DCDS '22

DSN Workshop on Data-Centric Dependability and Security

June 27, 2022, Baltimore, Maryland, USA

Program

Timezone: EDT (GMT -4)

08H45 - 09H00 | Welcome DCDS 2022

Ibéria Medeiros, University of Lisbon, Portugal

09H00 - 10H00 | Keynote #1: On the Analysis of Field Data to Characterize Source Code and Detect Software Vulnerabilities

Marco Vieira, University of Coimbra, Portugal
Chaired by: Ibéria Medeiros, University of Lisbon, Portugal

10H00 - 10H30 | Coffee Break


10H30 - 12H00 | Research Session 1: Cyberattack and Threat Analysis

Session Chair: Ilir Gashi, City University of London, United Kingdom
10H30 | Data-Centric Analysis of Compound Threats to Critical Infrastructure Control Systems
Sahiti Bommareddy, Benjamin Gilby, Maher Khan, Imes Chiu, Mathaios Panteli, John van de Lindt, Linton Wells, Yair Amir, and Amy Babay
11H00 | Network Message Field Type Clustering for Reverse Engineering of Unknown Binary Protocols
Stephan Kleber, Milan Stute, Matthias Hollick, and Frank Kargl
11H30 | A Practical Security Evaluation of a Moving Target Defence against Multi-Phase Cyberattacks - available by video
Tina Moghaddam, Minjune Kim, Jin-Hee Cho, Hyuk Lim, Terrence J. Moore, Frederica F. Nelson, and Dan Dongseong Kim

12H00 - 14H00 | Lunch Break


14H00 - 15H00 | Keynote #2: Hybrid Knowledge and Data Driven Safety Assurance in Cyber-Physical Systems

Homa Alemzadeh, University of Virginia
Chaired by: Ibéria Medeiros, University of Lisbon, Portugal


15H00 - 15H30 | Coffee Break


15H30 - 16H30 | Research Session 2: Data Analysis for Privacy and Dependability

Session Chair: Amy Babay, University of Pittsburgh, United States of America
15H30 | A Dataset of Linux Failure Data for Dependability Evaluation and Improvement
João R. Campos, Ernesto Costa, and Marco Vieira
16H00 | Privacy Leakage Analysis for Colluding Smart Apps
Junzhe Wang and Lannan Luo

16H30 - 17H00 | AITS Workshop - Research Session: Machine Learning System Analysis

Session Chair: Ibéria Medeiros, University of Lisbon, Portugal
16H30 | Machine Learning Analysis of Memory Images for Process Characterization and Malware Detection
Seth Lyles and Kristine Monteith

17H00 - 17H30 | Discussion & Final remarks


Keynote 1


Marco Vieira, University of Coimbra, Portugal

Marco Vieira is a Full Professor in the Department of Informatics Engineering of the University of Coimbra (UC).
His research focuses on dependable and secure systems, namely in dependability and security assessment and benchmarking, fault injection and vulnerability & attack injection, robustness and security testing, software Verification & Validation, online failure prediction, and resilience benchmarking, subjects in which he has authored or co-authored more than 200 papers in refereed conferences and journals.

Marco Vieira is a member of the Transaction Processing Performance Council (TPC), and of the Standard Performance Evaluation Corporation (SPEC) - Research Group, in which he co-founded the Security Benchmarking working group. He is currently the Chair of the IFIP WG 10.4 on Dependable Computing and Fault Tolerance and member of the ERCIM SERENE Working Group. Marco Vieira was/is the project coordinator of the projects DEVASSES (FP7) and EUBrasilCloudFORUM (H2020), and the principal investigator at UC of the projects EUBRA-BIGSEA (H2020), ATMOSPHERE (H2020), ALIOT (H2020), Talkconnect (P2020), and AIDA (PT2020 CMU/PT program), among other projects.

Title: On the Analysis of Field Data to Characterize Source Code and Detect Software Vulnerabilities

Abstract: Automated tools, namely Static Analysis and Penetration Testing Tools, are frequently used by developers to detect vulnerable code. However, research and practice show that the effectiveness of those tools in large-scale projects is low, being prone to both false positives and false negatives. There is thus an urgent need for more effective techniques, which ultimately require representative field data for driving their design and testing. In this keynote, we discuss the process of building a dataset of vulnerabilities from large open-source C/C++ projects. Vulnerabilities are collected from the Common Vulnerabilities and Exposures (CVE) Details website, and, for each vulnerability, we retrieve the corresponding source code units from the project repository. We then compute a large set of software metrics for those code units and run a static code analysis to collect security alerts (i.e., potential vulnerabilities and/or weaknesses). To demonstrate the usefulness of such field data, we briefly explore three case studies: i) an experiment to study how effective software metrics can be to distinguish vulnerable code units from non-vulnerable ones using Machine Learning (ML); ii) an experiment on combining alerts from SATs with SMs to predict vulnerabilities; and iii) a study using software metrics to feed a set of trustworthiness models to identify the code units that are less trustworthy from a security perspective (i.e., more prone to be vulnerable).

Keynote 2


Homa Alemzadeh, University of Virginia, United States of America

Homa Alemzadeh has been an Assistant Professor in the Department of Electrical and Computer Engineering and Computer Science (by courtesy) at the University of Virginia since 2017.
She is also affiliated with the UVA Link Lab, a multi-disciplinary center for research and education in Cyber-Physical Systems (CPS). Before joining UVA, she was a Research Staff Member at the IBM T. J. Watson Research Center. She received her Ph.D. in Electrical and Computer Engineering from the University of Illinois at Urbana-Champaign and her B.Sc. and M.Sc. in Computer Engineering from the University of Tehran.

Her research interests are at the intersection of computer systems dependability and data science, in particular data-driven resilience assessment and design of CPS with applications to medical devices, surgical robots, and autonomous systems. She is the recipient of the 2022 CAREER Award from the National Science Foundation and the 2017 William C. Carter Ph.D. Dissertation Award in Dependability from the IEEE TC and IFIP Working Group 10.4 on Dependable Computing and Fault Tolerance. Her work on the analysis of safety incidents in robotic surgery was selected as the Maxwell Chamberlain Memorial Paper at the 50th annual meeting of the Society of Thoracic Surgeons (STS) and was featured by the MIT Technology Review, Wall Street Journal, and BBC, among others.

Title: Hybrid Knowledge and Data Driven Safety Assurance in Cyber-Physical Systems

Abstract: Rapid advances in computing, networking, and sensing technologies have resulted in the ubiquitous deployment of Cyber-Physical Systems (CPS) in various safety-critical settings. However, with the growing complexity and connectivity of software, the increasing use of machine learning for control and decision making, and the involvement of human operators in the system supervision, there are still significant challenges in ensuring CPS safety and security. In this talk, I will present our recent work on hybrid knowledge and data-driven design of context-aware runtime monitors that can detect the early signs of hazards and mitigate adverse events in CPS. Specifically, we propose two approaches for combining temporal logic formulas which specify system safety requirements, with data-driven optimization and adversarial training based on measurements from closed-loop system simulations. Our experiments using two real-world case studies of artificial pancreas systems (APS) for diabetes management and advanced driver assistance systems (ADAS) demonstrate improved accuracy, timeliness, robustness, and transparency in detecting safety hazards compared to solely model-based and data-driven solutions.