Colorado State University is home to a new National Science Foundation research center focused on innovative ways to protect large, networked systems from cyberattacks.
CSU’s Center for Configuration Analytics and Automation (CCAA) was established earlier this year through a two-year NSF startup grant of about $300,000. The new center, a partnership among CSU researchers in the Department of Computer Science and Department of Electrical and Computer Engineering, will join existing research programs at the University of North Carolina Charlotte and George Mason University that were established through the NSF’s Industry-University Cooperative Research Centers Program.
The CCAA’s director is Indrakshi Ray, professor in the Department of Computer Science, whose expertise is in access control and software security verification. She has existing research collaborations with Indrajit Ray, professor of computer science, who will co-direct the center, and University Distinguished Professor V. “Chandra” Chandrasekar, professor of electrical engineering, who will serve as senior personnel and contribute to center research.
The CSU center brings academia and industry together to solve the challenges of protecting information technology environments, the Internet of Things, cloud and data centers, critical infrastructure and more. Industry partners pay $50,000 per year to be center members. Industry partners who have signed on as members thus far are CableLabs, Furuno Electric Company, SecureNOK and the Air Force Research Laboratory.
Connectivity remains a vulnerability
The last two decades have seen strides in protecting large enterprises from security breaches arising from misconfiguration, human error and other weaknesses. But the problem remains, particularly with increasing focus on connectivity and cooperation of sophisticated systems. The probability of a material data breach involving more than 10,000 records is 22 percent as of 2014, according to the CSU researchers, and can cost organizations hundreds of millions of dollars to fix.
“The way that attacks are launched in the security world is by exploiting vulnerabilities in systems,” said Indrajit Ray. “The attacker has to exploit just one vulnerability, but the defender has to defend against all possible vulnerabilities.” The researchers are working on the design of resilient systems that, when attacked, can continue to function with minimal disruption, Ray said.
The CCAA has four main research directions: predictive analytics for learning of potential risk and threat to enterprise IT environments; automation of the configuration design process to determine cost-effective security and resiliency; integration of formal, provable analytics for verifying system requirements; and holistic evaluation of system security and resiliency using formal quantifiable metrics.
The CSU researchers will engage in projects that are chosen by a board of industry partners. The researchers have already proposed projects focusing on the Internet of Things; oil and natural gas security; and the security of networked weather radars.
Once the first round of projects is complete, the researchers will be eligible to apply for NSF Phase II funding. Eventually, the collaboration is expected to become self-sustaining.