Showing papers by "Charles A. Kamhoua published in 2016"

Game Theory with Learning for Cyber Security Monitoring

Abstract: Recent attacks show that threats to cyber infrastructureare not only increasing in volume, but are getting moresophisticated. The attacks may comprise multiple actions that arehard to differentiate from benign activity, and therefore commondetection techniques have to deal with high false positive rates. Because of the imperfect performance of automated detectiontechniques, responses to such attacks are highly dependent onhuman-driven decision-making processes. While game theory hasbeen applied to many problems that require rational decisionmaking, we find limitation on applying such method on securitygames when the defender has limited information about theopponent's strategies and payoffs. In this work, we propose Q-Learning to react automatically to the adversarial behavior ofa suspicious user to secure the system. This work comparesvariations of Q-Learning with a traditional stochastic game. Simulation results show the possibility of Naive Q-Learning, despite restricted information on opponents.

A Game-Theoretic Approach for Testing for Hardware Trojans

Abstract: The microcircuit industry is witnessing a massive outsourcing of the fabrication of ICs (Integrated Circuit), as well as the use of third party IP (Intellectual Property) and COTS (Commercial Off-The-Shelf) tools during IC design. These issues raise new security challenges and threats. In particular, it brings up multiple opportunities for the insertion of malicious logic, commonly referred to as a hardware Trojan, in the IC. Testing is typically used along the IC development lifecycle to verify the functional correctness of a given chip. However, the complexity of modern ICs, together with resource and time limitations, makes exhaustive testing commonly unfeasible. In this paper, we propose a game-theoretic approach for testing digital circuits that takes into account the decision-making process of intelligent attackers responsible for the infection of ICs with hardware Trojans. Testing for hardware Trojans is modeled as a zero-sum game between malicious manufacturers or designers (i.e., the attacker) who want to insert Trojans, and testers (i.e., the defender) whose goal is to detect the Trojans. The game results in multiple possible mixed strategy Nash equilibria that allow to identify optimum test sets that increase the probability of detecting and defeating hardware Trojans in digital logic. Results also show that the minimum number of Trojan classes tested by the defender and the fines imposed to the attacker can deter rational as well as irrational attackers from infecting circuits with Trojans.

Translating circuit behavior manifestations of hardware Trojans using model checkers into run-time Trojan detection monitors

Abstract: It is a consensus among the researchers, although not proven, that it is close to impossible to guarantee completely secure hardware design. Therefore, it is desired to have run-time hardware Trojan detection techniques. This paper is toward developing a framework of how to achieve run-time hardware Trojan detection units. Although it is difficult to predict the stage of circuit design at which hardware intruder would insert Trojan as well as the hardware Trojan detection methodology that should be applied, behavior patterns of certain design units in the hardware can indicate malicious activities in the design. We propose to translate such behavior patterns using formal verification approaches to establish run-time hardware Trojan detection technique leading which can improve the resiliency of hardware designs against hardware Trojan. We examine the possibility of malicious intrusions in both combinational and sequential circuits that may result in functional incorrectness, and applied our methodology in two example circuits.

Probabilistic Inference on Twitter Data to Discover Suspicious Users and Malicious Content

Abstract: While the power of social media on the Internet is undeniable, it has become a major weapon for launching cyberattacks against an organization and its people. Today, there is a growing number of cyberattacks being launched through social media such as posting of false content from hacked accounts, posting malicious URLs to spread malware, and others. In this paper, we present a simple and flexible unified framework called SocialKB for modeling social media posts and reasoning about them to ascertain their veracity, a first step towards discovering emerging cyber threats. SocialKB is based on Markov Logic Networks (MLNs), a popular representation in statistical relational learning. It learns a knowledge base (KB) on the social media posts and users' behavior in a unified manner. By conducting probabilistic inference on the KB, SocialKB can identify suspicious users and malicious content. In this work, we specifically focus on tweets posted by users on Twitter. Finally, we report an evaluation of SocialKB on 20,000 tweets and discuss our early inference results.

RECORD: Temporarily Randomized Encoding of COmbinational Logic for Resistance to Data Leakage from hardware Trojan

Abstract: Many design companies have gone fabless and rely on external fabrication facilities to produce chips due to increasing cost of semiconductor manufacturing. However, not all of these facilities can be considered trustworthy; some may inject hardware Trojans and jeopardize the security of the system. One common objective of hardware Trojans is to a establish side channel for data leakage. While extensive literature exists on various defensive measures, almost all of them focus on preventing the establishment of side channels, and can be compromised if attackers gain access to the physical chip and can perform reverse engineering between multiple fabrication runs. In this paper, we propose RECORD: Temporarily Randomized Encoding of COmbinational Logic for Resistance to Data Leakage. RECORD a novel scheme of temporarily randomized encoding for combinational logic that, with the aid of Quilt Packaging, aims to prevent attackers from interpreting the data. Experimental results on a 45 nm 8-bit Advanced Encryption Standard (AES) Substitution Box (Sbox) showed that RECORD can effectively hide information with 2.3× area overhead, 2.77× dynamic power increase and negligible delay overhead.

Quick eviction of virtual machines through proactive live snapshots

Abstract: Cloud computing platforms routinely use virtualization to improve service availability, resiliency, and flexibility. Live migration of Virtual Machines (VM) is a key technique to quickly migrate workloads in response to events such as impending failure or load changes. Despite extensive research, state-of-the-art live migration approaches take a long time to migrate a VM (in the order of tens of seconds for moderately sized VMs) which in turn negatively impacts the application performance during migration. We present Quick Eviction, a new approach to significantly speed up the eviction of a VM from the source host with low impact on VM's performance during migration. Our approach can also improve the effectiveness of VM resilience tools that back up a VM's state in anticipation of system failures. The insight behind Quick Eviction is that the majority of time to evict a VM during migration is due to the transfer of memory contents over the network, sometimes repeatedly. Before migration, Quick Eviction regularly snapshots the VM's memory to a destination or a failover node. During the actual migration, Quick Eviction has to transfer only a small amount of dirtied memory resulting in a very short time to completely evict the VM out of the source. The key challenge is to dynamically adapt the snapshot intervals so as to have minimal impact on application performance during migration. We show that our implementation of Quick Eviction in the KVM/QEMU platform reduces the eviction time of a VM by significant factors for both idle and write-intensive VMs compared to traditional pre-copy algorithm, while maintaining low overheads on application performance and network.

Quick Eviction of Virtual Machines through Proactive Snapshots

Abstract: Live migration of Virtual Machines (VMs) is a key technique to quickly migrate workloads in response to events such as impending failure or load changes. Despite extensive research, state-of-the-art live migration approaches take a long time to migrate a VM, which in turn negatively impacts the application performance during migration. We present, Quick Eviction, a new approach to significantly speed up the eviction of a VM from the source host with low impact on VM's performance during migration. Before migration, Quick Eviction regularly snapshots the VM's memory to a destination or a failover node. During the actual migration, Quick Eviction has to transfer only a small amount of dirtied memory resulting in a very short time to completely evict the VM out of the source. Our experimental results show that Quick Eviction in the KVM/QEMU platform significantly reduces the eviction time.

Connectivity and rendezvous in distributed DSA networks

Abstract: In this paper, we use concepts and results from percolation theory to investigate and characterize the effects of multi-channels on the connectivity of Dynamic Spectrum Access networks. In particular, we focus on the scenario where the secondary nodes have plenty of vacant channels to choose from-a phenomenon which we define as channel abundance. To cope with the existence of multi-channels, we use two types of rendezvous protocols: naive ones which do not guarantee a common channel and advanced ones which do. We show that, with more channel abundance, even with the use of either type of rendezvous protocol, it becomes difficult for two nodes to agree on a common channel, thereby potentially remaining invisible to each other. We model this invisibility as a Poisson thinning process and show that invisibility is even more pronounced with channel abundance. Following the disk graph model, we define and characterize connectivity of the secondary network in terms of the available number of channels, deployment densities, number of transceivers per node, and communication range. When primary users are absent, we derive the critical number of channels which maintains super-criticality of the secondary network. When primary users are present, we characterize and analyze the connectivity for all the regions: channel abundance, optimal, and channel deprivation. Our results can be used to decide on the goodness of any channel rendezvous algorithm by computing the expected resultant connectivity.1

CSRS: Cyber Survive and Recover Simulator

Abstract: It has been argued that systems that are comprised of similar components (i.e., a monoculture) are more prone to attacks than a system that exhibits diversity. But it is not currently clear how much diversity is needed and how to leverage the underlying diversity in the design space. In this paper, we present a game theoretic model to analyze strategic attack-defense scenarios as well as present our research and development effort to develop a software tool that facilitates analysis of strategic use of redundancy and diversity techniques for cyber survivability and recoverability by leveraging the developed game theoretic model. The simulator shows the potential of using game theoretic approaches for exploiting diversity for cyber survivability. The game theoretic model illustrates how the concept of the Nash Equilibrium provides a theoretical framework for designing strategic security solutions and how the mixed strategy solution space provides a conceptual basis for defining optimal randomization techniques that can exploit the underlying diversity. The simulator provides capabilities to simulate various attack-defense scenarios, analyze defense tactics, and provide feasible security solutions to help adopt appropriate defense strategies.

Design Diversity for Mitigating Monoculture Induced Threats

Abstract: Monoculture induced threats such as "pass the hash" attacks can spread more easily through a system of similar components. Introducing a few different and more robust components in the system has the potential to mitigate such situations. In this paper, we propose a constrained resource allocation optimization framework exploring the binary decision diagram (BDD) and mixed integer linear programming techniques. An illustrative example is provided.