Visible to the public NSA AWARD FOR THE BEST SCIENTIFIC CYBERSECURITY PAPER

1st Annual Best Scientific Cybersecurity Paper Competition

The first NSA Competition for Best Scientific Cybersecurity Paper invited nominations of papers published in fiscal year 2012 (Oct. 1, 2011 - Sept. 30, 2012) that show an outstanding contribution to cybersecurity science.

Winning Paper

This winner of the 1st Annual Best Scientific Cybersecurity Paper Competition is Joseph Bonneau for his paper “The Science of Guessing:  Analyzing an Anonymized Corpus of 70 Million Passwords.”  This paper, which offered careful and rigorous measurements of password use in practice and theoretical contributions to how to measure and model password strength, reflected many dimensions of good science: it was well grounded in past work, yet clearly differentiated itself from that work; it uses appropriate mathematics and articulates a new entropy measure that can be used to enhance the work in other investigations; it is a strong example of evidenced-based security research, grounded in a data set of sufficient size and diversity; it clearly exposed the author’s data collection method; the methodology described was designed with ethical considerations in mind and it offered external validation of the author’s results. It effectively drew on and contributed to the community of security researchers, and ought to have impact beyond the particular problem discussed in the paper.

Dr. Bonneau is a software engineer with Google in New York City. He holds B.S. (2006) and MS (2007) degrees from Stanford University in Computer Science. He worked for Cryptography Research, Inc. for a year before moving on to graduate studies at Cambridge University as the recipient of a Gates Fellowship in 2008. He received his PhD from Cambridge in 2012, working under Prof. Ross Anderson. The award paper documents work reported in the dissertation, entitled “Guessing Human Chosen Secrets”. His dissertation acknowledges Profs. Ilya Mironov, John Mitchell, and Dan Boneh of Stanford (along with many others) and is available here.


Honorable Mentions

Because the Science of Security is such a multi-faceted pursuit, we feel that it is appropriate to recognize two other papers that reflected different scientific methodology with Honorable Mention. The paper “On Protection by Layout Randomization by Martín Abadi and Gordon Plotkin deserves recognition as a significant theoretical paper. This paper breaks new ground in developing a formal approach for studying layout randomization, an approach that helps us think our way through the issues associated with improving security by dynamically changing the attack surface. It explains how the randomization technique works and identifies the attacks it is effective at protecting against. 

Martín Abadi is a Principal Researcher at Microsoft Research Silicon Valley. He has been a Professor at UC Santa Cruz, and also held the Chair "Informatique et science numériques" at the Collège de France. Earlier, he studied at Stanford University and worked at Digital's System Research Center and other industrial labs. His research is mainly on computer and network security, programming languages, and specification and verification methods. He has contributed, for example, to the design and analysis of security protocols and to the foundations of object-oriented languages. His research on security has been recognized with the Outstanding Innovation Award of the ACM Special Interest Group on Security, Audit and Control, and with the Hall of Fame Award of the ACM Special Interest Group on Operating Systems. He is a Fellow of the ACM and of the American Association for the Advancement of Science.

Dr. Plotkin is Professor of Theoretical Computer Science in the School of Informatics at The University of Edinburgh. He is a Fellow of the Royal Society and of the Royal Society of Edinburgh. He received his PhD from the University of Edinburgh in 1972, studying under Rod Burstall. He has received a number of prestigious awards, including 2012 Royal Society Milner Award for “his fundamental research into programming semantics with lasting impact on both the principles and design of programming languages.”

Author’s version of paper publicly available here.

The paper “Before We Knew It:  An Empirical Study of Zero-Day Attacks in the Real World” by Leyla Yumer and Tudor Dumitraş is recognized as a significant data science paper, taking on the issues of sense making and data fusion in large scale data sets and using data science to measure a phenomenon that is not directly measurable. It offers a careful measurement of attack behavior, with implications for how we protect systems.

Dr. Leyla Yumer is a Senior Research Engineer in Symantec Research Labs since 2012. She obtained her PhD in December 2011 from Eurecom, which is based in south of France. The topic of her PhD thesis is Network-based Botnet Detection. In her thesis, she proposed three different network-based botnet detection schemes one of which is SymBAD. Currently, she is working on SymBAD (Symantec Behavioral Analysis of Domain names) which identifies domain names that are involved in various malicious activities. 

Dr. Tudor Dumitraş is an Assistant Professor in the Electrical and Computer Engineering Department at the University of Maryland, College Park. His research focuses on Big Data approaches to problems in system security and dependability. In his previous role at Symantec Research Labs he built the Worldwide Intelligence Network Environment (WINE) - a platform for experimenting with Big Data techniques. He received an Honorable Mention in the NSA competition for the Best Scientific Cybersecurity Paper of 2012, the 2011 A.G. Jordan Award, from the ECE Department at Carnegie Mellon University, for an outstanding PhD thesis and for service to the community, the 2009 John Vlissides Award, from ACM SIGPLAN, for showing significant promise in applied software research, and the Best Paper Award at ASP-DAC'03. Tudor holds a PhD degree from Carnegie Mellon University.

Author’s version of the paper publicly available here.


Award Ceremony

Joseph Bonneau was honored on July 18th 2013 at an award ceremony, hosted by the NSA's Director of Research, where his paper was presented before an audience of cybersecurity experts. Dr. Leyla Yumer and Dr. Tudor Dumitras were also honored during the ceremony for their research as this year's honorable mention.


Review Team

NSA Competition Leads

Dr. Deborah Frincke - Former Deputy Director of Research, NSA
Dr. Patricia Muoio - Chief, NSA Trusted Systems Research Group

Distinguished Expert Reviewers

Dr. Daniel Earl Geer Jr., Sc. D. - Chief Information Security Officer at In-Q-Tel
John D. McLean - Superintendent of the Naval Research Laboratory's Information Technology Division (ITD)
Ronald Rivest - Andrew and Erna Viterbi Professor of Electrical Engineering and Computer Science in MIT's Department of Electrical Engineering and Computer Science
M. Angela Sasse - Professor of Human-Centered Technology and Head of Information Security Research in the Department of Computer Science at University College London (UCL), UK
Fred B. Schneider - Samuel B. Eckert Professor of Computer Science at Cornell University
Phil Venables - Chief Information Risk Officer at Goldman Sachs
David A. Wagner - Assistant Professor in the Computer Science Division at the University of California, Berkeley
Jeannette Wing - Vice President, head of Microsoft Research International


About the 1st Annual Paper Competition

The NSA Science of Security paper competition was created to help broaden the scientific foundations of cybersecurity needed in the development of systems that are resilient to cyber attacks. The best paper award recognizes the outstanding efforts of researchers who advance the science of cybersecurity in recently published work, and provides examples of high quality work that others can use to shape their research and publications. The 44 nominated papers were reviewed by a distinguished group of experts from academia and industry, led by officials from NSA’s Research Directorate.