June 27, 2022, Baltimore, Maryland, USA
Chaired by: Ibéria Medeiros, University of Lisbon, Portugal |
10H30 | | Data-Centric Analysis of Compound Threats to Critical Infrastructure Control Systems |
11H00 | | Network Message Field Type Clustering for Reverse Engineering of Unknown Binary Protocols |
11H30 | | A Practical Security Evaluation of a Moving Target Defence against Multi-Phase Cyberattacks - available by video |
Chaired by: Ibéria Medeiros, University of Lisbon, Portugal |
15H30 | | A Dataset of Linux Failure Data for Dependability Evaluation and Improvement |
16H00 | | Privacy Leakage Analysis for Colluding Smart Apps |
16H30 | | Machine Learning Analysis of Memory Images for Process Characterization and Malware Detection |
|
Marco Vieira, University of Coimbra, PortugalMarco Vieira is a Full Professor in the Department of Informatics Engineering of the University of Coimbra (UC).His research focuses on dependable and secure systems, namely in dependability and security assessment and benchmarking, fault injection and vulnerability & attack injection, robustness and security testing, software Verification & Validation, online failure prediction, and resilience benchmarking, subjects in which he has authored or co-authored more than 200 papers in refereed conferences and journals. Marco Vieira is a member of the Transaction Processing Performance Council (TPC), and of the Standard Performance Evaluation Corporation (SPEC) - Research Group, in which he co-founded the Security Benchmarking working group. He is currently the Chair of the IFIP WG 10.4 on Dependable Computing and Fault Tolerance and member of the ERCIM SERENE Working Group. Marco Vieira was/is the project coordinator of the projects DEVASSES (FP7) and EUBrasilCloudFORUM (H2020), and the principal investigator at UC of the projects EUBRA-BIGSEA (H2020), ATMOSPHERE (H2020), ALIOT (H2020), Talkconnect (P2020), and AIDA (PT2020 CMU/PT program), among other projects. |
Title: On the Analysis of Field Data to Characterize Source Code and Detect Software
Vulnerabilities
Abstract: Automated tools, namely Static Analysis and Penetration Testing Tools, are frequently
used
by developers to detect
vulnerable code. However, research and practice show that the effectiveness of those tools in
large-scale projects is
low, being prone to both false positives and false negatives. There is thus an urgent need for more
effective
techniques, which ultimately require representative field data for driving their design and testing.
In this keynote, we
discuss the process of building a dataset of vulnerabilities from large open-source C/C++ projects.
Vulnerabilities are
collected from the Common Vulnerability and Exposures (CVE) Details website, and, for each
vulnerability, we retrieve
the corresponding source code units from the project repository. We then compute a large set of
software metrics for
those code units and run a static code analysis to collect security alerts (i.e., potential
vulnerabilities and/or
weaknesses). To demonstrate the usefulness of such field data, we briefly explore three case studies:
i) an experiment
to study how effective software metrics can be to distinguish vulnerable code units from
non-vulnerable ones using
Machine Learning (ML); ii) an experiment on combining alerts from SATs with SMs to predict
vulnerabilities; and iii) a
study using software metrics to feed a set of trustworthiness models to identify the code units that
less trustworthy
from a security perspective (i.e., more prone to be vulnerable).
|
|
Homa Alemzadeh, University of Virginia, United States of AmericaHoma Alemzadeh is an Assistant Professor in the Department of Electrical and Computer Engineering and Computer Science (by courtesy) at the University of Virginia since 2017.She is also affiliated with the UVA Link Lab, a multi-disciplinary center for research and education in Cyber-Physical Systems (CPS). Before joining UVA, she was a Research Staff Member at the IBM T. J. Watson Research Center. She received her Ph.D. in Electrical and Computer Engineering from the University of Illinois at Urbana-Champaign and her B.Sc. and M.Sc. in Computer Engineering from the University of Tehran. Her research interests are at the intersection of computer systems dependability and data science, in particular data-driven resilience assessment and design of CPS with applications to medical devices, surgical robots, and autonomous systems. She is the recipient of the 2022 CAREER Award from the National Science Foundation and 2017 William C. Carter Ph.D. Dissertation Award in Dependability from the IEEE TC and IFIP Working Group 10.4 on Dependable Computing and Fault Tolerance. Her work on the analysis of safety incidents in robotic surgery was selected as the Maxwell Chamberlain Memorial Paper at the 50th annual meeting of the Society of Thoracic Surgeons (STS) and was featured by the MIT Technology Review, Wall Street Journal, and BBC, among others. |
Title: Hybrid Knowledge and Data Driven Safety Assurance in Cyber-Physical Systems
Abstract:
Rapid advances in computing, networking, and sensing technologies have resulted in the
ubiquitous deployment of
Cyber-Physical Systems (CPS) in various safety-critical settings. However, with the growing complexity
and connectivity
of software, the increasing use of machine learning for control and decision making, and the
involvement of human
operators in the system supervision, there are still significant challenges in ensuring CPS safety and
security. In this
talk, I will present our recent work on hybrid knowledge and data-driven design of context-aware
runtime monitors that
can detect the early signs of hazards and mitigate adverse events in CPS. Specifically, we propose two
approaches for
combining temporal logic formulas which specify system safety requirements, with data-driven
optimization and
adversarial training based on measurements from closed-loop system simulations. Our experiments using
two real-world
case studies of artificial pancreas systems (APS) for diabetes management and advanced driver
assistance systems (ADAS)
demonstrate improved accuracy, timeliness, robustness, and transparency in detecting safety hazards
compared to solely
model-based and data-driven solutions.
|