02:27 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

NSA's First Annual "Science Of Security Competition"

Winning paper was written by Dr. Joseph Bonneau, who now works for Google

A research paper that was highlighted last year at an international symposium is the winner of the National Security Agency's first annual Science of Security (SoS) Competition that recognizes the best scientific papers about cybersecurity.

The winning paper was written by Dr. Joseph Bonneau, who completed his doctorate last year at the University of Cambridge in the United Kingdom and now works for Google Inc. in New York City. His paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords," was one of 44 nominations. His research was centered on the use and strength of passwords.

Dr. Bonneau was honored on July 18 at an NSA event, where he presented his paper before an audience of cybersecurity experts. The competition reflects the agency's desire to increase collaboration and build the science base of national security efforts.

"We established this highly competitive contest to broaden the scientific foundations of cybersecurity where scientific work in all fields is sorely needed," said Dr. Patricia Muoio, Chief of the NSA Research Directorate's Trusted Systems Research Group. "Dr. Bonneau's paper offered careful and rigorous measurements of password use and strength, and is an example of research that demonstrates a sound scientific approach to cybersecurity."

Strong, evidence-based research requires a large and diverse data set with collection and analysis methods that are well documented and repeatable. Bonneau's research combined those features and used mathematics to produce a measure that has current impact and can enhance future investigations. He discussed his paper at the 2012 IEEE Symposium on Security and Privacy in San Francisco.

The NSA SoS Competition was created to stimulate research toward the development of systems that are resilient to cyber attacks. Entries were judged on scientific merit, the strength and significance of the work reported, and the degree to which the papers exemplify how to perform and report scientific research in cybersecurity.

"Our partnerships with academic and industrial researchers inspire a diversity of thought that enhances innovation," said Dr. Michael Wertheimer, Director of Research. "This competition offers a great opportunity to share scientific methods. It also supports the greater NSA mission to strengthen and protect cyber space for our nation."

Two additional papers received Honorable Mentions for scientific methodology.

One, "On Protection by Layout Randomization" by Drs. Martin Abadi and Gordon Plotkin, breaks new ground in improving security by using a formal approach to study the effect of dynamically changing what cyber attackers view in order to confound them.

In the other paper, "Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World," Drs. Leyla Yumer and Tudor Dumitras use data fusion analysis, tackling large scale data sets to measure cyber attack behavior. This careful measurement of attack behavior could be used in the U.S. government's efforts to protect systems from such attacks.

Eight distinguished experts were among the reviewers:

• Dr. Dan Geer, In-Q-Tel

• Dr. John McLean, Naval Research Laboratory

• Professor Ron Rivest, Massachusetts Institute of Technology

• Professor Angela Sasse, University College London

• Professor Fred Schneider, Cornell University

• Mr. Phil Venables, Goldman-Sachs

• Professor David Wagner, University of California-Berkeley

• Dr. Jeannette Wing, Microsoft Research

After reviewing the papers in an open nomination process, these experts provided individual recommendations to NSA. Dr. Deborah Frincke, NSA's former Deputy Director of Research, and Dr. Muoio then evaluated the nominated papers, as well as the submission rankings of each individual expert, and recommended the awards to Dr. Wertheimer.

The NSA Research Directorate creates breakthroughs in science, technology, engineering, and mathematics. These discoveries enable NSA to achieve and sustain intelligence advances against immediate and emerging threats to U.S. national security. As the only "in-house" organization in the Intelligence Community dedicated to advancing intelligence through science, the Research Directorate provides a consistent advantage over the scientific discoveries of industry, academia, and adversarial nations.

More information about the National Security Agency is available online at www.nsa.gov.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio