USE: User Security Behavior (CMU/Berkeley/University of Pittsburgh Collaborative Proposal)
Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.
PI(s): A. Acquisti, L.F. Cranor, N. Christin, R. Telang
Researchers: Alain Forget (CMU), Serge Egelman (Berkeley), and Scott Beach (Univ of Pittsburgh)
1) HARD PROBLEM(S) ADDRESSED (with short descriptions)
This refers to Hard Problems, released November 2012.
5. Understanding and Accounting for Human Behavior
The Security Behavior Observatory addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild". This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.
2) PUBLICATIONS
Report papers written as a result of this research. If accepted by or submitted to a journal, state which journal. If presented at a conference, state which conference.
A. Forget, S. Komanduri, A. Acquisti, N. Christin, L.F. Cranor, R. Telang. "Security Behavior Observatory: Infrastructure for Long-term Monitoring of Client Machines." Carnegie Mellon University CyLab Technical Report CMU-CyLab-14-009. https://www.cylab.cmu.edu/research/techreports/2014/tr_cylab14009.html (accessed 2014-09-05)
A. Forget, S. Komanduri, A. Acquisti, N. Christin, L.F. Cranor, R. Telang (2014). Building the Security Behavior Observatory: An Infrastructure for Long-term Monitoring of Client Machines. Invited talk and poster at the IEEE Symposium and Bootcamp on the Science of Security (HotSoS) 2014.
By its very nature - building infrastructure to collect data, then collecting, and eventually analyzing the data - the project has a long setup phase. As a result, it will likely be much more publication-centered toward the second half of its projected duration. However, we are confident that the greater number and quality of sensors we are building, together with the more secure, reliable, and robust infrastructure we continue to build, will provide more and better data, resulting in more and stronger publications.
That said, we are currently analyzing early data from the SBO to validate our UC Berkeley collaborator's Security Behavior Intentions Scale, and we hope to submit this work for peer review and publication soon. Time permitting, we may also submit a seminal paper solely about the SBO infrastructure with some early results. Finally, we also hope to compile the lessons learnt about building and launching such a large-scale field study into another publication.
3) KEY HIGHLIGHTS
1) The completion of development of our improved client data collection software, version 2.0, which provides additional data collection functionality and should resolve many of the technical hurdles encountered with the previous version's deployment and long-term stability.
2) Successful deployment tests of version 2.0 of our data collection software on our currently active clients' machines. After some final stability tests, we will begin recruiting more participants, with the goal of reaching 100 active clients as soon as possible.
3) Alongside our existing sensors, several new sensors are being deployed to our clients, including:
- A logs sensor that obtains logs generated by the security software most popular with our clients, including Avast, AVG, Kaspersky, MalwareBytes, McAfee, Norton, and Webroot.
- An improved process sensor that logs snapshots of the clients' running processes and detects the files and network ports each process accesses, allowing us, among other things, to trace potentially malicious programs' behavior on clients' systems and the Internet.
- A session sensor that collects information on the state of the client machine, including events such as login, logout, lock, unlock, shutdown, startup, and various power related events.
- A registry sensor that allows us to query clients' Windows registry, which frequently contains detailed information about the configuration settings of the operating system and most applications.
- A WMI sensor which can run queries through the client's Windows Management Instrumentation (WMI) interface, providing a plethora of system information.
4) We are continuing our early data analysis project, which examines how user-reported security behavior intentions contrast with their actual behaviors and aims to give a general understanding of the state of our early clients' machines with respect to security, or the lack thereof. We hope to submit these data analysis results for peer review and publication soon.