11th Annual Best Scientific Cybersecurity Paper Competition Awards Ceremony
On 8 March 2024, the National Security Agency (NSA) recognized the winners of the Science of Security (SoS) 11th Annual Best Scientific Cybersecurity Paper Competition at a ceremony, which included a presentation of the winning paper and a Question and Answer (Q&A) session. The winning paper, Uninvited Guests: Analyzing the Identity and Behavior of Certificate Transparency Bots, was authored by Professor Nick Nikiforakis, Dr. Brian Kondracki, and Mr. Johhny So, of Stony Brook University.
Following an introduction by Ms. Shavon Donnell, the SoS Program Manager, Dr. Rita Bush, Chief, Laboratory for Advanced Cybersecurity Research, welcomed the attendees and noted that it was the first live awards ceremony since the global COVID-19 pandemic. The goal of the Paper Competition is to increase scientific rigor in cybersecurity research and recognize outstanding papers. The 11th annual competition covered papers written in 2022 that appeared in peer reviewed journals, magazines, and technical conferences. A panel of Distinguished Experts reviewed submitted papers and provided a recommendation to the Chief of the Research Directorate, Mr. Gil Herrera. Addressing the awardees, Mr. Herrera emphasized the opportunity for a rewarding career at NSA. Mr. Herrera noted that NSA gives out awards in multiple areas to acknowledge excellence, and this award acknowledges excellence in cybersecurity.
Mr. Herrera was followed by Dr. Evan Austin of the Naval Research Lab, one of the Distinguished Experts, who stated that cybersecurity is still a very nascent discipline. All of the papers submitted were “taking a bite of the elephant” and they provided great rigor to the approach, including the development of tools and datasets to help other researchers.
Following the presentation of award certificates and SoS tokens, the awardees gave a talk based on their winning paper. The paper examined a study of automated attacks on new webservers and explored how a web browser can trust an organization’s publicly issued cryptographic credentials. At the heart of their investigation was a simple question: What happens when you setup a new encrypted website? The researchers studied autonomous systems, which probe newly instantiated encrypted websites. They identified 105 malicious security bots attempting to perform nefarious actions such as data exfiltration, reconnaissance, and vulnerability exploitation. They also identified security systems examining sites to identify new phishing attacks. These profiles provide new insights into these autonomous actions happening on the Internet. This data can be used by both system administrators and developers to protect systems from compromise. The research team collected this data by creating the Certificate Transparency Honeypot (CTPOT), a system that obtains new certificates and monitors web bots for potential targets. CTPOT allows researchers to trick web bots, isolate them, and identify if they are malicious.
Q&A:
Responding to how AI algorithms can help with analysis, the authors noted that they have started using Large Language Models in other projects, though they could be better used on the deception side since it would allow the receiving site to learn on the fly what data keeps the bots engaged.
An attendee asked whether any of the traffic appeared to be live, and the authors said that some percentage of the bots looked like they were browsers.
When asked if they were going to pursue further research, the authors said that they hoped to do so, and that they could potentially use trademarked names and top-level domains such as .gov, to present more enticing data to the bots; they would also consider using honey tokens to try to track the bots.
The authors were asked whether certificate transparency was “worth it,” and they said that it does its job well though there are side effects; as part of the deployment strategy, sites should get the certificate last since the research showed the certificate to the domain being accessed 12 seconds after the certificate was published. They continued by noting that the advice is for developers and companies, not home users. Some of the honeypot network was in the university lab and some was in Amazon Cloud.
The researchers answered a question about whether there was a difference in the bot traffic in the different honeypots, by saying that it was essentially the same in both. A follow-up project for more hardware is in the works, using certificate transparency and assessing security (in the most ethical way possible) and trying to determine if things are being hardened.
As has been the case for recent Paper Competition winners, the authors presented their paper at the Hot Topics in Science of Security (HotSoS) Symposium, which was held in early April. Details on the Paper Competition and the winning paper can be found here.
The deadline for submitting nominations for the 12th Annual Best Scientific Cybersecurity Paper Competition, which covers papers written in 2023, was April 15, 2024.
Submitted by Cyber Pack Ventures, Inc.