Aniqua Baset and Tamara Denning (University of Utah) have recently published an interesting article and an accompanying website, discussing what the security researchers have been up to between 1980 and 2015, borrowing the data from the IEEE Symposium on Security & Privacy, ACM Conference on Computer and Communications Security, USENIX Security Symposium, and Network and Distributed System Security Symposium.
Let's see what they had to say about the major trends in privacy and security research over the past decades.
The authors used over 3000 research papers from the listed conferences to come up with 20 major topics researched over the past decades. As we look at how research topics develop over time, the major trend is diversification. Formalism was the king through the 1980s, followed by the dominance of Crypto in 1990s. After that, it is difficult to pinpoint a single dominant topic.
The authors also note, that no specific topics have died out completely between 1980 and 2015. They may have been re-named or looked at in different context, however (e.g. "databases" may have moved to "data privacy").
A number of topics have experienced a recent upsurge, easily visible on the paper's accompanying website. The authors highlight Mobile Apps, Verifiable Computation, Machine Learning, Exploits, Side-Channel Attacks, SSL/TLS, Binary Analysis, Control Flow, Crypto-currency, VMs & virtualization, and JavaScript Security + Browser Security if taken together.
Some topics kept showing up through the decades, only having 1-2 year gaps in publications, e.g. Access Control, Intrusion/Anomaly Detection, Files and File Systems, Cards and Tokens, Security Policies, Security Labeling, and Covert Channels, and Network Design.
Others have started a bit later, but continued since then, e.g. Network attacks, defenses, & detection from 1997, (De)obfuscation & decompilation from 2003, Social networks & (de)anonymization from 2005, Web application vulnerabilities from 2005, Bots and Botnets from 2006, and Mobile apps from 2009.
Looking at who produces the papers, there is a clear shift into academic dominance at the conferences that the authors of this paper looked at. From 1980s to mid 1990s, you'd see both academics, industry, and the government presenting papers, however that has since been dominated by academics without affiliation to industry or the government, who produced around 70% of papers in recent years.
There is a number of topics where all publishing parties agree we need more work on. between 2010 and 2015 these included: Mobile Apps, Verifiable Computation & Zero Knowledge Proofs, Machine Learning, Malware, and Data Privacy.
One big takeaway from this paper is that it shows a high-level overview of topics published in security and privacy research over the past nearly 4 decades, but it only looked at 4 conferences. There's plenty of other archived publications in e.g. journals that could shed more light on what the priorities have been, and where the gaps are in privacy and security research. It is hard to find a clear and simple overview of where digital TIPS have been, and where they might go, but with the help and collaboration among the digital TIPS community, it seems possible to achieve such a fit.
Thanks again toAniqua Baset and Tamara Denning (University of Utah) for the paper this blog post is based on. If you would like to join SPRITE+ - a digital TIPS community, registration is free for all at: https://spritehub.org/.