Building Damage-Resilient Dominating Sets in Complex Networks against Random and Targeted Attacks

We study the vulnerability of dominating sets against random and targeted node removals in complex networks. While small, cost-efficient dominating sets play a significant role in controllability and observability of these networks, a fixed and intact network structure is always implicitly assumed. We find that cost-efficiency of dominating sets optimized for small size alone comes at a price of being vulnerable to damage; domination in the remaining network can be severely disrupted, even if a small fraction of dominator nodes are lost. We develop two new methods for finding flexible dominating sets, allowing either adjustable overall resilience, or dominating set size, while maximizing the dominated fraction of the remaining network after the attack. We analyze the efficiency of each method on synthetic scale-free networks, as well as real complex networks

On the Stability of Distribution Topologies in Peer-to-Peer Live Streaming Systems

Peer-to-Peer Live-Streaming-Systeme sind ständigen Störungen ausgesetzt.Insbesondere ermöglichen unzuverlässige Teilnehmer Ausfälle und Angriffe, welche überraschend Peers aus dem System entfernen. Die Folgen solcher Vorfälle werden großteils von der Verteilungstopologie bestimmt, d.h. der Kommunikationsstruktur zwischen den Peers.In dieser Arbeit analysieren wir Optimierungsprobleme welche bei der Betrachtung von Stabilitätsbegriffen für solche Verteilungstopologien auftreten. Dabei werden sowohl Angriffe als auch unkoordinierte Ausfälle berücksichtigt.Zunächst untersuchen wir die Berechnungskomplexität und Approximierbarkeit des Problems resourcen-effiziente Angriffe zu bestimmen. Dies demonstriert Beschränkungen in den Planungsmöglichkeiten von Angreifern und zeigt inwieweit die Topologieparameter die Schwierigkeit solcher Angriffsrobleme beeinflussen. Anschließend studieren wir Topologieformationsprobleme. Dabei sind Topologieparameter vorgegeben und es muss eine passende Verteilungstopologie gefunden werden. Ziel ist es Topologien zu erzeugen, welche den durch Angriffe mit beliebigen Parametern erzeugbaren maximalen Schaden minimieren.Wir identifizieren notwendige und hinreichende Eigenschaften solcher Verteilungstopologien. Dies führt zu mathematisch fundierten Zielstellungen für das Topologie-Management von Peer-to-Peer Live-Streaming-Systemen.Wir zeigen zwei große Klassen effizient konstruierbarer Verteilungstopologien, welche den maximal möglichen, durch Angriffe verursachten Paketverlust minimieren. Zusätzlich beweisen wir, dass die Bestimmung dieser Eigenschaft für beliebige Topologien coNP-vollständig ist.Soll die maximale Anzahl von Peers minimiert werden, bei denen ein Angriff zu ungenügender Stream-Qualität führt, ändern sich die Anforderungen an Verteilungstopologien. Wir zeigen, dass dieses Topologieformationsproblem eng mit offenen Problemen aus Design- und Kodierungstheorie verwandt ist.Schließlich analysieren wir Verteilungstopologien die den durch unkoordinierte Ausfälle zu erwartetenden Paketverlust minimieren. Wir zeigen Eigenschaften und Existenzbedingungen. Außerdem bestimmen wir die Berechnungskomplexität des Auffindens solcher Topologien. Unsere Ergebnisse liefern Richtlinien für das Topologie-Management von Peer-to-Peer Live-Streaming-Systemen und zeigen auf, welche Stabilitätsziele effizient erreicht werden können.The stability of peer-to-peer live streaming systems is constantly challenged. Especially, the unreliability and vulnerability of their participants allows for failures and attacks suddenly disabling certain sets of peers. The consequences of such events are largely determined by the distribution topology, i.e., the pattern of communication between the peers.In this thesis, we analyze a broad range of optimization problems concerning the stability of distribution topologies. For this, we discuss notions of stability against both attacks and failures.At first, we investigate the computational complexity and approximability of finding resource-efficient attacks. This allows to point out limitations of an attacker's planning capabilities and demonstrates the influence of the chosen system parameters on the hardness of such attack problems.Then, we turn to study topology formation problems. Here, a set of topology parameters is given and the task consists in finding an eligible distribution topology. In particular, it has to minimize the maximum damage achievable by attacks with arbitrary attack parameters.We identify necessary and sufficient conditions on attack-stable distribution topologies. Thereby, we give mathematically sound guidelines for the topology management of peer-to-peer live streaming systems.We find large classes of efficiently-constructable topologies minimizing the system-wide packet loss under attacks. Additionally, we show that determining this feature for arbitrary topologies is coNP-complete.Considering topologies minimizing the maximum number of peers for which an attack leads to a heavy decrease in perceived streaming quality, the requirements change. Here, we show that the corresponding topology formation problem is closely related to long-standing open problems of Design and Coding Theory.Finally, we study topologies minimizing the expected packet loss due to uncoordinated peer failures. We investigate properties and existence conditions of such topologies. Furthermore, we determine the computational complexity of constructing them.Our results provide guidelines for the topology management of peer-to-peer live streaming systems and mathematically determine which goals can be achieved efficiently

Identifying and Detecting Attacks in Industrial Control Systems

The integrity of industrial control systems (ICS) found in utilities, oil and natural gas pipelines, manufacturing plants and transportation is critical to national wellbeing and security. Such systems depend on hundreds of field devices to manage and monitor a physical process. Previously, these devices were specific to ICS but they are now being replaced by general purpose computing technologies and, increasingly, these are being augmented with Internet of Things (IoT) nodes. Whilst there are benefits to this approach in terms of cost and flexibility, it has attracted a wider community of adversaries. These include those with significant domain knowledge, such as those responsible for attacks on Iran’s Nuclear Facilities, a Steel Mill in Germany, and Ukraine’s power grid; however, non specialist attackers are becoming increasingly interested in the physical damage it is possible to cause. At the same time, the approach increases the number and range of vulnerabilities to which ICS are subject; regrettably, conventional techniques for analysing such a large attack space are inadequate, a cause of major national concern. In this thesis we introduce a generalisable approach based on evolutionary multiobjective algorithms to assist in identifying vulnerabilities in complex heterogeneous ICS systems. This is both challenging and an area that is currently lacking research. Our approach has been to review the security of currently deployed ICS systems, and then to make use of an internationally recognised ICS simulation testbed for experiments, assuming that the attacking community largely lack specific ICS knowledge. Using the simulator, we identified vulnerabilities in individual components and then made use of these to generate attacks. A defence against these attacks in the form of novel intrusion detection systems were developed, based on a range of machine learning models. Finally, this was further subject to attacks created using the evolutionary multiobjective algorithms, demonstrating, for the first time, the feasibility of creating sophisticated attacks against a well-protected adversary using automated mechanisms

Methods for improving resilience in communication networks and P2P overlays

Resilience to failures and deliberate attacks is becoming an essential requirement in most communication networks today. This also applies to P2P Overlays which on the one hand are created on top of communication infrastructures, and therefore are equally affected by failures of the underlying infrastructure, but which on the other hand introduce new possibilities like the creation of arbitrary links within the overlay. In this article, we present a survey of strategies to improve resilience in communication networks as well as in P2P overlay networks. Furthermore, our intention is to point out differences and similarities in the resilience-enhancing measures for both types of networks. By revising some basic concepts from graph theory, we show that many concepts for communication networks are based on well-known graph-theoretical problems. Especially, some methods for the construction of protection paths in advance of a failure are based on very hard problems, indeed many of them are in NP and can only be solved heuristically or on certain topologies. P2P overlay networks evidently benefit from resilience-enhancing strategies in the underlying communication infrastructure, but beyond that, their specific properties pose the need for more sophisticated mechanisms. The dynamic nature of peers requires to take some precautions, like estimating the reliability of peers, redundantly storing information, and provisioning a reliable routing

Active Re-identification Attacks on Periodically Released Dynamic Social Graphs

Active re-identification attacks pose a serious threat to privacy-preserving social graph publication. Active attackers create fake accounts to build structural patterns in social graphs which can be used to re-identify legitimate users on published anonymised graphs, even without additional background knowledge. So far, this type of attacks has only been studied in the scenario where the inherently dynamic social graph is published once. In this paper, we present the first active re-identification attack in the more realistic scenario where a dynamic social graph is periodically published. The new attack leverages tempo-structural patterns for strengthening the adversary. Through a comprehensive set of experiments on real-life and synthetic dynamic social graphs, we show that our new attack substantially outperforms the most effective static active attack in the literature by increasing the success probability of re-identification by more than two times and efficiency by almost 10 times. Moreover, unlike the static attack, our new attack is able to remain at the same level of effectiveness and efficiency as the publication process advances. We conduct a study on the factors that may thwart our new attack, which can help design graph anonymising methods with a better balance between privacy and utility

Attacks against intrusion detection networks: evasion, reverse engineering and optimal countermeasures

Intrusion Detection Networks (IDNs) constitute a primary element in current cyberdefense systems. IDNs are composed of different nodes distributed among a network infrastructure, performing functions such as local detection --mostly by Intrusion Detection Systems (IDS) --, information sharing with other nodes in the IDN, and aggregation and correlation of data from different sources. Overall, they are able to detect distributed attacks taking place at large scale or in different parts of the network simultaneously. IDNs have become themselves target of advanced cyberattacks aimed at bypassing the security barrier they offer and thus gaining control of the protected system. In order to guarantee the security and privacy of the systems being protected and the IDN itself, it is required to design resilient architectures for IDNs capable of maintaining a minimum level of functionality even when certain IDN nodes are bypassed, compromised, or rendered unusable. Research in this field has traditionally focused on designing robust detection algorithms for IDS. However, almost no attention has been paid to analyzing the security of the overall IDN and designing robust architectures for them. This Thesis provides various contributions in the research of resilient IDNs grouped into two main blocks. The first two contributions analyze the security of current proposals for IDS nodes against specific attacks, while the third and fourth contributions provide mechanisms to design IDN architectures that remain resilient in the presence of adversaries. In the first contribution, we propose evasion and reverse engineering attacks to anomaly detectors that use classification algorithms at the core of the detection engine. These algorithms have been widely studied in the anomaly detection field, as they generally are claimed to be both effective and efficient. However, such anomaly detectors do not consider potential behaviors incurred by adversaries to decrease the effectiveness and efficiency of the detection process. We demonstrate that using well-known classification algorithms for intrusion detection is vulnerable to reverse engineering and evasion attacks, which makes these algorithms inappropriate for real systems. The second contribution discusses the security of randomization as a countermeasure to evasion attacks against anomaly detectors. Recent works have proposed the use of secret (random) information to hide the detection surface, thus making evasion harder for an adversary. We propose a reverse engineering attack using a query-response analysis showing that randomization does not provide such security. We demonstrate our attack on Anagram, a popular application-layer anomaly detector based on randomized n-gram analysis. We show how an adversary can _rst discover the secret information used by the detector by querying it with carefully constructed payloads and then use this information to evade the detector. The difficulties found to properly address the security of nodes in an IDN motivate our research to protect cyberdefense systems globally, assuming the possibility of attacks against some nodes and devising ways of allocating countermeasures optimally. In order to do so, it is essential to model both IDN nodes and adversarial capabilities. In the third contribution of this Thesis, we provide a conceptual model for IDNs viewed as a network of nodes whose connections and internal components determine the architecture and functionality of the global defense network. Such a model is based on the analysis and abstraction of a number of existing proposals for IDNs. Furthermore, we also develop an adversarial model for IDNs that builds on classical attack capabilities for communication networks and allow to specify complex attacks against IDN nodes. Finally, the fourth contribution of this Thesis presents DEFIDNET, a framework to assess the vulnerabilities of IDNs, the threats to which they are exposed, and optimal countermeasures to minimize risk considering possible economic and operational constraints. The framework uses the system and adversarial models developed earlier in this Thesis, together with a risk rating procedure that evaluates the propagation of attacks against particular nodes throughout the entire IDN and estimates the impacts of such actions according to different attack strategies. This assessment is then used to search for countermeasures that are both optimal in terms of involved cost and amount of mitigated risk. This is done using multi-objective optimization algorithms, thus offering the analyst sets of solutions that could be applied in different operational scenarios. -------------------------------------------------------------Las Redes de Detección de Intrusiones (IDNs, por sus siglas en inglés) constituyen un elemento primordial de los actuales sistemas de ciberdefensa. Una IDN está compuesta por diferentes nodos distribuidos a lo largo de una infraestructura de red que realizan funciones de detección de ataques --fundamentalmente a través de Sistemas de Detección de Intrusiones, o IDS--, intercambio de información con otros nodos de la IDN, y agregación y correlación de eventos procedentes de distintas fuentes. En conjunto, una IDN es capaz de detectar ataques distribuidos y de gran escala que se manifiestan en diferentes partes de la red simultáneamente. Las IDNs se han convertido en objeto de ataques avanzados cuyo fin es evadir las funciones de seguridad que ofrecen y ganar así control sobre los sistemas protegidos. Con objeto de garantizar la seguridad y privacidad de la infraestructura de red y de la IDN, es necesario diseñar arquitecturas resilientes para IDNs que sean capaces de mantener un nivel mínimo de funcionalidad incluso cuando ciertos nodos son evadidos, comprometidos o inutilizados. La investigación en este campo se ha centrado tradicionalmente en el diseño de algoritmos de detección robustos para IDS. Sin embargo, la seguridad global de la IDN ha recibido considerablemente menos atención, lo que ha resultado en una carencia de principios de diseño para arquitecturas de IDN resilientes. Esta Tesis Doctoral proporciona varias contribuciones en la investigación de IDN resilientes. La investigación aquí presentada se agrupa en dos grandes bloques. Por un lado, las dos primeras contribuciones proporcionan técnicas de análisis de la seguridad de nodos IDS contra ataques deliberados. Por otro lado, las contribuciones tres y cuatro presentan mecanismos de diseño de arquitecturas IDS robustas frente a adversarios. En la primera contribución se proponen ataques de evasión e ingeniería inversa sobre detectores de anomalíaas que utilizan algoritmos de clasificación en el motor de detección. Estos algoritmos han sido ampliamente estudiados en el campo de la detección de anomalías y son generalmente considerados efectivos y eficientes. A pesar de esto, los detectores de anomalías no consideran el papel que un adversario puede desempeñar si persigue activamente decrementar la efectividad o la eficiencia del proceso de detección. En esta Tesis se demuestra que el uso de algoritmos de clasificación simples para la detección de anomalías es, en general, vulnerable a ataques de ingeniería inversa y evasión, lo que convierte a estos algoritmos en inapropiados para sistemas reales. La segunda contribución analiza la seguridad de la aleatorización como contramedida frente a los ataques de evasión contra detectores de anomalías. Esta contramedida ha sido propuesta recientemente como mecanismo de ocultación de la superficie de decisión, lo que supuestamente dificulta la tarea del adversario. En esta Tesis se propone un ataque de ingeniería inversa basado en un análisis consulta-respuesta que demuestra que, en general, la aleatorización no proporciona un nivel de seguridad sustancialmente superior. El ataque se demuestra contra Anagram, un detector de anomalías muy popular basado en el análisis de n-gramas que opera en la capa de aplicación. El ataque permite a un adversario descubrir la información secreta utilizada durante la aleatorización mediante la construcción de paquetes cuidadosamente diseñados. Tras la finalización de este proceso, el adversario se encuentra en disposición de lanzar un ataque de evasión. Los trabajos descritos anteriormente motivan la investigación de técnicas que permitan proteger sistemas de ciberdefensa tales como una IDN incluso cuando la seguridad de algunos de sus nodos se ve comprometida, así como soluciones para la asignación óptima de contramedidas. Para ello, resulta esencial disponer de modelos tanto de los nodos de una IDN como de las capacidades del adversario. En la tercera contribución de esta Tesis se proporcionan modelos conceptuales para ambos elementos. El modelo de sistema permite representar una IDN como una red de nodos cuyas conexiones y componentes internos determinan la arquitectura y funcionalidad de la red global de defensa. Este modelo se basa en el análisis y abstracción de diferentes arquitecturas para IDNs propuestas en los últimos años. Asimismo, se desarrolla un modelo de adversario para IDNs basado en las capacidades clásicas de un atacante en redes de comunicaciones que permite especificar ataques complejos contra nodos de una IDN. Finalmente, la cuarta y última contribución de esta Tesis Doctoral describe DEFIDNET, un marco que permite evaluar las vulnerabilidades de una IDN, las amenazas a las que están expuestas y las contramedidas que permiten minimizar el riesgo de manera óptima considerando restricciones de naturaleza económica u operacional. DEFIDNET se basa en los modelos de sistema y adversario desarrollados anteriormente en esta Tesis, junto con un procedimiento de evaluación de riesgos que permite calcular la propagación a lo largo de la IDN de ataques contra nodos individuales y estimar el impacto de acuerdo a diversas estrategias de ataque. El resultado del análisis de riesgos es utilizado para determinar contramedidas óptimas tanto en términos de coste involucrado como de cantidad de riesgo mitigado. Este proceso hace uso de algoritmos de optimización multiobjetivo y ofrece al analista varios conjuntos de soluciones que podrían aplicarse en distintos escenarios operacionales.Programa en Ciencia y Tecnología InformáticaPresidente: Andrés Marín López; Vocal: Sevil Sen; Secretario: David Camacho Fernánde

Achieving cyber resiliency against lateral movement through detection and response

Systems and attacks are becoming more complex, and classical cyber security methods are failing to protect and secure those systems. We believe that systems must be built to be resilient to attacks. Cyber resilience is a dynamic protection strategy that aims to stop cyber attacks while maintaining an acceptable level of service. The strategy monitors a system to detect cyber incidents, and dynamically changes the state of the system to learn about the incidents, contain an attack, and recover. Thus, instead of being perfectly protected, a cyber-resilient system survives a cyber incident by containing the attack and recovering while maintaining service. Cyber resiliency has the potential to secure the modern systems that control our critical infrastructure. However, several practical and theoretical challenges hinder the development of cyber-resilient architectures. In particular, an architecture needs to support and make use of a large amount of monitoring; the problem is especially serious for a large network in which hosts send low-level information for fusion. The problem is not only computational; the semantics of the data also creates a challenge. In combining information from multiple sources and across multiple abstractions, we need to realize that the sources are describing different events in the system which are occurring at varying time scales. Moreover, the system is dependent on the integrity of the monitoring data when estimating the state of the system. The estimated state is used to detect malicious activities and to drive responses. The integrity of the monitoring data is critical to making “correct” decisions that are not influenced by the attacker. In addition, choosing an appropriate response to specific attacks requires knowledge of the at- tackers’ behavior, i.e., an attacker model. If the attacker model is wrong, then the responses selected by the mechanism will be ineffective. Finally, the response mechanisms need to be proven effective in maintaining the resilience of the system. Proving such properties is particularly challenging when the systems are highly complex. In this dissertation, we propose a resiliency architecture that uses a model of the system to deploy monitors, estimates the state of the system using monitor data, and selects responses to contain and recover from attacks while maintaining service. Then we describe our design for the essential components of the said resiliency architecture for a multitude of systems including operating systems, hosts, and enterprise net- works, to address lateral movement attacks. Specifically, we have built components that address monitor design, fusion of monitoring data, and response. Our pieces address the challenges that face cyber-resilient architectures. We set out to provide resilience against lateral movement. Lateral movement is a step taken by an attacker to shift his or her position from an initial compromised host into a target host with high value. First, we designed a host-level monitor Kobra that generates different estimations of the state of a host. Kobra combines the various aspects of application behavior into multiple views: (1) a discrete time signal used for anomaly detection, and (2) a host-level process communication graph to correlate events that happen in a network. We use the host correlations to generate chains of network events that correspond to suspicious lateral movement behavior. We use a novel fusion framework that enables us to fuse monitoring events for different sources over a hierarchy. Finally, we respond to lateral movement by changing the topology and healing rates in the network. The changes are enacted by a feedback controller to slow down and stop the spread of the attack. Since our cyber resiliency architecture depends on the integrity of the monitoring data, we propose PowerAlert, an out-of-box integrity checker, to establish the “trustworthiness” of a machine. PowerAlert is resilient to attacker evasion and adaptation. It uses the current drawn by the CPU, measured using an external probe, to confirm that the machine executed the check as expected. To prevent an attacker from evading PowerAlert, we use an optimal initiation strategy, and to resist adaptation, we use randomly generated integrity-checking programs. We pick the optimal initiation strategy by modeling the problem of low-cost integrity checking when an attacker is attempting to evade detection as a continuous-time game called Tireless. The optimal strategy is the Nash equilibrium that optimizes the defender’s cost of checking and utility of detection against an adaptive attacker

Network resilience

Many systems on our planet are known to shift abruptly and irreversibly from one state to another when they are forced across a "tipping point," such as mass extinctions in ecological networks, cascading failures in infrastructure systems, and social convention changes in human and animal networks. Such a regime shift demonstrates a system's resilience that characterizes the ability of a system to adjust its activity to retain its basic functionality in the face of internal disturbances or external environmental changes. In the past 50 years, attention was almost exclusively given to low dimensional systems and calibration of their resilience functions and indicators of early warning signals without considerations for the interactions between the components. Only in recent years, taking advantages of the network theory and lavish real data sets, network scientists have directed their interest to the real-world complex networked multidimensional systems and their resilience function and early warning indicators. This report is devoted to a comprehensive review of resilience function and regime shift of complex systems in different domains, such as ecology, biology, social systems and infrastructure. We cover the related research about empirical observations, experimental studies, mathematical modeling, and theoretical analysis. We also discuss some ambiguous definitions, such as robustness, resilience, and stability.Comment: Review chapter