Friday, September 14, 2007

Once More on Failure of Academic Research in Security

Many people, myself included, have bemoaned the complete failure of academic research in information security. The main reason for this is a complete disconnect of academic security research from real-world threats and vulnerabilities (e.g., I still see people publishing papers inventing signature-based network IDS systems, reinventing MAC/RBAC, neural nets to catch hackers, etc. - and if I hear about the Lincoln Labs 1998 intrusion detection data set again, I will screeeeeeeeeeeam! :-))

This fun post brings a few more examples. It gets to "Security against real threats is the point where scientific integrity, method and rigour unravels" and continues to "The academics have presented stuff that is sometimes interesting but rarely valuable. They've pretty much ignored all the work that was done beforehand, and they've consequently missed the big picture" and even "The academic world of security is simply too far away from their subject." (which all ring sadly true).

What is much more exciting is that there is finally an explanation for this "induced stupidity" phenomenon that puzzled so many in the security field: "Academic work is only serious if it quotes other academic work. The papers above are reputable because they quote, only and fulsomely, other reputable work. And the work is only rewarded to the extent that it is quoted ... again by academic work. The academics are caught in a trap: work outside academia and be rejected or perhaps worse, ignored. Or, work with academic references, and work with an irrelevant rewarding base."

You know what? I think the above does explain it!

Dr Anton Chuvakin