Visible to the public SoS Lablet Annual Report - NCSUConflict Detection Enabled

Submitted by drwright on Wed, 05/04/2016 - 5:28am

Lablet Annual Report
Purpose: To highlight progress made within the first base year (March 2014 to Present). Information is generally at a higher level which is accessible to the interested public. This will be published in an overall SoS Annual Report to be shared with stakeholders to highlight the accomplishments the Lablets have made over the past year.

A). Lablet Introduction

North Carolina State University’s (NCSU) Science of Security Lablet (SoSL) has embraced and helped build a foundation for NSA’s vision of the Science of Security (SoS) and of a SoS community.  We have emphasized data-driven discovery and analytics to formulate, validate, evolve, and solidify the theory and practice of security. Efforts in our current lablet have yielded significant findings, providing a deeper understanding of users’ susceptibility to deception, developers’ adoption of security tools, how trust between people relates to their commitments.  Motivated by NSA’s overarching vision for SoS and building on our experience and accomplishments, we are (1) developing a science-based foundation for the five hard problems that we previously helped formulate; and (2) fostering a SoS community with high standards for reproducible research. Our approach involves a comprehensive, rigorous perspective on SoS, including an integrated treatment of technical artifacts, humans (both stakeholders and adversaries) along with relationships and processes relevant to the hard problems.  Continual evaluation of our research and community development efforts is key to our approach.

 

Team Overview

We have formed teams to conduct scientific research and evaluate progress on hard problems: Security Metrics and Models; Humans; Policy; and Resilient Architectures. The Scalability and Composability hard problem has no explicit team since we address it as a secondary hard problem in several of our projects.  Each Hard Problem team is composed of three or four projects researching complementary aspects of the Hard Problem. We also have additional teams for Research Methods, Community Development and Support, and for Evaluation.

  • Security Metrics and Models

    Attack Surface and Defense-in-Depth Metrics:  Rochester Institute of Technology:  Andy Meneely, NC State University:  Laurie Williams

    Systematization of Knowledge from Intrusion Detection Models:  NC State University:  Huaiyu Dai, Rochester Institute of Technology:  Andy Meneely

    Vulnerability and Resilience Prediction Models:  NC State University:  Mladen Vouk, Laurie Williams

  • Humans

    Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability:  NC State University:  Christopher B. Mayhorn, Emerson Murphy-Hill

    A Human Information-Processing Analysis of Online Deception Detection:  Purdue University:  Robert W. Proctor, Ninghui Li

    Leveraging the Effects of Cognitive Function on Input Device Analytics to Improve Security:  NC State University:  David L. Roberts, Robert St. Amant

  • Policy

    Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems:  NC State University:  Emily Berglund, Jon Doyle, Munindar Singh

    Formal Specification and Analysis of Security-Critical Norms and Policies:  NC State University:  Jon Doyle, Munindar Singh, Rada Chirkova

    Scientific Understanding of Policy Complexity:  Purdue University:  Ninghui Li, Robert Proctor, NC State University:  Emerson Murphy-Hill

    Privacy Incidents Database:  NC State University:  Jessica Staddon

  • Resilient Architectures

    Resilience Requirements, Design, and Testing:  University of Virginia:  Kevin Sullivan, NC State University:  Mladen Vouk, University of North Carolina at Charlotte:  Ehab Al-Shaer

    Redundancy for Network Intrusion Prevention Systems (NIPS):  University of North Carolina:  Mike Reiter

    Smart Isolation in Large-Scale Production Computing Infrastructures:  NC State University:  Xiaohui (Helen) Gu, William Enck

    Automated Synthesis of Resilient Architectures:  University of North Carolina at Charlotte:  Ehab Al-Shaer

  • Research Methods, Community Development and Support:  University of Alabama:  Jeff Carver, NC State University:  Lindsey McGowen, Jon Stallings, Laurie Williams, David Wright
  • Evaluation:  NC State University:  Lindsey McGowen, Jon Stallings, David Wright, University of Alabama:  Jeff Carver

B). Fundamental Research

High level report of results for each project that helped move security science forward -- in most cases it should point to a "hard problem". - 1 paragraph per project

  • Security Metrics and Models

    • Attack Surface and Defense-in-Depth Metrics

      Our main technical accomplishment this year has been in being able to map the attack surface using stack traces.  Williams and Theisen were able to show that attack surface data can be used to predict vulnerabilities in binaries that crashed and had stacktraces reported.  Beyond that, we have developed a prediction model that uses random walks on call graphs to predict vulnerabilities at the method level.  This prediction model out-performs the literature in vulnerability prediction.

    • Systematization of Knowledge from Intrusion Detection Models

      Our main technical accomplishment has been the data collection, processing, and analysis of IDS literature for a systematic literature review.  Publication of these results are forthcoming.  Specifically, we have discovered that IDS literature does not use consistent evaluation metrics.  Researchers will often pick the evaluation metrics that cast their own research in the best light, and ignore trade-offs in their analysis.  For example, in samples we examined that use "precision" as an evaluation metric, less than half used "recall", despite the widespread use of presenting both precision and recall together in statistical communities.  These inconsistencies span multiple categories of metrics, such as failing to report space metrics when speed was being evaluated, or only evaluating precision and recall metrics without metrics of speed and space.  Worse yet, this problem has persisted over the years and has not improved as the number of IDS papers per year has increasingly grown. These inconsistencies make systematization a considerably challenging task in the intrusion detection research community.  In a second area, we initiated the investigation of game-theoretic approaches to addressing the dynamic interplay between the intruders and IDS. In particular, we achieved two accomplishments in this direction.  First, we tackled the challenging dynamic IDS configuration problem under the scientific framework of stochastic game with incomplete information, and proposed a new algorithm, Bayesian Nash-Q learning, to solve it.  We then explored the benefits of collaboration among IDS systems.  The problem is formulated as a two-layer game: the first layer game models the interplay between each IDS and its corresponding attackers, while the second-layer game models the collaboration among the IDSs.  We finished the algorithm design for collaborative IDS configuration, and tested it through extensive simulations.  Simulation results indicate that the proposed scheme can facilitate effective resource-sharing among IDSs, leading to significant gain in detection performance.

    • Vulnerability and Resilience Prediction Models

      Resilience of software to attacks is an open problem.  Resilience depends on the science behind the approach used, as well as on our engineering abilities.  The scope includes recognition of attacks through metrics and models we use to describe and identify software vulnerabilities, and the models we use to predict resilience to attacks in the field (Security Metrics and Models).  It also depends on the software (and system) architecture(s) used (Security Metrics and Models), and their scalability (Scalability and Composability).  For example, if one has a number of highly attack-resilient components and appropriate attack sensors, is it possible to compose a resilient system from these parts, and how does that solution scale and age?  Cyber-attacks and breaches are often detected too late to avoid damage.  "Classical" reactive cyber defenses usually work only if we have some prior knowledge about the attack methods and "allowable" patterns.  Properly constructed redundancy-based anomaly detectors can be more robust and adaptable, and often they are able to detect even zero day attacks.  Mitigation and management of detected issues can then follow in a number of ways.  In the world where Internet of Things (IoT) elements are a routine component of a workflow, security will be orders of magnitude more difficult unless we make those elements security aware and self-defending from the start.  During the last year we have shown through both experimental and theoretical work that redundancy-based security anomaly detectors are viable and have considerable ability to recognize some high-risk and difficult to detect attacks (including zero-day attacks) on web servers - a likely management interface for many IoT elements.  In parallel, we have been investigating security of cloud-based application chains that may also benefit from pro-active resilience.  We find that (1) three security properties (i.e., input validation, remote access validation, and data integrity) are essential for making such workflows more secure, and (2) that use of a security-aware provenance collection can help secure such chains.  We are working on a model that integrates IoT based attack detectors into workflow (application chain) resilience solutions.

  • Humans
    • Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability

      In the past year, we completed two behavioral studies associated with phishing susceptibility and we are the process of beginning data collection on a third study.  In our initial study this year, we developed a study to explore how the mental models of security experts and novices differed with regard to phishing-related terms.  The terms were divided into three categories: prevention of phishing, trends and characteristics of phishing attacks, and the consequences of phishing.  Expert mental models were more complex with more links between concepts.  Specifically, experts had sixteen, thirteen, and fifteen links in the networks describing the prevention, trends, and consequences of phishing, respectively; however, novices only had eleven, nine, and nine links in the networks describing prevention, trends, and consequences of phishing, respectively.  In our second study, two reviewers assessed a cache of eight hundred eighty-seven phishing emails from Arizona State University, Brown University, and Cornell University by examining them for attributes consistent with Cialdini's six principles of persuasion:  authority, social proof, liking/similarity, commitment/consistency, scarcity, and reciprocation.  A correlational analysis of email characteristics by year revealed that the persuasion principles of commitment/consistency and scarcity have increased over time, while the principles of reciprocation and social proof have decreased over time.  Authority and liking/similarity revealed mixed results with certain characteristics increasing and others decreasing.  Most recently, we applied for and received IRB approval from NCSU and the NSA to conduct a third study that will explore the interaction between persuasive attributes in phishing emails and user personality characteristics.  Stimulus development and programming is well under way with data collection to begin this summer.

    • A Human Information-Processing Analysis of Online Deception Detection

      We completed the field study of a phishing warning Chrome extension in which we carried out a simulated phishing attack that bypassed the currently deployed defenses and reached almost all participants. Our results demonstrate the warning extension's ability to protect users against phishing, and the importance of combining skill training with understandable warning messages.  We also evaluated the influence of domain highlighting in two experiments in which participants judged the legitimacy of web pages.  Instructions to attend to the address bar improved detection of fraudulent web pages, whereas domain highlighting had little influence.  In the second experiment, analysis of eye-gaze fixation measures showed that people attend to the highlighted domain on the address bar but this did not impact their judgments.  This outcome implies that users lack knowledge of webpage security cues or how to use those cues.

    • Leveraging the Effects of Cognitive Function on Input Device Analytics to Improve Security

      We developed a set of cognitive labels that are based on a first-pass at segmenting typing data collected during our studies.  The labels include descriptions of motor processing, visual processing, and memory cognitive phenomena. Ultimately, the sequence, duration, and intervals between these labels will serve as descriptions of "normal" or "expected" behaviors for HSPs.  To supplement those data, we collected eye tracking data during task interactions to provide additional insight into cognition.  The eye motion data enables us to become much more detailed in labeling segments of time-series data with lower-level cognitive processes.  We have processed the eye tracking data to compute gaze fixations and saccades.  Fixations and saccades are extremely useful for identifying points in the data that are reflective of the different cognitive processes we're interested in modeling.  Visualization tools have also been invaluable in hypothesis generation for features of the log data that reflect the cognitive processes we're interested in detecting.  Using our visualization tool and the data we collected, we have discovered the need to identify with a high-degree of confidence the "perceptual segmentation" of words during transcription typing.  Our data suggest (and existing literature backs up) that users read words on the screen in a way that reflects dividing words into smaller, more recognizable and easily-spelled chunks.  For the tasks we're focusing on, characterizing these chunks and the way users identify them is critical to success.  Accordingly, we refined our visualization tool to facilitate a more detailed exploration of user task performance and enable a realtime comparison of the empirical data to an arbitrary cognitive model. Our tool now supports applying cognitive labels to sequences of task data based on human annotation in addition to model-based annotations.  The model-based annotations can be integrated from existing cognitive modeling tools like ACT-R. Using this ACT-R integration, we have identified parameters that, when tuned, explain the differences in the typing speed based on familiarity of word being typed.  Taken together, the visualization, data modeling, and cognitive modeling have laid a strong foundation for HSPs moving forward.  Our efforts have resulted in tools and techniques to identify, describe, and probe specific cognitive functions during typing data tasks, and our next steps will be to implement primitive HSPs in more complex environments.

  • Policy
    • Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems

      This year we have focused on (1) identification of mathematical concepts relevant to expressing precise measures of system stability and resilience; (2) development of simple yet realistic abstract models of research organizations self-governed by self-enforced productivity and security norms; and (3) evaluation of hypotheses about these models using both computer simulations and experiments involving humans playing games based on the models.

    • Formal Specification and Analysis of Security-Critical Norms and Policies

      Our work has focused on (1) development of a formal language, formal semantics, and methodology for expressing, assessing, and verifying practicable statements of security, technical, regulatory, and social norms, including information about what norms govern action when norms conflict; (2) development of studies and experiments to assess the usability and comparative usability of this language and methodology.

    • Scientific Understanding of Policy Complexity

      We studied the reasons why large firewall policies are often too complex to understand and are error-prone, and identified three factors:  (1) firewall rules may conflict with each other; (2) policies expressed in ACL-based languages are monolithic; and (3) complex policies require a large number of rules.  A monolithic policy can only be understood as a whole.  This becomes infeasible as the policy gets large, since most people are unable to put a large amount of information in the working memory.  To reduce the complexity, we decided to tackle the monolithic nature of current firewall policies and developed an approach to specify modular policies. We identified five requirements for a successful modularization approach (i.e., logical partitioning into modules, isolation among components, flexible partitioning structure, human-computable policy slicing, and readily deployability).  We introduced our Tri-modular approach of modularizing firewall policies.  This includes identifying a primary attribute, which is either the source IP, the destination IP, or the service, and organizing a policy into three kinds of modules: primary, auxiliary, and template.  Beyond making policies more modular and easier to understand, our approach also supports policy refactoring, either by distilling templates from recurring patterns, or by breaking up a large module into multiple smaller ones, each covering a subset of the IP range.  To support legacy firewall policies, we have defined a 5-step process and introduced algorithms for converting them into their modularized form.  We have also implemented an automated tool for this purpose.  By utilizing the tool, we have converted several real-world firewall policies into their modularized form, and found that the process consistently improved the understanding of a policy, and the benefit is much more significant when the policy is large and/or when it has substantial usage of both permit and deny rules.

    • Privacy Incidents Database

      Our project was not funded until March 2016, so we are just getting started and have nothing to report for this period.

  • Resilient Architectures
    • Resilience Requirements, Design, and Testing

      During this year, we developed models and tools for resilient system verification.  In specific, we developed a language to model attacks, specifically DDoS and Worms propagation attacks.  To specify various attack scenarios, we define a language that the users can use to define the attack models to be used to verify resiliency.

    • Redundancy for Network Intrusion Prevention Systems (NIPS)

      While network optimization is central to many SDN applications, few efforts have attempted to make it accessible.  The goal of our research this year was a general, efficient framework for expressing and solving network optimizations in support of a wide range of network management and security applications.  Our framework, SOL, achieves both generality and efficiency via a path-centric abstraction, in which network managers express policies in terms of the characteristics of the forwarding paths that should be permissible for different classes of traffic (including the network functions that must be applied to each class).  We have shown that SOL can concisely express applications with diverse goals (traffic engineering, offloading, topology modification, service chaining, etc.)  and yields optimal or near-optimal solutions with often better performance than custom formulations.  Thus, SOL can lower the barrier to entry for novel SDN network optimization applications.

    • Smart Isolation in Large-Scale Production Computing Infrastructures

      In the past year, we have progressed our characterization of existing security isolation techniques.  The characterization highlights aspects that supports resiliency, and our survey of existing literature reveals relatively few instances of proactive or dynamic isolation.  Based on this survey study, we started to explore primitives for proactive and dynamic security isolation techniques.  We decided to start from the Docker isolation technology as it recently become the de factor isolation solution in industry.  We have downloaded and analyzed over 40K docker images from DockerHub to study the vulnerability of existing Docker images.  Our results show that the vulnerability issue is prevalent and an intelligent vulnerability detection and containment technique is a must.  When studying existing literature, we also found that primitives such as capabilities and information flow control (IFC) enable a form of dynamic isolation.  That is, the isolation protection domain changes based on runtime events.  Historically, IFC systems have limited practical applications.  Our research invited the notion of "lazy polyinstantiation" to make IFC more practical by limiting label explosion while maintaining compatibility with legacy software.

    • Automated Synthesis of Resilient Architectures

      We use hypothesis testing to improve our automated synthesis of security configuration framework in order to determine the optimal fine-grain isolation between any two hosts in the network.  Our approach enables the users of the system to incrementally until the configuration for statistically optimal isolation is found.  We also created on this year a formal model to enable resilient-by-construction development of cyber system.  Our preliminary model has two components: (1) resiliency metrics based on Cyber Resilience Engineering Framework (CREF), and (2) formal verification to investigate and extend the cyber model in order to exhibit the desired resilient properties in the design phase.

 

C). Hard Problem Progress

In one paragraph, please provide a statement of the progress this project has made towards meeting the challenge of the associated primary hard problem. This should be in the form of a "Before and Now" discussion and should include 1 - 4 relevant references that identify the "Before" state and that support your project's progress.

  • Security Metrics and Models

    • Attack Surface and Defense-in-Depth Metrics

      Before April 2015, we did not know if vulnerabilities could be predicted any better by incorporating attack surface data.  Today, we know that the models improve when we simulate attacker behavior by conducting random walks on the call graph starting from the attack surface.  This progress is important: with these metrics we are one step closer to being able to identify vulnerabilities as the code is written, instead of relying on patching them after the fact. We are currently submitting this for publication and revising the manuscript based on reviewer feedback.  Nuthan Munaiah used this research to pass his PhD qualifier exam, with the evaluation committee saying that this was "the best qualifier research we've seen in years."

      • Christopher Theisen. 2015. Automated attack surface approximation. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2015). ACM, New York, NY, USA, 1063-1065. DOI=http://dx.doi.org/10.1145/2786805.2807563

      • Chris Theisen, and Laurie Williams, “Poster: Risk-Based Attack Surface Approximation”, to appear in HotSoS 2016.

    • Systematization of Knowledge from Intrusion Detection Models

      Before April 2015, we understood that the research into Intrusion Detection Systems was vast.  The number of IDS papers have been increasing drastically over the years. What we understand today is that empirical evaluation of IDS research is highly inconsistent, and often exaggerated by showing only the "good half" of the trade-offs.  Systematization of intrusion detection knowledge, then, will have to first identify a set of standard evaluation metrics that every empricial study ought to follow, so that future systematic literature reviews may make fair comparisons.  Also, there was little work on IDS configuration in the presence of unknown system dynamics and intruder type uncertainty.  We have developed a general incomplete-information stochastic game framework that can be readily applied to the dynamic IDS configuration problem, leading to high-fidelity intruder type detection and effective IDS configuration.  Finally, prior to our SoSL efforts, there was no design for computational resource sharing in IDS networks, and little quantitative study on the benefits of IDS collaboration.  We have developed such a design based on a two-layer game-theoretic approach, and derived the conditions under which there is a guaranteed performance improvement as compared to the autonomous IDS system.

      • Xiaofan He, Huaiyu Dai, P. Ning, and R. Dutta,  Dynamic IDS Configuration in the Presence of Intruder Type Uncertainty, IEEE Global Conference on Communications (GLOBECOM), San Diego, CA, Dec. 2015.

      • Richeng Jin, Xiaofan He, and Huaiyu Dai, Collaborative IDS Configuration: A Two-layer Game Theoretic Approach,  2016 IEEE Global Conference on Communications (GLOBECOM), submitted.

    • Vulnerability and Resilience Prediction Models

      The primary hard problem of concern here is in the domain of Resilient Architectures. Secondary hard problems are a) Security Metrics and Models, and b) Scalability and Composability.  While redundancy-based run-time problem detection is not novel and has been in use in high-assurance systems for decades, surprisingly few systems are cyber-attack resilient.

      • Eric Totel, Frederic Majorczyk, and Ludovic Me. Cots diversity based intrusion detection
        and application to web servers. In Proceedings of the 8th International Conference on
        Recent Advances in Intrusion Detection, RAID'05, pages 43-62, Berlin, Heidelberg, 2006.
        Springer-Verlag.

      • Fred Schneider, "Blueprint for science of cybersecurity," The Next Wave, Vol19, No 2, 2012, pp 47-57

      • Roopak Venkatakrishnan and Mladen A. Vouk,
        "Using Redundancy to Detect Security Anomalies: Towards IoT security attack detectors,"
        ACM Ubiquity, Volume 2016, January issue, pp 1-19, (http://ubiquity.acm.org/article.cfm?id=2822881)

      • Roopak Venkatakrishnan, Mladen Vouk, “Diversity-based Detection of Security Anomalies,”  Proceedings of the Symposium and Bootcamp on the Science of Security (HotSoS), April 8-9, 2014, Raleigh, NC, USA.Raleigh, NC,  pp 160-161

  • Humans
    • Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability

      Before we began our work this year, our previous efforts revealed the cognitive and psychosocial factors that influence phishing susceptibility. Based on these previous results, we now have focused on understanding how and why social engineering works by investigating two particular psychosocial factors: previous experience and personality. By studying how mental models differ between security experts and novices, we have determined that previous experience frames the manner in which individuals approach security issues. This information could provide a basis for future research on how mental models could be used to determine phishing vulnerability and the effectiveness of phishing training. Likewise, our efforts to classify the content of hundreds of phishing emails in terms of persuasion and communication has allowed us to delve deeper into the interactions between message content and user characteristics such as personality.

      • Zielinska, O.A., Welk, A. K., Murphy-Hill, E. & Mayhorn, C. B. (2016).  The underlying phish: Examining the social psychological principles hidden in the phishing email message.  Proceedings of HotSoS: Symposium and Bootcamp on the Science of Security.  Pittsburgh, PA.

      •  Zielinska, O.A., Welk, A. K., Murphy-Hill, E. & Mayhorn, C. B. (2016).  A temporal analysis of persuasion principles in phishing emails.  Proceedings of the Human Factors and Ergonomics Society 60th Annual Meeting.  Santa Monica, CA: Human Factors and Ergonomics Society.

      • Zielinska, O.A., Welk, A. K., Murphy-Hill, E. & Mayhorn, C. B. (2015).  Exploring expert and novice mental models of phishing.  Proceedings of HotSoS: Symposium and Bootcamp on the Science of Security.  Urbana-Champaign, IL.

    • A Human Information-Processing Analysis of Online Deception Detection

      Before our work began, warnings mainly focused on increasing users' awareness and understanding of phishing attacks but not the skills needed to identify phishing web pages.  We incorporated a short skill training into a field phishing experiment and found that this training was necessary for a phishing warning to be effective.  Also, there was evidence suggesting that domain highlighting provides "some benefit"  to counteract phishing attacks.  However, previously, the effectiveness of domain highlighting was not clearly shown since highlighting was accompanied by an instruction to look at the address bar.  Through properly controlled experiments, we have found that domain highlighting does not provide even limited benefit.  We now know that for any active warning or passive warning to be effective, users will have to be equipped with the knowledge of how to use the cued information. 

      • Chen, J., Yang, W., Xiong, A., Li, N., & Proctor, R. W. (2015, August).  Warning users of phishing attacks with a Google Chrome extension.  Paper presented at Human-Computer Interaction International 2015, Los Angeles, CA.

      • Xiong, A., Yang, W., Li, N., & Proctor, R. W. (2015, November). Improving detection of phishing attacks by directing users' attention to domain highlighted URLs. Paper presented at the 45th Annual Meeting of the Society for Computers in Psychology, Chicago, IL.

    • Leveraging the Effects of Cognitive Function on Input Device Analytics to Improve Security

      Before our project began, the state of the art in security systems that differentiate legitimate human users from unauthorized bot users would require that users to "prove" they are human through one of two methods: explicit action on the part of the user forms what are known as Human Interactive Proofs (HIP), while passive observation of user tendencies form what are known as Human Observational Proofs (HOP).  CAPTCHAs are a common examples of HIPs.  An example of an observational proof is examining the spatial signature of mouse click locations as influenced by an interface layout.  HIPs, while generally more accurate, have a cost of increased cognitive burden and disrupt users from performing tasks.  HOPs, on the other hand, are not as intrusive, but may sacrifice accuracy as a result.  Probing human cognition through subtle task modification form the basis of Human Subtlety Proofs (HSP) in our work.

      • T. Barik, B. Harrison, D.L. Roberts, and X. Jiang, Spatial Game Signatures for Bot Detection in Social Games, Proceedings of the Artificial Intelligence and Interactive Digital Entertainment Conference. AAAI Press, 2012.
      • Y. W. Chow, W. Susilo, and H. Y. Zhou, CAPTCHA challenges for massively multiplayer online games: Mini-game CAPTCHAs. International Conference on Cyberworlds, pp. 254-261. IEEE, 2010.
      • S. Gianvecchio, Z. Wu, M. Xie, and H. Wang, Battle of botcraft: fighting bots in online games with human observational proofs, Proceedings of the ACM Conference on Computer and communications Security, pp. 256-268. ACM, 2009.
      • L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, CAPTCHA: Using Hard AI Problems for Security, EUROCRYPT 2003: International Conference on the Theory and Applications of Cryptographic Techniques. 2003.
  • Policy
    • Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems

      Previous research did not study social architectures requisite for the adoption and enforcement of normative requirements and the creation of flexible trust relationships.  We have begun to create models of social architectures in qualitative terms as a basis for further empirical validation with users. We have developed a simulation approach that accommodates both social and technical concerns in a setting where the interactions among the participants are not predetermined. This approach considers integrity violations (which technical mechanisms avoid) and conflicts (which social mechanisms in the form of norms help reduce). We revised and completed an article on extracting trust relationships (related to norms, specifically, commitments) from natural language communications among autonomous people. We revised and completed an article on sanctioning that we had begun previously -- sanctioning is important as a social approach that puts teeth into norms.

      • H. Du, B. Narron, N. Ajmeri, E. Berglund, J. Doyle,\M. Singh. 2015. Understanding Sanction under Variable Observability in a Secure, Collaborative Environment, in Proceedings of 2015\Symposium and Bootcamp on the Science of Security (HotSoS ’15).

      • H. Du, B. Narron, N. Ajmeri, E. Berglund, J.  Doyle, M. Singh, ENGMAS:  Understanding Sanction under Variable Observability in a Secure Environment, Second International Workshop on Agents andCyberSecurity (ACySe 2015), Istanbul, Turkey, May 4-8, 2015.

    • Formal Specification and Analysis of Security-Critical Norms and Policies

      Prior to the SoSL efforts, although policy approaches existed that handled authentication and authorization of users for performing data operations based on attribute or role-based credentials, they did not adequately and explicitly characterize the correctness requirements for secure collaboration and their impact on security.  We have advanced our understanding of how to express and validate normative requirements that are left implicit in previous research.  Specifically, we have developed elements of a formal language that helps capture various subtleties of secure collaboration requirements, including priorities between them.  We have developed initial mathematical models for determining whether those requirements are mutually consistent.  We have developed methods for expressing which norms take precedence when norms conflict.  We have developed initial methods to determine whether participants are interacting in a way that complies with the stated requirements or deviates from the requirements only when necessary to satisfy higher priority requirements. We have developed an approach for representing social protocols, as needed for expressing social architectures for cybersecurity. We have developed an approach for mapping norms (in their changing states) to information stores capturing events.

      • N. Ajmeri, J. Jiang, R. Chirkova, J. Doyle, M. Singh, Coco: Runtime Reasoning about Conflicting Commitments, Proceedings of the Twenty-Fifth International Joint Conference on Artificial Intelligence (IJCAI-2016), New York, NY, July 2016 (to appear).

      • J. Jiang, N. Ajmeri, R. Chirkova, J. Doyle, M. Singh, Expressing and Reasoning about Conflicting Norms in Cybersecurity: Poster, Symposium and Bootcamp on the Science of Security (HotSoS 2016), Pittsburgh, Pennsylvania, April 19-21, 2016.

    • Scientific Understanding of Policy Complexity

      Before our work, attempts at making firewall policies less complex either focuses on introducing syntactic sugars, or tries to make firewall policies modular, but still fail to achieve it.  For example, a notion of modular firewall policy was introduced in Acharya et al. 2010, where a firewall policy is considered modular if the policy is partitioned into multiple policy components such that each packet is accepted by at most one component. This approach is still inherently monolithic, since one still potentially needs to examine all components when trying to understand what is the decision for one packet.  Now we have introduced an approach to create modularized policy.

      • H. B. Acharya, A. Joshi, and M. G. Gouda.  Firewall modules and modular firewalls. In ICNP '10, pages 174-182, 2010.
      • A. Wool.  Trends in firewall configuration errors: Measuring the holes in swiss cheese.  IEEE Internet Computing, 14(4):58-65, July 2010.
  • Resilient Architectures
    • Resilience Requirements, Design, and Testing

      It was not clear before what and how resiliency properties can be defined.  Now we developed several properties and showed that they are useful to measure resiliency.

      • Ke Dou, Xi Wang, Chong Tang, Adam Ross, Kevin Sullivan, "An evolutionary theory-systems approach to a science of the ilities," 2015/12/31, Elsevier, Procedia Computer Science 44, pp. 433-442.

    • Redundancy for Network Intrusion Prevention Systems (NIPS)

      Before our research, realizing the benefits of software-defined networking (SDN) for network management resilient to changing conditions required a deep level of expertise.  At the core of many SDN applications are custom optimization problems to tackle various constraints and requirements that arise in practice (e.g., [Heller et al. 2010, Heorhiadi et al. 2014, Jain et al. 2013]).  For instance, an SDN application might need to account for limited TCAM, link capacities, or middlebox capacities, among other considerations.  Developing such formulations involves a non-trivial learning curve, a careful understanding of theoretical and practical issues, and considerable manual effort.  Furthermore, when the resulting optimization problems are intractable to solve with state-of-the-art solvers (e.g., CPLEX or Gurobi), heuristic algorithms must be crafted to ensure that new configurations can be generated on timescales demanded by the application as relevant inputs (e.g., traffic matrix entries) change.  And, without a common framework for representing network optimization tasks, it is difficult to reuse key ideas across applications or to combine useful features into a custom new application.  Our research has developed a framework for writing such SDN-based network optimization applications that raises the level of abstraction of (and decreases the needed expertise for) doing so, and that meets two important requirements: (1) generality to express the requirements for a broad spectrum of SDN applications (e.g.,  traffic engineering, policy steering, load balancing, and topology management); and (2) efficiency to generate (near-) optimal configurations on a timescale that is responsive to application needs.

      • B. Heller, S. Seetharaman, P. Mahadevan, Y. Yiakoumis, P. Sharma, S. Banerjee, and N. McKeown.  ElasticTree: Saving energy in data center networks.  In 7th USENIX Symposium on Networked Systems Design and Implementation, pages 19-21, 2010.
      • V. Heorhiadi, S. K. Fayaz, M. K. Reiter, and V. Sekar.  SNIPS: A software-defined approach for scaling intrusion prevention systems via offloading.  In 10th International Conference on Information Systems Security, Dec. 2014.
      • S. Jain, et al.  B4: Experience with a globally-deployed software defined WAN. In ACM SIGCOMM, pages 3-14, 2013.
    • Smart Isolation in Large-Scale Production Computing Infrastructures

      Previously, security isolation was viewed primarily as static building block for resilient architectures.  The only available survey of security isolation techniques was an unpublished draft by Viswanathan and Neuman [2010].  Our survey paper on security isolation [Shu et al., in press] explores how isolation is capable of providing both static and dynamic building blocks.  We observed that the key challenge for using security isolation as a dynamic building block for resilient architectures is achieving adaptability and measurability without sacrificing practical constraints.  To this end, we are studying new primitives that provide practical adaptability based on measurable events.

      • A. Viswanathan and B.C. Neuman.  A Survey of Isolation Techniques.  USC Information Sciences Institute, 2010.
      • R. Shu, P. Wang, S. Gorski, B. Andow, A. Nadkarni, L. Deshotels, J. Gionta, W. Enck, X. Gu, A Systematic Study of Security Isolation,  to appear ACM Computing Surveys (CSUR).
    • Automated Synthesis of Resilient Architectures

      It was not clear before how we can refine our search for finding a fine-grain isolation for resiliency.  Now, we discovered a new technique based on hypothesis testing that shows to be effective for this purpose. Users can now interact with the system to determine the appropriate granularity level of isolation.

 

D). Publications

Please list all publications published in the base year starting in March 2015 to March 2016.

E). Community Engagements

  • Hosted the 4th annual NCSU SoS Lablet Community Day on October 29, 2015. The goal of the meeting was to foster collaboration and knowledge transfer between the SoS Lablet and the local Security Community. The community meeting was attended by 28 non-Lablet participants from industry, academia, and government. The event involved student presentations in the pecha kucha style followed by four industry presentations.
  • Over the last year, out researchers have established collaborations with several  Industry and Government organizations, including IBM, Cisco, and the National Institute of Standards and Technology (NIST). 

  • On June 23-24, 2015, we hosted an invitation-only planning workshop for an upcoming NSA workshop on Science of Privacy. This gave us an opportunity to discuss Science of Security with visitors and to present posters on Lablet research.

  • On February 2-3, 2016, we hosted the Science of Security Quarterly Meeting.  A highlight of the meeting was a talk by Dr. Henry Petroski, Aleksandar S. Vesic Professor of Civil Engineering at Duke University, on the paradoxial relationship between success and failure in design.

  • We are continuing to dedicate efforts to building these kinds of relationships, including our 2016 summer workshop that has the theme "Translating Science of Security Research to Industry."

F). Educational

  • We held our annual summer workshop on May 27-28, 2015.  The theme of the workshop was "Classification and Assessment of Science of Security Publications."  Participants were engaged in classifying and rating papers from top-tier security conferences and comparing those publications with papers written by NCSU SoS Lablet researchers.
  • We have identified a seed list of publication venues where Science of Security research appears. We have been engaging the community (at other lablets) on refining and ranking a list of venues.
  • We further enhanced our research guidelines, creating a version for (1) empirical evaluation of real-world data; (2) analytical studies that use mathematical proofs; and (3) build-then-evaluate studies of security solutions. The research teams are guided in their plans through these guidelines. Students learn to critique others work through the use of the guidelines.
  • We continued our weekly seminar series in the Fall 2015 and Spring 2016 semesters with supported students and PIs. Students present their research plans and publications to obtain feedback on their work. We have developed a research proposal outline to help researchers organize their thoughts and ensure they are conducting their research in a scientifically defensible manner.  This outline is also the foundation for our feedback and evaluation instruments used during the seminars.

Project-specific educational and curriculum outcomes:

  • Security Metrics and Models

    • Attack Surface and Defense-in-Depth Metrics

      One side benefit of this work has been the collection and aggregation of vulnerability data across multiple, large open source case studies (Wireshark and FFmpeg). This data is now being made available to RIT students who study it in the classroom and discuss how the vulnerabilities could have been prevented. Understanding vulnerability history is a crucial step in developing that attacker mindset that students need when they enter the workforce.

    • Systematization of Knowledge from Intrusion Detection Models

      This works serves as a valuable case study to graduate students who are looking to provide new research in the IDS field.  By seeing how a lack of evaluation can lead to poor systematization, graduate students have seen in the classroom already how to conduct empirical evaluations with proper evaluation.

    • Vulnerability and Resilience Prediction Models

      Some of the techniques examined in this research, and lessons learned, in particular pro-active run-time resilience to attacks based on redundancy, were added as topics into NC State's graduate course on cloud computing technologies.

  • Humans
    • Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability

      We have noticed an increased emphasis on the social sciences within security research.  Not too many years ago, there were few researchers interested in why humans behave in a certain manner when faced with security-related decisions.  At recent conferences such as HotSoS and Human Factors, research that investigates the human role in cybersecurity has been actively promoted.  While we have not seen any specific changes to curricula to date, these changes are certainly on the horizon.

    • A Human Information-Processing Analysis of Online Deception Detection

      We held a weekly research seminar involving graduate and undergraduate students and faculty members from Computer Science, Psychological Sciences, and Industrial Engineering.  In this seminar, we discussed various security-related projects on which we were working, and the students got to play a major role in the design and conduct of the research. 

      Graduate student members of the research team prepared papers and posters presented at various conferences.  Two members presented talks to the Cognitive Area colloquium in the Department of Psychological Sciences aimed at educating faculty members and students of ways in which basic psychological knowledge can be applied to research on security and privacy. 

      Dr. Proctor presented a talk at talk, titled "Cybersecurity: A human problem," at the Cybersecurity Awareness Day, University of Wisconsin, on October 22, 2015, explaining how human factors contribute to the science of cybersecurity.

  • Policy
    • Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems

      Discussions of experimental and data-analytic results now introduce and emphasize the need for rigor and the dangers of simple statistical recipes, using examples and discussions patterned after ones given in works by Ioannidis and by Gigerenzer.

    • Formal Specification and Analysis of Security-Critical Norms and Policies

      NCSU CSC 503, Computational Applied Logic includes formal logical treatments of program and system specifications, obligations and norms, and knowledge and privacy, using security concerns to illustrate these ideas. 

      A new NCSU CSC senior-level undergraduate course on computability being developed introduces hybrid automata and systems along with ideas about verifying safety properties of hybrid computer/physical/social systems.

    • Scientific Understanding of Policy Complexity

      We held a weekly research seminar involving graduate and undergraduate students and faculty members from Computer Science, Psychological Sciences, and Industrial Engineering.  In this seminar, we discussed various security-related projects on which we were working, and the students got to play a major role in the design and conduct of the research.

      Graduate student members of the research team prepared papers and posters presented at various conferences.

      Two members presented talks to the Cognitive Area colloquium in the Department of Psychological Sciences aimed at educating faculty members and students of ways in which basic psychological knowledge can be applied to research on security and privacy.

      Dr. Proctor presented a talk at talk, titled "Cybersecurity: A human problem," at the Cybersecurity Awareness Day, University of Wisconsin, on October 22, 2015, explaining how human factors contribute to the science of cybersecurity.

  • Resilient Architectures
    • Resilience Requirements, Design, and Testing

      Many of the materials developed throughout this project was used in graduate level classes to measure and verify resiliency techniques and systems.  For example, in ITIS6230 which is "Cyber Risk Determination and Mitigation," we study Industry Control System resiliency which is material developed in this project.

    • Redundancy for Network Intrusion Prevention Systems (NIPS)

      This project is unusual in identifying connections between research in different domains of network security and management, and then in distilling from them primitives and tools that can be used to express and solve challenges across these multiple domains.  This has not resulted in changes to curriculum, per se, as of yet, but it has certainly caused us to think more deeply and rigorously about the fundamental nature of these different challenges.

    • Smart Isolation in Large-Scale Production Computing Infrastructures

      In Spring 2016, PI Enck taught CSC 574, Introduction to Computer and Network Security.  As part of this graduate level class, students are required to conduct a novel research project.  New for this semester, students were required to develop a research plan that described the threat model, methodology, and evaluation techniques for the project.  This milestone was motivated by the SoSL efforts at NCSU.

 

Groups: