Carnegie Mellon University
July 12, 2017

New Research Tackles Adaptive Security Decision Support

Recognising the complexity of cyber attacks and the multi-stakeholder nature of tackling cyber security are the key components of a new data-driven cyber security system being developed by researchers at Carnegie Mellon University and the UK's National Cyber Security Centre, with leadership from their counterparts at the University of Nottingham.

The project’s aim is to support organizations of all sizes in maintaining adequate levels of cyber security through a semi-automatic, regularly updated, organisation-tailored security assessment of their digital infrastructures.

With funding from the UK’s Engineering and Physical Sciences Research Council (EPSRC) and the National Cyber Security Centre (formerly CESG), the project will establish the foundations for a digital ‘Online CYber Security System’ decision support service (OCYSS) which is designed to rapidly bring together information on system vulnerabilities and alert organisations which may be affected.

“While the UK has access to some of the world’s leading experts in cyber security, the scale and variety of systems in UK organisations, both public and private, make it extremely challenging to flag potential system threats in a timely fashion,” notes Dr. Christian Wagner, faculty in the School of Computer Science at the University of Nottingham and lead project researcher. “This international collaborative project targets a novel approach to semi-automatically identify system vulnerabilities, thus greatly increasing the efficiency and capacity to respond to emerging threats.”

This new, semi-automatic, data-driven approach is underpinned by novel research on integrating information from a number of different sources while managing discord and potential dependencies of individual components within systems. The aim is to enable systems which are capable of maximizing the utility of the available cyber security insights and to rapidly deliver user-tailored, up-to-date threat analysis and decision support to help organisations mitigate potential cyber attacks before they happen.

Dr. Travis Breaux, faculty member in the School of Computer Science’s Institute for Software Research at Carnegie Mellon University, is supporting the project and is especially concerned about the challenge of system composability.

“Increasingly, computer systems are built from hundreds, if not thousands, of hardware and software components that interact with one another,” Breaux notes. “To improve security, system analysts must pay special attention to how these components interact, and they must place these interactions in the context of specific threats. The number of configurations and possible cyber threats is simply insurmountable for human analysts to effectively comprehend and evaluate on their own, which necessitates a semi-automated approach that can stay ahead of emerging technology. Our goal is to empower these analysts to comprehend a larger attack surface without being overwhelmed by increasingly complex systems.”

To that end, Breaux and his team at Carnegie Mellon are building a framework for establishing the IT security context (e.g., IT artifacts, threats, actors, etc.), which is then permuted in ways to measure each IT element's individual and collective effects on security.

The interdisciplinary approach leverages foundational theory and methods from both software engineering and social sciences. “Instead of asking security experts about individual security configurations, for which there are millions, select configurations are combined to reveal critical dependencies and interactions among secure and insecure components,” notes Societal Computing Ph.D. student and team member, Hanan Hibshi. The approach collects experts ratings of security components that are shown as different configurations in multiple scenarios. To collect expert assessments, the team’s approach uses response scales that are being developed in collaboration with Dr. Stephen Broomell of Carnegie Mellon's Department of Social and Decision Sciences. The security assessments computed through this work are the basis for the modelling and reasoning component in OCYSS.

To learn more about the OCYSS project and read the full research profile, visit the University of Nottingham site.

To read more about Hibshi and Breaux’s approach, please see their latest paper, entitled “Reinforcing Security Requirements with Multifactor Quality Measurement,” to appear in the Proceedings of the 25th International Requirements Engineering Conference.