Visible to the public Empirical Models for Vulnerability Exploits - UMD - April 2015Conflict Detection Enabled

Submitted by jkatz on Thu, 03/26/2015 - 11:40am

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Tudor Dumitras
Researchers: Octavian Suciu, Michael Hicks, Jonathan Katz, Joseph JaJa

 

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

Security-Metrics-Driven Evaluation, Design, Development, and Deployment

Project synopsis
The security of deployed and actively used systems is a moving target, influenced by factors not captured in the existing security metrics. For example, the count and severity of vulnerabilities in source code, as well as the corresponding attack surface, are commonly used as measures of a software product's security. For example, simply estimating the number of vulnerabilities in source code does not account for the fact that some vulnerabilities are never exploited by attackers, perhaps due to reduced attack surfaces or because of other technologies that render exploits less likely to succeed. Conversely, vulnerabilities that have been "patched" can continue to impact security in the real world because some users do not deploy the corresponding software patches. Overall, we currently do not know how to assess the security of real-world systems. In this task, we will conduct empirical studies of security in the real world. Our goals are to derive empirical models of vulnerabilities and attack surfaces exercised in cyber attacks and to understand the deployment-specific factors that influence the security of systems in active use.

PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.

ACCOMPLISHMENT HIGHLIGHTS

MC2 Workshop on Data-Driven Approaches to Security and Privacy (http://www.umiacs.umd.edu/~tdumitra/data-driven/).

  • The workshop was aimed at strenghtening the community of researchers interested in studying security and privacy empirically, using data-driven techniques. This includes (but is not limited to) topics such as understanding the motivations, capabilities and limitations of real-world adversaries; putting theoretical assumptions to the test; accounting for the socio-economic incentives of attackers and for the properties of deployment environments; measuring and predicting security. The workshop was attended by 23 US and international researchers.
Groups: