Visible to the public HotSoS 2023 SummaryConflict Detection Enabled

Hot Topics in the Science of Security (HotSoS) 2023

The National Security Agency (NSA) virtually hosted the 10th Annual Symposium on the Science of Security (HotSoS) from 3-5 April 2023. The General Chair was Adam Tagert (NSA), and Program Co-Chairs were Nirav Ajmeri (University of Bristol) and Ryan Gabrys (Naval Information Warfare Center). HotSoS brought together researchers from diverse disciplines to promote the advancement of work related to the Science of Security and Privacy initiative (SoS), and featured a mix of invited keynotes, Works-in-Progress (WiP) discussions, presentations of already published work, posters, and panel discussions.

Almost 410 individuals registered for HotSoS 2023, more than would have been able to attend had the event been held in person. The participants were a mix of government, academia, and industry. In addition to 3 keynote presentations, HotSoS 2023 included 2 presentations from NSA's Best Cybersecurity Paper Competition, 9 published papers, 4 WiP manuscripts, and 7 posters or demos, which, in total, represented the work of 62 authors from 23 universities and institutions. In keeping with the goal of collaborative community engagement, HotSoS 2023 again featured WiPs, which provide an opportunity for authors to get early feedback on a research direction, technology, or ideas before a paper has been fully evaluated, or to discuss systems in an early, pre-prototyping phase.

Keynote Presentations

The first keynote presentation, "Sailing the Seas of the Science of Security," given by Yan Shoshitaishvili (Arizona State University), delved into the process of contributing research to the Science of Security. Shoshitaishvili described his personal journey contributing to SoS and shared the lessons he learned in conducting applied security research.

Neal Ziring, the Technical Director for the NSA's Cybersecurity Directorate, gave a keynote entitled "Science of Composition is Vital for Science of Security," in which he discussed several areas where composition is important for security, and suggested ways to improve the science of building and assessing composite systems.

The final keynote, "The Science of Audio Deepfake Detection," by Carrie Gates of Bank of America, provided an overview of how deepfakes are created and how current detection technologies function. She also discussed areas where more science and a more rigorous application of the scientific method are required in designing appropriate deepfake detection solutions.

Best Cybersecurity Paper Competition Invited Talks

There were presentations on the Winning and Honorable Mention papers from the 10th Annual Best Scientific Cybersecurity Paper Competition. The winning paper was "Verifying Hyperproperties with Temporal Logic of Actions (TLA)" by Leslie Lamport from Microsoft Research and Fred B. Schneider from Cornell University. Hyperproperties generalize conventional properties by expressing relations between multiple system executions. Self-composition has been applied to reduce the verification of a system's compliance with certain classes of hyperproperties to the verification of a derived system's compliance with an ordinary property. The researchers use self-composition to handle a larger class of hyperproperties, including those that convey security conditions, by describing systems and their properties in the temporal logic TLA. TLA tools are used to ensure that high-level industrial system designs satisfy properties. They can now also validate that these systems satisfy these hyperproperties.

The paper which received an Honorable Mention was "Defensive Technology Use by Political Activists during the Sudanese Revolution," authored by Alaa Daffalla from Cornell University, Lucy Simko from George Washington University, Tadayoshi Kohno from the University of Washington, and Alexandru G. Bardas from the University of Kansas. Insights into technological defense tactics used by activists are presented in the paper based on interviews with 13 political activists who were involved throughout the 2018-2019 Sudanese revolution. The researchers discovered that the adoption of apps and security and privacy behaviors are influenced by politics and society. Blocking social media can lead to a number of large-scale ways to fight censorship, while blocking the Internet can make it hard for activists to use technology. Although the activists' technological defenses against threats of surveillance, arrest, and the seizure of devices were low-tech, they were adequate. Design principles emerged from these findings, but the researchers also noticed that generalizing design recommendations often leads to contradictions between the security and usability needs. Therefore, the paper offers a series of structured questions to help transform these conflicts into opportunities for technology designers and policymakers.

Works-Already-Published Sessions

The Works-Already-Published sessions featured 9 published papers.

Ryan Steed, a Ph.D. student at Carnegie Mellon's Heinz College of Information Systems and Public Policy, presented "Policy Impacts of Statistical Uncertainty and Privacy," which explores how education policies that rely on census data misallocate funding due to statistical uncertainty. The research compares the effects of quantified data error and the impacts of a potential differentially private mechanism. It was also discovered that policy reforms could mitigate the disparate effects of data error and privacy mechanisms.

Jan H. Klemmer, a Ph.D. student at Leibniz University, presented "How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study," which explores how usable security is implemented during the development of software products. Despite there being positive examples emphasizing beneficial factors for usable security, many organizations still do not implement usable security in their products. The paper identifies several challenges to implementing usable security, including a lack of awareness and understanding of usable security, misconceptions, stakeholder pressure, and communication barriers. The research discovered that contextual factors play an important role in the implementation of usable security. The paper proposes possible software development practice enhancements.

A paper titled "Robust Deep Reinforcement Learning through Bootstrapped Opportunistic Curriculum" was presented by Junlin Wu, a third-year Computer Science Ph.D. student at Washington University. The paper presents a novel flexible adversarial curriculum learning framework for reinforcement learning and an approach for adaptive curriculum generation that involves interval-bound propagation and FGSM-based adversarial input generation. In addition, the paper contributes a comprehensive experimental evaluation using OpenAI Gym Atari games (DQN-style) and Procgen (PPO-style, Appendix), showing that the proposed adversarial curriculum learning framework for reinforcement learning significantly improves robustness.

John Speed Meyers of Chainguard presented a paper titled "Sigstore - Software Signing for Everybody." The paper proposes Sigstore, a system that provides software signing capabilities. The system provides capabilities for signing artifacts, reducing the software signing adoption barrier for developers.

Nik Sultana, an assistant professor of Computer Science at Illinois Tech, presented "A Case for Remote Attestation in Programmable Dataplanes," which delves into how remote attestation can be used to facilitate dynamic assessments of network security characteristics by automating the generation, collection, and evaluation of evidence of trustworthiness. The paper also outlines how the Copland and NetKAT languages can be combined and expanded to create network-aware attestation policies. Sultana also presented a paper titled "Towards Practical Application-level Support for Privilege Separation," exploring the application of privilege separation (privsep) to C software.

Partha S. Sarker, a Ph.D. student in the Lane Department of Computer Science and Electrical Engineering at West Virginia University (WVU), presented "Resiliency Metrics for Monitoring and Analysis of Cyber-Power Distribution System with IoTs." The focus of this paper is on creating metrics for tracking the resiliency of the cyber-power distribution system while protecting user privacy. A neural network with federated learning is used in the IoT Trustability Score (ITS) component of the proposed cyber-power distribution system resiliency (DSR) metric to take the effects of IoTs into consideration. To calculate Primary level Node Resiliency (PNR), ITS and other resiliency-impacting elements are combined into a single metric using Fuzzy Multiple-Criteria Decision Making (F-MCDM).

A paper titled "Spatiotemporal G-code modeling for secure FDM-based 3D printing" was presented by Muhammad Haris Rais, a Ph.D. candidate in Computer Science at Virginia Commonwealth University. The paper introduces Sophos, a framework for detecting attacks on the Fused Deposition Modeling (FDM)-based 3D printing process. Sophos uses spatiotemporal G-code modeling and can detect attacks on the first print.

Syed Ali Qasim, a Ph.D. student at Virginia Commonwealth University, presented "Control Logic Forensics Framework using Built-in Decompiler of Engineering Software in Industrial Control Systems," a paper that proposes the use of Reditus to extract control logic from suspicious Industrial Control Systems (ICS) network traffic suspicious. The paper shows how Reditus can recover a control logic's source code from its network traffic.

Works-in-Progress Sessions

The Works-in-Progress sessions featured 4 papers.

Yevgeniy Vorobeychik, an Associate Professor of Computer Science & Engineering at Washington University, presented "Certifying Safety in Reinforcement Learning under Adversarial Perturbation Attacks."

Mubark Jedh, a Ph.D. student at Iowa State University, presented "Improvement and Evaluation of Resilience of Adaptive Cruise Control Against Spoofing Attacks Using Intrusion Detection System."

Researchers Marinos Vomvas, Norbert Ludant, and Guevara Noubir from Northeastern University, gave a presentation on their paper titled "Towards a Rigorous Approach for Zero Trust in the 5G Core."

Anwar Said, a postdoctoral research scholar at Vanderbilt University, presented a paper titled "Sequential Graph Neural Networks for Source Code Vulnerability Identification."

Panel Discussions

10 Years of HotSoS / SoS

HotSoS 2023 held a panel discussion on the 10-year progress of HotSoS and the SoS in general. The panelists included Laurie Williams, Carl Landwehr, Brad Martin, David Nicol, and William Scherlis. They discussed what they remember the most about the SoS program, how SoS influenced the rest of the government and the idea of applying scientific principles to research, and how scientific approaches in research impact cybersecurity. They also discussed the development, expectations, research contributions, and progress of the SoS hard problems: "Scalability and Composability," "Policy-Governed Secure Collaboration," "Security Metrics Driven Evaluation, Design, Development, and Deployment," "Resilient Architectures," and "Understanding and Accounting for Human Behavior."

Future of Foundational Research

A panel discussion was held on the future of foundational research. The panelists included Evan Austin, Josiah Dykstra, Glenn Lilly, and Neal Ziring. Topics included in the discussion included what they think the next big research area will be for the next 10 years and whether the move to microservices would improve or degrade system resilience and security. They discussed the possibility of running the same cyber incident investigation process on critical infrastructure, and using the recommendations to build a knowledge base of what is required. The panel also discussed over-investigated research areas or realms requiring more attention.

Graduate and Undergraduate Student Panels

Graduate and undergraduate students from the University of California, Riverside, Naval Post Graduate School, Auburn University, the University of Maryland, Baltimore County, Vanderbilt University, North Carolina State University, and the University of Chicago, participated in panel discussions on their academic and career-oriented activities and experiences. The panelists discussed what steps they took during or after their academic experience that made them successful. They touched on what academic courses helped shape or define their career path or job role. They also shared some strategies or approaches for effectively utilizing the skills and experience gained from academic research to achieve success in industry settings as well as how expectations be realistically managed in the process.

The HotSoS 2023 Best Poster Award, "Making Smart Contracts Predict and Scale" was given to Syed Badruddoja, Ram Dantu, Yanyan He, Mark Thompson, Kritagya Upadhyay, Abiola Salau of the University of North Texas.

The agenda and selected presentations are available here.

The SoS program is important to NSA because it enables NSA leadership to understand where to invest time, people and resources in order to safeguard national security systems and the defense industrial base. Details on SoS successes can be found in the SoS Annual Reports available here.

For non-members, information about the SoS VO community and the process for requesting membership is available here.