Empirical Models for Vulnerability Exploits - UMD - April 2017

PI(s): Tudor Dumitras
Researchers: Sanghyun Hong, Octavian Suciu, Michael Hicks, Jonathan Katz, Joseph JaJa

HARD PROBLEM(S) ADDRESSED

Security-Metrics-Driven Evaluation, Design, Development, and Deployment

Project synopsis
The security of deployed and actively used systems is influenced by factors not captured in existing security metrics. For example, the count and severity of unpatched vulnerabilities in source code, as well as the corresponding attack surface, are commonly used as measures of a software product's security. But simply estimating the number of vulnerabilities in source code does not account for the fact that some vulnerabilities are never exploited by attackers, perhaps due to reduced attack surfaces or because of other technologies that render exploits less likely to succeed. Conversely, vulnerabilities that have been "patched" can continue to impact security in the real world because some users do not deploy the corresponding software patches. Overall, we currently do not know how to assess the security of real-world systems. In this task, we will conduct empirical studies of security in the real world. Our goals are to derive empirical models of vulnerabilities and attack surfaces exercised in cyber attacks and to understand the deployment-specific factors that influence the security of systems in active use.

PUBLICATIONS

ACCOMPLISHMENTS

In January 2017, the Maryland Cybersecurity Center (MC2) organized a second invitation-only workshop aimed at researchers interested in studying security empirically, using data-driven techniques. The goal of the workshop was to identify promising research directions for improving security in measurable ways. The 29 workshop participants came from 6 countries and represented organizations from academia, industry, and government. The discussion topics included understanding the motivations, capabilities, and limitations of real-world adversaries; putting theoretical assumptions to the test; accounting for the socio-economic incentives of attackers and for the properties of deployment environments; measuring and predicting security; secure data mining and machine learning techniques; automatically learning the semantics of security threats; and clean-slate ideas grounded in security measurements.

More information is available at http://www.umiacs.umd.edu/~tdumitra/data-driven/.