-
PyOED: An Extensible Suite for Data Assimilation and Model-Constrained Optimal Design of Experiments
Authors:
Abhijit Chowdhary,
Shady E. Ahmed,
Ahmed Attia
Abstract:
This paper describes PyOED, a highly extensible scientific package that enables developing and testing model-constrained optimal experimental design (OED) for inverse problems. Specifically, PyOED aims to be a comprehensive Python toolkit for model-constrained OED. The package targets scientists and researchers interested in understanding the details of OED formulations and approaches. It is also…
▽ More
This paper describes PyOED, a highly extensible scientific package that enables developing and testing model-constrained optimal experimental design (OED) for inverse problems. Specifically, PyOED aims to be a comprehensive Python toolkit for model-constrained OED. The package targets scientists and researchers interested in understanding the details of OED formulations and approaches. It is also meant to enable researchers to experiment with standard and innovative OED technologies with a wide range of test problems (e.g., simulation models). OED, inverse problems (e.g., Bayesian inversion), and data assimilation (DA) are closely related research fields, and their formulations overlap significantly. Thus, PyOED is continuously being expanded with a plethora of Bayesian inversion, DA, and OED methods as well as new scientific simulation models, observation error models, and observation operators. These pieces are added such that they can be permuted to enable testing OED methods in various settings of varying complexities. The PyOED core is completely written in Python and utilizes the inherent object-oriented capabilities; however, the current version of PyOED is meant to be extensible rather than scalable. Specifically, PyOED is developed to enable rapid development and benchmarking of OED methods with minimal coding effort and to maximize code reutilization. This paper provides a brief description of the PyOED layout and philosophy and provides a set of exemplary test cases and tutorials to demonstrate the potential of the package.
△ Less
Submitted 19 December, 2023; v1 submitted 19 January, 2023;
originally announced January 2023.
-
A Survey of Moving Target Defenses for Network Security
Authors:
Sailik Sengupta,
Ankur Chowdhary,
Abdulhakim Sabur,
Adel Alshamrani,
Dijiang Huang,
Subbarao Kambhampati
Abstract:
Network defenses based on traditional tools, techniques, and procedures fail to account for the attacker's inherent advantage present due to the static nature of network services and configurations. To take away this asymmetric advantage, Moving Target Defense (MTD) continuously shifts the configuration of the underlying system, in turn reducing the success rate of cyberattacks. In this survey, we…
▽ More
Network defenses based on traditional tools, techniques, and procedures fail to account for the attacker's inherent advantage present due to the static nature of network services and configurations. To take away this asymmetric advantage, Moving Target Defense (MTD) continuously shifts the configuration of the underlying system, in turn reducing the success rate of cyberattacks. In this survey, we analyze the recent advancements made in the development of MTDs and define categorizations that capture the key aspects of such defenses. We first categorize these defenses into different sub-classes depending on what they move, when they move and how they move. In trying to answer the latter question, we showcase the use of domain knowledge and game-theoretic modeling can help the defender come up with effective and efficient movement strategies. Second, to understand the practicality of these defense methods, we discuss how various MTDs have been implemented and find that networking technologies such as Software Defined Networking and Network Function Virtualization act as key enablers for implementing these dynamic defenses. We then briefly highlight MTD test-beds and case-studies to aid readers who want to examine or deploy existing MTD techniques. Third, our survey categorizes proposed MTDs based on the qualitative and quantitative metrics they utilize to evaluate their effectiveness in terms of security and performance. We use well-defined metrics such as risk analysis and performance costs for qualitative evaluation and metrics based on Confidentiality, Integrity, Availability (CIA), attack representation, QoS impact, and targeted threat models for quantitative evaluation. Finally, we show that our categorization of MTDs is effective in identifying novel research areas and highlight directions for future research.
△ Less
Submitted 20 March, 2020; v1 submitted 2 May, 2019;
originally announced May 2019.
-
Markov Game Modeling of Moving Target Defense for Strategic Detection of Threats in Cloud Networks
Authors:
Ankur Chowdhary,
Sailik Sengupta,
Dijiang Huang,
Subbarao Kambhampati
Abstract:
The processing and storage of critical data in large-scale cloud networks necessitate the need for scalable security solutions. It has been shown that deploying all possible security measures incurs a cost on performance by using up valuable computing and networking resources which are the primary selling points for cloud service providers. Thus, there has been a recent interest in developing Movi…
▽ More
The processing and storage of critical data in large-scale cloud networks necessitate the need for scalable security solutions. It has been shown that deploying all possible security measures incurs a cost on performance by using up valuable computing and networking resources which are the primary selling points for cloud service providers. Thus, there has been a recent interest in developing Moving Target Defense (MTD) mechanisms that helps one optimize the joint objective of maximizing security while ensuring that the impact on performance is minimized. Often, these techniques model the problem of multi-stage attacks by stealthy adversaries as a single-step attack detection game using graph connectivity measures as a heuristic to measure performance, thereby (1) losing out on valuable information that is inherently present in graph-theoretic models designed for large cloud networks, and (2) coming up with certain strategies that have asymmetric impacts on performance. In this work, we leverage knowledge in attack graphs of a cloud network in formulating a zero-sum Markov Game and use the Common Vulnerability Scoring System (CVSS) to come up with meaningful utility values for this game. Then, we show that the optimal strategy of placing detecting mechanisms against an adversary is equivalent to computing the mixed Min-max Equilibrium of the Markov Game. We compare the gains obtained by using our method to other techniques presently used in cloud network security, thereby showing its effectiveness. Finally, we highlight how the method was used for a small real-world cloud system.
△ Less
Submitted 27 February, 2019; v1 submitted 23 December, 2018;
originally announced December 2018.
-
SUPC: SDN enabled Universal Policy Checking in Cloud Network
Authors:
Ankur Chowdhary,
Adel Alshamrani,
Dijiang Huang
Abstract:
Multi-tenant cloud networks have various security and monitoring service functions (SFs) that constitute a service function chain (SFC) between two endpoints. SF rule ordering overlaps and policy conflicts can cause increased latency, service disruption and security breaches in cloud networks. Software Defined Network (SDN) based Network Function Virtualization (NFV) has emerged as a solution that…
▽ More
Multi-tenant cloud networks have various security and monitoring service functions (SFs) that constitute a service function chain (SFC) between two endpoints. SF rule ordering overlaps and policy conflicts can cause increased latency, service disruption and security breaches in cloud networks. Software Defined Network (SDN) based Network Function Virtualization (NFV) has emerged as a solution that allows dynamic SFC composition and traffic steering in a cloud network. We propose an SDN enabled Universal Policy Checking (SUPC) framework, to provide 1) Flow Composition and Ordering by translating various SF rules into the OpenFlow format. This ensures elimination of redundant rules and policy compliance in SFC. 2) Flow conflict analysis to identify conflicts in header space and actions between various SF rules. Our results show a significant reduction in SF rules on composition. Additionally, our conflict checking mechanism was able to identify several rule conflicts that pose security, efficiency, and service availability issues in the cloud network.
△ Less
Submitted 1 November, 2018;
originally announced November 2018.
-
SDN based Network Function Parallelism in Cloud
Authors:
Ankur Chowdhary,
Dijiang Huang
Abstract:
Network function virtualization (NFV) based service function chaining (SFC) allows the provisioning of various security and traffic engineering applications in a cloud network. Inefficient deployment of network functions can lead to security violations and performance overhead. In an OpenFlow enabled cloud, the key problem with current mechanisms is that several packet field match and flow rule ac…
▽ More
Network function virtualization (NFV) based service function chaining (SFC) allows the provisioning of various security and traffic engineering applications in a cloud network. Inefficient deployment of network functions can lead to security violations and performance overhead. In an OpenFlow enabled cloud, the key problem with current mechanisms is that several packet field match and flow rule action sets associated with the network functions are non-overlapping and can be parallelized for performance enhancement. We introduce Network Function Parallelism (NFP) SFC-NFP for OpenFlow network. Our solution utilizes network function parallelism over the OpenFlow rules to improve SFC performance in the cloud network. We have utilized the DPDK platform with an OpenFlow switch (OVS) for experimental analysis. Our solution achieves a 1.40-1.90x reduction in latency for SFC in an OpenStack cloud network managed by the SDN framework.
△ Less
Submitted 1 November, 2018;
originally announced November 2018.
-
Adaptive MTD Security using Markov Game Modeling
Authors:
Ankur Chowdhary,
Sailik Sengupta,
Adel Alshamrani,
Dijiang Huang,
Abdulhakim Sabur
Abstract:
Large scale cloud networks consist of distributed networking and computing elements that process critical information and thus security is a key requirement for any environment. Unfortunately, assessing the security state of such networks is a challenging task and the tools used in the past by security experts such as packet filtering, firewall, Intrusion Detection Systems (IDS) etc., provide a re…
▽ More
Large scale cloud networks consist of distributed networking and computing elements that process critical information and thus security is a key requirement for any environment. Unfortunately, assessing the security state of such networks is a challenging task and the tools used in the past by security experts such as packet filtering, firewall, Intrusion Detection Systems (IDS) etc., provide a reactive security mechanism. In this paper, we introduce a Moving Target Defense (MTD) based proactive security framework for monitoring attacks which lets us identify and reason about multi-stage attacks that target software vulnerabilities present in a cloud network. We formulate the multi-stage attack scenario as a two-player zero-sum Markov Game (between the attacker and the network administrator) on attack graphs. The rewards and transition probabilities are obtained by leveraging the expert knowledge present in the Common Vulnerability Scoring System (CVSS). Our framework identifies an attacker's optimal policy and places countermeasures to ensure that this attack policy is always detected, thus forcing the attacker to use a sub-optimal policy with higher cost.
△ Less
Submitted 1 November, 2018;
originally announced November 2018.
-
TRUFL: Distributed Trust Management framework in SDN
Authors:
Ankur Chowdhary,
Adel Alshamrani,
Dijiang Huang,
Myong Kang,
Anya Kim,
Alexander Velazquez
Abstract:
Software Defined Networking (SDN) has emerged as a revolutionary paradigm to manage cloud infrastructure. SDN lacks scalable trust setup and verification mechanism between Data Plane-Control Plane elements, Control Plane elements, and Control Plane-Application Plane. Trust management schemes like Public Key Infrastructure (PKI) used currently in SDN are slow for trust establishment in a larger clo…
▽ More
Software Defined Networking (SDN) has emerged as a revolutionary paradigm to manage cloud infrastructure. SDN lacks scalable trust setup and verification mechanism between Data Plane-Control Plane elements, Control Plane elements, and Control Plane-Application Plane. Trust management schemes like Public Key Infrastructure (PKI) used currently in SDN are slow for trust establishment in a larger cloud environment. We propose a distributed trust mechanism - TRUFL to establish and verify trust in SDN. The distributed framework utilizes parallelism in trust management, in effect faster transfer rates and reduced latency compared to centralized trust management. The TRUFL framework scales well with the number of OpenFlow rules when compared to existing research works.
△ Less
Submitted 15 March, 2019; v1 submitted 1 November, 2018;
originally announced November 2018.
-
SDFW: SDN-based Stateful Distributed Firewall
Authors:
Ankur Chowdhary,
Dijiang Huang,
Adel Alshamrani,
Abdulhakim Sabur,
Myong Kang,
Anya Kim,
Alexander Velazquez
Abstract:
SDN provides a programmable command and control networking system in a multi-tenant cloud network using control and data plane separation. However, separating the control and data planes make it difficult for incorporating some security services (e.g., firewalls) into SDN framework. Most of the existing solutions use SDN switches as packet filters and rely on SDN controllers to implement firewall…
▽ More
SDN provides a programmable command and control networking system in a multi-tenant cloud network using control and data plane separation. However, separating the control and data planes make it difficult for incorporating some security services (e.g., firewalls) into SDN framework. Most of the existing solutions use SDN switches as packet filters and rely on SDN controllers to implement firewall policy management functions, which is impractical for implementing stateful firewalls since SDN switches only send session's initial packets and statistical data of flows to their controllers. For a data center networking environment, applying a Distributed FireWall (DFW) system to prevent attacker's lateral movements is highly desired, in which designing and implementing an SDN-based Stateful DFW (SDFW) demand a scalable distributed states management solution at the data plane to track packets and flow states. Our performance results show that SDFW achieves scalable security against data plane attacks with a marginal performance hit ~ 1.6% reduction in network bandwidth.
△ Less
Submitted 1 November, 2018;
originally announced November 2018.
-
Laser Actuated Presentation System
Authors:
Atul Chowdhary,
Vivek Agrawal,
Subhajit Karmakar,
Sandip Sarkar
Abstract:
We present here a pattern sensitive PowerPoint presentation scheme. The presentation is actuated by simple patterns drawn on the presentation screen by a laser pointer. A specific pattern corresponds to a particular command required to operate the presentation. Laser spot on the screen is captured by a RGB webcam with a red filter mounted, and its location is identified at the blue layer of each…
▽ More
We present here a pattern sensitive PowerPoint presentation scheme. The presentation is actuated by simple patterns drawn on the presentation screen by a laser pointer. A specific pattern corresponds to a particular command required to operate the presentation. Laser spot on the screen is captured by a RGB webcam with a red filter mounted, and its location is identified at the blue layer of each captured frame by estimating the mean position of the pixels whose intensity is above a given threshold value. Measured Reliability, Accuracy and Latency of our system are 90%, 10 pixels (in the worst case) and 38 ms respectively.
△ Less
Submitted 28 November, 2009;
originally announced November 2009.
