Publications

5 Results

SCIBORG: Secure Configurations for the IoT Based on optimization and Reasoning on Graphs

2020 IEEE Conference on Communications and Network Security, CNS 2020

Soroush, Hamed; Albanese, Massimiliano; Mehrabadi, Milad A.; Iganibo, Ibifubara; Mosko, Marc; Gao, Jason H.; Fritz, David J.; Rane, Shantanu; Bier, Eric

Addressing security misconfiguration in complex distributed systems, such as networked Industrial Control Systems (ICS) and the Internet of Things (IoT), is challenging. Owners and operators must go beyond tuning parameters of individual components and consider the security implications of configuration changes on entire systems. Given the growing scale of cyber systems, this task must be highly automated. Unfortunately, prior work on configuration errors has largely ignored the security impact of configurations of connected components. To address this gap, we present SCIBORG, a framework that improves the security posture of distributed systems by examining the impact of configuration changes across interdependent components using a graph-based model of the system and its vulnerabilities. It formulates a Constraint Satisfaction Problem from the graph-based model and uses an SMT solver to find optimal configuration parameter values that minimize the impact of attacks while preserving system functionality. SCIBORG also provides supporting evidence for the proposed configuration changes. We evaluate SCIBORG on an IoT testbed.


Networked-based Cyber Analysis using Deep Packet Inspection (DPI) for High-Speed Networks

Van Leeuwen, Brian P.; Gao, Jason H.; Yin, Haikuo K.; Anthony, Benjamin A.; Urias, Vincent U.

Today’s networked systems utilize advanced security components such as Next Generation Firewalls (NGFW), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and methods for network traffic classification. A fundamental aspect of these security components and methods is network packet visibility and packet inspection. To achieve packet visibility, a compute mechanism used by these security components and methods is Deep Packet Inspection (DPI). DPI is used to obtain visibility into packet fields by looking deeper inside packets, beyond just IP address, port, and protocol. However, DPI is considered extremely expensive in terms of compute processing costs and very challenging to implement on high-speed network systems. The fundamental scientific paradigm addressed in this research project is the application of greater network packet visibility and packet inspection at data rates greater than 40 Gbps to secure computer network systems. The greater visibility and inspection will enable detection of advanced content-based threats that exploit application vulnerabilities and are designed to bypass traditional security approaches such as firewalls and antivirus scanners. Greater visibility and inspection are achieved through identification of the application protocol (e.g., HTTP, SMTP, Skype) and, in some cases, extraction and processing of the information contained in the packet payload. Analysis is then performed on the resulting DPI data to identify potentially malicious behavior. In order to obtain visibility and inspect the application protocol and contents at high-speed data rates, advanced DPI technologies and implementations are developed.
