Lablet Quarterly Meeting at NCSU - Feb 2016
Researchers and NSA meet, discuss Science of Security and value of secure design.
The winter 2016 quarterly Science of Security (SoS) Lablet meeting, sponsored by NSA, was hosted at North Carolina State University on February 2 and 3, 2016. Laurie Williams and Munindar Singh, Principal Investigators (PIs) at NCSU, hosted the event. Each Lablet and NSA provided speakers. They shared current research, presented interim findings, and stimulated thought and discussion about the Science of Security. Panel discussions and focus groups gave researchers an opportunity to interact both with each other and with guests from government and industry to address the hard problems of cyber security. The importance of good design was a theme that ran through the presentations.
The keynote by Henry Petroski, noted civil engineer, author and professor from Duke University, addressed the paradox between success and failure in design. Illustrating his point with historic failures in bridge design and construction, he showed how success, over time, leads to complacency, which in turn leads to failure. Conversely, failure stimulates revisions in design that can produce successes. From 1850s experience to the present, the paradox of design is that anticipating failure leads to success, while successful designs evolve into failures.
Pete Loscocco of NSA presented a related keynote addressing “An Approach to Secure Design.”
The motivation for his study is that security is still lacking and that designers do not look at security from a holistic viewpoint. His approach is to examine the design process and develop a methodology: a documented, methodical process for design that can be easily taught, produces suitable designs that have been analyzed, captures the reasoning behind design decisions, and enables understanding of the consequences of modifications. One big challenge is documentation. Using a design tree provides a tangible artifact of the design process and allows the use of threat models as assumptions.
Guided discussions and breakout groups addressed the Security Metrics and Human Aspects hard problems in security. The Security Metrics discussion addressed the importance of measurement and asked the questions: “Context always matters, so how do we protect against attacks that haven’t been thought of yet? Can metrics help?” Many current metrics are on the negative side, measuring, for example, attacks and failures; can we develop positive metrics as well? The human factors workshop determined that different traits make people susceptible in different ways and that cognitive modeling can help in understanding human interaction with security. The workshop summary is available at: https://drive.google.com/folderview?id=0ByHON_USOShec0hCUkdwSWF4RkU&usp=sharing
A panel of leading researchers from the four Lablets and guest speakers Warren Grunbok from IBM and Andy Porter from Merck provided their views on how to transfer technology and the value of Science of Security research into the private sector. The consensus of the group was that communication and an iterative approach offer the greatest opportunities for success.
Technical research presentations included papers by each Lablet. Tao Xie, UIUC, presented his study on “AppContext: Differentiating Malicious and Benign Mobile App Behavior under Contexts.” Jonathan Aldrich, CMU, presented “Capability-Based Architectural Control.” A study of user-generated pattern passwords was presented by UMD-affiliated researcher Adam Aviv from the US Naval Academy. Robert Proctor, an NCSU-affiliated cognitive psychologist, addressed ways for people to detect phishing attacks.
Adam Tagert, from the NSA Research Directorate, spoke on human subject research procedures at DoD and how to coordinate with university institutional review boards. Beth Richards, Laboratory for Analytic Studies (LAS), described LAS as an NSA lab that uses non-traditional data and approaches from open sources to get to “anticipating,” that is, to move from reaction to or observation of threats and attacks toward anticipation of them, to get ahead of the foreign adversary, and to run at scale and speed, since the nature of the threat requires a real-time response.
Updates on progress in measuring advancement in SoS were presented by Jeff Carver, Alabama, and on evaluation of the research and research publications by Lindsey McGowan, NCSU. Carver’s talk reviewed a rubric-based method of evaluating the scientific content of articles published in IEEE Security & Privacy.
More than a dozen excellent student poster presentations provided an opportunity to see a range of Science of Security research and discuss issues, methods and findings.
The annual national conference, HotSoS, will be held April 19-21, 2016 at Carnegie Mellon University in Pittsburgh. The next Lablet quarterly meeting will be held July 19-20, 2016 at the University of Illinois Urbana-Champaign.
During the business sessions of the Lablet Quarterly Meeting, the NSA Research Directorate presented the Science of Security (SoS) Initiative Annual Report 2015 to the Lablet PIs. Shown on the right are Bill Scherlis and Laurie Williams, Principal Investigators (PIs) at CMU and NCSU, holding the report.