SoS Lablet Annual Report - UIUC
Lablet Annual Report
Purpose: To highlight progress made within the first base year (March 2014 to Present). Information is generally at a higher level which is accessible to the interested public. This will be published in an overall SoS Annual Report to be shared with stakeholders to highlight the accomplishments the Lablets have made over the past year.
A). Lablet Introduction
Please include each of the following:
- General introduction about the Lablet - 1 paragraph
- Team description (universities that are Lablets, Sub-Lablets, and any collaborators) - 1 paragraph
- Overall viewpoint of the progress made over the past year - 1-2 paragraphs
The UIUC Lablet is contributing broadly to the development of security science while leveraging Illinois expertise in resiliency, which in this context means a system's demonstrable ability to maintain security properties even during ongoing cyber attacks. The Lablet's work draws on several fundamental areas of computing research. Some ideas from fault-tolerant computing can be adapted to the context of security. Strategies from control theory are being extended to account for the high variation and uncertainty that may be present in systems when they are under attack. Game theory and decision theory principles are being used to explore the interplay between attack and defense. Formal methods are being applied to develop formal notions of resiliency. End-to-end system analysis is being employed to investigate resiliency of large systems against cyber attack. The Lablet's work also draws upon ideas from other areas of mathematics and engineering.
The team consists mostly of faculty and researchers from the University of Illinois at Urbana-Champaign. Project-by-project details of the personnel are listed below:
A Hypothesis of Testing and Framework for Network Security: Illinois: Brighten Godfrey, Matt Caesar, David Nicol, Bill Sanders, Illinois Institute of Technology: Dong (Kevin) Jin
Data-Driven-Model-Based Decision-Making: Illinois: Bill Sanders, Masooda Bashir, David Nicol, Newcastle University, UK: Aad Van Moorsel
Data Driven Security Models and Analysis: Illinois: Ravi Iyer, Zbigniew Kalbarczyk and Adam Slagell
Science of Human Circumvention of Security: Illinois: Tao Xie, University of Southern California: Jim Blythe, University of Pennsylvania: Ross Koppel, Dartmouth College: Sean Smith
Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems: Illinois: Sayan Mitra and Geir Dullerud, Rice University: Swarat Chaudhuri
The Science of Security has many attributes that range from the use and development of scientific techniques in experimental security work to modeling and mathematical foundations of systems where security and security properties are the object of the reasoning. UIUC contributes principally to the latter category with research that also supports the former category. We study how security properties are shaped by policy at different layers of the network stack, and use that to help define hypotheses that might be empirically tested. We are defining models of cyber-physical systems that allow us to analyze how closely the system is allowed to skirt disaster, a measure of the system's resilience to disturbance. We are developing mathematical models of systems under attack, the attackers, and the defenders, to better understand how well the system is able to maintain required service levels through the attack, and to aid defensive decision-makers. We are applying sophisticated stochastic modeling techniques to describe vast volumes of data within which there are attacks; the models describe correlations between observations that might suggest attacks, and unobservable state that describes the attack. Finally, we are developing models of human behavior that seek to explain the how and why of humans circumventing security mechanisms. In short, the UIUC Science of Security research is exploring foundational mathematical modeling formalisms that quantitatively describe security attributes, and seek to predict those attributes as a function of context and environment.
B). Fundamental Research
High level report of results for each project that helped move security science forward -- in most cases it should point to a "hard problem". - 1 paragraph per project
A Hypothesis of Testing and Framework for Network Security: Illinois: Brighten Godfrey, Matt Caesar, David Nicol, Bill Sanders, Illinois Institute of Technology: Dong (Kevin) Jin
This project is developing the analysis methodology needed to support scientific reasoning about the security of networks, with a particular focus on information and data flow security. The core of this vision is Network Hypothesis Testing Methodology (NetHTM), a set of techniques for performing and integrating security analyses applied at different network layers, in different ways, to pose and rigorously answer quantitative hypotheses about the end-to-end security of a network.
While our work touches on several hard problems, over the last year, our key accomplishments focused on the hard problem of predictive security metrics. To realize NetHTM, we need the ability to model and predict behavior of networked systems. We made advances in modeling and enforcing correct behavior in dynamic networks. This required a model of network behavior under timing uncertainty; that is, in a dynamic network, we will have only imperfect information about the exact time network events take place, which makes reasoning about properties difficult. We used our model and verification algorithms on top of it to develop network control algorithms which preserve specified properties across time. A paper on this project was submitted in 2014 and accepted to one of the two top venues in computer networking, USENIX NSDI 2015. In addition, we made progress on modeling virtualized networks, with an emphasis on determining when virtual and physical networks may differ, and resolving these inconsistencies. A paper on this work appeared at the ACM Workshop on Hot Topics in Software Defined Networks (HotSDN) in August 2014, where it received the Best Paper Award.
Data-Driven-Model-Based Decision-Making: Illinois: Bill Sanders, Masooda Bashir, David Nicol, Newcastle University, UK: Aad Van Moorsel
System security analysis requires a holistic approach that considers the behavior of non-human subsystems, bad actors or adversaries, and expected human participants such as users and system administrators. Modeling and evaluating human behavior is challenging, but it is an imperative component in security analysis. We have developed and implemented a modeling formalism to formally describe the behavior of human participants and how their decisions affect overall system performance and security. With the HITOP modeling formalism and its implementation in the Mobius modeling framework, we are able to produce quantitative security metrics for cyber-human systems. HITOP evaluates a human's opportunity, willingness, and capability to perform individual tasks in their daily behavior. Partnered with an effective data collection strategy to validate model parameters, we have made good progress toward a sound model of human behavior. Our next steps include development of a case study to validate our approach, as well as further refinement of the HITOP methodology based on the experience we gain from the study.
Data Driven Security Models and Analysis: Illinois: Ravi Iyer, Zbigniew Kalbarczyk and Adam Slagell
We developed and evaluated AttackTagger, a Factor Graph based framework for accurate and preemptive detection of attacks, i.e., before the system misuse. A Factor Graph is a type of probabilistic graphical model that can describe complex dependencies among random variables using an undirected graph representation, specifically a bipartite graph. The bipartite graph representation consists of variable nodes representing random variables, factor nodes representing local functions (or factor functions), and edges connecting the two types of nodes. In our model, random variables correspond to observable events (e.g., alerts generated by an intrusion detection system) and unknown user states (benign, suspicious, or malicious). The factor functions represent dependencies between events and user states. By evaluating the constructed graph we can determine the user state at each stage of an attack. We used security logs on real incidents that occurred over a six-year period at the National Center for Supercomputing Applications (NCSA) to evaluate AttackTagger. Our data consist of security incidents that led to the target system being compromised, i.e., the attacks were detected after the fact. AttackTagger detected 74% of attacks, and a vast majority of them were detected before the system misuse (minutes or hours). Importantly, AttackTagger uncovered hidden malicious users that were missed by the intrusion detection systems during the incident and by security analysts in post-incident forensic analysis.
Paper: P. Cao, E. Badger, Z. Kalbarczyk, R. Iyer, A. Slagell, "Preemptive Intrusion Detection: Theoretical Framework and Real-world Measurements," in Symposium and Bootcamp on the Science of Security (HotSoS), University of Illinois at Urbana-Champaign, April 21-22, 2015
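The factor graph structure described above can be illustrated with a small added example; this is not AttackTagger's code or taken from the paper. The event names, factor values, the 0.5 alarm threshold and the exhaustive-enumeration inference are all assumptions constructed for illustration.

```python
from itertools import product

STATES = ("benign", "suspicious", "malicious")

# Constructed factor tables (illustrative assumptions, not values from the paper).
# EVENT_FACTOR[event][state]: how compatible an observed alert is with a user state.
EVENT_FACTOR = {
    "login":              {"benign": 0.80, "suspicious": 0.15, "malicious": 0.05},
    "login_new_location": {"benign": 0.30, "suspicious": 0.50, "malicious": 0.20},
    "sensitive_download": {"benign": 0.20, "suspicious": 0.50, "malicious": 0.30},
    "priv_esc_alert":     {"benign": 0.05, "suspicious": 0.35, "malicious": 0.60},
    "log_tamper_alert":   {"benign": 0.01, "suspicious": 0.19, "malicious": 0.80},
}
# TRANSITION[previous][current]: user states tend to persist or escalate.
TRANSITION = {
    "benign":     {"benign": 0.80, "suspicious": 0.15, "malicious": 0.05},
    "suspicious": {"benign": 0.10, "suspicious": 0.60, "malicious": 0.30},
    "malicious":  {"benign": 0.02, "suspicious": 0.08, "malicious": 0.90},
}

# Constructed alert sequence for one user; the last alert stands for the misuse.
SAMPLE_EVENTS = ["login", "login_new_location", "sensitive_download",
                 "priv_esc_alert", "log_tamper_alert"]


def build_factor_graph(events):
    """Return (variables, factors) for one user's alert sequence.

    Variables are the hidden user states s0..s(n-1). Each factor is a
    (scope, function) pair; the scope lists the variable nodes it connects to,
    which gives the bipartite variable/factor structure. Observed events are
    clamped, so each one becomes a single-variable factor on its state node.
    """
    variables = [f"s{t}" for t in range(len(events))]
    factors = []
    for t, event in enumerate(events):
        table = EVENT_FACTOR[event]
        factors.append(((variables[t],), lambda s, table=table: table[s]))
        if t > 0:
            factors.append(((variables[t - 1], variables[t]),
                            lambda prev, cur: TRANSITION[prev][cur]))
    return variables, factors


def marginals(variables, factors):
    """Exact marginals by enumerating every joint assignment (small graphs only)."""
    totals = {v: dict.fromkeys(STATES, 0.0) for v in variables}
    z = 0.0
    for assignment in product(STATES, repeat=len(variables)):
        env = dict(zip(variables, assignment))
        weight = 1.0
        for scope, fn in factors:
            weight *= fn(*(env[v] for v in scope))
        z += weight
        for v in variables:
            totals[v][env[v]] += weight
    return {v: {s: w / z for s, w in totals[v].items()} for v in variables}


def tag_user(events, threshold=0.5):
    """Replay events as a monitor would see them.

    Returns the most probable current state after each event and the index of
    the first event at which P(malicious) reaches the threshold (or None).
    """
    tags, first_alarm = [], None
    for n in range(1, len(events) + 1):
        variables, factors = build_factor_graph(events[:n])
        current = marginals(variables, factors)[variables[-1]]
        tags.append(max(current, key=current.get))
        if first_alarm is None and current["malicious"] >= threshold:
            first_alarm = n - 1
    return tags, first_alarm


if __name__ == "__main__":
    print(tag_user(SAMPLE_EVENTS))
```

On the constructed sequence the alarm is raised at the fourth alert, one step before the final alert that stands for the misuse.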
Science of Human Circumvention of Security: Illinois: Tao Xie, University of Southern California: Jim Blythe, University of Pennsylvania: Ross Koppel, Dartmouth College: Sean Smith
We continue to study people's trust in cyber security, websites, their organization's databases, and use of the Internet. We focus especially on passwords as a prime in the context of this trust (or suspicion or distrust). Use of passwords, adherence to password guidelines, and circumvention of password rules (e.g., sharing, writing them down on available files) are also excellent reflections of people's understanding, misunderstandings, and beliefs about personal and organizational efforts to protect individual and enterprise-level information. In addition, we are building and testing DASH agent models and designing a mechanical Turk experiment/simulation to further examine users' use of passwords, workarounds, cyber trust, and strategies. Results include duplication in our simulation of a version of "uncanny descent", in which making constraints on passwords more complex can decrease overall security. To study people's trust in cyber security, especially mobile app security, we focus on exposing contextual information to enable mobile app users to make informed decisions on mobile app security.
Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems: Illinois: Sayan Mitra and Geir Dullerud, Rice University: Swarat Chaudhuri
Addressing the hard problem of developing predictive security metrics, in this collaborative project, we have formulated the general problem of controller synthesis in the presence of resource constrained adversaries; namely, given an adversary of a certain class, parametrized according to the quantifiable resources available to them, we are creating a methodology to assess the worst-case potential impact and performance degradation of a control system from a threat of this class. We have developed a sound and complete algorithm for solving this problem, for the special case of control systems with linear and monotonic dynamics and adversary resources characterized by their signal energy. The approach used to develop the algorithms brings together ideas from robust control and recent developments in syntax-guided program synthesis. Using our algorithms we are able to synthesize controllers that are provably resilient to certain threat classes; in addition, we are also able to characterize the states of the systems in terms of their vulnerability levels. Going forward, we will expand this research to address significantly more complex systems involving more general nonlinear dynamics, and apply them to controller synthesis for, and security evaluation of, autonomous and semi-autonomous unmanned vehicles.
C). Publications
Please list all publications published in the base year starting in March 2014 to present.
- Dong Jin and Yi Ning, "Securing Industrial Control Systems with a Simulation-based Verification System", 2014 ACM SIGSIM Conference on Principles of Advanced Discrete Simulation, May 2014.
- Vijay Kothari, Jim Blythe, Sean W. Smith, Ross Koppel, "Agent-Based Modeling of User Circumvention of Security", 1st International Workshop on Agents and CyberSecurity (ACySE '14), May 2014.
- Cuong Pham, Zachary Estrada, Zbigniew Kalbarczyk, and Ravishankar Iyer, "Reliability and Security Monitoring of Virtual Machines using Hardware Architectural Invariants", 44th International Conference on Dependable Systems and Networks, June 2014. William C. Carter Award for Best Paper based on PhD work and Best Paper Award voted by conference participants.
- G. Wang, Zachary Estrada, Cuong Pham, Zbigniew Kalbarczyk, and Ravishankar Iyer, "Hypervisor Introspection: Exploiting Timing Side-Channels against VM Monitoring", 44th International Conference on Dependable Systems and Networks, June 2014.
- Soudeh Ghorbani and Brighten Godfrey, "Towards Correct Network Virtualization", ACM Workshop on Hot Topics in Software Defined Networks (HotSDN), August 2014. Best paper award.
- Jim Blythe, Ross Koppel, Vijay Kothari and Sean Smith, "Ethnography of Computer Security Evasions in Healthcare Settings: Circumvention as the Norm", 2014 USENIX Summit on Health Information Technologies, August 2014.
- Cuong Pham, Zachary Estrada, Phuong Cao, Zbigniew Kalbarczyk, and Ravishankar Iyer, "Building Reliable and Secure Virtual Machines using Architectural Invariants", IEEE Security and Privacy Magazine, volume 12, issue 5, September - October 2014.
- Ross Koppel, Sean Smith, Jim Blythe and Vijay Kothari, "Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?" Driving Quality in Informatics: Fulfilling the Promise, Series on Technology and Informatics, 2015.
- Zhenqi Huang, Yu Wang, Sayan Mitra and Geir Dullerud, "Controller Synthesis for Linear Time-varying Systems with Adversaries", January 2015. http://arxiv.org/abs/1501.04925
- Ross Koppel, Sean Smith, James Blythe, and Vijay Kothari, "Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?" Information Technology and Communications in Health (ITCH 2015), February - March 2015.
- Sean Smith, Ross Koppel, Jim Blythe and Vijay Kothari, "Mismorphism: A Semiotic Model of Computer Security Circumvention", Technical Report TR2015-768, Dartmouth College, March 2015.
- Vijay Kothari, Jim Blythe, Sean Smith and Ross Koppel, "Measuring the Security Impacts of Password Policies Using Cognitive Behavioral Agent Based Modeling", Symposium and Bootcamp on the Science of Security (HotSoS), April 2015.
- John C. Mace, Charles Morisset, and Aad van Moorsel, "Modelling User Availability in Workflow Resiliency Analysis", Symposium and Bootcamp on the Science of Security (HotSoS), April 2015.
- Phuong Cao, Eric Badger, Zbigniew Kalbarczyk, Ravishankar Iyer, Alexander Withers and Adam Slagell, "Towards an Unified Security Testbed and Security Analytics Framework", Symposium and Bootcamp for the Science of Security (HotSoS), April 2015.
- Sean Smith, Ross Koppel, Jim Blythe and Vijay Kothari, "Mismorphism: A Semiotic Model of Computer Security Circumvention", Symposium and Bootcamp on the Science of Security (HotSoS), April 2015.
- T. Xie, J. Bishop, N. Tillmann and J. de Halleux, "Gamifying Software Security Education and Training via Secure Coding Duels in Code Hunt", Symposium and Bootcamp on the Science of Security (HotSoS), April 2015.
- Phuong Cao, Eric Badger, Zbigniew Kalbarczyk, Ravishankar Iyer and Adam Slagell, "Preemptive Intrusion Detection: Theoretical Framework and Real-World Measurements", Symposium and Bootcamp for the Science of Security (HotSoS), April 2015.
- Wei Yang, Xusheng Xiao, Benjamin Andow, Sihan Li, Tao Xie, and William Enck, "AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Context", International Conference on Software Engineering (ICSE 2015), Florence, Italy, May 2015.
- Wenxuan Zhou, Matthew Caesar, Brighten Godfrey, and Dong Jin, "Enforcing Generalized Consistency Properties in Software-Defined Networks", 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2015), May 2015.
D). Community Engagements
Briefly describe your Lablet's community outreach efforts to extend scientific rigor in the community/culture. For example, list workshops, seminars, competitions, etc. that your Lablet has accomplished since March 2014 to present.
The UIUC Lablet team has put forth outreach efforts throughout the Science of Security community. This year's Symposium and Bootcamp on the Science of Security (HotSoS 2015) was held at the University of Illinois at Urbana-Champaign on April 21-22. The symposium brought together researchers from numerous disciplines seeking a comprehensive and methodical approach to identifying and removing threats.
UIUC SoS Lablet Bi-weekly Research Seminars September 2014 - April 2015
- Yu Wang, Entropy-minimizing Mechanism for Differential Privacy of Discrete-time Linear Feedback Systems
- Zhenqi Huang, Verification from Simulations and Modular Annotations
- David Nicol, Science of Security Hard Problems: A Lablet Perspective
- Soudeh Ghorbani, Towards Correct Network Virtualization
- Ravi Iyer, Resiliency Survey: Challenges Going Forward
- Ken Keefe, Making Sound Security Decisions Using Quantitative Security Metrics
- Tao Xie, AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts
- Mohammad Noureddine, Human Aware Science of Security
- Tao Xie, Science of Human Circumvention of Security
- Brighten Godfrey, Hypothesis Testing for Network Security
- Phuong Cao, Preemptive Intrusion Detection: Theoretical Framework and Real-world Measurements
- Geir Dullerud, Static Dynamic Analysis of Security Metrics for Cyber Physical Systems
- Wenxuan Zhou, Enforcing Customizable Consistency Properties in Software-Defined Networks
- Mohammad Noureddine, A Taxonomy of Human Behavior in Cybersecurity
SoS Quarterly Meetings
- July 2014, NSA SoS Quarterly Meeting, Bill Sanders, Making Sound Design Decisions Using Quantitative Security Metrics
- October 2014, NSA SoS Quarterly Lablet Meeting, Ravi Iyer, Survey on Resilience
- October 2014, NSA SoS Quarterly Lablet Meeting, Sayan Mitra, Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems
- January 2015, NSA SoS Quarterly Meeting, Matt Caesar,
- January 2015, NSA SoS Quarterly Lablet Meeting, Ravi Iyer, Preemptive Intrusion Detection: Theoretical Framework and Real-world Measurements
SoS Speaker Series
- April 2015, Somesh Jha, University of Wisconsin, Thoughts on Retrofitting Legacy Code for Security
Other Presentations
- August 2014, 2014 USENIX Summit on Health Information Technologies, Keynote, Ross Koppel: "Software Loved by its Vendors and Disliked by 70% of its Users: Two Trillion Dollars of Healthcare Information Technology's Promises and Disappointments"
- August 2014, European Sociological Association Midterm Conference, presentation, Ross Koppel: "Ethnography of Computer Security Evasions in Healthcare Organizations: Circumvention and Cyber Controls"
- November 2014, 21st ACM Conference on Computer and Communications Security (CCS), tutorial, Tao Xie: "Text Analytics for Security"
- December 2014, Rutgers University, Department of Electrical and Computer Engineering Colloquium, Sean Smith: "Circumvention: Why Do Good People Do Bad Things, and What Can We Do About It?"
- February 2015, Royal College of Physicians (Edinburgh), Keynote, Ross Koppel: "Healthcare Software Usability and the Influence on Compliance with Cybersecurity Rules"
- February 2015, Wales Health Trust at Prince of Wales Hospital, invited seminar, Ross Koppel: "Healthcare Software Usability and the Influence on Compliance with Cybersecurity Rules"
- April 2015, Symposium and Bootcamp on the Science of Security (HotSoS), invited tutorial, Jim Blythe and Sean Smith: "Understanding and Accounting for Human Behavior"
- April 2015, Human Factors and Ergonomics in Health Care: Improving Outcomes (HFES), Ross Koppel, Sean W. Smith, and Harold Thimbleby: "What You See Is What You See: Misinforming Displays in Electronic Health Care Records and Medical Devices"
- April 2015, Dagstuhl, Assuring Resilience, Security and Privacy for Flexible Networked Systems and Organizations: Sean W. Smith: "Trust Challenges in Massive Multi-organization Distributed Systems"
E). Educational
Briefly describe any changes to curriculum at your school or elsewhere that indicates an increased training or rigor in security research that your Lablet has accomplished since March 2014 to present.
[Godfrey, Caesar, Nicol, Sanders, Jin] David Nicol developed and taught a graduate course in the Science of Security for spring 2015. The seminar, ECE 598, examined a number of security papers from the literature and for each discussed the questions: what attributes of this paper either study security properties themselves as first-class objects or use scientific methodologies to identify and assess security properties, and in what ways is this paper lacking in scientific foundations for the work it presents? Discussions were lively, and exhibited a variance in students' understandings and expectations of "Science of Security." The security of computers, communications, and data is of great concern to our society. Decades of research have produced solutions to a variety of isolated problems, some of which have been produced using techniques that are recognizable as "scientific", others of which appear to be ad hoc. There is a growing sentiment in the community that research in security should be conducted when possible on a scientific or engineering basis. This course examined the questions of what might constitute a science of security, framing the questions around five "hard areas" proposed by the NSA: Composition, Policy, Metrics, Resiliency, and Human Factors. The students read and presented papers from the literature that exemplified a scientific approach to security, and wrote essays on the questions raised by the course. The course was intended for graduate students interested in trustworthy systems research.
Tao Xie is designing teaching materials on Code Hunt (https://www.codehunt.com/) released by Microsoft Research for teaching and training students on software security. The teaching materials incorporate educational gamification to teach students on improving their software security skills. Some initial designs are described in the HotSoS 2015 poster paper.
Kevin Jin has developed a new graduate-level course, CS558 Advanced Computer Security at the Illinois Institute of Technology. A key topic in this course is network security, which will cover some of the research results of this project.
Other educational and curricular plans for the UIUC SoS Lablet are:
- Plans for the UIUC SoS Summer School are in the early organizational stages.
- Three undergraduate and one graduate intern have been selected for the UIUC SoS Lablet Summer Internship Program. They will begin working on their research projects in June 2015.