Contributions & accomplishments
Research Contributions and Accomplishments on Security and Resiliency
of Cyber and Cyber-Physical Systems
Overview
Professor Al-Shaer has established an outstanding research record as a leading expert in the area of analytics and automation for cyber and cyber-physical security and resiliency. Professor Al-Shaer's contributions in this area have advanced the state of the art by developing innovative techniques for automating "sense-making" and "decision-making" with provable and measurable security and resiliency properties. This includes large-scale enterprise systems, Software Defined Networks (SDN), cloud, and Wireless Sensor Networks (WSN), as well as cyber-physical systems such as energy delivery systems (EDS), industrial control systems (ICS), systems of Internet-of-things (IoT), and structural health monitoring (SHM) systems for physical infrastructures. To develop models for sense-making and decision-making, Prof. Al-Shaer's research analyzes many different cyber artifacts, including millions of configurations such as policy rules and system parameters, historic vulnerability data (e.g., CVE, XCCDF), traffic traces (e.g., NetFlow, DHS PREDICT/IMPACT), audit and system logs (e.g., meter logs, sensor measurements), provenance information, structured and unstructured cyber threat intelligence information (e.g., Symantec and STIX respectively), and incident reports (e.g., VERIS).
Formal-driven Analytics
In his research, Prof. Al-Shaer developed novel formal-driven analytics techniques, metrics and tools using various theories, including model checking, Satisfiability Modulo Theories (SMT), probabilistic and plausible reasoning, and game theory, to verify the trustworthiness of the system configuration, measure the system resiliency, characterize the attack surface based on adversary profile, estimate the potential impact of attacks, and generate cost-effective risk mitigation plans dynamically.
Metric-driven Cyber Defense Automation
His research has significantly contributed to the foundation of the science of cyber security and resiliency by developing metrics and methodologies for measuring the effectiveness of cyber defense techniques in terms of the following capabilities:
Cyber-Physical Security and Resiliency
In cyber-physical systems research, his contributions have advanced the science and engineering of security and resiliency of cyber-physical systems by developing formal- and data-driven analytics and metrics for measuring the potential and impact of coordinated stealthy attacks on interdependent CPS such as EDS and systems of IoT, and by synthesizing cost-effective mitigation countermeasures with provable security and resiliency properties.
Research Areas Overview
Security Configuration Analytics and Automation
Prof. Al-Shaer is recognized as a world-class research leader in the area of security configuration analytics and automation. He was among the early researchers in the field who formally defined cyber misconfigurations, quantified their impact on the cyber mission, provided a comprehensive classification of network access control misconfigurations, and developed formal methods and tools to verify, diagnose and synthesize security policies and configurations for large-scale cyber and cyber-physical systems that contain complex inter-dependent components [ICNP09, JSAC09, JSAC05, INFOCOM04, INFOCOM10, SACMAT07, SCC13-1, SCC13-2, INFOCOM12, TSG13, DSN14, ICDCS14, ICCPS14, TDSC16, SafeConfig14]. Prof. Al-Shaer was designated as a Subject Matter Expert on Security Analytics and Automation by DoD in the Information Assurance Newsletter, 2011. Early in his career, Prof. Al-Shaer developed automated security policy analytics for detecting configuration inconsistencies and rule anomalies in distributed firewalls, with soundness and completeness guarantees [IM03, JSAC05, INFOCOM04]. His tool (Security Policy Advisor [SPA]) was widely used by more than 90 organizations. He then extended his models and tools to consider all access control devices, including IP routers/switches, IPSec, wireless access points, firewalls, IDS/IPS, NAT, proxies, and host-based RBAC for traditional networks; OpenFlow switches and controllers for SDN; cloud security groups; Advanced Metering Infrastructure; and Energy Management Systems (EMS) for smart grids [SACMAT07, ICNP09, JSAC09, INFOCOM10, SCC13-1, SCC13-2, SafeConfig14].
His work has resulted in the development of a number of security configuration verification and synthesis tools, namely: ConfigChecker, SDNChecker, CloudChecker, ACDChecker, and ActiveSDN for cyber systems; AMIAnalyzer and EMSThreatAnalyzer for smart grids; IoTChecker for validating IoT configurations across a system of IoT systems; and SensorChecker and WSNPlanner for verification and synthesis of sensor configurations, including sensing schedule, orientation, power, location, topology, and actuation, to satisfy the WSN mission integrity and operational (energy and topology) constraints [SensorChecker, CNSM12-2]. These tools and projects will be described in the sections below.
Resilience of Energy Management System of Smart Grids
Prof. Al-Shaer has several well-established contributions in the area of proactive cyber-physical security and resiliency. He developed a number of novel formal- and data-driven techniques for automated risk analytics and mitigation for cyber-physical systems. In collaboration with Duke Energy, Prof. Al-Shaer has developed new techniques and tools to proactively identify misconfigurations, predict unknown attacks, and estimate the potential impact on the Advanced Metering Infrastructure (AMI) and Energy Management Systems (EMS), including optimal power flow, contingency analysis, topology mapper, and automatic generation control (AGC). Our contribution to the science of CPS security is manifold. First, we propose formal foundations for measuring the potential of stealthy coordinated attacks on smart grid control systems that exploit the interdependency of their components. Second, we developed formal analytics approaches to characterize the attackers' capabilities required to launch a successful attack on energy delivery systems. Third, we present models to quantify explicit and hidden impacts of stealthy attacks on the functional integrity of Optimal Power Flow and AGC, the most critical components of smart grids. Fourth, we developed automated techniques for provable threat mitigation planning.
Verification of IoT Security Configuration
In his recent research, Prof. Al-Shaer has investigated the development of a formal framework for verifying security and resiliency properties of Internet of Things (IoT) systems of systems, while considering the inter-dependency between various inter-related IoT systems on one side and with cyber systems on the other. We developed a new SMT-based model checker, IoTChecker, to detect and resolve conflicts within or between IoT systems, verify the functional integrity of IoT systems according to the device configuration, and reconfigure the IoT system to avoid potentially bad consequences or malicious activities [IoTChecker]. We use smart building and smart city IoT systems as a case study for IoTChecker.
Automated Course-of-Action Mitigation Generation
In addition to the proactive security analytics described above, Prof. Al-Shaer has profoundly contributed to advancing cyber resiliency by enabling systems to dynamically resist and recover from successful attacks. Prof. Al-Shaer has developed a new reactive security policy called CLIPS that allows for initiating the appropriate course of investigation and configuration actions to respond to active attacks. CLIPS is currently being developed for NSA and will be demonstrated during the IACD Community meeting. We developed CLIPS to be a provably safe policy language, which means it guarantees no conflicts or inconsistencies despite the large number of actions that can be executed simultaneously. Prof. Al-Shaer has also developed a cyber agility engine, called ActiveSDN, as an application on OpenDaylight that can orchestrate thousands of cyber courses of action (CoAs) to deter, resist, respond to, and recover from attacks in real time.
Dynamic and Adaptive Firewall and IDS Optimization
Cyber Agility and Moving Target Defense
Prof. Al-Shaer has also contributed profoundly to the scientific foundation and development of cyber agility for moving target defense (MTD) and cyber deception for both cyber and cyber-physical systems. Prof. Al-Shaer has developed novel techniques for enabling CPS agility and increasing attack deterrence and resistance in cyber, smart grid and IoT systems. He developed several moving target techniques to defeat scanning, fingerprinting, worm propagation, APT and stealthy DDoS attacks. He also created metrics to quantify benefit-cost and identify the limitations of MTD techniques. The following is a summary of our developed MTD mechanisms:
Active Cyber Deception
Professor Al-Shaer has made solid contributions in the area of cyber deception. He proposed a new Attribution-Temptation-Engagement active cyber deception model that enables deception infrastructure to be dynamically orchestrated to adapt to adversary intent and actions. He published several papers in this area in top-tier venues. For example, his system MoveNet [INFOCOM15-movenet] enables the migration of a virtual network (VN) seamlessly and intelligently, in order to frequently change the physical network footprint of the VN and deceive reconnaissance and DDoS adversaries. Also, his FingerDeceiver establishes a game to learn from attackers and deplete their energy without jeopardizing the system integrity [CNS13-2]. Moreover, his HoneyBug system can dynamically enable new weaknesses in a shadow web service program, tuning to adversary intent and capability and learning the adversary's tactics. Prof. Al-Shaer hosted an ARO Workshop on Active Cyber Deception (HoneyThings) in January 2018 to explore the state-of-the-art challenges and the research directions in this area.