Dusko Pavlovic
ABSTRACT
The diverse views of science of security have opened up several alleys towards applying the methods of science to security. We pursue a different kind of connection between science and security. This paper explores the idea that security is not just a suitable subject for science,. but that the process of security is also similar to the process of science. This similarity arises from the fact that both science and security depend on the methods of inductive inference. Because of this dependency, a scientific theory can never be definitely proved, but can only be disproved by new evidence, and improved into a better theory. Because of the same dependency, every security claim and method has a lifetime, and always eventually needs to be improved.
In this general framework of security-as-science, we explore the ways to apply the methods of scientific induction in the process of trust. The process of trust building and updating is viewed as hypothesis testing. We propose to formulate the trust hypotheses by the methods of algorithmic learning, and to build more robust trust testing and vetting methodologies on the solid foundations of statistical inference.
- Thomas Bayes. An essay towards solving a problem in the doctrine of chances. Philosophical Transactions of the Royal Soceity. of London, 53: 370--418, 1763.Google Scholar
- Steven M. Bellovin. On the brittleness of software and the infeasibility of security metrics. IEEE Security & Privacy, 4(4): 96--96, 2006. Google ScholarDigital Library
- Terry Benzel. The science of cyber security experimentation: The DETER Project. In Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC '11, pages 137--148, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- Joyce Berg, John Dickhaut, and Kevin McCabe. Trust, reciprocity, and social history. Games and Economic Behavior, 10(1): 122--142, July 1995.Google ScholarCross Ref
- J. M. Bernardo and A. F. M. Smith. Bayesian Theory. Wiley Series in Probability and Statistics. Wiley, 2009.Google Scholar
- V. Buskens. Social Networks and Trust. Theory and Decision Library C. Springer US, 2002.Google Scholar
- Phuong Cao, Key-whan Chung, Zbigniew Kalbarczyk, Ravishankar Iyer, and Adam J. Slagell. Preemptive intrusion detection. In Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, HotSoS '14, pages 21:1--21:2, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
- T. M. Cover and J. A. Thomas. Elements of Information Theory. Wiley, 2012. Google ScholarDigital Library
- D. R. Cox and D. V. Hinkley. Theoretical Statistics. Chapman and Hall, 1990.Google Scholar
- Dorothy E. Denning. An intrusion-detection model. IEEE Trans. Softw. Eng., 13(2): 222--232, February 1987. Google ScholarDigital Library
- P. Feyerabend. Against Method. Verso, 1993.Google Scholar
- Richard P. Feynman. The Character of Physical Law. Penguin Books, 1992.Google Scholar
- Ronald A. Fisher. Statistical Methods for Research Workers. Oliver and Boyd, Edinburgh, 1925.Google Scholar
- Ronald A. Fisher. Statistical Methods and Scientific Inference. Oliver and Boyd, Edinburgh, UK, second edition, 1959.Google Scholar
- Jingwei Huang and David Nicol. A formal-semantics-based calculus of trust. IEEE Internet Computing, 14(5): 38--46, September 2010. Google ScholarDigital Library
- Jingwei Huang and David M. Nicol. Evidence-based trust reasoning. In Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, HotSoS '14, pages 17:1--17:2, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
- JASON Defense Advisory Panel. Science of Cyber-security. The MITRE Corporation, 2010.Google Scholar
- Audun Jøsang, Roslan Ismail, and Colin Boyd. A survey of trust and reputation systems for online service provision. Decis. Support Syst., 43: 618--644, March 2007. Google ScholarDigital Library
- Andrei Kolmogorov. On the logical foundations of probability theory. In A. N. Shiryayev, editor, Selected Works of A. N. Kolmogorov, volume 26 of Mathematics and Its Applications (Soviet Series), pages 515--519. Springer Netherlands, 1992.Google Scholar
- Thomas S. Kuhn. The Structure of Scientific Revolutions. University of Chicago Press, 2012.Google ScholarCross Ref
- Imre Lakatos. The Problem of Inductive Logic. Proceedings of the International Colloquium in Philosophy of Science (London, 1965). North Holland Publishing Company, 1968.Google Scholar
- Carl E. Landwehr. Cybersecurity: From engineering to science. The Next Wave, 19(2): 2--5, 2012.Google Scholar
- N. Luhmann. Trust; And, Power: Two Works. Number pts. 1--2 in UMI Books on Demand. Wiley, 1979.Google Scholar
- Teresa F Lunt. A survey of intrusion detection techniques. Computers & Security, 12(4): 405--418, 1993. Google ScholarDigital Library
- Andrew Meneely, Ben Smith, and Laurie Williams. Validating software metrics: A Spectrum of Philosophies. ACM Trans. Softw. Eng. Methodol., 21(4): 24:1--24:28, February 2013. Google ScholarDigital Library
- Robert Meushaw. NSA initiatives in cybersecurity science. The Next Wave, 19(4): 8--13, 2012.Google Scholar
- Jerzy Neyman and Egon S. Pearson. On the use and interpretation of certain test criteria for purposes of statistical inference: Part I, Part II. Biometrika, 20A(1/2, 3/4): 175--240, 263--294, 1928.Google Scholar
- Jerzy Neyman and Egon S. Pearson. On the problem of the most efficient tests of statistical hypotheses. Philosophical Transactions of the Royal Society of London, Series A, 231: 289--337, 1933.Google ScholarCross Ref
- D. M. Nicol, W. H. Sanders, W. L. Scherlis, and L. A. Williams. Science of security hard problems: A Lablet Perspective. cps-vo.org/file/6394/download/47034, retrieved on 2015/1/10.Google Scholar
- D. M. Nicol and M. P. Singh, editors. HotSoS '14: Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, New York, NY, USA, 2014. ACM.Google Scholar
- Dusko Pavlovic. Dynamics, robustness and fragility of trust. In Pierpaolo Degano, Joshua Guttman, and Fabio Martinelli, editors, Proceedings of FAST 2008, volume 5491 of Lecture Notes in Computer Science, pages 97--113. Springer Verlag, 2008. arxiv.org:0808.0732. Google ScholarDigital Library
- Dusko Pavlovic. The unreasonable ineffectiveness of security engineering: An overview. In José Luiz Fiadeiro and Stefania Gnesi, editors, Proceedings of IEEE Conference on Software Engineering and Formal Methods, Pisa, Italy, 2010, pages 12--18. IEEE, 2010. Google ScholarDigital Library
- Dusko Pavlovic. Quantifying and qualifying trust: Spectral decomposition of trust networks. In Pierpaolo Degano, Sandro Etalle, and Joshua Guttman, editors, Proceedings of FAST 2010, volume 6561 of Lecture Notes in Computer Science, pages 1--17. Springer Verlag, 2011. arxiv.org:1011.5696. Google ScholarDigital Library
- Dusko Pavlovic. On bugs and elephants: Mining for science of security. The Next Wave, 19(2): 23--29, 2012.Google Scholar
- Kenneth Pennington. Innocent until proven guilty: The origins of a legal maxim. Jurist, 63: 106--124, 2003.Google Scholar
- Karl Popper. The Logic of Scientific Discovery. Routledge Classics. Taylor & Francis, 2002.Google Scholar
- Jorma Rissanen. Information and Complexity in Statistical Modeling. Information science and statistics. Springer, New York, 2007. Google ScholarDigital Library
- Fred B. Schneider. Blueprint for a science of cybersecurity. The Next Wave, 19(2): 47--57, 2012.Google Scholar
- Ray J. Solomonoff. A formal theory of inductive inference. Part I., Part II. Information and Control, 7: 1--22, 224--254, 1964.Google ScholarCross Ref
- C. S. Wallace. Statistical and Inductive Inference by Minimum Message Length. Information Science and Statistics. Springer, 2005. Google ScholarDigital Library
- Jacob Ziv and Abraham Lempel. A universal algorithm for sequential data compression. IEEE Transactions on Information Theory, 23(3): 337--343, 1977. Google ScholarDigital Library
- Jacob Ziv and Abraham Lempel. Compression of individual sequences via variable-rate coding. IEEE Transactions on Information Theory, 24(5): 530--536, 1978. Google ScholarDigital Library
Index Terms
- Towards a science of trust
Recommendations
Distrust and trust in B2C e-commerce: do they differ?
ICEC '06: Proceedings of the 8th international conference on Electronic commerce: The new e-commerce: innovations for conquering current barriers, obstacles and limitations to conducting successful business on the internetResearchers have not studied e-commerce <u>distrust</u> as much as e-commerce <u>trust</u>. This study examines whether trust and distrust are distinct concepts. If trust and distrust are the same, lack of distrust research matters little. But if they ...
National culture and consumer trust in e-commerce
The article examines how culture influences trust in e-commerce.Disposition to trust is a significant predictor of perceived trustworthiness.Disposition to trust mediates effects between national culture and trustworthiness.Long-term orientation and ...
Examining Mobile Banking User Trust: A Tripartite Perspective
Building users' trust is crucial to alleviating their perceived risk and facilitating their usage of mobile banking. Drawing on a tripartite perspective of transference-based, personality-based and self-perception-based determinants, this research ...
Comments