A threat detection system for extended reality systems

Project summary

Shared XR (extended-reality) applications have potential to collect very personal data about users and their surroundings and the security of this data is important. Happa, Glencross and Steed outlined key cyber security challenges as an emerging problem for shared XR applications. In this project, we aim to research and implement a proof-of-concept testbed system for exploring the breadth and scope of the potential attack surface of shared XR applications. This testbed will enable experimental exploration and demonstration of the feasibility of novel attack vectors and help inform the design of detection and prevention mechanisms against attacks.

Project description

Security analysts use Intrusion Detection and Prevention Systems (IDS/IPS) to detect and combat threats to digital infrastructure. These systems identify and limit misuse or anomalies from actuating into real-world harms, but these are technology-centric solutions and have not been designed with extended reality (XR) in mind. The immersive nature of XR applications and the degree of personal data XR devices and applications could collect, necessitates a re-evaluation of the meaning of threats and threat detection of such systems. We argue that a testbed tool for evaluating XR systems must take a wider view of what constitutes harms and will need to consider technical harms, social harms and their human impact (e.g. reputation, identify theft, mental health, situational context etc.). The innovation of this project is in exploring these socio-technical threats. Currently, no threat detection system available addresses these, but we expect this to become vital in the future to support the design of suitable threat detection and mitigations. The project will build upon UCL’s open-source social VR toolkit (Ubiq) and leverage existing XR equipment investment at UQ. Four thesis student projects will also be aligned with this project, offering students research and training opportunities in analysis of threats in XR.

The primary research question that this project will address is: How to develop an extendible threat detection system suited to evaluating the extent of threats and harms for shared XR applications? To answer this, the project will involve the following steps:

Requirements Gathering and Analysis. Building upon our previous work, in this project we will engage with a range of stakeholders including the XR Safety Initiative, developers of XR applications, XR device manufacturers and users of XR systems to identify concerns about future attack vectors. We will use a co-design approach involving a specialist panel drawn from the contacts of the investigatory team and run in an online workshop format. The team will gather requirements for the proposed testbed system to ensure stakeholder requirements are analysed sufficiently.

Proof of Concept Tool Development. Based on the above requirements gathering, we propose to design and implement a proof-of-concept tool to explore the extent of potential attack vectors and their harms enabling visualisation of these to better design mitigations for future attacks. This prototype will form the foundation for a longer-term program of research, that builds better understanding of how to design and develop safe XR systems with appropriate interventions for differing levels of risk and harms. This framework will also aim to share and output datasets, utilise pre-built tests/configurations, and methods to assess and benchmark new and existing XR-specific attacks that users can simulate and propose countermeasures against. In the context of this project, we assume that end users of this threat detection framework to be XR manufacturers, software developers and security analysts/researchers, and not mixed-reality end users.

Evaluation. We will evaluate our testbed tool with the help of the specialist panel through a second online workshop to understand its effectiveness in exploring potential attack vectors, harms and appropriate mitigation strategies.