talk: Securing Networks by Detecting Logical Flaws in Protocol Implementations

Securing Networks by Detecting Logical Flaws in Protocol Implementations

Dr. Endadul Hoque
Postdoctoral Research Associate, Northeastern University

12:00pm Wednesday, 22 February 2017, ITE 325b, UMBC

Implementations of network protocols are integral components of various networked computing systems, spanning from Internet-of-Things (IoT) to enormous data centers. Research efforts to defend these implementations by introducing new designs for security and advocating best practices in secure programming are not always feasible, nor effective. Even rigorous analysis of the design of a protocol is not sufficient, as indicated by the frequent reports of bugs discovered in protocol implementations after deployment. Hence, it is crucial to develop automated techniques and tools to help programmers detect logical flaws in actual implementations of protocols.

In this talk, I will first present an automated compliance checker to analyze operational behavior of a protocol implementation for detecting semantic bugs, which cause the implementation to fail to comply with its specifications. Next, I will present an automated testing tool to analyze robustness of a protocol implementation against malicious attacks mounted to degrade its runtime performance (e.g., throughput). Finally, I will conclude with several directions for future research to aid the development of secure networked systems.

Endadul Hoque is a Postdoctoral Research Associate in the College of Computer and Information Science at Northeastern University. He received his PhD in Computer Science from Purdue University in 2015. His research revolves around practical cybersecurity problems in the networking domain. His current research focuses on leveraging program analysis and formal verification techniques to create automated analysis tools for ensuring secure and reliable operations of networked systems. During his PhD, he received the Graduate Teaching Fellowship award in 2014 and the Bilsland Dissertation Fellowship award in 2015. His research on automated adversarial testing has also been integrated into course curriculum at Purdue University for teaching secure distributed systems programming.

talk: Semantic Approach to Automating Big Data and Cloud, 12pm Mon 2/20

A Semantically Rich Approach to Automating Big Data and Cloud

Dr. Karuna Joshi
University of Maryland, Baltimore County

12:00pm Monday, 20 February 2017, ITE 325b, UMBC

With the explosion of Big Data and the growth of data science, there is an urgent need to automate the data lifecycle of generation, ingestion, analytics, knowledge extraction, and archival and deletion. With a promise of rapid provisioning, scalability and high computing capability, cloud based services are being adopted as the default computing environment for Big Data analytics.

To effectively manage their data on cloud, organizations need to continuously monitor the rules/constraints and performance metrics listed in a variety of legal contracts. However, these documents, like Service Level Agreements (SLA), privacy policy, regulatory documents, etc., are currently managed as plain text files meant principally for human consumption. Additionally, providers often define their own performance metrics for their services. These factors hinder the automation of steps of the data lifecycle, leading to inefficiencies in using the dynamic and elastic elements of the Data+Cloud ecosystem and requiring manual effort to monitor the service performance. Moreover, Cloud-based service providers are collecting large amounts of data about their consumers including Personally Identifiable Information (PII) like contact addresses, credit card details, bank account details, etc. They are offering customized service level agreements which indicate how such data will be handled. Determining whether these agreements meet individual or corporate requirements, or comply with statutory constraints, currently involves significant human effort.

In this talk, we present the semantically rich approach that we have developed to automatically extract knowledge from large textual datasets, especially legal documents, using text analytics and Semantic Web technologies. We describe the OWL ontologies that we have developed, and the techniques to extract key terms and rules from textual legal documents. We will also illustrate application of our work in domains such as education, healthcare and cybersecurity.

Karuna P. Joshi is a Research Assistant Professor of Computer Science and Electrical Engineering at the University of Maryland, Baltimore County. Her research focuses on Data Science and Big Data Analytics, especially legal text analytics; knowledge representation and reasoning; privacy and security of Big Data and Cloud; and cloud enabled Health IT services. She has published over 30 papers, including in journals like IEEE Transactions on Service Computing and conferences like IEEE Big Data and IEEE CLOUD. Her research is supported by organizations like DoD, ONR, NIST, NSF, GE and IBM. She was also awarded the TEDCO MII award for exploring the commercialization of her research. She has been awarded the prestigious IBM PhD Fellowship. She also has over 15 years of industrial experience, primarily as an IT project manager. She worked at the International Monetary Fund for nearly a decade. Her managerial experience includes portfolio/program/project management across various domains. She received the MS and PhD degrees in Computer Science from UMBC and bachelor’s degree in Computer Engineering from the University of Mumbai, India.

UMBC Grand Challenge Symposium, 1-2:30 pm Friday 2/17, Library

UMBC’s Grand Challenge Scholars Program is designed for students from all majors who are interested in solving important societal problems. The program fosters a vibrant interdisciplinary community to help tackle the National Academy of Engineering’s (NAE) Grand Challenges, and gives students experiences and skills to create solutions to some of the most pressing challenges of the 21st century.

Apply to become a UMBC Grand Challenge Scholar!

UMBC will hold a Grand Challenge Symposium 1:00-2:30 on Friday, February 17 on the 7th floor of the UMBC Library. It features 14 speakers who will give two-minute mini-talks on the 14 Grand Challenges. Professor desJardins will talk briefly about the program and current GC Scholars will be there to share their activities and experiences with the program. Light refreshments will be provided.

Make Solar Energy Economical:
Nilanjan Banerjee, Associate Professor, Computer Science & Electrical Engineering

Provide Access to Clean Water:
Lee Blaney, Assistant Professor, Chemical, Biochemical, and Environmental Engineering

Provide Energy from Fusion:
Carlos Romero-Talamas, Assistant Professor, Mechanical Engineering

Manage the Nitrogen Cycle:
David Lansing, Associate Professor, Geography & Environmental Systems

Develop Carbon Sequestration Methods:
Maggie Holland, Assistant Professor, Geography & Environmental Systems

Engineer Better Medicines:
Erin Lavik, Professor, Chemical, Biochemical & Environmental Engineering

Advance Health Informatics:
Helena Mentis, Assistant Professor, Information Systems

Restore and Improve Urban Infrastructure:
Seung-Jun Kim, Assistant Professor, Computer Science and Electrical Engineering

Secure Cyberspace:
Naghmeh Karimi, Assistant Professor, Computer Science and Electrical Engineering

Prevent Nuclear Terror:
Simon Stacey, Interim Vice Provost Dean for Undergraduate Education and

Advance Personalized Learning:
Omar Ka, Associate Professor, Modern Languages, Linguistics & Intercultural Communication

Enhance Virtual Reality:
Lee Boot, Research Associate Professor, Visual Arts, and Director, Imaging Research Center

Reverse-Engineer the Brain:
Tim Oates, Professor, Computer Science and Electrical Engineering

Engineer the Tools of Scientific Discovery:
Gymama Slaughter, Associate Professor, Computer Science and Electrical Engineering

talk: Cybersecurity and Cellular Technology, 6pm 2/23 Shady Grove

UMBC Cybersecurity Program Cyber Talk

Cybersecurity and Cellular Technology

Joshua Franklin

6:00-8:00pm Thursday, 23 February 2017

The Universities at Shady Grove
Building III (Camille Kendall Academic Center) Room 3241
9636 Gudelsky Drive, Rockville, MD 20850

The UMBC Cybersecurity Program is proud to bring you Cyber Talk, a new speaker series that highlights special topics in Cybersecurity. Join us at The Universities at Shady Grove (USG) for an informative and engaging discussion on the operation of cellular networks and the threats posed to mobile technology. Participants will have the opportunity to ask questions and hear about the latest trends in industry.

Cellular technology plays an increasingly large role in society as it has become the primary portal to the internet for a large segment of the population. One of the main drivers making this change possible is the deployment of modern 4G LTE cellular technologies. This talk serves as a guide to the fundamentals of how cellular networks operate and explores the evolution of 2G GSM, 3G UMTS and 4G cellular security architectures. This is followed by an analysis of the threats posed to cellular networks and supporting mitigations. Although the talk discusses older GSM and UMTS technologies, it is heavily focused on LTE.

Joshua Franklin is a Security Engineer at the National Institute of Standards and Technology (NIST) focusing on cellular security, electronic voting, and public safety. Prior to NIST, Joshua worked at the U.S. Election Assistance Commission gathering extensive experience with voting technologies. After graduating from Kennesaw State University with a Bachelor of Science in Information Systems, he received a Master of Science in Information Security and Assurance from George Mason University.

talk: Accountability and Data Privacy in the Life Cycle of Big Data

Towards End-to-End Security and Privacy: Accountability and Data Privacy in the Life Cycle of Big Data

Taeho Jung
Department of Computer Science
Illinois Institute of Technology

11:00am Tuesday, 14 February 2017, ITE 325b, UMBC

The advent of big data has given birth to numerous innovative life-enhancing applications, but big data is often called a double-edged sword due to the increased privacy and security threats. Such threats, if unaddressed, will become deadly barriers to the achievement of big opportunities and success anticipated in the big data industry because they may arise at any part of the life cycle of the big data.

In this talk, I will describe my research which addressed various privacy and security issues in the big data life cycle: acquisition, storage, provisioning, and consumption. More specifically, I will briefly present how various types of data can be protected in their acquisition and consumption phases of the life cycle, and subsequently, I will introduce the theoretic foundations of the presented research. Finally, I will present how to make large-scale data trading accountable against dishonest users for the provisioning phase of big data, and this talk will be concluded with my future research agenda briefing.

Taeho Jung is a Ph.D. candidate in Computer Science at Illinois Institute of Technology. His research area, in general, includes privacy and security issues in data mining and provisioning in the big data life cycle. His paper has won a best paper award (IEEE IPCCC 2014), and two of his papers were selected as best paper candidate (ACM MobiHoc 2014) and best paper award runner-up (BigCom 2015) respectively. He has served many international conferences as a TPC member, including IEEE DCOSS 2016, IEEE MSN 2016, IEEE IPCCC 2016, and BigCom 2016. He received his B.E. in Computer Software from Tsinghua University in 2011, and he will receive his Ph.D. in May 2017.

talk: Bayesianism and the Evidence Problem, 4pm 2/15

Philosophy Department Colloquium

Bayesianism and the Evidence Problem

Lisa Cassell
University of Massachusetts/Amherst

4-6:00pm Wednesday, 15 February 2017, 456 Performing Arts & Humanities

Bayesianism is a theory that gives us norms for how the degrees of belief we have in certain propositions — our “credences” — ought to hang together. For instance, it tells me that if my credence that I will play baseball tomorrow is .3 and my credence that I will play basketball tomorrow is .4, then, if I believe that I will only play one or the other, my credence that I will either play baseball tomorrow or basketball tomorrow is .7. One of Bayesianism’s most attractive features is its updating norm, which gives us a simple and powerful way of revising our beliefs in the light of new evidence. However, Bayesians have an “Evidence Problem”: while their updating norm tells us what to do once we get evidence, it doesn’t tell us what it means to actually have evidence. In this talk, I consider two arguments — one in support of Bayesianism’s updating norm and one against it — and show that both of these arguments fail. I go on to consider what these failures teach us about the Evidence Problem. I conclude by considering some different ways of resolving this problem.

UMBC’s Cyber Scholars program stands out as a national model in “Diverse”

At a time when just 12 percent of information security analysts are black, Hispanic or Asian, and only 20 percent of information security analysts are women, successful student support programs like UMBC’s Cyber Scholars are poised to make a major impact on the field, suggests a new article in Diverse: Issues in Higher Education. The article focuses on this UMBC program as a model for increasing diversity in cyber-related fields through supporting the success of women and underrepresented minority students in cybersecurity, including providing them with opportunities to expand their professional networks.

The UMBC Cyber Scholars program currently includes 40 scholars and 10 associates, and over 97 percent of the scholars and associates in the program have graduated in their intended major, or are pursuing degrees in computer science, computer engineering or information systems, said Cindy Greenwood, assistant director of the program. Of those participating students, 53 percent are women and 40 percent are underrepresented minorities, in stark contrast to national averages for information security professions.

The Cyber Scholars program stands out in higher education because of the variety of elements offered to students, explained Anupam Joshi, professor and chair of computer science and electrical engineering, and director of the Center for Cybersecurity at UMBC. “Many other programs only focus on imparting technology training in cybersecurity,” he said. “Our program is part of formal degree requirements in computer science, computer engineering and information systems” and students can take a broad range of elective courses, which, Joshi noted, “mix instruction in the theory with hands-on projects.”

Each week, Joshi explained, the students in the Cyber Scholars program hear from industry leaders and government officials on topics such as professional development and technical aspects of the field. “They also conduct peer-led workshops in cybersecurity and work with faculty in research labs,” he added. “They are encouraged to do internships in the industry multiple times and get security clearances in the process.”

Alejandra Diaz ‘17, computer science, has been involved with the Cyber Scholars program since she was a freshman at UMBC, and described how the program has helped her grow and access new opportunities. After she met with UMBC President Freeman Hrabowski and Wes Bush, CEO of Northrop Grumman, Diaz interviewed for an internship with Northrop Grumman. Diaz has now interned twice with Northrop Grumman and plans to return to the company before pursuing her master’s degree.

Alejandra Diaz, left, with fellow Cyber Scholars. Photo by Marlayna Demond ’11 for UMBC.

Read “Programs Aim to Open Doors to Diversity in Cybersecurity” in Diverse: Issues in Higher Education.

Adapted from UMBC News; Header Image: The ITE building at UMBC. Photo by Marlayna Demond ’11 for UMBC.

Recruiting UMBC Students for the Grand Challenge Scholars Program, Fri. 2/17

UMBC undergraduates interested in the Grand Challenge Scholars Program are encouraged to attend a symposium and recruiting event at 1:00pm on Friday, February 17.

The Grand Challenge Scholars Program is a program for undergraduates in all majors who are interested in thinking about big problems facing society, and how to solve them from broad, multidisciplinary perspectives. Students select one of 14 Grand Challenges identified by the National Academy of Engineering, and work within the cohort of Grand Challenge Scholars to identify and pursue experiences related to their Grand Challenge in five program areas: research, interdisciplinary, entrepreneurship, global, and service.

To launch the upcoming spring application period for UMBC students entering the program, there will be a Grand Challenge Symposium on February 17, 2017, from 1-2:30 pm on the 7th floor of the Library. The symposium will feature 14 UMBC faculty members who will give two-minute “mini-talks” on their research as it relates to the 14 Grand Challenges. The event will also showcase some of the work of the current Grand Challenge Scholars, and we will offer light refreshments.

Students who are interested in applying to the Grand Challenge Scholars Program are especially encouraged to attend, as are faculty and staff who have an interest in any of the Grand Challenges or would simply like to learn more about the program. More information about the program is available on the UMBC Grand Challenge Scholars Program Web site and applications are due on April 1.

Course instructors or TAs can arrange for a program representative to come to their class to share information about the program by contacting Prof. Marie desJardins or Ciara Christian.

Please RSVP for the event, follow the Grand Challenges MyUMBC group and contact Prof. Marie desJardins if you have any questions or comments about the program.

CSEE faculty on securing the president’s smartphone and avoiding “cyber-fatigue”

Professor Anupam Joshi, chair of the CSEE Department and director of the UMBC Center for Cybersecurity

With a new administration in the White House, securing the president’s smartphone is a national security priority, but exactly what steps are taken to secure the phone are not made public. In a new article in The Conversation, Anupam Joshi, professor and chair of computer science and electrical engineering, and director of the Center for Cybersecurity at UMBC, discusses several likely ways President Trump’s security team is building protections into his phone, through everything from hardware to settings to app restrictions.

Limiting the number of people who have the president’s new phone number and keeping the unique International Mobile Equipment Identity number guarded can prevent potential attackers from accessing confidential information stored on the phone. This method is called “security by obscurity,” says Joshi.

Joshi also says the device Trump will use was likely made by a trusted manufacturer with carefully created and checked parts, explaining that this minimizes the “risk that the hardware would have any vulnerabilities that an attacker could exploit.”

Customizing the operating system and allowing the phone to connect only with predetermined networks that are regularly monitored can also help protect against attacks, says Joshi. “Limiting its contact with the internet would, of course, be key,” he notes, “though that would also significantly limit the phone’s usefulness to a president whose routine involves constant connection.” Joshi says that limiting the number of apps on the phone, reducing the ability for additional apps to be downloaded and installed, and disabling automatic updates to the phone could keep the device even more secure.

While it is not certain which methods have been employed to secure the presidential smartphone, Joshi says that Trump trading in his commercial-grade phone for a government-secured device is an important first step in protecting the U.S. from hacks and attacks.

In another article in The Conversation, Rick Forno, assistant director of the UMBC Center for Cybersecurity and director of the Cybersecurity Graduate Program at UMBC, discusses the importance of addressing both short-term and long-term cybersecurity issues. He explains that ignoring underlying problems and only addressing small, attention-grabbing issues does not lead to lasting progress. “Cyber-fatigue,” explains Forno, is an “inability to think critically about what needs to happen for meaningful, lasting cybersecurity improvements while focusing only on near-term problems.”

He says that while it is important to evaluate the benefits, conveniences and savings that new products and services may offer, the potential risks and problems should be considered, too. “So instead of repeating the same guidelines and recommendations of the past, it’s time to take a new and unconventional look at our approach to technology and how we secure it,” Forno explains. “Unless we’re willing to go beyond our traditional cybersecurity ‘comfort zone’ and explore new solutions, our cyber-fatigue will worsen.”

Read “How to secure a smartphone for the tweeter-in-chief” and “Overcoming ‘cyber-fatigue’ requires users to step up for security” in The Conversation. Joshi’s piece also appeared in Mashable and Channel NewsAsia, and together the articles have already been read over 36,000 times.

Adapted from UMBC News, photo by Marlayna Demond ’11 for UMBC.

Capital Area Women in Computing Celebration, 2/24-25

The Capital Area Women in Computing Celebration, sponsored by ACM-W, will be held at Georgetown University on Friday, February 24 and Saturday, February 25.

The celebration will bring together women at the high school, undergraduate, graduate, and professional levels to promote the recruitment, retention, and progression of women in computing fields.

The cost of student attendance is modest: $50 with shared hotel room, or $25 without hotel. Scholarships are available as well.

To get more information and to register, visit the CAPWIC 2017 Web site.

Reasons to Attend

  • Share your work and ideas with your peers and experts during the poster session, flash talk, or technical short.
  • Be inspired. Meet technical women like you and celebrate your accomplishments together.
  • Hear success stories of technical women who made it this far!
  • Broaden your skills by attending a workshop.
  • Meet recruiters from business, industry, and academia for internships, jobs, or graduate programs.
  • Find a new job or internship. Bring your resume to our career fair to apply for job and internship opportunities.
  • Did we mention that it is FUN!
