Visible to the public SoS Quarterly Summary Report - NCSU - January 2017Conflict Detection Enabled

Lablet Summary Report
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

A). Fundamental Research Highlights
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem".

  • For the metrics hard problem, we have accomplished the following:
    • We have developed a game-theoretic model for the setting of collaborative intrusion detection in which intrusion detection systems (IDSs) can collaborate to detect attacks but, because of privacy concerns, may not share information fully. We have quantified the tradeoff between collaboration utility and privacy, and shown that in an optimal response strategy for IDSs is to share a nonzero amount of information
    • We have developed a tool for computing metrics, especially for attack surface and defense in depth, that enable engineering secure software.
    • We proposed Semaver, an ontology-based framework to understand how well security breaches that arise in practice would be avoided by stated security policies. We consider two types of breaches: accidental misuses and malicious misuses where adversaries exploit vulnerabilities. We investigated 1,577 healthcare breaches reported by the US Department of Health and Human Services (HHS) and found that 44% of the breaches are accidental misuses. We also found that US Health Insurance Portability and Accountability Act (HIPAA) policies do not account for accidental misuses as effectively as they do malicious misuse
  • For the humans hard problem, we have accomplished the following:
    • Following on our previous findings regarding decision support for resisting phishing attacks, we found that users' quality of decision making improves as the decision support tool becomes better but their subjective trust in the tool improves only when they are explicitly informed about the (enhanced) reliability of the improved tool.
    • We conducted an empirical study relating users' personality with their susceptibility to phishing messages that exploit principles of persuasion. We found that extraversion correlates with susceptibility to phishing.
    • We investigated multiuser privacy scenarios, in which a decision is to be made that affects the privacy of two or more users. Specifically, we studied how users decide which sharing policy to adopt for sharing a photo that shows all of them. From an empirical study of nearly 1,000 subjects, we found that contextual factors, user preferences, and arguments influence the optimal sharing policy in a multiuser scenario.
  • For the resilience hard problem, we have accomplished the following:
    • We followed up on our previous work on the flow-reconnaissance vulnerability for software defined networks (SDNs), which arises when an adversary injects flows into the network and monitors the time taken by the SDN switch to determine whether covering rules for those flows already existed. We showed how an adversary could optimize its information gain by determining injected flows that reveal most about the SDN state. This study brings up a new potential challenge to realizing resilient architectures over SDNs.
    • We developed a verification technique for active cyber defense (ACD) that verifies whether a specified ACD strategy is correct (the reconfigurations generated through the strategy are mutually consistent) and enforceable (the proposed reconfigurations satisfy network constraints on any resources).
    • We developed and evaluated the feasibility of an approach based on programming by example to create information flow policies that help isolate a user's data based on user preferences. Our results indicate that an automated approach for policy creation is promising for helping control information flow between applications.
  • For the policy hard problem, we have accomplished the following:
    • We conducted an empirical study of how nontechnical users understand privacy incidents. We found that users do not precisely delineate security and privacy and consider legal aspects as within the realm of privacy.
    • We discovered that SEAndroid policies from six OEMs all suffer from shortcomings, including over-permissive policies and policies that combine to yield unintended privilege escalation.
    • We developed an approach for representing specifications of sociotechnical systems using norms that can support comparing these specifications with respect to their success in meeting stakeholder requirements.
    • We developed a multiagent decision model of a software development organization as a way of understanding what factors influence the adoption of security practices in software development. This model underlies an agent-based simulation framework to support investigations on it of hypotheses concerning observed security practices and relevant control variables.

B). Community Interaction
Work to explain or extend scientific rigor in the community culture. Workshops, Seminars, Competitions, etc.

  • We held our annual Industry Day in October, where 15 lablet students presented their research to an audience of industry and government researchers and practitioners. (Student presentations were in the Pecha Kucha format, which limits presentations to 20 slides that auto advance at 20 seconds each.) The program included some industry presentations.

  • We launched a survey to assess the impact of participation in Lablet research on students and alumni. Preliminary results indicate 100% transition to the US workforce in academia and industry.

C. Educational
Any changes to curriculum at your school or elsewhere that indicates an increased training or rigor in security research.

  • Straddling the community and educational aspects, we continued our study of the maturity as science of published research into cybersecurity. We found that although empirical evaluations are common, researchers often do not identify their research objectives, demonstrate replicability of their evaluations, and identify threats to validity of their findings.

  • Some undergraduate and graduates students in a new course on Social Computing used cybersecurity games as a project theme with mentoring by Lablet researchers.

D. Publications
All work published during the reporting quarter.

[1] Mohammad Alsaleh and Ehab Al-Shaer. Towards Automated Verification of Active Cyber Defense Strategies on Software Defined Networks. ACM SafeConfig '16 Proceedings of the 2016 ACM Workshop on Automated Decision Making for Cyber Defense, October 2016.

[2] Jing Chen, Robert W. Proctor, and Ninghui Li. (2016, November). Human trust in automation in a phishing context. Talk presented at 46th Annual Meeting of the Society for Computers in Psychology (SCiP), Boston, MA.

[3] Ricard Lopez Fogues, Pradeep K. Murukannaiah, Jose M. Such, and Munindar P. Singh. Understanding Sharing Policies in Multiparty Scenarios: Incorporating Context, Preferences, and Arguments into Decision Making. ACM Transactions on Computer-Human Interaction (TOCHI), 2017, To appear.

[4] Ozgur Kafali, Nirav Ajmeri, and Munindar P. Singh. Kont: Computing Tradeoffs in Normative Multiagent Systems. Proceedings of the 31st Conference on Artificial Intelligence (AAAI), 2017.

[5] Ozgur Kafali, Jasmine Jones, Megan Petruso, Laurie Williams, and Munindar P. Singh. How Good is a Security Policy against Real Breaches? A HIPAA Case Study. Proceedings of the 39th International Conference on Software Engineering (ICSE), 2017.

[6] Rui Shu, Peipei Wang, Sigmund A. Gorski III, Benjamin Andow, Adwait Nadkarni, Luke Deshotels, Jason Gionta, William Enck, and Xiaohui Gu. A Study of Security Isolation Techniques. ACM Computing Surveys (CSUR), 2016. DOI: 10.1145/2988545

[7] Jessica Staddon. Privacy Incidents Database: The data mining challenges and opportunities. Cyber Security Practitioner, November 2016.

[8] Aiping Xiong, Robert W. Proctor, Ninghui Li, and Weining Yang. Use of warnings for instructing users how to detect phishing webpages. Talk presented at the 46th Annual Meeting of the Society for Computers in Psychology (SCiP), November 2016, Boston, MA.

[9] Aiping Xiong, Robert W. Proctor, Weining Yang, and Ninghui Li. Is domain highlighting actually helpful in identifying phishing webpages? Human Factors: The Journal of the Human Factors and Ergonomics Society, In press.