SoS Quarterly Summary Report - NCSU - April 2017

Lablet Summary Report
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

A). Fundamental Research Highlights
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem".

• For the metrics hard problem, we have accomplished the following:

  • We deepened our previous study on collaborative IDS configuration. Particularly, we developed a game-theoretic model of resource allocation among IDSs, based on which we proposed a distributed incentive mechanism for resource allocation. Simulation results show that the performance of the proposed distributed incentive mechanism is close to the socially optimal outcome given by the VCG auction based scheme.

  • We completed a systematic literature review of the concept of attack surface in the academic literature. From a review of 643 papers, we found that a large majority (71%) of papers use the term "attack surface" without defining it or citing a definition. We examined competing definitions and conceptions of attack surface. We provide a conceptual analysis, including a unified defintion and an assessment of alternative definitions.

  • We built a prediction model using static code metrics as predictors to aid Android application developers in assessing the security and privacy risk associated with Android applications by using static code metrics as predictors.

  • We identified the adoption factors that influence usage of build automation tools. Build automation tools can aid organizations in deploying securely configured projects.

• For the humans hard problem, we have accomplished the following:

  • We found that when anti-phishing training was embedded within security warnings, users became better at detecting phishing pages later even though the warning was not presented. We developed hypotheses that embedded training will have similar effects in other online deception contexts.

  • We advanced our understanding of Human Subtlety Proofs (HSPs), viewed as basis for identifying authorized, but risky, behaviors of system users. We prepared a dataset for 40 users comprised of eye gaze, mouse movements, and keyboard usage, providing a basis for user-specific, real-time HSPs. We have developed the infrastructure for evaluating HSPs on a system administration task involving a Linux command line.

  • From our study of phishing message characteristics (mapped from Cialdini's persuasion principles) and user personality characteristics, we found that hit rate (ability to detect a phishing attack) and false alarms (labeling a legitimate email as phishing) varies by message content.

• For the resilience hard problem, we have accomplished the following:
  • We proposed a policy language, CLIPS, for defining adaptive cyber defense that can specify a course of action composed of investigation and reconfiguration actions. We developed as a case study a rule using CLIPS for defending against a sophisticated, stealthy distributed denial of service attack.
  • We developed an open interface and engine for a decision-making controller that enables implementing adaptive cyber defense and cyber agility capabilities rapidly and safely on Software Defined Networks. ActiveSDN enables users to specify arbitrary sensing and actuation defense functions and translates these specifications into provably correct OpenFlow configurations that it deploys on appropriate devices for enforcement. ActiveSDN provides built-in cyber agility functions such as IP mutation, route mutation, service migration, continuous monitoring and others.
  • Our research on the vulnerability of SDN networks to flow reconnaissance attacks demonstrates how an attacker who can inject flows into a network (possibly with forged addressing information) can infer information about recently past flows in the network. Our work on composing SDN applications in the SOL framework demonstrates how SDN applications expressed in a framework, such as SOL, can be composed automatically and near-optimally, while ensuring that the per-application policies continue to be enforced.

  • Our stream-based docker image scanner reveals the widespread security vulnerabilities on the popular container image repository Docker Hub. We began investigating runtime vulnerability detection techniques that intelligently trigger strong isolation in a just-in-time manner as a way to prevent jailbreak exploits that can potentially compromise the host kernel from a compromised container.

• For the policy hard problem, we have accomplished the following:
  • We extended our multiagent simulation framework and model for the adoption of security practices among developers in software projects. Our model takes into account the incentives for developers and managers as well as sanctioning policies regarding compliance or noncompliance. Preliminary results indicate group sanctioning for security promotes better adoption of security practices, compared to individual sanctioning.
  • Based on a review of the attribute-based access control (ABAC) literature, we began developing a normative models that supports representation and reasoning about information sharing in a manner that extends past ABAC by capturing norms, handling conflicts between norms, and producing reasoned explanations for authorization decisions.
  • We advanced closer to realizing the vision of being able to automatically generate SEAndroid policies that better enforce the least privilege principle.

B). Community Interaction
Work to explain or extend scientific rigor in the community culture. Workshops, Seminars, Competitions, etc.

• The NCSU Lablet hosted the Quarterly Meeeting on February 1 & 2, 2017. The agenda, including links to posters, presentations, adn video recordings of the proceeds, can be found at http://cps-vo.org/SoSLmtg/NCSU/2017.

• PI Williams presented a distinguised lecture at the University of Utah explaining the lessons learned via the lablet entitled, "The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity."

C. Educational
Any changes to curriculum at your school or elsewhere that indicates an increased training or rigor in security research.

• A new Masters Track in Security was approved in our graduate program. This track involves several lablet faculty and reflects some of the gains in understanding we have collectively made through the lablet. Additional details on this track are available online here: https://www.csc.ncsu.edu/academics/graduate/degrees/security.php

.
D. Publications
All work published during the reporting quarter.

• Aiping Xiong, Robert W. Proctor, Ninghui Li, Weining Yang. 2017. Is domain highlighting actually helpful in identifying phishing webpages? Human Factors: The Journal of the Human Factors and Ergonomics Society. doi: 10.1177/0018720816684064

• Weining Yang, Aiping Xiong, Jing Chen, Robert W. Proctor, Ninghui Li. 2017. Use of Phishing Training to Improve Security Warning Compliance: Evidence from a Field Experiment. doi: 10.1145/3055305.3055310

• Richeng Jin, Xiaofan He, Huaiyu Dai. 2017. On the Tradeoff between Privacy and Utility in Collaborative Intrusion Detection Networks - A Game Theoretical Approach. 2017 Hot Topics in the Science of Security (HotSoS).

• Burcham, M., Al-Zyoud, M., Carver, J., Alsaleh, M., Du, H., Gilani, F., Jiang, J., Rahman, A., Kafali, O., Al-Shaer, E., and Williams, L. "Characterizing Scientific Reporting in Security Literature: An analysis of ACM CCS and IEEE S&P Papers," HotSoS 2017.

• "Is this a privacy incident? Using news exemplars to study end user perceptions of privacy incidents", P. Murukannaiah, J. Staddon, H. Lipford and B. Kinijnenberg, . Usable Security Mini Conference (USEC) 2017.

• Sheng Liu, Michael K. Reiter, Vyas Sekar. 2017. Flow reconnaissance via timing attacks on SDN switches. 37th IEEE International Conference on Distributed Computing Systems.

• Rui Shu, Xiaohui Gu, William Enck. 2017. A Study of Security Vulnerabilities on Docker Hub. Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY). doi: 10.1145/3029806.3029832
  URL: http://dl.acm.org/citation.cfm?id=3029832

• Nirav Ajmeri, Chung-Wei Hang, Simon D. Parsons, and Munindar P. Singh. "Aragorn: Eliciting and Maintaining Secure Service Policies." IEEE Computer 50(6), June 2017. To appear, pages 1-8.

• Nirav Ajmeri, Hui Guo, Pradeep K. Murukannaiah, and Munindar P. Singh. "Arnor: Modeling Social Intelligence via Norms to Engineer Privacy-Aware Personal Agents." Proceedings of the 16th International Conference on Autonomous Agents and MultiAgent Systems (AAMAS). Sao Paulo: IFAAMAS, May 2017, pages 1-9.

• Rahman, A., Pradhan, P., Partho, A., and Williams, L., Predicting Android Application Security and Privacy Risk With Static Code Metrics, Short paper, 4th IEEE/ACM International Conference on Mobile Software Engineering and Systems, Buenos Aires, Argentina, to appear.

• Rahman, A., Partho, A., Meder, D., and Williams, L., Which Factors Influence Usage of Build Automation Tools? International Conference on Software Engineering (ICSE), 3rd International Workshop on Rapid Continuous Software Engineering (RCoSE) 2017, Buenos Aires, Argentina, to appear.

• Theisen, C., Murphy, B., Kerzig, K., Williams, L., Risk-Based Attack Surface Approximation: How Much Data is Enough?, International Conference on Software Engineering (ICSE) Software Engineering in Practice (SEIP) 2017, Buenos Aires, Argentina, to appear.