SoS Quarterly Summary Report - CMU - October 2014
Lablet Summary Report
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.
A). Fundamental Research (sampling of highlights)
[Carley] New dynamic network metrics provide the SoS community with ways of assessing impact and identifying key attackers in large-scale human and organizational networks. New metrics are faster and scale better than existing ones. Pioneered an approach for mapping the global cyber threat environment.
[Breaux] A study was completed that examines how experts experience uncertainty in perception, comprehension and projection during security vulnerability analysis. The theory explains why novices and experts differ in their ability to mitigate complex security threats. The results verify the theory, and the outcome of this presentation includes feedback concerning the difference between Fuzzy Logic and Bayesian models of reasoning under uncertainty that informs our current work. (Invited paper published)
[Aldrich] Aldrich presented an invited talk at TTI/Vanguard, a conference attended by leaders in industry and government. The talk covered Lablet-sponsored research, both on providing security against command-injection attacks through language extensibility and on our ongoing Science of Secure Frameworks research on architectural control. Follow-on discussions with a number of individuals, including Alan Kay, David Reed, and several researchers from the NSA, provided positive feedback and useful suggestions for future research.
[Cranor] The team are now pilot testing numerous data collection sensors, which are collecting live field data on client machines' processes, filesystem meta-data (e.g., file path, file size, date created, date modified, permissions), network packet headers, Windows security logs, Windows updates, installed software, and wireless access points.
B). Community Interaction
Work to explain or extend scientific rigor in the community/culture. Workshops, Seminars, Competitions, etc.
CMU hosted the first Quarterly Meeting of the new Lablet Community. Approximately 75 people attended from the four universities, multiple subcontractors, and government organizations. Workshop sessions addressed the planning for updating and disseminating the Hard Problems list, which is intended to provide a key component of the unifying framework for the SoS research undertaken at the Lablets. Discussions were also held regarding other mechanisms through which the SoS Lablet community could advance the effectiveness and explicitness of the scientific process of cybersecurity research.
Just prior to the Quarterly Meeting, CMU also hosted the CASOS Summer Institute, focusing on network analytics, led by Kathleen Carley and including Juergen Pfeffer. This institute is dedicated to advancing the theory and practice of network analytics.
In addition, Lorrie Cranor was the General Chair for the 10th SOUPS conference (Symposium on Usable Privacy and Security). This conference has served as a premier catalyst for the advancement of scientific practice associated with research related to privacy and to human interfaces associated with security.
C). Educational
Any changes to curriculum at your school or elsewhere that indicates an increased training or rigor in security research.
New students: The Fall 2014 student/advisor selection process has been completed, and we are pleased to report that six new students will be joining the following projects: A Language and Frameworks for Development of Secure Mobile Applications (Aldrich): Michael Coblenz. Usable Formal Methods for the Design and Composition of Security and Privacy Policies (Breaux): Daniel Smullen and Jaspreet Bhatia. Multi-Model run-time security analysis (Pfeffer/Garlan): Hemank Lamba. Highly Configurable Systems (Pfeffer/Kaestner): Chu Pan Wong, Gabe Ferreira.
Recent Graduates: Tingting Yu, a PhD student partially supported by the Race Vulnerability Study and Hybrid Race Detection project (Aldrich), graduated in August 2014 and is now an Assistant Professor at University of Kentucky-Lexington.
The CMU Lablet now has a total of 21 affiliated PhD students.
CMU ISR is now hosting the second class of students in the new Master's degree program in Privacy Engineering, led by Lorrie Cranor and Norman Sadeh. Courses are taught by several SoS Lablet faculty including Cranor, Sadeh, and Travis Breaux.
CMU is continuing the revamping of its undergraduate core course sequence on software engineering; security topics as well as method-related topics (data analysis, developer studies, and the like) are being augmented. SoS Lablet faculty involved include Aldrich, Kaestner, Breaux, Scherlis, and others. Specific results will be reported in a later quarterly report.