COMMANDO-HUMANS: COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity

COMMANDO-HUMANS：基于 iNSecurity 的人类行为的计算建模和自动非侵入式检测

• 批准号: EP/N020111/1
• 负责人: Shujun Li
• 金额: $ 26.52万
• 依托单位: University of Surrey
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2016
• 资助国家: 英国
• 起止时间: 2016 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FN020111%2F1
• 关键词: COMMANDO; HUMANS; COMputational; Modelling; Automatic

This project addresses mainly the Human Factors challenge of the joint Singapore-UK call, and it has an interdisciplinary team with expertise in cyber security, cognitive psychology, and human-computer interface (HCI). It aims at producing direct evidence that human behaviour related insecurity can be detected automatically by applying human cognitive models to model and simulate humans involved in security systems. A key outcome of the project will be a working software system that can be used for this purpose by researchers and practitioners. The project will focus on human user authentication systems as a representative use case and will produce new knowledge on the role of human behaviours in such systems and security systems in general. Both the software framework and new knowledge on human behaviours can also help address other challenges of the call (e.g., detection of intruders/extremists requires knowledge on how they behave; protection of user privacy require knowledge on how human users handle personal data; policy makers need to understand behaviours of their organisations' employees and human attackers targeting their organisations to make more informed decisions).It has been well known that human factors are a very important aspect of cyber security, as recognised by governments all over the world e.g., in the UK Cyber Security Strategy (2011), in Singapore's National Cyber Security Masterplan 2018 (2013), and in the US Federal Cybersecurity Research and Development Strategic Plan (2011). Human related insecurity is often related to intended or unintentional (maybe subconscious) insecure human behaviours. To conduct research on human behaviours (in cyber security, HCI, psychology and other related fields), researchers normally depend on involvement of real human users via surveys, interviews, simulated scenarios, observations of real cases, interactive games, or other specially designed user studies. Such approaches are often time-consuming and costly, and suffer from other issues like limited and/or biased samples, questionable ecological validity, difficulties in reproducing results, and impossibility of running some studies due to ethical/privacy/legal concerns.This project aims at developing the first (to the best our knowledge) general-purpose computational framework and supporting software tools that will enable automatic detection of human behaviour related insecurity at the HCI level without the need to involve real human users. The framework will be built on computational models of human cognitive processes, HCIs, human behaviour related attacks and (in)security measures. The framework will be non-intrusive: instead of evaluating the running system itself, the framework will evaluate an abstract executable model of the system and humans involved. Removing real human users from the process allows faster and more objective inspection of potential insecurity of a given security system. The automated process can still be combined with traditional user studies to make better use of limited resources in automatically detecting potential insecurity problems deserving further manual analysis.The framework and software tools developed will be of great value for cyber security researchers, security system designers/developers and security industry to deliver securer systems to end users. As a natural byproduct, they will also allow easier evaluation of usability of security and non-security related computer systems with an HCI. As we mentioned above in this summary, people having concerns on other challenges of the call can benefit from the project's outcomes as well.In this project we will focus mainly on HCI-level ("micro") human behaviours, but possible extensions to higher-level ("macro") behaviours (e.g., how human users adapt their behaviours over time via rehearsals and learning) will be looked at as well to pave the way for our future research.

该项目主要解决新加坡-英国联合呼吁的人为因素挑战，它拥有一个在网络安全，认知心理学和人机界面（HCI）方面具有专业知识的跨学科团队。它的目的是产生直接的证据表明，人类行为相关的不安全可以通过应用人类认知模型来建模和模拟参与安全系统的人类来自动检测。该项目的一个关键成果将是一个可供研究人员和从业人员用于这一目的的工作软件系统。该项目将把人类用户认证系统作为一个代表性用例，并将产生关于人类行为在此类系统和一般安全系统中的作用的新知识。软件框架和关于人类行为的新知识也可以帮助解决呼叫的其他挑战（例如，检测入侵者/极端分子需要了解他们的行为方式;保护用户隐私需要了解人类用户如何处理个人数据;政策制定者需要了解其组织的员工和针对其组织的人类攻击者的行为，以做出更明智的决策）。众所周知，人为因素是网络安全的一个非常重要的方面，如世界各国政府所承认的，英国网络安全战略（2011年）、新加坡2018年国家网络安全总体规划（2013年）和美国联邦网络安全研究与发展战略计划（2011年）。与人类相关的不安全感通常与有意或无意（可能是潜意识）的不安全人类行为有关。为了对人类行为进行研究（在网络安全，人机交互，心理学和其他相关领域），研究人员通常依赖于通过调查，访谈，模拟场景，观察真实的案例，互动游戏或其他专门设计的用户研究来参与真实的人类用户。这些方法通常耗时且昂贵，并且存在其他问题，如有限和/或有偏见的样本，可疑的生态有效性，难以重现结果，由于伦理/隐私/法律的考虑，不可能进行一些研究。本项目旨在开发第一个（据我们所知）一般-目的计算框架和支持软件工具，其将使得能够在HCI级别自动检测人类行为相关的不安全性，而不需要涉及真实的人类用户。该框架将建立在人类认知过程、人机交互、人类行为相关攻击和安全措施的计算模型基础上。该框架将是非侵入性的：而不是评估运行的系统本身，该框架将评估系统的抽象可执行模型和所涉及的人。从过程中移除真实的人类用户允许对给定安全系统的潜在不安全性进行更快和更客观的检查。自动化过程仍然可以与传统的用户研究相结合，以更好地利用有限的资源，自动检测潜在的不安全问题，需要进一步的人工分析。开发的框架和软件工具将对网络安全研究人员，安全系统设计师/开发人员和安全行业提供更安全的系统给最终用户具有重要价值。作为一个自然的副产品，它们也将允许更容易地评估安全和非安全相关的计算机系统与HCI的可用性。正如我们在本摘要中提到的，对呼叫的其他挑战有顾虑的人也可以从项目的成果中受益。在这个项目中，我们将主要关注HCI级别（“微观”）的人类行为，但可能扩展到更高级别（“宏观”）的行为（例如，人类用户如何通过排练和学习随着时间的推移适应他们的行为）也将被视为为我们未来的研究铺平道路。

项目成果

Making a good thing better: enhancing password/PIN-based user authentication with smartwatch

• DOI: 10.1186/s42400-018-0009-4
• 发表时间: 2018-08
• 期刊: Cybersecurity
• 影响因子: 3.1
• 作者: Bing Chang;Yingjiu Li;Qiongxiao Wang;W. Zhu;R. Deng

When Human cognitive modeling meets PINs: User-independent inter-keystroke timing attacks

• DOI: 10.1016/j.cose.2018.09.003
• 发表时间: 2018-10
• 期刊: ArXiv
• 作者: Ximing Liu;Yingjiu Li;R. Deng;Bing Chang;Shujun Li

Human-Generated and Machine-Generated Ratings of Password Strength: What Do Users Trust More?

• DOI: 10.4108/eai.13-7-2018.162797
• 发表时间: 2019-08
• 期刊: EAI Endorsed Trans. Security Safety
• 作者: S. Alqahtani;Shujun Li;Haiyue Yuan;P. Rusconi

Data-driven multimedia forensics and security

数据驱动的多媒体取证和安全

• DOI: 10.1016/j.jvcir.2018.06.023
• 发表时间: 2018
• 期刊: Journal of Visual Communication and Image Representation
• 影响因子: 2.6
• 作者: Rocha A

2nd International Workshop on Multimedia Privacy and Security

第二届多媒体隐私与安全国际研讨会

• DOI: 10.1145/3243734.3243876
• 发表时间: 2018
• 作者: Hallman R