HotSoS 2019 Summary Report

Hot Topics in the Science of Security: Symposium and Bootcamp (HotSoS) 2019

Nashville, TN

April 3, 2019

Cyberdeception, accountability, and attack surfaces among topics at HotSoS 2019

The 2019 Symposium and Bootcamp on the Science of Security (HotSoS), the sixth annual event, was held April 2-3, 2019 at Vanderbilt University in Nashville, Tennessee. HotSoS is a research event centered on the Science of Security, which aims to address the fundamental problems of security in a principled manner. Researchers from diverse disciplines came together to promote advancement of work related to the science of security. The conference was a mix of invited talks, panels, tutorials, and refereed papers soon to be published by ACM. Participants included a broad mix from academia, commerce and government.

The Science of Security (SoS) emphasizes the advancement of research methods as well as the development of new research results. This dual focus is intended to improve both the confidence gained from scientific results and the capacity to address increasingly technical problems. Keynote speeches, refereed papers, panel discussions and poster sessions rounded out the agenda.

Rebecca Wright (Barnard College and Rutgers University), Kevin Hamlen (University of Texas at Dallas), and Trent Jaeger (The Pennsylvania State University) were keynote speakers. Prof. Wright's presentation explored using accountability as a useful paradigm to shift away from prevention-only approaches. Cyberdeception and creating a science around it was the topic covered by Prof. Hamlen. Cybersecurity is the most asymmetric form of warfare ever, he averred, and he proposed leveling that asymmetry through deception. Prof. Jaeger said attack surfaces should be used as a principle for security because they can be computed systematically, tracked at runtime to aid detection, and leveraged to drive improvement in software security.

Papers were presented on subjects that included a distributed hospital recording and replay system; observability in cyber physical systems; a game theoretical model for cyber-warfare games; cyberdeception; situated information flow theory; attestation management; and browser fingerprinting. Quanyan Zhu, New York University, offered a tutorial on "Game Theory for Cyber Deception." The Best Paper was "Integrated Data Space Randomization and Control Reconfiguration for Securing Cyber-Physical Systems" by Bradley Potteiger, Vanderbilt University.

There was a new format to discuss draft papers. In this new approach, a faculty member serves as discussant and mentor to a student author who has submitted a draft. The two describe the work. The discussant asks questions or makes comments, and then the author may rebut or accept those critiques. Audience members could request copies of the drafts in advance and participate in a discussion of the work. Since the work discussed is unpublished, details are being withheld.

A session on Works-in-Progress / Works-already-Published included "Attacks on Electricity Markets," Carlos Barreto and Xenofon Koutsoukos (Vanderbilt); "Ethics in Norm-Aware Agents," Nirav Ajmeri, Hui Guo, Pradeep Kumar Murukannaiah and Munindar Singh (NC State); "A Graph-Based Analysis of Industrial Control Systems Network Traffic," Imani Palmer, Shane McFly and Edmond Rogers (UIUC); "A Multidimensional Multilevel Model for Smart Environment," Amir Modarresi, John Symons and James Sterbenz; "Search Prevention using Captchas against Web Search Engine: A Proof of Concept," Luke Sample and Donghoon Kim (Arkansas State); "The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception," Kimberly Ferguson-Walter, Temmie Shade, Andrew Rogers, Elizabeth Niedbala, Michael Trumbo, Kevin Nauer, Aaron Jones, Angela Combs and Robert Abbott. Synopses of the presentations that have already been published will be available in a companion document. The works in progress are embargoed, similar to the special session papers.

Twenty-one posters were presented on topics including intrusion and anomaly detection, resilience, APT chains, reliability measurement, privacy leaks, moving target defenses, and others. The Best Poster was "A Synopsis of Static Analysis Alerts on Open Source Software" by Nasif Imtiaz and Laurie Williams, NC State University. The Best Poster Award recognizes cybersecurity research with scientific rigor, clarity of presentation, and global impact. It is intended to encourage scientists across multiple disciplines to address the fundamental problems of security in a principled manner.

For members of the Science of Security-Virtual Organization the agenda and presentations are available on the CPS-VO web site at:

For non-members, information about the SoS VO community and the process for requesting membership is available at:

The University of Kansas will host both the next Lablet Quarterly meeting on July 9-10, 2019 and the 2020 HotSoS conference on April 6-8, 2020. Next year's HotSoS will take a more open workshop approach looking at works in progress.