Individualized Cybersecurity Research Mentoring (iMentor) Workshop 2023

Speakers

Elisa Bertino

Purdue University

Daphne Yao

Virginia Tech

Christina Pöpper

New York University

Martina Lindorfer

TU Wien

Xiaojing Liao

IU Bloomington

Veelasha Moonsamy

Ruhr University Bochum

Betül Durak

Microsoft Research

Keynotes

Daphne Yao

Virginia Tech

Title: Rebuttal How-to: Strategies, Tactics, and the Big Picture in Research

Abstract: Rebuttals are not published; thus, it is difficult for junior researchers to read successful rebuttals and improve. This article demystifies rebuttal writing by showing the arm-the-champion strategy and a few key tactics. More importantly, we also discuss the conformity nature of conference reviewing and why researchers should not be defeated by paper rejections.

Bio: Dr. Danfeng (Daphne) Yao is a Professor of Computer Science at Virginia Tech. She is an Elizabeth and James E. Turner Jr. '56 Faculty Fellow and CACI Faculty Fellow. Her research interests include building cyber defenses, as well as machine learning for digital health, with a shared focus on accuracy and deployment. She creates new models, algorithms, techniques, and deployment-quality tools for securing large-scale software and systems. Her tool CryptoGuard helps large software companies and Apache projects harden their cryptographic code. She systematized program anomaly detection in the book Anomaly Detection as a Service. Her patents on anomaly detection are extremely influential in the industry, cited by patents from major cybersecurity firms and technology companies, including FireEye, Symantec, Qualcomm, Cisco, IBM, SAP, Boeing, and Palo Alto Networks.

Dr. Yao is an IEEE Fellow for her contributions to enterprise data security and high-precision vulnerability screening. In 2021, she received the prestigious ACM CODASPY Lasting Research Award. She is also an ACM Distinguished Scientist. Previously, she received the NSF CAREER Award and the ARO Young Investigator Award. Dr. Yao is the ACM SIGSAC Vice Chair and has been a member of the ACM SIGSAC executive committee since 2017. Daphne received her Ph.D. degree from Brown University (Computer Science), M.S. degrees from Princeton University (Chemistry) and Indiana University Bloomington (Computer Science), and a B.S. degree from Peking University in China (Chemistry).

Elisa Bertino

Purdue University

Title: The Persistent Problem of Applications Insecurity

Abstract: Data is a critical resource and as such it is very often the target of cyber-attacks with a variety of goals, including data theft and ransom requests. Today, database systems provide several effective security controls and defenses, such as database encryption, fine-grained content- and context-based access control, role-based access control, and logging capabilities for security-relevant events. In addition, database systems support a variety of authentication techniques, such as multi-factor authentication. However, there is a major weak point in data security: the applications. Once data is transmitted from a database to applications, the data is exposed to many risks if the applications have vulnerabilities.

Unfortunately, applications and, more generally, software systems are still often insecure, despite the fact that the "problem of software security" has been known to the industry and research communities for decades. In the case of database applications, for example, SQL injection vulnerabilities, known for more than 20 years, are still common; in 2022 alone, 1162 vulnerabilities of the type "SQL injection" were accepted as CVE (Common Vulnerabilities and Exposures) entries. In this talk, I first briefly argue why the software security problem is more complex than ever. I then focus on the problem of SQL injection and other vulnerabilities often occurring in database applications, and present an initial approach to automatically detect these vulnerabilities and "repair" them. I also cover the case of a more sophisticated attacker, able to tamper with the application code. I then move on to discuss the problem of software supply-chain attacks and research directions.

Bio: Elisa Bertino is Samuel Conte Professor of Computer Science at Purdue University. She serves as Director of the Purdue Cyberspace Security Lab (Cyber2Slab). Prior to joining Purdue, she was a professor and department head at the Department of Computer Science and Communication of the University of Milan. She has been a visiting researcher at the IBM Research Laboratory in San Jose (now Almaden), at Rutgers University, and at Telcordia Technologies. She has also held visiting professor positions at the Singapore National University and the Singapore Management University. Her recent research focuses on security and privacy of cellular networks and IoT systems, and on edge analytics for cybersecurity. Elisa Bertino is a Fellow of IEEE, ACM, and AAAS. She received the 2002 IEEE Computer Society Technical Achievement Award for "outstanding contributions to database systems and database security and advanced data management systems", the 2005 IEEE Computer Society Tsutomu Kanai Award for "pioneering and innovative research contributions to secure distributed systems", the 2019-2020 ACM Athena Lecturer Award, and the 2021 IEEE Innovation in Societal Infrastructure Award. She received an Honorary Doctorate from Aalborg University in 2021 and a Research Doctorate in Computer Science from the University of Salerno in 2023.

Martina Lindorfer

TU Wien

Title: IoTFlow the Making-Of: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis

Abstract: The number of "smart" devices, that is, devices making up the Internet of Things (IoT), is steadily growing. They suffer from vulnerabilities just as other software and hardware do. Automated analysis techniques can detect and address weaknesses before attackers can misuse them. Applying existing techniques or developing new approaches that are sufficiently general is challenging, though. Contrary to other platforms, the IoT ecosystem features various software and hardware architectures.

We introduce IoTFlow, a new static analysis approach for IoT devices that leverages their mobile companion apps to address the diversity and scalability challenges. IoTFlow combines Value Set Analysis (VSA) with more general data-flow analysis to automatically reconstruct and derive how companion apps communicate with IoT devices and remote cloud-based backends, what data they receive or send, and with whom they share it. We analyzed 9,889 manually verified companion apps with IoTFlow to understand and characterize the current state of security and privacy in the IoT ecosystem. We discovered various IoT security and privacy issues, such as abandoned domains, hard-coded credentials, expired certificates, and sensitive personal information being shared.

In this talk, I will cover the making-of of the IoTFlow paper, from its overall inception, through various iterations and revisions, until its upcoming presentation at ACM CCS 2023.

Bio: Martina Lindorfer is an associate professor at TU Wien, which she joined at the end of 2018, and a key researcher at SBA Research, the largest research center in Austria that exclusively addresses information security. She received her PhD from TU Wien in 2016 and spent two years as a postdoc at the University of California, Santa Barbara. Her research and outreach activities have been recognized with the ERCIM Cor Baayen Young Researcher Award, the ACM CyberW Early Career Award for Women in Cybersecurity Research, as well as the Hedy Lamarr Award from the City of Vienna.

Her research focuses on applied systems security and privacy, with a special interest in automated static and dynamic analysis techniques for the large-scale analysis of applications for malicious behavior, security vulnerabilities, and privacy leaks. Building on her background in malware analysis, she currently focuses on the analysis of mobile apps to enable transparency and accountability in the way they process and share private information. The resulting tools help uncover new and unexpected ways in which apps are violating users' privacy expectations.

Veelasha Moonsamy

Ruhr University Bochum

Title: IRShield: A Countermeasure Against Adversarial Physical-Layer Wireless Sensing

Abstract: Wireless radio channels are known to contain sensitive information about the surrounding propagation environment, which can be extracted using well-established wireless sensing methods. Thus, today's ubiquitous wireless devices (e.g., IoT) are attractive targets for passive eavesdroppers to launch reconnaissance attacks. In particular, by overhearing standard communication signals, eavesdroppers can obtain estimations of wireless channels, which then give away sensitive information about indoor environments. For instance, adversaries can infer human motion from wireless channel observations, thereby allowing them to remotely monitor victims' premises.

In this talk, I will present IRShield, a novel countermeasure leveraging the technology of intelligent reflecting surfaces (IRS). IRShield is designed as a plug-and-play, privacy-preserving extension to existing wireless networks and is capable of obfuscating wireless channels.

Bio: Veelasha Moonsamy is a tenured research faculty member at the Horst Görtz Institute for IT Security and a Principal Investigator within the Excellence Cluster CASA at Ruhr University Bochum in Germany. Previously, she was an Assistant Professor at Radboud University in the Netherlands, where she also spent some years working as a postdoctoral researcher. She obtained her Ph.D. from Deakin University in Melbourne (Australia). Her research interests revolve around security and privacy of mobile/IoT devices, in particular side- and covert-channel attacks, malware detection, and mitigation of information leaks at the application and hardware levels. Veelasha was awarded a Google Faculty Research Award in 2020 and recently served as Track Chair for Hardware, Side Channels, and Cyber-Physical Systems at ACM CCS 2023.

Betül Durak

Microsoft Research

Title: Rethinking Online Trust in the AI Era

Abstract: Large Language Models (LLMs) are powerful tools for generating context-specific high-quality text. However, their potential misuse in fraudulent activities, scams, or for political interference is a concern. Identifying such content is challenging, especially when these models are also being used to enhance legitimate and benign communications.

In this presentation, I will discuss a new cryptographic design that brings "accountability" to direct communication applications, hence building up more trust. First, I will revisit some of the assumptions that the solutions in the literature made in the context of phishing and spam, and how they will change. Then, I will detail the design and discuss the guarantees it can provide. On the way, I will gently touch on how to stitch together multiple ideas borrowed from previous research results in a new application context.

Bio: I am a senior researcher at Microsoft Research (MSR) in Redmond. I am trained in applied cryptography. In my 2 years at MSR, I have researched how to bring more privacy to end users without harming the security of the platforms. Recently, I have started thinking about such privacy-security trade-offs that emerge in new technologies. More specifically, I am interested in preventing disruptions in communication due to Large Language Models.

Xiaojing Liao

IU Bloomington

Title: Streamlining Security Property Assessment for Advancing Cyber Threat Intelligence

Abstract: Real-world malicious cyber activity, or cybercrime, not only endangers public safety but also poses severe threats to national and economic security. As per Cybersecurity Ventures, the global cost of cybercrime is projected to reach an alarming $8 trillion USD in 2023, underlining the urgency of this issue. Cybercrime has long been a critical concern for security practitioners, posing complex challenges that demand constant vigilance and innovative countermeasures.

In this talk, I will unfold the story of my research group's dedicated fight against cybercrime, sharing vital insights and lessons learned along our journey. Our research spans a broad spectrum, focusing on cyber threat intelligence in diverse domains such as web, mobile, cloud, blockchain, and AI systems (including Large Language Model-based systems). I will discuss our group's research agenda, highlighting our innovative approaches and breakthroughs in these areas.

Furthermore, I will present our vision for where our cybercrime research is heading: emphasizing strategies to enhance protection for large-scale systems and elevating threat/risk awareness among end users.

Bio: Xiaojing Liao is an Assistant Professor in the Department of Computer Science and Grant Thornton Scholar at Indiana University Bloomington. She earned her Ph.D. from the Georgia Institute of Technology. Her research interests include data-driven security and privacy, with specific focuses on system security, cybercrime, and privacy compliance analysis. She has published papers at leading system security venues such as S&P (Oakland), USENIX Security, CCS, and NDSS. She is the recipient of the Meta Privacy-Enhancing Technology Research Award (2021), the NDSS Distinguished Paper Award (2019), the CCS Best Paper Award Runner-up (2021), and the ACM SIGSAC Doctoral Dissertation Award Runner-up (2018).

Christina Pöpper

New York University

Title: Security Researcher, Educator, and Leader in Academia – Reflections on Career Paths and Opportunities

Abstract: My goal in this talk is to illuminate, empower, and inspire graduate students, early-stage researchers, and other members of the audience interested in academic careers in Computer Science, in particular in the dynamic field of computer and cyber security. Drawing from personal experiences, I offer a candid exploration of my own career trajectory from cyberspace to outer space, unveiling pivotal opportunities, navigating challenges, and distilling the invaluable lessons collected along my academic journey – all in a non-scientific, but fully subjective narrative.

Bio: Christina Pöpper is a faculty member in Computer Science at New York University Abu Dhabi (NYUAD), where she heads the Cyber Security & Privacy (CSP) Lab. She is the Director of Research at the Center for Cyber Security at NYUAD and a Global Network Assistant Professor of Computer Science at the Courant Institute of Mathematical Sciences at NYU. Since Summer 2023, she has been serving as Program Head of Computer Science at NYUAD. She holds a Ph.D. and a graduate degree in Computer Science from ETH Zurich.

Her research interest is cyber security and privacy for real-world systems. Her focus areas are wireless and communication security, including cellular network security, secure localization, and aerial cybersecurity, as well as privacy and anonymity in communication networks, detection and prevention of disinformation, and LLM security and privacy. In the past, she worked at the European Space Agency in Paris. She is excited about everything from cyberspace to outer space. The research work of her group has been recognized by the Coordinated Vulnerability Disclosure program of GSMA, the GSM Association. She is currently co-chairing the TPCs of NDSS'24 and ACNS'24. She has been a member of the steering committee of ACM WiSec, the ACM Conference on Security and Privacy in Wireless and Mobile Networks, since 2018, and was TPC Co-Chair in 2018 and General Chair in 2021. Since 2021, she has been a member of the Executive Committee of ACM SIGSAC, and she is serving as an Associate Editor of the Viewpoints section of CACM, the Communications of the ACM.