Cybersecurity and Software Assurance

Recent Submissions

  • Item
    Data-Driven Selection of Security Application Frameworks During Architectural Design
    (2019-01-08) Cervantes, Humberto; Kazman, Rick; Ryoo, Jungwoo; Cho, Junsung; Cho, Geumhwan; Kim, Hyoungshick; Kang, Jina
    The selection of application frameworks is an important aspect of architectural design. Selection often requires satisficing, that is, searching a potentially large space of design alternatives until an acceptable solution is found. There is, however, little help for architects in selecting software frameworks. In this paper we investigate the criteria used by practicing software architects in selecting security frameworks. We also propose how information associated with some of the criteria that are important to architects can be obtained manually or in an automated way from online sources such as GitHub. Our ultimate goal is to identify measures associated with these criteria that can be helpful in providing support for architects to select software frameworks.
  • Item
    Multi-Criteria Selection of Capability-Based Cybersecurity Solutions
    (2019-01-08) Llanso, Thomas; McNeil, Martha; Noteboom, Cherie
    Given the increasing frequency and severity of cyber attacks on information systems of all kinds, there is interest in rationalized approaches for selecting the “best” set of cybersecurity mitigations. However, what is best for one target environment is not necessarily best for another. This paper examines an approach to the selection that uses a set of weighted criteria, where the security engineer sets the weights based on organizational priorities and constraints. The approach is based on a capability-based representation for defensive solutions. The paper discusses a group of artifacts that compose the approach through the lens of Design Science research and reports performance results of an instantiation artifact.
  • Item
    Evaluating Security Assurance Case Adaptation
    (2019-01-08) Jahan, Sharmin; Marshall, Allen; Gamble, Rose
    Security certification processes for information systems involve expressing security controls as functional and non-functional requirements, monitoring deployed mechanisms that satisfy the requirements, and measuring the degree of confidence in system compliance. With the potential for systems to perform runtime self-adaptation, functional changes to remedy system performance may impact security control compliance. This impact can extend throughout a network of related controls causing significant degradation to the system’s overall compliance status. We represent security controls as security assurance cases and implement them in XML for management and evaluation. The approach maps security controls to softgoals, introducing achievement weights to the assurance case structure as the foundation for determining security softgoal satisficing levels. Potential adaptations adjust the achievement weights to produce different satisficing levels. We show how the levels can be propagated within the network of related controls to assess the overall security control compliance of a potential adaptation.
  • Item
    Fighting Against XSS Attacks: A Usability Evaluation of OWASP ESAPI Output Encoding
    (2019-01-08) Wijayarathna, Chamila; Gamagedara Arachchilage, Nalin
    Cross Site Scripting (XSS) is one of the most critical vulnerabilities that exist in web applications. XSS can be prevented by encoding untrusted data that are loaded into browser content of web applications. Security Application Programming Interfaces (APIs) such as OWASP ESAPI provide output encoding functionalities for programmers to use to protect their applications from XSS attacks. However, XSS still being ranked as one of the most critical vulnerabilities in web applications suggests that programmers are not effectively using those APIs to encode untrusted data. Therefore, we conducted an experimental study with 10 programmers where they attempted to fix XSS vulnerabilities of a web application using the output encoding functionality of OWASP ESAPI. Results revealed 3 types of mistakes that programmers made which resulted in them failing to fix the application by removing XSS vulnerabilities. We also identified 16 usability issues of OWASP ESAPI. We identified some of these usability issues as the reason for mistakes that programmers made. Based on these results, we provided suggestions on how the usability of output encoding APIs should be improved to give a better experience to programmers.
  • Item
    Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach
    (2019-01-08) Shimanaka, Toru; Masuoka, Ryusuke; Hay, Brian
    Significant valuable information can be determined by observing attackers in action. These observations provide significant insight into the attacker’s TTPs and motivations. It is challenging to continue observations when attackers breach operational networks. This paper describes a deception network methodology that redirects traffic from the compromised Operational Network (O-Net) to an identically configured Deception Network (D-Net) minimizing any further compromise of operational data and assets, while also allowing the tactics, techniques, and procedures of the attacker to be studied. To keep the adversary oblivious to the transfer from the O-Net to the D-Net, we employ a sophisticated and unique packet rewriting technique using Software Defined Networking (SDN) technology that builds on two other strategies. This paper discusses the foundational strategies and introduces a new strategy that improves behavior for our described scenarios. We then provide some preliminary test results and suggest topics for further research.
  • Item
    Augmenting Authentication with Context-Specific Behavioral Biometrics
    (2019-01-08) Zhang, Haoruo; Singh, Digvijay; Li, Xiangyang
    Behavioral biometrics, being non-intrusive and cost-efficient, have the potential to assist user identification and authentication. However, user behaviors can vary significantly for different hardware, software, and applications. Research on behavioral biometrics is needed in the context of a specific application. Moreover, it is hard to collect user data in real-world settings to assess how well behavioral biometrics can discriminate users. This work aims to improve authentication by behavioral biometrics obtained for user groups. User data of a webmail application are collected in a large-scale user experiment conducted on Amazon Mechanical Turk. Used in a continuous authentication scheme based on user groups, off-line identity attribution and online authentication analytic schemes are proposed to study the applicability of application-specific behavioral biometrics. Our results suggest that the useful user group identity can be effectively inferred from users' operational interaction with the email application.
  • Item
    The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception
    (2019-01-08) Ferguson-Walter, Kimberly; Shade, Temmie; Rogers, Andrew; Niedbala, Elizabeth; Trumbo, Michael; Nauer, Kevin; Divis, Kristin; Jones, Aaron; Combs, Angela; Abbott, Robert
    The Tularosa study was designed to understand how defensive deception, including both cyber and psychological, affects cyber attackers. Over 130 red teamers participated in a network penetration task over two days in which we controlled both the presence of and explicit mention of deceptive defensive techniques. To our knowledge, this represents the largest study of its kind ever conducted on a professional red team population. The design was conducted with a battery of questionnaires (e.g., experience, personality, etc.) and cognitive tasks (e.g., fluid intelligence, working memory, etc.), allowing for the characterization of a "typical" red teamer, as well as physiological measures (e.g., galvanic skin response, heart rate, etc.) to be correlated with the cyber events. This paper focuses on the design, implementation, data, population characteristics, and begins to examine preliminary results.
  • Item
    Introduction to the Minitrack on Cybersecurity and Software Assurance
    (2019-01-08) Chamberlain, Luanne Burns; Llanso, Thomas; George, Richard