Security Testbed for Preempting Attacks against Supercomputing Infrastructure

TL;DR

This paper presents a security testbed embedded in live supercomputing traffic at NCSA, aimed at preempting attacks like ransomware by analyzing attack patterns, visualizing threats, and deploying novel detection models.

Contribution

It introduces a real-world security testbed for supercomputers, characterizes attack patterns from two decades of logs, and demonstrates preemptive attack detection using innovative models.

Findings

Characterized attack patterns from 200+ incidents

Developed an attack visualization tool for HPC security

Validated preemptive detection of ransomware using novel models

Abstract

Securing HPC has a unique threat model. Untrusted, malicious code exploiting the concentrated computing power may exert an outsized impact on the shared, open-networked environment in HPC, unlike well-isolated VM tenants in public clouds. Therefore, preempting attacks targeting supercomputing systems before damage remains the top security priority. The main challenge is that noisy attack attempts and unreliable alerts often mask \emph{real attacks}, causing permanent damages such as system integrity violations and data breaches. This paper describes a security testbed embedded in live traffic of a supercomputer at the National Center for Supercomputing Applications (NCSA). The objective is to demonstrate attack \textit{preemption}, i.e., stopping system compromise and data breaches at petascale supercomputers. Deployment of our testbed at NCSA enables the following key contributions: 1) Insights from characterizing unique \textit{attack patterns} found in real security logs of more than 200 security incidents curated in the past two decades at NCSA. 2) Deployment of an attack visualization tool to illustrate the challenges of identifying real attacks in HPC environments and to support security operators in interactive attack analyses. 3) Demonstrate the utility of the testbed by running novel models, such as Factor-Graph-based models, to preempt a real-world ransomware family.