The Rising Tide Raises All Boats:  The Advancement of Science of Cybersecurity

562 views

Published on

Keynote at the Empirical Software Engineering and Measurement (ESEM) conference in Beijing in October 2015

Published in: Software

1. The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity. Laurie Williams, North Carolina State University. https://alisonhinksyoga.wordpress.com/2013/09/09/a-rising-tide-lifts-all-boats/
2. My Intentions: You Leave Here With …
   — Greater awareness of a scientific software security research agenda
   — A greater understanding of techniques for collaboratively doing large-scale research
   — Some new thoughts about doing more scientific-ish and less engineering-ish research
   — Even … reflecting on some things about life in general
3. It’s been quite the year already (ZDNet). http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/3/
4. Top 3. http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/3/ BAD STUFF ALERT!
5. Why the Science of Security? “… nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.” (NSA BAA Industry Day) http://www.blazingcatfur.ca/wp-content/uploads/2015/06/logo_ouch-620x443.png
6. Carnegie Mellon, NC State, University of Illinois at Urbana-Champaign: 2010 release. http://www.leftlion.co.uk/articles.cfm/title/the-three-musketeers/id/1539
7. University of Maryland: 2014 re-release. http://www.dailymail.co.uk/tvshowbiz/article-1085791/Free-DVD-The-Four-Musketeers-todays-Mail-Sunday.html
8. The three missions of the Science of Security Lablets:
   — “Solve” hard security problems through the application of scientific research
   — Advance research methods in the context of cybersecurity to build a sound science of security
   — Build a science of security community
9. The evolution of my journey as a researcher
10. Seven lessons:
   — Stand on the shoulders of giants.
   — Through focus, progress is made.
   — Through diversity of opinion, creativity and unity is born.
   — It’s so easy to fall back to “engineering-ish” research.
   — Those humans cannot be abstracted away.
   — Hard questions lead to great(er) insight.
   — Through collaboration and unity, we can change on a larger scale.
11. 1. Stand on the shoulders of giants. https://www.linkedin.com/pulse/standing-shoulders-giants-6-apis-instant-saas-success-nick-boucart (ESE; roadmap: Giants, Focus, Diversity, Engineering, Humans, Questions, Collaborate)
12. Remind me: What’s the actual problem? “… nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.” (NSA BAA Industry Day) http://thebsblog.com/2015/10/09/oops-wrong-diagnosis/#prettyPhoto/0/
13. ESE intervention: “OK” research results → intervention → “much better” research results. Why do we need “much better”?
   — More credible, convincing, substantiated
   — More impact (other researchers, the practice of software engineering/practitioners/real people!)
   — Enable meta-analysis, combining of results, theory/law building
14. Books
15. Guidelines
16. Meetings
17. International Software Engineering Research Network (ISERN)
18. Journal: 5-year impact factors for 2014
19. Education
20. Conference. http://www.infocomrade.com/wp-content/uploads/2011/04/beijing-great-wall.jpg
21. ESE intervention: “OK” research results → intervention (books, guidelines, meetings, journal, education, conference) → “much better” research results. http://www.deogloria.org/standing-on-the-shoulders-of-giants/
22. Mary Shaw (ICSE 2002 data): types of software engineering research validation. Shaw, M., Writing Good Software Engineering Papers, Proceedings of the 25th International Conference on Software Engineering, IEEE Computer Society, 2003, pp. 726-736.
23. Success of the intervention?
   — A quasi-experiment on the intervention
   — Top 4 journals (TSE, IST, JSS, ESE)
   — 1992-2002 versus 2006-2010
   — Result: paper quality significantly associated with year
   Kitchenham, B., Sjoberg, D., Dyba, T., Brereton, P., Budgen, D., Host, M., Runeson, P., Trends in the Quality of Human-Centric Software Engineering Experiments – A Quasi-Experiment, IEEE Transactions on Software Engineering, Vol. 39, Issue 7, pp. 1002-1017, July 2013.
24. http://tinypic.com/view.php?pic=x1a989&s=5#.ViWXMdYyDdk
25. Science of Security copycats: guidelines, seminars, research plan reviews, workshops, conference (HotSoS), IRN-SoS
26. The Rising Tide: Leading by Example. Jeff Carver, University of Alabama. http://www.themunicheye.com/news/The-Science-Behind-Superman-3057
27. http://www.themunicheye.com/news/The-Science-Behind-Superman-3057
28. 2. Through focus, progress is made. Thing 1 … Thing 8: “Do This!” versus “DON’T DO THIS! You wouldn’t do it anyway.”
29. Hard Problem 1: Scalability and Composability. Challenge: develop methods to enable the construction of secure systems with known security properties. http://itnewscast.com/book/export/html/62241
30. Hard Problem 2: Policy-Governed Secure Collaboration. Challenge: develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains.
31. Hard Problem 3: Predictive Security Metrics. Challenge: develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.
32. Hard Problem 4: Resilient Architectures. Challenge: develop means to design and analyze system architectures that deliver required service in the face of compromised components. http://thecybersaviours.com/intrusion-detection-
33. Hard Problem 5: Human Behavior. Develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties. http://1000awesomethings.com/2011/02/23/302-grandma-hair/ and http://garysreflections.blogspot.com/2011/02/chinese-hackers-now-hitting-major.html http://www.my-programming.com/2011/10/how-to-become-a-programmer/ http://www.govconexecutive.com/2011/02/executive-spotlight-joseph-cormier-of-gtec/
34. Science of Security focus: 1. Scalability and composability 2. Policy-governed secure collaboration 3. Encryption algorithms 4. Predictive security metrics 5. Intrusion detection 6. Resilient architectures 7. Human behavior (“Do This!” versus “DON’T DO THIS!”) http://lorettalovehuffblog.com/
35. 3. Through diversity of opinion, creativity and unity is born. https://www.reddit.com/r/pics/comments/1aw3f3/pathway/; http://www.bbc.co.uk/bristol/content/image_galleries/tunnel_gallery.shtml http://www.thomthom.net/gallery/everything/tunnel-vision/ http://davemeehan.com/cycling/ojos-negros-tunnel-vision
36. Carnegie Mellon, NC State, University of Illinois at Urbana-Champaign. http://www.leftlion.co.uk/articles.cfm/title/the-three-musketeers/id/1539
37. Pair Programming. http://www.ideachampions.com/weblogs/collaboration.png
38. 4. It’s so easy to fall back to “engineering-ish” research. http://user47329.vs.easily.co.uk/wp-content/uploads/2014/08/Science-v-Engineering-Wordpress3.jpg
39. May be just a “subtle change”: can you tell me WHY yours should be better? http://www.pxleyes.com/photoshop-contest/20606/makeover.html
40. Principles, theories, laws, hypotheses … science. “… nagging perception that too much of the research is opportunistic …” http://memegenerator.net/instance/59256035
41. 5. Those humans cannot be abstracted away. https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/
42. https://xkcd.com/538/
43. https://www.iii.com/sites/default/files/imce/Elizabeth_Image_for_Blog_July_2015.png
44. 6. Harder questions lead to great(er) insight. “The quality of your answers is in direct proportion to the quality of your questions.” --Albert Einstein
45. Those “pesky” and ever-present hard questions:
   — Where’s the science?
   — How are you doing at solving those hard problems?
   — Can you show that the lablet is achieving its outcomes?
   http://www.findmemes.com/eye-roll-memes
46. 7. Through collaboration and unity, we can change on a larger scale. https://bizpsycho.files.wordpress.com/2015/05/colored_puzzle_connection_1600_wht_9893.png
47. Competition-free zone. https://scottmccown.wordpress.com/category/
48. Science of Security Lablets. Lablets (4), funded by the National Security Agency: NCSU, UIUC, CMU, UMD.
49. Science of Security Lablets & Sub-Lablets. Lablets (4), National Security Agency, Sub-Lablets (26): UNL, CU, DC, PENN, PITT, NAVY, UVA, GWU, RICE, UTSA, UTA, UA, UNCC, NCSU, VT, USC, UC, UC BERKELEY, ICSI, UIUC, IU, IIT, PU, WSU, CMU, GMU, UNC, UMD, RIT, NSA, NEWCASTLE (UK).
50. Science of Security Lablets, Sub-Lablets, and Collaborators. Lablets (4), National Security Agency, Sub-Lablets (26), Collaborators (64), SURE (4): NDSU, UNL, CU, RSA, CCT, DC, BC, SC, MITLL, POTSDAM, MIT, SIEMENS, RUTGERS, AT&T, PENN, ARL, PSU, PITT, NAVY, UVA, GWU, HPHC, NLM-NIH, NU, UMICH, VERISIGN, RPI, UALBANY, UCF, RICE, UTSA, UTA, TX A&M, UA, AUBURN, GT, UNCC, NCSU, VU, VT, UNM, AFRL, USC, UC, LLNL, HP, SU, FUJITSU, GOOGLE, UC BERKELEY, ICSI, SYMANTEC, L&C, UW, INL, UIUC, IU, IIT, UW-MADISON, NWU, PU, WSU, CMU, GMU, UNC, UMD, UH MANOA, PC, RIT, NSA, NEWCASTLE (UK).
51. Science of Security International Sub-Lablets and Collaborators. Sub-Lablets (26), Collaborators (64): UOFW, UVIC, IMDEA, NOVA, UP, UPV, EPFL, USI, UWAR, LEEDS, LU, KENT, OXFORD, NEWCASTLE (UK), UDS, JWGU, MPI-SWS, UiO, KTH, IUT, THU, BUAA, SMU, UNIMELB, ANU, VUW, ULISBOA.
52. Agile Manifesto authors: it is in their collaboration and cooperation that they revolutionized the software industry. We need to work together to beat the attackers!
53. Seven lessons (recap of slide 10).
54. Continuing my journey. mariaguedeslisboa.clix.pt
55. My Intentions: Security, Collaborative Research, Science, Life