Publications

Abstract not provided.

Today’s networked systems utilize advanced security components such as Next Generation Firewall (NGFW), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and methods for network traffic classification. A fundamental aspect of these security components and methods is network packet visibility and packet inspection. To achieve packet visibility, a compute mechanism used by these security components and methods is Deep Packet Inspection (DPI). DPI is used to obtain visibility into packet fields by looking deeper inside packets, beyond just IP address, port, and protocol. However, DPI is considered extremely expensive in terms of compute processing costs and very challenging to implement on high speed network systems. The fundamental scientific paradigm addressed in this research project is the application of greater network packet visibility and packet inspection at data rates greater than 40Gbps to secure computer network systems. The greater visibility and inspection will enable detection of advanced content-based threats that exploit application vulnerabilities and are designed to bypass traditional security approaches such as firewalls and antivirus scanners. Greater visibility and inspection are achieved through identification of the application protocol (e.g., HTTP, SMTP, Skype) and, in some cases, extraction and processing of the information contained in the packet payload. Analysis is then performed on the resulting DPI data to identify potentially malicious behavior. In order to obtain visibility and inspect the application protocol and contents at high speed data rates, advanced DPI technologies and implementations are developed.

Abstract not provided.

Adversary sophistication in the cyber domain is a constantly growing threat. As more systems become accessible from the Internet, the risk of breach, exploitation, and malice grows. To thwart reconnaissance and exploitation, Moving Target Defense (MTD) has been researched and deployed in various systems to modify the threat surface of a system. Tools are necessary to analyze the security, reliability, and resilience of their information systems against cyber-Attack and measure the effectiveness of the MTD technologies. Today's security analyses utilize (1) real systems such as computers, network routers, and other network equipment; (2) computer emulations (e.g., virtual machines); and (3) simulation models separately. In this paper, we describe the progress made in developing and utilizing hybrid Live, Virtual, Constructive (LVC) environments for the evaluation of a set of MTD technologies. The LVC methodology has been most rooted in the Modeling Simulation (MS) work of the Department of Defense. With the recent advances in virtualization and software-defined networking, Sandia has taken the blueprint for LVC and extended it by crafting hybrid environments of simulation, emulation, and human-in-The-loop. Furthermore, we discuss the empirical analysis of MTD technologies and approaches with LVC-based experimentation, incorporating aspects that may impact an operational deployment of the MTD under evaluation.

Adversary sophistication in the cyber domain is a constantly growing threat. As more systems become accessible from the Internet, the risk of breach, exploitation, and malice grows. To thwart reconnaissance and exploitation, Moving Target Defense (MTD) has been researched and deployed in various systems to modify the threat surface of a system. Tools are necessary to analyze the security, reliability, and resilience of their information systems against cyber-Attack and measure the effectiveness of the MTD technologies. Today's security analyses utilize (1) real systems such as computers, network routers, and other network equipment; (2) computer emulations (e.g., virtual machines); and (3) simulation models separately. In this paper, we describe the progress made in developing and utilizing hybrid Live, Virtual, Constructive (LVC) environments for the evaluation of a set of MTD technologies. The LVC methodology has been most rooted in the Modeling Simulation (MS) work of the Department of Defense. With the recent advances in virtualization and software-defined networking, Sandia has taken the blueprint for LVC and extended it by crafting hybrid environments of simulation, emulation, and human-in-The-loop. Furthermore, we discuss the empirical analysis of MTD technologies and approaches with LVC-based experimentation, incorporating aspects that may impact an operational deployment of the MTD under evaluation.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Wireless networking and mobile communications is increasing around the world and in all sectors of our lives. With increasing use, the density and complexity of the systems increase with more base stations and advanced protocols to enable higher data throughputs. The security of data transported over wireless networks must also evolve with the advances in technologies enabling more capable wireless networks. However, means for analysis of the effectiveness of security approaches and implementations used on wireless networks are lacking. More specifically a capability to analyze the lower-layer protocols (i.e., Link and Physical layers) is a major challenge. An analysis approach that incorporates protocol implementations without the need for RF emissions is necessary. In this research paper several emulation tools and custom extensions that enable an analysis platform to perform cyber security analysis of lower layer wireless networks is presented. A use case of a published exploit in the 802.11 (i.e., WiFi) protocol family is provided to demonstrate the effectiveness of the described emulation platform.

Abstract not provided.

The ability to simulate wireless networks at large-scale for meaningful amount of time is considerably lacking in today's network simulators. For this reason, many published work in this area often limit their simulation studies to less than a 1,000 nodes and either over-simplify channel characteristics or perform studies over time scales much less than a day. In this report, we show that one can overcome these limitations and study problems of high practical consequence. This work presents two key contributions to high fidelity simulation of large-scale wireless networks: (a) wireless simulations can be sped up by more than 100X in runtime using ideas from spatial indexing algorithms and clipping of negligible signals and (b) clustering and task-oriented programming paradigm can be used to reduce inter- process communication in a parallel discrete event simulation resulting in a better scaling efficiency.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Moving Target Defense (MTD) is based on the notion of controlling change across various system attributes with the objective of increasing uncertainty and complexity for attackers; the promise of MTD is that this increased uncertainty and complexity will increase the costs of attack efforts and thus prevent or limit network intrusions. As MTD increases complexity of the system for the attacker, the MTD also increases complexity and cost in the desired operation of the system. This introduced complexity may result in more difficult network troubleshooting and cause network degradation or longer network outages, and may not provide an adequate defense against an adversary in the end. In this work, the authors continue MTD assessment and evaluation, this time focusing on application performance monitoring (APM) under the umbrella of Defensive Work Factors, as well as the empirical assessment of a network-based MTD under Red Team (RT) attack. APM provides the impact of the MTD from the perspective of the user, whilst the RT element provides a means to test the defense under a series of attack steps based on the LM Cyber Kill Chain.

Abstract not provided.

Wireless systems and networks have experienced rapid growth over the last decade with the advent of smart devices for everyday use. These systems, which include smartphones, vehicular gadgets, and internet-of-things devices, are becoming ubiquitous and ever-more important. They pose interesting research challenges for design and analysis of new network protocols due to their large scale and complexity. In this work, we focus on the challenging aspect of simulating the inter-connectivity of many of these devices in wireless networks. The quantitative study of large scale wireless networks, with counts of wireless devices in the thousands, is a very difficult problem with no known acceptable solution. By necessity, simulations of this scale have to approximate reality, but the algorithms employed in most modern-day network simulators can be improved for wireless network simulations. In this report, we present advances that we have made and propositions for continuation of progress towards a framework for high fidelity simulations of wireless networks. This work is not complete in that a final simulation framework tool is yet to be produced. However, we highlight the major bottlenecks and address them individually with initial results showing enough promise.

Moving Target Defense (MTD) has received significant focus in technical publications. The publications describe MTD approaches that periodically change some attribute of the computer network system. The attribute that is changed, in most cases, is one that an adversary attempts to gain knowledge of through reconnaissance and may use its knowledge of the attribute to exploit the system. The fundamental mechanism an MTD uses to secure the system is to change the system attributes such that the adversary never gains the knowledge and cannot execute an exploit prior to the attribute changing value. Thus, the MTD keeps the adversary from gaining the knowledge of attributes necessary to exploit the system. Most papers conduct theoretical analysis or basic simulations to assess the effectiveness of the MTD approach. More effective assessment of MTD approaches should include behavioral characteristics for both the defensive actor and the adversary; however, limited research exists on running actual attacks against an implemented system with the objective of determining the security benefits and total cost of deploying the MTD approach. This paper explores empirical assessment through experimentation of MTD approaches. The cyber-kill chain is used to characterize the actions of the adversary and identify what classes of attacks were successfully thwarted by the MTD approach and what classes of attacks could not be thwarted In this research paper, we identify the experiment environments and where experiment fidelity should be focused to evaluate the effectiveness of MTD approaches. Additionally, experimentation environments that support contemporary technologies used in MTD approaches, such as software defined networking (SDN), are also identified and discussed.

Abstract not provided.

Moving Target Defense (MTD) is the concept of controlling change across multiple information system dimensions with the objective of increasing uncertainty and complexity for attackers. Increased uncertainty and complexity will increase the costs of malicious probing and attack efforts and thus prevent or limit network intrusion. As MTD increases complexity of the system for the attacker, the MTD also increases complexity in the desired operation of the system. This introduced complexity results in more difficult network troubleshooting and can cause network degradation or longer network outages. In this research paper the authors describe the defensive work factor concept. Defensive work factors considers in detail the specific impact that the MTD approach has on computing resources and network resources. Measuring impacts on system performance along with identifying how network services (e.g., DHCP, DNS, in-place security mechanisms) are affected by the MTD approach are presented. Also included is a case study of an MTD deployment and the defensive work factor costs. An actual experiment is constructed and metrics are described for the use case.

Abstract not provided.