7/24/2013
02:27 PM
Dark Reading
Products and Releases

NSA's First Annual "Science Of Security Competition"

Winning paper was written by Dr. Joseph Bonneau, who now works for Google

A research paper that was highlighted last year at an international symposium is the winner of the National Security Agency's first annual Science of Security (SoS) Competition that recognizes the best scientific papers about cybersecurity.

The winning paper was written by Dr. Joseph Bonneau, who completed his doctorate last year at the University of Cambridge in the United Kingdom and now works for Google Inc. in New York City. His paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords," was one of 44 nominations. His research was centered on the use and strength of passwords.

Dr. Bonneau was honored on July 18 at an NSA event, where he presented his paper before an audience of cybersecurity experts. The competition reflects the agency's desire to increase collaboration and build the science base of national security efforts.

"We established this highly competitive contest to broaden the scientific foundations of cybersecurity where scientific work in all fields is sorely needed," said Dr. Patricia Muoio, Chief of the NSA Research Directorate's Trusted Systems Research Group. "Dr. Bonneau's paper offered careful and rigorous measurements of password use and strength, and is an example of research that demonstrates a sound scientific approach to cybersecurity."

Strong, evidence-based research requires a large and diverse data set with collection and analysis methods that are well documented and repeatable. Bonneau's research combined those features and used mathematics to produce a measure that has current impact and can enhance future investigations. He discussed his paper at the 2012 IEEE Symposium on Security and Privacy in San Francisco.

The NSA SoS Competition was created to stimulate research toward the development of systems that are resilient to cyber attacks. Entries were judged on scientific merit, the strength and significance of the work reported, and the degree to which the papers exemplify how to perform and report scientific research in cybersecurity.

"Our partnerships with academic and industrial researchers inspire a diversity of thought that enhances innovation," said Dr. Michael Wertheimer, Director of Research. "This competition offers a great opportunity to share scientific methods. It also supports the greater NSA mission to strengthen and protect cyber space for our nation."

Two additional papers received Honorable Mentions for scientific methodology.

One, "On Protection by Layout Randomization" by Drs. Martin Abadi and Gordon Plotkin, breaks new ground in improving security by using a formal approach to study the effect of dynamically changing what cyber attackers view in order to confound them.

In the other paper, "Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World," Drs. Leyla Yumer and Tudor Dumitras use data fusion analysis, tackling large-scale data sets to measure cyber attack behavior. This careful measurement of attack behavior could be used in the U.S. government's efforts to protect systems from such attacks.

Eight distinguished experts were among the reviewers:

• Dr. Dan Geer, In-Q-Tel

• Dr. John McLean, Naval Research Laboratory

• Professor Ron Rivest, Massachusetts Institute of Technology

• Professor Angela Sasse, University College London

• Professor Fred Schneider, Cornell University

• Mr. Phil Venables, Goldman-Sachs

• Professor David Wagner, University of California-Berkeley

• Dr. Jeannette Wing, Microsoft Research

After reviewing the papers in an open nomination process, these experts provided individual recommendations to NSA. Dr. Deborah Frincke, NSA's former Deputy Director of Research, and Dr. Muoio then evaluated the nominated papers, as well as the submission rankings of each individual expert, and recommended the awards to Dr. Wertheimer.

The NSA Research Directorate creates breakthroughs in science, technology, engineering, and mathematics. These discoveries enable NSA to achieve and sustain intelligence advances against immediate and emerging threats to U.S. national security. As the only "in-house" organization in the Intelligence Community dedicated to advancing intelligence through science, the Research Directorate provides a consistent advantage over the scientific discoveries of industry, academia, and adversarial nations.

More information about the National Security Agency is available online at www.nsa.gov.
