Tuesday, April 1, 2014

Research Idea Forensics




v0.1

computer-forensics

When reading a paper, I always wonder how the author came up with the idea. Knowing this could help us better understand the essence of the paper. We could also learn how to find good ideas by studying our predecessors' paths. Finding a good idea is much harder than reading and understanding one. From the history of science and technology we can see that only a few creative minds have been able to propose great ideas.

Since most papers do not describe how the authors arrived at the idea, readers have to figure it out by themselves. We can call this activity research idea forensics. It is much like a detective deducing the motive and method of a criminal. In this article, I just share some thoughts on idea forensics. For a more general and comprehensive discussion, [2] might be helpful.

How do we do research idea forensics? A few authors mention the story in some section of the paper, such as the introduction or related work. Or the reader can find a clue in the paper's citations, since the authors might have been directly inspired by some existing work. The authors' publication record defines their specialty and way of thinking, which are usually important factors in generating ideas. The inspiration might also come from industry, because a new technology can turn impractical ideas practical.

Actually, these heuristics do not sound difficult to understand and use, so researchers in information retrieval, data mining, etc. could even try to create tools that automatically infer the idea generation process.

However, I do find some other works that seem to have a very interesting and unique idea path. Recently, I re-read the following classic paper:

A Sense of Self for Unix Processes, by Forrest, Stephanie, et al., 1996

It proposes a way of differentiating the intended execution of a process from maliciously injected execution (e.g. shellcode execution through a stack overflow attack) at run time, so that intrusions into a system can be detected. The idea is to use short system call sequences to build a model of self (i.e. the intended execution of a process), and then apply the model to detect abnormal system call sequences. The closest prior work uses system calls as building blocks for a policy language that lets users specify what is correct and incorrect. While that is an interesting approach to intrusion detection, humans might not be able to write a comprehensive policy. The work by Stephanie Forrest et al., on the other hand, is automated. As of now, this paper has received 1863 citations on Google Scholar. It particularly inspired later intrusion detection work and, more recently, behavior-based software analysis work [3, 4].
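As an added illustration (not code from the paper or from this post), here is a small Python reconstruction of the "model of self" sketched above: every normal trace records which system calls follow a given call at distances 1 to k-1, and a new trace is scored by how many of its pairs the model has never seen. The trace contents, the window size and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traces (stand-ins for real syscall logs, not data from the paper).
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "mmap", "close"],
    ["open", "read", "mmap", "close", "open", "read", "mmap", "close"],
]
WINDOW = 4  # assumed window size: record lookahead positions 1..WINDOW-1


def build_self_model(traces, k=WINDOW):
    """Model of 'self': for each (call, distance d) the set of calls observed
    d positions later in any normal trace."""
    model = defaultdict(set)
    for trace in traces:
        for i, call in enumerate(trace):
            for d in range(1, k):
                if i + d < len(trace):
                    model[(call, d)].add(trace[i + d])
    return dict(model)


def score_trace(model, trace, k=WINDOW):
    """Return (mismatches, total_pairs) for a trace under the model.
    A pair is a mismatch when the follower was never seen at that distance,
    including the case where the leading call itself is unknown."""
    mismatches = total = 0
    for i, call in enumerate(trace):
        for d in range(1, k):
            if i + d >= len(trace):
                break
            total += 1
            if trace[i + d] not in model.get((call, d), ()):
                mismatches += 1
    return mismatches, total


def is_anomalous(model, trace, threshold=0.1, k=WINDOW):
    """Flag a trace whose mismatch rate exceeds the (assumed) threshold."""
    mismatches, total = score_trace(model, trace, k)
    return total > 0 and mismatches / total > threshold


if __name__ == "__main__":
    model = build_self_model(NORMAL_TRACES)
    injected = ["open", "read", "mmap", "execve", "close"]  # constructed anomaly
    print(score_trace(model, NORMAL_TRACES[0]))  # (0, 18)
    print(score_trace(model, injected))          # (6, 9)
    print(is_anomalous(model, injected))         # True
```

Note that the model never needs to know what the injected code does: an unfamiliar call, or a familiar call in an unfamiliar position, is enough to raise the mismatch rate.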

I am quite curious about how the authors discovered this idea. My current hypothesis is that this idea is a product of interdisciplinary research. The last sentence of the abstract is:

"This work is part of a research program aimed at building computer security systems that incorporate the mechanisms and algorithms used by natural immune systems."

It seems that this motivation pushed the authors to think about how to create an immune system for a computer system. There are many concepts in the immune system that might be useful in computer security, and the authors seem to focus on phagocytes, cells that "eat" foreign particles in the body. Phagocytes use chemical cues to identify foreigners, so to implement them in a computer system you need to find the corresponding "chemical cues". These cues have to be simple (i.e. not require too much time to identify) and effective (i.e. not let the bad guys get away and not kill the good ones). A system call trace is a very good candidate, because it contains the critical behaviors of a process and is much smaller than a raw instruction trace.

The lesson is that thinking from a new angle can make a difference :)



References

[1] The picture. http://www.teamyeater.com/2011/09/phases-of-computer-forensics/computer-forensics-2/

[2] Johnson, Steven. Where Good Ideas Come From.

[3] Zhao, Bin, and Peng Liu. "Behavior Decomposition: Aspect-Level Browser Extension Clustering and Its Security Implications." Research in Attacks, Intrusions, and Defenses. Springer Berlin Heidelberg, 2013. 244-264.

[4] Wang, Xinran, et al. "Behavior based software theft detection." Proceedings of the 16th ACM conference on Computer and communications security. ACM, 2009.

[5] Lee, Wenke, and Salvatore J. Stolfo. "Data Mining Approaches for Intrusion Detection." Defense Technical Information Center, 2000.
