Predicting the Difficulty of Compromise through How Attackers Discover Vulnerabilities

PI(s), Co-PI(s), Researchers:

HARD PROBLEM(S) ADDRESSED

  • Metrics

PUBLICATIONS

Justin Pelletier, Nuthan Munaiah, Shau-Hsuan Su, S. Jay Yang, Andrew Meneely. 2019. A Cybersecurity Dataset Derived from the National Collegiate Penetration Testing Competition. HICSS Symposium on Cybersecurity Big Data Analytics, to appear.

KEY HIGHLIGHTS

  • We collected a massive data set from a national collegiate penetration testing competition. Nine teams from schools across the United States performed coordinated sets of network and device penetration attempts during the 2018 National Collegiate Penetration Testing Competition (CPTC). During the ten-hour attack window, the teams generated an aggregate of more than 300GB of alert logs across duplicate networks consisting of 252 virtual machines in total. We captured and made available full images of 99 virtual machines (as .vmdk) and approximately 200GB of alert log data (as JSON) for the six teams who consented to allow their data to be published in this academic research. The inclusion of virtual machine instances along with network alert data is a novel contribution to the research community.
  • We are using the national collegiate penetration testing competition data set to provide a fine-grained history of vulnerability discovery and exploitation. With this data, we can enrich our models of the attack surface, which will in turn lead to more robust metrics of difficulty to compromise. Because the data comes from a competition in which every team was assigned the same systems and evaluated on its attacks, estimates of difficulty to compromise will be derived by correlating the competition evaluation data with the alert and virtual machine data.
  • We are conducting a study to aid security testers in exploiting vulnerabilities in software by synthesizing the attack mechanisms used against open source software. Security testers often perform a series of operations to exploit a vulnerability in software source code. By characterizing these operations, we will identify patterns of tools and techniques used to exploit a vulnerability. This information will help security testers detect vulnerabilities before code changes are integrated and deployed. We are currently investigating security reports archived in open source software bug trackers, such as the Bugzilla reports hosted by Mozilla, to characterize what steps are executed to exploit a vulnerability. We are using the Structured Threat Information eXpression (STIX) format to record and standardize the steps needed to exploit a vulnerability.
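The last highlight describes recording exploitation steps from bug reports in STIX. The following is an added example, not the project's code, of what such a record can look like in STIX 2.1 using only the Python standard library: one `vulnerability` object for the report, one `attack-pattern` object per step (ordered through `kill_chain_phases`), and a `targets` relationship linking each step to the vulnerability, followed by a structural validator and a function that reads the ordered steps back out. The tracker name, bug id, vulnerability name, the kill-chain name `example-exploit-steps` and the step texts are all constructed placeholders.

```python
"""Record vulnerability-exploitation steps as a STIX 2.1 bundle.

Added example (not the project's code). Builds one ``vulnerability``
object, one ``attack-pattern`` per step and ``targets`` relationships,
then validates the bundle and recovers the ordered steps from it.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: "<type>--<uuid>"; timestamps are RFC 3339 in UTC.
STIX_ID_RE = re.compile(
    r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
STIX_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")

# Constructed sample input: a placeholder tracker, bug id and generic
# analysis steps (none of these values come from a real report).
SAMPLE_REPORT = {
    "source_name": "bugzilla-example",            # placeholder tracker name
    "external_id": "EXAMPLE-0001",                # placeholder bug id
    "name": "Out-of-bounds read in example image parser",  # hypothetical
    "steps": [
        "Reproduce the crash with the test case attached to the report",
        "Identify the component and input field that reaches the faulty code",
        "Confirm the affected release range against the project's tags",
    ],
}


def _now():
    """Current UTC time with millisecond precision, as STIX expects."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _sdo(obj_type, **props):
    """Common STIX 2.1 properties plus the object-specific ones."""
    ts = _now()
    base = {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    base.update(props)
    return base


def build_bundle(report):
    """Turn a report dict (see SAMPLE_REPORT) into a STIX 2.1 bundle."""
    vuln = _sdo("vulnerability", name=report["name"],
                external_references=[{"source_name": report["source_name"],
                                      "external_id": report["external_id"]}])
    objects = [vuln]
    for index, text in enumerate(report["steps"], start=1):
        # The kill-chain phase carries the step order; the name is a placeholder.
        pattern = _sdo("attack-pattern", name=f"Step {index}", description=text,
                       kill_chain_phases=[{"kill_chain_name": "example-exploit-steps",
                                           "phase_name": f"step-{index:02d}"}])
        rel = _sdo("relationship", relationship_type="targets",
                   source_ref=pattern["id"], target_ref=vuln["id"])
        objects += [pattern, rel]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not STIX_ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            problems.append(f"bad id {o['id']}")
        if o.get("spec_version") != "2.1":
            problems.append(f"missing spec_version on {o['id']}")
        for key in ("created", "modified"):
            if not STIX_TS_RE.match(o.get(key, "")):
                problems.append(f"bad {key} on {o['id']}")
        if o["type"] == "relationship":
            for ref in (o["source_ref"], o["target_ref"]):
                if ref not in ids:
                    problems.append(f"dangling reference {ref}")
    return problems


def ordered_steps(bundle):
    """Recover the step descriptions in kill-chain phase order."""
    patterns = [o for o in bundle["objects"] if o["type"] == "attack-pattern"]
    patterns.sort(key=lambda o: o["kill_chain_phases"][0]["phase_name"])
    return [o["description"] for o in patterns]


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_REPORT)
    assert validate_bundle(bundle) == []
    print(json.dumps(bundle, indent=2))
```

Keeping the step order in `kill_chain_phases` rather than in object position means the steps survive being merged into a larger bundle or stored in a graph database, and the `targets` relationships let a consumer ask which recorded steps apply to a given vulnerability without parsing free text.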

COMMUNITY ENGAGEMENT

  • Nuthan Munaiah worked on the monitoring team at the regional CPTC and at the national CPTC, which were the sources of this data.

EDUCATIONAL ADVANCES

  • The national collegiate penetration testing competition data set has now been released alongside our publication and can be used in the classroom.