Hot Research in Cybersecurity Fuels HotSoS 2016
Carnegie Mellon University hosted HotSoS 2016, the Symposium and Bootcamp on the Science of Security, on April 19-21 in Pittsburgh, PA. Researchers from multiple academic fields came together for presentations demonstrating methodical, rigorous, scientific approaches to identify, prevent, and remove cyber threats. A major focus of the conferences was on the advancement of scientific methods, including data gathering and analysis, experimental methods, and mathematical models for modeling and reasoning.
Bill Scherlis, co-PI for the Carnegie Mellon Lablet, was conference co-chair. Introducing the event, he called for participants to interact and share ideas and thoughts and to ask questions about the nature of security and the nascent science that is emerging. Stuart Krohn, the initial program manager for the Science of Security initiative at NSA, welcomed the group. Noting the government’s long-term interest and commitment to their work, he challenged them to continue to address cybersecurity using strong scientific principles and rigorous methods. Four outside speakers addressed Science of Security from the perspectives of consumer interest, government policy, industry, and on the value of a large graph method of analysis. Research papers, presentations, tutorials, and poster sessions rounded out the agenda.
Lorrie Cranor, CMU professor on loan to the Federal Trade Commission (FTC), addressed “Adventures in Usable Privacy and Security: From Empirical Studies to Public Policy.” Topics of interest to FTC are quantifying privacy interests, q disclosures, financial technologies, attack trends, improving complaint reporting, tools to automate tracking, targeted advertising, cross device tracking, fraud, and emerging scams. “Good warnings help users determine whether they are at risk,” she said, but “people ignore poor warnings that put the onus of calculating risk on the end user.” She described a study that shows that password expiry is counterproductive.
Greg Shannon, CMU professor currently working at the White House Office of Science and Technology (OSTP), spoke on the science challenges in “Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity R&D Program” issued in February 2016. In the plan, OSTP is looking at the science and technology issues that affect policy and the policy issues that impact technology. The keys to addressing the problems, he said, include the creation of a Commission on Enhancing National Cybersecurity, a Federal CISO to take lead on policies, oversight, and strategy, budgeting a $3.1 billion IT modernization fund and working with industry to encourage broader use of security tools such as multi-factor authentication. The plan’s goals are to counter adversaries’ asymmetrical advantages, reverse those asymmetrical advantages, achieve S&T advantages to achieve effective deterrence and meet the long term goal that cybersecurity research, development, and operations community will be able to quickly design, develop, deploy, and operate effective new cybersecurity technologies and services, that cybersecurity tasks for users will be few and easy to accomplish, and that many adversaries will be deterred from launching malicious cyber activities.
Christos Faloutsos, Professor of Electrical and Computer Engineering at CMU, spoke on “Anomaly Detection in Large Graphs.” Citing recent research from several projects, he demonstrated the value of using graph theory to identify patterns that are otherwise hidden. Motivating his research are the problems of identifying such patterns for fraud detection and patterns in time-evolving graphs/tensors. He uses Hadoop to search for many clusters in parallel, starting with random seeds, update sets of pages and like times for each cluster, and then repeats until convergence is achieved. This approach has been deployed at Facebook as CopyCatch where it was determined that most clusters—77%— come from hard to detect real-but-compromised users and that easier to detect fake accounts are only 22%. For E-Bay fraud detection, the technique has been used on the non-delivery scam. Using NetProbe allows detection of the scam by identifying the groups of people who are cross rating each other to appear honest. The fraudulent nodes look trustworthy. His conclusions: patterns and anomalies go hand in hand; large data sets reveal patterns/outliers that are otherwise invisible.
FireEye’s Matt Briggs gave “A View from the Front Lines with M-Trends.” In corporate cybersecurity, he said, continuing trends show that Spear phishing remains the most common entry point and that most hacks are leveraging trust relationships to get in, especially leveraging IT outsourcing. New trends are described as “David v. Goliath:” the rise of business disruption attacks that are politically motivated, cause data leaks to embarrass the company, are financially motivated, and produce the destruction of critical systems. His “good news” was that in the last five years the median number of days before discovery has been reduced from 416 days to 146.
Tutorials about ways to add rigor to relatively soft data analysis were provided. The first, “Systematic Analysis of Qualitative Data in Security” was given by Hanan Hibshi, Carnegie Mellon University. Her tutorial introduced participants to Grounded Theory, a qualitative framework to discover new theory from an empirical analysis of data. It is useful, she said, when analyzing text, audio or video artifacts that lack structure, but contain rich descriptions.
Tao Xie, University of Illinois Urbana-Champaign, and William Enck, North Carolina State University, presented the second tutorial, “Text Analytics for Security.” Researchers in security and software engineering have begun using text analytics to create initial models of human expectation. In this tutorial, they provided an introduction to popular techniques and tools of natural language processing and text mining, and shared their experiences in applying text analytics to security problems.
Nine research papers were presented on studies about intrusion detection, threat modeling, anomaly detection, and attack variants. Thirteen posters were also offered. The Hot SoS 2016 Proceedings will be published by ACM and available on line at the ACM Digital Library available at: http://dl.acm.org/. Abstracts of the tutorials, papers and posters are available with their Digital Object Identifier in a companion document.
Both members and non-members of the Science of Security Virtual Organization can view the agenda and presentations on the CPS-VO web site at: For non-members, information is available at: http://cps-vo.org/group/SoS.
Read more about the event in the SoS Newsletter (2016 Issue 4) in the article “HotSoS 2016 Papers, Posters, and Tutorials” at http://cps-vo.org/node/26082