Monday, September 17, 2007

The Academic Trap

I really enjoyed Anton's post Once More on Failure of Academic Research in Security, where he cites Ian Grigg's The Failure of the Academic Contribution to Security Science:

[A]cademics have presented stuff that is sometimes interesting but rarely valuable. They've pretty much ignored all the work that was done beforehand, and they've consequently missed the big picture.

Why is this? One reason is above: academic work is only serious if it quotes other academic work. The papers above are reputable because they quote, only and fulsomely, other reputable work. And the work is only rewarded to the extent that it is quoted ... again by academic work.

The academics are caught in a trap: work outside academia and be rejected or perhaps worse, ignored. Or, work with academic references, and work with an irrelevant rewarding base. And be ignored, at least by those who are monetarily connected to the field.

By way of thought experiment, consider how many peer-review committees on security conferences include the experts in the field?


This is very interesting, but I'm not sure I agree. I think another reason might be the lack of ex-practitioners (with military and/or commercial hands-on experience) in the teaching ranks. Whatever the case, the problem should not be restricted to our field; there must be dozens of other professions with disconnects between academia and industry.

Incidentally, I was just invited to be on the peer-review committee for VizSec 2008, in conjunction with RAID 2008, in Boston next September. I am really excited to be attending both conferences. Maybe inviting me to be on the board is an indication of academia reaching out to industry?

A focus on practicality is one of the reasons I am drawn to the University of Cambridge Computer Laboratory, where the focus is on actionable security research, not theory.

5 comments:

jbmoore said...

Another possibility is that a lot of the academic research that goes on might not be publishable if the grants are DARPA or DOD. One would never see any of that work because it would be classified. The same would hold true if a private firm requested a study and provided a grant with the stipulation that the results remain private. There is practical research coming out of academia; Niels Provos and Thorsten Holz are proof of that with honeyd and the papers presented on the honeyblog.org site.

Radu State said...

I also come from an academic background. There is a gap because academia people are evaluated on their published papers (reputation of the journal/conference), and this is an objective criterion. On the other hand, I agree that many people coming from academia fail to address real issues and address non-relevant items like intrusion detection in grid/ad-hoc networks, etc. This comes because 1) they try to solve problems that they know how to solve, and 2) they do not know which are the real problems (most academic people have never heard of Blackhat or terms like XSS, jikto, shellcode, etc.). On the other hand, fees for conferences like Blackhat are too high for academic people....
There is also the issue of social group and power. Each community developed its conferences/events, where places in the technical program committees or organisational structure are hard to obtain. Why should these be shared with others?
So unless these people will not people, things will stay like this.

PaulM said...

@jb:

I'm glad you mentioned Niels Provos in this context. His work on honeypots is important and very popular with the vendor side of industry. But it is often seen as irrelevant by operational security practitioners, and it's over the heads of most academics. Instead, he is most popularly cited for the work he did with Peter Honeyman around ScanSSH or steganography.

Generally speaking, there is a disconnect between the focus of industry and academia in infosec. I think Richard might be right about a lack of instructors or researchers with practical experience. Even within universities, the expertise is often within the admin staff ranks (like the UF guys that won DefCon CTF again this year).

jbmoore said...

I've been pondering why this is so. Here's the likely answer - no one is funding the research, or if they are, it's classified. Why is this so?
1. The government has decreased funding for science across the board, at least civilian sources. NSF and NIH have many, many more applicants for grants than awardees. For NIH, about 1 out of 10 get a grant. I don't know about NSF but I know they are hurting badly. The trend in funding has been downward for over twenty years.
2. A lot of the engineering grants, i.e. CS, EE, etc., will either be NSF or DOD. If they are the latter, likely the research will not be published. Of that limited pool, security research applications will have to compete with other CS applications that might be more useful for science or engineering like HPC. This is cutting edge applied and basic research and there just isn't enough money to go around. Better HPC research helps a lot of people. Better IT security doesn't really help the scientists or engineers that much compared to making parallel programming easier. Everyone goes where the money is even in research.
3. The CS profs generally know enough to secure their systems. If they don't, then it's due to apathy or laziness. They also know that you can't lock everyone out - security just buys you time - the same as with encryption.
4. When they demonstrate a weakness in proprietary code, they get threatened with a lawsuit either due to the language in the EULA that prohibits reverse engineering, or because it's easier to silence them with a lawyer than fix the broken application that was not tested until the prof and his students looked at it. The lawyer also prevents them from publishing or disclosing their results.
5. Few corporations fund basic or applied research without strings, and corporate R&D has been declining or is being moved overseas closer to the manufacturing, where it's cheaper.

So, add it up: nobody is likely funding security projects, or if they are, it's classified. The legal environment for testing closed source code products is hostile. Open source products work well enough, but require expertise and cheap labor to set up, which you have plenty of in universities, but any projects based on them are likely not to get you published in a top-notch journal or get you hired by anyone but Google. If you want a simpler answer, here it is: SECURITY IS NOT SEXY.

jbmoore said...

http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9035398&pageNumber=1

The above is an article about the sorry state of IT research.