
Quantifying Security: Methods, Challenges and Applications

dc.contributor.author: Sarabi, Armin
dc.date.accessioned: 2018-06-07T17:46:37Z
dc.date.available: NO_RESTRICTION
dc.date.available: 2018-06-07T17:46:37Z
dc.date.issued: 2018
dc.date.submitted:
dc.identifier.uri: https://hdl.handle.net/2027.42/144033
dc.description.abstract: Data and cyber security, whether defined from the point of view of corporations, individuals, or Internet hosts/networks, have been studied from a variety of perspectives, ranging from theoretical models, to measurement studies, and data-driven approaches that combine statistical analysis and learning techniques with real-world measurements, to assess security, find flaws in current systems, and regulate more secure designs. In this dissertation, we explore the applicability of machine learning, and statistical modeling, in building algorithms that are able to make generalized statements regarding the security of real-world entities: (1) We assess the security of organizations, quantified as the likelihood of sustaining data incidents, by combining previous breach disclosures, with geographic, industry, size, and Internet traffic information, and evaluate techniques for estimating the distribution of risk among various incident categorizations, in order to guide resource allocation, and improve security policies; (2) we leverage field measurements of patch deployment on user machines, to quantify updating behaviors (resulting in a simple, single-parameter model), inspect the dynamics between software vendors and consumers, and its impact on the security posture of user machines; and (3) we develop a framework for scalable analysis of Internet-facing hosts, by distilling an abundance of knowledge obtained from global scans of the public Internet, into compact numerical fingerprints, and examine their utility for detecting (potentially) malicious hosts, inferring unobserved attributes of web servers, quantifying similarities, and characterizing networks of hosts. Our presented techniques can be utilized by system administrators, analysts, or individuals, to make informed decisions by self-monitoring, or assessing other parties.
We select/develop our tools in accordance with the requirements of the examined supervised and unsupervised tasks, and attempt to address deficiencies in the utilized data sets, to advance the efficacy of our proposed algorithms for real-world applications. In order to develop interpretable designs that can produce actionable forecasts and recommendations, we provide case studies, perform statistical tests, and inspect trained models, to further support our claims, and draw high-level conclusions based on our findings. We develop and evaluate our frameworks on (often public) data sets that are available to us, though they can also be applied on top of other similar databases. While most of the focus of this research is on cyber and data security, we also explore applications of data-driven analysis for monitoring of Internet hosts and networks for non-security related objectives.
dc.language.iso: en_US
dc.subject: Machine Learning and Quantitative Analysis for Security
dc.title: Quantifying Security: Methods, Challenges and Applications
dc.type: Thesis [en_US]
dc.description.thesisdegreename: PhD [en_US]
dc.description.thesisdegreediscipline: Electrical Engineering: Systems
dc.description.thesisdegreegrantor: University of Michigan, Horace H. Rackham School of Graduate Studies
dc.contributor.committeemember: Liu, Mingyan
dc.contributor.committeemember: Halderman, J Alex
dc.contributor.committeemember: Dumitras, Tudor
dc.contributor.committeemember: Subramanian, Vijay Gautam
dc.subject.hlbsecondlevel: Electrical Engineering
dc.subject.hlbtoplevel: Engineering
dc.description.bitstreamurl: https://deepblue.lib.umich.edu/bitstream/2027.42/144033/1/arsarabi_1.pdf
dc.identifier.orcid: 0000-0002-1431-7434
dc.identifier.name-orcid: Sarabi, Armin; 0000-0002-1431-7434 [en_US]
dc.owningcollname: Dissertations and Theses (Ph.D. and Master's)

