Rise of the HaCRS: Augmenting autonomous cyber reasoning systems with human assistance

Yan Shoshitaishvili; Michael Weissbacher; Lukas Dresel; Christopher Salls; Ruoyu Wang; Christopher Kruegel; Giovanni Vigna

doi:10.1145/3133956.3134105

Rise of the HaCRS: Augmenting autonomous cyber reasoning systems with human assistance

Yan Shoshitaishvili, Michael Weissbacher, Lukas Dresel, Christopher Salls, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

11 Scopus citations

Abstract

Software permeates every aspect of our world, from our homes to the infrastructure that provides mission-critical services. As the size and complexity of software systems increase, the number and sophistication of software security flaws increase as well. The analysis of these flaws began as a manual approach, but it soon became apparent that a manual approach alone cannot scale, and that tools were necessary to assist human experts in this task, resulting in a number of techniques and approaches that automated certain aspects of the vulnerability analysis process. Recently, DARPA carried out the Cyber Grand Challenge, a competition among autonomous vulnerability analysis systems designed to push the tool-assisted human-centered paradigm into the territory of complete automation, with the hope that, by removing the human factor, the analysis would be able to scale to new heights. However, when the autonomous systems were pitted against human experts it became clear that certain tasks, albeit simple, could not be carried out by an autonomous system, as they require an understanding of the logic of the application under analysis. Based on this observation, we propose a shift in the vulnerability analysis paradigm, from tool-assisted human-centered to human-assisted tool-centered. In this paradigm, the automated system orchestrates the vulnerability analysis process, and leverages humans (with different levels of expertise) to perform well-defined sub-tasks, whose results are integrated in the analysis. As a result, it is possible to scale the analysis to a larger number of programs, and, at the same time, optimize the use of expensive human resources. In this paper, we detail our design for a human-assisted automated vulnerability analysis system, describe its implementation atop an open-sourced autonomous vulnerability analysis system that participated in the Cyber Grand Challenge, and evaluate and discuss the significant improvements that non-expert human assistance can offer to automated analysis approaches.

Original language	English (US)
Title of host publication	CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	347-362
Number of pages	16
ISBN (Electronic)	9781450349468
DOIs	https://doi.org/10.1145/3133956.3134105
State	Published - Oct 30 2017
Event	24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 - Dallas, United States Duration: Oct 30 2017 → Nov 3 2017

Other

Other	24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
Country	United States
City	Dallas
Period	10/30/17 → 11/3/17

Keywords

Cyber Reasoning Systems
Fuzzing
Human assistance

ASJC Scopus subject areas

Software
Computer Networks and Communications

Access to Document

10.1145/3133956.3134105

Fingerprint Dive into the research topics of 'Rise of the HaCRS: Augmenting autonomous cyber reasoning systems with human assistance'. Together they form a unique fingerprint.

Cite this

Shoshitaishvili, Y., Weissbacher, M., Dresel, L., Salls, C., Wang, R., Kruegel, C., & Vigna, G. (2017). Rise of the HaCRS: Augmenting autonomous cyber reasoning systems with human assistance. In CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 347-362). Association for Computing Machinery. https://doi.org/10.1145/3133956.3134105

Rise of the HaCRS : Augmenting autonomous cyber reasoning systems with human assistance. / Shoshitaishvili, Yan; Weissbacher, Michael; Dresel, Lukas; Salls, Christopher; Wang, Ruoyu; Kruegel, Christopher; Vigna, Giovanni.

CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2017. p. 347-362.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Shoshitaishvili, Y, Weissbacher, M, Dresel, L, Salls, C, Wang, R, Kruegel, C & Vigna, G 2017, Rise of the HaCRS: Augmenting autonomous cyber reasoning systems with human assistance. in CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, pp. 347-362, 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, United States, 10/30/17. https://doi.org/10.1145/3133956.3134105

Shoshitaishvili, Yan ; Weissbacher, Michael ; Dresel, Lukas ; Salls, Christopher ; Wang, Ruoyu ; Kruegel, Christopher ; Vigna, Giovanni. / Rise of the HaCRS : Augmenting autonomous cyber reasoning systems with human assistance. CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2017. pp. 347-362

@inproceedings{317e46bacf2f452da769b60b2a33e178,

title = "Rise of the HaCRS: Augmenting autonomous cyber reasoning systems with human assistance",

abstract = "Software permeates every aspect of our world, from our homes to the infrastructure that provides mission-critical services. As the size and complexity of software systems increase, the number and sophistication of software security flaws increase as well. The analysis of these flaws began as a manual approach, but it soon became apparent that a manual approach alone cannot scale, and that tools were necessary to assist human experts in this task, resulting in a number of techniques and approaches that automated certain aspects of the vulnerability analysis process. Recently, DARPA carried out the Cyber Grand Challenge, a competition among autonomous vulnerability analysis systems designed to push the tool-assisted human-centered paradigm into the territory of complete automation, with the hope that, by removing the human factor, the analysis would be able to scale to new heights. However, when the autonomous systems were pitted against human experts it became clear that certain tasks, albeit simple, could not be carried out by an autonomous system, as they require an understanding of the logic of the application under analysis. Based on this observation, we propose a shift in the vulnerability analysis paradigm, from tool-assisted human-centered to human-assisted tool-centered. In this paradigm, the automated system orchestrates the vulnerability analysis process, and leverages humans (with different levels of expertise) to perform well-defined sub-tasks, whose results are integrated in the analysis. As a result, it is possible to scale the analysis to a larger number of programs, and, at the same time, optimize the use of expensive human resources. In this paper, we detail our design for a human-assisted automated vulnerability analysis system, describe its implementation atop an open-sourced autonomous vulnerability analysis system that participated in the Cyber Grand Challenge, and evaluate and discuss the significant improvements that non-expert human assistance can offer to automated analysis approaches.",

keywords = "Cyber Reasoning Systems, Fuzzing, Human assistance",

author = "Yan Shoshitaishvili and Michael Weissbacher and Lukas Dresel and Christopher Salls and Ruoyu Wang and Christopher Kruegel and Giovanni Vigna",

year = "2017",

month = oct,

day = "30",

doi = "10.1145/3133956.3134105",

language = "English (US)",

pages = "347--362",

booktitle = "CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

note = "24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 ; Conference date: 30-10-2017 Through 03-11-2017",

}

TY - GEN

T1 - Rise of the HaCRS

T2 - 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017

AU - Shoshitaishvili, Yan

AU - Weissbacher, Michael

AU - Dresel, Lukas

AU - Salls, Christopher

AU - Wang, Ruoyu

AU - Kruegel, Christopher

AU - Vigna, Giovanni

PY - 2017/10/30

Y1 - 2017/10/30

N2 - Software permeates every aspect of our world, from our homes to the infrastructure that provides mission-critical services. As the size and complexity of software systems increase, the number and sophistication of software security flaws increase as well. The analysis of these flaws began as a manual approach, but it soon became apparent that a manual approach alone cannot scale, and that tools were necessary to assist human experts in this task, resulting in a number of techniques and approaches that automated certain aspects of the vulnerability analysis process. Recently, DARPA carried out the Cyber Grand Challenge, a competition among autonomous vulnerability analysis systems designed to push the tool-assisted human-centered paradigm into the territory of complete automation, with the hope that, by removing the human factor, the analysis would be able to scale to new heights. However, when the autonomous systems were pitted against human experts it became clear that certain tasks, albeit simple, could not be carried out by an autonomous system, as they require an understanding of the logic of the application under analysis. Based on this observation, we propose a shift in the vulnerability analysis paradigm, from tool-assisted human-centered to human-assisted tool-centered. In this paradigm, the automated system orchestrates the vulnerability analysis process, and leverages humans (with different levels of expertise) to perform well-defined sub-tasks, whose results are integrated in the analysis. As a result, it is possible to scale the analysis to a larger number of programs, and, at the same time, optimize the use of expensive human resources. In this paper, we detail our design for a human-assisted automated vulnerability analysis system, describe its implementation atop an open-sourced autonomous vulnerability analysis system that participated in the Cyber Grand Challenge, and evaluate and discuss the significant improvements that non-expert human assistance can offer to automated analysis approaches.

AB - Software permeates every aspect of our world, from our homes to the infrastructure that provides mission-critical services. As the size and complexity of software systems increase, the number and sophistication of software security flaws increase as well. The analysis of these flaws began as a manual approach, but it soon became apparent that a manual approach alone cannot scale, and that tools were necessary to assist human experts in this task, resulting in a number of techniques and approaches that automated certain aspects of the vulnerability analysis process. Recently, DARPA carried out the Cyber Grand Challenge, a competition among autonomous vulnerability analysis systems designed to push the tool-assisted human-centered paradigm into the territory of complete automation, with the hope that, by removing the human factor, the analysis would be able to scale to new heights. However, when the autonomous systems were pitted against human experts it became clear that certain tasks, albeit simple, could not be carried out by an autonomous system, as they require an understanding of the logic of the application under analysis. Based on this observation, we propose a shift in the vulnerability analysis paradigm, from tool-assisted human-centered to human-assisted tool-centered. In this paradigm, the automated system orchestrates the vulnerability analysis process, and leverages humans (with different levels of expertise) to perform well-defined sub-tasks, whose results are integrated in the analysis. As a result, it is possible to scale the analysis to a larger number of programs, and, at the same time, optimize the use of expensive human resources. In this paper, we detail our design for a human-assisted automated vulnerability analysis system, describe its implementation atop an open-sourced autonomous vulnerability analysis system that participated in the Cyber Grand Challenge, and evaluate and discuss the significant improvements that non-expert human assistance can offer to automated analysis approaches.

KW - Cyber Reasoning Systems

KW - Fuzzing

KW - Human assistance

UR - http://www.scopus.com/inward/record.url?scp=85041432348&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85041432348&partnerID=8YFLogxK

U2 - 10.1145/3133956.3134105

DO - 10.1145/3133956.3134105

M3 - Conference contribution

AN - SCOPUS:85041432348

SP - 347

EP - 362

BT - CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 30 October 2017 through 3 November 2017

ER -