GEC14 - GENI "Hive Mind" Report
===============================

Period: March 1, 2012 - July 1, 2013

I. Major accomplishments this period
-------------------------------------

### A. Milestones achieved this period

Hive: Year 3.b Security Experimentation & Hive Mind based monitoring. Due 3/16/12. - Completed.

Hive: Year S4.c Report on Experimentation and Hive Mind demo. Due 7/27/12. - Completed.

### B. Deliverables made this period

Hive: Year 3.b Security Experimentation & Hive Mind based monitoring. Due 3/16/12.

- Demonstrate how the Hive Mind based monitoring system can be used to collect information on an experiment's environment. (Completed)
- Plan for making information about the environment available to experimenters/others through a portal such as the one being developed by NICTA. (Completed)
- Organize and lead a workshop/session on security experiments in GENI. (Completed)

Hive: Year S4.c Report on Experimentation and Hive Mind demo. Due 7/27/12.

- Written report on Security Experimentation in GENI. (Completed)
- Demonstration of monitoring system being used to collect information about an experiment's environment and making this information available through the portal identified in Milestone b. (Completed)

II. Description of work performed during this period
----------------------------------------------------

### A. Activities and findings

We demonstrated our Hive Mind prototype at GEC14. Concurrently, we have also implemented a user portal for controlling, configuring and monitoring the Hive Mind system. Specifically, we have created a web-based interface to interact with these scripts and the logs that are output by the Hive Mind, which drive the monitoring dashboard. Additionally, we have created a framework to allow inclusion of arbitrary sensor functions to detect both violations of policy and unexpected deviation from a baseline configuration.

Given the importance of detecting compromised systems, particularly those involving "Advanced Persistent Threats", zero-day vulnerabilities or "rootkits", we have initiated an effort to implement a large collection of sensor functions derived from techniques used by expert cyber security auditors and forensics analysts to identify compromised systems. This is an extension of the argument that any compromised system must have been in some way changed, and is a departure from traditional techniques that employ signatures or other methods to identify attempts to compromise a system or the overt misbehavior of a compromised system.

We are on track to deliver working software and user documentation for the Hive Mind monitoring system by the deadline of September 14, 2012, specified in the SOW. User documentation will include information needed by experimenters to set up the monitoring system, specify what information is to be collected, and access the information collected.

### B. Current project participants

PI:

- Sean Peisert (UC Davis)

Senior Personnel:

- Matt Bishop (UC Davis)
- Steven Templeton (UC Davis)

Students:

- Julian Fuchs (UC Davis)
- Vishak Muthukumar (UC Davis)

### C. Publications (individual and organizational) this period

N/A

### D. Outreach activities this period

We have demonstrated the Hive Mind for personnel at the Department of Homeland Security, which has expressed interest in transitioning the results of the work to practice, outside of GENI. As part of this we hope to be running additional experiments on a million-node Linux cluster in the near future.

Prof. Peisert is again serving as program co-chair of the 5th Workshop on Cyber Security Experimentation and Test (CSET '12) on August 6, 2012: https://www.usenix.org/conference/cset12

This workshop will have considerable discussion of and focus on testbeds, including GENI.

Prof.
Peisert presented at the "Workshop on Future Modeling and Simulation (M & S) for Cyber-Security and Cyber-Physical Applications," sponsored by Lawrence Livermore National Laboratory, on March 2, 2012; and will be presenting at the "Lawrence Livermore National Laboratory 2012 Workshop on Current Challenges in Computing (C3): Network Science," on August 27–29, 2012. Both presentations include discussion of our GENI activities.

https://nsic.llnl.gov/?q=education_and_outreach-professional_development-past_events-m_s_for_cyber_workshop

### E. Collaborations this period

Our project is now collaborating closely with the "Attribution for GENI" project (PI: M. Bishop, UC Davis). Together, we are working toward shared goals, using shared project resources. We are also working with staff at the DETER project, who are facilitating our implementation and experimental work on DETER, and with Rob Ricci, who is facilitating our implementation and experimental work on ProtoGENI. We are grateful to the staff at both projects for their valuable help.

### F. Other Contributions

N/A