To be completed by PI and submitted by the Center Directors at least 6 weeks prior to the semi-annual IAB meeting at which the project is proposed to the IAB for funding. Limit to 5 pages max.

Continuing Project Proposal to NCSS I/UCRC

Project Name: NEMESIS: Automated architecture for threat modeling and risk assessment for cloud computing
Principal Investigator: Krishna Kavi and Mahadevan Gomathisankaran
Originating University: University of North Texas

Problem Statement: (Limit to 1 page) Why is this research needed? What is the specific problem it is attempting to solve?

Assessing the security of software services in Clouds is challenging because of vulnerabilities in the shared technologies comprising infrastructure, platform and applications. In a recent report by the Cloud Security Alliance, shared technology vulnerabilities were ranked among the top threats facing Cloud computing: "A compromise of an integral piece of shared technology such as the hypervisor, a shared platform component, or an application in a SaaS environment exposes more than just the compromised customer; rather, it exposes the entire environment to a potential of compromise and breach." Thus small businesses that hope to take advantage of Cloud computing's pay-as-you-go model are exposed to security threats that were not directly aimed at them. In most cases, the small business has little ability to demand or afford higher levels of security. However, the ability to assess one's risk will permit businesses to plan their migration to Cloud computing. Currently, risk assessment is conducted semi-manually by experts, which is very expensive. Automated tools that provide a qualitative assessment of threats faced by small business services can be very valuable.

Problem Scope and Description: (Limit to 2 pages) Summarize how this project will address the stated problem. Include any preliminary results from this or previous projects.
Despite the numerous advantages of Cloud computing, some organizations (e.g., health care providers) hesitate to embrace the cloud model of computing. One of the main impediments is the sense of a "loss of control" over one's operations, particularly of data, and the need to trust other parties such as the infrastructure, platform and service providers. Loss of control over resources (by migrating to the cloud), coupled with lack of trust (in the service provider), raises numerous concerns about data integrity (will the service provider serve my data correctly? Can my data get corrupted?), availability (will I have access to my data and service at any time?), security, privacy and confidentiality (will sensitive data remain confidential? Will my data be vulnerable to misuse? By other tenants? By the service provider?), to name a few.

The first step in alleviating some of these concerns is the ability to assess the risks to operations and data. We approach our research with the belief that IT systems cannot be protected 100% of the time against 100% of the possible threats.

There is no dearth of expert opinions, advice and even vendors that claim to provide Cloud-based threat intelligence, predictive threat detection and security event management. There are organizations and alliances that define standards, which may help companies in conducting cloud provider security assessment. However, there is as yet no simple mechanism to understand the risks a company's IT services would face, in order to make business decisions.

Our model is based on the STRIDE model developed by Microsoft Corporation. The model is based on understanding key attack categories: Spoofing identity, Tampering with data, Repudiation, Information
disclosure, Denial of service, and Elevation of privilege. We use a Bayesian probability approach to combine threat probabilities for each of the above attack categories. We have previously developed ontologies for known security vulnerabilities recorded in several national databases, as well as ontologies for known attacks that can expose the vulnerabilities. A third part of our evaluation system is the ontology of known patches or attack mitigation approaches (see figure below).

Utilizing these components (models, ontologies and Bayesian theory), we proposed to develop a framework that assesses the security threat faced by an IT system. Our plan is to search for all known vulnerabilities associated with the underlying infrastructure, the software platform and the software services on which the IT system is deployed, evaluate the threat level due to known attacks and the availability of defenses, and provide a qualitative threat assessment. The framework will be designed to provide detailed reports on all known vulnerabilities, threats and defenses, as well as the threat probabilities used by the model. The NEMESIS architecture is shown below.

The initial implementation will not attempt to optimize the search mechanisms, and the analysis may take several minutes to hours depending on the complexity of the IT system (such as the different hardware systems, operating systems, database systems and web services used in the system). In a future project, we will utilize a Google-like ranking system to create indexed databases for vulnerabilities, threats and defenses, benefiting from our previous VULCAN system.

Statement of Work: Briefly describe the work to be performed, task budgets, and deliverables for the 5 most important tasks planned for this project.

| Task# | Description | Budget | Deliverable |
|---|---|---|---|
| Task-1 | Understand STRIDE model | $10K (3 mos) | Detailed report on our Ontologies and Vulcan framework |
| Task-2 | Build a prototype of NEMESIS framework using VULCAN ontology system | $25K (9 mos) | Bayesian model used to define threat probabilities |
| Task-3 | Evaluate NEMESIS system with sponsor provided system configurations | (included in Task-2) | Demonstrations to show the capabilities of NEMESIS |
| Task-4 | Explore optimizations to the search process | $10K (3 mos) | Report on suggested optimizations and formal review with sponsor |

How this Project is Different from Related Work: What results does this project seek that are different (better) than others? What specific innovations or insights are sought by this research that distinguish it from related work? (identify the related work)

To our knowledge there is no single framework that brings together vulnerability databases, attack databases, available patches and probability of attack into a single model and provides both quantitative and qualitative assessment of security threats to a given system or service configuration. [Other related works to come soon]

Potential Member Company Benefits: What specific benefits are sought for the industry members? What leverage does the research provide to industry member R&D plans? (identify interested members)

Our framework can be utilized by small, medium and large corporations with an interest in creating private or hybrid cloud systems or migrating to public Cloud systems, to assess the potential security threats and risk levels. The framework can be expanded into a web-service, leading to commercialization of the service.

Connection to NCSS Roadmap: What competencies does this project demonstrate? (refer to competency chart) What new capabilities are being developed? What existing capabilities are being matured?
Demonstrated competencies: Net-Centric Solutions → Cloud Computing, Information Assurance → Data Security and Threat Assessment
New capability: Ontology models and mathematical models for security threat probabilities

Multi-company Sponsorship: Describe efforts to involve multiple companies in sponsorship of the proposed research (whether or not they were successful).

Enter text here.

Multi-university Collaboration: Describe efforts to involve multiple universities in sponsorship of the proposed research (whether or not they were successful).

Exploring collaborations with UTD faculty, particularly with I-Ling Yen.

Project Quality Attribute Self-Assessment: PI's assessment of the extent to which the proposed project demonstrates each Quality Attribute. (Scale: 5=To a LARGE extent, 4=To a MODERATE extent, 3=To SOME extent, 2=To LITTLE extent, 1=NOT AT ALL, 0=Not Rated)

| To what extent does the project demonstrate each Quality Attribute? | Rating | Comments (Required if Rating < 3) |
|---|---|---|
| Alignment with Center Competencies | 5 | |
| Sponsor-acknowledged Leverage to R&D | 3 | In the past, Boeing has expressed interest in similar ideas. |
| Multi-company Sponsorship | 3 | There is a potential interest in similar ideas from Boeing and Samsung. |
| Multi-university Collaboration | 2 | We are exploring collaboration with UTD. |
| Compliance with NSF Operations Requirements | 5 | |
| Objective Deliverables | 4 | |
| Innovation & Technology Evolution | 2 | Too early to assess, but the framework can lead to a commercial product. |
| Potential for Derivative Services | 2 | Too early to assess, but other avenues of research could include risk vs cost based approach to security policies. |
| Commercialization Opportunities | 3 | Too early to assess, but the framework can lead to a commercial product. |
| Past Performance | 4 | Several publications |

January 8, 2016
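
Added example (not part of the proposal and not NEMESIS code): one way the per-category combination described under Problem Scope and Description could work, using a noisy-OR rule that treats findings as independent. The proposal does not specify its Bayesian model, so the noisy-OR rule, the RESIDUAL mitigation factor, the qualitative thresholds, the Finding record and the sample values are all assumptions.

```python
from dataclasses import dataclass
from math import prod

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")
RESIDUAL = 0.1  # assumption: an applied defense leaves 10% of the attack probability

@dataclass(frozen=True)
class Finding:
    component: str    # infrastructure, platform or service element
    category: str     # STRIDE category of the known attack
    p_attack: float   # assumed probability the attack succeeds if unmitigated
    mitigated: bool   # True when a known patch/defense is applied

# Constructed sample findings (hypothetical values, not from a real database).
SAMPLE = [
    Finding("hypervisor", "Elevation of privilege", 0.30, False),
    Finding("hypervisor", "Information disclosure", 0.20, True),
    Finding("web framework", "Tampering", 0.40, True),
    Finding("web framework", "Information disclosure", 0.25, False),
    Finding("database", "Denial of service", 0.10, False),
]

def category_risk(findings):
    """Noisy-OR per category: P = 1 - prod(1 - p_i) over its findings."""
    survive = dict.fromkeys(STRIDE, 1.0)
    for f in findings:
        if f.category not in survive:
            raise ValueError(f"not a STRIDE category: {f.category!r}")
        if not 0.0 <= f.p_attack <= 1.0:
            raise ValueError(f"probability out of range: {f.p_attack}")
        p = f.p_attack * (RESIDUAL if f.mitigated else 1.0)
        survive[f.category] *= 1.0 - p
    return {c: 1.0 - s for c, s in survive.items()}

def overall_risk(risks):
    """Probability that at least one STRIDE category is realised."""
    return 1.0 - prod(1.0 - r for r in risks.values())

def qualitative(p, medium=0.2, high=0.5):
    """Map a probability to a label; the thresholds are assumptions."""
    return "high" if p >= high else "medium" if p >= medium else "low"

if __name__ == "__main__":
    risks = category_risk(SAMPLE)
    for cat in STRIDE:
        print(f"{cat:<24}{risks[cat]:6.3f}  {qualitative(risks[cat])}")
    total = overall_risk(risks)
    print(f"{'Overall':<24}{total:6.3f}  {qualitative(total)}")
```

Categories with no findings come out at 0.0, so the report separates "no known vulnerability" from "known but mitigated", which keeps a small residual probability.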