COMMANDO-HUMANS: COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity

COMMANDO-HUMANS：基于 iNSecurity 的人类行为的计算建模和自动非侵入式检测

• 批准号: EP/N020111/1
• 负责人: Shujun Li
• 金额: $ 26.52万
• 依托单位: University of Surrey
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2016
• 资助国家: 英国
• 起止时间: 2016 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FN020111%2F1
• 关键词: COMMANDO; HUMANS; COMputational; Modelling; Automatic

This project addresses mainly the Human Factors challenge of the joint Singapore-UK call, and it has an interdisciplinary team with expertise in cyber security, cognitive psychology, and human-computer interface (HCI). It aims at producing direct evidence that human behaviour related insecurity can be detected automatically by applying human cognitive models to model and simulate humans involved in security systems. A key outcome of the project will be a working software system that can be used for this purpose by researchers and practitioners. The project will focus on human user authentication systems as a representative use case and will produce new knowledge on the role of human behaviours in such systems and security systems in general. Both the software framework and new knowledge on human behaviours can also help address other challenges of the call (e.g., detection of intruders/extremists requires knowledge on how they behave; protection of user privacy require knowledge on how human users handle personal data; policy makers need to understand behaviours of their organisations' employees and human attackers targeting their organisations to make more informed decisions).It has been well known that human factors are a very important aspect of cyber security, as recognised by governments all over the world e.g., in the UK Cyber Security Strategy (2011), in Singapore's National Cyber Security Masterplan 2018 (2013), and in the US Federal Cybersecurity Research and Development Strategic Plan (2011). Human related insecurity is often related to intended or unintentional (maybe subconscious) insecure human behaviours. To conduct research on human behaviours (in cyber security, HCI, psychology and other related fields), researchers normally depend on involvement of real human users via surveys, interviews, simulated scenarios, observations of real cases, interactive games, or other specially designed user studies. Such approaches are often time-consuming and costly, and suffer from other issues like limited and/or biased samples, questionable ecological validity, difficulties in reproducing results, and impossibility of running some studies due to ethical/privacy/legal concerns.This project aims at developing the first (to the best our knowledge) general-purpose computational framework and supporting software tools that will enable automatic detection of human behaviour related insecurity at the HCI level without the need to involve real human users. The framework will be built on computational models of human cognitive processes, HCIs, human behaviour related attacks and (in)security measures. The framework will be non-intrusive: instead of evaluating the running system itself, the framework will evaluate an abstract executable model of the system and humans involved. Removing real human users from the process allows faster and more objective inspection of potential insecurity of a given security system. The automated process can still be combined with traditional user studies to make better use of limited resources in automatically detecting potential insecurity problems deserving further manual analysis.The framework and software tools developed will be of great value for cyber security researchers, security system designers/developers and security industry to deliver securer systems to end users. As a natural byproduct, they will also allow easier evaluation of usability of security and non-security related computer systems with an HCI. As we mentioned above in this summary, people having concerns on other challenges of the call can benefit from the project's outcomes as well.In this project we will focus mainly on HCI-level ("micro") human behaviours, but possible extensions to higher-level ("macro") behaviours (e.g., how human users adapt their behaviours over time via rehearsals and learning) will be looked at as well to pave the way for our future research.

该项目主要解决了新加坡联合呼叫的人为因素挑战，它拥有一个跨学科团队，具有网络安全，认知心理学和人类计算机界面（HCI）方面的专业知识。它旨在产生直接的证据，表明可以通过应用人类认知模型来模拟和模拟与安全系统有关的人进行建模和模拟人类来自动检测到与人类行为相关的不安全感。该项目的关键结果将是一个工作软件系统，研究人员和从业人员可以将其用于此目的。该项目将集中于人类用户身份验证系统作为代表性用例，并将对人类行为在此类系统和安全系统中的作用产生新的知识。 Both the software framework and new knowledge on human behaviours can also help address other challenges of the call (e.g., detection of intruders/extremists requires knowledge on how they behave; protection of user privacy require knowledge on how human users handle personal data; policy makers need to understand behaviours of their organisations' employees and human attackers targeting their organisations to make more informed decisions).It has been well known that human factors are a very important aspect of cyber security, as recognised by governments在世界各地的《英国网络安全战略》（2011年）中，在新加坡国家网络安全总体规划2018（2013）和美国联邦网络安全研究与发展战略计划（2011年）中。与人类相关的不安全感通常与预期的或无意的（可能潜意识）不安全的行为有关。为了研究人类行为（在网络安全，HCI，心理学和其他相关领域），研究人员通常依靠通过调查，访谈，模拟场景，对真实案例的观察，互动游戏，互动游戏或其他专门设计的用户研究参与实际人类用户的参与。这种方法通常通常是耗时且昂贵的，并且遇到了其他问题，例如有限和/或有偏见的样本，可疑的生态有效性，难以实现的结果，再现结果的困难以及由于道德/隐私/法律的关注而无法进行一些研究，因此该项目旨在开发第一个（最佳我们的知识），而不是在我们的知识上开发的，而不是在我们的知识上开发人类的行为范围，以使人的行为能够固定级别，以使人的行为能力固定级别，以使人的行为能力限制，并依靠人类的行为范围。需要参与真正的人类用户。该框架将建立在人类认知过程，HCI，人类行为相关攻击和（IN）安全措施的计算模型上。该框架将是非侵入性的：该框架不会评估运行系统本身，而是评估涉及的系统和人类的抽象可执行模型。从该过程中删除真正的人类用户可以更快，更客观地检查给定安全系统的潜在不安全感。自动化过程仍然可以与传统的用户研究结合使用，以便更好地利用有限的资源来自动检测应有的进一步手动分析的潜在不安全感问题。开发的框架和软件工具对网络安全研究人员，安全系统设计师/开发人员和安全行业将具有巨大的价值，以将证券服务器提供给最终用户。作为一种天然副产品，它们还将更轻松地评估使用HCI的安全性和与非安全性相关的计算机系统。正如我们在本摘要中提到的那样，人们对呼叫的其他挑战感到担忧也可以从项目的结果中受益。在这个项目中，我们将主要关注HCI-Level（“ Micro”）人类行为，但可能会扩展到高级（“宏”）行为（例如，通过对人类的行为来适应我们的行为，我们将如何适应我们的行为，以使我们的行为适应我们的行为和学习的方式，并将其善于努力。

项目成果

Making a good thing better: enhancing password/PIN-based user authentication with smartwatch

• DOI: 10.1186/s42400-018-0009-4
• 发表时间: 2018-08
• 期刊: Cybersecurity
• 影响因子: 3.1
• 作者: Bing Chang;Yingjiu Li;Qiongxiao Wang;W. Zhu;R. Deng

When Human cognitive modeling meets PINs: User-independent inter-keystroke timing attacks

• DOI: 10.1016/j.cose.2018.09.003
• 发表时间: 2018-10
• 期刊: ArXiv
• 作者: Ximing Liu;Yingjiu Li;R. Deng;Bing Chang;Shujun Li

Human-Generated and Machine-Generated Ratings of Password Strength: What Do Users Trust More?

• DOI: 10.4108/eai.13-7-2018.162797
• 发表时间: 2019-08
• 期刊: EAI Endorsed Trans. Security Safety
• 作者: S. Alqahtani;Shujun Li;Haiyue Yuan;P. Rusconi

Data-driven multimedia forensics and security

数据驱动的多媒体取证和安全

• DOI: 10.1016/j.jvcir.2018.06.023
• 发表时间: 2018
• 期刊: Journal of Visual Communication and Image Representation
• 影响因子: 2.6
• 作者: Rocha A

PSV (Password Security Visualizer): From Password Checking to User Education

• DOI: 10.1007/978-3-319-58460-7_13
• 发表时间: 2017-07
• 作者: Nouf Aljaffan;Haiyue Yuan;Shujun Li