CIPART: CLOUD INTELLIGENT PROTECTION AT RUN-TIME
Lead Research Organisation:
Imperial College London
Department Name: Computing
Abstract
Organisations, small and large, increasingly rely upon cloud environments to supply their ICT needs because clouds provide a better incremental cost structure, resource elasticity and simpler management. This trend is set to continue as increasingly information collected from mobile devices and smart environments including homes, infrastructures and smart-cities is uploaded and processed in cloud environments. Services delivered to users are also deployed in the cloud as this provides better scaleability and in some cases permits migration closer to the point of access for reduced latency.
Clouds are therefore an attractive target for organised and skilled cyber-attacks. They are also more vulnerable as they host environments from multiple tenant organisations with different interests and different risk aversion profiles. Yet clouds also offer opportunities for better protection both pro-actively and reactively in response to a persistent attack.
This project aims to develop novel techniques for intelligent cloud protection by advancing the state of the art in system modelling at run time, attack scenarios based analysis, novel techniques for selecting countermeasures and remedial actions and novel techniques for re-perimeterisation of the cloud environment. The methodology adopted combines fundamental research on knowledge representation, probabilistic analysis and machine learning with empirical and experimental studies in an industrial test-bed environment.
Additionally, the project also aims to achieve a better understanding of the business models and incentives involved in the relationships between cloud tenants and hosting organisations in the provision of security services based on measures of cost, risk and value and to propose new models that facilitate sharing of risk and exchange of security relevant information, which would in turn allow to simplify security management and provide better protection.
Clouds are therefore an attractive target for organised and skilled cyber-attacks. They are also more vulnerable as they host environments from multiple tenant organisations with different interests and different risk aversion profiles. Yet clouds also offer opportunities for better protection both pro-actively and reactively in response to a persistent attack.
This project aims to develop novel techniques for intelligent cloud protection by advancing the state of the art in system modelling at run time, attack scenarios based analysis, novel techniques for selecting countermeasures and remedial actions and novel techniques for re-perimeterisation of the cloud environment. The methodology adopted combines fundamental research on knowledge representation, probabilistic analysis and machine learning with empirical and experimental studies in an industrial test-bed environment.
Additionally, the project also aims to achieve a better understanding of the business models and incentives involved in the relationships between cloud tenants and hosting organisations in the provision of security services based on measures of cost, risk and value and to propose new models that facilitate sharing of risk and exchange of security relevant information, which would in turn allow to simplify security management and provide better protection.
Planned Impact
The project will deliver tangible outputs that are directly applicable to the security of cloud environments in terms of their resilience to compromise, efficient management at run-time, protection of assets and the relation of cloud protection environments to the business models.
These outputs impact directly a broad range of companies including: cloud service providers, providers of security services and software for cloud infrastructures and cloud users. Amongst cloud users, it will impact in particular SMEs who rely on public clouds, their incremental cost structure and elasticity in order to host part of their computing infrastructure and delivery, and cannot afford significant investments in security management. Improving the resiliency of the cloud infrastructure will enable not only to reduce risks increased through co-tenancy but also to share the risk between tenants as well as between tenants and provider and to manage them better.
The results from the project will also benefit directly organisations focussing on promoting standards and best practice in cloud environments such as the Cloud Security Alliance and ENISA amongst others.
The project will also benefit the increasingly large open source community (Open Stack, Open Nebula) working towards the development of cloud environments as the results of this project will lead to tools and techniques that are more broadly applicable than the target environment in which they are tested, and we aim to release as many of the components of the framework as open source software. The BT environment has itself a large degree of compatibility with open environments (see BT Letter of Support).
Finally we expect the results of the project to contribute to open standards and in particular to a closer alignment between network and systems management standards, grid standards and security standards including amongst others DMTF, TM Forum, Open Grid Forum, OASIS and NIST.
These outputs impact directly a broad range of companies including: cloud service providers, providers of security services and software for cloud infrastructures and cloud users. Amongst cloud users, it will impact in particular SMEs who rely on public clouds, their incremental cost structure and elasticity in order to host part of their computing infrastructure and delivery, and cannot afford significant investments in security management. Improving the resiliency of the cloud infrastructure will enable not only to reduce risks increased through co-tenancy but also to share the risk between tenants as well as between tenants and provider and to manage them better.
The results from the project will also benefit directly organisations focussing on promoting standards and best practice in cloud environments such as the Cloud Security Alliance and ENISA amongst others.
The project will also benefit the increasingly large open source community (Open Stack, Open Nebula) working towards the development of cloud environments as the results of this project will lead to tools and techniques that are more broadly applicable than the target environment in which they are tested, and we aim to release as many of the components of the framework as open source software. The BT environment has itself a large degree of compatibility with open environments (see BT Letter of Support).
Finally we expect the results of the project to contribute to open standards and in particular to a closer alignment between network and systems management standards, grid standards and security standards including amongst others DMTF, TM Forum, Open Grid Forum, OASIS and NIST.
Organisations
- Imperial College London (Lead Research Organisation)
- University of Pisa (Collaboration)
- University of Cyprus (Collaboration)
- Btexact Technologies Limited (Collaboration)
- Technical University of Crete (Collaboration)
- Agency for Science, Technology and Research (A*STAR) (Collaboration)
- BT Group (United Kingdom) (Project Partner)
Publications
Arunkumar S
(2017)
Next generation firewalls for dynamic coalitions
Barrere M
(2017)
Naggen: A network attack graph generation tool - IEEE CNS 17 poster
Karafili E
(2017)
Improving data sharing in data rich environments
Karafili E
(2017)
Enabling Data Sharing in Contextual Environments
Karafili E
(2017)
Verification techniques for policy based systems
Karafili E
(2017)
Argumentation-based policy analysis for drone systems
| Description | Attack graphs describe the attack paths that an attacker can follow to compromise networks by exploiting network vulnerabilities and topology. Bayesian attack graph representations are a powerful tool for security risk assessment. Whilst static analysis considers the risk posture at rest, dynamic analysis allows to calculate the risk to different system components when evidence of compromise is found in a part of the system. However Bayesian inference techniques for risk assessment over attack graphs do not scale well and this has significantly hampered the use of tools for risk assessment. In this project we have: a) demonstrated how probabilistic graphical algorithms can be applied for scaleable inference over attack graphs for both exact and approximate inference - approximate inference techniques scale linearly in the number of nodes for both static and dynamic analysis, b) designed new tools for attack graph generation and analysis and introduce the notion of core graphs representing the unavoidable steps that an attacker needs to go through to achieve a specific objective, c) shown how this can be used to deploy countermeasures to an attack and applied this in cloud environments and d) evaluated the factors driving adoption of cloud services and security in cloud services. |
| Exploitation Route | Our findings show that methodologies based on attack graph representations can scale to larger systems and thus be applied in practice for risk assessment. Scalability is the main factor that has limited the adoption of such tools for cloud and enterprise security. Our findings have also demonstrated the multiple uses of attack graph analysis in the protection of a system including: risk assessment, counter measure deployment, forensic investigation, network hardening and attribution. |
| Sectors | Digital/Communication/Information Technologies (including Software),Security and Diplomacy |
| URL | http://www.rissgroup.org |
| Description | The findings of the project have influenced R&D at collaborating organisations and more broadly studies of resilience and policy in the security area. Amongst others, we were invited to present our findings at a NATO workshop on Cyber Resilience and approached by many organisations for further collaborations in this area. Beyond the original remit of the project, which focussed on cloud and enterprise environments, our findings have applicability for the protection of industrial control and IoT systems which we are pursuing e.g., in the PETRAS IoT Hub. Insights from this project have also influenced some of the policy recommendations put forward through PETRAS reports. |
| First Year Of Impact | 2018 |
| Sector | Digital/Communication/Information Technologies (including Software) |
| Impact Types | Policy & public services |
| Description | Cyber security cOmpeteNCe fOr Research anD InnovAtion |
| Amount | € 15,998,737 (EUR) |
| Funding ID | 830927 |
| Organisation | European Commission |
| Sector | Public |
| Country | European Union (EU) |
| Start | 01/2019 |
| End | 03/2023 |
| Description | EU Marie-Curie Programme |
| Amount | € 183,454 (EUR) |
| Funding ID | 746667 - AF-Cyber |
| Organisation | European Union |
| Sector | Public |
| Country | European Union (EU) |
| Start | |
| Description | Logic-based Attribution and Forensics in Cyber Security |
| Amount | € 18,345,480 (EUR) |
| Funding ID | 746667 |
| Organisation | European Commission |
| Sector | Public |
| Country | European Union (EU) |
| Start | 02/2018 |
| End | 01/2020 |
| Description | PETRAS 1st Strategic Research Fund Call for Proposals |
| Amount | £160,747 (GBP) |
| Funding ID | SECRIS |
| Organisation | PETRAS |
| Sector | Public |
| Country | United Kingdom |
| Start | 02/2018 |
| End | 02/2019 |
| Description | A*STAR |
| Organisation | Agency for Science, Technology and Research (A*STAR) |
| Department | Institute of Infocomm (I2R) |
| Country | Singapore |
| Sector | Academic/University |
| PI Contribution | Imperial has contributed with expertise on attack graph reasoning and IoT Security. Dr. Lupu is formally involved as a collaborator in one of A*STAR's projects funded by NRF. |
| Collaborator Contribution | A*STAR has contributed with expertise in mobile security and network security |
| Impact | Formal collaboration on funded projects. |
| Start Year | 2016 |
| Description | BT |
| Organisation | Btexact Technologies Limited |
| Country | United Kingdom |
| Sector | Private |
| PI Contribution | Imperial brought to this collaboration expertise on security in Cloud environments, attack graph generation and risk analysis using attack graphs as well as expertise on adoption of cloud services. We have analysed BT's cloud environment, ran experiments on their cloud environment, discussed with their technical experts and interviewed their commercial staff and collaborators. |
| Collaborator Contribution | BT provided access to their technical staff, acess to their testbed and access to their commercial staff. |
| Impact | Most of the outputs of the project including several papers submitted are attributable to this collaboration. |
| Start Year | 2014 |
| Description | Pisa |
| Organisation | University of Pisa |
| Department | Department of Computer Science |
| Country | Italy |
| Sector | Academic/University |
| PI Contribution | This collaboration has led us to exchange expertise on attack graph analysis and models for total network defense. As a result of this collaboration Dr. Lupu has been involved in the PhD committee of Federico Tonelli at the University of Pisa. |
| Collaborator Contribution | We have received useful comments and contributions from our collaborators on our work as well as insights into the benefits and limitations of related approaches to ours. |
| Impact | Dr. Lupu has been involved in the PhD committee of Federico Tonelli at the University of Pisa. |
| Start Year | 2015 |
| Description | Univ. of Cyprus |
| Organisation | University of Cyprus |
| Department | Department of Computer Science |
| Country | Cyprus |
| Sector | Academic/University |
| PI Contribution | The collaboration concerned the use of argumentation reasoning for cybersecurity. A number of applications were investigated including the application to data protection in cloud environment, distributed firewall configuration and attribution. Prof. Kakas contributed with expertise on argumentation reasoning as well as their GORGIAS tool for logic programming with priorities. |
| Collaborator Contribution | Imperial Contributed with expertise on security and attack graph reasoning. |
| Impact | One paper (see paper section) was published and others are in the process of being written up. A EU Marie-Curie Fellowship hosted at Imperial College was awarded to Dr. Karafili for use of argumentation towards automating attribution reasoning. |
| Start Year | 2014 |
| Description | University of Crete |
| Organisation | Technical University of Crete |
| Country | Greece |
| Sector | Academic/University |
| PI Contribution | Imperial brought to this collaboration expertise on cybersecurity and attack graph reasoning. |
| Collaborator Contribution | The collaboration concerned the use of argumentation reasoning for data security and distributed firewalls configuration. Dr. Spanoudakis brought expertise on the use of argumentation and the use of the GORGIAS software. |
| Impact | One paper has been published and others are in preparation. An EU Marie-Curie Fellowship was awarded to Dr Karafili as a direct result of this collaboration. |
| Start Year | 2015 |
| Title | NAGGEN |
| Description | NAGGEN is a software tool for the generation and visualisation of Attack Graphs. |
| Type Of Technology | Software |
| Year Produced | 2016 |
| Impact | The software allows the generation and visualisation of attack graphs. It was used within simulated test environments, real academic network environments and commercial testbed facilities. |
| Description | Business Reporter IT Security Hub Breakfast Briefing Future Trends in Cyber Security |
| Form Of Engagement Activity | A formal working group, expert panel or dialogue |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Invited participation to A Business Reporter/IT Security Hub Breakfast briefing on future trends in cyber security. The event was attended by practitioners from organisations covering a broad spectrum of industries. |
| Year(s) Of Engagement Activity | 2016 |
| Description | Invited Plenary Talk KTH Conference on Security for Industry |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Other audiences |
| Results and Impact | Invited Plenary Talk KTH Conference on Security for Industry - How to avoid a Cyber attack |
| Year(s) Of Engagement Activity | 2021 |
| URL | https://www.kth.se/en/forskning/forskningsplattformar/digitalisering/news/watch-the-conference-secur... |
| Description | Invited Presentation at COMIT Conference |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Industry/Business |
| Results and Impact | Invited presentation to a broad audience covering cybersecurity risks to the built environment, research results and techniques which may be applicable. |
| Year(s) Of Engagement Activity | 2016 |
| URL | http://www.comit.org.uk/comit2016-speakers |
| Description | Invited Talk CODEX "Top 50 Innovators from the Industries of the future" |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Other audiences |
| Results and Impact | This was an invited talk on the trustworthiness of cyber physical systems in a panel session on cyber security which also featured as speakers, Mikko Hypponen, Chief Research Officer, F-Secure, Andrew Rubin, CEO and Founder, Illumio, and Dave Palmer, Director of Technology, Darktrace. The talk and panel were recorded and CODEX plan to make them available on line. The event was intended to reach a broad audience of thought leaders including practitioners, academics, scientists and the general public. |
| Year(s) Of Engagement Activity | 2017 |
| URL | https://www.codex.com/?p=4947 |
| Description | Presentation and Participation at NATO IST-153 Workshop |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Other audiences |
| Results and Impact | Participation and presentation at NATO IST 153 Workshop on cyber-resilience. The event was attended by representatives from Universities, Companies and Defence research establishments across both US and Europe. |
| Year(s) Of Engagement Activity | 2017 |
| Description | Talk ABI Event Banks Cyber-Physical Security |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Industry/Business |
| Results and Impact | The "Banche e Sicurezza" (Banks and Security) conference in Italy is organised by ABI the main industry organisation of financial institutions and is their annual event focussing on Security. It is attended by 300-400 people in positions of responsibility for security in banks and government. I was invited to speak on a panel entitled "From Physical Security to Cyber Security" and my talk included insights from several EPSRC funded projects including CIPART and the PETRAS Hub. |
| Year(s) Of Engagement Activity | 2018 |
| URL | http://banchesicurezza.abieventi.it |