Dr. Salamah Salamah
Office phone: (915)-747-6671 Email: isalamah@utep.edu
CS 5389 Software Engineering Practicum
Course Description
Capstone software project in which the student applies concepts learned in the program. The practicum can be completed in a course in which the instructor oversees teams of students, or through an arrangement with an industry partner in which a manager evaluates the work of a student on a particular project. Enrollment in the course requires prior department approval.
Course Material
Past Projects
Over the past three years, we have developed multiple tools for members of the Army Research Lab (ARL). In particular, working with researchers at the CyWAR Lab, we have developed tools that help members of ARL's Survivability/Lethality Analysis Directorate (SLAD) conduct cybersecurity assessments and develop strategies prior to assessment missions.
Scenario Execution Data Analysis Platform (SEDAP)
The SEDAP tool enables analysts to design and execute network scenarios on several popular emulation and simulation platforms. The executed scenarios produce data from which models for several types of analysis can be generated. A scenario is a combination of 1) a network topology, e.g., a chain topology, 2) a routing protocol, e.g., NRL OLSR, and 3) a particular type of network attack, e.g., a spoofing attack. SEDAP runs the chosen combinations of these scenarios and logs scenario data such as packet arrival statistics, route states, and attack start and end times. The tool converts the collected data into the formats used by statistical analysis tools such as WEKA, which then generate the analysis models. The generated models help analysts analyze computer networks efficiently.
SEDAP includes an analysis component that contains a visualization feature for viewing results of running statistical and comparison algorithms on node states (e.g., position of the node, and status such as compromised or not), packet transmission, and routing. The focus of this component is to facilitate the task of viewing differences between similar scenarios and the different emulation and simulation tool outputs resulting from running these scenarios.
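The pipeline described above, as an added illustration rather than SEDAP's own code: enumerate scenarios as (topology, routing protocol, attack) combinations, reduce a per-run packet log to a feature row (packet delivery ratio, mean delay, packets lost inside the attack window), and write the rows as an ARFF file that WEKA loads directly. The packet logs and the scenario values beyond the ones the page names (chain, NRL OLSR, spoofing) are constructed for the example.

```python
"""Added illustration, not SEDAP's own code: enumerate scenarios as
(topology, routing protocol, attack) combinations, reduce constructed
per-run packet logs to feature rows, and write them in WEKA's ARFF format."""
import itertools
import statistics

# Scenario dimensions; the values beyond the page's examples (chain,
# NRL OLSR, spoofing) are assumed for illustration.
TOPOLOGIES = ["chain", "star", "grid"]
ROUTING = ["NRL_OLSR", "AODV"]
ATTACKS = ["none", "spoofing", "blackhole"]


def scenario_matrix(topologies=TOPOLOGIES, routing=ROUTING, attacks=ATTACKS):
    """Every combination of the three scenario dimensions."""
    return [{"topology": t, "routing": r, "attack": a}
            for t, r, a in itertools.product(topologies, routing, attacks)]


def summarise_run(scenario, packet_log, attack_window):
    """Reduce one run's packet log to a feature row.

    packet_log: list of (sent_time, recv_time or None, hop_count) tuples
    attack_window: (start, end) seconds logged by the attack, or None
    """
    delivered = [(s, r) for s, r, _ in packet_log if r is not None]
    pdr = len(delivered) / len(packet_log) if packet_log else 0.0
    delays = [r - s for s, r in delivered]
    mean_delay = statistics.mean(delays) if delays else 0.0
    lost_in_attack = 0
    if attack_window:
        start, end = attack_window
        # packets sent while the attack was active that never arrived
        lost_in_attack = sum(1 for s, r, _ in packet_log
                             if r is None and start <= s <= end)
    return {**scenario, "pdr": round(pdr, 3),
            "mean_delay": round(mean_delay, 3),
            "lost_in_attack": lost_in_attack}


def to_arff(rows, relation="sedap_runs"):
    """Serialise feature rows as an ARFF document WEKA loads directly.
    The attack label goes last, which WEKA treats as the class by default."""
    nominal = {k: sorted({r[k] for r in rows})
               for k in ("topology", "routing", "attack")}
    lines = [f"@RELATION {relation}", ""]
    for k in ("topology", "routing"):
        lines.append(f"@ATTRIBUTE {k} {{{','.join(nominal[k])}}}")
    lines += ["@ATTRIBUTE pdr NUMERIC", "@ATTRIBUTE mean_delay NUMERIC",
              "@ATTRIBUTE lost_in_attack NUMERIC",
              f"@ATTRIBUTE attack {{{','.join(nominal['attack'])}}}",
              "", "@DATA"]
    for r in rows:
        lines.append(",".join(str(r[k]) for k in
                              ("topology", "routing", "pdr", "mean_delay",
                               "lost_in_attack", "attack")))
    return "\n".join(lines) + "\n"


def demo_rows():
    """Two constructed runs of the chain/NRL OLSR scenario (not ARL data):
    one clean, one with a spoofing attack active from t=0.5 to t=2.5 s."""
    clean = [(0.0, 0.12, 3), (1.0, 1.11, 3), (2.0, 2.13, 3), (3.0, 3.10, 3)]
    spoofed = [(0.0, 0.12, 3), (1.0, None, 3), (2.0, None, 3), (3.0, 3.40, 5)]
    base = {"topology": "chain", "routing": "NRL_OLSR"}
    return [summarise_run({**base, "attack": "none"}, clean, None),
            summarise_run({**base, "attack": "spoofing"}, spoofed, (0.5, 2.5))]


if __name__ == "__main__":
    print(len(scenario_matrix()), "scenarios")
    print(to_arff(demo_rows()))
```

Keeping the attack label as the last ARFF attribute matters in practice: WEKA's classifiers default to the final attribute as the class, so a classifier trained on these rows learns to recognise the attack from the packet-level features without any further configuration.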
Practical Application and Use
The SEDAP system is currently used by the ARL as part of its cybersecurity assessment methodology to develop strategies prior to assessment missions. The tool is also used to provide customers with a deeper, more complete analysis after assessments. This use of the tool reduces the time and effort associated with assessment missions, which is critical to the functions of ARL because these missions are time-constrained.
Network Layer Analysis Systems
Together, ARL and UTEP have developed a characterization of impacts on the network layer and data link layer of the network stack. This work has been used to augment MulVAL, a popular attack graph generator that organizations such as the ARL and NIST have used to assess risk. The work has also led to collaborations with Abilene Christian University and the University of South Florida, whose results have been published in several conference proceedings and journals.
Practical Application and Use
Aside from several academic publications, including the Cyber Security and Information Systems Information Analysis Center (CSIAC) journal and the Military Communications Conference (MILCOM), the Network Layer Analysis System is currently used by several Army organizations in modeling and simulation and in network system evaluation.
Analyst-Centric Data Acquisition
ARL and UTEP have collaboratively developed a unified framework that lets analysts capture various behavioral elements during cybersecurity assessments. The Evaluator-Centric and Extensible Logger (ECEL) framework is built on a plugin architecture for extensibility and flexibility. The plugins are data collectors that track computer usage such as keystrokes, mouse clicks, timed screenshots, network "pcap" files, tool-specific data (e.g., nmap, Nessus) and more. Alongside the plugins are parsers that turn the captured raw data into a filtered output used for analytics, including visualization, and for future decision support model development. External software written in Java parses the raw logs into JSON, and the visualization component reads that JSON and displays an interactive timeline (with search, filter, and export) built on technologies such as D3 and vis.js; the ARL uses this timeline to report penetration testing results to stakeholders.
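The collector/parser/timeline split described above, as an added illustration that is not ECEL's own code: each collector plugin registers a parser for its raw line format, the parsers normalise every line into the item shape a vis.js Timeline DataSet expects (id, content, start, group), and the result can be searched, filtered by source, and exported as JSON. The two raw formats (a keystroke log and an nmap plugin log) and the sample lines are constructed for the example, not real ECEL output.

```python
"""Added illustration, not ECEL's own code: a plugin registry whose parsers
normalise constructed collector output into vis.js timeline items."""
import json
from datetime import datetime, timezone

PARSERS = {}


def parser(source):
    """Decorator: register the parse function for one collector plugin."""
    def wrap(fn):
        PARSERS[source] = fn
        return fn
    return wrap


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@parser("keystrokes")
def parse_keystrokes(line):
    # constructed format: <ISO time> <text typed at the prompt>
    ts, _, typed = line.partition(" ")
    return {"start": _ts(ts), "group": "keystrokes", "content": typed}


@parser("nmap")
def parse_nmap(line):
    # constructed format: <ISO time> <host> <port/proto> <state> <service>
    ts, host, port, state, svc = line.split()
    return {"start": _ts(ts), "group": "nmap",
            "content": f"{host} {port} {state} {svc}", "host": host}


def build_timeline(raw_by_source):
    """Run each source's registered parser and merge into one ordered timeline."""
    items = []
    for source, lines in raw_by_source.items():
        parse = PARSERS[source]          # KeyError here means an unregistered plugin
        items.extend(parse(line) for line in lines if line.strip())
    items.sort(key=lambda i: i["start"])  # stable, so same-second lines keep order
    for n, item in enumerate(items, 1):
        item["id"] = n
    return items


def search(items, text=None, group=None):
    """Filter as the UI would: substring match on content, exact match on group."""
    return [i for i in items
            if (text is None or text in i["content"])
            and (group is None or i["group"] == group)]


def export_json(items):
    """Serialise for the vis.js DataSet; start becomes an ISO-8601 string."""
    return json.dumps([{**i, "start": i["start"].isoformat()} for i in items], indent=1)


# Constructed sample collector output, not a real assessment log
RAW = {
    "keystrokes": [
        "2019-03-04T10:15:02Z nmap -sV 10.0.0.5",
        "2019-03-04T10:16:30Z ssh admin@10.0.0.5",
    ],
    "nmap": [
        "2019-03-04T10:15:40Z 10.0.0.5 22/tcp open ssh",
        "2019-03-04T10:15:40Z 10.0.0.5 80/tcp open http",
    ],
}

if __name__ == "__main__":
    timeline = build_timeline(RAW)
    print(export_json(search(timeline, text="10.0.0.5")))
```

The point of the shared item shape is that a new collector only has to supply a parser; the timeline, search and export code never changes, which is what makes the plugin architecture extensible.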
Practical Application and Use
Together, the ECEL software and its accompanying visualization component give the security analysis community (those focused on defensive as well as offensive technologies) the unique ability to capture and analyze information from the attacker's perspective. The ECEL tool has been presented to senior leaders in the cross-service community, including the Army, Navy, Marine Corps, and Air Force. In addition, ECEL is the basis for several external grant efforts by ARL, including an OSD-funded collaboration between ARL, MIT-LL, and CYBERCOM. This work has made a significant contribution to a primary issue in the field of cybersecurity: data sharing and availability. Using ECEL, ARL has published several publicly available datasets that researchers and engineers can use to analyze and develop better cyber systems. In addition, analysts from the Survivability & Lethality Analysis Directorate (SLAD) within ARL use the ECEL framework daily during cybersecurity assessments to ensure that all user actions are captured and to develop models for decision support.
Traffic-Based Model Generation
Identifying and mitigating network service issues is a difficult problem because the technology space keeps growing and evolving. A common obstacle to in-depth testing of network protocols is the availability of software that speaks those protocols: the software required to communicate with a service is often not publicly available, and developing it is a time-consuming undertaking that requires expertise in and understanding of the protocol specification. For this reason, the MSSwE Practicum courses have contributed significantly to the development of the Traffic-Based Model Generation (TBMG) prototype tool. TBMG automates the testing of such protocols by building on theories and models from protocol reverse engineering.
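The kind of inference TBMG's description points at, shown as an added illustration that is not TBMG's own code: from a handful of captured messages of an unknown framed protocol, find the length field (the integer whose value plus a constant equals every sample's total length), split the bytes before it into constant and variable runs, treat what the length field covers as payload and anything left as a trailer, then emit the model as scapy Packet source (the output form the page names for TBMG) and use it to dissect a fresh message. The protocol itself (magic 5A A5, type byte, 16-bit length, payload, XOR checksum) and the samples are constructed for the example; the heuristic needs samples of differing length and only handles length-prefixed framing.

```python
"""Added illustration, not TBMG's own code: infer a byte-level model of an
unknown framed protocol from captured samples, emit it as a scapy Packet
definition, and dissect a fresh message with the inferred model."""


def build_msg(mtype, payload):
    """Constructed toy protocol used only to fabricate samples:
    magic 5A A5 | type (1) | length (2, big-endian) | payload | XOR checksum (1)."""
    body = b"\x5a\xa5" + bytes([mtype]) + len(payload).to_bytes(2, "big") + payload
    ck = 0
    for b in body:
        ck ^= b
    return body + bytes([ck])


SAMPLES = [build_msg(1, b"abc"), build_msg(2, b"hello"), build_msg(1, b"x")]


def find_length_field(msgs, n):
    """Find a 1- or 2-byte big-endian integer at a fixed offset whose value
    plus one constant k equals the total length of every sample."""
    for off in range(n):
        for width in (1, 2):
            if off + width > n:
                continue
            vals = [int.from_bytes(m[off:off + width], "big") for m in msgs]
            ks = {len(m) - v for m, v in zip(msgs, vals)}
            if len(ks) == 1:
                return off, width, ks.pop()
    return None


def infer_fields(msgs):
    """Return [(name, kind, offset, width, const_value)] describing the framing.
    kind is const, var, len or payload; a negative offset counts from the end."""
    if len({len(m) for m in msgs}) < 2:
        raise ValueError("need samples of differing length to locate a length field")
    n = min(len(m) for m in msgs)
    hit = find_length_field(msgs, n)
    if hit is None:
        raise ValueError("no length field found; framing may be delimiter-based")
    loff, lwidth, k = hit
    trailer = k - (loff + lwidth)          # bytes after the variable payload
    const = [all(m[i] == msgs[0][i] for m in msgs) for i in range(loff)]
    fields, i = [], 0
    while i < loff:                        # group header bytes into const/var runs
        j = i
        while j < loff and const[j] == const[i]:
            j += 1
        fields.append((f"f{i}", "const" if const[i] else "var", i, j - i,
                       msgs[0][i:j] if const[i] else None))
        i = j
    fields.append((f"f{loff}", "len", loff, lwidth, None))
    fields.append(("data", "payload", loff + lwidth, None, None))
    if trailer > 0:
        fields.append(("trailer", "var", -trailer, trailer, None))
    return fields


def dissect(fields, msg):
    """Apply the inferred model to one message; constant fields are checked."""
    out, lname, pstart = {}, None, None
    for name, kind, off, width, const in fields:
        if kind == "payload":
            pstart = off
            continue
        chunk = msg[off:] if off < 0 else msg[off:off + width]
        if kind == "const" and chunk != const:
            raise ValueError(f"{name}: expected {const!r}, got {chunk!r}")
        if kind == "len":
            lname = name
        out[name] = chunk if kind == "const" else int.from_bytes(chunk, "big")
    out["data"] = msg[pstart:pstart + out[lname]]
    return out


def to_scapy_source(fields, cls="Inferred"):
    """Render the model as scapy Packet source text (scapy is not needed to run this)."""
    lname = next(f[0] for f in fields if f[1] == "len")
    lines = ["from scapy.all import Packet, XByteField, StrFixedLenField, "
             "FieldLenField, StrLenField", "",
             f"class {cls}(Packet):", f'    name = "{cls}"', "    fields_desc = ["]
    for name, kind, off, width, const in fields:
        if kind == "const":
            lines.append(f'        StrFixedLenField("{name}", {const!r}, length={width}),'
                         "  # identical in every sample")
        elif kind == "len":
            fmt = "B" if width == 1 else "H"
            lines.append(f'        FieldLenField("{name}", None, length_of="data", fmt="{fmt}"),')
        elif kind == "payload":
            lines.append(f'        StrLenField("data", b"", length_from=lambda p: p.{lname}),')
        elif width == 1:
            lines.append(f'        XByteField("{name}", 0),')
        else:
            default = bytes(width)
            lines.append(f'        StrFixedLenField("{name}", {default!r}, length={width}),')
    lines += ["    ]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    model = infer_fields(SAMPLES)
    print(to_scapy_source(model))
    print(dissect(model, build_msg(7, b"ns-3")))
```

Two caveats a practitioner should keep in mind: a field that happens to be constant across the captured samples (the type byte here would be, if every capture used the same message type) is indistinguishable from a true magic value, so more diverse captures give a better model; and the generated scapy class only describes framing, so the checksum semantics of the trailer still have to be worked out by hand.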
Practical Application and Use
The TBMG tool provides ARL and cybersecurity analysts, including those from other federal agencies, with a unique, previously unavailable capability to quickly develop protocol software prototypes in the form of network simulator-3 (ns-3) models and scapy protocol modules. This work greatly reduces the time taken to test network services that use non-standard and non-IP protocols.
The Emulation Sandbox (EmuBox)
The EmuBox is a lightweight, open source testbed that is the foundation of the Center for Cyber Analysis and Assessment's workshop delivery mechanism. It is written in Python and has been tested on Windows 7+, Kali Linux 2016.1 and 2016.2, and Ubuntu 14.04 LTS (32 and 64 bit). The EmuBox leverages VirtualBox and CORE to support mixed virtual/physical systems, VirtualBox Remote Desktop Protocol (VRDP) access, and heterogeneous (e.g., mixed MANET and wired) networks. The EmuBox can host up to 8 simultaneous workshop units (individually accessible cybersecurity scenarios) on a laptop with an Intel i7 processor and 16GB of memory. A unique feature of EmuBox is that it gives every participant an isolated network environment, free of extraneous network traffic, that requires only a remote desktop client application (pre-installed on Windows and readily available on Linux and macOS). Additionally, the EmuBox has a backend subsystem with a web frontend that lists all available workshops and restores VMs from snapshots once participants disconnect.