Lablet Research on Policy-Governed Secure Collaboration

---

EXECUTIVE SUMMARY: Over the past year the, NSA Science of Security lablets engaged in 7 NSA-approved research projects addressing the hard problem of Policy-Governed Secure Collaboration. All of the work done against this hard problem addressed other hard problems as well. UIUC's research involved other universities including Illinois Institute of Technology, USC, UPenn, and Dartmouth. The projects are in various stages of maturity, and several have led to publications and/or conference presentations. Summaries of the projects, highlights and publications are presented below.

1. Geo-Temporal Characterization of Security Threats (CMU)

SUMMARY: Addresses the hard problems of Policy-Governed Secure Collaboration and Resilient Architectures; provides an empirical basis for assessment and validation of security models; provides a global model of flow of threats and associated information.

HIGHLIGHTS AND PUBLICATIONS

• Technical Report submitted
• Identified central core network
• Identified key actors attacking country of interest and being attacked by country of interest by type of attack
• Technical Report: Ghita Mezzour, L. Richard Carley, Kathleen M. Carley, 2014, Global Mapping of Cyber Attacks, School of Computer Science, Institute for Software Research, Technical Report CMU-ISR-14-111

2. Scientific Understanding of Policy Complexity (NCSU)

SUMMARY: Addresses the hard problems of Policy-Governed Secure Collaboration and Human Behavior

• Policy-Governed Secure Collaboration: Security policies can be very complex. The same policy can also be expressed in ways of different complexity. It is desirable to have a scientific understanding of measuring how complex a policy and a policy encoding is. Part of this work includes breaking down complex vulnerabilities into their constituent parts
• Human Behavior: Our policy complexity is based on how easy for humans to understand and write policies. There is thus a human behavior aspect to it.

HIGHLIGHTS and PUBLICATIONS:

• In an effort to break down complex policies, we have investigated ways to break down NIST's Common Weakness Enumeration (CWE), including experimenting with the Protege taxonomy tool (http://protege.stanford.edu/). It appears that the most fruitful route will be to take each vulnerability (there are about 1000), extract one or more code samples from it, then tag it using Protege. This will give an idea of what concepts are necessary to understand the vulnerability.

3. Formal Specification and Analysis of Security-Critical Norms and Policies (NCSU)

SUMMARY: Addresses the hard problems of Policy-Governed Secure Collaboration and Scalability and Composability

• Policy-Governed Secure Collaboration: This project addresses how to specify and analyze norms (standards of correct collaborative behavior) and policies (ways of achieving different collaborative behaviors) to determine important properties, such as their mutual consistency.
• Scalability and Composability: This project can facilitate the composition of new collaborative systems by combining sets of norms and policies, and verifying whether such combinations satisfy desired properties.

HIGHLIGHTS and PUBLICATIONS:

• We are addressing our first research hypothesis, which is that norm and preference specification languages can be constructed that both adequately express typical collaboration scenarios as well as enable tractable checking of consistency, composability, and realizability via policies.
• We have introduced a new notion of accountability that formulates accountability in normative terms, which will provide a connection between norms and policies and security properties, especially in the academic IT domain.
• *We are formulating the problems of consistency and realizability in mathematical terms with a view toward producing criteria for designing algorithms for consistency and realizability of norms, policies, and preferences. To this end, we are investigating whether a set of norms is consistent and realizable through the policies and preferences of the collaborators and whether a set of norms achieves specified security properties with reference to the healthcare domain.
• Amit K. Chopra and Munindar P. Singh, The Thing Itself Speaks: Accountability as a Foundation for Requirements in Sociotechnical Systems, Proceedings of the IEEE International Workshop on Requirements Engineering and Law (RELAW), Extended Abstract, Karlskrona, Sweden, IEEE Computer Society, 2014.

4. Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems (NCSU)

SUMMARY: Addresses the hard problems of Policy-Governed Secure Collaboration and Resilient Architectures

• Policy-Governed Secure Collaboration: Norms provide a standard of correctness for collaborative behavior, with respect to which policies of the participants can be evaluated individually or in groups.
• Resilient Architectures: The study of robustness and resilience of systems modeled in terms of norms would provide a basis for understanding resilient social architectures.

HIGHLIGHTS and PUBLICATIONS:

• We have developed prototype multiagent systems of simple structure on which to build more complex simulations of norms and policies on system properties.
• We have developed a simplified model for an academic security setting that identifies the main stakeholders, norms that promote security, internal policies by which parties may autonomously decide to comply with (or not) different norms. We have realized this model in our multiagent simulation framework and are using the model not only to refine our understanding of the robustness, liveness, and resilience of norms as they pertain to security but also as a basis for understanding the requirements on a sufficiently expressive simulation framework.

5. A Hypothesis Testing Framework for Network Security (UIUC and Illinois Institute of Technology)

SUMMARY: Addresses four hard problems:

• Scalability and Composability
• Policy-Governed Secure Collaboration
• Predictive Security Metrics
• Resilient Architectures

HIGHLIGHTS and PUBLICATIONS:

• A key part of our strategy is to test hypotheses within a model of a live network. We continued our work on the foundational rigorous network model along three dimensions: 1) network behavior under timing uncertainty, 2) modeling virtualized networks and 3) database model of network behavior.
• Our workshop paper on modeling virtualized networks received the best paper award at HotSDN 2014.
• Soudeh Ghorbani and Brighten Godfrey, "Towards Correct Network Virtualization", ACM Workshop on Hot Topics in Software Defined Networks (HotSDN), August 2014.
• Dong Jin and Yi Ning, "Securing Industrial Control Systems with a Simulation-based Verification System", 2014 ACM SIGSIM Conference on Principles of Advanced Discrete Simulation, Denver, CO, May 2014 (Work-in-Progress Paper)

6. Science of Human Circumvention of Security (UIUC, USC, UPenn, Dartmouth)

SUMMARY: Our project most closely aligns with problem 5 (Understanding and Accounting for Human Behavior). However, it also pertains to problems 1 (Scalability and Composability), 2 Policy-Governed Secure Collaboration), and 3 (Predictive Security Metrics).

• Scalability and Composability: We want to understand not just the drivers of individual incidents of human circumvention, but also the net effect of these incidents. Included here are measures of the environment (physical, organizational, hierarchical, embeddedness within larger systems.)
• Policy-Governed Secure Collaboration: In order to create policies that in reality actually enable secure collaboration among users in varying domains, we need to understand and predict the de facto consequences of policies, not just the de juro ones.
• Security-Metrics-Driven Evaluation, Design, Development, and Deployment: Making sane decisions about what security controls to deploy requires understanding the de facto consequences of these deployments---instead of just pretending that circumvention by honest users never happens.

HIGHLIGHTS and PUBLICATIONS:

• Via fieldwork in real-world enterprises, we have been identifying and cataloging types and causes of circumvention by well-intentioned users. We are using help desk logs, records of security-related computer changes, analysis of user behavior in situ, and surveys---in addition to interviews and observations. We then began to build and validate models of usage and circumvention behavior, for individuals and then for populations within an enterprise.
• The JAMIA paper by Smith and Koppel on usability problems with health IT (pre-SHUCS, but related) received another accolade, this time from the International Medical Informatics Association, which also named it one of best papers of 2014. We are updating that paper to include discoveries from our analysis of the workaround corpora above.
• J. Blythe, R. Koppel, V. Kothari, and S. Smith. "Ethnography of Computer Security Evasions in Healthcare Settings: Circumvention as the Norm". HealthTech' 14: Proceedings of the 2014 USENIX Summit on Health Information Technologies, August 2014. Abstract: Healthcare professionals have unique motivations, goals, perceptions, training, tensions, and behaviors, which guide workflow and often lead to unprecedented workarounds that weaken the efficacy of security policies and mechanisms. Identifying and understanding these factors that contribute to circumvention, as well as the acts of circumvention themselves, is key to designing, implementing, and maintaining security subsystems that achieve security goals in healthcare settings. To this end, we present our research on workarounds to computer security in healthcare settings without compromising the fundamental health goals. We argue and demonstrate that understanding workarounds to computer security, especially in medical settings, requires not only analyses of computer rules and processes, but also interviews and observations with users and security personnel. In addition, we discuss the value of shadowing clinicians and conducting focus groups with them to understand their motivations and tradeoffs for circumvention. Ethnographic investigation of workflow is paramount to achieving security objectives. (This publication addresses Problems 5,1,2, and 3.)
• R. Koppel. "Software Loved by its Vendors and Disliked by 70% of its Users: Two Trillion Dollars of Healthcare Information Technology's Promises and Disappointments". HealthTech'14: Keynote talk at the 2014 USENIX Summit on Health Information Technologies, August 2014. (This keynote talk addresses Problem 5.)
• R. Koppel, J. Blythe, and S. Smith. "Ethnography of Computer Security Evasions in Healthcare Organizations: Circumvention of Cyber Controls". Talk at the European Sociological Association Midterm Conference, August 2014. (This talk addresses Problems 5 and 3.)

7. Trust, Recommendation Systems and Collaboration (UMD)

SUMMARY: Addresses Policy-Governed Secure Collaboration; Scalability and Composability, and Understanding and Accounting for Human Behavior

HIGHLIGHTS and PUBLICATIONS:

• Our goal is to develop a transformational framework for a science of trust, and its impact on local policies for collaboration, in networked multi-agent systems. The framework will take human behavior into account from the start by treating humans as integrated components of these networks, interacting dynamically with other elements. The new analytical framework will be integrated, and validated, with empirical methods of analyzing experimental data on trust, recommendation, and reputation, from several datasets available to us, in order to capture fundamental trends and patterns of human behavior, including trust and mistrust propagation, confidence in trust, phase transitions in the dynamic graph models involved in the new framework, stability or instability of collaborations.
• We developed new algorithms that effectively and provably use trust in distributed consensus problems in the presence of adversaries. Such problems are of interest in distributed fusion in sensor networks. We showed that a trust mechanism allows correct consensus to occur whereby without the trust mechanism this would not be possible.
• We developed new mathematical models for networks that carry opinions (beliefs) in their nodes, while the interaction between the nodes (agents) can be positive (friends) or negative (enemies). We analyzed the dynamics of belief evolution and emergence in such signed networks and discovered new laws governing these dynamics.
• We developed a novel model and an efficient solution algorithm to the so called "Advertisement Allocation Problem" in large social networks, using a new and innovative embedding of the graph in hyperbolic space. The new algorithm obtains the same results as other algorithms albeit with complexity lower by two orders of magnitude.
• We demonstrated how physical layer security schemes can be successfully employed to create a trusted core and provide privacy protection in distributed control and inference schemes.
• We investigated several problems in crowdsourcing, by developing novel methods and algorithms that can handle multiple domains of knowledge, multi-dimensional trust in the knowledge of people or experts, and budget constraints. We investigated analytically these problems and obtained new algorithms and results on their performance.
• X. Liu and J.S. Baras, "Using Trust in Distributed Consensus With Adversaries in Sensor and Other Networks," invited paper, Proceedings of 17th International Conference on Information Fusion (FUSION 2014), Salamanca, Spain, July 7-10, 2014. Abstract: Extensive research efforts have been devoted to distributed consensus with adversaries. Many diverse applications drive this increased interest in this area including distributed collaborative sensor networks, sensor fusion and distributed collaborative control. We consider the problem of detecting Byzantine adversaries in a network of agents with the goal of reaching consensus. We propose a novel trust model that establishes both local trust based on local evidences and global trust based on local exchange of local trust values. We describe a trust-aware consensus algorithm that integrates the trust evaluation mechanism into the traditional consensus algorithm and propose various local decision rules based on local evidence. To further enhance the robustness of trust evaluation itself, we also provide a trust propagation scheme in order to take into account evidences of other nodes in the network. The algorithm is flexible and extensible to incorporate more complicated designs of decision rules and trust models. Then we show by simulation that the trust-aware consensus algorithm can effectively detect Byzantine adversaries and exclude them from consensus iterations even in sparse networks. These results can be applied for fusion of trust evidences as well as for sensor fusion when malicious sensors are present like for example in power grid sensing and monitoring.
• J.S. Baras gave the following invited, plenary and keynote lectures on the topics, approach and results in this Task: J.S. Baras, "Security and Trust in a Networked Immersed World: From Components to Systems and Beyond," invited keynote lecture, Workshop on Security and Safety: Issues, Concepts and Ideas , 2nd Hellenic Forum for Science, Innovation and Technology, Demokritos Research Center, Athens, Greece, June 30 - July 4, 2014.

(ID#: 14-3365)

---

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.

---

SoS Lablet Quarterly Meeting - NCSU

---

Raleigh, NC -- January 29, 2015

Lablet Researchers meet at NC State to exchange and advance research and Ideas about Science of Security

The quarterly Science of Security Lablet meeting, sponsored by NSA, was hosted by the Lablet at the North Carolina State University on January 27 and 28, 2015. Quarterly meetings are held to share research, coordinate, present interim findings, and stimulate thought and discussion about the Science of Security. Laurie Williams, Principal Investigator at NC State, organized the series of talks and discussions about technical and behavioral aspects of cybersecurity.

Members of the Research Directorate at NSA, the program’s sponsor, began the talks. Orville Stockland, Special Assistant for Novel Research Partnership Strategies, Trusted Systems Research Group, greeted the assembled researchers and encouraged them both to share the results of their research throughout the community and to make their students aware of the many government resources available to them online. Stephanie Yannacci, Science of Security Program Manager, provided an SoS program update and described the core elements of the Science of Security Program noting how the Lablets, the HOT SoS conference, the annual paper competition and the CPS-VO web page mesh to offer communication and information sharing among the members of the Science of Security community. Stuart Krohn, SoS Technical Director, described the progress the Lablets are making. He relayed a presentation given by Dan Geer at the National Science Foundation’s SaTC Principal Investigators’ meeting about Science of Security based on Thomas Kuhn’s work, “The Structure of Scientific Revolutions.” He noted that NIST, NSF, DHS and NSA all presented Science of Security briefings to the National Academy of Science, and that NSA's work reflected a stricter definition of foundational: Basic scientific tenets in the multi-disciplinary areas of security upon which we can base trust. Krohn explained the selection process for the annual best paper award and noted the SoS Virtual Organization now numbers more than 500 individuals and that sub-Lablet research partners have expanded the SoS community globally.

Pete Loscocco of NSA presented the keynote address, “Integrity Measurement: The Way Ahead, Knowing if your Systems have been Altered”. He outlined issues and solutions on the use of integrity measurement as a tool to achieve trusted computing. The broad goal, he stated, is to secure systems, but we are falling short of the ideal. Software cannot sufficiently protect systems from attack, and the question of remote trust remains unanswered. Integrity measurement can be useful in bridging the gap between traditional concepts—that is, if the design and implementation of a system are correct, it is “secure”—and the reality of network security. Loscoco described prototypes of Integrity Measurement currently in use and characterized it as a tool that augments existing systems and is useful for detecting trust issues. The large issue, he says, is that trust decisions require system integrity to preserve trust, and that evidence is required to test the trust attestations that are rooted in trustworthy mechanisms. Using load time and run time, the process effectively allows scalability to trust relationships anywhere on the network, can adapt to changing requirements and can project trust across domains using currently available technologies.

Individual researchers from each Lablet and their teams presented materials from their work addressing the five Hard Problems in cybersecurity. Carnegie-Mellon’s Lablet presented current research on security risk perception in composable systems and on analyzing highly configurable systems. Preemptive intrusion detection and hypothesis testing for network security were the topics presented by the University of Illinois. Maryland contributed presentations on a trust-aware social recommender system design and on remote voting protocols. Host NC State presented an objective resiliency analysis of smart grid systems and a discussion of systematizing isolation techniques. In addition, 16 research posters were presented and NCSU presented their work on analysis of bibliometrics applied to Science of Security publications. Jeff Carver of the University of Alabama (working in cooperation with the NCSU lablet) presented an interactive exercise that presented a rubric for teams to determine if a specific research paper showed scientific value and rigor.
 

The next quarterly meeting will be held April 21 and 22, 2015 at the University of Illinois Urbana Champaign in conjunction with HOT SoS 2015.

(ID#:14-3364)

---

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.

---