Science of Security - Can Machine Learning Help?
Mladen A. Vouk, N.C. State University
Reliable science-based engineering of secure software-based systems is still in many ways an art. We frequently rely on heuristics and use ad hoc reactive methods to deal with cyber security issues. This happens despite the fact that, in theory, security vulnerabilities and failures are a subset of a more general class of faults and failures that we typically try to handle pro-actively when we build high-assurance systems. There are a number of reasons for this. One is that we currently do not have a good handle on the science behind security. For example, we really do not know how to construct security-preserving systems (or, in fact, how to measure that property in the first place), so we either under-engineer or over-engineer for security, to the detriment of both the end-user and the business model. In some situations security has not yet risen to the level of safety, so we may not be willing to spend the effort and funds needed to construct secure systems. While encryption has very sound science behind it, encryption on its own has limited security-preserving properties and is only one element in the whole picture. Much more is needed. For instance, we may not know enough about what happens when a software-intensive system is under attack – malicious probing and attacks change the normal operational profile of a system and violate many assumptions. We lack predictive security metrics, we lack reliable security resiliency mechanisms, and we really do not seem to understand system design, scalability and composability principles when it comes to security. Above all, we frequently do not understand the human component - human behaviors behind vulnerabilities, attacks and exploits.
To add insult to injury, we note that a lot of security problems are self-inflicted, that there is an enormous amount of data related to security that we do not understand and have not analyzed yet (or do not know how to analyze), and that we are often at a loss when dealing with the dynamics of (unexpected?) security-related situations. On the other hand, most cyber security challenges stem from computing machines and environments, and a natural question is "Can we leverage the capabilities of this medium to help us understand the science behind security, and help us mitigate and pro-actively manage this highly dynamic challenge? Can we use machine learning (ML) technology to help us understand the problem, discover new scientific principles (e.g., laws, axioms, theorems) behind security, and help us reliably engineer and operate reliably secure systems?" Our lack of understanding of most of the science behind security is a huge challenge and impediment. Science brings in explanations, laws, reliability, confidence, and an understanding of the uncertainties and limitations. Today we are still hard-pressed to articulate most of that in the context of security of software-intensive systems. This talk discusses the "Science of Security" challenges, on-going research efforts in that domain, and potential ML opportunities in this domain.
Mladen A. Vouk received a Ph.D. from King's College, University of London, U.K. He is Department Head and Professor of Computer Science, and Associate Vice Provost for Information Technology at N.C. State University, Raleigh, N.C., U.S.A. Dr. Vouk has extensive experience in both commercial software production and academic computing. He is the author/co-author of over 300 publications. His research and development interests include software engineering, scientific computing and analytics, information technology (IT) assisted education, and high-performance and cloud computing. Dr. Vouk has extensive professional visibility through organization of professional meetings, membership on professional journal editorial boards, and professional consulting. Dr. Vouk is a member of the IFIP Working Group 2.5 on Numerical Software, and a recipient of the IFIP Silver Core award. He is an IEEE Fellow, and a recipient of the IEEE Distinguished Service and Gold Core Awards. He is a member of several IEEE societies, and of ASEE, ASQ (Senior Member), ACM, and Sigma Xi.