Visible to the public Lablet Quarterly Meeting CMU Report 2017Conflict Detection Enabled

Science of Security Lablet Quarterly Meeting

Pittsburgh, PA

July 11, 2017

Researchers, NSA meet, discuss Science of Security theory and practice

The summer 2017 quarterly Science of Security (SoS) Lablet meeting was held at Carnegie Mellon University on July 10 and 11. Bill Scherlis, Principle Investigator at CMU, hosted it. This session, the last under the initial Science of Security project, included a panel discussion focused on the current state of the Science of Security. Each Lablet presented an update on the results of research they and their collaborators have performed and five technical papers were presented.

NSA's Science of Security & Privacy Technical Director provided a program update. He outlined each Lablets' work. Each SoS project Lablet is a small transdisciplinary Lab for research and to build a science of cybersecurity. About a fifth of the research has been done in collaboration with other institutions. While research has focused on the 5 Hard Problems, it also applies to such areas of concern as access control, IoT, sandboxing, adversary-supplied code, monitoring, privacy, mitigation, and others. Related projects include Vanderbilt's SURE resiliency initiative, the Best Cybersecurity Paper competition and Intel's International Science and Engineering Fair (ISEF), where high school students are recognized for accomplishment in scientific cybersecurity research. The SoS project includes 138 lablets, sub-lablets, SURE, and collaborators on 5 continents and in 30 countries.

The panel discussion "A Retrospective: Lessons Learned on the Lablets" featured five NSA researchers who have participated in and monitored the program since its inception. Questions discussed included how each panelist defines Science of Security, whether there is or can be a standard definition, how and whether the five hard problems can be solved, and where the field goes from here. A robust interactive discussion both among the panelists and with the audience ensued. While there appeared to be consensus there is no standard definition of SoS, there was also a strong theme that there is significant value in adding rigorous methods and processes and probing for fundamental or basic principles. Some parts are mathematical and not empirical; the other side is the practical side. Most panelists described a progression in their thinking during the project and having become less wedded to the distinction between engineering and good empirical work from the mathematical. The initial concept focused on pure science, systemization of knowledge and clarification of ideas that can be a basis for advancement. The actual outcomes may not have provided complete "solutions" to the five hard problems, but there has been significant improvement both in terms of an ultimate solution and as benchmarks for the development of a Science of Security.

Summaries by the four PI's showed that Lablet research has been substantial. Michel Cukier (UMD) displayed a matrix of research by hard problem and gave specific examples from learning secure behavior; fiction as a learning experience; user centric designs for security; application of criminal justice theory to cybersecurity; measuring vulnerability patching; trustworthy and composable software; and trust.

Bill Sanders and Sayan Mitra (UIUC) described research into a hypothesis testing framework for network security; anonymous messaging; data driven model-based decision making; static-dynamic analysis of security metrics for CPS; data driven security models and analysis including preventive detection of attacks using probabilistic graphical models; science of human circumvention of security, monitoring, and a fusion and response framework to provide cyber resiliency.

Laurie Williams (NCSU) outlined projects directly related to the five hard problems. These included research into automated synthesis of resilient architectures; redundancy for network intrusion prevention systems; smart isolation in large-scale computing infrastructures; formal specifications and analysis of security-critical norms and policies; runtime reasoning about norm conflicts; scientific understanding of policy complexity; human information processing analysis of online deception detection; embedding anti-phishing training within cybersecurity warnings; leveraging the effects of cognitive function on input device analysis to distinguish human users from bots; systemization of knowledge in intrusion detection systems; and attack surface and defense in depth metrics. She also spoke about efforts in community building, co-authorship, and the development and use of rigorous scientific methodologies.

Bill Scherlis (CMU) described his Lablet's goal as to advance scientific coherence through methods, validation, and productivity and to broaden the cybersecurity technical community via educational engagement and conferences such as HotSoS. Specific research projects focus on advancing the process and methods by which science is done-systematization of processes and include security for highly configurable systems; multi-model run time analysis--focused on resiliency and related to anomaly detection, architectures and information flows; science of secure frameworks--software in a framework-based ecosystem; secure composition of systems and policies in low-level systems software; formal methods for composing policies; modules for resource control; and the Security Behavior Laboratory.

Five technical research presentations were offered. Sayan Mitra (UIUC) addressed "Optimal State Estimation and Model Detection and Applications to Security and Privacy." "Prioritizing Security Efforts with a Risk-Based Attack Surface Approximation" was offered by Chris Theisen (NC State). Jonathan Aldrich (CMU) presented "Immutability for Integrity: Combining Language Theory and the Science of Usability in Glacier." Lorrie Cranor and Sarah Pearman (CMU) presented "Observing Passwords in Their Natural Habitat." "Vulnerability Disclosure In the Age of Social Media: Exploiting Twitter for Predicting Real-world Exploits" was the work of Octavian Suciu (UMD).

A synopsis of each presentation is offered here.

These presentations are available for viewing on the Science of Security Virtual Organization website. Click on the title of the talk to recover the slide presentation.

The annual national conference on Hot Topics in the Science of Security, HotSoS, will be held in April 2018.