The winning paper was written by Dr. Joseph Bonneau, who completed his doctorate last year at the University of Cambridge in the United Kingdom and now works for Google Inc. in New York City. His paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords," was one of 44 nominations. His research was centered on the use and strength of passwords.
Dr. Bonneau was honored on July 18 at an NSA event, where he presented his paper before an audience of cybersecurity experts. The competition reflects the agency's desire to increase collaboration and build the science base of national security efforts.
"We established this highly competitive contest to broaden the scientific foundations of cybersecurity where scientific work in all fields is sorely needed," said Dr. Patricia Muoio, Chief of the NSA Research Directorate's Trusted Systems Research Group. "Dr. Bonneau's paper offered careful and rigorous measurements of password use and strength, and is an example of research that demonstrates a sound scientific approach to cybersecurity."
Strong, evidence-based research requires a large and diverse data set with collection and analysis methods that are well documented and repeatable. Bonneau's research combined those features and used mathematics to produce a measure that has current impact and can enhance future investigations. He discussed his paper at the 2012 IEEE Symposium on Security and Privacy in San Francisco.
The NSA SoS Competition was created to stimulate research toward the development of systems that are resilient to cyber attacks. Entries were judged on scientific merit, the strength and significance of the work reported, and the degree to which the papers exemplify how to perform and report scientific research in cybersecurity.
"Our partnerships with academic and industrial researchers inspire a diversity of thought that enhances innovation," said Dr. Michael Wertheimer, Director of Research. "This competition offers a great opportunity to share scientific methods. It also supports the greater NSA mission to strengthen and protect cyber space for our nation."
Two additional papers received Honorable Mentions for scientific methodology.
One, "On Protection by Layout Randomization" by Drs. Martin Abadi and Gordon Plotkin, breaks new ground in improving security by using a formal approach to study the effect of dynamically changing what cyber attackers view in order to confound them.
In the other paper, "Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World," Drs. Leyla Yumer and Tudor Dumitras use data fusion analysis, tackling large-scale data sets to measure cyber attack behavior. This careful measurement of attack behavior could be used in the U.S. government's efforts to protect systems from such attacks.
Eight distinguished experts were among the reviewers:
• Dr. Dan Geer, In-Q-Tel
• Dr. John McLean, Naval Research Laboratory
• Professor Ron Rivest, Massachusetts Institute of Technology
• Professor Angela Sasse, University College London
• Professor Fred Schneider, Cornell University
• Mr. Phil Venables, Goldman Sachs
• Professor David Wagner, University of California-Berkeley
• Dr. Jeannette Wing, Microsoft Research
After reviewing the papers in an open nomination process, these experts provided individual recommendations to NSA. Dr. Deborah Frincke, NSA's former Deputy Director of Research, and Dr. Muoio then evaluated the nominated papers, as well as the submission rankings of each individual expert, and recommended the awards to Dr. Wertheimer.
The NSA Research Directorate creates breakthroughs in science, technology, engineering, and mathematics. These discoveries enable NSA to achieve and sustain intelligence advances against immediate and emerging threats to U.S. national security. As the only "in-house" organization in the Intelligence Community dedicated to advancing intelligence through science, the Research Directorate provides a consistent advantage over the scientific discoveries of industry, academia, and adversarial nations.
More information about the National Security Agency is available online at www.nsa.gov.