IEEE 30th Computer Security Foundations Symposium (CFS) Paper Wins NSA Best Scientific Cybersecurity Paper Competition

LOS ALAMITOS, Calif., 25 October 2018 – A paper originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF ’17) won the 6th Annual Best Scientific Cybersecurity Paper Competition, sponsored by the National Security Agency (NSA). The winning paper is “How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games” (.pdf) by researchers Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley, from Carnegie Mellon University (CMU) and University of California, Santa Barbara (UCSB).

“Game theory is a tool that has had tremendous value in many disciplines, but has historically been underutilized in an effective way in cybersecurity,” said Sean Peisert, Chair of the IEEE Technical Committee on Security & Privacy (TCSP), and Staff Scientist, Computational Research Division, at Berkeley National Lab. “This recent work by the CMU/UCSB team represents a powerful method for understanding effective ways of deploying automated cybersecurity techniques, and should have a lasting impact on the cybersecurity field.”

To encourage the development of the scientific foundations of cybersecurity, the NSA established the Annual Best Scientific Cybersecurity Paper Competition. NSA invites nominations of papers that show an outstanding contribution to cybersecurity science. The winning paper was selected from 28 nominations for papers published in 2017.

According to the competition reviewers, this paper was selected because it exemplifies outstanding scientific research, is technically sound, and is well written. The authors developed a cyber-warfare strategy based on strong scientific methods, and this new approach performs better than what was previously known. The reviewers particularly liked that the game-theoretic model was reflective of the physical world with a realistic set of assumptions and attributes, which is refreshing to see in game theory papers. The paper is noteworthy in the validation effort to test the effectiveness of the game theory strategy. They applied their game theory strategy to the third-place team at the DARPA Cyber Grand Challenge. Validation of research with real-world situations is important in science and helps build confidence.

The researchers endeavored to “identify the best strategy for the use of an identified zero-day vulnerability in a ‘cyber-warfare’ scenario where any action may reveal information to adversaries.” They developed a game-theoretic model and the ability to quickly find optimal solutions to it. These strategies aid humans and computers in making decisions when dealing with previously unknown vulnerabilities in computer systems. This model accounts for both attack and defensive actions and imperfect information about the current status. Actions that can be taken include attacking by using this vulnerability, patching one’s own systems, stockpiling for later, or taking no action. The model also develops steps for one to follow over time, such as patching one’s own computers for a period and then later attacking.

The authors of the winning paper will be attending a special recognition ceremony at NSA in October to receive the award and present the paper to an audience of cybersecurity experts. The authors are invited to further discuss their perspectives at the Hot Topics in Science of Security (HoTSoS) meeting in April 2019.


About IEEE Computer Society
The IEEE Computer Society is the world’s home for computer science, engineering, and technology. A global leader in providing access to computer science research, analysis, and information, the IEEE Computer Society offers a comprehensive array of unmatched products, services, and opportunities for individuals at all stages of their professional career. Known as the premier organization that empowers the people who drive technology, its unparalleled resources include membership, international conferences, peer-reviewed publications, a unique digital library, standards, and training programs. Visit for more information.