Experts dealing up cybersecurity air defences with blackjack

New research has shown that a cybersecurity technique that shuffles network addresses, similar to a blackjack dealer shuffling cards, could effectively thwart hackers attempting to take control of a military jet, commercial airliner, or spacecraft. However, the research also reveals that these defences must be designed to counter increasingly sophisticated algorithms that can break them.

Aircraft, spacecraft, and weapons systems typically have an onboard computer network called military standard 1553, also known as MIL-STD-1553. This protocol allows communication of critical systems like radar, flight controls, and heads-up displays. Securing these networks against a cyberattack is a national security priority. A hacker gaining control of MIL-STD-1553 midflight could cause the pilot to lose control of critical aircraft systems, resulting in devastating consequences.

Chris Jenkins, a Sandia cybersecurity scientist, partnered with researchers at Purdue University in West Lafayette, Indiana, to test an idea to secure these critical networks. Their results, recently published in the scientific journal IEEE Transactions on Dependable and Secure Computing, demonstrate that a technique already known in cybersecurity circles, called moving target defence, can effectively protect MIL-STD-1553 networks against machine-learning algorithms.

Jenkins emphasised the significance of securing these networks, stating that it is a national security imperative. The research was funded by Sandia's Laboratory Directed Research and Development program. While moving target defence has proved effective, the study suggests that defences must be designed to counter increasingly sophisticated algorithms that break them.

“When we talk about protecting our computer systems, frequently there are two main pieces we rely on,” says Eric Vugrin, a Sandia cybersecurity senior scientist who also worked on the project. “The first approach is just keeping the bad guy out and never permitting access to the system. The physical analogue is to build a big wall and don’t let him in in the first place. And the backup plan is, if the wall doesn’t work, we rely on detection. Both of those approaches are imperfect. And so, what moving target defence offers as a complementary strategy is, even if those two approaches fail, moving target confuses the attacker and makes it more difficult to do damage.”

Inspiration from con artist games

The research compares moving target defence to the game of three-card monte, in which a con artist uses sleight of hand to shuffle cards side-to-side and requires randomness for its effectiveness. The research aimed to determine whether a moving target defence would be useful in constantly changing network addresses and unique numbers assigned to each device on a network. 

Researchers were uncertain if the strategy would work due to the small address space of MIL-STD-1553 compared to other network types. This protocol only has 31 network addresses, making it challenging to randomise.

“Someone looked me in the face and said it’s not possible because it was just 31 addresses,” says Jenkins. “And because the number is so small compared to millions or billions or trillions, people just felt like it wasn’t enough randomness.”

The challenge with randomising a small set of numbers is that “nothing in computer software is truly random, it’s always pseudorandom,” says Sandia computer scientist Indu Manickam. Everything must be programmed, she said, so there’s always a hidden pattern that can be discovered. With enough time and data a human with an Excel sheet should be able to get it.

“We’re using machine-learning techniques to better defend our systems,” says Vugrin. “We also know the bad guys are using machine learning to attack the systems. And so, one of the things that Jenkins identified early on was that we do not want to set up a moving target defence where somebody might use a machine-learning attack to break it and render the defence worthless.”

Sophisticated algorithms do not necessarily indicate the end of this type of cybersecurity defence. Cybersecurity designers can create a program that modifies the randomisation pattern before a machine can recognise it.

To test the efficacy of their defence, the Sandia team collaborated with Bharat Bhargava, a computer science professor at Purdue University. Bhargava's team had previously researched moving target defences, and the research fields of cybersecurity and machine learning have been intersecting for the past seven years, resulting in new cybersecurity concepts.

Bhargava's team trained a machine-learning algorithm called long short-term memory to forecast the next set of addresses after the Sandia team established two devices to communicate back and forth on a 1553 network. The network addresses occasionally changed when one device slipped in a coded message, modifying both addresses. The Sandia team sent Bhargava's team logs of these communications utilising distinct randomisation routines.

The Sandia team needed to determine how quickly machine learning could break their defence. The findings indicate that randomisation routines can be frequently modified to maintain the defence's effectiveness, even against machine learning algorithms.

The first randomisation routine was not very effective, the researchers report. “We were not only able to just detect the next set of addresses that is going to appear, but the next three addresses,” says Ganapathy Mani, a former member of the Purdue team who contributed to the research.

The algorithm scored 0.9 out of a perfect 1.0 on a Matthews correlation coefficient, which rates how well a machine-learning algorithm performs.

But the second set of logs, which used a more dynamic routine, resulted in a radically different story. The algorithm scored just 0.2. “0.2 is pretty close to random, so it didn’t really learn anything,” says Indu.

The test showed that moving target defence can fundamentally work. Still, more importantly, it gave both teams insights into how cybersecurity engineers should design these defences to withstand a machine-learning-based assault, a concept the researchers call threat-informed codesigns.

Defenders, for example, could “Add fake data into it so that the attackers cannot learn from it,” says Mani. The findings could help improve the security of other small, cyber-physical networks beyond MIL-STD-1553, such as those used in critical infrastructure.

“Being able to do this work for me, personally, was somewhat satisfying because it showed that given the right type of technology and innovation, you can take a constrained problem and still apply moving target defence to it,” says Jenkins.