NSA Science of Security Lablet at NC State

North Carolina State University’s (NCSU) Science of Security Lablet (SoSL) has embraced and helped build a foundation for NSA’s vision of the Science of Security (SoS) and of a SoS community. We have emphasized data-driven discovery and analytics to formulate, validate, evolve, and solidify the theory and practice of security. Efforts in our current lablet have yielded significant findings, providing a deeper understanding of users’ susceptibility to deception, developers’ adoption of security tools, how trust between people relates to their commitments. These efforts have led to over 50 peer-reviewed publications with more on the way. The lablet has supported 32 faculty and students and engaged more than 30 colleagues from industry.

Motivated by NSA’s overarching vision for SoS and building on our experience and accomplishments, we will continue (1) developing a science-based foundation for the five hard problems that we previously helped formulate; and (2) fostering a SoS community with high standards for reproducible research. Our approach will involve a comprehensive, rigorous perspective on SoS, including an integrated treatment of technical artifacts, humans (both stakeholders and adversaries) along with relationships and processes relevant to the hard problems. Continual evaluation of our research and community development fforts is key to our approach.

The NSA’s 2015 Annual Reports on the Science of Security Initiative is available from the Science of Security Virtual Organization.

Hard Problems

Research projects in the NCSU Science of Security lablet are oriented around five hard problems. These problems were selected based on criteria that includes technical challenge, potential operational significance, and potential to benefit from extra attention to the scientific research method and the development of improved measurement capabilities. The hard problems are intended to be crisply stated and well scoped, and provide the potential to assess progress in advancing solutions. Solutions may be incremental, discernable steps towards an overall solution, each with potential for a corresponding increment of mission impact, even when a fully comprehensive solution may remain elusive. Tthe problems have been scoped such that it is possible to assess, at least for each increment, whether there is a solution or not. Finally, it should be clear that this list of hard problems is representative, and not meant to be a covering set for the full inventory of Lablet projects.

1. Scalability and Composability: The challenge of this problem is to develop methods enabling the construction of secure systems with known security properties.
2. Policy-Governed Secure Collaboration: Projects addressing this hard problem seek to develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains.
3. Predictive Security Metrics: The challenge of this problem is to develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.
4. Resilient Architectures: The challange of developing the means to design and analyze system architectures that deliver required service in the face of compromised components.
5. Human Behavior: Modeling human behavior is a duanting task, and projects addressing this hard problem seek to develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties.

Funded Projects

• Projects 2011-2014
• Projects 2014-2017
• Projects 2018-2023