
Publication


Featured research published by Youssif B. Al-Nashif.


IEEE PES Innovative Smart Grid Technologies Conference | 2011

A testbed for analyzing security of SCADA control systems (TASSCS)

Malaz Mallouhi; Youssif B. Al-Nashif; Don Cox; Tejaswini Chadaga; Salim Hariri

The critical infrastructures of our society are in the process of being modernized. Most significantly impacted are the industrial control systems through replacement of old electromechanical systems with advanced computing and communication technologies. This modernization has introduced new vulnerabilities to those infrastructures. Securing critical infrastructures is a challenging research problem, as these control systems were not designed with security in mind. This paper presents a testbed designed to study and simulate the various available techniques for securing and protecting Supervisory Control and Data Acquisition (SCADA) systems against a wide range of cyber attacks. The testbed is also used to evaluate the detection rate, false alerts and effectiveness of the protection techniques. We present preliminary results on using the testbed to detect a selected set of cyber attacks and the impact of the protection techniques on the operations of the system.


International Conference on Autonomic Computing | 2008

Multi-Level Intrusion Detection System (ML-IDS)

Youssif B. Al-Nashif; Aarthi Arun Kumar; Salim Hariri; Guangzhi Qu; Yi Luo; Ferenc Szidarovszky

As the deployment of network-centric systems increases, network attacks are proportionally increasing in intensity as well as complexity. Attack detection techniques can be broadly classified as being signature-based, classification-based, or anomaly-based. In this paper we present a multi level intrusion detection system (ML-IDS) that uses autonomic computing to automate the control and management of ML-IDS. This automation allows ML-IDS to detect network attacks and proactively protect against them. ML-IDS inspects and analyzes network traffic using three levels of granularities (traffic flow, packet header, and payload), and employs an efficient fusion decision algorithm to improve the overall detection rate and minimize the occurrence of false alarms. We have individually evaluated each of our approaches against a wide range of network attacks, and then compared the results of these approaches with the results of the combined decision fusion algorithm.


Journal of Information Security | 2010

Game Theory Based Network Security

Yi Luo; Ferenc Szidarovszky; Youssif B. Al-Nashif; Salim Hariri

The interactions between attackers and network administrator are modeled as a non-cooperative non-zero-sum dynamic game with incomplete information, which considers the uncertainty and the special properties of multi-stage attacks. The model is a Fictitious Play approach along a special game tree when the attacker is the leader and the administrator is the follower. Multi-objective optimization methodology is used to predict the attacker’s best actions at each decision node. The administrator also keeps tracking the attacker’s actions and updates his knowledge on the attacker’s behavior and objectives after each detected attack, and uses it to update the prediction of the attacker’s future actions. Instead of searching the entire game tree, appropriate time horizons are dynamically determined to reduce the size of the game tree, leading to a new, fast, adaptive learning algorithm. Numerical experiments show that our algorithm has a significant reduction in the damage of the network and it is also more efficient than other existing algorithms.


International Conference on Mobile and Ubiquitous Systems: Networking and Services | 2007

Anomaly-Based Behavior Analysis of Wireless Network Security

Samer Fayssal; Salim Hariri; Youssif B. Al-Nashif

The exponential growth in wireless network faults, vulnerabilities, and attacks makes the wireless local area network (WLAN) security management a challenging research area. Newer network cards implemented more security measures according to the IEEE recommendations [14]; but the wireless network is still vulnerable to denial of service attacks or to other traditional attacks due to existing wide deployment of network cards with well-known security vulnerabilities. The effectiveness of a wireless intrusion detection system (WIDS) relies on updating its security rules; many current WIDSs use static security rule settings based on expert knowledge. However, updating those security rules can be time-consuming and expensive. In this paper, we present a novel approach based on multi-channel monitoring and anomaly analysis of station localization, packet analysis, and state tracking to detect wireless attacks; we use adaptive machine learning and genetic search to dynamically set optimal anomaly thresholds and select the proper set of features necessary to efficiently detect network attacks. We present a self-protection system that has the following salient features: monitor the wireless network, generate network features, track wireless network state machine violations, generate wireless flow keys (WFK), and use the dynamically updated anomaly and misuse rules to detect complex known and unknown wireless attacks. To quantify the attack impact, we use the abnormality distance from the trained norm and multivariate analysis to correlate multiple selected features contributing to the final decision. We validate our wireless self protection system (WSPS) approach by experimenting with more than 20 different types of wireless attacks. Our experimental results show that the WSPS approach can protect from wireless network attacks with a false positive rate of 0.1209% and more than 99% detection rate.


IEEE Transactions on Information Forensics and Security | 2015

Wireless Anomaly Detection Based on IEEE 802.11 Behavior Analysis

Hamid Alipour; Youssif B. Al-Nashif; Pratik Satam; Salim Hariri

Wireless communication networks are pervading every aspect of our lives due to their fast, easy, and inexpensive deployment. They are becoming ubiquitous and have been widely used to transfer critical information, such as banking accounts, credit cards, e-mails, and social network credentials. The more pervasive the wireless technology is going to be, the more important its security issue will be. Whereas the current security protocols for wireless networks have addressed the privacy and confidentiality issues, there are unaddressed vulnerabilities threatening their availability and integrity (e.g., denial of service, session hijacking, and MAC address spoofing attacks). In this paper, we describe an anomaly based intrusion detection system for the IEEE 802.11 wireless networks based on behavioral analysis to detect deviations from normal behaviors that are triggered by wireless network attacks. Our anomaly behavior analysis of the 802.11 protocols is based on monitoring the n-consecutive transitions of the protocol state machine. We apply sequential machine learning techniques to model the n-transition patterns in the protocol and characterize the probabilities of these transitions being normal. We have implemented several experiments to evaluate our system performance. By cross validating the system over two different wireless channels, we have achieved a low false alarm rate (<0.1%). We have also evaluated our approach against an attack library of known wireless attacks and have achieved more than 99% detection rate.


ACS/IEEE International Conference on Computer Systems and Applications | 2009

A game theory based risk and impact analysis method for Intrusion Defense Systems

Yi Luo; Ferenc Szidarovszky; Youssif B. Al-Nashif; Salim Hariri

An enormous amount of functions in our everyday life became dependent on computer networks. Network attacks become more sophisticated and perplexing. Defending against multi-stage attacks is a challenging process in Intrusion Defense Systems (IDS) due to their complexity. This paper presents a game theory method to analyze the risk and impact of multi-stage attacks in IDS. In this method, the interactions between the attacker and the administrator are modeled as a non-cooperative zero-sum multi-stage game and it is modeled as a min-max game tree where the attacker is the leader and the administrator is the follower. Alternating the actions between the administrator and the attacker forms the game tree, each of them will be allowed to play a single action at any given time. In this work, a new multi-stage attacker defender (MAD) algorithm is developed to help the administrator in defending against multi-stage attacks. The beliefs of the attacker and the administrator are updated based on the analysis of the life-cycle for the multi-stage attacks to reduce the horizon effect.


Enterprise Distributed Object Computing | 2007

Self-Configuration of Network Security

Huoping Chen; Youssif B. Al-Nashif; Guangzhi Qu; Salim Hariri

The proliferation of networked systems and services along with their exponential growth in complexity and size has increased the control and management complexity of such systems and services by several orders of magnitude. As a result, management tools have failed to cope with and handle the complexity, dynamism, and coordination among network attacks. In this paper, we present a self-configuration approach to control and manage the security mechanisms of large scale networks. Self-configuration enables the system to automatically configure security system and change the configuration of its resources and their operational policies at runtime in order to manage the system security. Our self-configuration approach is implemented using two software modules: component management interface (CMI) to specify the configuration and operational policies associated with each component that can be a hardware resource or a software component; and component runtime manager (CRM) that manages the component operations using the policies defined in CMI. We have used the self-configuration framework to experiment with and evaluate different mechanisms and strategies to detect and protect against a wide range of network attacks.


2014 International Conference on Cloud and Autonomic Computing | 2014

Autonomic Resilient Cloud Management (ARCM) Design and Evaluation

Cihan Tunc; Farah Fargo; Youssif B. Al-Nashif; Salim Hariri; John D. Hughes

Cloud Computing is emerging as a new paradigm that aims at delivering computing as a utility. For the cloud computing paradigm to be fully adopted and effectively used, it is critical that the security mechanisms are robust and resilient to faults and attacks. Securing cloud systems is extremely complex due to the many interdependent tasks such as application layer firewalls, alert monitoring and analysis, source code analysis, and user identity management. It is strongly believed that we cannot build cloud services that are immune to attacks. Resiliency to attacks is becoming an important approach to address cyber-attacks and mitigate their impacts. Resiliency for mission critical systems is demanded higher. In this paper, we present a methodology to develop an Autonomic Resilient Cloud Management (ARCM) based on moving target defense, cloud service Behavior Obfuscation (BO), and autonomic computing. By continuously and randomly changing the cloud execution environments and platform types, it will be difficult especially for insider attackers to figure out the current execution environment and their existing vulnerabilities, thus allowing the system to evade attacks. We show how to apply the ARCM to one class of applications, Map/Reduce, and evaluate its performance and overhead.


International Conference on Conceptual Structures | 2014

Static Versus Dynamic Data Information Fusion Analysis Using DDDAS for Cyber Security Trust

Erik Blasch; Youssif B. Al-Nashif; Salim Hariri

Information fusion includes signals, features, and decision-level analysis over various types of data including imagery, text, and cyber security detection. With the maturity of data processing, the explosion of big data, and the need for user acceptance; the Dynamic Data-Driven Application System (DDDAS) philosophy fosters insights into the usability of information systems solutions. In this paper, we explore a notion of an adaptive adjustment of secure communication trust analysis that seeks a balance between standard static solutions versus dynamic-data driven updates. A use case is provided in determining trust for a cyber security scenario exploring comparisons of Bayesian versus evidential reasoning for dynamic security detection updates. Using the evidential reasoning proportional conflict redistribution (PCR) method, we demonstrate improved trust for dynamically changing detections of denial of service attacks.


IEEE International Conference on Cloud Computing Technology and Science | 2013

Building resilient cloud services using DDDAS and moving target defence

Glynis Dsouza; Gabriel Rodríguez; Youssif B. Al-Nashif; Salim Hariri

It is widely accepted that we cannot build cloud systems that are free from vulnerabilities and cannot be penetrated or attacked. Our approach to address cloud security challenges is based on using the dynamic data driven application system (DDDAS) and moving target defence (MTD) strategies to develop resilient cloud services (RCS). The use of the MTD strategy makes it extremely difficult for an attacker to exploit existing vulnerabilities by varying different aspects of the system execution environment. By continuously changing the execution environment based on the DDDAS paradigm to meet the dynamic changes in system and application security requirements, we can reduce the attack surface and consequently, the attackers will have very limited time to figure out the current execution environment and what vulnerabilities are to be exploited. The DDDAS-based resilient cloud services (DRCS) implementation utilises the following capabilities: software behaviour encryption (SBE), replication, diversity, automated checkpointing and recovery.

Collaboration



Top Co-Authors

Yi Luo

University of Arizona

Erik Blasch

Air Force Research Laboratory
