Jonathan Spring
CERT
Jonathan Spring is an SEI alumni employee.
Jonathan Spring is a senior member of the technical staff with the CERT division of the Software Engineering Institute (SEI) at Carnegie Mellon University. Spring began working at the SEI in 2009. Prior posts include adjunct professor at the University of Pittsburgh’s School of Information Sciences and research fellow for ICANN’s Security and Stability Advisory Committee (SSAC). At the SEI, Spring’s work focuses on producing reliable evidence for various levels of cybersecurity policies. Spring’s approach to work balances leading by example with reflecting on study design and other philosophical issues. Spring earned a doctoral degree in computer science from University College London.
Publications by Jonathan Spring
-
Coordinated Vulnerability Disclosure User Stories
August 25, 2022 • White Paper
Brad Runyon, Eric Hatleback, Allen D. Householder
This paper provides user stories to guide the development of a technical protocol and application programming interface for Coordinated Vulnerability Disclosure.
-
Undiscovered Vulnerabilities: Not Just for Critical Software
June 02, 2022 • Podcast
Jonathan Spring
Jonathan Spring discusses the findings in a recent paper that analyzes the number of undiscovered vulnerabilities in information systems.
-
An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems
March 09, 2022 • White Paper
Jonathan Spring
This paper examines the paradigm that the number of undiscovered vulnerabilities is manageably small through the lens of mathematical concepts from the theory of computing.
-
Bias in AI: Impact, Challenges, and Opportunities
September 30, 2021 • Podcast
Carol J. Smith, Jonathan Spring
Carol Smith discusses with Jonathan Spring the hidden sources of bias in artificial intelligence (AI) systems and how systems developers can raise their awareness of bias, mitigate consequences, and reduce risks.
-
Applying Scientific Methods in Cybersecurity
August 26, 2021 • Podcast
Leigh B. Metcalf, Jonathan Spring
Leigh Metcalf and Jonathan Spring discuss with Suzanne Miller the application of scientific methods to cybersecurity, a subject of their recently published book, Using Science in Cybersecurity.
-
A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
July 01, 2021 • Special Report
Allen D. Householder, Jonathan Spring
This report discusses performance indicators that stakeholders in Coordinated Vulnerability Disclosure (CVD) can use to measure its effectiveness.
-
Managing Vulnerabilities in Machine Learning and Artificial Intelligence Systems
June 10, 2021 • Podcast
Nathan M. VanHoudnos, Jonathan Spring, Allen D. Householder
Allen Householder, Jonathan Spring, and Nathan VanHoudnos discuss how to manage vulnerabilities in AI/ML systems.
-
Using Science in Cybersecurity
May 01, 2021 • Book
Leigh B. Metcalf, Jonathan Spring
This book will give readers practical tools for cybersecurity.
-
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)
April 30, 2021 • White Paper
Jonathan Spring, Allen D. Householder, Eric Hatleback
This paper presents version 2.0 of a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).
-
A Stakeholder-Specific Vulnerability Categorization
October 29, 2020 • Podcast
Allen D. Householder, Eric Hatleback, Jonathan Spring
Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and also take audience members through a sample scoring vulnerability.
-
On Managing Vulnerabilities in AI/ML Systems
October 01, 2020 • Conference Paper
Jonathan Spring, Allen D. Householder, April Galyardt
This paper explores how the current paradigm of vulnerability management might adapt to include machine learning systems.
-
Automating Reasoning with ATT&CK?
August 19, 2020 • Presentation
Jonathan Spring
This presentation discusses limitations in MITRE's ATT&CK framework and proposes ways to restructure it to be more useful.
-
Historical Analysis of Exploit Availability Timelines
August 13, 2020 • White Paper
Allen D. Householder, Jeff Chrabaszcz (Govini), Trent Novelly
This paper analyzes when and how known exploits become associated with the vulnerabilities that made them possible.
-
Comments on NISTIR 8269 (A Taxonomy and Terminology of Adversarial Machine Learning)
February 04, 2020 • White Paper
April Galyardt, Nathan M. VanHoudnos, Jonathan Spring
Feedback to the U.S. National Institute of Standards and Technology (NIST) about NIST IR 8269, a draft report detailing the proposed taxonomy and terminology of Adversarial Machine Learning (AML).
-
Machine Learning in Cybersecurity: 7 Questions for Decision Makers
December 12, 2019 • Podcast
Jonathan Spring, April Galyardt, Angela Horneman
April Galyardt, Angela Horneman, and Jonathan Spring discuss key questions that managers and decision makers should ask about machine learning to effectively solve cybersecurity problems.
-
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization
December 04, 2019 • White Paper
Jonathan Spring, Eric Hatleback, Allen D. Householder
This paper presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).
-
Improving the Common Vulnerability Scoring System
October 03, 2019 • Podcast
Jonathan Spring, Art Manion, Deana Shick
Art Manion, Deana Shick, and Jonathan Spring discuss a 2019 paper that outlines challenges with the Common Vulnerability Scoring System (CVSS) and proposes changes to improve it.
-
Machine Learning in Cybersecurity: A Guide
September 05, 2019 • Technical Report
Jonathan Spring, Joshua Fallon, April Galyardt
This report suggests seven key questions that managers and decision makers should ask about machine learning tools to effectively use those tools to solve cybersecurity problems.
-
Towards Improving CVSS
December 04, 2018 • White Paper
Jonathan Spring, Eric Hatleback, Allen D. Householder
This paper outlines challenges with the Common Vulnerability Scoring System (CVSS).
-
Open-source Measurement of Fast-flux Networks While Considering Domain-name Parking
December 19, 2017 • Conference Paper
Leigh B. Metcalf, Daniel Ruef, Jonathan Spring
In this paper, domain parking is the practice of assigning a nonsense location to an unused fully-qualified domain name (FQDN) to keep it ready for “live” use.
-
Thinking about Intrusion Kill Chains as Mechanisms
May 02, 2017 • Presentation
Jonathan Spring, Eric Hatleback
We integrate two established modeling methods from disparate fields: mechanisms from the philosophy of science literature and intrusion kill chain modeling from the computer security literature.
-
Blacklist Ecosystem Analysis: 2016 Update
August 15, 2016 • White Paper
Leigh B. Metcalf, Eric Hatleback, Jonathan Spring
This white paper, which is the latest in a series of regular updates, builds upon the analysis of blacklists presented in our 2013 and 2014 reports.
-
Malware Capability Development Patterns Respond to Defenses: Two Case Studies
March 07, 2016 • White Paper
Kyle O'Meara, Deana Shick, Jonathan Spring
In this paper, the authors describe their analysis of two case studies to outline the relationship between adversaries and network defenders.
-
Blacklist Ecosystem Analysis
December 03, 2015 • Conference Paper
Leigh B. Metcalf, Jonathan Spring
In this paper, the authors compare the contents of 86 Internet blacklists to provide a view of the whole ecosystem of blocking network touch points and blacklists.
-
CND Equities Strategy
July 22, 2015 • White Paper
Jonathan Spring, Ed Stoner
In this paper, the authors discuss strategies for successful computer network defense (CND) based on considering the adversaries' responses.
-
Global Adversarial Capability Modeling
May 28, 2015 • Conference Paper
Jonathan Spring, Sarah Kern, Alec Summers
Jonathan Spring, Sarah Kern, and Alec Summers propose a model of global capability advancement, the adversarial capability chain (ACC).
-
Flocon 2015 Welcome Talk
January 12, 2015 • Video
Jonathan Spring
In this video, Jonathan Spring introduces FloCon 2015, which took place in Portland, Oregon in January 2015.
-
Blacklist Ecosystem Analysis Update: 2014
January 07, 2015 • White Paper
Leigh B. Metcalf, Jonathan Spring
This white paper compares the contents of 85 different Internet blacklists to discover patterns in shared entries.
-
Domain Parking: Not as Malicious as Expected
December 10, 2014 • White Paper
Leigh B. Metcalf, Jonathan Spring
In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set, evaluate whether this behavior appears to be indicative of malicious behavior.
-
Toward Realistic Modeling Criteria of Games in Internet Security
September 01, 2014 • Article
Jonathan Spring
In this article, Jonathan Spring discusses game theory and security as it relates to computers and the Internet.
-
The Long "Taile" of Typosquatting Domain Names
August 20, 2014 • Article
Janos Szurdi, Balazs Kocso, Gabor Cseh
In this USENIX 2014 paper, the authors describe a methodology to improve existing solutions in identifying typosquatting domains and their monetization strategies.
-
Abuse of Customer Premise Equipment and Recommended Actions
August 07, 2014 • White Paper
Paul Vixie, Chris Hallenbeck, Jonathan Spring
In this paper, the authors provide recommendations for addressing problems related to poor management of Consumer Premise Equipment (CPE).
-
Abuse of CPE Devices and Recommended Fixes
August 07, 2014 • Presentation
Paul Vixie, Chris Hallenbeck, Jonathan Spring
In this Black Hat 2014 presentation, the authors provide recommendations for addressing problems related to poor management of Consumer Premise Equipment (CPE).
-
SiLK: A Tool Suite for Unsampled Network Flow Analysis at Scale
July 29, 2014 • Conference Paper
Mark Thomas, Leigh B. Metcalf, Jonathan Spring
In this paper, the authors discuss SiLK, a tool suite created to analyze high-volume data sources without sampling.
-
Exploring a Mechanistic Approach to Experimentation in Computing
July 01, 2014 • Article
Jonathan Spring
In this article, the authors describe the benefits of applying the mechanistic approach in philosophy of science to experimentation in computing.
-
Introduction to Information Security: A Strategic-Based Approach
April 15, 2014 • Book
Timothy J. Shimeall, Jonathan Spring
The authors provide a strategy-based introduction to providing defenses as a basis for engineering and risk-management decisions in the defense of information.
-
Modeling Malicious Domain Name Take-Down Dynamics: Why eCrime Pays
April 15, 2014 • Conference Paper
Jonathan Spring
In this paper, Jonathan Spring derives an ad-hoc model of the competition for domain names by criminals and defenders using a modification of Lanchester's equations for combat.
-
Passive Detection of Misbehaving Name Servers
January 13, 2014 • Presentation
Jonathan Spring, Leigh B. Metcalf
In this presentation, the authors discuss name servers that exhibit IP address flux, a behavior that falls outside the prescribed parameters.
-
Passive Detection of Misbehaving Name Servers
October 04, 2013 • Technical Report
Leigh B. Metcalf, Jonathan Spring
In this report, the authors explore name-server flux and two types of data that can reveal it.
-
Everything You Wanted to Know About Blacklists But Were Afraid to Ask
September 30, 2013 • White Paper
Leigh B. Metcalf, Jonathan Spring
This document compares the contents of 25 different common public-internet blacklists in order to discover any patterns in the shared entries.
-
A Notation for Describing the Steps in Indicator Expansion
September 12, 2013 • Conference Paper
Jonathan Spring
In this paper, Jonathan Spring proposes a method of capturing the process of indicator expansion in a deterministic yet flexible and extensible manner.
-
Name Servers Should Not Move
January 07, 2013 • Poster
Leigh B. Metcalf, Jonathan Spring
In this poster, Leigh Metcalf and Jonathan Spring illustrate how to find name servers that move from IP address to IP address too often.
-
The Impact of Passive DNS Collection on End-User Privacy
March 22, 2012 • White Paper
Jonathan Spring, Carly L. Huth
In this paper, the authors discuss whether pDNS allows reconstruction of an end user's DNS behavior and if DNS behavior is personally identifiable information.
-
Modifying Lanchester's Equations for Modeling and Evaluating Malicious Domain Name Take-Down
January 06, 2012 • White Paper
Jonathan Spring
In this paper, Jonathan Spring models internet competition on large, decentralized networks using a modification of Lanchester's equations for combat.
-
Passive Detection of Misbehaving Name Servers
January 02, 2012 • White Paper
Leigh B. Metcalf, Jonathan Spring
In this paper, the authors demonstrate that there are name servers that exhibit IP address flux, a behavior that falls outside the prescribed parameters.
-
Controls for Monitoring the Security of Cloud Services
August 02, 2011 • Podcast
Art Manion, Jonathan Spring, Julia H. Allen
In this podcast, participants explain that how cloud providers and customers can use controls to protect sensitive information depends on the service model.
-
Monitoring Cloud Computing by Layer, Part 2
June 01, 2011 • White Paper
Jonathan Spring
In this paper, Jonathan Spring presents a set of recommended restrictions and audits to facilitate cloud security.
-
Correlating Domain Registrations and DNS First Activity in General and for Malware
April 11, 2011 • White Paper
Leigh B. Metcalf, Jonathan Spring, Ed Stoner
In this paper, the authors describe a pattern in the amount of time it takes for a domain to be actively resolved on the Internet.
-
Monitoring Cloud Computing by Layer, Part 1
April 01, 2011 • White Paper
Jonathan Spring
In this paper, Jonathan Spring presents a set of recommended restrictions and audits to facilitate cloud security.
-
Welcome to FloCon 2009
January 12, 2009 • Presentation
Jonathan Spring, Juan Garza (APCON)
In this presentation, the author welcomes attendees and describes the schedule for Flocon 2009 and other information attendees need to know.