The third NSA Competition for Best Scientific Cybersecurity Paper recognizes the best scientific cybersecurity paper published in 2014. Papers were nominated between December 1, 2014 and March 31, 2015, and 50 nominations were received. Three papers were selected for recognition: a winning paper and two papers for an honorable mention.
Winning Paper
The 3rd annual competition winner, “Additive and Multiplicative Notions of Leakage and Their Capacities,” is a research paper presented at the 2014 IEEE Computer Security Foundations Symposium and written by Prof. Mario S. Alvim, Dr. Kostas Chatzikokolakis, Prof. Annabelle McIver, Prof. Carroll Morgan, Prof. Catuscia Palamidessi and Prof. Geoffrey Smith. This international team’s research focused on information flows and theory, and proposed leakage measures to set bounds on the amount of information a vulnerability can divulge. They mathematically proved that their measures were robust, in that they were resistant to limited knowledge of operating conditions and of attackers’ cost-benefit calculations. In doing so, they advanced information flow theory, Shannon capacity and g-leakage. This paper was selected for the award because the research shows strong scientific work and provides needed foundations for information flow and cybersecurity. Their theories can be applied to a wide range of applications, such as helping to evaluate vulnerabilities to gauge the safety of an application or to prioritize vulnerability remediation.
Mário Alvim's research interests are formal methods and the foundations of computer security. His research focus is in quantitative analysis of information flow and privacy, from an information-theoretic perspective.
He received his Ph.D. in Computer Science from École Polytechnique (France) in 2011. In 2012 and 2013 he held a postdoctoral research position at the University of Pennsylvania (USA). Since 2013 he has been an assistant professor at the Federal University of Minas Gerais (Brazil).
Kostas Chatzikokolakis is a researcher working on foundational aspects of security & privacy. His work for the past 10 years has focused on quantitative information flow, differential privacy and their interaction with probabilistic concurrency and information theory.
He obtained his Ph.D. in Computer Science at the Ecole Polytechnique of Paris in 2007. He was then a postdoctoral researcher at Oxford University and later at the Technical University of Eindhoven. Since 2011 he has been a permanent CNRS researcher at the Ecole Polytechnique of Paris and a member of the Inria team Comete.
Annabelle McIver is a mathematician specialising in logics for the quantitative analysis of computer systems. Since 2008 she has been developing techniques to reason about the control of sensitive information in security systems.
She has degrees in mathematics from Cambridge and Oxford Universities, and from 1994 to 2001 she worked in the Programming Research Group at Oxford University. In 2001 she joined the Department of Computing at Macquarie University in Sydney, where she is now a professor. She is a member of IFIP working group 2.3 and is (joint) author of the monograph Abstraction, Refinement and Proof for Probabilistic Systems.
Carroll Morgan specialises in Formal Methods. Over the last ten years he has been applying those methods to security, and to quantitative information flow in particular. Combining those two interests, he is a member of IFIP Working Groups 1.3, 1.7, 2.1 and 2.3.
From 1982 to 1999 he was at Oxford's Programming Research Group (now the Department of Computer Science); from 2000 he has been at the University of New South Wales and for the last 5 years also at NICTA, both in Sydney. He is author of the two monographs Programming from Specifications and (with McIver) Abstraction, Refinement and Proof for Probabilistic Systems.
Catuscia Palamidessi’s main research interests are the theory of concurrency, the foundations of security and privacy, with particular focus on the quantitative aspects, and location privacy.
She obtained her Ph.D. in Computer Science at the University of Pisa in 1988. She has been Professor in Computer Science at the University of Genova (Italy) and at Penn State University (USA). Since 2002, she has been director of research at the National Institute for Research in Computer Science and Automata (INRIA) in France, where she leads the research team Comete.
Geoffrey Smith’s research interests are centered on the foundations of computer security, especially from the perspective of programming languages. For the past 20 years he has studied secure information flow, focusing first on type systems to ensure noninterference and, more recently, on quantitative information flow.
He completed his Ph.D. in Computer Science at Cornell University in 1991. Since 1994, he has been at Florida International University, where he is now a professor in the School of Computing and Information Sciences. He has held recent visiting appointments at the École Polytechnique (France), IMDEA Software (Spain), and Macquarie University (Australia). He is a partner in the INRIA associate team Princess, a member of IFIP Working Group 1.7, and he was named an ACM Distinguished Scientist in 2013.
Honorable Mention
The first paper receiving an honorable mention, “Increasing Security Sensitivity with Social Proof: A Large-Scale Experimental Confirmation,” was written by Sauvik Das, Dr. Adam D.I. Kramer, Prof. Laura Dabbish and Prof. Jason Hong. Their paper was presented at the 2014 ACM Computer and Communication Security Conference. They examined ways to motivate individuals to adopt security features by showing information about their friends’ use of the security features. Particularly notable was the scale of this study: 50,000 people were studied, which is a much larger scale than traditional human behavior studies. The work also showed scientific merit and analysis, and the paper clearly documents the study, the results and the motivation of both the study and the statistical approaches employed.
Sauvik Das is a Ph.D. student at the Human-Computer Interaction Institute of Carnegie Mellon University. Sauvik's research interests are in usable privacy and security. Specifically, he creates quantitative models of user behavior and uses these models to create tools that facilitate the use of and access to digital resources in secure and privacy-preserving ways. In his time as a Ph.D. student, he has received an NDSEG fellowship, the 2014 Qualcomm Innovation Fellowship, and a best paper award at one of the premier international conferences in human-computer interaction: UbiComp. In addition, he has worked with Facebook, Google and Microsoft Research to bring his research contributions into practice.
Laura Dabbish is an associate professor in the Human-Computer Interaction Institute in the School of Computer Science at Carnegie Mellon University, with a joint appointment in the Heinz College of Public Policy, Information Systems and Management. Laura studies the design and use of communication technologies, with a focus on the workplace. Her research spans the fields of Human-Computer Interaction, Computer-Supported Cooperative Work, Information Systems and Organizational Behavior. She received her B.Sc. in Computer Science from the University of Southern California, and her M.S. and PhD from Carnegie Mellon as part of the first cohort to receive a PhD in the field of Human-Computer Interaction. Laura has spent time at Microsoft Research, studying communication technology usage, and Motorola, Inc., developing software for cellular technology infrastructure. She directs the Connected Experience Lab (coexlab.com) within the HCI Institute at CMU.
Jason Hong is an associate professor in the Human Computer Interaction Institute, part of the School of Computer Science at Carnegie Mellon University. He works in the areas of ubiquitous computing and usable privacy and security, and his research has been featured in the New York Times, MIT Tech Review, CBS Morning Show, CNN, Slate, and more. Jason is an associate editor for IEEE Pervasive Computing and ACM Transactions on Human Computer Interaction, and is on the editorial board for CACM (Web site) and Foundations and Trends in HCI. He is also an author of the book The Design of Sites, a popular book on web design using web design patterns. Jason is also a co-founder of Wombat Security Technologies, which focuses on the human side of computer security. Jason received his PhD from Berkeley and his undergraduate degrees from Georgia Institute of Technology. Jason has participated on DARPA's Computer Science Study Panel (CS2P), is an Alfred P. Sloan Research Fellow, a Kavli Fellow, a PopTech Science fellow, a New America National Cybersecurity Fellow, and currently holds the HCII Career Development fellowship.
The second paper receiving an honorable mention, “Quantitative Evaluation of Dynamic Platform Techniques as a Defensive Mechanism,” was written by Dr. Hamed Okhravi, Dr. James Riordan, and Dr. Kevin Carter and presented at the 17th International Symposium on Research in Attacks, Intrusions and Defenses. Their research studied the effectiveness of dynamic platforms, where programs and computers are often changed as a way to prevent intrusions. They built an experimental testbed for evaluation and also simulated the dynamics. The two approaches led to similar results. The paper was selected because it provided scientific analysis of the dynamic platform approach to quantifiably measure increased resistance to compromise. The approach used in the paper can be applied to evaluate the effectiveness of dynamic platforms, which will help decision making and design choices.
Dr. Hamed Okhravi is a research staff member in the Cyber Analytics and Decision Systems group of MIT Lincoln Laboratory, where he leads programs and conducts research in the area of systems security. He is the recipient of the 2014 MIT Lincoln Laboratory Early Career Technical Achievement Award and the 2015 Team Award for his work on cyber moving target research. His research interests include cyber security, science of security, security metrics, and operating systems.
Currently, Dr. Okhravi’s research is focused on analyzing and developing cyber moving target techniques and system defenses. Dr. Okhravi has served as a program committee member for a number of academic conferences and workshops including ACM Computer and Communications Security (CCS), Symposium on Research in Attacks, Intrusions, and Defenses (RAID), and ACM Moving Target Defense (MTD) Workshop.
Dr. Okhravi earned his MS and PhD in electrical and computer engineering from University of Illinois at Urbana-Champaign in 2006 and 2010, respectively.
Dr. James F. Riordan is a member of the technical staff in the Cyber Analytics and Decision Systems Group. He joined MIT Lincoln Laboratory in June 2009. His research interests include operational security, applied cryptography, risk assessment, resilient computing, and the semantic web. Prior to joining the Laboratory, he was a research staff member at the IBM Research Laboratory in Zurich, Switzerland, for twelve years; at this laboratory he led numerous security-related projects ranging from mobile computing to intrusion detection to web-centric trust enhancement and was named an IBM Master Inventor. He served on the executive board of the resilient computing network of excellence of the European Union.
Dr. Riordan received a PhD degree in mathematics from the University of Minnesota in 1997. During his studies, he was a member of the Architecture, Research, and Technology group of the Secure Computing Corporation and a consultant to Counterpane Internet Security.
Dr. Kevin M. Carter is an Associate Leader in the Cyber Analytics and Decision Systems Group at MIT Lincoln Laboratory. He joined the Laboratory in February of 2009 and has been working on problems of network security, situational awareness, and anomaly detection. His focus lies in large-scale network traffic analysis, identifying patterns of interest in the midst of overwhelming noise. The emphasis on cyber modeling is part of a larger need for a "Science of Cyber," focusing less on ad hoc and one-off solutions and applying sound scientific principles to understand cyber environments.
Dr. Carter's academic research interests include statistical signal processing, pattern recognition, and machine learning, with specific focuses on dimensionality reduction and manifold learning. He developed several algorithms that took an information geometric approach to dimensionality reduction using the properties of statistical manifolds. These methods were applied to many practical applications, the most noteworthy of which is flow cytometry analysis.
Dr. Carter earned his BSE degree, cum laude, in computer engineering from the University of Delaware in 2004, and his MSE and PhD degrees in electrical engineering from the University of Michigan in 2006 and 2009, respectively.
Award Ceremony
Review Team
NSA Competition Leads
- Dr. Deborah Frincke - Director of Research, NSA
- Dr. Adam Tagert - Science of Security, NSA Trusted Systems Research Group
Distinguished Expert Reviewers
- Dr. Whitfield Diffie - Cybersecurity Advisor
- Dr. Daniel Earl Geer Jr., Sc.D. - Chief Information Security Officer at In-Q-Tel
- John D. McLean - Superintendent of the Naval Research Laboratory's Information Technology Division (ITD)
- M. Angela Sasse - Professor of Human-Centered Technology and Head of Information Security Research in the Department of Computer Science at University College London (UCL), UK
- Fred B. Schneider - Samuel B. Eckert Professor of Computer Science at Cornell University
- Phil Venables - Chief Information Risk Officer at Goldman Sachs
- David A. Wagner - Assistant Professor in the Computer Science Division at the University of California, Berkeley
- Jeannette Wing - Vice President, head of Microsoft Research International
About the 3rd Annual Paper Competition
The Best Scientific Cybersecurity Paper Competition is sponsored yearly by NSA's Research Directorate and reflects the Agency's desire to increase scientific rigor in the cybersecurity field. This competition was established to recognize current research that exemplifies the development of scientific rigor in cybersecurity research. Science of Security (SoS) is a broad enterprise, involving both theoretical and empirical work across a diverse set of topics. While there can only be one best paper, no single paper can span the full breadth of SoS topics. Nevertheless, work in all facets of security science is both needed and encouraged.
Links
August 21, 2015 - NSA Press Release Announcing the Winners of the Competition
February 9, 2015 - NSA Press Release Announcing the Competition