Science of Human Circumvention of Science - April 2016

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Tao Xie

Co-PI(s): Jim Blythe (USC), Ross Koppel (UPenn), and Sean Smith (Dartmouth)

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

Our project most closely aligns with problem 5, "Understanding and Accounting for Human Behavior." However, it also pertains to problems 1, 2, and 3:

• Scalability and Composability: We want to understand not just the drivers of individual incidents of human circumvention, but also the net effect of these incidents.Included here are measures of the environment (physical, organizational, hierarchical, embeddedness within larger systems.)
• Policy-Governed Secure Collaboration: In order to create policies that in reality actually enable secure collaboration among users in varying domains, we need to understand and predict the de facto consequences of policies, not just the de juro ones.
• Security-Metrics-Driven Evaluation, Design, Development, and Deployment:Making sane decisions about what security controls to deploy requires understanding the de facto consequences of these deployments---instead of just pretending that circumvention by honest users never happens.

PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.

[15] Jim Blythe, Ross Koppel, Bruno Korbar, Vijay Kothari, Sean Smith. Toward Better Security Assessment Tools: Accounting for the Human with Cognitive Behavioral Agent-Based Models. Submitted to IEEE Special Issue on Intelligent Cyber Security Agents (must undergo second round of review; in process of making suggested revisions)

Abstract: Security assessment tools that incorporate faithful models of human behavior would enable security practitioners to better understand their security decisions' effects, ultimately leading to better decisions and improved security. In this paper, we explore the viability and utility of applying cognitive behavioral agent-based modeling to assess and evaluate different security postures. As an example, we discuss our work in developing an agent-based password simulation, which is validated by comparing results with published observations of human behavior. We discuss our research agenda and other promising directions for this work.

This paper addresses Problems 5, 1, 2, 3.

[16] Benjamin Andow, Adwait Nadkarni, Blake Bassett, William Enck, and Tao Xie. A Study of Grayware on Google Play. In Proceedings of Workshop on Mobile Security Technologies (MoST 2016), San Jose, CA, May 2016.

Abstract: While there have been various studies identifying and classifying Android malware, there is limited discussion of the broader class of apps that fall in a gray area. Mobile grayware is distinct from PC grayware due to differences in operating system properties. Due to mobile grayware's subjective nature, it is difficult to identify mobile grayware via program analysis alone. Instead, we hypothesize enhancing analysis with text analytics can effectively reduce human effort when triaging grayware. In this paper, we design and implement heuristics for seven main categories of grayware. We then use these heuristics to simulate grayware triage on a large set of apps from Google Play. We then present the results of our empirical study, demonstrating a clear problem of grayware. In doing so, we show how even relatively simple heuristics can quickly triage apps that take advantage of users in an undesirable way.

This paper addresses Problems 5,1,3.

[17] Tao Xie and William Enck. Text Analytics for Security. In Proceedings of the Symposium and Bootcamp on the Science of Security (HotSoS 2016), Tutorial, Pittsburgh, PA, April 2016.

Abstract: Computing systems that make security decisions often fail to take into account human expectations. This failure occurs because human expectations are typically drawn from in textual sources (e.g., mobile application description and requirements documents) and are hard to extract and codify. Recently, researchers in security and software engineering have begun using text analytics to create initial models of human expectation. In this tutorial, we provide an introduction to popular techniques and tools of natural language processing (NLP) and text mining, and share our experiences in applying text analytics to security problems. We also highlight the current challenges of applying these techniques and tools for addressing security problems. We conclude the tutorial with discussion of future research directions.

This paper addresses Problems 5,1,3.

[18] Sihan Li, Xusheng Xiao, Blake Bassett, Tao Xie and Nikolai Tillmann. Measuring Code Behavioral Similarity for Programming and Software Engineering Education. In Proceedings of the 38th International Conference on Software Engineering (ICSE 2016), SEET, Austin, TX, May 2016.

Abstract: In recent years, online programming and software engineering education via information technology has gained a lot of popularity. Typically, popular courses often have hundreds or thousands of students but only a few course staff members. Tool automation is needed to maintain the quality of education. In this paper, we envision that the capability of quantifying behavioral similarity between programs is helpful for teaching and learning programming and software engineering, and propose three metrics that approximate the computation of behavioral similarity. Specifically, we leverage random testing and dynamic symbolic execution (DSE) to generate test inputs, and run programs on these test inputs to compute metric values of the behavioral similarity. We evaluate our metrics on three real-world data sets from the Pex4Fun platform (which so far has accumulated more than 1.7 million game-play interactions). The results show that our metrics provide highly accurate approximation to the behavioral similarity. We also demonstrate a number of practical applications of our metrics including hint generation, progress indication, and automatic grading.

This paper addresses Problems 5,1,3.

ACCOMPLISHMENT HIGHLIGHTS

Via fieldwork in real-world enterprises, we have been identifying and cataloging types and causes of circumvention by well-intentioned users. We are using help desk logs, records security-related computer changes, analysis of user behavior in situ, and surveys--in addition to interviews and observations. We then began to build and validate models of usage and circumvention behavior, for individuals and then for populations within an enterprise--as well as developing some typologies of the deeper patterns and causes.

We have built a password simulation for measuring the security associated with a password composition policy, taking into account human circumventions such as writing down and reusing passwords. We've also taken more steps toward validation.

We have been developing questionnaires for both high-level computer security professionals and general users. The results will enable us to better understand computer security perceptions and behaviors. Moreover, they will allow us to produce more faithful models of human behavior.

We have built a platform on Mechanical Turk for conducting password security experiments. We are beginning to carry out these experiments.

We have begun collaboration with researchers at University of Pennsylvania who specialize in simulating and checking Markov chain models. The goal is to blend these Markov-based models with our DASH model to tackle security problems.

We are now working on implementing a version of DASH in Python. We are also working on implementing a new version of the password simulation built atop this Python version of DASH.