SoSL Projects 2014-2017

The following projects were funded during the Lablet’s second phase of funding (2014-2017).

Metrics Hard Problem Projects

Team Captain: Andy Meneely

We take security to be a composite property comprising confidentiality, integrity, and availability properties. Many aspects of confidentiality, integrity, and availability must be measured and combined to get an overall picture of a system’s security posture. Security metrics should best demonstrate causality, and be quantifiable, feasible, repeatable, objective, and validated. We will identify key existing security metrics and needs for new security metrics. We will develop measurement scales and methods for taking measurements. In addition, we will validate metrics for descriptive and predictive power in relation to security properties. This work will produce empirically validated theoretical constructs to better enable scientific and engineering communities to develop and test fundamental laws of security. Security metrics and analytics involving these metrics underlie the scientific progress and evaluation of all hard problems.

• M1: Attack Surface and Defense-in-Depth Metrics

  Investigators: Andy Meneely, Laurie Williams
  Secondary hard problem(s): Scalability and Composability; Resilience
  Goal: To understand the vulnerability proneness of composable systems by characterizing the correlation between vulnerabilities and attack surface and defense in depth metrics.
  Research Questions: What methods of composition can be employed to provide defense in depth protections? How can a value-based economic analysis of attack surface metrics and defense-in-depth metrics be used to predict vulnerabilities in systems?

• M2: Systemization of Knowledge from Intrusion Detection Models

  Investigators: Huaiyu Dai, Andy Meneely
  Secondary hard problem(s): Resilient Architectures, Scalability and Composability, Humans
  Goal: To develop and validate theories about and propose security metrics that embody fundamental intrusion detection mechanisms and attacker behaviors through a longitudinal analysis of existing and emerging models.
  Research Questions: What independent variables indicate fundamental defense mechanisms and attacker behaviors? How do attacker behaviors tend to change over time to thwart defense mechanisms, and how can defense mechanisms adapt and respond to them?

• M3: Vulnerability and Resilience Prediction Models

  Investigators: Mladen Vouk, Laurie Williams
  Secondary hard problem(s): Resilient Architectures; Scalability and Composability
  Goal: To develop a scientific understanding of which security metrics of a system can be used to accurately predict its resilience and vulnerability-proneness.
  Research Questions: What security metrics (e.g. code characteristics, pre-release validation and verification measures, metrics related to software development processes) accurately predict vulnerability-proneness and resilience of a system? How may existing software availability models be adapted to handle adversaries?

Humans Hard Problem Projects

Team Captain: Emerson Murphy-Hill

Humans are a crucial to any security ecosystem. A complete and effective SoS presupposes deep and fundamental theories of human behavior as it relates to system security. To attack this problem, we can divide humans into three main types: users, adversaries, and developers. We willstudy these three types of users; develop evidence-based models of human perception, decision making, and behavior; test the validity of these models and iteratively improve them; and finally show that these theoretical models have predictive power that can inform the design and evolution of secure systems with humans in the loop.

• H1: Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability

  Investigators: Christopher B. Mayhorn, Emerson Murphy-Hill
  Secondary hard problem(s): None
  Goal: To expand understanding of human information processing to reduce users’ vulnerabilities to phishing by developing warnings that serve to augment cognitive processing.
  Research Questions: What strategies do adversaries adopt during phishing and which are most successful? How do particular phishing attack strategies exploit human information processing? How can warnings be designed to aid people in identifying phishing deception indicators? More explicitly, how can warnings aid in directing attention to important deception-linked cues and how can decision-making be facilitated to promote information security?

• H3: A Human Information-Processing Analysis of Online Deception Detection

  Investigators: Robert W. Proctor, Ninghui Li, Emerson Murphy-Hill
  Secondary hard problem(s): None
  Goal: To expand the theory of deception detection to incorporate implicit cognitive processes that influence individual users’ judgments and decisions regarding possible online deception, as well as the explicit processes that are currently the focus of the theory.
  Research Questions: To what extent do implicit cognitive processes influence deception detection? How do those processes interact with explicit processes in determining judgments and decisions that users make? Can effective training principles and design guidelines be developed from this more comprehensive theory of deception detection?

• H4: Leveraging the Effects of Cognitive Function on Input Device Analytics to Improve Security

  Investigators: David L. Roberts, Robert St. Amant
  Secondary hard problem(s): None
  Goal: To enable new pathways to software security by identifying the principles governing how cognitive processes relate to the use of software and hardware, then leveraging that understanding to model and classify unintended (malicious or benevolent) uses.
  Research Questions: What features of mouse or keyboard usage analytics are reflective of the cognitive processes users are performing? What cognitive processes distinguish normal, benevolent use from potentially insecure (such as distracted or confused) use?

Policy Hard Problem Projects

Team Captain: Munindar Singh

We will develop a science of policies and their relationships to human behavior with a view toward uncovering principles that underlie and support effective and rigorous means for constructing and maintaining long-lived secure collaborations among two or more parties. A distinguishing feature of our envisioned approach is the study of policies in relation to high-level objectives, specifically, norms, i.e., standards of correct and secure behavior. Our overarching objective is to develop the principles underlying the specification, evaluation, revision, computation, complexity, and comprehensibility of norms and policies to achieve secure collaboration in diverse collaboration contexts. These principles will enable uses of norms and policies that improve (1) robustness, liveness, and resilience of policy-guided systems; (2) modeling, analysis, and enactment of secure behaviors; and (3) comprehensibility and effectiveness in applications.

• P1: Understanding the Effects of Norms and Policies on Robustness, Liveness, and Resilience of Systems

  Investigators: Emily Berglund, Jon Doyle, Munindar Singh
  Secondary hard problem(s): Resilient architecture
  Goal: To characterize via suitable metrics how norms and policies governing behavior of a system of heterogeneous autonomous principals (individuals or organizations) influences its robustness (difficulty faced by a principal violating its norms), liveness (ability to achieve goals and provide service), and resilience (how quickly and well it recovers from a violation).
  Research Questions: Can one predict the robustness, liveness, and resilience of a system as a function of its norms and policies and the social environment? What tradeoffs exist between robustness, liveness, and resilience that can be influenced by norms and policies?

• P2: Formal Specification and Analysis of Security - Critical Norms and Policies

  Investigators: Jon Doyle, Munindar Singh, Rada Chirkova
  Secondary hard problem(s): Scalability and Composability.
  Goal: To understand how security properties vary with norms and policies that govern the behavior of collaborators (users and organizations), to enable identification of norms and policies that achieve desired tradeoffs between security and user preferences.
  Research Questions: How can we verify whether a set of norms (1) is consistent and realizable through the policies and preferences of the collaborators, and (2) achieves specified security properties? How can we predict the difficulty of the reasoned and modular creation and maintenance of sets of norms, policies, and preferences by collaborators?

• P3: Scientific Understanding of Policy Complexity

  Investigators: Ninghui Li, Robert Proctor
  Secondary hard problem(s): Humans.
  Goal: To develop a scientific understanding of what makes security policies complex as well as metrics for measuring security policy complexity, defined as the degree of difficulty in understanding by relevant users.
  Research Questions: What is the right way to define security policy complexity? How should we measure users’ ability to understand and specify security policies? What features of policy languages or policies make them inherently more complex? Can we transform a security policy into a logically equivalent one that has lower complexity? In other words, is today’s high complexity for security policies accidental or inherent?

• P4: Privacy Incidents Database

  Investigator: Jessica Staddon
  Secondary hard problem(s): Humans, Policy
  Goal: Our project is building the first comprehensive encyclopedia and database of privacy incidents. This publicly-accessible repository will enable tracking of incident rates and characteristics such as involved entities and incident root causes. The repository will provide a resource for privacy researchers to investigate the patterns of a broad range of privacy incidents, and the incident patterns surfaced by the database will help inform privacy technology development globally.

Resilience Hard Problem Projects

Team Captain: Will Enck

Software and systems engineers must now assume that adversity (being under attack) is the normal state of affairs. There is thus a high premium on generalizable architectural approaches to assuring continuity and recovery of acceptable service in the face of attacks and partial compromises, including continued provision of specified services and non-functional properties, including but not limited to security. The purpose of resiliency architectures is to provide generalizable design and implementation frameworks for assured continuity of acceptable service through and recovery of full service after attacks. Traditional dependability has aimed to fully mask all random failures, using diversity, redundancy, adaptation, evolution, and isolation. Our work focuses on (a) clarifying the nature of resiliency, including partial masking of intentional failures; providing foundations for rigorously specifying resiliency requirements (including metrics); and architectural strategies for meeting such requirements; (b) projects in redundancy, adaptation, and isolation; and finally (c) automated synthesis of resilient security architectures.

• R1: Resilience Requirements, Design, and Testing

  Investigators: Kevin Sullivan, Mladen Vouk, Ehab Al-Shaer
  Secondary hard problem(s): Metrics.
  Goal: To precisely characterize resiliency as a non-functional property in a manner effective for security; enable precise specification of testable resiliency requirements within this framework; develop architectural and implementation strategies for assuredly meeting such requirements.
  Research Questions: How should we define resilience as a measurable non-functional property in adversarial settings? How can resilience requirements be stated precisely enough that engineers can show that implementations meet them? What architectural and implementation strategies support effective, evidence-based certification of satisfaction of such requirements?

• R2: Redundancy for Network Intrusion Prevention Systems (NIPS)

  Investigator: Mike Reiter
  Secondary hard problem(s): Metrics.
  Goal: To quantify the tradeoffs between overhead and resilience in network policy enforcement.
  Research Questions: In a network where network intrusion prevention systems (NIPS) enforce policy, can traffic routes be optimized to ensure traversal through redundant NIPS nodes without impacting throughput and latency of traffic and balancing processing load at NIPS nodes?

• R5: Smart Isolation in Large-Scale Production Computing

  Investigators: Xiaohui (Helen) Gu, William Enck
  Secondary hard problem(s): None.
  Goal: To develop smart isolation design principles to provide adaptive and proactive isolation for different tasks with varied security risks running inside a large-scale computing infrastructure.
  Research Questions: What isolation granularity is best given system requirements? When should isolation occur uniformly or differentiatedly, and passively or proactively?

• R6: Automated Synthesis of Resilient Architectures

  Investigator: Ehab Al-Shaer
  Secondary hard problem(s): Metrics.
  Goal: To enable automatic creation of compliant resilient architectures through the development of formal methods techniques and tools.
  Research Questions: What metrics are needed to synthesize resilient architectures? How can an appropriate security configuration architecture be created to satisfy a resiliency measure? Can the resulting architecture be automatically synthesized?

Evaluation

Investigators: Lindsey McGowen, David Wright, Jon Stallings

Goals: The lablet will design and implement a two-phased evaluation process for assessing the effectiveness and impact of the lablet’s research and community development activities. The evaluation will be structured around a program logic model that shows the anticipated connections between lablet activities and their ultimate impact. The motivations are ensuring accountability and guiding program management to improve outcomes.

Research Methods, Community Development, & Data Sharing:

Investigators: Jeff Carver, Lindsey McGowen, Ehab Al-shaer, Jon Stallings, Laurie Williams, David Wright

Goals: To build an extended and vibrant interdisciplinary community of science of security researchers, research methodologists, and practitioners. To create and maintain a repository of defensible scientific methods for security research. To encourage application of scientifically defensible research through various methods of consultation and feedback. To enable open, efficient, and secure sharing of data and experimental results for experimentation among SoS researchers.