In my research on various security topics I kept running across the work of Professor Al-Shaer, whether I was investigating SDN and security, security automation and orchestration, network resiliency, IoT security, autonomous security, and much more. So I was delighted to meet him in person when we both attended the same conference this fall. His significant body of work and expansive knowledge have helped shape some of my thoughts when it comes to the future of security automation solutions, and so I was particularly interested to learn about the latest research efforts he has underway. I was not disappointed. Learn more about autonomous cyber defenses and the research efforts of the Cyber Defense and Network Assurability Center (CyberDNA) that is led by Professor Al-Shaer in the interview with ActiveCyber below.

Spotlight on Professor Ehab Al-Shaer

» Title: Professor and Director of Cyber Defense and Network Assurability Center (CyberDNA)
» Email:
» Website
» Linkedin

Read his bio below.

December 21, 2017

Chris Daly, ActiveCyber: What are academia and research doing in the area of Security Automation and Orchestration / Configuration Management (SA&O/CM)? What are some key challenges they are tackling? What is lacking in your view in the push to security automation? What is needed that will help accelerate acceptance and adoption by users?

Professor Al-Shaer, Director of Cyber Defense and Network Assurability (CyberDNA) Research Center, UNC Charlotte: First, the state of the art of the industry so far provides short-term cybersecurity automation and orchestration solutions by allowing users for manually composing known procedures/tools/techniques in order to respond to known threat actions. I call this the “stitching” approach. The academic research community tries to look at long-term security automation challenges that enable creating and adapting new strategies automatically to counter novel attacks tactics and techniques proactively by dynamically analyzing the cyber threat intelligence, and reactively by analyzing the cyber artifacts. This long-term approach includes automatic generation of course of action of new defense strategies by utilizing or adaptation the existing cyber defense capabilities. I call this approach the “autonomous” cyber defense for auto-resiliency that enable cyber to intelligently observe, analyze, understand, react, and adapt at real-time and with a minimal human assistant. The autonomous approach makes defense automation as an inherent in-designed capability of cyber systems, rather an added-on glued services.

Second, the current state of the art of security orchestration focuses solely on including/integrating of a wide range of defense technologies in the defense fabric, but no effort has been made to ensure that these different technologies will be integrated cohesively and operate consistently based on cyber mission. Considering a large number of various defense action that can be potentially executed simultaneously, security automation should provide safety guarantees by assuring the mission integrity will be preserved. Users’ confidence and adoption of cybersecurity automation are highly dependent on the ability of these systems to provide provable safety properties of cybersecurity automation.

ActiveCyber: One of your recent research efforts involves the development of an auto-resiliency policy language (CLIPS) for active cyber defense. What do you mean by “auto-resiliency?” Please describe the objectives of this project and some of the results you have obtained to date.

Professor Al-Shaer: Auto-resiliency is the ability to automatically creating new defense strategies to defend against novel attacks proactively and reactively by enabling the cyber to intelligently observe, analyze, understand, react, and adapt at real-time and with a minimal human assistant.

CLIPS is a novel approach to offer adaptive cyber defense policies that enable cyber to observe and analyze cyber events, and then investigate the cyber states, in order to dynamically understand the situation and respond to active attacks in the systems. As a result, CLIPS identifies in real-time the most appropriate defense strategies that are passed to ActiveSDN (integrated component with CLIPS) to translate this to the most appropriate tactics using OpenFlow configuration. A prototype of CLIPS and ActiveSDN was implemented and demonstrated against a large number of scenarios of Distributed Denial of Service (DDoS) attacks. CLIPS/ActoveSDN can automatically characterize the DDoS strategies and initiate the appropriate defense strategies which include traffic blocking, limiting, redirecting-fir-inspection, splitting, rerouting, path mutation and service migration, and then translate these into configuration tactics that are provably correct and consistent with the mission requirements.

CLIPS can respond to aggressive as well as slow and low DDoS attacks that target to cause link or server flooding. The deployment plan of CLIPS/ActiveSDN configuration tactics guarantees reachability, services continuity, and QoS requirements.  This was in part implemented by APL engineers in the IACD/APL testbed. My group worked jointly with them to get the basic capability demonstrated.

ActiveCyber: Intel-informed courses of action are key methods of enabling active cyber defenses. What types of capabilities do you feel are essential to high-performing threat analytics and threat intelligence sharing platforms? What types of research have you conducted in this area?

Professor Al-Shaer: The Holy Grail is automating analysis and actuation of cyber threat intelligence (CTI) coming from unstructured text sources. First, the research tasks must include the extraction of the low-level threat actions and inferring attack patter automatically from unstructured text of CTI sources such as reports, blogs, websites etc, and then create rich STIX report without the involvement of human. Second, automatically create the course of action mitigation based on CTI analytics.

ActiveCyber: Idempotent configuration management tools would seem to be ideal choices for helping to enable proactive defenses. What is your view on the secure use of these tools, what types of research is being formed around the concepts embodied by these types of tools, and are there practical means to use them in establishing active cyber defenses?

Professor Al-Shaer: Idempotent configuration is an important property for safe configuration. However, cyber configurations are inherently non-idempotent in operation. Tools like ConfigChecker (implemented by our team) can help providing this verifiability feature to cyber configuration operation in large-scale enterprises. Active cyber defense is in a big need of this because it involves dynamic and active reconfiguration of the network.

ActiveCyber: Hierarchical or interacting orchestrators may create conflicts and inconsistencies among COAs. For example, there are temporal and spatial correlation of executing actions and other types of action conflicts. How does your research in auto-resiliency relate to this issue and what are you proposing as a solution?

Professor Al-Shaer: I talked about this issue before; this is exactly what CLIPS is for. CLIPs considers all logical relationships that might cause temporal, spatial of functional dependencies between a course of actions. CLIPS resolves these conflict on two levels:

– Static analysis: detect and resolve any potential conflict or inconsistency due to the logical correlation between rules in the same or different orchestration.  This is done offline to purify the orchestration policies.

– Dynamic analysis: for detecting conflicts that can be verified during the static analysis because it is time-dependent.

ActiveCyber: How do you foresee security automation being applied to IoT? What are some key considerations in the application of security automation in these environments? Will sensors and analytics that produce physics-based IOCs mature to measurably improve anomaly detection and security protection of ICS / IoT environments? How will safety and security needs co-exist as part of the execution of COAs in the ICS and IoT environments?

Professor Al-Shaer: IoT and ICS will fundamentally benefit the most from the advances in cybersecurity automation, simply because of these systems usually operation real-time environment and human in the loop defense will not useful. A system of IoT systems are usually deployed in the same operational environment. Therefore, IoT systems might exhibit complex interdependency due to spatial and function correlation, which makes discovering the complete attack surface infeasible. Detection bad actuation in an IoT system of systems will require automated real-time sense-making and decision-making across the entire system; otherwise, it will be too late to defend. Safety becomes more critical for these system. Using trust-but-verify paradigm in the security automation of IoT and ICS systems looks very effective because it provides a semi-automated approach that will involve human in the decision-loop without being a bottleneck to balance between security and safety.

BTW, we are developing an extension of CLIPS and ActiveSDN for IOT. CLIPS can provide policies to detect and investigate suspicious activities in order to predict and prevent malicious actuation. ActiveSDN can orchestrate the communication and interaction between various comments of IoT system to maintain the system operation.

ActiveCyber: A couple of areas where there seems to be some confusion around the use and interoperation of orchestration and controllers are SDN and NFV. Describe your work in integrating SDN controllers, NFV orchestrators, and security orchestration.

Professor Al-Shaer: We have extensive experience in developing cyber defense applications on SDN controller, specifically OpenDaylight, which one the most reliable commercial grade controller. OpenDaylight is a complex controller platform that requires extensive development experience to use. We developed an intelligent wrapper around OpenDaylight for cyber defense called ActiveSDN that enables users to develop their own active/adaptive defense not only quickly but also correctly. ActiveSDN provides cyber defense APIs and primitives to allow users to integrate their cyber deterrence, deception, detection, and response with minimal effort. ActiveSDN also uses constraint solver technology to plan for re-configuration correctly and consistently.  ActiveSDN supports the use of NFV technology by providing automated planning of what, where and when NFV will be deployed.

ActiveCyber: Cars are becoming autonomous – when will we see autonomous SOCs? What about self-protecting endpoints?

Professor Al-Shaer: This is the main theme of my previous discussion on “autonomous” cyber defense. We conduct more research in this area base on nature-inspired systems to build inherently resilient and immune cyber. I guess it is long way to go but the key is to consider safety assurance while we design the innovative defense capabilities

Unfortunately, it seems that cyber automation (awareness and adoption) is growing but slowing. I am a strong believer that we will soon realize that we will have no option except to adopt automated cyber defense (auto-resiliency) as a principal component in cyber, while accepting to manage its risk. Otherwise, the alternative is the risk of completely losing control of the cyber defense.

ActiveCyber: The use of AI and ML in security automation seems to be growing. Do you believe that decision-making and sense-making aspects of security automation are best served through semantic technologies and AI approaches or via machine learning or a combination of both? What are the differences and what are the advantages of each approach (AI vs ML/DL)?

Professor Al-Shaer: Both AI and ML are needed. In fact, the can be integrated very well to complete and complement each other. ML provides powerful predictive power but with the high false positive of ML the practical use become questionable. The AI techniques can be used to address this limitation by minimizing false positive and leveraging the ML prediction to develop correct-by-construction dense planning. AI and ML techniques are sometimes misused in cybersecurity by not selecting the appropriate technique for the desired goal. And many are often neglect the power of integrating both.

Thank you Professor Al-Shaer for sharing your wealth of knowledge and your on-going research efforts. As an advocate for security automation, I look forward to the day when our cyber defenses are integrated, resilient, and predictive – even autonomous – like our own body’s immune systems. I am sure that all of your students and stakeholders of your research as well as the community at large will benefit tremendously from your research efforts.

And thanks for checking out! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, securing the Internet of Things, or other security topics. Also, email if you’re interested in interviewing or advertising with us at ActiveCyber.

About Professor Ehab Al-Shaer

Ehab Al-Shaer is a Professor in Computer Science, the director of the Cyber Defense and Network Assurability (CyberDNA) Center, and the director of NSF IUCRC Center on Security Configuration Analytics and Automation in UNC Charlotte. His area of research expertise includes security analytics and automation, auto-resiliency, configuration verification and hardening for enterprise and cloud computing, cyber agility & moving target defense, security & resiliency of smart grid and IoT systems, security & resiliency metrics, and next-generation intrusion detection. Dr. Al-Shaer has edited/co-edited more than 9 books, and published about 190 refereed journals and conferences papers in his area. He was designated as a Subject Matter Expert (SME) in the area of security analytics and automation in DoD Information Assurance Newsletter published in 2011. He received the IBM Faculty Award in 2012. He was the General Chair of ACM Computer and Communication in 2009 and 2010 and NSF Workshop in Assurable and Usable Security Configuration in 2008. Dr. Al-Shaer was also the PC chair for many other conferences and workshops including ACM/IEEE SafeConfig 2009 and 2013, IEEE Integrated Management 2007, IEEE POLICY 2008, and others. Since he joined UNC Charlotte in 2009, Dr. Al-Shaer has received a total research funding of more than $8M from various government and industry sources including NSF, NSA, AFRL, ARO, Duke Energy, IBM, Bank of America, Wells Fargo, BB&T, RTI, DTCC and others.