- Data-at-rest and on-the-fly Security
- Secure Efficient Cross-domain Data Sharing
- Automatic Mobile Authentication & Access Control
- Access Control Policy and Validation
- Assured Information Sharing in Clouds
Cybersecurity Secure Efficient Cross-domain Protocols
Coordinating and sharing information across multi-level security (MLS) networks are of great interest in many military applications. However, it is very challenging to accomplish those goals due to the heterogeneous security classifications of different network domains. The recent proposed cross-domain solutions (CDS) provide initial steps to make such applications possible. However, there are still several issues in the existing solutions, and some of them are:
- inefficient authentication;
- privacy leakage;
- unlimited capacity covert channel.
InfoBeyond advocates an Efficient, Secure, and Covert Channel Capacity Bounded (ESC3B) algorithms for the MLS cross-domain environments to address these challenges. First, ESC3B provides an efficient and secure fine-grained authentication scheme which requires each user to store only one key. The key can be used to authenticate several services across the networks. Secondly, an anonymous authentication protocol is provided to the users for the service request. The service provider or other third parties cannot infer the user identity and other privacy information. Finally, ESC3B enables reliable communication between network domains by providing a feedback channel. The capacity of potential covert channels created by the feedback channel is upper bounded by an arbitrary small value determined by the network designer.
Assured Information Sharing in Clouds
Numerous military database, documentation, and mission-critical information systems are migrated to the clouds, due to cloud cost-efficiency and accessing flexibility. However, the cloud servers are generally untrusted either for data owners or users. InfoBeyond advocates A3IS (Attribute-based Algorithms for Assured Information Sharing) for dynamically and securely data storage, query, and access in a policy-based manner. Basically, A3IS transfers all DoD policies into the corresponding attributes in such a way to validate whether the security policy is enforced for any data manipulation. All the data are encrypted on the cloud servers. The confidentiality and privacy of the owner are protected. On the other hands, only the user satisfying the predefined policies can fetch and decrypt the data with the corresponding keys. For flexible data access, A3IS has a secure fuzzy searching algorithm for users to search the data of his interest from the encrypted data in the cloud. The cloud server is unable to access the decrypted data or infer any additional information. Furthermore, A3IS achieves a fine-granted and flexible access control on the data, having the functions of authentication, authorization, and key distribution for of data owner and users.
Access Control Policy Tool
Access Control (AC) determines the permission of a request in an attempt to access certain resources in a software system. It has been greatly used for financial, security, privacy, safety, defense, and many other applications. However, there is no commercial‐ready tool to conveniently and thoroughly compose, test, and verify the policies against potential vulnerabilities. In this project, InfoBeyond advocates the development of a user‐friendly, efficient, reliable, and generic Access Control Policy modeling, verification, and Testing (ACPT) Tool. Our ACPT enhances the NIST’s ACPT design and add several advanced features for achieving high-security confidence AC levels such that it can be commercialized. It provides user‐friendly GUI templates for user to compose attributes, enables property tests by a model checker, performs combinatorial tests, and generate XACMAL policies. It specifically improves the NIST’s ACPT design to provide a robust, unified, and generic model checker in an ABAC (Attributed‐based Access Control) framework. Our ACPT will be developed as a standalone software package and web‐based services. The standalone software package can be run in a private server for government and enterprise customers. The web service design facilitates the ACPT webification and evolution in a distributed computing environment for a large number of customers.
Real-time and Continuously Monitoring of the HPC Cybersecurity using Bayesian Attack Graph
High-Performance Computing (HPC) security has the practical challenge to continuously monitor cybersecurity status. It is essential to develop software tools that enable continuous monitoring of the security status of the system in real-time so that the effectiveness of current security control can be evaluated. InfoBeyond advocates the R&D of HPC2M technology. Specifically, HPC2M is a scalable HPC Continuous Monitoring for Real-time Risk Assessment Using Distributed Bayesian Attack Graph to address the technical challenges of continuous monitoring of large-scale HPC networks for cybersecurity.
- By using Bayesian attack graph (BAG), the HPC2M system is designed as software to perform collection, aggregation, analysis, and presentation of security-related data of the large-scale HPC network for real-time risk assessment in a distributed manner. In other words, this tool enables automatic data collection and analysis to achieve real-time security risk assessments and effective evaluation of current security controls in a large-scale HPC system.
- Security risk metrics are calculated based on the Bayesian attack graph, then visualized to enable in-depth awareness of cybersecurity situation of the entire HPC system. This offers the capability to maintain the ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions in the HPC network.
HPC2M enables information security professionals and others to see a continuous stream of near real-time snapshots of the state of risk to their security, data, and network. In an HPC network, HPC2M can be deployed in a distributed way and can be easily scaled up to accommodate large-scale HPC network in a cost-effective way. By leveraging the automated data feeds and analysis, it reduces the manpower required for collection and analysis of security-related information for risk assessment.
InfoBeyond conducted many research on network security, data security, multi-level security, authentication, assurance, security trustworthiness, distributed keying algorithms, covert channel, and cross-domain security.