Hot Topics in the Science of Security Symposium (HotSoS)

These presentations are part of the Works-in-Progress session. Manuscript titles and abstracts are redacted, per authors preference, until the work has been published.

Works-in-Progress Session 1: Tuesday, April 4 | 1135 to 1305 CDT

ATTACK SCENARIOS (full title not shown)

Slides and recording unavailable.

Industrial Control Systems (ICS) are a highly valuable target for cyber attacks. The number of cyber attacks on ICS is growing every year and, with each major attack, the impact is becoming more severe. The damage of such attacks directly transfers into the physical operations and results in higher average economic impact. Recent cyber attacks have shown that a single average attack can reach tens of millions of USD. Realistic attack scenarios will allow to study real-life cyber attacks in a contained environment and develop defences, capable of detecting advanced threat actors. Common scenarios against which defences can be evaluated and compared. This is a work-in-progress paper, that presents ongoing research, aimed at understanding the attack paths, including paths of least resistance, and generating real-life reference scenarios for the cyber attackers of different skillset breaching the industrial networks. The research goal is to create a capacity to generate a range of realistic scenarios with specific conditions, nuances, and constraints, such as the shortest path, least cost, most impact, etc. Generated attacks cover already existing attacks and the attacks that have never happened before but are possible.

Stanislav Abaimov is a research associate at the Department of Computer Science, University of Bristol. He received a PhD in Cyber Security and Electronic Engineering from the University of Rome, Tor Vergata; and earned a degree of MSc in Information Security at the Royal Holloway, University of London. Stanislav’s research area is related to the security of industrial control systems and machine learning application for cyber defence.

Joseph Gardiner is a Research Associate as part of the Bristol Cyber Security Group at the University of Bristol. His research covers the security of cyber physical systems, with a focus on industrial control systems and IIoT. His primary areas of focus are attack discovery within ICS, asset discovery in OT networks and digital forensics in industrial devices. He is also currently working towards a PhD at Lancaster University with a focus on security in software defined networks.

EFFICACY OF PHISHING (full title not shown)

Slides and recording available here.

The advent of Single Sign-On (“SSO”) over a decade ago has facilitated secure identity management and eased the burden of security on end-users by allowing a single set of user credentials to access multiple applications. SSO is arguably the de facto standard in enterprise and organizational settings where many users have access to a suite of third-party services such as document management and telecommunication software.

Despite its popularity, SSO authentication measures seem to make a critical assumption: that end users handling requests such as login confirmations will always act in a manner consistent with security best practices. Indeed, recent trends suggest that this assumption does not hold, and users may unknowingly or otherwise inadvertently approve login confirmations for users other than themselves, thereby improving the chance of successful phishing or otherwise malicious activity. While this mistake may stem from insufficient user training, it nevertheless poses a significant entry point for malicious actors even in the face of security mechanisms.

In this paper, we develop a model of the “Semi-Untrusted User” problem and discuss how errant login request approvals can lead to compromised user accounts and possibly wider breaches of SSO services. We identify the requirements for a solution that can mitigate this issue, and propose a simple mechanism to prevent mishandled login requests. Briefly, we develop a login page that is unavailable (i.e. not visible or returns 404) to unauthorized users so that malicious actors cannot use these credentials without enrolling the device requesting login, which in turn requires an already trusted device for the account of the user in question (e.g. TOTP or similar time-bound primitive).

Michael Sandborn is a graduate research assistant in computer science and Russell G. Hamilton Scholar at Vanderbilt University. He is advised by Dr. Jules White who leads the Magnum Research Group. Michael's research focuses on cyber-physical systems and computer security and aims to improve the security guarantees of authentication methods in both cyber and physical domains.

Works-in-Progress Session 2: Wednesday, April 5 | 1120 to 1250 CDT

VERIFICATION OF CYBER EMULATION EXPERIMENTS (full title not shown)

Slides and recording available here.

Virtual machine emulation environments provide ideal testbeds for cybersecurity evaluations because they run real software binaries in a scalable, offline test setting that is suitable for assessing the impacts of software security flaws on the system. Verification of such emulations determines whether the environment is working as intended. Verification can focus on various aspects such as timing realism, traffic realism, and resource realism. In this paper, we study resource realism and issues associated with virtual machine resource utilization. By examining telemetry metrics gathered from a series of structured experiments. These experiments involve large numbers of parallel emulations meant to oversubscribe resources at some point. We present an approach to use telemetry metrics for emulation verification, and we demonstrate this approach on two cyber scenarios. Descriptions of the experimental configurations are provided along with a detailed discussion of statistical tests used to compare telemetry metrics. Results demonstrate the potential for a structured experimental framework, combined with statistical analysis of telemetry metrics, to support emulation verification.We conclude with comments on generalizability and potential future work.

Jamie Thorpe is a cybersecurity researcher at Sandia National Laboratories in Albuquerque, New Mexico, where she works to develop tools needed to help build and analyze models of cyber-physical systems, such as power systems. Her research interests include cyber resilience metrics, system model development, data analysis for emulated environments, and emulation verification.

Laura Swiler is a computational scientist at Sandia National Laboratories whose research focuses on quantifying the uncertainty associated with predictions from models. Her research interests include experimental design, sampling algorithms, Bayesian inference, and surrogate models. Laura has worked on many application areas, including nuclear waste repository assessment, circuit model calibration, additive manufacturing, and cyber emulation.

Thomas Tarman is a distinguished member of the technical staff at Sandia National Laboratories in Albuquerque, New Mexico, where he leads research in virtualization and rigorous cyber experimentation methodologies, with application to high-consequence cyber systems. His research interests are in network modeling and simulation, hybrid simulation-emulation-physical testbeds for cyber-security research, and network security protocols.

CYBERSECURITY INCIDENT RESPONSE (full title not shown)

Slides and recording available here.

Cybersecurity incident response (CSIR) is an integral part of the organization’s risk management strategy to reduce the damage to the network after the initial breach. In spite of the great financial interest and the recent developments, CSIR remains a rather complex process. In particular, the existing literature lacks a quantitative approach that can effectively deal with the complex, uncertain, and rapidly changing nature of cyberattacks. In this work, we developed a model-based approach that seeks to address part of this challenge. The approach allows the defender to (i) aggregate noisy, incomplete, and sometimes conflicting information about the attack and, without fully knowing the scope of the attack, (ii) come up with a containment plan that minimizes the impact of the attack on the network and the cost of making wrong containment decisions based on inaccurate information. We illustrated the approach using an example of a small network and discussed ideas for the future work.

Hoang Hai Nguyen is a fifth year Ph.D. student in Computer Engineering at the University of Illinois at Urbana-Champaign (UIUC). His research at UIUC lies at the intersection between network security, graph theory, probability theory, and quantitative risk.

 

Works-in-Progress Session 3: Thursday, April 6 | 1150 to 1320 CDT

RESILIENCE AND MULTI-UAV SYSTEMS (full title not shown)

Slides and recording available here.

Unmanned Aerial Vehicles (UAVs) are gaining popularity for distributed systems used for a variety of tasks, such as inspection of dangerous environments, surveillance, and pursuit of a target. These systems use distributed machine learning algorithms to cooperate towards achieving an objective and are prone to denial of service (DoS) and integrity attacks. In this paper, we integrate a messaging mechanism and a coordination algorithm based on stochastic gradient descent (SGD) in a multi-agent network for target pursuit resilient against such attacks. The network consists of agents sending messages containing local data and estimates and uses the SGD algorithm to optimize the global loss by aggregating state estimates from immediate neighbors. The network can suffer from a denial of service (DoS) attack to disrupt the ordering of messages or an integrity attack where one agent sends arbitrary estimates to neighbors to disrupt the convergence of normal agents towards an optimal state. The messaging mechanism uses Hashgraph, a distributed ledger technology, to guarantee a correct ordering of messages. The SGD algorithm uses a centerpoint-based aggregation for converging to a target in the presence of compromised agents. We evaluate the approach using scenarios of target pursuit for multi-UAV systems using simulations in Microsoft Air- Sim with PX4 flight controllers. The evaluation results demonstrate cases for which the multi-agent system under attack is resilient and converges to the approximate optimal state.

Nicholas Potteiger is a Ph.D. candidate in computer science at Vanderbilt University. His current research interests are towards the resilience of cooperative learning algorithms in multi-agent systems.

MIXED-AUTONOMY VEHICULAR TRAFFIC (full title not shown)

Slides and recording unavailable.

abstract redacted

George Gunter is a PhD student in the Civil and Environmental Engineering Department, as well as a member of the Institute for Software Integrated Systems at Vanderbilt University. George's research interests are in the intersection of cyber-physical systems and the built environment with a special focus on the implications of automated vehicles on transportation system performance.