Dark Reading | Products and Releases | Risk
7/24/2013 02:27 PM

NSA's First Annual "Science Of Security Competition"

Winning paper was written by Dr. Joseph Bonneau, who now works for Google

A research paper that was highlighted last year at an international symposium is the winner of the National Security Agency's first annual Science of Security (SoS) Competition that recognizes the best scientific papers about cybersecurity.

The winning paper was written by Dr. Joseph Bonneau, who completed his doctorate last year at the University of Cambridge in the United Kingdom and now works for Google Inc. in New York City. His paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords," was one of 44 nominations. His research was centered on the use and strength of passwords.

Dr. Bonneau was honored on July 18 at an NSA event, where he presented his paper before an audience of cybersecurity experts. The competition reflects the agency's desire to increase collaboration and build the science base of national security efforts.

"We established this highly competitive contest to broaden the scientific foundations of cybersecurity where scientific work in all fields is sorely needed," said Dr. Patricia Muoio, Chief of the NSA Research Directorate's Trusted Systems Research Group. "Dr. Bonneau's paper offered careful and rigorous measurements of password use and strength, and is an example of research that demonstrates a sound scientific approach to cybersecurity."

Strong, evidence-based research requires a large and diverse data set with collection and analysis methods that are well documented and repeatable. Bonneau's research combined those features and used mathematics to produce a measure that has current impact and can enhance future investigations. He discussed his paper at the 2012 IEEE Symposium on Security and Privacy in San Francisco.

The NSA SoS Competition was created to stimulate research toward the development of systems that are resilient to cyber attacks. Entries were judged on scientific merit, the strength and significance of the work reported, and the degree to which the papers exemplify how to perform and report scientific research in cybersecurity.

"Our partnerships with academic and industrial researchers inspire a diversity of thought that enhances innovation," said Dr. Michael Wertheimer, Director of Research. "This competition offers a great opportunity to share scientific methods. It also supports the greater NSA mission to strengthen and protect cyber space for our nation."

Two additional papers received Honorable Mentions for scientific methodology.

One, "On Protection by Layout Randomization" by Drs. Martin Abadi and Gordon Plotkin, breaks new ground in improving security by using a formal approach to study the effect of dynamically changing what cyber attackers view in order to confound them.

In the other paper, "Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World," Drs. Leyla Yumer and Tudor Dumitras use data fusion analysis, tackling large scale data sets to measure cyber attack behavior. This careful measurement of attack behavior could be used in the U.S. government's efforts to protect systems from such attacks.

Eight distinguished experts were among the reviewers:

• Dr. Dan Geer, In-Q-Tel

• Dr. John McLean, Naval Research Laboratory

• Professor Ron Rivest, Massachusetts Institute of Technology

• Professor Angela Sasse, University College London

• Professor Fred Schneider, Cornell University

• Mr. Phil Venables, Goldman-Sachs

• Professor David Wagner, University of California-Berkeley

• Dr. Jeannette Wing, Microsoft Research

After reviewing the papers in an open nomination process, these experts provided individual recommendations to NSA. Dr. Deborah Frincke, NSA's former Deputy Director of Research, and Dr. Muoio then evaluated the nominated papers, as well as the submission rankings of each individual expert, and recommended the awards to Dr. Wertheimer.

The NSA Research Directorate creates breakthroughs in science, technology, engineering, and mathematics. These discoveries enable NSA to achieve and sustain intelligence advances against immediate and emerging threats to U.S. national security. As the only "in-house" organization in the Intelligence Community dedicated to advancing intelligence through science, the Research Directorate provides a consistent advantage over the scientific discoveries of industry, academia, and adversarial nations.

More information about the National Security Agency is available online at www.nsa.gov.
