVAN provides many features needed by cyber security researchers, developers and practitioners alike, and can be used for both verification and validation purposes. We provide an overview of CyberVANs functionality and a blueprint of the envisioned roadmap. Currently CyberVAN is available to ARL Cyber Security CRA (Collaborative Research Alliance) members. It is being used to evaluate CRA-developed cyber defense technologies and assess their applicability to the military strategic and tactical network environments.

ACyDS: An adaptive cyber deception system

In this paper we describe ACyDS, an adaptive cyber deception system. ACyDS provides a unique virtual network view to each host in an enterprise network. That is, a hosts view of its network, including subnet topology and IP address assignments of reachable hosts and servers, does not reflect physical network configurations and is different than the view of any other host in the network. ACyDS generates network views with the desired properties dynamically; it also changes every hosts network view on-the-fly. ACyDSs deception approach (i) deters reconnaissance if an intruder has compromised a host in the network, (ii) prevents collusion if multiple hosts have been compromised, and (iii) increases the likelihood and confidence of detecting the presence of intruders.

Towards network invariant fault diagnosis in MANETs via statistical modeling: The global strength of local weak decisions

Due to its obvious importance, fault detection and localization is a well-studied problem in communication networks, as attested by the many techniques designed to address this problem. The inherent variability, limited component reliability, and constrained resources of MANETs (Mobile Ad hoc Networks) make the problem not just more important, but also critical. Practical development and deployment considerations imply that fault detection and localization methods must i) avoid relying on overly detailed models of network protocols and traffic assumptions and instead rely on actual cross-layer measurements/observations, and ii) be applicable across different network scales and topologies with minimum adjustments. This paper demonstrates the feasibility of such goals, and proposes an important and as yet unexplored approach to fault management in MANETs: network-invariant fault detection, localization and diagnosis with limited knowledge of the underlying network and traffic models. We show how fault management methods can be derived by observing statistical network/traffic measurements in one network, and subsequently applied to other networks with satisfactory performance. We demonstrate that a carefully designed but widely applicable set of local and weak global indicators of faults can be efficiently aggregated to produce highly sensitive and specific methods that perform well when applied to MANETs with varying sizes, topologies, and traffic matrices.

Policy-based spectrum management architecture

The Department of Defense (DoD) is developing policy-based spectrum management (PBSM) concepts, architectures, and capabilities to improve DoDs use of the electromagnetic spectrum, particularly in the area of edge networking. This use of PBSM is a paradigm shift in the way DoD will manage the use of the electromagnetic spectrum in support of Dynamic Spectrum Access (DSA) enabled Policy Based Radios (PBRs). The multifaceted implications of PBSM need to be understood so that required changes to spectrum-related business processes (and the data and automated capabilities used within these processes) can be identified and coordinated with stakeholders. A major element of PBSM is the generation, distribution, and consumption of Digital Spectrum Policy (DSP) by DSA-enabled PBRs. The US Army Communications Electronics Research Development Engineering Center (CERDEC) is developing a broad set of DSA/PBSM-related capabilities including tools to generate DSP. The Defense Information Systems Agency Defense Spectrum Organization (DSO) is developing enterprise solutions for DSA/PBSM. CERDEC and DSO collaborated with BAE Systems and Applied Communication Sciences on the development of an end-to-end PBSM architecture called DSA Policy Management Architecture (DPMA). This paper presents a summary of the architecture development.

Detecting communication anomalies in tactical networks via graph learning

A widely practiced approach for detecting suspicious communication in a network is to formulate the problem as statistical anomaly detection. However, the communication patterns in mission-oriented tactical networks are highly variable and have a much richer structure than incorporated by existing anomaly detection methods. For instance, the legitimacy of a communication may depend on who sends the message to who, when and under what circumstances. Existing anomaly detection methods insensitively aggregate data losing critical contextual information about the structure of communication and as a consequence, they either fail to detect suspicious communication or produce excessive amount of false positives. We have developed an extended graph based anomaly detection method that allows us to incorporate the context and rich structure of communication in a mission-oriented tactical network to model and detect suspicious patterns. We use a vector-weighted multidigraph representation to model communication and use a given data to learn the graph, i.e., to determine the nodes, the edges, and their statistical attributes corresponding to normal communication. We then use deviations from the attributes of normal communications to detect the suspicious ones. We have applied the proposed approach to detect suspicious communication in a MANET comprising of USRP2 radios and successfully demonstrated the approach in TRL-6 demonstration of the TITAN project at Fort Dix. While our proposed approach is very general, only a part of it applies to the MANET under consideration and we used it to successfully detect various types of illegal messages, congestion, and the DDoS attack.

TREND: Trust estimation system for wireless networks via multi-pronged detection

We describe a system developed for the DARPA Wireless Network Defense (WND) program for detecting attacks against the control plane at the link and network layers in a mobile ad hoc network. The goal of our system is for each node to independently assess the trustworthiness of other nodes in its neighborhood, and to disseminate these assessments to other nodes. We have developed a cross-layer invariant-based technique for detecting control plane attacks that exploits the readily observable nature of the wireless medium. Nodes listen to the transmissions of other nodes in their neighborhood and compare their observed behavior with expected behavior. Opinions formed by nodes are shared with other nodes and are combined at each node to form a consolidated opinion about other nodes in the network. We tested our approach in a realistic environment using a high fidelity ns-2 simulation of a 50-node scenario provided by ARL and running 802.11 and OLSR that included multiple subnets, realistic tactical traffic, wireless channels and ranges, propagation models, and variations of mobility. We injected a wide range of attacks and a varied number of attackers, with attacks that included a randomized and variable number of false advertisements for the above protocols as well as malicious forwarding behaviors with varying drop rates, with and without colluding attackers. Our results show that we exceeded all of the WND metrics, namely: (i) We achieved a detection rate of greater than 95% for all attacks; (ii) Probability of false alarms <;0.0005%; (iii) Additional network overhead due to reliability estimation <;1% of network capacity.

Testing android devices for tactical networks: A hybrid emulation testbed approach

Commercial cellular phones, such as Android-based smart phones, are being introduced into the U.S. military battlefield. The use of such devices in the military contexts, however, often assumes different networking structures (e.g., mobile ad hoc networks) and uses different communication paradigms (e.g., IP multicast) than the commercial deployment. Testing Android-based applications for military scenarios using tethered military radios is laborious and expensive with respect to both time and resources. A laboratory testbed allowing for such testing at high fidelity is therefore much desired at both development and testing stages, prior to actual field tests such as the ongoing Network Integration Evaluation (NIE) events. This paper describes a hybrid emulation testbed approach that enables the creation of a laboratory test environment for testing military applications using both real and emulated Android devices under customizable and repeatable network scenarios. We present multiple approach variations that were designed to overcome the issues and constraints associated with different test needs.

Modular natural language interfaces to logic-based policy frameworks

Abstract We have developed a translation system that maps sentences of Attempto Controlled English to predicates of many-sorted first-order logic, which can be directly imported into a logic-based policy management framework. Our translation achieves broader coverage than prior work that uses ACE, by a novel application of modern compositional semantics. This translation also natively supports question answering. The system significantly features a modular architecture, enabling semi-automated porting to new policy domains. We initially developed the system for cognitive radio policies, then generalized and ported it to two other policy vocabularies. The system interoperates with policies written in the XACML language.