The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity Laurie Williams North Carolina State University https://alisonhinksyoga.wordpress.com/2013/09/09/a-rising-tide-lifts-all-boats/
The Rising Tide Raises All Boats: The Advancement of Science of Cybersecurity

Jan 09, 2017

Page 1: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

The Rising Tide Lifts All Boats: The Advancement of

Science in Cybersecurity

Laurie Williams North Carolina State University

https://alisonhinksyoga.wordpress.com/2013/09/09/a-rising-tide-lifts-all-boats/

Page 2: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

My Intentions: You Leave Here With …

•  Greater awareness of a scientific software security research agenda
•  A greater understanding of techniques for collaboratively doing large-scale research
•  Some new thoughts about doing more scientific-ish and less engineering-ish research
•  Even … reflecting on some things about life in general

Page 3: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

It’s been quite the year already

ZNET

http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/3/

Page 4: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Top 3

http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/3/

BAD STUFF ALERT!

Page 5: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Why the Science of Security?

•  “… nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.” (NSA BAA Industry Day)

http://www.blazingcatfur.ca/wp-content/uploads/2015/06/logo_ouch-620x443.png

Page 6: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Carnegie Mellon
NC State
University of Illinois – Urbana-Champaign

http://www.leftlion.co.uk/articles.cfm/title/the-three-musketeers/id/1539

2010 Release

Page 7: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

http://www.dailymail.co.uk/tvshowbiz/article-1085791/Free-DVD-The-Four-Musketeers-todays-Mail-Sunday.html

University of Maryland

2014 Re-release

Page 8: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

The three missions of the Science of Security Lablets

•  “Solve” hard security problems through the application of scientific research
•  Advance research methods in the context of cybersecurity to build a sound science of security
•  Build a science of security community

Page 9: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

The evolution of my journey as a researcher

Page 10: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Seven lessons

•  Stand on the shoulders of giants.
•  Through focus, progress is made.
•  Through diversity of opinion, creativity and unity is born.
•  It’s so easy to fall back to “engineering-ish” research.
•  Those humans cannot be abstracted away.
•  Hard questions lead to great(er) insight.
•  Through collaboration and unity, we can change on a larger scale.

Page 11: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

1. Stand on the shoulders of giants.

https://www.linkedin.com/pulse/standing-shoulders-giants-6-apis-instant-saas-success-nick-boucart

ESE

Giants Focus Diversity Engineering Humans Questions Collaborate

Page 12: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Remind me: What’s the actual problem?

•  “… Nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.” (NSA BAA Industry Day)

http://thebsblog.com/2015/10/09/oops-wrong-diagnosis/#prettyPhoto/0/

Page 13: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

ESE Intervention

“OK” Research Results

Intervention

“Much better” Research Results

Why do we need “much better”?

•  More credible, convincing, substantiated
•  More impact (other researchers, the practice of software engineering/practitioners/real people!)
•  Enable meta analysis, combining of results, theory/law building

Page 14: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Books

Page 15: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Guidelines

Page 16: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Meetings

Page 17: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

International Software Engineering Research

Network (ISERN)

Page 18: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Journal

5-year impact factors for 2014

Page 19: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Education

Page 20: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Conference

http://www.infocomrade.com/wp-content/uploads/2011/04/beijing-great-wall.jpg

Page 21: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

ESE Intervention

“OK” Research Results

Intervention

* Books

* Guidelines

* Meetings

* Journal

* Education

* Conference

“Much better” Research Results

http://www.deogloria.org/standing-on-the-shoulders-of-giants/

Page 22: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Mary Shaw (ICSE 2002 data) Types of software engineering research validation

Shaw, M., Writing Good Software Engineering Papers, Proceedings of the 25th International Conference on Software Engineering, IEEE Computer Society, 2003, pp. 726-736.

Page 23: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Success of Intervention?

•  A quasi-experiment on the intervention
•  Top 4 journals (TSE, IST, JSS, ESE)
•  1992-2002 versus 2006-2010
•  Result: Paper quality significantly associated with year

Kitchenham, B., Sjoberg, D., Dyba, T., Brereton, P., Budgen, D., Host, M., Runeson, P., Trends in the Quality of Human-Centric Software Engineering Experiments – A Quasi-Experiment, IEEE Transactions on Software Engineering, Vol. 39, Issue 7, pp. 1002-1017, July 2013.

Page 24: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

http://tinypic.com/view.php?pic=x1a989&s=5#.ViWXMdYyDdk

Page 25: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Science of Security Copycats

•  Guidelines
•  Seminars
•  Research plan reviews
•  Workshops
•  Conference (Hot SoS)
•  IRN-SoS

Page 26: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

The Rising Tide: Leading by Example

Jeff Carver, University of Alabama

http://www.themunicheye.com/news/The-Science-Behind-Superman-3057

Page 27: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

http://www.themunicheye.com/news/The-Science-Behind-Superman-3057

Page 28: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

2. Through focus, progress is made.

1.  Thing 1

2.  Thing 2

3.  Thing 3

4.  Thing 4

5.  Thing 5

6.  Thing 6

7.  Thing 7

8.  Thing 8

Do This!

DON’T DO THIS!

You wouldn’t do it anyway.

Page 29: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Hard Problem 1: Scalability and Composability

Challenge

•  Develop methods to enable the construction of secure systems with known security properties.

http://itnewscast.com/book/export/html/62241

Page 30: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Hard Problem 2: Policy-Governed Secure Collaboration

Challenge

•  Develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains

Page 31: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Hard Problem 3: Predictive Security Metrics

Challenge

•  Develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.

Page 32: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Hard Problem 4: Resilient Architectures

Challenge

•  Develop means to design and analyze system architectures that deliver required service in the face of compromised components

http://thecybersaviours.com/intrusion-detection-system-ids

Page 33: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Hard Problem 5: Human Behavior

Develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties

http://1000awesomethings.com/2011/02/23/302-grandma-hair/ and http://garysreflections.blogspot.com/2011/02/chinese-hackers-now-hitting-major.html http://www.my-programming.com/2011/10/how-to-become-a-programmer/ http://www.govconexecutive.com/2011/02/executive-spotlight-joseph-cormier-of-gtec/

Page 34: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Science of Security Focus

1.  Scalability and composability

2.  Policy-governed secure collaboration

3.  Encryption algorithms

4.  Predictive security metrics

5.  Intrusion Detection

6.  Resilient architectures

7.  Human behavior

Do This!

DON’T DO THIS!

http://lorettalovehuffblog.com/

Page 35: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

3. Through diversity of opinion, creativity and unity is born.

https://www.reddit.com/r/pics/comments/1aw3f3/pathway/; http://www.bbc.co.uk/bristol/content/image_galleries/tunnel_gallery.shtml http://www.thomthom.net/gallery/everything/tunnel-vision/ http://davemeehan.com/cycling/ojos-negros-tunnel-vision

Page 36: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Carnegie Mellon
NC State
University of Illinois – Urbana-Champaign

http://www.leftlion.co.uk/articles.cfm/title/the-three-musketeers/id/1539

Page 37: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Pair Programming

http://www.ideachampions.com/weblogs/collaboration.png

Page 38: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

4. It’s so easy to fall back to “engineering-ish” research.

http://user47329.vs.easily.co.uk/wp-content/uploads/2014/08/Science-v-Engineering-Wordpress3.jpg

Page 39: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

May be just a “subtle change”

http://www.pxleyes.com/photoshop-contest/20606/makeover.html

Can you tell me WHY yours should be better?

Page 40: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

http://memegenerator.net/instance/59256035

Principles, Theories, Laws, Hypotheses … Science

“… nagging perception that too much of the research is opportunistic …”

Page 41: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

5. Those humans cannot be abstracted away.

https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/

Page 42: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

https://xkcd.com/538/

Page 43: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

https://www.iii.com/sites/default/files/imce/Elizabeth_Image_for_Blog_July_2015.png

Page 44: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

6. Harder questions lead to great(er) insight.

“The quality of your answers is in direct proportion to the quality of your questions.” --Albert Einstein

Page 45: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Those “pesky” and ever-present hard questions

•  Where’s the science?
•  How are you doing at solving those hard problems?
•  Can you show that the lablet is achieving its outcomes?

http://www.findmemes.com/eye-roll-memes

Page 46: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

7. Through collaboration and unity, we can change on a larger scale.

https://bizpsycho.files.wordpress.com/2015/05/colored_puzzle_connection_1600_wht_9893.png

Page 47: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Competition-free zone

https://scottmccown.wordpress.com/category/competition/

Page 48: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

[Figure: map of the Science of Security Lablets (NCSU, UIUC, CMU, UMD) and the NSA. Legend: Lablet (4), National Security Agency.]

Page 49: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

[Figure: map of the Science of Security Lablets and Sub-Lablets, including Newcastle (UK). Legend: Lablet (4), National Security Agency, Sub-Lablet (26).]

Page 50: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

[Figure: map of the Science of Security Lablets, Sub-Lablets, and Collaborators, including Newcastle (UK). Legend: Lablet (4), National Security Agency, Sub-Lablet (26), Collaborator (64), SURE (4).]

Page 51: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

[Figure: map of the Science of Security International Sub-Lablets and Collaborators. Legend: Sub-Lablet (26), Collaborator (64).]

Page 52: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity
Page 53: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Agile Manifesto authors: It is in their collaboration and cooperation that they revolutionized the software industry. We need to work together to beat the attackers!

Page 54: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Seven lessons

•  Stand on the shoulders of giants.
•  Through focus, progress is made.
•  Through diversity of opinion, creativity and unity is born.
•  It’s so easy to fall back to “engineering-ish” research.
•  Those humans cannot be abstracted away.
•  Hard questions lead to great(er) insight.
•  Through collaboration and unity, we can change on a larger scale.

Page 55: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

Continuing my journey

mariaguedeslisboa.clix.pt

Page 56: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

My Intentions

Security

Collaborative Research

Science

Life

Page 57: The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity