In my research on various security topics I kept running across the work of Professor Al-Shaer, whether I was investigating SDN and security, security automation and orchestration, network resiliency, IoT security, autonomous security, and much more. So I was delighted to meet him in person when we both attended the same conference this fall. His significant body of work and expansive knowledge have helped shape some of my thoughts when it comes to the future of security automation solutions, and so I was particularly interested to learn about the latest research efforts he has underway. I was not disappointed. Learn more about autonomous cyber defenses and the research efforts of the Cyber Defense and Network Assurability Center (CyberDNA) that is led by Professor Al-Shaer in the interview with ActiveCyber below.

Spotlight on Professor Ehab Al-Shaer

» Title: Professor and Director of Cyber Defense and Network Assurability Center (CyberDNA)
» Email:
» Website
» Linkedin

Read his bio below.

December 21, 2017

Chris Daly, ActiveCyber: What are academia and research doing in the area of Security Automation and Orchestration / Configuration Management (SA&O/CM)? What are some key challenges they are tackling? What is lacking in your view in the push to security automation? What is needed that will help accelerate acceptance and adoption by users?

Professor Al-Shaer, Director of Cyber Defense and Network Assurability (CyberDNA) Research Center, UNC Charlotte: First, the state of the art of the industry so far provides short-term cybersecurity automation and orchestration solutions by allowing users for manually composing known procedures/tools/techniques in order to respond to known threat actions. I call this the “stitching” approach. The academic research community tries to look at long-term security automation challenges that enable creating and adapting new strategies automatically to counter novel attacks tactics and techniques proactively by dynamically analyzing the cyber threat intelligence, and reactively analyzing the cyber artifacts. This long-term approach includes automatic generation of course of actions of new defense strategies by utilizing or adaptation the existing cyber defense capabilities. I call this approach the “autonomous” cyber defense for auto-resiliency that enable cyber to intelligently observe, analyze, understand, react, and adapt at real-time and with a minimal human assistant. The autonomous approach makes defense automation as an inherent in-designed capability of cyber systems, rather added-on glued services.

Second, the current state of the art of security orchestration focuses solely on integrating of a wide range of defense technologies in the defense fabric, but no effort has been made to ensure that these different technologies will be integrated cohesively and operate consistently based on cyber mission. Considering a large number of various defense action that can be potentially executed simultaneously, security automation should provide safety guarantees by assuring the mission integrity will be preserved. Users’ confidence and adoption of cybersecurity automation are highly dependent on the ability of these systems to provide provable safety properties of cybersecurity automation.

ActiveCyber: One of your recent research efforts involves the development of an auto-resiliency policy language (CLIPS) for active cyber defense. What do you mean by “auto-resiliency?” Please describe the objectives of this project and some of the results you have obtained to date.

Professor Al-Shaer: Auto-resiliency is the ability to automatically creating new defense strategies to defend against novel attacks proactively and reactively by enabling the cyber to intelligently observe, analyze, understand, react, and adapt at real-time and with a minimal human assistant.

CLIPS is a novel approach to offer adaptive cyber defense policies that enable cyber to observe and analyze cyber events, and then investigate the cyber states, in order to dynamically understand the situation and respond to active attacks in the systems. As a result, CLIPS identifies in real-time the most appropriate defense strategies that are passed to ActiveSDN (integrated component with CLIPS) to translate this to the most appropriate tactics using OpenFlow configuration. A prototype of CLIPS and ActiveSDN was implemented and demonstrated against a large number of scenarios of Distributed Denial of Service (DDoS) attacks. CLIPS/ActiveSDN can automatically characterize the DDoS strategies and initiate the appropriate defense strategies which include traffic blocking, limiting, redirecting-for-inspection, splitting, rerouting, path mutation and service migration, and then translate these into configuration tactics that are provably correct and consistent with the mission requirements.

CLIPS can respond to aggressive as well as slow and low DDoS attacks that target critical resources in the network to cause link or server flooding. The deployment plan of CLIPS/ActiveSDN configuration tactics guarantees reachability, services continuity, and QoS requirements. This was in part implemented by APL engineers in the IACD/APL testbed. My group worked jointly with them to get the basic capability demonstrated.

ActiveCyber: Intel-informed courses of action are key methods of enabling active cyber defenses. What types of capabilities do you feel are essential to high-performing threat analytics and threat intelligence sharing platforms? What types of research have you conducted in this area?

Professor Al-Shaer: The Holy Grail is automating analysis and actuation of cyber threat intelligence (CTI) coming from unstructured text sources. First, the research tasks must include the extraction of the low-level threat actions and automatically inferring attack patterns from unstructured text of CTI sources such as reports, blogs, websites etc, and then create rich STIX report without the involvement of human. Second, automatically creation of the course of action mitigation based on CTI analytics is the next important research task in our agenda.

ActiveCyber: Idempotent configuration management tools would seem to be ideal choices for helping to enable proactive defenses. What is your view on the secure use of these tools, what types of research is being formed around the concepts embodied by these types of tools, and are there practical means to use them in establishing active cyber defenses?

Professor Al-Shaer: Idempotent configuration is an important property for safe configuration. However, cyber configuration operations are inherently non-idempotent. Tools like ConfigChecker and SDNChecker (implemented by our team) can help provide assurability by verifying cyber configuration operation in large-scale enterprises. The deployment of active cyber defense will significantly require the verifiability capability because it involves dynamic reconfiguration of network services.

ActiveCyber: Hierarchical or interacting orchestrators may create conflicts and inconsistencies among COAs. For example, there are temporal and spatial correlations of executing actions and other types of action conflicts. How does your research in auto-resiliency relate to this issue and what are you proposing as a solution?

Professor Al-Shaer: I talked about this issue before; this is exactly what CLIPS is for. CLIPS considers all logical relationships that might cause temporal, spatial or functional dependencies between the course of actions. CLIPS can automatically detect and resolves these conflicts in two steps:
– Static analysis: to detect and resolve any potential conflict or inconsistency due to the logical correlation between rules in the same or different orchestration engines. This is done offline to purify the orchestration policies.
– Dynamic analysis: to detect conflicts that can be verified during the static analysis because it is time-dependent.

ActiveCyber: How do you foresee security automation being applied to IoT? What are some key considerations in the application of security automation in these environments? Will sensors and analytics that produce physics-based IOCs mature to measurably improve anomaly detection and security protection of ICS / IoT environments? How will safety and security needs co-exist as part of the execution of COAs in the ICS and IoT environments?

Professor Al-Shaer: IoT and ICS will fundamentally benefit the most from the advances in cybersecurity automation, basically because such systems usually operate at real-time and human-in-the-loop defense will not be sufficient. A system of IoT systems is usually deployed in the same operational environment. Therefore, IoT systems might exhibit complex interdependencies due to spatial and functional correlation, which makes discovering the complete attack surface very hard or infeasible. Detection of bad actuation in an IoT system of systems will require automated real-time sense-making and decision-making across the entire set of interconnected systems. Otherwise, the response will be too late. Safety problems due to security vulnerabilities are the major concern in these systems (e.g., Autonomous Vehicles). Using the trust-but-verify paradigm in the security automation of IoT and ICS systems looks to be a very promising approach because it can provide semi-automated solutions that will involve human in the decision-loop to achieve both security and safety.

BTW, we are developing an extension of CLIPS and ActiveSDN for IoT. CLIPS can provide policies to detect and investigate suspicious activities in order to predict and prevent malicious actuation. ActiveSDN can orchestrate the communication and interaction between various components of IoT systems to maintain the system operation.

ActiveCyber: A couple of areas where there seems to be some confusion around the use and interoperation of orchestration and controllers are SDN and NFV. Describe your work in integrating SDN controllers, NFV orchestrators, and security orchestration.

Professor Al-Shaer: We have extensive experience in developing cyber defense applications on open source SDN controller such as OpenDaylight which one the most reliable commercial grade controller. OpenDaylight is a complex controller platform that requires extensive development experience to use. We developed an intelligent wrapper around OpenDaylight for cyber defense called ActiveSDN that enables users to develop their own active and adaptive defense strategies not only quickly but also correctly. ActiveSDN provides cyber defense APIs and primitives to allow users to integrate their cyber deterrence, deception, detection, and response with minimal effort.

ActiveSDN also uses constraint solver and optimization technologies to plan for re-configuration correctly and consistently. ActiveSDN can potentially support the use of NFV technology by providing automated planning of what, where, how and when NFV will be deployed.

ActiveCyber: Cars are becoming autonomous – when will we see autonomous SOCs? What about self-protecting endpoints?

Professor Al-Shaer: This is the main theme of my previous discussion on “autonomous” cyber defense. We have recently conducted research studies on biological systems to build inherently resilient and immune cyber systems. I guess it will be a long way to go before we see a “real” deployment but the key is to integrate security/safety assurance as well as resilience as core capabilities in the design of cyber system capabilities.

Unfortunately, it seems that the interest of cyber automation has been growing tremendously in the past few years. In order to gain an advanced front in Cyberwarfare, I strongly believe that we will have to soon realize that we will have no option except to employing autonomous cyber defense (auto-resiliency) , while carefully managing the induced risk.

ActiveCyber: The use of AI and ML in security automation seems to be growing. Do you believe that decision-making and sense-making aspects of security automation are best served through semantic technologies and AI approaches or via machine learning or a combination of both? What are the differences and what are the advantages of each approach (AI vs ML/DL)?

Professor Al-Shaer: Both AI and ML are needed. In fact, they can be integrated very well to complete and complement each other. ML provides powerful predictive power but with the high false positive rate of ML, the practical use becomes limited. The AI techniques (e.g., using reasoning and intelligent planning) can be used to address this limitation by minimizing false positives and minimizing adversary evasion while leveraging the ML prediction using correct-by-construction reasoning and planning. AI and ML techniques are sometimes misused in cybersecurity by not selecting the appropriate technique for the desired goal. And many often neglect the power of integrating both.

Thank you Professor Al-Shaer for sharing your wealth of knowledge and your on-going research efforts. As an advocate for security automation, I look forward to the day when our cyber defenses are integrated, resilient, and predictive – even autonomous – like our own body’s immune systems. I am sure that all of your students and stakeholders of your research as well as the community at large will benefit tremendously from your research efforts.

And thanks for checking out! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, securing the Internet of Things, or other security topics. Also, email if you’re interested in interviewing or advertising with us at ActiveCyber.

About Professor Ehab Al-Shaer

Ehab Al-Shaer is a Professor in Computer Science, the director of the Cyber Defense and Network Assurability (CyberDNA) Center, and the director of NSF IUCRC Center on Security Configuration Analytics and Automation in UNC Charlotte. His area of research expertise includes security analytics and automation, auto-resiliency, configuration verification and hardening for enterprise and cloud computing, cyber agility & moving target defense, security & resiliency of smart grid and IoT systems, security & resiliency metrics, and next-generation intrusion detection. Dr. Al-Shaer has edited/co-edited more than 9 books, and published about 190 refereed journals and conferences papers in his area. He was designated as a Subject Matter Expert (SME) in the area of security analytics and automation in DoD Information Assurance Newsletter published in 2011. He received the IBM Faculty Award in 2012. He was the General Chair of ACM Computer and Communication in 2009 and 2010 and NSF Workshop in Assurable and Usable Security Configuration in 2008. Dr. Al-Shaer was also the PC chair for many other conferences and workshops including ACM/IEEE SafeConfig 2009 and 2013, IEEE Integrated Management 2007, IEEE POLICY 2008, and others. Since he joined UNC Charlotte in 2009, Dr. Al-Shaer has received a total research funding of more than $8M from various government and industry sources including NSF, NSA, AFRL, ARO, Duke Energy, IBM, Bank of America, Wells Fargo, BB&T, RTI, DTCC and others.