Predicting the Difficulty of Compromise through How Attackers Discover Vulnerabilities

PI(s), Co-PI(s), Researchers:

PI: Andrew Meneely; Co-PI: Laurie Williams; Researchers: Nuthan Munaiah and Nasif Imtiaz

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

• Metrics

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

• Nuthan Munaiah, Akond Rahman, Justin Pelletier, Laurie Williams and Andrew Meneely. "Characterizing Attacker Behavior in a Cybersecurity Penetration Testing Competition." In proceedings of the 13th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (New Ideas and Emerging Results track), Porto de Galinhas, Sep 2019, pages 1--6.

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

• We completed our collection and analysis of the CPTC 2018 data set, and have logged events and reported vulnerabilities. We classified each event as part of the MITRE ATT&CK framework.
• We are continuing our instrumentation for collecting data from CPTC 2019 in November. We have created example infrastructures and tested out our monitoring tools.
• We analyzed the Coverity static analysis alert history for five products: Linux, Firefox, Samba, Kodi, and Ovirt-engine to gain understanding on how developers interact with static analysis tools.
• We have begun our analysis of stacktraces in Red Hat data to discover attack surface insights.

COMMUNITY ENGAGEMENT

• Andy Meneely presented our ESEM NIER paper in Porto de Galinhas, Brazil

EDUCATIONAL ADVANCES:

• None.