Recently, cyber reasoning systems demonstrated near-human performance characteristics when they autonomously identified, proved, and mitigated vulnerabilities in software during a competitive event. New research seeks to augment human vulnerability research teams with cyber reasoning system teammates in collaborative work environments. However, the literature lacks a concrete understanding of vulnerability research workflows and practices, limiting designers’, engineers’, and researchers’ ability to successfully integrate these artificially intelligent entities into teams. This paper contributes a general workflow model of the vulnerability research process, and identifies specific collaboration challenges and opportunities anchored in this model. Contributions were derived from a qualitative field study of work habits, behaviors, and practices of human vulnerability research teams. These contributions will inform future work in the vulnerability research domain by establishing an empirically-driven workflow model that can be adapted to specific organizational and functional constraints placed on individual and teams.
Get full access to this article
View all access options for this article.
References
1.
AbbottR. G.McClainJ.AndersonB.NauerK.SilvaA.ForsytheC. (2015). Log analysis of cyber security training exercises. Procedia Manufacturing, 3, 5088-5094.
2.
Al-FedaghiS. (2010). System-based approach to software vulnerability. In 2010 IEEE Second International Conference on Social Computing (pp. 1072-1079). IEEE.
BernsteinM. S.LittleG.MillerR. C.HartmannB.AckermanM. S.KargerD. R.… PanovichK. (2010). Soylent: a word processor with a crowd inside. In Proceedings of the 23nd annual ACM symposium on User interface software and technology (pp. 313-322).
5.
BrunsH. C. (2013). Working alone together: Coordination in collaboration across domains of expertise. Academy of management journal, 56(1), 62-83.
6.
CookeN. J. (1994). Varieties of knowledge elicitation techniques. International Journal of Human-Computer Studies, 41(6), 801-849.
7.
CowanC.ArnoldS.BeattieS.WrightC.ViegaJ. (2003). Defcon capture the flag: Defending vulnerable code from intense attack. In Proceedings DARPA Information Survivability Conference and Exposition (vol. 1, pp. 120-129). IEEE.
8.
DowdM.McDonaldJ.SchuhJ. (2006). The art of software security assessment: Identifying and preventing software vulnerabilities. Pearson Education.
9.
EndsleyM.R. (1995). Toward a theory of situation awareness in dynamic systems. Human Factors, 37(1), 32–64.
10.
FrazeD. (2018). Computers and humans exploring software security. Defense Advanced Research Projects Agency.
11.
GhaffarianS. M.ShahriariH. R. (2017). Software vulnerability analysis and discovery using machine-learning and data-mining techniques: A survey. ACM Computing Surveys (CSUR), 50(4), 1-36.
12.
IkutaniY.KuboT.NishidaS.HataH.MatsumotoK.IkedaK.NishimotoS. (2020). Expert programmers have fine-tuned cortical representations of source code. bioRxiv.
13.
KingJ. C. (1976). Symbolic execution and program testing. Communications of the ACM, 19(7), 385-394.
14.
KrsulI. V. (1998). Software vulnerability analysis. West Lafayette, IN: Purdue University.
15.
LiuB.ShiL.CaiZ.LiM. (2012). Software vulnerability discovery techniques: A survey. In Proceedings of the fourth international conference on multimedia information networking and security (pp. 152-156). IEEE.
16.
LuceroA. (2015). Using affinity diagrams to evaluate interactive prototypes. In IFIP Conference on Human-Computer Interaction. Springer, Cham.
17.
MuellerS. T.HoffmanR. R.ClanceyW.EmreyA.KleinG. (2019). Explanation in human-AI systems: A literature meta-review, synopsis of key ideas and publications, and bibliography for explainable AI. arXiv.
18.
MullinsR.FouseA.GanbergG.SchurrN. (2020). Practice Makes Perfect: Lesson Learned from Five Years of Trial and Error Building Context-Aware Systems. In Proceedings of the 53rd Hawaii International Conference on System Sciences.
19.
Nguyen-TuongA.MelskiD.DavidsonJ. W.CoM.HawkinsW.HiserJ. D.… RizziE. (2018). Xandra: An autonomous cyber battle system for the Cyber Grand Challenge. IEEE Security & Privacy, 16(2), 42-51.
20.
NikolaidisS.ShahJ. (2012). Human-robot teaming using shared mental models. ACM/IEEE HRI.
21.
OzmentA. (2007). Improving vulnerability discovery models. In Proceedings of the 2007 ACM workshop on quality of protection (pp. 6-11).
22.
RamanR.SunnyS.PavithranV.AchuthanK. (2014, April). Framework for evaluating Capture The Flag (CTF) security competitions. In 2014 International Conference for Convergence for Technology (pp. 1-5). IEEE.
23.
ShahriarH.ZulkernineM. (2012). Mitigating program security vulnerabilities: Approaches and challenges. ACM Computing Surveys (CSUR), 44(3), 1-46.
24.
ShoshitaishviliY.WeissbacherM.DreselL.SallsC.WangR.KruegelC.VignaG. (2017). Rise of the hacrs: Augmenting autonomous cyber reasoning systems with human assistance. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 347-362).
25.
SoH. J.BrushT. A. (2008). Student perceptions of collaborative learning, social presence and satisfaction in a blended learning environment: Relationships and critical factors. Computers & education, 51(1), 318-336.
26.
SuttonM.GreeneA.AminiP. (2007). Fuzzing: brute force vulnerability discovery. Pearson Education.
27.
ValentineM. A.RetelnyD.ToA.RahmatiN.DoshiT.BernsteinM. S. (2017). Flash organizations: Crowdsourcing complex work by structuring crowds as organizations. In Proceedings of the 2017 CHI conference on human factors in computing systems (pp. 3523-3537).
28.
VotipkaD.RabinS. M.MicinskiK.FosterJ. S.MazurekM. L. (2019). An Observational Investigation of Reverse Engineers’ Processes. arXiv preprint arXiv:1912.00317.
WertherJ.ZhivichM.LeekT.ZeldovichN. (2011, August). Experiences in cyber security education: The MIT Lincoln laboratory capture-the-flag exercise. In CSET.
31.
WilliamsL.KesslerR. R.CunninghamW.JeffriesR. (2000). Strengthening the case for pair programming. IEEE software, 17(4), 19-25.
