A Journey towards Rigorous Cybersecurity Experiments
Date: June 28, 2016
Time: 14h
The Speaker:
Dr. Michel Cukier is the Director for Advanced Cybersecurity Experience for Students (ACES) and the Associate Director for Education for the Maryland Cybersecurity Center (MC2). Michel is an Associate Professor of Reliability Engineering with a joint appointment in the Department of Mechanical Engineering at the University of Maryland, College Park. Michel received a degree in physics engineering from the Free University of Brussels, Belgium, in 1991, and a doctorate in computer science from the National Polytechnic Institute of Toulouse, France, in 1996. From 1996 to 2001, he was a researcher in the Perform research group in the Coordinated Science Laboratory at the University of Illinois, Urbana-Champaign. He joined the University of Maryland in 2001 as Assistant Professor. His research covers dependability and security issues. His latest research focuses on the empirical quantification of cybersecurity. He has published over 80 papers in journals and refereed conference proceedings in those areas.
Abstract:
This presentation focuses on lessons learned from conducting empirical studies in cybersecurity. One of the challenges in cybersecurity is the lack of available security-related data: because such data are highly sensitive, organizations are often reluctant to share them. The University of Maryland (UMD) plays a significant role in cybersecurity research thanks to a collaboration between the security team of the Division of Information Technology (Div IT) and UMD researchers. This collaboration enabled access to and analysis of security-related data collected on UMD networks, including incidents, intrusion detection system alerts, network flows, and malicious activity against a large range of honeypots.
In this talk, we will review several studies conducted using data provided by Div IT. First, being able to understand and predict trends in incidents helps an organization allocate resources for their prevention. Based on the more than 12,000 incidents recorded since 2001, we compared models on how well they predict the number of incidents. Second, security administrators lack network visibility. We developed a tool called Nfsight that identifies clients, servers, and scanners solely from network flows. Third, understanding attackers' motivations allows security experts to better protect an organization's network. Our research focuses on attacks against targets of opportunity. We have developed several experiments to characterize attackers and their attacks: honeypots with different configurations were deployed, and data on the attacks (e.g., malicious software downloaded) and on the attackers (e.g., keystrokes) were used to draw conclusions about both.
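To make the second point concrete, the following added example (not the speaker's code and not Nfsight's published algorithm) shows the kind of inference a flow-only tool has to make: unidirectional flow records are paired into conversations, endpoints that answer many distinct initiators are labelled servers, initiators of answered conversations are labelled clients, and hosts whose flows go unanswered to many distinct destinations are labelled scanners. The pairing rule (the lower port is assumed to be the responder), the thresholds, and all flow records are constructed assumptions for illustration.

```python
"""Heuristic host-role classification from unidirectional flow records.

Illustration only: a simplified stand-in for what a flow-based tool such as
Nfsight does. The pairing rule and thresholds are assumptions, not Nfsight's
published method, and every flow below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def _mk(src, sport, dst, dport, packets, octets, proto="tcp"):
    return Flow(src, sport, dst, dport, proto, packets, octets)


# Constructed sample flows (not real UMD data). Three clients complete
# exchanges with a web server; one outside host probes port 22 on twelve
# hosts and never receives a reply.
FLOWS = []
for i, client in enumerate(("10.0.1.1", "10.0.1.2", "10.0.1.3")):
    sport = 51000 + i
    FLOWS.append(_mk(client, sport, "10.0.0.5", 80, 9, 1200))   # request
    FLOWS.append(_mk("10.0.0.5", 80, client, sport, 7, 15800))  # response
for i in range(12):
    FLOWS.append(_mk("192.0.2.7", 40000 + i, f"10.0.0.{10 + i}", 22, 1, 40))


def pair_flows(flows):
    """Pair each flow with its reverse direction, if one exists.

    Returns a list of (initiator_flow, reply_flow_or_None). Without
    timestamps, the side using the lower port number is assumed to be the
    responder (an assumption that holds for well-known service ports).
    """
    index = {(f.src, f.sport, f.dst, f.dport, f.proto): f for f in flows}
    seen = set()
    conversations = []
    for f in flows:
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        if key in seen:
            continue
        rev_key = (f.dst, f.dport, f.src, f.sport, f.proto)
        reply = index.get(rev_key)
        seen.add(key)
        if reply is not None:
            seen.add(rev_key)
            if f.dport > f.sport:  # f looks like server->client: swap sides
                f, reply = reply, f
        conversations.append((f, reply))
    return conversations


def classify_hosts(flows, min_peers=3, scan_threshold=10):
    """Map each host to the roles it plays: 'server', 'client', 'scanner'.

    server : a (host, port) endpoint that answered >= min_peers distinct initiators
    client : a host that initiated at least one answered conversation
    scanner: a host whose unanswered flows reached >= scan_threshold distinct hosts
    """
    peers = defaultdict(set)       # (host, port) -> initiator hosts it answered
    answered_from = set()          # hosts that initiated answered conversations
    unanswered = defaultdict(set)  # initiator host -> probed hosts with no reply
    for init, reply in pair_flows(flows):
        if reply is None:
            unanswered[init.src].add(init.dst)
        else:
            peers[(init.dst, init.dport)].add(init.src)
            answered_from.add(init.src)

    roles = defaultdict(set)
    for (host, _port), initiators in peers.items():
        if len(initiators) >= min_peers:
            roles[host].add("server")
    for host in answered_from:
        roles[host].add("client")
    for host, targets in unanswered.items():
        if len(targets) >= scan_threshold:
            roles[host].add("scanner")
    return {host: frozenset(r) for host, r in roles.items()}


if __name__ == "__main__":
    for host, r in sorted(classify_hosts(FLOWS).items()):
        print(f"{host:12} {', '.join(sorted(r))}")
```

The thresholds are where such a tool earns its keep: a host answering three peers on one port is a weak server signal, while twelve unanswered probes from one source is a strong scanner signal, and the probed hosts themselves correctly receive no role at all.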