InfoBeyond

InfoBeyond Technology is an innovative company specializing in AI, Computer Vision, Communications, and Cybersecurity within the Information Technology industry.

Contact Info

320 Whittington PKWY, STE 303
Louisville, KY, USA 40222-4917
(502) 919 7050


Our Strength

Cybersecurity

InfoBeyond has conducted extensive research on network security, data security, multi-level security, authentication, assurance, security trustworthiness, distributed keying algorithms, covert channels, and cross-domain security.

Our Solutions (1/5)

Data-At-Rest and On-The-Fly Security

Real-Time and Continuous Monitoring of HPC Cybersecurity Using Bayesian Attack Graph

High-Performance Computing (HPC) security faces the practical challenge of continuously monitoring cybersecurity status. It is essential to develop software tools that enable continuous, real-time monitoring of the system's security status so that the effectiveness of current security controls can be evaluated. InfoBeyond advocates the R&D of HPC2M technology. Specifically, HPC2M is a scalable HPC Continuous Monitoring for Real-time Risk Assessment Using Distributed Bayesian Attack Graph to address the technical challenges of continuous monitoring of large-scale HPC networks for cybersecurity.

  • By using a Bayesian attack graph (BAG), the HPC2M system is designed as software to perform collection, aggregation, analysis, and presentation of security-related data of the large-scale HPC network for real-time risk assessment in a distributed manner. In other words, this tool enables automatic data collection and analysis to achieve real-time security risk assessments and effective evaluation of current security controls in a large-scale HPC system.
  • Security risk metrics are calculated based on the Bayesian attack graph, then visualized to enable in-depth awareness of the cybersecurity situation of the entire HPC system. This offers the capability to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions in the HPC network.

HPC2M enables information security professionals and others to see a continuous stream of near real-time snapshots of the state of risk to their security, data, and network. In an HPC network, HPC2M can be deployed in a distributed way and can be easily scaled up to accommodate a large-scale HPC network in a cost-effective way. By leveraging automated data feeds and analysis, it reduces the manpower required for collection and analysis of security-related information for risk assessment.

Our Solutions (2/5)

Secure Efficient Cross-Domain Data Sharing

Cybersecurity Secure Efficient Cross-domain Protocols

Coordinating and sharing information across multi-level security (MLS) networks is of great interest in many military applications. However, it is very challenging to accomplish those goals due to the heterogeneous security classifications of different network domains. The recently proposed cross-domain solutions (CDS) provide initial steps to make such applications possible. However, there are still several issues in the existing solutions, and some of them are:

  • inefficient authentication;
  • privacy leakage;
  • unlimited capacity covert channel.

InfoBeyond advocates Efficient, Secure, and Covert Channel Capacity Bounded (ESC3B) algorithms for the MLS cross-domain environments to address these challenges. First, ESC3B provides an efficient and secure fine-grained authentication scheme which requires each user to store only one key. The key can be used to authenticate to several services across the networks. Second, an anonymous authentication protocol is provided to the users for the service request. The service provider or other third parties cannot infer the user identity and other privacy information. Finally, ESC3B enables reliable communication between network domains by providing a feedback channel. The capacity of potential covert channels created by the feedback channel is upper bounded by an arbitrarily small value determined by the network designer.

Our Solutions (3/5)

Automatic Mobile Authentication and Access Control

Transparent Combat Identification, Authentication, Access Control with Multilevel Security Capabilities

A Battlefield Air Operations (BAO) kit is a ruggedized, wearable command and control system for enhancing airman ground and air tactical capabilities. However, the current BAO kit utilizes local password-based authentication (e.g., an airman types a password to yield a match against a local copy), which has security problems such as brute-forcing, keyloggers, and hashing attacks. Meanwhile, the BAO kit should be simple and time-effective to operate, with minimal manual complexity (e.g., login, request a service).

TIAC (Transparent Combat Identification, Authentication, and Access Control with Multilevel Security (MLS) Capabilities) is a technology for BAO kit mobile authentication and secure services. It provides new operational and security capabilities for the BAO kit:

  • Continuous authentication that uses opportunistic biometrics to prevent an active BAO kit from being hijacked or otherwise compromised
  • BAO kit service integrity that validates whether authorized services are correctly presented to the intended airman without data tampering
  • MLS hierarchical keys to effectively reduce the heavy burden of BAO and airman key management
  • MLS access control (ABAC, RBAC, PBAC) that effectively interoperates with the BAO kit J-message of service requests with XACML policies

TIAC allows a BAO kit to continuously request Combat Identification or other tactical services. It not only provides BAO kit authentication and security, but also minimizes the operational burden of the airman such that he/she can focus on the mission operations. For example, the continuous and opportunistic BAO kit and airman authentication during a session is conducted in a transparent way without needing conscious engagement from the airman. This is different from the current approach that is a session-based authorization of services to minimize the airman operations for quick and reliable MLS services.

Our Solutions (4/5)

Access Control Policy and Validation

Access Control Policy Tool

Access Control (AC) determines the permission of a request in an attempt to access certain resources in a software system. It has been widely used for financial, security, privacy, safety, defense, and many other applications. However, there is no commercial-ready tool to conveniently and thoroughly compose, test, and verify the policies against potential vulnerabilities. In this project, InfoBeyond advocates the development of a user-friendly, efficient, reliable, and generic Access Control Policy modeling, verification, and Testing (ACPT) Tool. Our ACPT enhances NIST's ACPT design and adds several advanced features for achieving high-security confidence AC levels such that it can be commercialized. It provides user-friendly GUI templates for users to compose attributes, enables property tests by a model checker, performs combinatorial tests, and generates XACML policies. It specifically improves NIST's ACPT design to provide a robust, unified, and generic model checker in an ABAC (Attribute-based Access Control) framework. Our ACPT will be developed as a standalone software package and web-based services. The standalone software package can be run on a private server for government and enterprise customers. The web service design facilitates the ACPT webification and evolution in a distributed computing environment for a large number of customers.


Our Solutions (5/5)

Assured Information Sharing in Clouds

Automated Cloud Network Reconfiguration for Moving Target Defense of Mission Assets

Nowadays, attackers are well resourced to perform multistage attacks against a target. To defend against these attacks, it is desirable to react to an ongoing cyber-attack in a Moving Target Defense paradigm that automatically reconfigures the protected, complex, multi-tiered applications of mission assets, which can make the protected assets' attack surface rapidly unrecognizable.

InfoBeyond conducts research to develop a tool for Automated Cloud Network Reconfiguration for Moving Target Defense of Mission Assets that systematically assesses cloud risks and automatically reconfigures the cloud network in a real-time and dynamic fashion. For this purpose, the tool leverages OpenFlow SDN programming APIs to perform automated network reconfiguration over distributed programmable software switches to protect the mission assets residing in the cloud. It provides algorithms to automatically perform dynamic reconfiguration on the mission assets to defend against the ongoing attack:

  • Automated trigger mechanism for invoking the dynamic reconfiguration
  • Automated and rapid reconfiguration selection mechanism for finding the optimal action in response to different ongoing attacks
  • Effective and rapid reconfiguration algorithms based on cloud porting and address changing that allow mission operation to run seamlessly in the new configuration
  • Design compatible with FISMA, NIST, and NVD standards in the workflow and deployment of the DoD approved cloud

None of these technical features is provided by current approaches. In addition, we showcase the applicability in DoD N-tier applications, such as the Mission Planning System, to illustrate the system workflow and deployment under the dynamic reconfiguration environment of the DoD approved cloud.

Assured Information Sharing in Clouds

Numerous military databases, documentation, and mission-critical information systems are being migrated to the cloud due to its cost-efficiency and access flexibility. However, the cloud servers are generally untrusted by both data owners and users. InfoBeyond advocates A3IS (Attribute-based Algorithms for Assured Information Sharing) for dynamic and secure data storage, query, and access in a policy-based manner. Basically, A3IS transfers all DoD policies into corresponding attributes in order to validate whether the security policy is enforced for any data manipulation. All the data are encrypted on the cloud servers. The confidentiality and privacy of the owner are protected. On the other hand, only a user satisfying the predefined policies can fetch and decrypt the data with the corresponding keys. For flexible data access, A3IS has a secure fuzzy searching algorithm for users to search for data of interest within the encrypted data in the cloud. The cloud server is unable to access the decrypted data or infer any additional information. Furthermore, A3IS achieves fine-grained and flexible access control on the data, providing authentication, authorization, and key distribution for data owners and users.