Dr. Ou and the Argus Group work on the analysis of computer system attacks and security metrics. The Argus group was founded by Dr. Simon Ou in 2006 to carry out cyber security research. Our focus is on the defense aspect of cyber warfare, and our philosophy is that successful cyber defense can only be achieved through automated coordination of the various observation and action points in an enterprise environment. "Point solutions" such as firewalls and traditional IDS systems are limited in effectiveness because each looks at only one aspect of the system and lacks the capability to "connect the dots" among the various information sources and so gain a global picture of a system's security status. Our research aims at providing the enabling technologies for such automated correlation and analysis, with a solid theoretical foundation and empirical study. The group is named after the giant Argus of Greek mythology, who had a hundred eyes that constantly watched for enemies.
We have extensive collaboration relationships with government labs and industry for IA research. We work with Idaho National Laboratory to apply attack-graph research to critical infrastructure protection. We are working with Defence Research and Development Canada - Ottawa on effective techniques for prioritizing security hardening in enterprise networks. We are collaborating with HP Labs to investigate reasoning techniques for intrusion analysis from large amounts of system monitoring data. We also work with NIST on security metrics for enterprise networks. Dr. Ou's MulVAL attack graph toolkit is widely used and extended by researchers in both academia and industry, including Stony Brook University, the University of Illinois at Urbana-Champaign, NATO, IAI Inc., and Motorola. It has been invited to participate in the AFRL evaluation of state-of-the-art attack-graph tools. Dr. Ou is actively involved in serving the IA research community. He has served as a reviewer for numerous journals and conferences in the IA area. He has been invited as a field expert to attend workshops hosted by NSF and ARO to explore future directions of research in security configuration management and situation awareness. He was one of the invited speakers at the Configuration Management workshop affiliated with LISA, a large conference for system administrators. He has been invited to give talks at MITRE, Telcordia Technologies, Carleton University, HP Labs, DRDC-Ottawa, and INL. Dr. Ou has given talks at Cerner on potential security problems in medical plug-and-play devices. He also extends his cyber-security research and education activities to middle-school-age girls through the K-State GROW program.
- MulVAL: A logic-based network security analyzer. Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel. In 14th USENIX Security Symposium, Baltimore, Maryland, U.S.A., August 2005.
- SAT-Solving Approaches to Context-Aware Enterprise Network Security Management. John Homer and Xinming Ou, In IEEE JSAC Special Issue on Network Infrastructure Configuration, To appear.
- A Practical Approach to Modeling Uncertainty in Intrusion Analysis. Xinming Ou, Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan. Technical report, Kansas State University, Computing and Information Sciences Department. November 2008.
- Identifying Critical Attack Assets in Dependency Attack Graphs. Reginald Sawilla and Xinming Ou. In 13th European Symposium on Research in Computer Security (ESORICS 2008), Malaga, Spain, October 2008.
- Improving Attack Graph Visualization through Data Reduction and Attack Grouping. John Homer, Ashok Varikuti, Xinming Ou, and Miles A. McQueen. In 5th International Workshop on Visualization for Cyber Security (VizSEC 2008), Cambridge, MA, U.S.A., September 2008.
- From Attack Graphs to Automated Configuration Management - An Iterative Approach. John Homer, Xinming Ou, and Miles A. McQueen. Technical report, Kansas State University, Computing and Information Sciences Department. January 2008.
- Googling attack graphs. Reginald Sawilla and Xinming Ou. Technical report, Defence R&D Canada - Ottawa, TM 2007-205, September 2007.
- A scalable approach to attack graph generation. Xinming Ou, Wayne F. Boyer, and Miles A. McQueen. In 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, U.S.A., October 2006.
- Automatic Control-Network Security Management Using Attack Graphs. Department of Energy. $35K, 3/20/2007 - 8/17/2007.
- CT-ISG: Model-Based, Automatic Network Security Management. National Science Foundation. $245K, 8/1/2007 - 7/31/2009.
- REU: CT-ISG: Model-Based, Automatic Network Security Management. National Science Foundation. $6K, 8/1/2007 - 7/31/2009.
- John Homer (PhD): Attack graph-based techniques for enterprise network security management. (supported by NSF)
- Abhishek Rakshit (MS): An Architecture of Host-based Security Scanning for Efficiently Leveraging Shared Knowledge (supported by NSF)
- Sakthiyuvaraja Sakthivelmurugan (MS): Intrusion analysis
- Hussain Almohri (MS): Security Risk Prioritization for Logical Attack Graphs, Dec 2008.
- Ashok Reddy Varikuti (MS): Attack graph visualization techniques
- Undergraduate research supervised by Dr. Ou:
- Robert Christie: Security of online games (supported by NSF REU).
- Cory Hardman: An analysis of National Vulnerability Database (supported by the K-State Campus Internship program)
- Bart Carroll: An analysis of tools that check for web-script vulnerabilities
- A study of botnets using low-interaction honeypots (supported by NSF).
Systems and/or Software Artifacts:
MulVAL is a logic-based, data-driven enterprise security analyzer. It encodes expert knowledge in the form of Datalog clauses and uses a logic engine to analyze the configuration of an enterprise network to find potential multi-stage attack paths in the system. It has scalable polynomial time complexity and provides the capability to specify a wide range of security reasoning knowledge in a generic language. It can output an attack graph showing the causality relationship among configuration settings and potential attacker privileges. Such an attack graph can be further utilized in computing security metrics and automated decision making on how to best address the discovered security problems.
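To make the reasoning style concrete, the following is an added illustration (not MulVAL's own code or rule set) of what "encoding expert knowledge as Datalog clauses and running a logic engine over a network configuration" means. It is a toy forward-chaining Datalog evaluator in Python; the three interaction rules, the predicate names (`hacl`, `vulExists`, `netAccess`, `execCode`, `networkServiceInfo`, `attackerLocated`), the two-host network and the vulnerability ids `vuln_a`/`vuln_b` are all constructed assumptions loosely modelled on MulVAL's published predicate vocabulary. Every derivation step is recorded as an edge, which is exactly the causality relationship the attack graph captures, and the last function shows the automated-decision side: removing one reachability fact and re-running the analysis to see which hosts are no longer derivable as compromised.

```python
"""Toy forward-chaining Datalog reasoner producing a MulVAL-style attack graph.

Added example, not MulVAL's code. Rule shapes, predicate names and the sample
network below are simplified assumptions. Facts and rule literals are tuples;
a string whose first letter is uppercase is a logic variable.
"""


def is_var(term):
    """Variables are capitalised strings (H, Port); everything else is constant."""
    return isinstance(term, str) and term[:1].isupper()


def unify(pattern, fact, env):
    """Extend the binding env so that pattern matches fact; None on conflict."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in env and env[p] != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env


def substitute(literal, env):
    return tuple(env.get(t, t) if is_var(t) else t for t in literal)


def match_body(body, known, env=None, premises=()):
    """Yield (env, premises) for every way the known facts satisfy the body."""
    env = env if env is not None else {}
    if not body:
        yield env, premises
        return
    first, rest = body[0], body[1:]
    for fact in known:
        if fact[0] == first[0]:
            new_env = unify(first, fact, env)
            if new_env is not None:
                yield from match_body(rest, known, new_env, premises + (fact,))


def forward_chain(facts, rules):
    """Saturate the fact base; return (all facts, derivation edges).

    Each edge (derived_fact, rule_name, premises) is one causal step of the
    attack graph: the premises jointly enable the derived fact.
    """
    known, edges = set(facts), set()
    changed = True
    while changed:
        changed = False
        for name, head, body in rules:
            # list() materialises the matches before `known` is mutated
            for env, premises in list(match_body(body, known)):
                edge = (substitute(head, env), name, premises)
                if edge not in edges:
                    edges.add(edge)
                    known.add(edge[0])
                    changed = True
    return known, edges


# Assumed interaction rules (simplified; not MulVAL's actual rule file).
RULES = [
    ("direct network access",
     ("netAccess", "H", "Prot", "Port"),
     [("attackerLocated", "Zone"), ("hacl", "Zone", "H", "Prot", "Port")]),
    ("multi-hop network access from a compromised host",
     ("netAccess", "H2", "Prot", "Port"),
     [("execCode", "H1", "Perm"), ("hacl", "H1", "H2", "Prot", "Port")]),
    ("remote exploit of a vulnerable network service",
     ("execCode", "H", "Perm"),
     [("netAccess", "H", "Prot", "Port"),
      ("networkServiceInfo", "H", "Sw", "Prot", "Port", "Perm"),
      ("vulExists", "H", "Vid", "Sw", "remoteExploit", "privEscalation")]),
]

# Constructed sample network: the internet reaches only the web server,
# which in turn reaches the database server. Vulnerability ids are placeholders.
FACTS = [
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webServer", "tcp", 80),
    ("hacl", "webServer", "dbServer", "tcp", 3306),
    ("networkServiceInfo", "webServer", "httpd", "tcp", 80, "apache"),
    ("networkServiceInfo", "dbServer", "mysqld", "tcp", 3306, "mysql"),
    ("vulExists", "webServer", "vuln_a", "httpd", "remoteExploit", "privEscalation"),
    ("vulExists", "dbServer", "vuln_b", "mysqld", "remoteExploit", "privEscalation"),
]


def fmt(fact):
    return f"{fact[0]}({', '.join(map(str, fact[1:]))})"


def explain(edges, goal, indent=0, seen=frozenset()):
    """Render the derivation tree rooted at goal, i.e. the attack path to it."""
    lines = [" " * indent + fmt(goal)]
    if goal in seen:  # guard against cycles in the graph
        return lines
    for derived, rule, premises in sorted(edges, key=str):
        if derived == goal:
            lines.append(" " * (indent + 2) + "<- " + rule)
            for p in premises:
                lines.extend(explain(edges, p, indent + 4, seen | {goal}))
    return lines


def compromised_hosts(facts, rules=RULES):
    """Hosts on which the attacker can derive code execution under these facts."""
    known, _ = forward_chain(facts, rules)
    return sorted({f[1] for f in known if f[0] == "execCode"})


if __name__ == "__main__":
    known, edges = forward_chain(FACTS, RULES)
    print("\n".join(explain(edges, ("execCode", "dbServer", "mysql"))))
    # Decision support: drop one reachability fact and re-run the analysis.
    hardened = [f for f in FACTS if f != ("hacl", "webServer", "dbServer", "tcp", 3306)]
    print("compromised after removing web->db reachability:", compromised_hosts(hardened))
```

Running the block prints the derivation tree for code execution on the database server, which bottoms out in `attackerLocated(internet)` and the configuration facts that enable each hop, then shows that without the web-to-database reachability rule only the web server remains derivable as compromised. Real MulVAL does the same reasoning with a Datalog engine over facts produced by vulnerability scanners and host configuration collectors, and with a far larger rule base.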