Attack Surface and Defense-in-Depth Metrics - January 2016

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Andy Meneely, Laurie Williams
Researchers: Kevin Campusano Gonzalez, Nuthan Munaiah, Jason King, Chris Theisen

HARD PROBLEM(S) ADDRESSED

• Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface
• Scalability & Composability - The project delves uses call graph data beyond the attack surface to determine the risk of a given entry point
• Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system

PUBLICATIONS

ACCOMPLISHMENT HIGHLIGHTS

• We have discovered that our original conception the attack surface can be modelled in a much more lightweight, less labor-intensive way. In particular, the "designed defenses" idea we originally proposed showed no statistical improvement over using a regular call graph, making our approach less labor-intensive than we had originaly formulated.
• We have initial results from a sensitivity analysis to improve our vulnerability prediction capabilities. In particular, we are searching for better parameters in the way we weight the edges of our call graph. Our entire analysis is still automated and extremely parallelizable, so we are searching a space of millions of optimizations to tune our models better.