This year's winner is Joseph Bonneau for his paper "The Science of Guessing:  Analyzing an Anonymized Corpus of 70 Million Passwords."  This paper, which offered careful and rigorous measurements of password use in practice and theoretical contributions to how to measure and model password strength, reflected many dimensions of good science: it was well grounded in past work, yet clearly differentiated itself from that work; it uses appropriate mathematics and articulates a new entropy measure that can be used to enhance the work in other investigations; it is a strong example of evidenced-based security research, grounded in a data set of sufficient size and diversity; it clearly exposed the author's data collection method; the methodology described was designed with ethical considerations in mind and it offered external validation of the author's results. It effectively drew on and contributed to the community of security researchers, and ought to have impact beyond the particular problem discussed in the paper.

Dr. Bonneau is a software engineer with Google in New York City. He holds B.S. (2006) and MS (2007) degrees from Stanford University in Computer Science. He worked for Cryptography Research, Inc. for a year before moving on to graduate studies at Cambridge University as the recipient of a Gates Fellowship in 2008. He received his PhD from Cambridge in 2012, working under Prof. Ross Anderson. The award paper documents work reported in the dissertation, entitled "Guessing Human Chosen Secrets". His dissertation acknowledges Profs. Ilya Mironov, John Mitchell, and Dan Boneh of Stanford (along with many others) and is available here.

Honorable Mentions

Because the Science of Security is such a multi-faceted pursuit, we feel that it is appropriate to recognize two other papers that reflected different scientific methodology with Honorable Mention. The paper "On Protection by Layout Randomization" by Martin Abadi and Gordon Plotkin deserves recognition as a significant theoretical paper. This paper breaks new ground in developing a formal approach for studying layout randomization, an approach that helps us think our way through the issues associated with improving security by dynamically changing the attack surface. It explains how the randomization technique works and identifies the attacks it is effective at protecting against. 

Martin Abadi is a Principal Researcher at Microsoft Research Silicon Valley. He has been a Professor at UC Santa Cruz, and also held the Chair "Informatique et science numeriques" at the College de France. Earlier, he studied at Stanford University and worked at Digital's System Research Center and other industrial labs. His research is mainly on computer and network security, programming languages, and specification and verification methods. He has contributed, for example, to the design and analysis of security protocols and to the foundations of object-oriented languages. His research on security has been recognized with the Outstanding Innovation Award of the ACM Special Interest Group on Security, Audit and Control, and with the Hall of Fame Award of the ACM Special Interest Group on Operating Systems. He is a Fellow of the ACM and of the American Association for the Advancement of Science.

Dr. Plotkin is Professor of Theoretical Computer Science in the School of Informatics at The University of Edinburgh. He is a Fellow of the Royal Society and of the Royal Society of Edinburgh. He received his PhD from the University of Edinburgh in 1972, studying under Rod Burstall. He has received a number of prestigious awards, including 2012 Royal Society Milner Award for "his fundamental research into programming semantics with lasting impact on both the principles and design of programming languages."

Author's version of paper publicly available here.


The paper "Before We Knew It:  An Empirical Study of Zero-Day Attacks in the Real World" by Leyla Yumer and Tudor Dumitras is recognized as a significant data science paper, taking on the issues of sense making and data fusion in large scale data sets and using data science to measure a phenomenon that is not directly measurable. It offers a careful measurement of attack behavior, with implications for how we protect systems.

Dr. Leyla Yumer is a Senior Research Engineer in Symantec Research Labs since 2012. She obtained her PhD in December 2011 from Eurecom, which is based in south of France. The topic of her PhD thesis is Network-based Botnet Detection. In her thesis, she proposed three different network-based botnet detection schemes one of which is SymBAD. Currently, she is working on SymBAD (Symantec Behavioral Analysis of Domain names) which identifies domain names that are involved in various malicious activities. 

Dr. Tudor Dumitras is an Assistant Professor in the Electrical and Computer Engineering Department at the University of Maryland, College Park. His research focuses on Big Data approaches to problems in system security and dependability. In his previous role at Symantec Research Labs he built the Worldwide Intelligence Network Environment (WINE) - a platform for experimenting with Big Data techniques. He received an Honorable Mention in the NSA competition for the Best Scientific Cybersecurity Paper of 2012, the 2011 A.G. Jordan Award, from the ECE Department at Carnegie Mellon University, for an outstanding PhD thesis and for service to the community, the 2009 John Vlissides Award, from ACM SIGPLAN, for showing significant promise in applied software research, and the Best Paper Award at ASP-DAC'03. Tudor holds a PhD degree from Carnegie Mellon University.

Author's version of the paper publicly available here.

About the Paper Competition

The NSA Science of Security paper competition was created to help broaden the scientific foundations of cybersecurity needed in the development of systems that are resilient to cyber attacks. The best paper award recognizes the outstanding efforts of researchers who advance the science of cybersecurity in recently published work, and provides examples of high quality work that others can use to shape their research and publications. The 44 nominated papers were reviewed by a distinguished group of experts from academia and industry, led by officials from NSA's Research Directorate.  Details on the competition can be found here.