COMMANDO-HUMANS: COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity

COMMANDO-HUMANS：基于 iNSecurity 的人类行为的计算建模和自动非侵入式检测

• 批准号: EP/N020111/1
• 负责人: Shujun Li
• 金额: $ 26.52万
• 依托单位: University of Surrey
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2016
• 资助国家: 英国
• 起止时间: 2016 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FN020111%2F1
• 关键词: COMMANDO; HUMANS; COMputational; Modelling; Automatic

This project addresses mainly the Human Factors challenge of the joint Singapore-UK call, and it has an interdisciplinary team with expertise in cyber security, cognitive psychology, and human-computer interface (HCI). It aims at producing direct evidence that human behaviour related insecurity can be detected automatically by applying human cognitive models to model and simulate humans involved in security systems. A key outcome of the project will be a working software system that can be used for this purpose by researchers and practitioners. The project will focus on human user authentication systems as a representative use case and will produce new knowledge on the role of human behaviours in such systems and security systems in general. Both the software framework and new knowledge on human behaviours can also help address other challenges of the call (e.g., detection of intruders/extremists requires knowledge on how they behave; protection of user privacy require knowledge on how human users handle personal data; policy makers need to understand behaviours of their organisations' employees and human attackers targeting their organisations to make more informed decisions).It has been well known that human factors are a very important aspect of cyber security, as recognised by governments all over the world e.g., in the UK Cyber Security Strategy (2011), in Singapore's National Cyber Security Masterplan 2018 (2013), and in the US Federal Cybersecurity Research and Development Strategic Plan (2011). Human related insecurity is often related to intended or unintentional (maybe subconscious) insecure human behaviours. To conduct research on human behaviours (in cyber security, HCI, psychology and other related fields), researchers normally depend on involvement of real human users via surveys, interviews, simulated scenarios, observations of real cases, interactive games, or other specially designed user studies. Such approaches are often time-consuming and costly, and suffer from other issues like limited and/or biased samples, questionable ecological validity, difficulties in reproducing results, and impossibility of running some studies due to ethical/privacy/legal concerns.This project aims at developing the first (to the best our knowledge) general-purpose computational framework and supporting software tools that will enable automatic detection of human behaviour related insecurity at the HCI level without the need to involve real human users. The framework will be built on computational models of human cognitive processes, HCIs, human behaviour related attacks and (in)security measures. The framework will be non-intrusive: instead of evaluating the running system itself, the framework will evaluate an abstract executable model of the system and humans involved. Removing real human users from the process allows faster and more objective inspection of potential insecurity of a given security system. The automated process can still be combined with traditional user studies to make better use of limited resources in automatically detecting potential insecurity problems deserving further manual analysis.The framework and software tools developed will be of great value for cyber security researchers, security system designers/developers and security industry to deliver securer systems to end users. As a natural byproduct, they will also allow easier evaluation of usability of security and non-security related computer systems with an HCI. As we mentioned above in this summary, people having concerns on other challenges of the call can benefit from the project's outcomes as well.In this project we will focus mainly on HCI-level ("micro") human behaviours, but possible extensions to higher-level ("macro") behaviours (e.g., how human users adapt their behaviours over time via rehearsals and learning) will be looked at as well to pave the way for our future research.

该项目主要解决新加坡-英国联合通话中的人为因素挑战，并拥有一支在网络安全、认知心理学和人机界面(HCI)方面拥有专业知识的跨学科团队。它的目的是提供直接证据，证明可以通过应用人类认知模型对参与安全系统的人类进行建模和模拟，从而自动检测与不安全有关的人类行为。该项目的一个关键成果将是一个可供研究人员和从业人员用于这一目的的工作软件系统。该项目将把人类用户认证系统作为一个有代表性的用例，并将产生关于人类行为在这类系统和一般安全系统中的作用的新知识。软件框架和有关人类行为的新知识也有助于解决通话的其他挑战(例如，探测入侵者/极端分子需要了解他们的行为；保护用户隐私需要了解人类用户如何处理个人数据；政策制定者需要了解其组织的员工和针对其组织的人类攻击者的行为，以便做出更明智的决策)。众所周知，人为因素是网络安全的一个非常重要的方面，世界各国政府都承认这一点，例如，在英国网络安全战略(2011)、新加坡2018年国家网络安全总体计划(2013)和美国联邦网络安全研究和发展战略计划(2011)中。与人类相关的不安全感往往与有意或无意(可能是潜意识的)不安全的人类行为有关。为了对人类行为进行研究(在网络安全、人机交互、心理学等相关领域)，研究人员通常依靠真实人类用户的参与，通过调查、访谈、模拟场景、真实案例观察、互动游戏或其他专门设计的用户研究。此类方法通常费时费钱，并存在其他问题，如样本有限和/或有偏差、生态有效性有问题、复制结果困难，以及由于伦理/隐私/法律问题而无法进行某些研究。该项目旨在开发第一个(据我们所知)通用计算框架和辅助软件工具，使能够在不需要真实人类用户参与的情况下，在人机交互水平上自动检测与人类行为相关的不安全感。该框架将建立在人类认知过程、人机接口、与人类行为相关的攻击和安全措施的计算模型上。该框架将是非侵入式的：该框架将评估所涉及的系统和人员的抽象可执行模型，而不是评估正在运行的系统本身。将真实的人类用户从流程中剔除，可以更快、更客观地检查给定安全系统的潜在不安全。自动化过程仍可与传统的用户研究相结合，以更好地利用有限的资源自动发现潜在的不安全问题，值得进一步人工分析。开发的框架和软件工具将对网络安全研究人员、安全系统设计/开发人员和安全行业向最终用户提供更安全的系统具有重要价值。作为一种自然的副产品，它们还将允许更容易地评估具有人机界面的安全和非安全相关计算机系统的可用性。正如我们在上面的总结中所提到的，对Call的其他挑战感到担忧的人也可以从项目的结果中受益。在这个项目中，我们将主要关注人机界面级别(“微观”)的人类行为，但也将研究更高级别(“宏观”)行为的可能扩展(例如，人类用户如何通过排练和学习随着时间的推移调整他们的行为)，为我们未来的研究铺平道路。

项目成果

Making a good thing better: enhancing password/PIN-based user authentication with smartwatch

• DOI: 10.1186/s42400-018-0009-4
• 发表时间: 2018-08
• 期刊: Cybersecurity
• 影响因子: 3.1
• 作者: Bing Chang;Yingjiu Li;Qiongxiao Wang;W. Zhu;R. Deng

When Human cognitive modeling meets PINs: User-independent inter-keystroke timing attacks

• DOI: 10.1016/j.cose.2018.09.003
• 发表时间: 2018-10
• 期刊: ArXiv
• 作者: Ximing Liu;Yingjiu Li;R. Deng;Bing Chang;Shujun Li

Human-Generated and Machine-Generated Ratings of Password Strength: What Do Users Trust More?

• DOI: 10.4108/eai.13-7-2018.162797
• 发表时间: 2019-08
• 期刊: EAI Endorsed Trans. Security Safety
• 作者: S. Alqahtani;Shujun Li;Haiyue Yuan;P. Rusconi

Data-driven multimedia forensics and security

数据驱动的多媒体取证和安全

• DOI: 10.1016/j.jvcir.2018.06.023
• 发表时间: 2018
• 期刊: Journal of Visual Communication and Image Representation
• 影响因子: 2.6
• 作者: Rocha A

2nd International Workshop on Multimedia Privacy and Security

第二届多媒体隐私与安全国际研讨会

• DOI: 10.1145/3243734.3243876
• 发表时间: 2018
• 作者: Hallman R