Visible to the public Lablet Research: Resilient Architecture

SoS Newsletter- Advanced Book Block

SoS Logo

Lablet Research

Resilient Architecture

EXECUTIVE SUMMARY:  Over the past year the, NSA Science of Security Lablets engaged in NSA-approved research projects addressing the hard problem of Resilient Architectures.  All but one of the eleven research projects done against this hard problem addressed other hard problems as well.  CMU collaborated with Cornell, NCSU collaborated with UNCC and UVA, and UIUC collaborated with Illinois Institute of Technology. The projects are in various stages of maturity, and several have led to publications and/or conference presentations.  Summaries of the projects, highlights and publications are presented below.

1. Geo-Temporal Characterization of Security Threats (CMU)

SUMMARY:  Addresses the hard problems of Policy-Governed Secure Collaboration and Resilient Architectures; provides an empirical basis for assessment and validation of security models; provides a global model of flow of threats and associated information.


  • Technical Report submitted
  • Identified central core network
  • Identified key actors attacking country of interest and being attacked by country of interest by type of attack
  • Technical Report: Ghita Mezzour, L. Richard Carley, Kathleen M. Carley, 2014, Global Mapping of Cyber Attacks, School of Computer Science, Institute for Software Research, Technical Report CMU-ISR-14-111

2. Multi-Modal Run-time Security Analysis (CMU)

SUMMARY:  Hard Problems Addressed:

  • Composability through multiple semantic models (here, architectural, organizational, and behavioral), which provide separation of concerns, while supporting synergistic benefits through integrated analyses.
  • Scalability to large complex distributed systems using architectural models.
  • Resilient architectures through the use of adaptive models that can be used at run-time to predict, detect and repair security attacks.
  • Predictive security metrics by adapting social network-based metrics to the problem of architecture-level anomaly detection.


  • Participated in poster session of the quarterly Lablet meeting July 1st, 2014

3. Security Reasoning for Distributed Systems with Uncertainty (CMU/Cornell Collaborative Proposal)

SUMMARY: Addresses the hard problems of scalability and composability and resilient architecture.  We are interested in answering the question "Is my system sufficiently robust to both stochastic failures and deliberate attack"? Our methods will be helpful in designing and analyzing security polices for complicated systems.


  • Studied approximation procedures and error bounds for a class of linear complementarity problems (LCPs). Complementarity problems unify problems from many different domains including convex optimization, machine learning, game theory, and planning.
  • LCPs can find Nash equilibria in sequential and simultaneous two-player games with multiple rounds of interaction and uncertainty. LCPs can also find optimal policies of MDPs (Markov Decision Processes).  Our new approximation techniques and bounds are based on learning theory such as Rademacher complexity and Fourier basis representations.
  • Khalil Ghorbal, Jean-Baptiste Jeannin, Erik W. Zawadzki, Andre Platzer, Geoffrey J. Gordon, and Peter Capell. Hybrid theorem proving of aerospace systems: Applications and challenges. Journal of Aerospace Information Systems. 2014. This paper addresses the formal verification of an aerospace controller set in a noisy environment. While this domain does not involve security, this paper also involves trying to certify probabilistic behavior in complicated learned system. Many of the same techniques are applicable.

4.  Attack Surface and Defense-in-Depth Metrics (NCSU)

SUMMARY:  Hard Problems Addressed:   

  • Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface.
  • Scalability & Composability - The project delves uses call graph data beyond the attack surface to determine the risk of a given entry point.
  • Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system


  • We are in process of implementing and experimenting with new, actionable metrics for attack surfaces. Our focus is on metrics that are easy to interpret for developers, easy to track over time, and with the ability to drill down to a change in source code and all the way up to the status of an entire project. We have designed these metrics. They are in the process of implementation, and new empirical results on their effectiveness are expected in the coming months
  • We are investigating a technique to identify those areas believed to be most susceptible areas of the attack surface through the analysis of crash dumps. The goal of this research is to aid developers in narrowing the set of potentially vulnerable code artifacts by mining stack traces and building a set of these artifacts for targeted security activities.  They are in the process of implementation, and new empirical results on their effectiveness are expected in the coming months.

5. Resilience Requirements, Design and Testing (NCSU, UNCC, UVA)

SUMMARY: Characterization of attack-resiliency of software needs to be done from its very inception because without such characterization attack resiliency is not properly testable or implementable. Resilient Architectures - vulnerability avoidance, evaluation and tolerance strategies and architectures. Security Metrics and Models - development of metrics and models for static and dynamic assessment of resilience of software.


  • Taxonomy of formal definitions and  metrics related to attack resilience
  • New metric: We define attack resiliency as the ability of the system to maintain a sublinear growth in damage with the increasing attack resources/scale. The attack scale is measure of the magnitude of various attributes of the attack including the attack probability, intensity, extent, distribution, severity, diversity (different types), etc. The potential damage (or risk) is estimated based on (1) the likelihood of successful attack, and (2) the attack impact on the system mission or requirements such as confidentiality, integrity and availability.
  • Shweta Subramani, "A Study of Fedora Security Profile," M.S., NC State University, July 2014

 6. Smart Isolation in Large-Scale Production Computing Infrastructures (NCSU)

SUMMARY: Resilient Architectures - Our current focus is the creation and validation of a taxonomy to study of existing isolation techniques, through which we will identify underlying principles that will lead to the design of next generation smart isolation techniques to support resilient architectures.


  • We have gone through more than 60 papers to understand the existing isolation techniques. We classify those techniques into different categories to create a taxonomy of existing isolation techniques. 
  • The created taxonomy allows us to understand the limitation of existing isolation techniques. 

7. Systematization of Knowledge from Intrusion Detection Models (NCSU)

SUMMARY: Security Metrics and Models - The project aims to establish common criteria for evaluating and systematizing knowledge contributed by research on intrusion detection models. Resilient Architectures - Robust intrusion detection models serve to make large systems more resilient to attack. Scalability and Composability - Intrusion detection models deal with large data sets every day, so scale is always a significant concern. Humans - A key aspect of intrusion detection is interpreting the output and acting upon it, which inherently involves humans. Furthermore, intrusion detection models are ultimately simulations of human behavior.


  • We have collected and have begun analysis on nearly 300 technical papers on intrusion detection. We are in the process of classifying major quantitative metrics used in existing intrusion detection models and systems. We are also refining our research questions to explore how researchers currently evaluate their intrusion detection models.

8. Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems (NCSU)

SUMMARY:  Hard Problems Addressed:

  • Policy-Governed Secure Collaboration: Norms provide a standard of correctness for collaborative behavior, with respect to which policies of the participants can be evaluated individually or in groups.
  • Resilient Architectures: The study of robustness and resilience of systems modeled in terms of norms would provide a basis for understanding resilient social architectures.


  • We have developed prototype multiagent systems of simple structure on which to build more complex simulations of norms and policies on system properties.
  • We have developed a simplified model for an academic security setting that identifies the main stakeholders, norms that promote security, internal policies by which parties may autonomously decide to comply with (or not) different norms. We have realized this model in our multiagent simulation framework and are using the model not only to refine our understanding of the robustness, liveness, and resilience of norms as they pertain to security but also as a basis for understanding the requirements on a sufficiently expressive simulation framework.

9. Vulnerability and Resilience Prediction Models (NCSU)

SUMMARY: Hard Problems Addressed:

  • Security Metrics and Model
  • Resilient Architectures
  • Scalability and Composability
  • Resilience of software to attacks is an open problem. Resilience depends on the science behind the approach used, as well as our engineering abilities. The scope of interests includes recognition of attacks through metrics and models we use to describe and recognize software vulnerabilities, and predict resilience to attacks in the field (Security Metrics and Models). It also depends on the software (and system) architecture(s) used (Resilient Architectures), and their scalability (Scalability and Composability). For example, if one has a number of highly attack-resilient components and appropriate attack sensors, is it possible to compose a resilient system from these parts, and how does that solution scale and age?


  • A model of cyber-attack process
  • A survey of SaaS vulnerabilities and countermeasures
  • Rivers, Anthony T.; Vouk, Mladen A.; Williams, Laurie A., "On Coverage-Based Attack Profiles," Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, San Francisco, CA, pp 5-6.
  • Donghoon Kim and Mladen A. Vouk, "A survey of common security vulnerabilities and corresponding countermeasures for SaaS," IEEE Globecom 2014 Workshop on  Cloud Computing Systems, Networks, and Applications (CCSNA), 8-12 December 2014, Austin, Texas, USA, to appear in proceedings.
  • Roopak Venkatakrishnan,"Redundancy-Based Detection of Security Anomalies in Web-Server Environments," M.S., NC State University, 2014.

10. A Hypothesis-Testing Framework for Network Security (UIUC and Illinois Institute of Technology)

 SUMMARY:  Addresses four hard problems:

  • Scalability and Composability
  • Policy-Governed Secure Collaboration
  • Predictive Security Metrics
  • Resilient Architectures


  • A key part of our strategy is to test hypotheses within a model of a live network. We continued our work on the foundational rigorous network model along three dimensions: 1) network behavior under timing uncertainty, 2) modeling virtualized networks and 3) database model of network behavior.
  • Our workshop paper on modeling virtualized networks received the best paper award at HotSDN 2014.
  • Soudeh Ghorbani and Brighten Godfrey, "Towards Correct Network Virtualization", ACM Workshop on Hot Topics in Software Defined Networks (HotSDN), August 2014.
  • Dong Jin and Yi Ning, "Securing Industrial Control Systems with a Simulation-based Verification System", 2014 ACM SIGSIM Conference on Principles of Advanced Discrete Simulation, Denver, CO, May 2014 (Work-in-Progress Paper)

11.  Data-Driven Security Models and Analysis (UIUC)

SUMMARY: Hard Problems Addressed:

  • Predictive security metrics - design, development, and validation
  • Resilient architectures - in the end we want to use the metrics to achieve a measurable enhancement in system resiliency, i.e., the ability to withstand attacks
  • Human behavior - data contain traces of the steps the attacker took, and hence inherently include some aspects of the human behavior (of both users and miscreants)


This quarter we focused on broadening our knowledge-base on attacks. Because our investigation is based on data-driven methodologies to create models and metrics used for monitoring, with the goal of recognizing, mitigating, and containing attacks. 

  • Cuong Pham, Zachary Estrada, Phuong Cao, Zbigniew Kalbarczyk, and Ravishankar Iyer, "Building Reliable and Secure Virtual Machines using Architectural Invariants", IEEE Security and Privacy Magazine 2014 Vol. 12, Issue No. 5 Sept.-Oct. 2014.Paper addresses: Resilient architectures.
  • C. Pham, Z. Estrada, Z. Kalbarczyk, R. Iyer, "Reliability and Security Monitoring of Virtual Machines Using Hardware Architectural Invariants", 44th Int'l Conference on Dependable Systems and Networks, (DSN), Atlanta, GA, 2014, (William C. Carter Award for the Best Paper based on Ph.D. Work; and Best Paper Award voted by the conference participants).Paper addresses: Resilient architectures.
  • G. Wang, Z. Estrada, C. Pham, Z. Kalbarczyk, R. Iyer, "Hypervisor Introspection: Exploiting Timing Side-Channels against VM Monitoring", 44th International Conference on Dependable Systems and Networks (DSN), Fast Abstract, Atlanta, GA, 2014.Paper addresses: Resilient architectures and attack knowledge-base.


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.