| Recent Publications |
|
Accepting the Inevitable: Factoring the User into Home Computer Security 
Third ACM Conference on Data and Application Security and Privacy,
February 18-20, 2013, San Antonio, TX (United States)
Urbanska Malgorzata, Roberts Mark, Ray Indrajit, Howe Adele, Byrne Zinta.
|
|
Home computer users present unique challenges to computer
security. A user’s actions frequently affect security without
the user understanding how. Moreover, whereas some home
users are quite adept at protecting their machines from security
threats, a vast majority are not. Current generation
security tools, unfortunately, do not tailor security to the
home user’s needs and actions. In this work, we propose
Personalized Attack Graphs (PAG) as a formal technique to
model the security risks for the home computer informed by
a profile of the user attributes such as preferences, threat
perceptions and activities. A PAG also models the interplay
between user activities and preferences, attacker strategies,
and system activities within the system risk model. We develop
a formal model of a user profile to personalize a single,
monolithic PAG to different users, and show how to use the
user profile to predict user actions.
|
|
Structuring a Vulnerability Description for Comprehensive Single System Security Analysis 
Rocky Mountain Celebration of Women in Computing (RMCWiC),
November 01-02, 2012, Fort Collins, CO (United States)
Malgorzata Urbanska, Indrajit Ray, Adele Howe, and Mark Roberts.
|
|
The National Vulnerability Database (NVD) provides
unstructured descriptions of computer security vulnerabilities.
These descriptions do not directly provide the information
necessary to formally analyze how the user’s and the attacker’s
actions lead to the exploit. Moreover, the descriptions vary in
how they describe the vulnerabilities. In this paper, we describe a
system for automatically extracting cause and effect information
from a set of vulnerabilities. The result is a structured data
set of vulnerability descriptions with pre- and post-condition
relationships. We evaluate the system by comparing the output
with a manually constructed representation for security analysis
called the Personalized Attack Graph (PAG).
|
|
Using Planning for a Personalized Security Agent 
The AAAI-12 Workshop on Problem Solving using Classical Planners (CP4PS-12),
July 22 or 23, 2012, Toronto, Ontario, Canada
M. Roberts, A. Howe, I. Ray, M. Urbanska.
|
|
The average home computer user needs help in reducing the
security risk of their home computer. We are working on an
alternative approach from current home security software in
which a software agent helps a user manage his/her security
risk. Planning is integral to the design of this agent in
several ways. First, planning can be used to make the underlying
security model manageable by generating attack paths
to identify vulnerabilities that are not a problem for a particular
user/home computer. Second, planning can be used
to identify interventions that can either avoid the vulnerability
or mitigate the damage should it occur. In both cases, a
central capability is that of generating alternative plans so
as to find as many possible ways to trigger the vulnerability
and to provide the user with options should the obvious
not be acceptable. We describe our security model and our
state-based approach to generating alternative plans. We show
that the state-based approach can generate more diverse plans
than a heuristic-based approach. However, the state-based approach
sometimes generates this diversity with better quality
at higher search cost.
|
|
The Psychology of Security for the Home Computer User 
33rd IEEE Symposium on Security and Privacy,
May 21-23, 2012, San Francisco Bay Area, CA (United States)
A. Howe, I. Ray, M. Roberts, M. Urbanska, Z. Byrne.
|
|
The home computer user is often said to be the
weakest link in computer security. They do not always follow
security advice, and they take actions, as in phishing, that
compromise themselves. In general, we do not understand why
users do not always behave safely, which would seem to be in
their best interest. This paper reviews the literature of surveys
and studies of factors that influence security decisions for home
computer users. We organize the review in four sections: understanding
of threats, perceptions of risky behavior, efforts to
avoid security breaches and attitudes to security interventions.
We find that these studies reveal a lot of reasons why current
security measures may not match the needs or abilities of home
computer users and suggest future work needed to inform how
security is delivered to this user group.
|