SoS Quarterly Summary Report - NCSU - July 2017

Lablet Summary Report
Purpose: To highlight progress. Information is generally at a high level that is accessible to the interested public.

A. Fundamental Research Highlights
High-level report of results or partial results that helped move security science forward. In most cases each item should point to a "hard problem".

  • For the metrics hard problem, we have accomplished the following:
    • We applied the orthogonal defect classification scheme to categorize defects in Infrastructure as Code (IaC) scripts, which arise in continuous deployment/DevOps environments. We found that whereas IaC scripts in Mozilla and Wikimedia Commons prominently exhibit the defect categories of configuration assignment and syntax, non-IaC scripts prominently exhibit defects in algorithms.
    • We studied collaborative security in a setting where observations may be unknown or misreported. We developed an approach based on Expectation Maximization that does not require the participants to share their misreport probabilities.
    • We adopted information leakage in quantitative information flow theory as a basis for a privacy metric. We defined a game whose players are an attacker and a defender (the collaborative entities). Each player seeks to learn secret information of its opponent and minimize its own information leakage. The payoffs in this game are based upon our chosen privacy metric.
    • We further advanced our systematic literature review on attack surfaces to provide a unified definition of this concept.
  • For the humans hard problem, we have accomplished the following:
    • We investigated the comparative effectiveness of warning modalities. Our empirical study indicates that warnings based on color -- even two colors -- can influence users to make safe app selection decisions. Moreover, colors are more effective than emoticons in guiding users.
    • Our study on warnings for phishing attacks indicates that high extraversion is predictive of susceptibility to phishing emails. In addition, we identified that the persuasion principle of "liking" is effective, whereas combining the principles of "authority" and "scarcity" arouses suspicion.
    • We iteratively revised and piloted an ecologically valid study of Human Subtlety Proofs (HSPs) to tune its length and complexity and thereby improve the validity of the data to be gathered. The study involves measuring on-task and off-task eye-tracking behavior of users during a password task.
  • For the resilience hard problem, we have accomplished the following:
    • We developed a formal approach that automatically determines the security configuration for optimal risk mitigation given prior constraints. Our global risk optimization model incorporates end-host security compliance scanning reports and vulnerability inter-dependencies due to network reachability.
    • We developed new metrics for assessing global cyber risk for enterprises. Network Threat Resistance (NTR) measures the effects of network counter-measures on preventing or detecting the propagation of an exploit of a specific vulnerability. Cyber Threat Exposure (CTE) for a specific service incorporates the quantity and capability of vulnerable sources that can reach a service.
    • We demonstrated flow-reconnaissance attacks that arise due to timing channels in SDN switches.
    • We demonstrated how our SOL framework can capture a security application (specifically, SNIPS) in a simple manner while yielding performance that is competitive with manual tuning.
    • We built a framework for observing system effects, including performance effects, that result from the exploitation of vulnerabilities in software running within Docker containers. Those system effects enable detection models for exploits, which in turn can trigger isolation and patching.
  • For the policy hard problem, we have accomplished the following:
    • We developed tools to facilitate mining and visualizing incidents in our privacy incidents database that bring out the who, where, and when of these incidents.
    • We introduced a technique for analyzing the inconsistency of access control checks, and realized it in a tool to facilitate further research. We applied this tool to identify previously unknown vulnerabilities in Android, including some potentially serious ones.
    • We studied established languages for access control policies and evaluated alternative ways of expressing the policies in logic. In particular, we showed how to relate knowledge representation best practices with policy formalizations. A benefit of doing so is to make the policies applicable in diverse settings and to identify shortcomings of traditional approaches that our research would address.
    • We implemented a simulation framework geared toward the adoption of security practices by developers in a software engineering group based upon their incentives, as those incentives are modulated through distinct types of sanctions.
    • We enhanced and re-implemented a game based on our earlier enterprise security scenario (involving workforce adoption of cybersecurity practices) that supports gameplay by Amazon MTurk workers.
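The access-control inconsistency analysis listed above under the policy hard problem compares the checks that guard different paths to the same sensitive operation. The following is an added illustration of that idea, not the Lablet's tool or its results: a toy detector over a constructed call-path model, where the service, sink and permission names are hypothetical. A path whose guard set is a strict subset of another path's guard set to the same sink is flagged as the weaker path for review; paths with incomparable guard sets are flagged as divergent.

```python
"""Toy access-control inconsistency detector (added example, not the
Lablet's tool). The call-path model below is constructed by hand; a real
analysis would derive it from a call graph and the permission checks found
along each path."""
from collections import defaultdict

# Constructed model (hypothetical names):
# entry point -> (sensitive sink it reaches, set of checks enforced on that path)
PATHS = {
    "SettingsService.setConfig":   ("ConfigStore.write", {"perm:MANAGE_CONFIG", "caller:system"}),
    "SettingsService.resetConfig": ("ConfigStore.write", {"perm:MANAGE_CONFIG"}),
    "SettingsService.dumpConfig":  ("ConfigStore.read",  {"perm:READ_CONFIG"}),
    "BackupService.exportConfig":  ("ConfigStore.read",  set()),
}


def find_inconsistencies(paths):
    """Group paths by sink and compare the check sets of each pair of paths.

    Returns a list of findings. A path whose checks are a strict subset of
    another path's checks to the same sink is reported as 'weaker' (with the
    checks it lacks); two paths with incomparable check sets are reported as
    'divergent' (with their symmetric difference).
    """
    by_sink = defaultdict(list)
    for entry, (sink, checks) in paths.items():
        by_sink[sink].append((entry, frozenset(checks)))

    findings = []
    for sink, entries in by_sink.items():
        entries.sort(key=lambda t: t[0])  # deterministic pairing order
        for i, (e1, c1) in enumerate(entries):
            for e2, c2 in entries[i + 1:]:
                if c1 == c2:
                    continue  # consistently guarded; nothing to report
                if c1 < c2:
                    findings.append({"sink": sink, "kind": "weaker", "path": e1,
                                     "reference": e2, "missing": sorted(c2 - c1)})
                elif c2 < c1:
                    findings.append({"sink": sink, "kind": "weaker", "path": e2,
                                     "reference": e1, "missing": sorted(c1 - c2)})
                else:
                    findings.append({"sink": sink, "kind": "divergent", "path": e1,
                                     "reference": e2, "missing": sorted(c1 ^ c2)})
    return findings


if __name__ == "__main__":
    for f in find_inconsistencies(PATHS):
        print(f"{f['sink']}: {f['path']} is {f['kind']} than {f['reference']}; "
              f"differing checks: {f['missing']}")
```

Each finding is a candidate for manual review rather than a confirmed vulnerability: an inconsistency can be intentional (a path meant for a narrower caller), so the value of the technique lies in making the differences between guard sets explicit and enumerable.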

B. Community Interaction
Work to explain or extend scientific rigor in the community culture. Workshops, Seminars, Competitions, etc.

  • We conducted deeper analysis of the paper completeness rubric to provide sound theoretical basis and to identify good examples from published literature. The motivation is to provide guidance in best practices for reporting scientific research.

  • We hosted a summer workshop on June 21-22, 2017 for Lablet faculty, postdocs, and students, as well as guests from industry, academic IT practitioners, and government, including the Laboratory for Analytic Sciences. The workshop program included keynote lectures, one each from industry and academia, as well as a panel of security professionals from government (HHS), nonprofits (RTI), technology sector (Cisco), and finance sector (Credit Suisse). The workshop included tutorials on scientific methodology as well as sessions on a methodological critique of recent security papers.

  • We analyzed Lablet publication data from the last three years for co-authorship patterns as a way of measuring the emerging community of practice in science of security. We found that, of the Lablet publications, 57% result from multi-institutional collaborations, 4% from multi-sector (industry, university, government) collaborations, and 44% from multidisciplinary collaborations.

C. Educational
Any changes to curriculum at your school or elsewhere that indicate increased training or rigor in security research.

  • We have been mentoring three undergraduate students on Lablet research under the Research Experiences for Undergraduates (REU) program.

D. Publications
All work published during the reporting quarter.