Sponsored by the National Science Foundation The Hive Mind: Applying a Security Sensor Network to GENI Spiral 2 Year-end Project Review University of California, Davis PI: Sean Peisert Co-PIs: Carrie Gates (CA Labs), Deb Frincke (Battelle) Senior Personnel: Matt Bishop (UC Davis), Glenn Fink (Battelle), Errin Fulp (Wake Forest) Students: Michael Crouse (Wake Forest), Steven Templeton (UCD) 8/27/2010
Sponsored by the National Science Foundation 2 Project Summary Primary Goal: Define and prototype a security layer underlying GENI to allow providers to defend against attacks and misuse. Investigate GENI reporting requirements to provide support for networking and security experiments. Use collaborative, decentralized, security algorithm known as a “swarm” model to communicate between sensors, simulating the function of an ant hive. The result of this will enable GENI to support experiments where there is communication between internal nodes (sensors or routers). –For networking, experiments can test if usage can be improved by communicating of capacity and usage information between routers. –For security, experiments can test the tradeoffs among approaches to exchanging security information between sensors, and where that information might affect firewall or IDS rules. August 27, 2010
Sponsored by the National Science Foundation 3 Milestone & QSR Status IDMilestoneStatusOn Time? On Wiki? GPO signoff? S2. a Selection of control framework for initial development of Hive Mind security software. ProtoGENI selected.On timeNo? S2. b Report describing design specification for security framework In progress On schedule Non/a S2. c Very early prototype of monitoring software and distributed sensors. In progress On schedule Non/a August 27, 2010
Sponsored by the National Science Foundation 4 Accomplishments 1: Advancing GENI Spiral 2 Goals Continuous Experimentation: The early Hive Mind prototypes are not ready for consumption by other developers, but later prototypes are planned to be robust enough to be usable by other GENI developers and users. Integration: For GENI security to be effective, it is essential that security, including the Hive Mind, become a core part of the GENI infrastructure and architecture. We will be talking with ProtoGENI and DETER administrators to tightly integrate the Hive Mind. Instrumentation and Measurement: The Hive Mind project captures information that is of particular relevance to other security projects, but also has relevance to networking projects running on GENI to monitor, test, and improve network efficiency. Interoperability: ProtoGENI has been selected as the initial target control framework for the Hive Mind, and will likely make use of certain features of DETER, as well. We hope for a limited deployment on PlanetLab in Year 3. Identity management: The Hive Mind project will not manage user credentials, but it can be configured to monitor per-user usage patterns and, thus, validate if a user is behaving similarly to how they usually behave, or very differently. Thus, this approach can augment ordinary authentication. August 27, 2010
Sponsored by the National Science Foundation 5 Accomplishments 2: Other Project Accomplishments Have early prototypes of Java-based implementations of some agents and sergeants. Investigating whether some or all of these can/should be moved to faster implementations. Running experiments to compare efficacy and latency to regular IDSs. August 27, 2010
Sponsored by the National Science Foundation 6 Issues There is some question as to how close to the “bare metal” we will be able to get on ProtoGENI and DETER. The closer we get, the better the assurance against compromise. Hardware assurance is optimal, but even aside from that, we may wish to get beneath the VM layer to the control layer provided by the testbed. (Note: hardware integration is one of the expectations behind Intel’s recent acquisition of McAfee.) August 27, 2010
Sponsored by the National Science Foundation 7 Plans Plans for the remainder of Spiral 2: –Develop prototypes of monitoring software and distributed sensors –Develop demonstrations for GECs –Develop experimental methodologies and conduct experiments –Investigate the possibility of expanding to PlanetLab –Analyze variations of effectiveness for sensors on varying architectures and topologies The GPO is starting to formulate goals for Spiral 3. What are your thoughts regarding potential Spiral 3 work? –I would like to see some integration and interaction with other testbeds, including DARPA’s National Cyber Range (NCR), DOE’s National SCADA Testbed (NSTB), and Sandia’s NNSA/ASC testbed. I realize that at least two of these testbeds involve large classified components, but I think researchers working with GENI would like to see broader use of their own work, and I think SCADA & NNSA researchers could benefit from work done on GENI. There should be a way of describing needs, tossing tools “over the fence,” and iterating with “cleared” personnel to obtain useful results. –I’d like to see more complete integration of the available testbeds (ProtoGENI, PlanetLab, DETER, etc…) to obtain the best of all worlds (e.g., real traffic from PlanetLab, containment from DETER, etc..) August 27, 2010