Aiding Security Analytics -- From Dempster-Shafer Theory to Anthropology
Xinming Ou - Kansas State University
Mar 04, 2015
Size: 112.5MB
Abstract
Research on new technologies to help security analysts defend networks and systems from attacks has unique challenges: the ad-hoc nature of attacks and their mitigation makes formal modeling elusive; the diverse threat scenarios of organizations make a one-size-fits-all solution unlikely; and the lack of data and production deployment to test research prototypes makes evaluation extremely difficult.
In this talk I will describe the unique approaches we have been taking to address this problem. Since the algorithms and tools that arise from this research are intended to support the tasks performed by human analysts, it becomes a prerequisite for researchers to first understand how analysts do their jobs and to identify the key obstacles and bottlenecks to their performance. I will explain how we designed and built the SnIPS system for intrusion analysis by eliciting expert knowledge through ad-hoc interviews, and how we formulated a customized Dempster-Shafer theory to capture how humans deal with the inherent uncertainty in this reasoning process. I will then explain how this led us to eventually adopt an anthropological approach to address this research challenge.
Anthropology is a social science well known for its long-term participant observation method, in which researchers spend substantial amounts of time living and working together with the subjects of study. As participant observers who take part in the daily lives and challenges of those they study, they gain a more empathic understanding of their subjects' views, practices, and challenges. I will use examples from my past eight years of research to explain why this type of ethnographic fieldwork is crucial and could be a very effective method to extract the "tacit knowledge" embodied in the practices of security analysts. Joining the "community of practice" of security operations will enable researchers to access the tacit knowledge, make it explicit, subject it to systematic analysis and modeling, and yield algorithms that execute the knowledge in an automated fashion. I will also talk about "unexpected findings" we are still deriving from ongoing anthropological fieldwork at multiple security operations centers.
About the Speaker
Dr. Xinming (Simon) Ou is an associate professor of Computer Science and the Peggy and Gary Edwards Chair in Engineering at Kansas State University. He received his PhD from Princeton University in 2005. Before joining Kansas State University in 2006, he was a post-doctoral research associate at Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS), and a research associate at Idaho National Laboratory (INL). Dr. Ou's research is primarily in cyber defense technologies, with a focus on intrusion and forensics analysis, cloud security and moving-target defense, mobile system security, and cyber-physical system security. Dr. Ou's research has been funded by the National Science Foundation, the Department of Defense, the Department of Energy, the National Institute of Standards and Technology (NIST), HP Labs, and Rockwell Collins. He is a recipient of the 2010 NSF Faculty Early Career Development (CAREER) Award, a three-time winner of the HP Labs Innovation Research Program (IRP) award, and a recipient of the 2013 K-State College of Engineering Frankenhoff Outstanding Research Award.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website are the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works from, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.