CSET '18 Workshop Program

All sessions will be held in Grand Ballroom VII–VIII unless otherwise noted.

Papers are available for download below to registered attendees now and to everyone beginning August 13, 2018. Paper abstracts are available to everyone now. Copyright to the individual works is retained by the author[s].

Downloads for Registered Attendees
(Sign in to your USENIX account to download these files.)

This content is available to:

CSET '18 Attendee List (PDF)
CSET '18 Paper Archive (ZIP)

Monday, August 13, 2018

8:00 am–8:50 am

Continental Breakfast

Grand Ballroom Foyer

8:50 am–9:00 am

Opening Remarks

Program Co-Chairs: Christian Collberg, University of Arizona, and Peter A. H. Peterson, University of Minnesota Duluth

9:00 am–10:30 am

Data and Guidance

Session Chair: Christian Collberg, University of Arizona

Cyber Operations Stress Survey (COSS): Studying fatigue, frustration, and cognitive workload in cybersecurity operations

Josiah Dykstra and Celeste Lyn Paul, U.S. Department of Defense

Available Media

Operator stress is a common, persistent, and disabling effect of cyber operations and an important risk factor for performance, safety, and employee burnout. We designed the Cyber Operations Stress Survey (COSS) as a low-cost method for studying fatigue, frustration, and cognitive workload in real-time tactical cyber operations. The combination of pre- and post-operational measures with well validated factors from the NASA Task Load Index and additional contextual factors provide a quick, easy, and valuable assessment of cognitive stress. We report on our experiences developing and fielding the survey instrument, validation, and describe the use and results of the COSS in four studies of cyber operations across the National Security Agency.

Cybersecurity Research Datasets: Taxonomy and Empirical Analysis

Muwei Zheng, Hannah Robbins, Zimo Chai, Prakash Thapa, and Tyler Moore, The University of Tulsa

Available Media

We inspect 965 cybersecurity research papers published between 2012 and 2016 in order to understand better how datasets are used, produced and shared. We construct a taxonomy of the types of data created and shared, informed and validated by the examined papers. We then analyze the gathered data on datasets. Three quarters of existing datasets used as input to research are publicly available, but just 20% of datasets created by researchers are publicly shared. Furthermore, the rate of public sharing has remained flat over time. Using a series of linear regressions, we demonstrate that those researchers who do make public the datasets they create are rewarded with more citations to the associated papers. Hence, we conclude that an under-appreciated incentive exists for researchers to share their created datasets with the broader research community.

On Designing and Evaluating Phishing Webpage Detection Techniques for the Real World

Samuel Marchal and N. Asokan, Aalto University

Available Media

While a plethora of apparently foolproof detection techniques have been developed to cope with phishing, it remains a continuing problem with an increasing number of attacks and victims. This is due to a gap between the reported experimental detection accuracy of solutions from the academic literature and their actual effectiveness in real-world scenarios. For instance, design choices made while only considering how to maximize the accuracy of phishing detection sometimes has the unintended effect of constraining deployability or limiting usability. We hope to raise awareness about practices causing this gap and present a set of guidelines for the design and evaluation of phishing webpage detection techniques. These guidelines can improve the effectiveness of phishing detection techniques in real-world scenarios and foster technology transfer. They also facilitate unbiased comparison of evaluation results of different detection techniques.

10:30 am–11:00 am

Break with Refreshments

Grand Ballroom Foyer

11:00 am–12:30 pm

New Approaches

Session Chair: Sven Dietrich, City University of New York

DEW: Distributed Experiment Workflows

Jelena Mirkovic, Genevieve Bartlett, and Jim Blythe, USC/ISI

Available Media

Current testbed experiments are often ad-hoc, manual, complex and hard to repeat and reuse. We argue that this is due mostly to our current inability to capture, standardize and encode experiment behavior. We propose DEW - distributed experiment workflows. Unlike current experiment representations, which focus mostly on topology, DEW encodes experiment behavior, at both high and low level, and topological constraints, which help with realization on testbeds. We show how DEW enables easier experiment design, management, sharing and reuse and how it facilitates automated generation of topologies and runnable scripts.

Malware Analysis Through High-level Behavior

Xiyue Deng and Jelena Mirkovic, Information Sciences Institute, University of Southern California

Available Media

Malware is becoming more and more stealthy to evade detection and analysis. Stealth techniques often involve code transformation, ranging from equivalent code substitution and junk code injection, to continuously transforming code using a polymorphic or a metamorphic engine. Evasion techniques have a great impact on signature-based malware detection, making it very costly and often unsuccessful.

We propose to study a malware’s network behavior during its execution. While malware may transform its code to evade analysis, we contend that its behavior must mostly remain the same to achieve the malware’s ultimate purpose, such as sending spam, scanning for vulnerable hosts, etc. While live malware analysis is hard, we leverage our Fantasm platform on the Deterlab testbed to perform it safely and effectively. Based on ob- served network traffic we propose a behavior classification approach, which can help us interpret at a high level the malware’s actions and its ultimate purpose. We then apply our approach on 999 diverse samples from Georgia Tech Apiary project to understand current trends in malware behaviors.

BNV: Enabling Scalable Network Experimentation through Bare-metal Network Virtualization

Pravein Govindan Kannan, Ahmad Soltani, Mun Choon Chan, and Ee-Chien Chang, School of Computing, National University of Singapore

Available Media

New paradigms and architectures, such as Software Defined Networking (SDN), have added an unprecedented increase in the rate of research and development conducted in the field of computer networks. With this increase, there is a rising need for platforms that can enable researchers and operators to experiment with various scenarios involving performance testing, topology designs, etc. However, the available emulators fail to address fundamental needs of those research requiring fidelity.

In this work, we propose a novel approach to embed arbitrary topologies on a substrate network of programmable ToR switches using our network virtualization technique, called Bare-metal Network Virtualization(BNV). BNV is entirely software configurable and has been implemented on open source software and unmodified OpenFlow-enabled switches. The system has been deployed in a production testbed in National Cybersecurity Laboratory (NCL) for over nine months. Our evaluations show that BNV can support various data-center topologies with less number of switches which can facilitate building a high fidelity, repeatable and isolated experimentation platform for data-center, SDN and other research in computer networks.

12:30 pm–2:00 pm

Monday Luncheon

Grand Ballroom VI

2:00 pm–3:00 pm

Round Table: Opportunities and Challenges in Experimentation and Test

Moderator: Peter A. H. Peterson, University of Minnesota Duluth

Panelists: Eric Eide, University of Utah; Simson Garfinkel, US Census Bureau; Laura S. Tinnel, SRI; Terry Benzel, USC/ISI; Jeremy Epstein, NSF

Finding funding, venues, and users when the system is the research.

3:00 pm–4:00 pm

Shiny New Testbeds

Session Chair: Eric Eide, University of Utah

AMIsim: Application-layer Advanced Metering Infrastructure Simulation Framework for Secure Communication Protocol Performance Evaluation

Vitaly Ford, Arcadia University; Daniel Tyler and Ambareen Siraj, Tennessee Tech University

Available Media

The Advanced Metering Infrastructure (AMI) is a major component of the Smart Grid. Researchers have been working to protect its communication by designing pro-tocols that offer security and privacy in various ways to different extents. Simulation testing is a crucial part of any communication protocol development. Current sim-ulation frameworks for power Grid experiments primar-ily focus on simulating the electrical components and power flow in the Grid. In this paper, we introduce a uniform AMI simulation (AMIsim) framework for eval-uating secure and privacy-preserving AMI protocols. AMIsim allows researchers to conduct a performance assessment of their application-layer security protocols that are used for aggregation, privacy-preservation, and confidentiality/integrity protection of smart meter ener-gy data. We report on the empirical results of conducting experiments in AMIsim with an existing AMI secure and privacy-preserving protocol.

Galaxy: A Network Emulation Framework for Cybersecurity

Kevin Schoonover, Missouri University of Science and Technology; Eric Michalak, Los Alamos National Laboratory; Sean Harris, Adam Gausmann, Hannah Reinbolt, and Daniel R. Tauritz, Missouri University of Science and Technology; Chris Rawlings, Los Alamos National Laboratory; Aaron Scott Pope, Missouri University of Science and Technology

Available Media

The arms race of cyber warfare is growing increasingly asymmetric as defensive security practitioners struggle to successfully harden their domains without overly restricting their users, profits, and overall mission. Vulnerabilities span across technologies, business policies, and human behaviors, allowing cyber attackers to select the attack surface that best fits their strengths. This paper introduces the first version of Galaxy, a fine-control, high-fidelity computer network emulation framework designed to support rapid, parallel experimentation with the automated design of software agents in mind. Our framework provides a modular environment to experiment with arbitrary defense and attack strategies under a wide variety of business requirements and accounting for the productivity of users, allowing cybersecurity practitioners to consider the unique constraints of their real-world systems. We demonstrate the effectiveness of Galaxy for the use of an evolutionary algorithm to generate enumeration strategies for attacker agents.

4:00 pm–4:30 pm

Break with Refreshments

Grand Ballroom Foyer

4:30 pm–5:30 pm

Testbed Enhancements

Session Chair: David Balenson, SRI International

Supporting Docker in Emulab-Based Network Testbeds

David Johnson, Elijah Grubb, and Eric Eide, University of Utah

Available Media

Researchers conduct experiments in a variety of computing environments, including dedicated testbeds and commercial clouds, and they need convenient mechanisms for deploying their software within these disparate platforms. To address this need, we have extended Emulab so that it can instantiate and configure container-based virtual devices using Docker images. Docker is a de facto standard for packaging and deploying software in cloud environments; now, researchers can use Docker to package and deploy software within Emulab-based testbeds as well. We describe how Emulab incorporates Docker and how it extends Docker images to support the interactivity that researchers expect within a testbed. We show that Emulab can use many popular Docker images to create testbed experiments. We expect that Emulab's support for Docker will make it easier for researchers to move their activities freely, both into the testbed and out into production.

High Performance Tor Experimentation from the Magic of Dynamic ELFs

Justin Tracey, University of Waterloo; Rob Jansen, U.S. Naval Research Laboratory; Ian Goldberg, University of Waterloo

Available Media

The Tor anonymous communication network and Bitcoin financial transaction network are examples of security applications with significant risk to user privacy if they fail to perform as expected. Experimentation on private instances of these networks is therefore a popular means to design, develop, and test improvements before deploying them to real users. In particular, the Shadow discrete-event network simulator is one of the most popular tools for conducting safe and ethical Tor research. In this paper, we analyze Shadow's design and find significant performance bottlenecks in its logging and work scheduling systems stemming from its representation of simulated processes and its use of a globally shared process namespace. We design, implement, and empirically evaluate new algorithms that replace each of these components. We find that our improvements reduce Shadow run time by as much as 31% in synthetic benchmarks over a variety of conditions, and by as much as 73% over small and large experimental Tor networks. Our improvements have been merged into Shadow release v1.12.0 to the benefit of the security and privacy communities.