Research-Oriented Project in Network Security: Formulating a Research Project and Project Milestones


"Learn about the research-oriented class project in network security focusing on formulating a research project with problem statement, proposed approach, and evaluation plan. Explore project logistics including proposal, related work, and timeline milestones."


Presentation Transcript


  1. ECE 18731 Network Security: Project Overview
     Vyas Sekar

  2. Research-oriented Class Project
     • Project groups of 3-4 students
       • Any group of different size has to get OK-ed
       • Start forming groups early
     • Project grading criteria
       • Research component
       • Implementation component
       • Project presentation/poster
       • Project report

  3. Formulating a research project
     • Problem statement
       • What problem, does it matter
       • Who will benefit
     • Proposed approach
       • What method or idea
     • Hypothesis
       • Do you have specific expectations? What is known?
     • Evaluation plan
       • What tools? What resources?
     • Results
       • What are the metrics of success?
       • What is the deliverable?
     • Milestones

  4. Project Logistics
     • Project proposal
       • Project description
       • Related work
       • Outline of research contribution
       • Timeline of implementation milestones
       • Evaluation metrics (how do you know that you were successful)
     • Template posted on blackboard

  5. Project milestones
     • Group sign up! (Posted on piazza) https://docs.google.com/spreadsheets/d/1dsNABAEa8qulTWh8njQjZZWdGgRL5OgD6FBkMBpuHdk/edit#gid=0
     • 3-4 milestones
       • A (written) proposal phase
         • Due Feb 17 (9 days from now)
         • Form groups, submit pre-proposal to make sure your project is feasible
         • Describe the proposed work
         • Motivation behind it
         • Schedule to completion
       • One mid-semester emails (tentatively March 15 and week of April 7)
         • One page report where you will describe the status of your project
         • Instructors may follow up with an interview with the team if needed.
       • Final presentation (in class) and report (early May/finals week)
     • Highly encouraged to communicate with the instructors outside of the mandatory milestones
     • Communicate! We will not run after you to get information, you are in complete control

  6. Some example topics ..

  7. Behavioral modeling for IoT devices (i.e., Alembic for IoT)
     Contact: Milind Srivastava (milindsr@andrew.cmu.edu)
     IoT introduces new security challenges. The cross-device interactions and cyber-physical nature also make the problem rather unique compared to traditional security problems. For example, a networked thermostat can control the AC in a smart home, and devices can even be coupled through the physical environment, leading to implicit dependencies. For instance, a temperature sensor can be connected to open windows to cool down if the AC is not on. Thus, an attacker could compromise the smart plug (e.g., Belkin Wemo) to turn off the AC and trigger a temperature increase, and use that to create a physical security breach.
     In this project, we want to investigate whether we can model individual IoT devices. As a first step, we will investigate whether a recently released tool called Alembic (https://www.usenix.org/conference/nsdi19/presentation/moon), which enables modeling the behavior of network devices, can be used to model IoT devices.

  8. IoT/CPS Honeypots
     Contact: Milind Srivastava (milindsr@andrew.cmu.edu)
     Honeypots are a good defensive measure to deceive attackers, waste their time and resources, and lead them to believe an actual attack is occurring when it really isn't. With the proliferation of IoT, it is interesting to explore whether we can build honeypots to emulate IoT/CPS devices. We want these honeypots to be highly interactive and sensitive to user inputs. These honeypots should also be high-fidelity, i.e., they should model the state space of the IoT device as accurately as possible. For instance, consider a honeypot emulating a 3D printer. Any command that works with an actual 3D printer should receive the same output from the honeypot, but there will be no effects on the physical environment, as the honeypot is not connected to a physical printer.
     Starting points:
     • Survey paper - https://arxiv.org/pdf/2108.02287.pdf
     • Examples of IoT honeypots
       • https://www.blackhat.com/docs/us-17/thursday/us-17-Luo-Iotcandyjar-Towards-An-Intelligent-Interaction-Honeypot-For-IoT-Devices-wp.pdf
       • https://dl.acm.org/doi/pdf/10.1145/3372297.3420023
     • Why CPS honeypots are non-trivial - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7676152

  9. A stealthier network attack via buffer-exploitation
     Contact: Maria Apostolaki (mapostol@andrew.cmu.edu)
     Attacks that target the network infrastructure have been shown able to cut off the Internet connections of a targeted enterprise (e.g., a university campus, a military base, a set of energy distribution stations) [1]. Traditionally, such attacks flood a particular link by sending traffic from a botnet to carefully-selected public servers whose Internet paths contain the targeted link. While effective, such attacks can be dealt with by performing benign BGP hijacks [2].
     In this work, we will investigate the feasibility of an attack that aims at disconnecting a victim host or network but exploits the algorithm that controls the shared buffer in the device. Such an attack, if possible, would be stealthier than link-flooding, as the utilization of the targeted link will be low.
     • Milestone I: Design and implement a toy attack in ns3 (single switch, multiple senders, single victim, and complete sharing of the buffer)
     • Milestone II: Implement a framework that allows one to check the feasibility of an attack for configurable buffer size, capacity, number of ports, buffer management configuration and Botnet-traffic budget
     • Milestone III: Develop a tool to infer the buffer management configuration via probing and find the attack that minimizes Botnet-traffic budget
     [1] The Crossfire Attack https://www.ieee-security.org/TC/SP2013/papers/4977a127.pdf
     [2] Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing https://web.eecs.utk.edu/~mschucha/doc/nyx18.pdf

  10. Microservice Attack Simulation
     Contact: Brian Singer (briansin@andrew.cmu.edu)
     Microservices are a popular and emerging paradigm in distributed computing. In these systems, services (i.e., payments, users, UI) are separated into logical units; their generation, deletion, and placement are fluid and managed by a cluster (such as Kubernetes). Microservices change the communication model in a system: what would previously be an internal API call is now performed as a network call, meaning that such information is visible in the network traffic logs.
     Similar to a networked system, microservice architectures are subject to attack. DoS attacks, data exfiltration attacks, intrusions, and cryptojacking are all common issues faced by these systems.
     The goal of this project is to simulate attacks on microservices to create a large dataset. The dataset will be used to train machine learning classifiers to detect the attacks.

  11. Efficient anonymous blocklisting via recursive zero-knowledge proofs
     Contact: Riad Wahby (riad@cmu.edu)
     Network service providers commonly use blocklists to deny service to users with a history of misbehavior. But the standard approach to blocklisting---giving users long-lived identities that can be revoked in response to abuse---is difficult to implement while giving strong guarantees of user privacy, since enforcing the blocklist appears to require the provider's knowing the user's identity. In response, Tsang et al. (2008) introduce the notion of anonymous blocklisting, which uses cryptographic techniques to let users establish that their identity has not been blocked, without revealing any other information about their identity.
     Recently, Rosenberg et al. (2021) revisit this problem, developing more efficient techniques based on advances in succinct zero-knowledge proofs (zkSNARKs). Their approach, SNARKblock, improves on prior work using a clever mix of systems and cryptographic techniques, but two problems remain. First, proofs are large (hundreds of kilobytes), making this approach impractical for, e.g., anonymous microblogging. Second, clients must perform expensive computations in response to changing blocklists.
     A promising alternative that addresses those shortcomings is to use a recursive proving strategy, i.e., asking users to prove a statement of the form "I am not the most recently blocked user, and I know a proof of this statement applied to the tail of the blocklist". The SNARKblock authors consider this approach but leave efficient construction as an open problem. The goal of this project is to solve that problem via a simple tweak to the logical statement being proved in zero knowledge.

  12. High-quality, privacy-preserving synthetic data generation using Generative Adversarial Networks
     Contact: Yucheng Yin (yyin4@andrew.cmu.edu)
     Limited data access has been a barrier for data-driven research for quite a long time. Due to privacy concerns and policy restrictions, data holders are usually reluctant to share valuable raw data (e.g., PCAPs, system logs, automobile traces) which could have significantly benefited the research community. One alternative is to share high-quality, privacy-preserving synthetic data which satisfies the privacy guarantees while still preserving great utility, e.g., capturing key statistical properties and serving as input to numerous downstream tasks.
     Recent advances in Generative Adversarial Networks (GANs) [1] have shown promise in generating high-fidelity, realistic images as well as synthetic networking timeseries data [2]. However, whether such methods can be generalized to other domains and datasets is unknown and remains to be explored. In this work, we would like to build on state-of-the-art GAN frameworks and apply them to multiple areas/datasets (e.g., system logs, IoT traces, automobile data, or even finance customer traces) for synthetic data generation (both codebase and datasets are available upon request).
     The overarching goal of our evaluation is to show four key aspects of metrics:
     • Fidelity: how well does the synthetic data capture the key statistical properties of raw data (e.g., measured as JS divergence between raw and synthetic data)?
     • Utility: can the generated synthetic data be practically used for downstream tasks with an accuracy/error rate close to the raw data?
     • Scalability: can the framework generate a reasonably large dataset with a reasonable amount of time and resources?
     • Privacy: under moderate privacy guarantees (ε in differential privacy), can the synthetic data maintain a good level of fidelity/utility?
     Reference papers:
     [1] Ian Goodfellow's 2014 GAN paper: https://arxiv.org/pdf/1406.2661.pdf
     [2] DoppelGANger: https://arxiv.org/pdf/1909.13403.pdf
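An added example, not part of the original slides or the project's codebase, of the fidelity metric named in slide 12: Jensen-Shannon divergence between raw and synthetic flow records, computed per field. The field names (`proto`, `dst_port`, `bytes`), the bin edges and the sample records are constructed for illustration.

```python
import bisect
import math
from collections import Counter

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 for identical, 1 for disjoint support."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    def kl(x, y):
        # Zero-probability terms contribute nothing; the mixture m is non-zero
        # wherever x is, so no smoothing is needed (unlike plain KL divergence).
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def field_jsd(raw_values, synth_values):
    """JSD between the empirical distributions of one field in two datasets."""
    support = sorted(set(raw_values) | set(synth_values))
    rc, sc = Counter(raw_values), Counter(synth_values)
    p = [rc[s] / len(raw_values) for s in support]
    q = [sc[s] / len(synth_values) for s in support]
    return js_divergence(p, q)

def fidelity_report(raw, synth, categorical, numeric_bins):
    """Per-field JSD; numeric fields are histogrammed with the given bin edges."""
    report = {f: field_jsd([r[f] for r in raw], [r[f] for r in synth])
              for f in categorical}
    for f, edges in numeric_bins.items():
        report[f] = field_jsd([bisect.bisect_right(edges, r[f]) for r in raw],
                              [bisect.bisect_right(edges, r[f]) for r in synth])
    return report

# Constructed sample flow records (hypothetical field names, not real traffic).
RAW = [
    {"proto": "tcp", "dst_port": 443, "bytes": 1200},
    {"proto": "tcp", "dst_port": 443, "bytes": 900},
    {"proto": "udp", "dst_port": 53, "bytes": 80},
    {"proto": "tcp", "dst_port": 22, "bytes": 300},
]
SYNTH = [
    {"proto": "tcp", "dst_port": 443, "bytes": 1100},
    {"proto": "tcp", "dst_port": 443, "bytes": 1000},
    {"proto": "udp", "dst_port": 53, "bytes": 90},
    {"proto": "udp", "dst_port": 123, "bytes": 76},
]

if __name__ == "__main__":
    report = fidelity_report(RAW, SYNTH, ["proto", "dst_port"], {"bytes": [100, 1000]})
    for field, jsd in report.items():
        print(f"{field:8s} JSD = {jsd:.4f} bits")
```

A per-field score near 0 means the synthetic marginal matches the raw one; it says nothing about cross-field correlations, which need joint histograms or downstream-task (utility) checks.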

  13. Framework to develop ML algorithms for Network Anomaly Detection for IoT devices
     Contact: Rahul Anand Sharma (rahulans@andrew.cmu.edu)
     The Internet-of-Things (IoT) has quickly moved from the realm of hype to reality, with estimates of over 25 billion devices deployed as of 2020. While IoT has huge potential for societal impact, it comes with several key security challenges: IoT devices can become the entry points into critical infrastructures and can be exploited to leak sensitive information. Traditional host-centric security solutions in today's IT ecosystems (e.g., antivirus, software patches) are fundamentally at odds with the realities of IoT (e.g., poor vendor security practices and constrained hardware).
     To mitigate this problem, we have seen a plethora of ML-based anomaly detection methods that try to mitigate the vulnerabilities of heterogeneous IoT devices without altering their operations. We have developed a framework that allows anyone to easily design their algorithm for the task of anomaly detection and compare it against a variety of other algorithms under various settings. We are looking for students to implement either existing or new algorithms using our framework.

  14. Data Augmentation for ML for Network Anomaly Detection for IoT devices
     Contact: Rahul Anand Sharma (rahulans@andrew.cmu.edu)
     We have limited labeled data for training ML models for the anomaly detection task. Moreover, most of the available data is from benign traffic, and attack data is even more limited. To make sure that an ML model can generalize, we need to provide sufficient data for model training.
     Recent advances in Generative Adversarial Networks (GANs) have shown promise in generating high-fidelity, realistic images as well as synthetic networking timeseries data. In this work, we would like to apply state-of-the-art GAN frameworks to synthetic data generation (especially synthetic attack traffic). We would like to evaluate these frameworks on metrics of accuracy, training time, testing time, etc.

  15. Hijacking X-coin
     Contact: Maria Apostolaki (mapostol@andrew.cmu.edu)
     Blockchain systems have received a lot of attention in the academic and industrial world. Oftentimes, blockchain systems such as Bitcoin and Ethereum operate over the Internet. Unfortunately, such systems were designed in isolation, i.e., ignoring known vulnerabilities of the Internet. In effect, multiple network-layer attacks have been revealed [1,2] and performed in practice [4,5]. For instance, a malicious or compromised AS can use BGP hijacking to split the Bitcoin network into two disjoint components, leaving the system vulnerable to all sorts of exploits [1]. Notably, BGP hijacking has enabled attackers to steal thousands of dollars from Bitcoin mining pools [5] and an online wallet [4]. Network-layer attacks against blockchains are, of course, not limited to BGP hijacking. Previous work has also shown that a passive AS-level adversary can delay blocks [1] and deanonymize users [2].
     Despite their practical effectiveness, network-layer attacks have not been systematically studied across various systems, due to the lack of a scalable and realistic cross-layer simulator. The goal of this project is to turn the mini-Internet simulator [3] into a blockchain simulator that can realistically simulate the effect of network adversaries on various systems. The concrete features we will aim for are the following: (i) nodes will run the real system's code; (ii) network links will have realistic network delays; and (iii) an attacker will be able to perform both passive (observing traffic) and active attacks (performing a BGP hijack).
     [1] Hijacking Bitcoin: Routing Attacks on Cryptocurrencies. https://nsg.ee.ethz.ch/fileadmin/user_upload/publications/nsg_vanbever_bitcoin_routing_attacks_oakland_2017.pdf
     [2] PERIMETER: A Network-Layer Attack on the Anonymity of Cryptocurrencies https://nsg.ee.ethz.ch/fileadmin/user_upload/publications/fc21final97.pdf
     [3] An Open Platform to Teach How the Internet Practically Works https://github.com/nsg-ethz/mini_internet_project
     [4] Hackers emptied Ethereum wallets by breaking the basic infrastructure of the internet

  16. Security Policy Modelling For Web Applications
     Contact: Ao Li (aoli@andrew.cmu.edu)
     Access management is a critical component of web applications. Many web frameworks provide DSLs to specify security policies for APIs [2, 3], but the developer still mixes the access control of the data with other application logic. For example, the following Java code shows a simple endpoint which can only be accessed by INDIVIDUAL and ADMIN. The method first checks the role of the requester and returns a different portion of the data based on its role.
     In this project, we want to design a simple modeling language that describes security policies and use static/dynamic analysis techniques to synthesize the security policies of the analyzed system [1].
     • Checkpoint 1: design a DSL to describe the security policy of the target system
     • Checkpoint 2: implement a static/dynamic taint analysis framework to synthesize security policies of the target system
     • Checkpoint 3: use the synthesized security policies to identify potential security vulnerabilities of the target system
     [1] https://yanniss.github.io/enterprise-pldi20.pdf
     [2] https://www.baeldung.com/spring-security-expressions
     [3] https://docs.gitlab.com/ee/development/policies.html

  17. Choosing your own project
     • Anything related to this course and appropriately challenging should be doable
     • Most important factor: your own motivation
     • Talk to us!

  18. Todo
     • Read the project how-to
     • Set up meeting with Vyas and/or Project Contacts
     • Internalize this!
