NDSS 2026 Showcase: Cybersecurity Operators & Infrastructure (Day 3)

Originally published on LinkedIn

My NDSS 2026 Showcase is in full swing. While the actual symposium takes place later this month (February 23-27 in San Diego), I am spending this week highlighting the most remarkable papers from the program in four tranches. Over the past two days, I have covered "Mad Science" physical attacks and the intersection of "Digital Rights" and society.

For Day 3, we pivot from the edges of the network to its core. Today's theme, Cybersecurity Operators & Infrastructure, looks at the plumbing of the Internet—the threat intelligence feeds, time synchronization protocols, and routing security systems that we implicitly trust. These four papers reveal that the infrastructure we rely on is often more fragile than we admit:

1. Actively Understanding the Dynamics and Risks of the Threat Intelligence Ecosystem

Galloway et al. conducted a longitudinal study of the Threat Intelligence (TI) sharing ecosystem, mapping how Indicators of Compromise (IoCs) propagate across vendors. They identified significant bottlenecks where vendors hoard data to maintain a competitive edge, delaying protection for the broader community. Furthermore, they found that the "sandboxes" used to test malware are often so predictable that malware can easily detect it is being watched and hide its malicious behavior. Read the paper here

2. On Borrowed Time: The NTP Pool's Robustness to Monopoly Attacks

Beverly and Rye demonstrate a critical vulnerability in the Network Time Protocol (NTP) Pool project, which synchronizes clocks for millions of devices. They discovered a "monopoly attack" surface where a single bad actor can trick the system into assigning a client only their malicious time servers. This dominance allows the attacker to execute time-shifting attacks, potentially breaking TLS certificates or bypassing time-based security locks on the victim's machine. Read the paper here

3. Tickets to Hide: An Inside Look into the Anti-Abuse Ecosystem

Bijmans et al. analyze a massive dataset of internal abuse tickets to understand why reporting spam or phishing often feels futile. They found that hosting providers are flooded with such a high volume of low-quality, automated abuse reports that they end up ignoring valid notifications. This "compliance gap" allows real scammers to stay online simply because the signal-to-noise ratio in the reporting system is broken. Read the paper here

4. Crack in the Armor: Infrastructure Threats to RPKI

Liu et al. reveal that the security lock for Internet routing (RPKI) hinges on fragile infrastructure. They show that RPKI Publication Points—the servers that host the digital certificates preventing BGP hijacking—often lack redundancy. When these servers crash or go offline, route validation fails, effectively removing the protection and re-exposing networks to hijacking attacks. Read the paper here
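To make the failure mode concrete, here is an added example (not code from the paper or from any RPKI project) that applies the RFC 6811 origin-validation rules to a handful of announcements, first with every publication point reachable and then with one offline. The prefixes, ASNs and host names are constructed, and it assumes the common router policy of dropping only "invalid" routes and that the outage outlasts any cached copy held by the validator.

```python
import ipaddress

# Constructed sample data: documentation prefixes, private-use ASNs, made-up host names.
# Each VRP (validated ROA payload): (prefix, max_length, origin_asn, publication_point)
VRPS = [
    ("192.0.2.0/24", 24, 64500, "rpki.example-a.test"),
    ("203.0.113.0/24", 24, 64501, "rpki.example-b.test"),
]
# (prefix, origin_asn, label) for BGP announcements seen by a validating router.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500, "authorized origin"),
    ("192.0.2.0/24", 64511, "unauthorized origin"),
    ("192.0.2.0/25", 64500, "more specific than maxLength"),
    ("203.0.113.0/24", 64501, "authorized origin, other repository"),
]

def validate(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn, _point in vrps:
        roa_net = ipaddress.ip_network(vrp_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one VRP covers this route
        if route.prefixlen <= max_len and origin_asn == vrp_asn:
            return "valid"
    return "invalid" if covered else "not-found"

def usable_vrps(vrps, offline_points):
    """VRPs still available when the given publication points cannot be fetched."""
    return [v for v in vrps if v[3] not in offline_points]

def accepted(state):
    # Assumed router policy: drop only "invalid"; accept "valid" and "not-found".
    return state != "invalid"

def report(offline_points=()):
    """Validation state of every sample announcement for a given outage."""
    vrps = usable_vrps(VRPS, set(offline_points))
    return {(p, asn): validate(p, asn, vrps) for p, asn, _ in ANNOUNCEMENTS}

if __name__ == "__main__":
    for offline in ((), ("rpki.example-a.test",)):
        print("offline:", list(offline) or "none")
        result = report(offline)
        for prefix, asn, label in ANNOUNCEMENTS:
            state = result[(prefix, asn)]
            print(f"  {prefix} AS{asn} ({label}): {state}, accepted={accepted(state)}")
```

With one publication point gone, the two announcements that were rejected as invalid become not-found and are accepted, while prefixes served by the other repository are unaffected.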

These findings highlight the operational challenges of maintaining a secure Internet. Tomorrow, for our final day, we will look at the mathematical breakthroughs that promise to fix these problems: Hardcore Cryptography. You can find the full program at the NDSS website. Support open access security research by checking out the Internet Society.