SoS Lablet Annual Report - NCSU

Lablet Annual Report
Purpose: To highlight progress made within the base year (March 2016 to Present). Information is generally at a higher level which is accessible to the interested public. This will be published in an overall SoS Annual Report to be shared with stakeholders to highlight the accomplishments the Lablets have made over the past year.

A). Lablet Introduction

North Carolina State University’s (NCSU) Science of Security Lablet (SoSL) has embraced and helped build a foundation for NSA’s vision of the Science of Security (SoS) and of a SoS community.  We have emphasized data-driven discovery and analytics to formulate, validate, evolve, and solidify the theory and practice of security. Efforts in our current lablet have yielded significant findings, providing a deeper understanding of users’ susceptibility to deception, developers’ adoption of security tools, how trust between people relates to their commitments.  Motivated by NSA’s overarching vision for SoS and building on our experience and accomplishments, we are (1) developing a science-based foundation for the five hard problems that we previously helped formulate; and (2) fostering a SoS community with high standards for reproducible research. Our approach involves a comprehensive, rigorous perspective on SoS, including an integrated treatment of technical artifacts, humans (both stakeholders and adversaries) along with relationships and processes relevant to the hard problems.  Continual evaluation of our research and community development efforts is key to our approach.

Team Overview

We have formed teams to conduct scientific research and evaluate progress on hard problems: Security Metrics and Models; Humans; Policy; and Resilient Architectures. The Scalability and Composability hard problem has no explicit team since we address it as a secondary hard problem in several of our projects.  Each Hard Problem team is composed of three or more projects researching complementary aspects of the Hard Problem. We also have additional teams for Research Methods, Community Development and Support, and for Evaluation.

• Security Metrics and Models

  Attack Surface and Defense-in-Depth Metrics:  Rochester Institute of Technology:  Andy Meneely, NC State University:  Laurie Williams

  Systematization of Knowledge from Intrusion Detection Models:  NC State University:  Huaiyu Dai, Rochester Institute of Technology:  Andy Meneely

  Vulnerability and Resilience Prediction Models:  NC State University:  Mladen Vouk, Laurie Williams

• Humans

  Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability:  NC State University:  Christopher B. Mayhorn, Emerson Murphy-Hill

  A Human Information-Processing Analysis of Online Deception Detection:  Purdue University:  Robert W. Proctor, Ninghui Li

  Leveraging the Effects of Cognitive Function on Input Device Analytics to Improve Security:  NC State University:  David L. Roberts, Robert St. Amant

• Policy

  Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems:  NC State University:  Emily Berglund, Jon Doyle, Munindar Singh

  Formal Specification and Analysis of Security-Critical Norms and Policies:  NC State University:  Jon Doyle, Munindar Singh, Rada Chirkova

  Scientific Understanding of Policy Complexity:  Purdue University:  Ninghui Li, Robert Proctor, NC State University:  Emerson Murphy-Hill

  Privacy Incidents Database:  NC State University:  Jessica Staddon

• Resilient Architectures

  Resilience Requirements, Design, and Testing:  University of Virginia:  Kevin Sullivan, NC State University:  Mladen Vouk, University of North Carolina at Charlotte:  Ehab Al-Shaer

  Redundancy for Network Intrusion Prevention Systems (NIPS):  University of North Carolina:  Mike Reiter

  Smart Isolation in Large-Scale Production Computing Infrastructures:  NC State University:  Xiaohui (Helen) Gu, William Enck

  Automated Synthesis of Resilient Architectures:  University of North Carolina at Charlotte:  Ehab Al-Shaer

  High-Assurance Active Cyber Defense Policies for Auto-Resiliency:  University of North Carolina at Charlotte:  Ehab Al-Shaer

• Research Methods, Community Development and Support:  University of Alabama:  Jeff Carver, NC State University:  Lindsey McGowen, Jon Stallings, Laurie Williams, David Wright
• Evaluation:  NC State University:  Lindsey McGowen, Jon Stallings, David Wright, University of Alabama:  Jeff Carver

B). Fundamental Research

Identify all of the researchers (PIs and students) that have worked on each project during the reporting period.  Answer the "Burning Questions" in a single paragraph

• What was completed? Describe the work/research conducted (2-3 sentences)
• What was learned? Present results and conclusions (1-2 sentences)
• How does it help? Identify how the results contribute towards solving a specific Hard Problem OR Area of Research (1-2 sentences)

​

• Security Metrics and Models

  • Attack Surface and Defense-in-Depth Metrics  (Researchers:  Andrew Meneely, Nuthan Munaiah, Christopher Theisen, Laurie Williams)

    We developed metrics and techniques to assess security risk by examining the attack surface using stack traces and call graphs. We conducted a systematic literature review on the notion of attack surface, and  created a unified definition of attack surface. We developed metrics to estimate the attack surface and vulnerability discovery to better predict vulnerabilities. This research produces better measurements of security risk by providing actionable intelligence on problematic section of source code. Our models outperform competing models in vulnerability prediction accuracy.

  • Systematization of Knowledge from Intrusion Detection Models  (Researchers:  Andy Meneely, Nuthan Munaiah, Huaiyu Dai, Xiaofan He, Richeng Jin)

    We examined how intrusion detection research today can be generalized by examining the validation criteria used in empirical studies of intrusion detection systems. We conducted a systematic literature review on the metrics used in intrusion detection research. We found that IDS literature has some standardization of metrics, but typically lacks fully examination of trade-offs such as memory vs. speed. This study provides a foundation and guidance for empirical studies to be conducted on intrusion detection research. The metrics we uncovered and systematically aggregated will help provide a consistent picture of the quality of any IDS technique. We developed a distributed incentive mechanism for IDS collaboration that approximates socially optimal VCG auction based scheme with significantly reduced complexity.  To study collaborative security with privacy concerns, we developed a repeated two-layer single-leader multi-follower game and obtained the optimal collaboration and defending strategies based on privacy policies of collaborative entities. Our results help quantify the benefits of IDS collaboration, and the trade-off between collaboration utility and privacy.

  • Vulnerability and Resilience Prediction Models  (Researchers:  Mladen A. Vouk, Laurie Williams, Donghoon Kim, Akond Rahman)

    We conducted a survey of SaaS and PaaS vulnerabilities and countermeasures. We showed that well-understood data-flow, security awareness and provenance information models can cost-effectively represent and manage resilience of cloud-based application networks, including prioritization of security-related validation and verification efforts based on vulnerability prediction. Depending on the security priorities (e.g., Confidentiality vs. Integrity vs. Availability), we construct a data-flow model of interacting components, "learn" its normal operational profile using provenance collecting engine, and identify vulnerable externally facing interfaces. This model then serves to position and implement appropriate countermeasures (e.g., access controls, reputation firewalls, and data integrity checks). Modeling and assessment platform (with GUIs) is based on an augmented version of Kepler, a scientific workflow modeling tool. This research supports recognition of attacks through metrics and models, and provides models to predict resilience to attacks in the field, thereby cutting across the hard problems of Metrics, Resilience, and Scalability.   Additionally, we produced vulnerability prediction models for Infrastructure as a Service (IaS) scripts which are often used in continuous deployment/DevOps environments.

• Humans
  • Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability  (Researchers:  Christopher B. Mayhorn, Emerson Murphy-Hill, Olga A. Zielinska, Allaire K. Welk, and Patrick Lawson)

    We explored the content of phishing emails and conducted a temporal analysis to determine what attack vectors were used over time and how these tactics have evolved. Phishing email content was categorized according to the principles of persuasion identified by Cialdini (1987). Recent work investigated how personality attributes interacted with phishing email content to make individuals deferentially susceptible to phishing email attacks that used specific persuasion techniques. Over time, phishing email messages have increasingly come to rely on the following persuasion principles: commitment, liking, authority, and scarcity. Personality characteristics such as high extroversion was found to make people particularly susceptible to phishing attacks. By exploring the interaction between phishing message content and personality characteristics, this work contributing to solving the "Humans" hard problem by cataloging when and why security vulnerabilities exist in the phishing domain.

  • A Human Information-Processing Analysis of Online Deception Detection  (Researchers:  Robert Proctor, Ninghui Li, Aiping Xiong, Isis Chong, Huangyi Ge, Wanling Zou, Scott Moore, Weining Yang, Jing Chen)

    We conducted field experiments and online and laboratory studies investigating influences of warnings and training on responses to phishing attacks. We showed that training-embedded warnings are effective at improving users' ability to identify phishing webpages. Users who received both warnings and training did not fall for simulated phishing attacks in the natural context, whereas those who received either one did. Domain highlighting attracted users' attention, but they did not know how to apply that information. Thus, we established that users not only be aware of online deception but also skilled to make informed decisions given the risk.

  • Leveraging the Effects of Cognitive Function on Input Device Analytics to Improve Security  (Researchers:  David L. Roberts, Robert St. Amant, Ignacio Domginuez, Nishal Shrestha, Jayant Dahwan, Alok Goel, Huseyin Sencan)

    We planned, designed, piloted, and evaluated studies on the efficacy of Human Subtlety Proofs (HSPs) for detecting the effects of cognition on input device usage. Additionally, we completed the model-based labeling of event data from previous studies, providing a detailed corpus of data with labels describing cognitive processes at the millisecond resolution. Most notably, we completed the validation of our study design through numerous iterations and refinement steps. Our results lay an important foundation for attacking the Humans hard problem, by contributing the knowledge that scaffolds cognitive-model-based interpretation of input device usage. This novel interpretive ability could be leveraged in a wide-variety of ways to address the human factors that lead to security issues.

• Policy
  • Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems  (Researchers:  Munindar P. Singh, Emily Z. Berglund, Jon Doyle, Nirav Ajmeri, Shams Al-Amin)

    We developed a framework for modeling the adoption of security practices in software development and to explore sanctioning mechanisms that may promote greater adoption of these practices among developers. The multiagent simulation framework incorporates developers and manager roles, where developers maximize task completion and compliance with security policies, and the manager enforces sanctions based on functionality and security of the project. The adoption of security practices emerges through the interaction of manager and developer agents in time-critical projects. Results indicate that group sanctioning for security practices yields better adoption of security practices, whereas, individual sanctioning results in lower retention of developers. The model provides comparison of security adoption in developers with different preferences and provides guidance for managers to identify appropriate sanctioning mechanisms for increasing the adoption of security tools in software development.

  • Formal Specification and Analysis of Security-Critical Norms and Policies  (Researchers:  Nirav Ajmeri, Jiaming Jiang, Ozgur Kafali, Rada Y. Chirkova, Jon Doyle, Munindar P. Singh;  External collaborators: Thomas C. King, Akin Gunay, Amit K. Chopra)

    Using our representation for sociotechnical systems (STSs) in terms of norms (to characterize the social architecture) and mechanisms (to characterize the technical architecture), we developed an approach to realize interactions between autonomous parties relating to their commitments directed to each other. This approach places commitments and other norms over an information model that captures key and causal dependencies, enabling flexible realization in a decentralized setting. We developed an approach that helps maintain alignment of commitments (as an exemplary social construct) between autonomous parties communicating over an asynchronous medium. Our research contributes a formal grounding to STSs for cybersecurity and privacy that leads to new methods for architecting security and privacy into a software system.

  • Scientific Understanding of Policy Complexity  (Researchers:  Ninghui Li, Robert Proctor, Haining Chen, Huangyi Ge)

    We analyzed potential policy misconfigurations in SEAndroid policies, in part by comparing against underlying Unix/Linux policies. We analyzed how policy misconfigurations evolve over time. We found that several kinds of policy misconfiguration problems exist. One such example is composition privilege escalation, in which combined effects of multiple rules grant more access than sum of parts. Whereas such problems exist across multiple versions of Android, the situation is improving. Our research contributes to methods for comparing policies specified in different layers of a large, complicated, and widely used system.

  • Privacy Incidents Database  (Researchers:  Jessica Staddon, Esha Sharma, Pradeep Murukannaiah)

    We launched the Privacy Incidents Database web site at http://research.csc.ncsu.edu/privacyincidents/pages/index.php.  We have completed the development of a privacy incidents classifier that achieves an overall accuracy (F1 measure) of more than 93% which is 12% better than keyword-based classifiers (i.e., identifying incidents by classifying articles containing "privacy" and other privacy related keywords, as privacy incident articles). We prototyped a classifier for tweets that are about privacy incidents. The privacy incidents classifier significantly reduces the amount of human review needed to identify news articles that are about privacy incidents (and so, are content for the database).  We developed visualizations of the chronology, entities, and location of privacy incidents to help users understand database entries.

  • Formal Analysis of Breach Reports (Researchers:  Laurie Williams, Munindar Singh, Ozgur Kafali, Sarah Elder, Hui Guo)

We developed a semantic reasoning framework that computes the coverage of security breaches by policies via comparison of individual policy clauses and breach descriptions, i.e., identifying the gaps in between. Our investigation of a subset of the breaches reported by the US Department of Health and Human Services (HHS) revealed the gaps between HIPAA and reported breaches, leading to a coverage of 65%. Additionally, our classification of the 1,577 HHS breaches shows that 44% of the breaches are accidental, not malicious, misuses. We found that HIPAA's gaps regarding accidental misuses are significantly larger than its gaps regarding malicious misuses. This result reinforces the fact that designing policies to address human factors is important and nontrivial. Preliminary findings from a study on Amazon Mechanical Turk indicate that crowdsourcing is an effective way of understanding normative relations between natural language artifacts such as security policies, regulations, and breach reports.

• Resilient Architectures

  • Resilience Requirements, Design, and Testing  (Researchers:  Ehab Al-Shaer, Mohamed Alsaleh, Farooq Abdullah, Mladen A. Vouk, Donghoon Kim)

    We developed a formal framework for automated active cyber defense (ACD) systems that consist of a reactive control policy controller for defense action synthesis to create investigation and reconfiguration courses-of-actions, and a verifier to ensure the consistency, correctness and safety of automated ACD. Combining cyber automation and policy verification can enable adaptive cyber defense that mitigates risk in a timely manner, with minimum human intervention. Our work creates the foundation for verifiable ACD which a key mechanism for cyber resiliency.  We also analyzed resilience issues and countermeasures in cloud SaaS and PaaS layers, focusing on multi-tenancy, isolation, and virtualization.  We considered how they relate to PaaS services and security trends, as well as the concerns such as user and resource isolation, side-channel vulnerabilities in multi-tenant environments, and protection of sensitive data. We recommend a number of effective procedures which can help in providing security.

  • Redundancy for Network Intrusion Prevention Systems (NIPS)  (Researchers:  Michael Reiter, Victor Heorhiadi, Jun Jiang, Sheng Liu)

    We developed a framework to support specification and composition of network monitoring, policy-enforcement, and resource-management applications in software defined networking (SDN) environments. We demonstrated information leakage that results from the reactive deployment of rules to SDN switches, and how this leakage might enable an attacker to conduct reconnaissance on the flows occurring in a network. Our SDN application framework simplifies the specification and composition of applications while achieving resource efficiency, responsiveness, and fairness. Our work on SDN leakage showed how an attacker can construct an approximately optimal probe to maximize its information gain. Our research contributes a new management and policy-enforcement capability that is accessible for network operators without advanced training in algorithm design or optimization.

  • Smart Isolation in Large-Scale Production Computing Infrastructures  (Researchers:  Xiaohui (Helen) Gu, William Enck, Rui Shu, Adwait Nadkarni, Luke Deshotels)

    We studied how smart isolation can be practically incorporated into systems, discovering novel mechanisms (e.g., lazy polyinstantiation) and properties (e.g., vulnerability inheritance) that enable better design of resilient architectures. Our research created a taxonomy about existing security isolation techniques, identified security vulnerability in popular container-based systems, using information flow control as an adaptive policy for smart isolation. Our empirical study of the Docker Hub ecosystem identified pervasive concerns of unpatched software containing security vulnerabilities. This study further highlighted the potential for a security metric based on vulnerability inheritance within similar environments. Our investigation of policy specification produced the approach of Policy By Example (PyBE), which is based on the approach of Programming by Example (PBE) used for program synthesis.

  • Automated Synthesis of Resilient Architectures  (Researchers:  Ehab Al-Shaer, Mohamed Alsaleh, Farooq Abdullah)

    We developed path and IP mutation for resilience to disguise or hide the network resource from external entities, so that in the reconnaissance phase the attacker gets incorrect information about the network. Cyber resilience depends on an ability to resist reconnaissance and DDoS attacks. We showed cyber mutation to be an effective technique for cyber resilience. It can provide 86% effectiveness (hiding critical resources) with affordable overhead.

  • High-Assurance Active Cyber Defense Policies for Auto-Resiliency  (Researchers:  Ehab Al-Shaer, Mohamed Alsaleh, Farooq Abdullah)

    Active cyber defense through reactive policies is a key component in cyber resiliency. We developed metrics for measuring the safety of reactive policies for active cyber defense. Developing a scalable approach for verification of reactive policy is feasible if both static and dynamic analyses are employed.

C). Publications

Please list all publications published in the base year starting in March 2016 to Present.

• Ajmeri, N., Jiang, J., Chirkova, R.Y., Doyle, J., and Singh, M.P.. “Coco: Runtime Reasoning about Conflicting Commitments.” Proceedings of the 25th International Joint Conference on Artificial Intelligence (IJCAI). New York: IJCAI, July 2016, 7 pages
• Ajmeri, N., Hang, C-W., Parsons, S.D., and Singh, M.P.. “Aragorn: Eliciting and Maintaining Secure Service Policies.” IEEE Computer 50(6), June 2017. To appear, pages 1–8
• Ajmeri, N., Gu, H., Murukannaiah, P.K., and Singh, M.P.. “Arnor: Modeling Social Intelligence via Norms to Engineer Privacy-Aware Personal Agents.” Proceedings of the 16th International Conference on Autonomous Agents and MultiAgent Systems (AAMAS). São Paulo: IFAAMAS, May 2017, pages 1–9
• Alsaleh, M., and Al-Shaer, E.. Towards Automated Verification of Active Cyber Defense Strategies on Software Defined Networks, ACM SafeConfig '16 Proceedings of the 2016 ACM Workshop on Automated Decision Making for Cyber Defense, October 2016
• Burcham, M., Al-Zyoud, M., Carver, J., Alsaleh, M., Du, H., Gilani, F., Jiang, J., Rahman, A., Kafali, O., Al-Shaer, E., and Williams, L. "Characterizing Scientific Reporting in Security Literature: An analysis of ACM CCS and IEEE S&P Papers," HotSoS 2017.
• Chen, J., Xiong, A., Li, N., & Proctor, R. W. (2016). The description-experience gap in the effect of warning reliability on user trust, reliance, and performance in a phishing context. Talk presented at the 7th International Conference on Applied Human Factors and Ergonomics (AHFE), OrlandO., FL, July
• Chen, J., Proctor, R. W., & Li, N. (2016, November). Human trust in automation in a phishing context. Talk presented at 46th Annual Meeting of the Society for Computers in Psychology (SCiP), Boston, MA
• Dominguez, I.X., Goodwin, P.R., Roberts, D.L., and St. Amant, R.. Human Subtlety Proofs: Using Computer Games to Model Cognitive Processes for Cybersecurity. International Journal Of Human–Computer Interaction. Online. 2016
• Dominguez, I.X., Dhawan, J., St. Amant, R. and Roberts, D.L.. Exploring the Effects of Different Text Stimuli on Typing Behavior. Proceedings of the 2016 International Conference on Cognitive Modeling (ICCM 2016). State College, PA, USA. 2016
• Dominguez, I.X., Dhawan, J., St. Amant, R. and Roberts, D.L.. JIVUI: JavaScript Interface for Visualization of User Interaction. Proceedings of the 2016 International Conference on Cognitive Modeling (ICCM 2016). State College, PA, USA. 2016
• He, X.,  Islam, M.M., Jin, R., Dai, H..  2017.  Foresighted Deception in Dynamic Security Games. IEEE International Conference on Communications (ICC)
• Heorhiadi, V., Rajagopalan, S., Jamjoom, H., Reiter, M.K., Sekar V..  2016.  Gremlin: Systematic resilience testing of microservices. 36th IEEE International Conference on Distributed Computing Systems. 
• Jin, R., He, X., Dai, H..  2017.  On the Tradeoff between Privacy and Utility in Collaborative Intrusion Detection Networks - A Game Theoretical Approach. 2017 Hot Topics in the Science of Security (HotSoS)
• Jin, R., He, X., Dai, H..  2016.  Collaborative IDS Configuration: A Two-layer Game Approach. IEEE Global Conference on Communications (GLOBECOM).
• Jin, R., He, X., Dai, H., Dutta, R., Ning, P..  2017.  Towards Privacy-Aware Collaborative Security: A Game-Theoretic Approach. IEEE Symposium on Privacy-Aware Computing (PAC)
• Kafali, O., Ajmeri, N., Singh, M.P.. Revani: Revising and Verifying Normative Specifications for Privacy. IEEE Intelligent Systems, 2016
• Kafali, O., Singh, M.P., Williams, L.. Nane: Identifying Misuse Cases Using Temporal Norm Enactments. 24th IEEE International Requirements Engineering Conference
• Kafali, O., Ajmeri, N., and Singh, M.P.. Formal Understanding of Tradeoffs among Liveness and Safety Requirements. Proceedings of the 3rd International Workshop on Artificial Intelligence for Requirements Engineering (AIRE), pages 17-18, 2016
• Kafali, O., Ajmeri, N., and Singh, M.P.. Normative Requirements in Sociotechnical Systems. Proceedings of the 9th International Workshop on Requirements Engineering and Law (RELAW), pages 259-260, 2016
• Kafali, O., Ajmeri, N., and Singh, M.P.. Kont: Computing Tradeoffs in Normative Multiagent Systems. Proceedings of the 31st Conference on Artificial Intelligence (AAAI), 2017
• Kafali, O., Jones, J, Petruso, M., Williams, L., and Singh, M.P.. How Good is a Security Policy against Real Breaches? A HIPAA Case Study. Proceedings of the 39th International Conference on Software Engineering (ICSE), 2017
• King, T.C., Gunay, A., Chopra, A.K., and Singh, M.P., Tosca: Operationalizing Commitments Over Information Protocols. Proceedings of the 26th International Joint Conference on Artificial Intelligence (IJCAI), Melbourne, 9 pages, August 2017
• Lawson, P. & Mayhorn, C.B. Interaction of personality and persuasion tactics in email phishing attacks. Proceedings of the Human Factors and Ergonomics Society 61st Annual Meeting.  Santa Monica, CA: Human Factors and Ergonomics Society
• Liu, S., Reiter, M.K., Sekar, V..  2017.  Flow reconnaissance via timing attacks on SDN switches. 37th IEEE International Conference on Distributed Computing Systems
• López Fogués, R., Murukannaiah, P.K., Such, J.M., Singh, M.P.. Understanding Sharing Policies in Multiparty Scenarios: Incorporating Context, Preferences, and Arguments into Decision Making. ACM Transactions on Computer-Human Interaction (TOCHI), 2017
• Mashayekhi, M., Du, H., List, G.F., and Singh, M.P.. “Silk: A Simulation Study of Regulating Open Normative Multiagent Systems.” Proceedings of the 25th International Joint Conference on Artificial Intelligence (IJCAI). New York: IJCAI, July 2016
• Munaiah, N., Meneely, A., Short, B., Wilson, R., Tice, J.  2016.  Are Intrusion Detection Studies Evaluated Consistently? A Systematic Literature Review :18.
• Munaiah, N., Meneely, A.  2016.  Beyond the Attack Surface: Assessing Security Risk with Random Walks on Call Graphs. Proceedings of the 2nd International Workshop on Software Protection
• Murukannaiah, P., Staddon, J., Lipford, H., Knijnenburg, B..  2016.  PrIncipedia: A Privacy Incidents Encyclopedia. Privacy Law Scholars Conference.
• Nadkarni, A., Andow, B., Enck, W., Jha, S.  2016.  Practical DIFC Enforcement on Android. USENIX Security Symposium
• Murukannaiah, P., Staddon, J., Lipford, H. Kinijnenberg, B.  "Is this a privacy incident? Using news exemplars to study end user perceptions of privacy incidents", Usable Security Mini Conference (USEC) 2017.
• Pearson, C.J., Welk, A.K., Boettcher, W.A., Mayer, R.C., Streck, S., Simons-Rudolph, J.M., Mayhorn, C.B..  2016.  Differences in Trust Between Human and Automated Decision Aids. Proceedings of the Symposium and Bootcamp on the Science of Security. :95–98. doi: 10.1145/2898375.2898385
• Pearson, C. J., Welk, A. K., Mayhorn, C. B..  2016.  In Automation We Trust? Identifying Varying Levels of Trust in Human and Automated Information Sources. Human Factors and Ergonomics Society. :201-205
• Rahman, M.A., Al Faroq, A., Datta, A., and Al-Shaer, E., Automated Synthesis of Resiliency Configurations for Cyber Networks, IEEE Conference on Communications and Network Security (CNS), Philadelphia, Pennsylvania, USA, October 2016.
• Rahman, M.A., Jakaria, AHM, and Al-Shaer, E, "Formal Analysis for Dependable Supervisory Control and Data Acquisition in Smart Grids", The 46th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Toulouse, France, June 2016
• Rahman, A., Pradhan, P., Parth., A., and Williams, L., Predicting Android Application Security and Privacy Risk With Static Code Metrics, Short paper, 4th IEEE/ACM International Conference on Mobile Software Engineering and Systems, Buenos Aires
• Rahman, A., Parth., A., Meder, D., and Williams, L., Which Factors Influence Usage of Build Automation Tools? International Conference on Software Engineering (ICSE), 3rd International Workshop on Rapid Continuous Software Engineering (RCoSE) 2017, Buenos Aires, Argentina
• Shu, R., Wang, P., Gorski III, B.A., Andow, B., Nadkarni, A., Deshotels, L., Gionta, J., Enck, W., Gu, X.  2016.  A Study of Security Isolation Techniques. ACM Computing Surveys (CSUR). doi: 10.1145/2988545
• Shu, R., Gu, X., Enck, W..  2017.  A Study of Security Vulnerabilities on Docker Hub. Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY). doi: 10.1145/3029806.3029832
• Singh, M.P. and Chopra, A.K.. The Internet of Things and Multiagent Systems: Decentralized Intelligence in Distributed Computing. Proceedings of the 37th IEEE International Conference on Distributed Computing Systems (ICDCS). Blue Sky Thinking Track. Atlanta: IEEE,  2017, pages 1738–1747
• Staddon, J., "Privacy Incidents Database: the data mining challenges and opportunities", Cyber Security Practitioner, November 2016.  Available at: http://www.cecileparkmedia.com/cyber-security-practitioner/article_template.asp?Contents=Yes&from=cslp&ID=211
• St. Amant, R. and Roberts, D.L.. Natural Interaction for Bot Detection. IEEE Internet Computing ( Volume: 20, Issue: 4, July-Aug. 2016 )
• Theisen, C., “Reusing Stack Traces: Automated Attack Surface Approximation”, 38th International Conference on Software Engineering - Doctoral Symposium
• Theisen, C., Williams, L., Murphy-Hill, E., and Oliver, K., “Software Security Education at Scale”, Companion Proceedings of the 38th International Conference on Software Engineering
• Theisen, C., Murphy, B., Kerzig, K., Williams, L., Risk-Based Attack Surface Approximation: How Much Data is Enough?, International Conference on Software Engineering (ICSE) Software Engineering in Practice (SEIP) 2017, Buenos Aires, Argentina
• Xiong, A., Yang, W., Li, N., & Proctor, R. W. (2016). Ineffectiveness of domain highlighting as a tool to help users identify phishing webpages. Talk presentated at the 60th Annual Meeting of Human Factors and Ergonomics Society, Washington, DC, September. (nominated for the for the HFES 2016 Marc Resnick Best Paper Competition)
• Xiong, A., Li, N., Zou, W., & Proctor, R. W. Tracking users’ fixations when evaluating the validity of a web site. Talk presented at the 7th International Conference on Applied Human Factors and Ergonomics (AHFE), OrlandO., FL, July
• Xiong, A., Proctor, R. W., Yang, W., & Li, N.  Is domain highlighting actually helpful in identifying phishing webpages?  Human Factors: The Journal of the Human Factors and Ergonomics Society
• Xiong, A., Proctor, R. W., Li, N., & Yang, W. (2016, November). Use of warnings for instructing users how to detect phishing webpages. Talk presented at the 46th Annual Meeting of the Society for Computers in Psychology (SCiP), Boston, MA
• Yang, W., Xiong, A., Chen, J., Proctor, R.W., Li, N..  2017.  Use of Phishing Training to Improve Security Warning Compliance: Evidence from a Field Experiment. doi: 10.1145/3055305.3055310
• Zielinska, O., Welk, A., Mayhorn, C.B., Murphy-Hill, E..  2016.  The Persuasive Phish: Examining the Social Psychological Principles Hidden in Phishing Emails. Proceedings of the Symposium and Bootcamp on the Science of Security. :126–126. doi: 10.1145/2898375.2898382
• Zielinska, O.A., Welk, A. K., Murphy-Hill, E. & Mayhorn, C. B. (2016). A temporal analysis of persuasion principles in phishing emails. Proceedings of the Human Factors and Ergonomics Society 60th Annual Meeting.  Santa Monica, CA: Human Factors and Ergonomics Society

D). Community Engagements

• Lablet research has contributed to the development of datasets for research. Specifically,
  • Our Privacy Incidents Database is an open research dataset, under development, of known privacy incidents.
  • Our metrics research has contributed to the Vulnerability History Project, an open research dataset of vulnerabilities.
• Lablet researchers gave numerous presentations at conferences and workshops emphasizing not only computer science but also other fields relevant to cybersecurity such as psychology and human factors. These presentations promoted the Science of Security. Some highlights are these:
  • On the Privacy Incidents Database at Indiana University's Center for Applied Cybersecurity Research in October 2016.
  • On norms and analysis of breach reports at the Carolina Privacy Officials Network (CPON) members and the International Association of Privacy Professionals (IAPP) meeting in April 2017.
  • On the Science of Security through a keynote presentation at the flagship software engineering conference, the Foundations of Software Engineering in September 2017.
• Lablet researchers developed and extended collaborations with researchers outside of the four lablets.
  • We continued our international collaboration with researchers at Lancaster University in UK and at a number of institutions in the US.
• Some Lablet research has garnered media attention.
  • Our work on smart isolation was identified by The Morning Paper blog and on ACM’s official Twitter feed.
• The Lablet hosted two workshops targeted at industry and government practitioners.
  • We hosted our Industry Community Day on October 20, 2016.  This event included 18 fast-paced student presentations, a poster session, and presentations from industry representatives to NC State Lablet researchers.  The goal of this annual event is to build collaborative relationships between our researchers and external organizations.
  • We hosted our annual Healthcate IT Forum on April 12, 2017.  The forum included invited talks and moderated discussions between four industry influencers and NC State Lablet researchers.
  • We hosted a Summer Workshop on June 21-22, 2017 for Lablet faculty, postdocs, and students, as well as guests from industry, academic IT practitioners, and government, including the Laboratory for Analytic Sciences. The workshop program included keynote lectures, one each from industry and academia, as well as a panel of security professionals from government (HHS), nonprofits (RTI), technology sector (Cisco), and finance sector (Credit Suisse). The workshop included tutorials on scientific methodology as well as sessions on a methodological critique of recent security papers.
• Additional engagement with industry and government:
  • Lablet researchers had several discussions with and gave presentations to industry researchers and practitioners.
  • Lablet researchers engaged with government researchers and practitioners, including those working for the NSA, the FBI, and the Department of Health and Human Services (HHS). We also interacted with academic practitioners, such as in university and college-level IT organizations.

E). Educational

Lablet funding has supported the training of multiple graduate students toward their MS and PhD degrees. The Lablet has driven these students toward principled, scientific approaches to their research.  Additionally, students have contributed research efforts through independent study projects and collaborative activities with other non-lablet research projects.  the NC State Lablet has also supported several Research Experiences for Undergraduates (REU) students who have made significant contributions.

Lablet research has influenced courses at the participating institutions. Specifically,

• At RIT, we incorporated our metrics research in Engineering Secure Software, a required course for software engineering majors.
• At RIT, we incorporated a discussion of tradeoffs with respect to security metrics in a course on Software Performance Engineering.
• At NCSU, we adopted problems and methods identified through our research on norms and breach reports as exemplars in an undergraduate course on Privacy.
• At NCSU, we adopted cybersecurity problems as exemplars for a combined graduate and undergraduate course in Social Computing.
• At NCSU, we added modules on cloud security in a graduate level course on security.
• At NCSU, findings on resilience requirements were incorporated into security discussions in a cloud computing course.
• At UNCC, we introduced cyber resiliency into graduate and undergraduate courses.
• At UNCC, we introduced reactive policy into a graduate course.

Students who participated in the Lablet have taken up research and faculty positions, including at RIT and William and Mary.

Project-specific educational and curriculum outcomes:

• Security Metrics and Models

  • Attack Surface and Defense-in-Depth Metrics

    • This work is shaping a course called Engineering Secure Software, a required course at RIT for all software engineering majors.
  • Systematization of Knowledge from Intrusion Detection Models
    • Based on the results from this work, we introduced cyber resiliency into graduate and undergraduate courses at UNCC.
    • This work has changed some of the ways that RIT teaches security and performance engineering in the Department of Software Engineering.
    • Also at RIT, the discussion of trade-offs appears in a current course called Software Performance Engineering, and will help students discern the scientific literature on intrusion detection research.
  • Vulnerability and Resilience Prediction Models
    • Results from this project, along with the Resilience Requirements, Design, and Testing project, have been incorporated into the security module of a cloud computing course at NCSU.

• Humans

  • Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability

     

  • A Human Information-Processing Analysis of Online Deception Detection

     

• Policy
  • Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems
    • We have used results from modeling the adoption of security practices in software development and the sanctioning mechanisms that may promote greater adoption of these practices among developers to guide new topics in our Social Computing course at NCSU.
  • Formal Specification and Analysis of Security-Critical Norms and Policies
    • We have used sociotechnical cybersecurity problems as exemplars for a combined graduate and undergraduate course in Social Computing at NCSU.
  • Scientific Understanding of Policy Complexity
    • We adopted problems and methods identified through our research on norms and breach reports as exemplars in an undergraduate course on Privacy.

• Resilient Architectures

  • Resilience Requirements, Design, and Testing

    • Results from this project, along with the Vulnerability and Resilience Prediction Models project, have been incorporated into the security module of a cloud computing course at NCSU.
  • Redundancy for Network Intrusion Prevention Systems (NIPS)

     

  • Smart Isolation in Large-Scale Production Computing Infrastructures
    • We have added new class modules on cloud security in the graduate level classes the PIs regularly teach at NCSU.
  • Automated Synthesis of Resilient Architectures
    • Based on the results from this work and the High-Assurance Active Cyber Defense project, we introduced reactivtive security policy into a graduate course at UNCC.
  • High-Assurance Active Cyber Defense Policies for Auto-Resiliency
    • Based on the results from this work and the Automated Synthesis project, we introduced reactivtive security policy into a graduate course at UNCC.