SoS Quarterly Summary Report - NCSU - July 2016

Lablet Summary Report
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

A). Fundamental Research
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem".

• For the metrics hard problem, we have accomplished the following:
  • We showed how to model cloud-based application networks based on established data-flow, security awareness, and provenance information models. Our approach can learn the operational profile of a data-flow model to identify vulnerable interfaces and thereby to assess workflow and network vulnerability.
  • We developed a model and some initial metrics on collaborative decision making for security, specifically, in intrusion detection, where the collaborators (as defenders) are interdependent but not part of the same organization. The collaborators decide how much private information to reveal to each other. We demonstrated a tradeoff between gains in security (defense) and privacy of the defenders.
• For the humans hard problem, we have accomplished the following:
  • We developed software to support the analysis of time series data on human performance based on a model of perceptual, motor, and cognitive processes. This software will facilitate scientific research, including hypothesis evaluation, on user behavior in cybersecurity.
  • We designed online empirical studies (and associated surveys to be used for data collection) that seek to evaluate the effectiveness of phishing warnings and how the reliability of such a warning system influences users' decision making regarding incoming email messages.
• For the resilience hard problem, we have accomplished the following:
  • We analyzed over 400,000 container images available on Docker Hub for vulnerabilities via an analysis framework we built. We found that vulnerabilities are rife on these images and the number of unique Common Vulnerabilities and Exposures (CVEs) in images on Docker Hub are increasing over time.
  • We developed a verification technique to determine whether a SCADA (Supervisory Control And Data Acquisition) system configuration will maintain operational integrity despite attacks that make a specified number of sensors unavailable and corrupt a specified amount of data.
  • We developed metrics to compare SCADA systems with respect to their resilience to attacks based on the number of sensors and data that are affected by an attack.
  • We received interest, which may lead to additional research or technology transfer, from a leading network service provider for our ongoing research on our SDN Optimization Layer (SOL) framework for the construction of optimization applications atop Software-Defined Network (SDN) controllers.
• For the policy hard problem, we have accomplished the following:
  • We initiated and began populating a privacy incidents database to provide a foundation for empirically grounding scientific research on privacy. Recognizing the fluid nature of the concept of privacy, we conducted a human study to validate the assumption that the incidents recorded in our database are understood as privacy incidents by nonspecialists.
  • We determined that anomalies in policy composition are a leading root cause for policy misconfigurations in SEAndroid (Security Enhancements for Android).
  • We developed an approach to reason at runtime about conflicts that might arise between commitments, authorizations, and prohibitions, which are key atoms for models of secure collaboration. This approach generalizes our previous work on commitments.
  • We conducted an empirical study on how analysts develop a computational representation given security requirements. A computational representation is an input to formal reasoning and is executed in security decision making. This study compared our approach with a previous legal reasoning and an informal approach. Our preliminary results indicate that, compared to the previous approaches, our approach yields gains in coverage and correctness of requirements.

B). Community Interaction
Work to explain or extend scientific rigor in the community culture. Workshops, Seminars, Competitions, etc.

• We conducted our Summer Workshop on the theme of promoting impact, especially through technology transfer. We included a session on strategies to achieve technology transfer, a keynote by an HHS researcher, reviews of previous attempts to measure impact in computer science, and a lively industry panel on the particular challenges of technology transfer in computer science.
• Our evaluation of papers appearing in ACM CCS 2015 showed that several papers omitted details of their study designs, including objectives, rationale for selection of cases, and threats to validity.
• Several lablet members attended HotSoS in Pittsburgh where they had fruitful interactions with colleagues, especially from government.

C. Educational
Any changes to curriculum at your school or elsewhere that indicates an increased training or rigor in security research.

• Our Summer Workshop included a lecture on the pitfalls of statistical analysis as well as a group exercise on how to promote scientific practices and writing and to evaluate the scientific clarity of published papers in cybersecurity.