Contributions & accomplishments

Research Contributions and Accomplishments on Security and Resiliency of Cyber and Cyber-Physical Systems


Overview Professor Al-Shaer has established an outstanding research record as a leading expert in the area of analytics and automation for cyber and cyber-physical security and resiliency. Professor Al-Shaer’s contributions in this area have advanced the state-of-the-art by developing innovative techniques for automating “sense-making” and “decision-making” with provable and measurable security and resiliency properties. This includes large-scale enterprise systems, Software Defined Networks (SDN), cloud, and Wireless Sensor Networks (WSN), as well as cyber-physical systems such as energy delivery systems (EDS), industrial control systems (ICS), systems of Internet-of-Things (IoT), and structural health monitoring (SHM) systems for physical infrastructures. To develop models for sense-making and decision-making, Prof. Al-Shaer’s research analyzes many different cyber artifacts, including millions of configurations such as policy rules and system parameters, historic vulnerability data (e.g., CVE, XCCDF), traffic traces (e.g., NetFlow, DHS PREDICT/IMPACT), audit and system logs (e.g., meter logs, sensor measurements), provenance information, structured and unstructured cyber threat intelligence information (e.g., STIX and Symantec reports, respectively), and incident reports (e.g., VERIS).
 
Formal-driven Analytics In his research, Prof. Al-Shaer developed novel formal-driven analytics techniques, metrics and tools using various theories, including model checking, Satisfiability Modulo Theories (SMT), probabilistic and plausible reasoning, and game theory, to verify the trustworthiness of the system configuration, measure the system resiliency, characterize the attack surface based on the adversary profile, estimate the potential impact of attacks, and generate cost-effective risk mitigation plans dynamically.
  • More specifically, Prof. Al-Shaer used the configuration or traffic traces of complex cyber and cyber-physical systems to construct scalable logic-based models that can symbolically represent the complete behavior of these systems for formal verification of security and resiliency properties expressed in temporal logic.
  • Prof. Al-Shaer developed bounded BDD- and SMT-based model checking integrated with various novel model reduction and decomposition techniques to optimize our model for scalability while guaranteeing model soundness and completeness. Examples of these properties include characterizing the attack surface and assessing the quality of the system countermeasure resistance against dynamic arbitrary adversaries attributed by their capabilities and resources [ICNP09, INFOCOM12, TSG13, DSN14, ICDCS14, ICCPS14, TDSC16, SafeConfig14].
  • Prof. Al-Shaer also developed various adaptive optimization techniques using SMT, game theory, and partially observable Markov decision processes (POMDP) to enable autonomous and agile novel cyber defense, including deterrence, deception and automated response [MTD14-sg, MTD14-storm].
Data-driven Analytics Prof. Al-Shaer has extensive experience in developing novel data-driven analytics techniques and tools using text mining, information retrieval, entropy-based information-theoretic analysis, machine learning and statistical analysis. The objectives of his data-driven analytics were to extract threat actions from unstructured text [ACSAC17], infer attack patterns automatically from cyber threat intelligence reports [ACSAC17], detect slow and low stealthy DDoS [Patent1] and spam bots [AsiaCCS12, ICC09], predict smart meter normal behavior [CCS13, TISSEC15], predict unknown software vulnerabilities based on existing CVEs [NOMS12], predict bad IPs [SafeConfig17] and phishing URLs [ISI17], map novel CVEs to CWEs, and others.
  • More specifically, Prof. Al-Shaer and his team developed novel approaches using natural language processing, text mining and information retrieval to extract low-level specific threat actions from unstructured text (such as reports, blogs or news), and then use machine learning to classify threat actions into the appropriate tactics and techniques in the kill chain [ACSAC17]. The outcome of this work can significantly impact cyber defense analytics and automation.
  • Also, Prof. Al-Shaer used statistical machine learning to develop new techniques for associating an arbitrary CVE (vulnerability description) with the appropriate CWE (weakness) and CAPEC (attack pattern). Considering the large number of unpatchable CVEs created every day, this technique can be used to automatically infer the expected impact/damage and the appropriate mitigation courses of action for any new CVE.
  • In addition, Prof. Al-Shaer used information-theoretic analysis to extract the most important features for developing anomaly-based detectors for low and slow DDoS [Patent1] and spam botnet attacks [AsiaCCS12, JNCA16].
 
Metric-driven Cyber Defense Automation His research has significantly contributed to the foundation of the science of cyber security and resiliency by developing metrics and methodologies for measuring the effectiveness of cyber defense techniques in terms of the following capabilities:
  1. The ability to continuously identify and mitigate cyber risk proactively,
  2. The potential of cyber agility, including attack deterrence and deception techniques (e.g., randomization, deflection, mutation, etc.), to effectively confuse attackers, increase the cost and decrease the damage of attacks,
  3. The ability of attack resistance techniques (e.g., dynamic isolation, diversity, etc.) to dynamically identify threats and respond to active attacks at various stages in the kill chain [ATT&CK] in real time, with minimal human assistance, and
  4. The ability of the cyber system to automatically regenerate itself to recover from partially or completely successful attacks.

Cyber-Physical Security and Resiliency In cyber-physical systems research, his contributions have advanced the science and engineering of security and resiliency of cyber-physical systems by developing formal- and data-driven analytics and metrics for measuring the potential and impact of coordinated stealthy attacks on interdependent CPS such as EDS and systems of IoT, and by synthesizing cost-effective mitigation countermeasures with provable security and resiliency properties.
 
Research Areas Overview

Security Configuration Analytics and Automation Prof. Al-Shaer is recognized as a world-class research leader in the area of security configuration analytics and automation. He was among the early researchers in the field who formally defined cyber misconfigurations, quantified their impact on the cyber mission, provided a comprehensive classification of network access control misconfigurations, and developed formal methods and tools to verify, diagnose and synthesize security policies and configurations for large-scale cyber and cyber-physical systems that contain complex inter-dependent components [ICNP09, JSAC09, JSAC05, INFOCOM04, INFOCOM10, SACMAT07, SCC13-1, SCC13-2, INFOCOM12, TSG13, DSN14, ICDCS14, ICCPS14, TDSC16, SafeConfig14]. Prof. Al-Shaer was designated as a Subject Matter Expert on Security Analytics and Automation by DoD in the Information Assurance Newsletter, 2011. Early in his career, Prof. Al-Shaer developed automated security policy analytics for detecting configuration inconsistencies and rule anomalies in distributed firewalls, with soundness and completeness guarantees [IM03, JSAC05, INFOCOM04]. His tool (Security Policy Advisor [SPA]) was widely used by more than 90 organizations. He then extended his models and tools to consider all access control devices, including IP routers/switches, IPSec, wireless access points, firewalls, IDS/IPS, NAT, proxies, and host-based RBAC for traditional networks; OpenFlow switches and controllers for SDN; cloud security groups; and Advanced Metering Infrastructure and Energy Management Systems (EMS) for smart grids [SACMAT07, ICNP09, JSAC09, INFOCOM10, SCC13-1, SCC13-2, SafeConfig14].
His work resulted in the development of a number of security configuration verification and synthesis tools, namely ConfigChecker, SDNChecker, CloudChecker, ACDChecker, and ActiveSDN for cyber systems; AMIAnalyzer and EMSThreatAnalyzer for smart grids; IoTChecker for validating IoT configurations across a system of IoT systems; and SensorChecker and WSNPlanner for verification and synthesis of sensor configurations, including sensing schedule, orientation, power, location, topology, and actuation, to satisfy WSN mission integrity and operational (energy and topology) constraints [SensorChecker, CNSM12-2]. These tools and projects will be described in the sections below.
 
Resilience of Energy Management Systems of Smart Grids Prof. Al-Shaer has several well-established contributions in the area of proactive cyber-physical security and resiliency. He developed a number of novel formal- and data-driven techniques for automated risk analytics and mitigation for cyber-physical systems. In collaboration with Duke Energy, Prof. Al-Shaer developed new techniques and tools to proactively identify misconfigurations, predict unknown attacks, and estimate their potential impact on the Advanced Metering Infrastructure (AMI) and Energy Management Systems (EMS), including optimal power flow, contingency analysis, topology mapper, and automatic generation control (AGC). Our contribution to the science of CPS security is manifold. First, we proposed formal foundations for measuring the potential of stealthy coordinated attacks on smart grid control systems that exploit the interdependency of their components. Second, we developed formal analytics approaches to characterize the attacker capabilities required to launch a successful attack on energy delivery systems. Third, we presented models to quantify the explicit and hidden impacts of stealthy attacks on the functional integrity of Optimal Power Flow and AGC, the most critical components of smart grids. Fourth, we developed automated techniques for provable threat mitigation planning.
 
Verification of IoT Security Configuration In his recent research, Prof. Al-Shaer has investigated the development of a formal framework for verifying security and resiliency properties of Internet of Things (IoT) systems of systems, while considering the inter-dependency between various inter-related IoT systems on one side, and with cyber systems on the other. We developed a new SMT-based model checker, IoTChecker, to detect and resolve conflicts within or between IoT systems, verify the functional integrity of IoT systems according to the device configuration, and reconfigure the IoT system to avoid potentially bad consequences or malicious activities [IoTChecker]. We use smart buildings and smart city IoT systems as case studies for IoTChecker.
 
Automated Course-of-Action Mitigation Generation In addition to the proactive security analytics described above, Prof. Al-Shaer has profoundly contributed to advancing the resiliency of cyber systems by enabling them to dynamically resist and recover from successful attacks. Prof. Al-Shaer developed a new reactive security policy language called CLIPS that allows for initiating the appropriate course of investigation and configuration actions to respond to active attacks. CLIPS is currently being developed for NSA and will be demonstrated during the IACD Community meeting. We developed CLIPS to be a provably safe policy language, which means it guarantees no conflicts or inconsistencies despite the large number of actions that can be executed simultaneously. Prof. Al-Shaer has also developed a cyber agility engine as an application on OpenDaylight, called ActiveSDN, that can orchestrate thousands of cyber courses of action (CoAs) to deter, resist, respond to, and recover from attacks in real time.

Dynamic and Adaptive Firewall and IDS Optimization
  • Prof. Al-Shaer has also proposed highly novel techniques for dynamic adaptation of firewall policies based on real-time traffic statistics to optimize packet filtering and respond to DDoS attacks automatically [INFOCOM06, INFOCOM09, JSAC06, CommMag13].
  • Moreover, Prof. Al-Shaer has developed an on-line adaptive technique for dynamically adjusting intrusion detection thresholds to optimize the detection accuracy without increasing the false positive rate [TISSEC13].
  • In his smart grid research, Prof. Al-Shaer has developed novel techniques for intrusion detection and deterrence in the AMI and AGC components of smart grids [TISSEC15, CCS13, CNS14]. Our configuration-based AMI intrusion detection approach set a new direction for anomaly detection in industrial control systems. We capitalize on the predictability of AMI behavior, as inferred from the smart meter log history, to construct a stochastic model checker that can validate system activities in real time based on the smart meter configuration. Unlike other approaches, our solution offers highly cost-effective and non-intrusive intrusion detection for AMI [TISSEC15, CCS13]. In our extended approach, we proposed a new robust technique to randomly mutate the AMI configuration to decrease potential evasion and maximize detection accuracy [TISSEC15].
  • We developed an anomaly-based IDS for AGC that employs multi-tier intrusion detection to balance real-time detection against computational complexity, maintaining high detection accuracy and a low false positive rate [CNS14].
 
Cyber Agility and Moving Target Defense Prof. Al-Shaer has also contributed profoundly to the scientific foundation and development of cyber agility for moving target defense (MTD) and cyber deception for both cyber and cyber-physical systems. Prof. Al-Shaer has developed novel techniques for enabling CPS agility and increasing attack deterrence and resistance in cyber, smart grid and IoT systems. He developed several moving target techniques to defeat scanning, fingerprinting, worm propagation, APT and stealthy DDoS attacks. He also created metrics to quantify benefit-cost and identify the limitations of MTD techniques. The following is a summary of our developed MTD mechanisms:
  • Adaptive Random Host Mutation (A-RHM) randomly mutates hosts’ IP addresses to defeat reconnaissance and scanning worm attacks [SecureComm12, HotSDN12, INFOCOM15-arhm, TIFS16-rhm],
  • Fingerprinting Deception uses a game-theoretic approach to generate a fake fingerprint for deceiving fingerprinting attackers while minimizing the impact on benign clients [CNS13-2],
  • Random Route Mutation (RRM) randomly mutates the route paths of active flows in the network dynamically to disrupt DoS and route reconnaissance attacks without jeopardizing network QoS performance or security properties [CNS13-1, ESORICS13].
  • Virtual Network Mutation (MoveNet) randomly mutates the physical network footprint (e.g., critical links) mapped to a virtual network by frequently migrating virtual networks to different substrates, to avoid stealthy DDoS attacks on critical links [INFOCOM15-movenet],
  • Spatial-Temporal Random Mutation (STORM) for virtually mutating the IP address randomly based on the attacker’s location and time to deceive APT (or stepping stone) attackers during propagation [MTD14-storm],
  • MutableGrids for providing the following two agility capabilities in smart grid: (a) EMS agility that frequently randomizes the state estimation measurements, and the topology (e.g., line admittances) to minimize the potential bad data injection attacks [MTD14-sg], and (b) AMI agility that randomizes the smart meter configurations to change the communication pattern and pairing/association frequently and synchronously to maximize the detectability even with evasive worms or malicious actors [TISSEC15].
MTD Metrics In the above work, we developed metrics, an evaluation methodology and rigorous experimentation to measure the benefit-cost and evaluate the effectiveness of each MTD mechanism. For example, we showed analytically and experimentally that non-adaptive RHM can defeat intelligent cooperative scanning worms by decreasing the number of infected hosts to a maximum of 80%, and slowing down the propagation speed by at least 50% [SecureComm12, TIFS16-rhm]. In A-RHM, however, the infection ratio is less than 6% for all worms [INFOCOM15-arhm]. Prof. Al-Shaer has also proposed techniques for dynamic mutation of virtual networks, AMI configuration, state estimation sensor configuration and JavaScript in web servers to counter stealthy denial-of-service, worm propagation, bad data injection, and cross-site web injection attacks, respectively. Moreover, Prof. Al-Shaer has proposed and formulated a new concept, called agility-in-depth, for composing different MTD mechanisms to increase the defense benefit nonlinearly while the overall cost remains bounded [ARO15].
 
Active Cyber Deception Professor Al-Shaer has a solid contribution in the area of cyber deception. He proposed a new Attribution-Temptation-Engagement active cyber deception model that enables the deception infrastructure to be dynamically orchestrated to adapt to adversary intent and actions. He published several papers in this area in top-tier venues. For example, his system MoveNet [INFOCOM15-movenet] enables the migration of virtual networks (VNs) seamlessly and intelligently, in order to frequently change the physical network footprint of the VN and deceive reconnaissance and DDoS adversaries. Also, his FingerDeceiver establishes a game to learn from attackers and deplete their energy without jeopardizing the system integrity [CNS13-2]. Moreover, his HoneyBug system can dynamically enable new weaknesses in a shadow web service program to adapt to adversary intent and capability and learn their tactics. Prof. Al-Shaer hosted an ARO Workshop on Active Cyber Deception (HoneyThings) in January 2018 to explore the state-of-the-art challenges and the research directions in this area.