Wednesday, April 28, 2021

Transition to practice success story: Pablo Moriano - technology readiness & understanding critical security issues in large-scale networked systems

Pablo Moriano is a research scientist in the Computer Science and Mathematics Division at Oak Ridge National Laboratory (ORNL). He received Ph.D. and M.S. degrees in Informatics from Indiana University (IU). Previously, he received M.S. and B.S. degrees in Electrical Engineering from Pontificia Universidad Javeriana in Colombia.

Moriano’s research lies at the intersection of data science, network science, and cybersecurity. In particular, he develops data-driven and analytical methods to discover and understand critical security issues in large-scale networked systems. He relies on this approach to design and develop innovative solutions to address these. Applications of his research range across multiple disciplines, including the detection of exceptional events in social media, internet route hijacking, and insider threat behavior in version control systems. His research has been published in Computer Networks, Scientific Reports, Computers & Security, Europhysics Letters, and the Journal of Statistical Mechanics: Theory and Experiments as well as the ACM CCS International Workshop on Managing Insider Security Threats.

In the past, he interned at Cisco with the Advanced Security Group. He is a member of IEEE, ACM, and SIAM and has received funding from Cisco Research.

Trusted CI sat down with Moriano to discuss his transition to practice journey, what he has learned, and his experience with the Technology Readiness Level Assessment tool.

Trusted CI: Tell us about your background and your broader research interests.

My background is in electrical engineering.

I was born and grew up in Colombia. I attended Pontificia Universidad Javeriana to pursue a degree in electrical engineering. I remember really enjoying the math-related and physics classes, which are the foundations of electrical engineering. I did pretty well on those topics.

In my engineering classes, at the end of the semester, we had the same kinds of final projects as in the US, called capstones. The idea of these projects was to integrate the learnings from different subjects to solve a real engineering challenge. In these types of activities, you usually measure the impact a technology has on solving a real problem.

In general, I enjoyed going beyond what I learned in classes. I participated in math-related contests, which allowed me to sharpen my analytical skills. By the end of my undergraduate studies, I had a professor who was always encouraging me to try research and go to grad school. I worked under his supervision to complete my undergraduate thesis. In my undergraduate thesis, I developed real-time control algorithms for a non-linear laboratory plant that used magnetic levitation. That was a starting point for being involved with research and pursuing opportunities in that direction later during grad school.

Currently at Oak Ridge National Laboratory (ORNL), I am a researcher in the computer science and mathematics division. I develop data-driven and analytical models for understanding and identifying anomalies in large-scale networked systems such as cyber-physical systems, communication systems, and socio-technological systems like social media.

This is broad, but common to these systems, also known as complex systems, is that they are made of a large number of elements and that these elements interact in non-linear ways, often producing collective behavior. This collective behavior cannot be explained by analyzing the aggregated behavior of the individual parts. For example, on the internet, a large number of independent and autonomous networks, also known as Autonomous Systems (ASes), such as internet service providers, corporations, and universities are constantly interacting with each other to share reachability information with respect to where to find destination IP addresses. To do so, ASes communicate using a protocol called Border Gateway Protocol (BGP). The details of the protocol and the interactions between ASes are complex and subject to engineering and economic constraints. However, their aggregated behavior allows users around the globe to navigate the web—and use many other services—by allowing them to find the resources they need every time they search online.

In these networked systems such as the internet, their emergent behavior may sometimes be anomalous or substantially different. This idea in the cybersecurity space is really important because it may be an indication of a problem or in the worst case scenario an indication of an upcoming attack. A similar approach as described in the case of the internet may be used to study other real-world networked systems.

Trusted CI: Tell us about your experience using the Technology Readiness Level (TRL) assessment.

When I was finishing my studies at IU, I had the chance to participate in a Trusted CI workshop in Chicago. At that time Florence [Hudson] was leading that effort.

In addition to getting to interact with other researchers, the intention of the workshop was to provide an opportunity to share the latest research efforts in the cybersecurity space. The emphasis was also to showcase previous academic research that was subsequently translated to practice, delivering a solution to a practical need. That event was very fruitful and allowed me to interact with other peers, have a fresh perspective into transition to practice, and grow my network.

Later, I was invited to participate in the [Trusted CI] cohort. The intention of the cohort is to bring together researchers interested in solving real-world problems in cybersecurity and help them do so. During the process, you get mentorship through the process of transition to practice. In addition, the experience allows you to foster interactions with external stakeholders to receive feedback and support during the process.

The cohort, under the leadership of Ryan [Kiser], has been developing different useful tools like the TRL assessment and canvas proposition.

The TRL assessment idea is not new. In fact, it came from NASA in the 70s. However, it has not been widely used as a resource for transition to practice by cybersecurity researchers. In particular, the TRL assessment provides a tool—similar to a decision tree—to help classify the level of maturity of a technology. Originally, it was conceived using a nine-level scale (from one to nine) with nine being the most mature technology. The TRL assessment is super helpful, for example, to identify the next steps in the transition to practice journey. The fundamental assumption of the tool is that by recognizing where you are at the moment, you will have a clearer picture on how to proceed next.

For instance, when searching for funding opportunities, having a clear picture of where you are (with respect to the maturation of the technology) will allow you to better target specific sources of funding, enabling next steps in the transition to practice journey. In my experience at ORNL, it is an important decision element when deciding which funding steps to pursue in the overall R&D pipeline across several federal agencies.

Trusted CI: Talk about your experience with the funding you were pursuing.

Here at ORNL, there are different opportunities for funding, including specific ones for transitioning to practice your research. One of the fundamental advantages of working in a national laboratory is that it is an environment that bridges academia and industry. In that sense, the work we do is mission-driven and has real-world impact—often with some component of transition to practice as a measure of impact. That means that both research and development are tied together and highly appreciated.

I have already applied to an internal funding opportunity for transition to practice. The main purpose of the solicitation was to look for technologies at a minimum of TRL 5 (requiring a working high-fidelity prototype which is beyond basic research) to support the necessary steps for technology maturation. The final goal was to help convert the prototype into an actual usable system that may open the door to commercialization opportunities.

By the time I applied, my technology was not at TRL 5 and of course that was the basis of the feedback that I received. I, however, enjoyed and learned during the process and realized that there are other solicitations that may be more adequate to help me increase the TRL of my technology (from proof-of-concept to prototype). Throughout the process, I had the chance to talk with practitioners out there and learn about the practical challenges they face with currently deployed systems. I also learned about other federal agencies such as DOE, DHS, and DARPA (and people there) looking for proposals with a focus on transition to practice. That was encouraging.

Trusted CI: Tell us more about your technology.

It's a technology that aims to detect and inform network operators in near real-time about routing incidents (of different severity) by leveraging update messages transmitted in BGP. The fundamental characteristic of the intended system is that it is somehow automatic (leveraging AI/ML methods), detects incidents as soon as possible (allowing quick turnaround), and is able to detect subtle attacks in which only a small fraction of IP prefixes are affected (usually the ones performed through man-in-the-middle).

Trusted CI: Describe where you’d say you are in your transition to practice.

Through the Trusted CI cohort, I had the opportunity to use that TRL tool to evaluate the current state of my technology. By using the tool and the decision criteria behind it, I am pretty confident that the technology at this stage is on what is called Level 3 or proof-of-concept.

The next step will be to mature the technology to build a high-fidelity working prototype that can be used to detect routing incidents using real-time data.

This particular BGP project came from my dissertation research. I recently published a paper about it. However, beyond this project, I see that tools like the TRL assessment are essential to guide my next steps. For that reason, this experience easily translates to other ongoing research projects that go through the whole R&D pipeline.

Trusted CI: Where do you see your research heading down the road?

I'm pursuing the idea of maturing the BGP technology. The problem of BGP incident detection has been in the community for many years. BGP anomaly detection is a difficult space with little room for improvement. For that reason, you need to be very precise about the added value the technology is offering. I also started new projects in the cybersecurity space where I see a clear path between research and development. Currently, these are in earlier stages but may benefit from early consideration through the use of tools like the TRL assessment and the Trusted CI cohort experience.


Monday, April 12, 2021

Trusted CI webinar: Arizona State's Science DMZ, Mon April 26th @11am Eastern

Members of Arizona State University are presenting on their Science DMZ on Monday April 26th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

Drawing upon its mission to enable access to discovery and scholarship, Arizona State University is deploying an advanced research network employing the Science DMZ architecture. While advancing knowledge of managing 21st-century cyberinfrastructure in a large public research university, this project also advances how network cyberinfrastructure supports research and education in science, engineering, and health.

Replacing existing edge network equipment and installing an optimized, tuned Data Transfer Node provides a friction-free wide area network path and streamlined research data movement. A strict router access control list and intrusion detection system provide security within the Science DMZ, and end-to-end network performance measurement via perfSONAR guards against issues such as packet loss.

Recognizing that the operation of the Science DMZ must not compromise the university’s network security profile, while at the same time avoiding the performance penalty associated with perimeter firewall devices, data access and transfer services will be protected by access control lists on the Science DMZ border router as well as host-level security measures. Additionally, the system architecture employs the anti-IP spoofing tool Spoofer, the Intrusion Detection System (IDS) Zeek, data-sharing honeypot tool STINGAR, traditional honeypot/darknet/tarpit tools, as well as other open-source software.

Finally, Science data flows are supported by a process incorporating user engagement, iterative technical improvements, training, documentation, and follow-up.

Speaker Bios:

Douglas Jennewein is Senior Director for Research Computing in the Research Technology Office at Arizona State University. He has supported computational and data-enabled science since 2003 when he built his first supercomputer from a collection of surplus-bound PCs. He currently architects, funds, and deploys research cyberinfrastructure including advanced networks, supercomputers, and big data archives. He has also served on the NSF XSEDE Campus Champions Leadership Team since 2016 and has chaired that group since 2020. Jennewein is a certified Software Carpentry instructor and has successfully directed cyberinfrastructure projects funded by the National Science Foundation, the National Institutes of Health, and the US Department of Agriculture totaling over $4M.

Chris Kurtz is the Senior Systems Architect for the Research Technology Office in the Office of Knowledge Enterprise at Arizona State University. Previously Chris was the Director of Public Cloud Engineering as well as the Splunk System Architect (and Evangelist) at ASU. He has been appointed as Splunk Trust Community MVP since its inception. Chris is a regular speaker on Splunk and Higher Education, including multiple presentations at Educause, Educause Security Professionals, and Splunk’s yearly “.conf" Conference. Prior to architecting Splunk, he was the Systems Manager of the Mars Space Flight Facility at ASU, a NASA/JPL funded research group, where he supported numerous Mars Missions including TES, THEMIS, and the Spirit and Opportunity Rovers. Chris lives in Mesa, Arizona along with his wife, rescue dogs, and cat.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."


Wednesday, April 7, 2021

Michigan State University Engages with Trusted CI to Raise Awareness of Cybersecurity Threats in the Research Community

Cybersecurity exploits are on the rise across university communities, consuming valuable resources and causing loss of productivity, research data, and personally identifiable information. A DXC report estimated that an average ransomware attack can take critical systems down for 16 days, and the overall worldwide cost of ransomware in 2020 was predicted to be $170 billion. Additional reputational impacts of cybersecurity attacks, although hard to measure, regularly weigh on the minds of scientists and researchers.

An event of this nature occurred at Michigan State University (MSU), which experienced a ransomware attack in May 2020. While many organizations attempt to keep the public from finding out about cyberattacks for fear of loss of reputation or follow-up attacks, MSU has decided to make elements of its attack public in the interests of transparency, to encourage disclosure of similar types of attacks, and perhaps more importantly, to educate the open-science community about the threat of ransomware and other destructive types of cyberattacks. The overarching goal is to raise awareness about rising cybersecurity threats to higher education in hopes of driving safe cyberinfrastructure practices across university communities. 

To achieve this, the CIO’s office at MSU has engaged with Trusted CI, the NSF Cybersecurity Center of Excellence, in a collaborative review and analysis of the ransomware attack suffered by MSU last year. The culmination of the engagement will be a report focusing on lessons learned during the analysis; these ‘Lessons Learned’ would then be disseminated to the research community. We expect the published report to be a clear guide for researchers and their colleagues who are security professionals to help identify, manage, and mitigate the risk of ransomware and other types of attacks.

Thursday, April 1, 2021

Trusted CI Engagement Application Deadline Extended

Extended until April 9, 2021

Apply for a one-on-one engagement with Trusted CI for early 2021

Trusted CI is accepting applications for one-on-one engagements to be executed in July-Dec 2021. Applications are due April 9, 2021

To learn more about the process and criteria, and to complete the application form, visit our site: 

http://trustedci.org/application


During Trusted CI’s first 5 years, we’ve conducted more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions. We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.

As the NSF Cybersecurity Center of Excellence, Trusted CI’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.