Skip to main content

Test of Time Awards

On the occasion of ACSAC's 35th Anniversary, the Steering Committee instituted the inaugural Test of Time Awards. These awards provide an opportunity to honor papers that have been published at ACSAC that have had enduring significance and impact to the security community. The committee considered papers published during the first 20 years of the conference, from 1985-2004, looking at a corpus of over 630 papers, and discussed their impact on academia, industry, and government. Below are the 7 papers to win an ACSAC 35 Test of Time Award.

awards photo

Secure Computer Systems: A Network Interpretation
David E. Bell
Presented at ACSAC 2 (1986)

The Orange Book (aka TCSEC) was the first attempt to codify assessments for security of computer systems. This paper considered the differences between systems and networks, and codified notions of hosts and connections that could allow reasoning about simple and star properties discussed in the Bell-LaPadula model. This work formed the basis for what later became the "Red Book" (aka Trusted Network Interpretation of the TCSEC), which influenced how DoD thought about network security. More information about the genesis of this paper can be found at

Haystack: An Intrusion Detection System
Stephen E. Smaha
Presented at ACSAC 3 (1988)

Haystack is one of the earliest papers on intrusion detection systems. It was a prototype system used to detect intrusions in multi-user Air Force computer systems, developing methods of extracting user behaviors, anomalous events, and security incidents from lengthy audit trails, and specifically was designed to deal with the insider threat. Its over 500 citations (Google Scholar as of November 2019) make it one of the most cited papers from the 1980s.

Role-Based Access Control (RBAC): Features and Motivations
David F. Ferraiolo, Janet A. Cugini, and Richard D. Kuhn
Presented at ACSAC 11 (1995)

This highly influential paper was one of the first in the area of Role-Based Access Control (RBAC), which is considered best practice and widely used in today.s information systems. This paper explored some of the properties of RBAC and formalized role hierarchies, authorization, execution, and other properties, and is notable for its formal rigor. It is the second most cited ACSAC paper of all time, with over 1000 citations as of November 2019.

Proxies for Anonymous Routing
Michael G. Reed, Paul F. Syverson, and David M. Goldschlag
Presented at ACSAC 12 (1996)

This enormously influential work was the first conference paper to discuss the concept of onion routing, which formed the basis for Tor and to this day spurs substantial research into anonymity networks.

NetSTAT: A Network-Based Intrusion Detection Approach
Giovanni Vigna and Richard A. Kemmerer
Presented at ACSAC 14 (1998)

This paper represents one of the first efforts to focus on network-based intrusion detection, compared to past approaches that focused on hosts. It developed a formal model of a network and of attacks against it, extending the State Transition Analysis Technique to determine which network events need to be monitored and where that monitoring should occur. NetSTAT won the outstanding paper award in 1998 and has been cited almost 400 times (as of November 2019).

ITS4: A Static Vulnerability Scanner for C and C++ Code
John Viega, J. T. Block, Yoshi Kohno, and Gary McGraw
Presented at ACSAC 16 (2000)

ITS4 is a tool for statically scanning security-critical C code for vulnerabilities. It represents one of the earliest papers describing automated vulnerability finders in source code, which led to the creation of the software analysis industry and several companies like Fortify and Ounce Labs which were subsequently acquired by HP & IBM. Static code analysis continues to be an extensively-used technique for vulnerability mitigation. ITS4 won the 2000 Outstanding Paper Award.

Why Information Security is Hard — An Economic Perspective
Ross Anderson
Presented at ACSAC 17 (2001)

This is a seminal paper about the economic aspects of cybersecurity, and used the lens of microeconomics to discuss security problems in terms of network externalities, asymmetric information, moral hazards, and tragedies of the commons amongst others. This paper opened the door to considerable work in the space and the well-known Workshop on the Economics of Information Security (WEIS). As of November 2019, it is the most cited ACSAC paper of all time with over 1000 citations.

left to right: David Bell, David Ferraiolo, David Goldschlag, John Viega, Michael Reed, Giovanni Vigna, and Stephen Smaha