The Centre for Research on Engineering Software Technologies (CREST)

Challenges Overview and Internal co-supervisors
Challenge ID Project name Project Supervisor Name
1 Collaboration and Teamwork for CCOP CCOP Asangi and Mansooreh
2 AI-based Assistant for Executive Cyber Awareness CCOP Ngyuen
3 Metric recommendation based on organizational needs CCOP Ngyuen and Chandi
4 Containerized application live updating with network-level services Pokaps Mobin
5 Towards Configurable Vulnerability Assessment in Docker Containers Pokaps Victor and Mobin
6 Automatic coordination of software security patch management Pokaps Nesara
7 Dependency analytics in software security patch management Pokaps Nesara
8 Blockchain-based Tool for Security Patching Lifecycle Management Pokaps Auffef
9 Automated security assessment for interconnected systems C3i Faheem
10 Log file analysis and visual feedback generator C3i Faheem
11 Security database mapping for meaningful mitigation C3i Faheem
12 Modelling Security Operations Activities for Securing C3I Systems C3i Ali
13 Evaluation of Tool Support for Security by Design of C3i Software Systems C3i Ali
14 Resilience and Security of Command and Control infrastructure for C3i Systems C3i Faheem and Nguyen
15 Protecting software-defined enterprise networks of a C3I system from packet injection Attacks C3i Faheem and Nguyen
16 Evasion Attack on ML based Insider Attack Detectors C3i Faheem
17 Accountable Artificial Intelligence (AI) Ali
18 Securing Deep Leanring Based NLP Systems Ali
19 Leveraging Deep Learning for Recommending Security Tools APIs Ali
20 Human Decision-Making for Cyber Security Ali

All the project are supervised by Ali, Asangi, and Mansooreh.

Challenge #1: Collaboration and Teamwork for CCOP

Common Operational Pictures (COPs) have been used in the military domain as a powerful tool for gaining Situational Awareness (SA) and thus enabling appropriate decision-making in moments of crisis or attacks. Today, SA is also an essential part of the cybersecurity operations of many organisations, but particularly for Critical Infrastructures (CIs) and national agencies. A number of solutions have been proposed to enhance Cyber Situational Awareness (CSA) by means of Cyber Common Operational Pictures (Cyber COPs). A COP is defined as "a single identical display of relevant information shared by more than one command that facilitates collaborative planning and assists all echelons to achieve situational awareness".

Complete cyber situation awareness is implausible to achieve through interactions only between an individual analyst and their technology. Achieving complete situation awareness requires members of different teams and different organisational positions, working across different work shifts to collaborate and share information with each other. Often each team member will have different, though perhaps overlapping, perspectives and hypotheses on the situation. In a complex and dynamic world, it is likely that two or more such perspectives will need to be combined to obtain complete SA that extends beyond a single analyst's knowledge. Unfortunately, there is a lack of technologies conducive to humans to collaborate, effectively communicate, and share information and knowledge with each other in the context of CCOP and CSA. The project's main aim is to enable people from different organisational teams and levels to share their knowledge and perspective in order to:

  1. collaboratively analyse alerts and observations related to the CCOP dashboard and;
  2. collectively make actionable decisions.

The expected outcomes for this research challenges are:

  1. Develop a functional prototype of this concept.
  2. Make the prototype usable for getting feedback from users on ways to improve the workflow and to identify additional requirements.

Challenge #2: AI-based Assistant for Executive Cyber Awareness

Cyber Common Operating Picture (CCOP) comprises a set of metrics, coming from different security intelligence sources. One of the current means of displaying a CCOP is executive dashboards, which were carefully designed to display the right kind of metrics at an appropriate level of detail. While these dashboards can be tailored to individual organizations, or even individual executives, they can only narrow down the available information of the CCOP to a more manageable level instead of providing the very specific information that executives seek within a specific context. Moreover, when using these dashboards, executives need to examine and analyze the security status details themselves instead of having an assistant to offer them what they need and useful recommendations for making security decisions.

This research activity will explore the ways we can apply semantic modelling, logic reasoning, and information retrieval technique to retrieve and return the precise information that executives need within a context.

The key outcomes of will be:

  1. Develop a mechanism to understand natural language requests from executives and return an appropriate set of information from the CCOP model that satisfies the request.
  2. Integrate this mechanism into an open-source voice assistant platform such as Mycroft AI, Open Assistant, LinTO, Leon, etc.

Challenge #3: Metric recommendation based on organizational needs

Cyber Common Operating Picture (CCOP) comprises security metrics that reflect the cyber-health of an organization with respect to its historical performance and the industry standard. These metrics are generated from various sources of security intelligence, such as reports from security tools (e.g., SIEM, IDS, firewalls) as well as external intelligence sources (e.g, Open-source intelligence, vulnerability registries). Each organization has different level of access to these sources. Moreover, they have different requirements in terms of the metrics to be included in the CCOP and the relative importance of these metrics.

Given the large number of metrics that can be used for CCOP, it is difficult for organizations to map their current capabilities, in terms of the security intelligence sources that they have, to the metrics. Moreover, the requirements of an organization might simply be insatisfiable given their existing capability. Thus, the organization needs recommendations on either extending their capability or modifying their requirements. A CCOP-specific recommendation system that can solve this problem does not exist.

This research activity aims at applying Artificial Intelligence (AI) techniques, such as semantic reasoning and collaborative filtering, to develop a recommendation mechanism that matches organizations with the right metrics in the CCOP model and provides suggestions about extending capabilities or modifying requirements.

The expected outcomes will be:

  1. An AI-enabled prototype tool for providing organizational specific security metrics recommendation services that would become part of the CCOP platform

Challenge #4: Containerized application live updating with network-level services

Software live updating can occur at different granularity, such as instruction-level, function-level, process-level, etc. This research challenge will focus on container-level software updating. Minimising or completely eliminating service downtime associated with vulnerable container updating is necessary for highly critical applications. An automated and transparent way to manage run-time updating of vulnerable containers would be beneficial for such critical environments. Traditional container updating approach involves multiple steps. Namely, a) stopping the existing vulnerable container, b) preparing a new updated/patched container, c) starting the newly created container. However, with the growth of modern software in terms of size and complexity leads to increased container creation and preparation times. Thus, in order to minimise the downtime of the service provided by a container, this research effort would focus on investigation of seamless downtime-free client migration from vulnerable to updated containers.

The expected outcomes for this research challenges are:

  1. A prototype tool for managing dynamic container updates at the network level.

Challenge #5: Towards Configurable Vulnerability Assessment in Docker Containers

Security is considered as one of the most challenging factors for migrating Small and mid-size enterprises (SMEs) services and applications to the cloud (containers). SMEs employ one or more open-source tools without properly configuring them to fit in appropriate context. This results in several issues: 1) waste of computing resources, 2) improper accuracy in vulnerability detection, 3) misidentification of security events. This challenge aims to explore the potential of multi-tools approach on vulnerability assessment of virtualised infrastructure.

The planned activities and deliverables are:

  1. Exploring the strengths and weaknesses of the performance and accuracy of existing vulnerability scanning tools in the context of containers.
  2. Identifying and using mechanisms for integrating and orchestrating various existing container security tools into a coherent container security enabling flow.
  3. Developing a multi-tools approach for automatically detecting vulnerabilities and configuring Docker containers.

Challenge #6: Automatic coordination of software security patch management

Keeping machines up to date by applying the critical security patches on time is critical security hygiene. Enterprise software security patch management involves the process of applying security patches to large and complex organization systems, which is a challenging task. The dynamic and collaborative nature involving multiple stakeholders at different stages of the process create further difficulties in patch management tasks. Efficient coordination of the tasks with multiple stakeholders of conflicting interests is a daunting task that could easily be neglected because of the inherent complexity and lack of technological support yet a critical success factor to security patch management. A typical manual approach to this problem would use discussion with several stakeholders to argue the different considerations and reach a consensus. This research challenge will analyse the activities, tasks, and artefacts generated and shared for supporting coordination of security practitioners for security patch management tasks in large and complex organizations. Then the research activities will identify the needs of automating the coordination tasks for better and timely decision making by the relevant stakeholders in the following areas:

  1. collaboratively analyse alerts related to patch application;
  2. gain and share situational awareness of the context of the patch being applied and;
  3. collaboratively make actionable decisions

The task/expected outcome is to:

  1. Develop a prototype tool for improving automation support of coordination in software security patch management process.

Challenge 7#: Dependency analytics in software security patch management

Timely security patch installation in organizations is often impeded by the necessity to manually test and install patches to avoid the risks of unexpected system breakdowns caused by faulty and malicious patches. These manual tasks are often associated with misconfiguration and erroneous responses and consume a significant amount of time and human effort. Dependency and compatibility concerns cause severe problems for automation in these security patch management tasks. The challenge is to utilize AI capabilities to assess patch dependencies and visualize the results to investigate the pre-requisites for patch application and identify any particular outliers (missing patches/patch information) that would streamline the patching workflow and assist practitioners in decision-making for timely patch installation.

The expected deliver is:

  1. A ML-based approach and prototype tool for automatically track and visualise the patch dependencies for supporting patching decisions.

Challenge #8: Blockchain-based Tool for Security Patching Lifecycle Management

Software security patching plays a critical role in thwarting cyber security attacks. A security patch involves a change applied to the software code to correct the security weakness discovered by a vulnerability. Software security patch lifecycle management refers to the application process of security patches to address the identified security vulnerabilities in the software code. Enterprise security patch management involves the process of applying security patches to large and complex organization systems with hundreds of servers, multiple operating systems, and heterogeneous applications, all interconnected through networking devices which is a challenging task. It important to have an automatic and trustworthy support infrastructure for the activities and artefacts of the software security patch lifecycle management.

This research challenge is aimed at exploring the suitability and viability of leveraging distributed ledger technologies to automate the process of software patch management in mission critical system, e.g., industrial control systems or healthcare systems. The research activities will design and implement a prototype for a blockchain enabled tool for supporting the software security patch lifecycle management.

The expected deliver is:

  1. A blockchain-enabled App for managing security patches from generation to application

Challenge #9: Automated security assessment for interconnected systems

Modern command, control, and communication systems are highly interconnected supported by advanced networks and Internet of Things (IoT). The hypberconnectivity of the such systems and the software underpinning exposes them to a large number of security vulnerabilities, which leads to an increase in the volume and sophistication of cyberattacks. These attacks potentially disrupt the cyber safety and operation of many organisations and enterprises with millions of users. Assessment of these cyber risks is important to prioritise to fix the ones that would have the highest impact on a system. The current techniques are mostly expert-based with manually crafted rules, and thus do not scale well to new vulnerabilities. The proposed research challenge aims to automate the security assessment process using Artificial Intelligence enabled technologies. The envisioned solution will support evaluation-based security modelling to analyse vulnerabilities in complex and dynamically changing computer systems and interconnected networks.

The expected deliverables of the project are:

  1. Enrichment of graphical security models with a variety of security metrics extracted from software vulnerability assessment
  2. Automated security analysis of the interconnected systems using a combination of machine learning-driven software vulnerability assessment and graphical security modelling techniques

Challenge #10: Log file analysis and visual feedback generator

Command, control, and communication systems are considered a type of Systems-of-Systems (SoS). Such systems are complex distributed and concurrent systems, bring many benefits, but also raise many security challenges. With the scalability and robustness characteristics, these systems are widely deployed to support mission critical processes and business functions such as search and rescue tasks, smart buildings, health care and transportation. However, heterogeneity, highly distribution and emergent behaviours of SoS also significantly increase their exposure to a large number of security vulnerabilities. A vulnerability in an individual constituent system (CS) usually makes that CS the weakest link for the whole SoS in cae of cascading attack resulting from the interactions among the CSs. Moreover, SoS modification and vulnerability mitigation would be expensive when a system becomes mature. Thus, the security solution at the early stage becomes a critical challenge. To address this problem, our research has introduced a model-driven based method for designing and analysing security of Systems-of-Systems Security (SoSSec). The proposed research challenge will provide a tool support for automatically analyse and visual the log files generated based on the security model developed using the SoSSec. The envisioned automated analysis/visualisation tool will make the security vulernability models easy to understand for system designers.

The deliverables for addressing this challenge are:

  1. Automatically analyse the log file of execution/simulation results and extract the information, such as agents (CS), vulnerabilities, pre and post-conditions, and interactions/messages of the agents.
  2. Generate visual feedback by drawing the cascading attack diagram using model driven engineering techniques.

Challenge #11: Security database mapping for meaningful mitigation

When a vulnerability is found, the security architects need to take necessary actions to mitigate the attacks. To fix the system vulnerability, the architects need to know the root and the reason for the problem. Therefore, weaknesses and attack patterns can be employed to explore system vulnerabilities. With this information, the proposed security solutions and patterns can be provided to the architects as a guideline and references. This project explores the relationship between the vulnerabilities and weaknesses of the SoS, attack patterns, and potential mitigations. Based on the proposed mitigations, systems can return the security solution suggestions.

The expected outcomes for addressing this challenge will be:

  1. ML/NLP techniques for automatically linking the relevant CVE, CWE, CAPEC and security centric patterns.
  2. A web-based system to visual the mapping for support designers in understanding and mitigating security vulnerabilities by suggested the relevant security patterns.

Challenge #12: Modelling Security Operations Activities for Securing C3I Systems

Command, Control, Communication, and Intelligence (C3i) system is a kind of System of Systems (SoS) that is increasingly leveraging ICT infrastructures. As C3I systems are becoming more pervasive in military and police organizations, there is a high risk of cyber-attacks on these systems. Given that it is inevitable that a cyber-attack will happen at one stage or another, it is important to be ready for promptly responding to the attack. This research challenge aims at modelling the security operational activities of C3i systems. The modelling will underpin the identification of the response activities that is how the C3i system will response when it is under an attack. Such modelling will greatly benefit the designer of C3i system in determining, planning, and testing the response of C3i system to various kinds of attacks right at the design stage of the system. The proposed work will leverage semantic modelling, natural language processing, and model-driven engineering for the identification and modelling of the features of the plan to respond to an attack.

The expected outcome for addressing this challenge will be:

  1. A prootype tool and report for modelling the security operational activities.

Challenge #13: Evaluation of Tool Support for Security by Design of C3i Software Systems

This research action will carry out a preliminary study of the available tools and approaches for building a Design Space for supporting security by design paradigm for next generation smart command, control and communication systems. Such design space is needed for building and/or improving organizational and individuals' competencies in embedded security by design paradigm in the design and evaluation phases of large-scale mission- and business-critical software intensive services. The research activities will identify and critically analyse the available security modelling and analysis tools for the access and provision of an integrated body of knowledge consisting of design principles, guidelines, patterns, reusable meta-models, and artefacts for designing and evaluating secure C3i systems. The research activities will also focus on the collaborative capabilities and activity-based provision of the required security knowledge to the stakeholders involved in the design and analysis activities. One important aspect of the evaluation will be the available decision making support for identifying, considering and incorporating security centric approaches. The evaluated tools will also be reviewed for their abilities for customization to individual knowledge and preferences and the total cost of ownership.

The expected outcome from this research action will be:

  1. A report on the evaluation of tools supporting collaborative activity-based security by design for C3i systems.

Challenge #14: Resilience and Security of Command and Control infrastructure for C3i Systems

This research activity will focus on adopting and applying resilience and security methodologies for command and control infrastructure for collaborative autonomous systems and collaborating autonomous robots. The research would focus on exploring resilience and security in the following aspects. (i) Planning mission strategies when some of the command and control (master), or slave nodes (robots) fail. (ii) Configuring new command and control cluster nodes when some of the operational nodes fail. (iii) Establishing alternative communication channels if some or all of the communication channels fail. (iv) Restoring to original system operational state with new data when optimal systems configuration is reestablished. (v) Optimising task assignment when command and control services are reestablished. (vi) Exploring and adapting consensus based protocols and leader selection algorithms to find optimal decision making strategies.

The expected outcome from this research would be:

  1. Identification and implementation of algorithms for the above mentioned use cases that can work on a cluster of edge and cloud nodes.
  2. Develping optimisation strategies for performing online and offline computing to make global and local decisions based upon available data.
  3. Implement the strategies on autonomous robots e.g., TurtleBots.

Challenge #15: Protecting software-defined enterprise networks of a C3I system from packet injection Attacks

The networking architecture of the software-defined network (SDN) employed in a C3I infrastructure makes it easy to target the packet injection attack. The attacker can affect the services and performance of the SDN controller and can overflow the capacity of the SDN switch devastatingly, by injecting the malicious packets into the SDN network. That ultimately stops the network functioning in real-time, leading to the situation of network breakdown. Thus, the packet injection attack is a primary threat to the software-defined enterprise network of a C3I infrastructure, in which continuous connectivity and real-time network functioning are two essential requirements.

In this project, we will design and implement a packet injection attack's mitigation technique that will detect and immediately block the malicious data packet flow at the gateway switch of the software-defined enterprise network of a C3I infrastructure. In our project, we want to guarantee that the core network does not stop functioning due to the packet injection attack. We want to shift the computational functionality of the controller to the edge switch, using the P4 based implementation, to thoroughly reduce the workload of mitigating the edge controller's packet injection attack.

The outcomes of this project will be a software/tool and research paper that will protect software-defined enterprise network from the packet injection attack.

Challenge #16: Evasion Attack on Machine Learning based Insider Attack Detectors

Insider threats are one of the most challenging attack models to deal with in practice. According to a recent report1, 30% of all cybercrime incidents were suspected to be committed by insiders and the overall cost of insider threats is rising, with a 31% increase from $8.76 million in 2018 to $11.45 million in 2020. Machine Learning (ML) based approaches are frequently used to detect insider attacks (see attached survey paper). Most of these approaches use anomaly detectors such as Hidden Markov Model (HMM), Gaussian Mixture Models (GMM), One Class SVM (OCSVM) and Isolation Forest Tree (IFT). In Deep learning methods, recently LSTM, Multistate LSTM and CNN and Autoencoders are used to detect insider threat with an average accuracy of more than 90%. However, there is no study done on testing the security of these detectors and assessing their practical applicability are against adversarial attacks such as Poisoning and Evasion. The goal of this project to assess the test-time security and practical applicability of these systems. To achieve this goal, this project aims to model an evasion attack against ML-based insider attack detection systems.

This project will answer following research questions

  1. Which models are more robust (hard to fool)? Based on time, number of perturbations and number of queries to the model?
  2. How transferrable adversarial examples generated by different models?
  3. Examining the impact of adversarial examples generated against a target model on other models. Studying which model adversarial examples are more transferrable.
  4. Identify the most sensitive features that impact the performance of all the models?

Challenge #17: Accountable Artificial Intelligence (AI)

Deep Learning-based models (DL) are increasingly adapted in security-sensitive applications such as Spam and toxic content detection. However, the datasets on which the models are trained are obtained from people, online sources or third-party such as threat intelligence feeds such as Phish Tank or social media. The end-user usually has some control over these data sources and an adversary can use this for poisoning the datasets. DL models trained over poisoned dataset can shift the decision boundary of the model in accordance with the adversary will. A popular real-world example of poisoning the attack is Microsoft Tay. Tay was an artificial intelligence chatterbot that was originally released by Microsoft Corporation via Twitter on March 23, 2016; it caused subsequently controversy when the bot began to post inflammatory and offensive tweets through its Twitter account, forcing Microsoft to shut down the service only 16 hours after its launch. According to Microsoft, this was caused by trolls who "attacked" the service as the bot made replies based on its interactions with people on Twitter.

This project aims to detect Poisoning attack on Spam and Phishing detectors. This will be done by first generating a log file to assess the security of DL systems by executing a list of poisoning attacks on spam and phishing detectors and logging the critical security events. After that, the generated log file will be used to develop a Machine Learning model that automated analyse the log files to detect poisoning attack against DL systems.

The expected deliverables of the project are:

  1. Knowledge and understanding of types of approaches to detecting poisoning attacks on spam and phishing DL models.
  2. A DL based tool for automating the detection of poisoning attacks

Challenge #18: Securing Deep Learning based NLP Systems Deep Learning (DL) models have attained remarkable success in several tasks such as classification and decision analytics. However, DL models, are often sensitive to Adversarial Examples (AEs). AEs consist of transformed original training data samples that preserve the intrinsic utilities of the ML solutions, but influence target classifier’s predictions between the original and the modified input. A recent popular and powerful attack against DL based NLP systems is synonym substitution, where a transforming a word in the original example with its semantically similar synonym changes the prediction of the target model. For example, transforming “The Fish N Chips are excellent” to “The Fish N Chips are first-class” changes the target model output from positive to negative. This project aims to create a robust encoding method and train a robust model that is resilient to synonym substitution attack at test time. The NLP datasets that will be used to evaluate the method will be security critical datasets Enron (for spam email detection), Toxic comments (Kaggle jigsaw), Yelp (Positive/Negative reviews) and Fake News datasets. Three state-of-the- art synonym- substitution attacks will be considered to generate AEs against these systems.

The goals of this project will be achieved by answering the following questions:

  1. How effective Robust_Encoding is against synonym substitution attack?
  2. How well Robust_Encoding perform in comparison of state-of-the-art adversarial training?

The expected deliverables of the project are:

  1. The outcome of this project would be a robust encoding method to develop robust DL models against synonym substitution attack.

Challenge #19: Leveraging Deep Learning for Recommending Security Tools APIs

A wide variety of multi-vendor disparate security tools are used in a Security Operation Center (SOC) of an organization to defend and respond against emerging cyber-security attacks. Security Orchestration Platform (SecOrP) aims to integrate the activities performed by diverse types of security tools to execute an incident response process. While using this high number of diverse security tools in SecOrP, SOC team members require APIs from the varied tools to perform their activities. Searching appropriate APIs of a distinct tool for their specific task is challenging and time-consuming. Besides, in security tool domain the user contributed data sources such as Stack Overflow and GitHub are not always available. Hence, the target of this project is to recommend API from documentation rather than depending on user contributed data sources. Recently, many deep learning and natural language processing techniques have been proposed for various text-based applications such as question answering, sentence classification etc. This project aims to investigate state-of-the-art deep learning techniques to recommend API for diverse security tools from documentation and provide an interface for API recommendation.

The expected deliverables of the project are:

  1. Implementation of Deep Laerning approaches for answering free form security tool API related query.
  2. Comparative analysis of DL approaches to recommending security tool API.
  3. An interface for answering security tool API related query.

Challenge #20: Human Decision-Making for Cybersecurity

Most people receive dozens of emails that contain attempts to phish their personal data each week. Phishing attacks cost approximately $10 billion each year, and incidence of coordinated phishing attempts directed to individuals and businesses is expected to increase. Safeguarding sensitive material and protecting personal finances against fraud relies on more than just protective software, but also on human behaviour. This project investigates human decision making and learning processes in the context of targeted phishing emails. We are interested in identifying (i) visual and textual cues that may signal the presence of a phishing attack in simulated emails, (ii) the behavioural and cognitive processes that occur after correctly identifying, incorrectly identifying, or failing to identify such cues, (iii) methods by which such behavioural and cognitive processes may be trained in such cases where humans fail to identify cues, and (iv) quantifiable metrics that allow organisations to evaluate the efficacy of anti-phishing training programs in their staff.

The expected deliverables from the project are:

  1. A body fo knowledge about behavioural and cognitive processes that might be used to measure positive and negative phishing outcomes.
  2. Design and experiment for testing the efficacy of cueing participants in phishing email simulations based on the findings of that review.
For further information

For a confidential discussion regarding to the positions, contact:

Professor Ali Babar

Dr. Asangi Jayatilaka

Dr. Mansooreh Zahedi

Download the document