Publications
Dedicated vs. distributed: a study of mission survivability metrics
November 7, 2011
Conference Paper
Published in:
MILCOM 2011, IEEE Military Communications Conf., 7-10 November 2011, pp. 1345-1350.
Topic:
R&D area:
R&D group:
Summary
A traditional trade-off when designing a mission critical network is whether to deploy a small, dedicated network of highly reliable links (e.g. dedicated fiber) or a largescale, distributed network of less reliable links (e.g. a leased line over the Internet). In making this decision, metrics are needed that can express the reliability and security of these networks. Previous work on this topic has widely focused on two approaches: probabilistic modeling of network reliabilities and graph theoretic properties (e.g. minimum cutset). Reliability metrics do not quantify the robustness, the ability to tolerate multiple link failures, in a distributed network. For example, a fully redundant network and a single link can have the same overall source-destination reliability (0.9999), but they have very different robustness. Many proposed graph theoretic metrics are also not sufficient to capture network robustness. Two networks with identical metric values (e.g. minimum cutset) can have different resilience to link failures. More importantly, previous efforts have mainly focused on the source-destination connectivity and in many cases it is difficult to extend them to a general set of requirements. In this work, we study network-wide metrics to quantitatively compare the mission survivability of different network architectures when facing malicious cyber attacks. We define a metric called relative importance (RI), a robustness metric for mission critical networks, and show how it can be used to both evaluate mission survivability and make recommendations for its improvement. Additionally, our metric can be evaluated for an arbitrarily general set of mission requirements. Finally, we study the probabilistic and deterministic algorithms to quantify the RI metric and empirically evaluate it for sample networks.
Summary
A traditional trade-off when designing a mission critical network is whether to deploy a small, dedicated network of highly reliable links (e.g. dedicated fiber) or a largescale, distributed network of less reliable links (e.g. a leased line over the Internet). In making this decision, metrics are needed that can express...
READ MORE
Achieving cyber survivability in a contested environment using a cyber moving target
May 1, 2011
Journal Article
Published in:
High Frontier, Vol. 7, No. 3, May 2011, pp. 9-13.
Topic:
R&D area:
R&D group:
Summary
We describe two components for achieving cyber survivability in a contested environment: an architectural component that provides heterogeneous computing platforms and an assessment technology that complements the architectural component by analyzing the threat space and triggering reorientation based on the evolving threat level. Together, these technologies provide a cyber moving target that dynamically changes the properties of the system to disadvantage the adversary and provide resiliency and survivability.
Summary
We describe two components for achieving cyber survivability in a contested environment: an architectural component that provides heterogeneous computing platforms and an assessment technology that complements the architectural component by analyzing the threat space and triggering reorientation based on the evolving threat level. Together, these technologies provide a cyber moving...
READ MORE
Creating a cyber moving target for critical infrastructure applications
March 19, 2011
Conference Paper
Published in:
5th IFIP Int. Conf. on Critical Infrastructure Protection, ICCIP 2011, 19-21 March 2011.
Topic:
R&D area:
R&D group:
Summary
Despite the significant amount of effort that often goes into securing critical infrastructure assets, many systems remain vulnerable to advanced, targeted cyber attacks. This paper describes the design and implementation of the Trusted Dynamic Logical Heterogeneity System (TALENT), a framework for live-migrating critical infrastructure applications across heterogeneous platforms. TALENT permits a running critical application to change its hardware platform and operating system, thus providing cyber survivability through platform diversity. TALENT uses containers (operating-system-level virtualization) and a portable checkpoint compiler to create a virtual execution environment and to migrate a running application across different platforms while preserving the state of the application (execution state, open files and network connections). TALENT is designed to support general applications written in the C programming language. By changing the platform on-the-fly, TALENT creates a cyber moving target and significantly raises the bar for a successful attack against a critical application. Experiments demonstrate that a complete migration can be completed within about one second.
Summary
Despite the significant amount of effort that often goes into securing critical infrastructure assets, many systems remain vulnerable to advanced, targeted cyber attacks. This paper describes the design and implementation of the Trusted Dynamic Logical Heterogeneity System (TALENT), a framework for live-migrating critical infrastructure applications across heterogeneous platforms. TALENT permits...
READ MORE
Design, implementation and evaluation of covert channel attacks
November 8, 2010
Journal Article
Published in:
2010 IEEE Int. Conf. on Technologies for Homeland Security, 8 November 2010, pp. 481-487.
Topic:
R&D area:
R&D group:
Summary
Covert channel attacks pose a threat to the security of critical infrastructure and key resources (CIKR). To design defenses and countermeasures against this threat, we must understand all classes of covert channel attacks along with their properties. Network-based covert channels have been studied in great detail in previous work, although several other classes of covert channels (hardware based and operating system-based) are largely unexplored. One of our contributions is investigating these classes by designing, implementing, and experimentally evaluating several specific covert channel attacks. We implement and evaluate hardware-based and operating system-based attacks and show significant differences in their properties and mechanisms. We also present channel capacity differences among the various attacks, which span three orders of magnitude. Furthermore, we present the concept of hybrid covert channel attacks which use two or more communication categories to transport data. Hybrid covert channels can be qualitatively harder to detect and counter than traditional covert channels. Finally, we summarize the lessons learned through covert channel attack design and implementation, which have important implications for critical asset protection and risk analysis. The study also facilitates the development of countermeasures to protect CIKR systems against covert channel attacks.
Summary
Covert channel attacks pose a threat to the security of critical infrastructure and key resources (CIKR). To design defenses and countermeasures against this threat, we must understand all classes of covert channel attacks along with their properties. Network-based covert channels have been studied in great detail in previous work, although...
READ MORE
TALENT: dynamic platform heterogeneity for cyber survivability of mission critical applications
October 29, 2010
Conference Paper
Published in:
Proc. Secure and Resilient Cyber Architecture Conf., SRCA, 29 October 2010.
Topic:
R&D area:
R&D group:
Summary
Despite the significant amount of effort that often goes into securing mission critical systems, many remain vulnerable to advanced, targeted cyber attacks. In this work, we design and implement TALENT (Trusted dynAmic Logical hEterogeNeity sysTem), a framework to live-migrate mission critical applications across heterogeneous platforms. TALENT enables us to change the hardware and operating system on top of which a sensitive application is running, thus providing cyber survivability through platform diversity. Using containers (a.k.a. operating system-level virtualization) and a portable checkpoint compiler, TALENT creates a virtual execution environment and migrates a running application across different platforms while preserving the state of the application. The state, here, refers to the execution state of the process as well as its open files and sockets. TALENT is designed to support a general C application. By changing the platform on-the-fly, TALENT creates a moving target against cyber attacks and significantly raises the bar for a successful attack against a critical application. Our measurements show that a full migration can be completed in about one second.
Summary
Despite the significant amount of effort that often goes into securing mission critical systems, many remain vulnerable to advanced, targeted cyber attacks. In this work, we design and implement TALENT (Trusted dynAmic Logical hEterogeNeity sysTem), a framework to live-migrate mission critical applications across heterogeneous platforms. TALENT enables us to change...
READ MORE
Data diodes in support of trustworthy cyber infrastructure
April 21, 2010
Journal Article
Published in:
6th Annual Cyber Security and Information Intelligence Research Workshop, Cyber Security and Information Intelligence Challenges and Strategies, CSIIRW10, 21 April 2010.
Topic:
R&D area:
R&D group:
Summary
Interconnections between process control networks and enterprise networks has resulted in the proliferation of standard communication protocols in industrial control systems which exposes instrumentation, control systems, and the critical infrastructure components they operate to a variety of cyber attacks. Various standards and technologies have been proposed to protect industrial control systems against cyber attacks and to provide them with confidentiality, integrity, and availability. Among these technologies, data diodes provide protection of critical systems by the means of physically enforcing traffic direction on the network. In order to deploy data diodes effectively, it is imperative to understand the protection they provide, the protection they do not provide, their limitations, and their place in the larger security infrastructure. In this work, we briefly review the security challenges in an industrial control system, study data diodes, their functionalities and limitations, and propose a scheme for their effective deployment in trusted process control networks (TPCNs.)
Summary
Interconnections between process control networks and enterprise networks has resulted in the proliferation of standard communication protocols in industrial control systems which exposes instrumentation, control systems, and the critical infrastructure components they operate to a variety of cyber attacks. Various standards and technologies have been proposed to protect industrial control...
READ MORE