Robert F. Erbacher
United States Army Research Laboratory
Publications
Featured research published by Robert F. Erbacher.
Proceedings of the First ACM Workshop on Moving Target Defense | 2014
Jun Xu; Pinyao Guo; Mingyi Zhao; Robert F. Erbacher; Minghui Zhu; Peng Liu
Moving Target Defense techniques have been proposed to increase uncertainty and apparent complexity for attackers. When more than one Moving Target Defense technique is effective at limiting the opportunities of an attack, these techniques must be compared so that the best defensive choice can be selected. In this paper, we propose a three-layer model to evaluate and compare the effectiveness of different Moving Target Defenses. The model is designed to fill a gap among existing evaluation methods and serves as a systematic framework for Moving Target Defense comparison.
visualization for computer security | 2012
Robert F. Erbacher
We present the design of a visualization technique based on the results of a human-in-the-loop process that relied on network managers and network analysts. The visualization design directly targets tasks identified by these domain experts, chiefly the need to provide rapid and immediate assessment of the state of the network and its associated hosts. This visualization technique, the Cyber Command Gauge Cluster (CCGC), allows analysts to review the state of the network and locate potentially problematic anomalies, drill down into those anomalies, and prioritize the anomalies for detailed analysis and remediation. By providing a summary representation combined with independent representations of critical parameters, the technique is unique in its ability to aid decision makers in making rapid assessments and prioritizations of identified anomalies. While the prototype focuses on network analysis, the technique is devised to provide generalized support for situational awareness in any domain. The generalized parameter mapping allows the technique to be applied at any level of decision making, from the front-line network analyst to the CIO.
FOSAD | 2014
Sabrina De Capitani di Vimercati; Robert F. Erbacher; Sara Foresti; Sushil Jajodia; Giovanni Livraga; Pierangela Samarati
Cloud computing has emerged as a successful paradigm allowing individual users as well as companies to resort to external providers for storing/processing data or making them available to others. Together with its many benefits, however, cloud computing introduces new security and privacy risks. A major issue is that the data owner, storing data at external providers, loses control over them, leaving them potentially exposed to improper access, use, or dissemination. In this chapter, we consider the problem of protecting the confidentiality of sensitive information when relying on external cloud providers for storing and processing data. We introduce confidentiality requirements and then illustrate encryption and data fragmentation as possible protection techniques. In particular, we discuss different approaches that have been proposed using encryption (with indexing) and fragmentation, either by themselves or in combination, to satisfy confidentiality requirements.
2012 International Conference on Cyber Security | 2012
Robert F. Erbacher; Steve Hutchinson
A substantial amount of cyber security analyst time is spent handling well-known and naïve threats and policy violations on the local network. This includes both the time spent actually identifying and analyzing the activity as well as generating and filing reports associated with the activity. With increasing concern over advanced persistent threats, there is an interest in the development of techniques to automatically handle well-known threats and policy violations. We propose extensions to existing case-based reasoning approaches to support the unique requirements of cyber security report generation. Specifically, we consider the fact that we are reporting on hostile actors that will attempt to game the system or manipulate the system to actually aid the actors in obfuscating their activity. In this paper, we describe the need for automated reporting, the applicability of case-based reasoning, our proposed extension to the standard case-based reasoning system model, and provide examples of the modified case-based reasoning system as applied to example cyber security scenarios.
Theory and Models for Cyber Situation Awareness | 2017
Chen Zhong; John Yen; Peng Liu; Robert F. Erbacher; Christopher J. Garneau; Bo Chen
Cyber defense analysts play a critical role in Security Operations Centers (SOCs), making sense of the immense amount of network monitoring data in order to detect and respond to cyber attacks, including large-scale attack campaigns involving advanced persistent threats. The network data continuously generated by multiple cyber defense systems, which may contain many false alerts, are overwhelming to the analysts. Analysts often need to make quick decisions/responses in a very short time based on their awareness of the situation at that moment. Data triage is the first and most fundamental step performed routinely by the analysts: it filters massive network monitoring data to identify known malicious events. Due to the high noise-to-signal ratio of network monitoring data, this step accounts for a very significant portion of the time and attention of intrusion detection analysts. Therefore, a smart human-machine system that improves the performance of the data triage operation in a SOC is highly desirable. In this chapter, we describe a human-centered smart data triage system that leverages the cognitive traces of intrusion detection analysts. Our approach is based on a dynamic cyber-human system that integrates three dimensions: cyber defense analysts, network monitoring data, and attack activities. The approach leverages recorded analytic processes of intrusion detection analysts, which we refer to as "cognitive traces". These traces capture the examples of malicious events the analysts detected in the network monitoring data. Such traces from senior analysts provide a powerful opportunity for training junior analysts in performing data triage operations. To realize this potential, we also developed a smart retrieval framework that automatically retrieves traces of senior analysts based on their similarity to the events already identified by a junior analyst. The traces from analysts, as demonstrated by a case study, also enable us to better understand their analytic processes in a systematic, yet minimally reactive way. We conclude this chapter by discussing limitations of the proposed framework and directions for future research on improving the data triage operations of cyber defense analysts.
2015 International Conference on Computing, Networking and Communications (ICNC) | 2015
Sulabh Bhattarai; Sixiao Wei; Stephen Rook; Wei Yu; Robert F. Erbacher; Hasan Cam
In this paper, we investigate the impact of jamming threats on the performance of LTE networks. First, we develop a three dimensional theoretical space to explore various jamming attacks. Next, we construct a set of attack scenarios by utilizing the dimensions of this space. To observe the impact on LTE network performance, we use ns-3 to implement the scenarios and to evaluate the attacks based on standard network metrics. The results demonstrate that our investigated jamming attacks can introduce significant performance degradation into LTE networks.
international conference on engineering secure software and systems | 2013
Nirupama Talele; Jason Teutsch; Trent Jaeger; Robert F. Erbacher
System administrators frequently use Intrusion Detection and Prevention Systems (IDPS) and host security mechanisms, such as firewalls and mandatory access control, to protect their hosts from remote adversaries. The usual techniques for placing network monitoring and intrusion prevention apparatuses in the network do not account for host flows and fail to defend against vulnerabilities resulting from minor modifications to host configurations. Therefore, despite widespread use of these methods, the task of security remains largely reactive. In this paper, we propose an approach to automate a minimal mediation placement for network and host flows. We use an Intrusion Prevention System (IPS) as a replacement for certain host mediations. Due to the large number of flows at the host level, we summarize information flows at the composite network level, using a conservative estimate of the host mediation. Our summary technique reduces the number of relevant network nodes in our example network by 80% and improves mediation placement speed by 87.5%. In this way, we effectively and efficiently compute network-wide defense placement for comprehensive security enforcement.
symposium on access control models and technologies | 2014
Nirupama Talele; Jason Teutsch; Robert F. Erbacher; Trent Jaeger
System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method to compute network monitor placements that leverages commonality in the available access control policies across hosts to compute network monitor placement for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing thousands of rules in seconds (less than 125 seconds for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.
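The two mediation-placement abstracts above (ESSoS 2013 and SACMAT 2014) both rest on the same idea: host access-control policies determine which network-facing programs can reach sensitive objects, and hosts with identical policies need not be analyzed separately. The Python below is an added illustration of that reduction, not code from the papers. It assumes a toy policy model (a permit rule `(subject, object)` means information may flow from subject to object), a hypothetical set of hosts, and hypothetical `NETWORK_FACING` and `SENSITIVE` labels; the papers' actual policy language and flow-equivalence definition are not reproduced here.

```python
"""Equivalence-class reduction of a network monitor placement problem.

Added illustration, not code from Talele et al. Each host's access-control
policy is a set of permit rules (subject, object): information may flow from
subject to object. Hosts whose canonicalised policies are identical form one
equivalence class, so the flow analysis (which network-facing subjects can
reach a sensitive object) runs once per class rather than once per host.
"""
from collections import defaultdict

# Constructed sample policies (hypothetical hosts, subjects and objects).
HOST_POLICIES = {
    "web-01": {("httpd", "tmp"), ("tmp", "cron"), ("cron", "shadow")},
    "web-02": {("httpd", "tmp"), ("tmp", "cron"), ("cron", "shadow")},
    # Same rules as web-01/02 written in a different order: still one class.
    "web-03": {("cron", "shadow"), ("httpd", "tmp"), ("tmp", "cron")},
    "db-01": {("sshd", "user_home"), ("mysqld", "db_files")},
    "kiosk-01": {("httpd", "tmp")},
}
NETWORK_FACING = {"httpd", "sshd", "mysqld"}  # subjects that read network input
SENSITIVE = {"shadow", "db_files"}  # objects whose compromise matters


def canonical(policy):
    """Order-independent key for a policy so identical rule sets compare equal."""
    return tuple(sorted(policy))


def reachable_from(policy, start):
    """Objects transitively reachable from `start` along permitted flows (DFS)."""
    adj = defaultdict(set)
    for subj, obj in policy:
        adj[subj].add(obj)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def exposed_flows(policy):
    """(network subject, sensitive object) pairs the host policy leaves unmediated."""
    return frozenset(
        (subj, obj)
        for subj in NETWORK_FACING
        for obj in reachable_from(policy, subj)
        if obj in SENSITIVE
    )


def equivalence_classes(host_policies):
    """Group hosts by canonical policy: one analysis per unique configuration."""
    classes = defaultdict(list)
    for host, policy in host_policies.items():
        classes[canonical(policy)].append(host)
    return classes


def place_monitors(host_policies):
    """Return (host -> network entry points needing a monitor, number of classes).

    The flow analysis runs len(classes) times, not len(host_policies) times;
    every host in a class inherits its class's result.
    """
    placement = {}
    classes = equivalence_classes(host_policies)
    for key, hosts in classes.items():
        entry_points = frozenset(subj for subj, _ in exposed_flows(set(key)))
        for host in hosts:
            placement[host] = entry_points
    return placement, len(classes)


if __name__ == "__main__":
    result, n_classes = place_monitors(HOST_POLICIES)
    print(f"{len(HOST_POLICIES)} hosts reduced to {n_classes} equivalence classes")
    for host, entries in sorted(result.items()):
        print(f"{host}: monitor in front of {sorted(entries) or 'nothing'}")
```

On the sample data the three web hosts collapse into one class whose `httpd` path reaches `shadow`, so a monitor is placed in front of `httpd`; `db-01` needs one in front of `mysqld`; `kiosk-01` exposes nothing. The point a practitioner should take from it is the scaling argument: the cost of the analysis is driven by the number of distinct configurations, which in a real fleet is far smaller than the number of hosts.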
Network Science and Cybersecurity | 2014
Massimiliano Albanese; Robert F. Erbacher; Sushil Jajodia; Cristian Molinaro; Fabio Persia; Antonio Picariello; Giancarlo Sperlì; V. S. Subrahmanian
Intrusion detection and alert correlation are valuable and complementary techniques for identifying security threats in complex networks. Intrusion detection systems monitor network traffic for suspicious behavior and trigger security alerts. Alert correlation methods can aggregate such alerts into multi-step attack scenarios. However, both methods rely on models encoding a priori knowledge of either normal or malicious behavior. As a result, these methods are incapable of quantifying how well the underlying models explain what is observed on the network. To overcome this limitation, we present a framework for evaluating the probability that a sequence of events is not explained by a given set of models. We leverage important properties of this framework to estimate such probabilities efficiently, and design fast algorithms for identifying sequences of events that are unexplained with a probability above a given threshold. Our framework can operate both at the intrusion detection level and at the alert correlation level. Experiments on a prototype implementation of the framework show that our approach scales well and provides accurate results.
international conference on communications | 2015
Maggie X. Cheng; Quanmin Ye; Xiaochun Cheng; Robert F. Erbacher
Network coding is a network layer technique to improve transmission efficiency. Coding packets is especially beneficial in a wireless environment where the demand for radio spectrum is high. However, to fully realize the benefits of network coding, two challenging issues must be addressed: (1) guaranteeing separation of coded packets at the destination, and (2) mitigating the extra coding/decoding delay. If the destination has all the packets needed to decode a coded packet, then separation failure can be averted. If the scheduling algorithm considers the arrival time of coding pairs, then the extra delay can be mitigated. In this paper, we develop a network coding method to address these two issues, i.e., decodability and delay, for multi-source multi-destination unicast and multicast sessions. We use linear programming to find the most efficient coding design solution with guaranteed decodability. To reduce network delay, we develop a scheduling algorithm to minimize the extra coding/decoding delay and store-and-forward delay. Our coding design method and scheduling algorithm are validated through experiments. Simulation results show improved transmission efficiency and reduced network delay.