SunTrust Fellows Presentations

In recent years, we have witnessed the dramatic growth of mobile devices in the IoT domain, which enables people and services to interconnect and exchange information constantly. The number of IoT mobile users tends to grow larger connecting more and more people and devices. On the flip side, IoT mobile devices are subject to insecure design, implementation, or configuration. As a result, underpinning networks that are based on such devices are exposed to misuse and cyberattacks [1]. To safeguard Mobile IoT networks, Intrusion Detection Systems (IDSs) have been widely used to monitor the network traffic and identify suspicious activities within the traffic. IDS systems are often regarded as a critical component in protecting IoT nodes and networks as well as mitigating adverse effects of cyber attack targeting IoT. In general, IDSs are categorized as signature-based or anomaly-based defense mechanisms [2]. Signature-based IDSs recognize intrusions (or suspicious activities) by finding the relationship between previously learned rules/signatures of known attacks' rules. Anomaly-based IDSs monitor network traffic and compare the traffic with previously learned patterns to spot malicious activities. Despite their wide adoption, IDS-based methods are, however, not very effective in detecting new and unknown adversarial attacks (signature-based IDSs are unable to detect new attacks unless they have the latest version of all attack signatures). Anomaly-based methods have shown to be able to recognize known and new attacks to some degree, but they often arise high false-positive rates hindering the accuracy [3]. Given the massive scale and heterogeneous networks of the IoT mobile devices, the effectiveness of the Intrusion Detection System (IDS) in detecting attacks is questionable. Machine Learning (ML), as cutting-edge technology for designing and implementing robust intelligent systems, has been greatly contributing to cybersecurity solutions. The past decade has witnessed the release of several approaches utilizing ML for different aspects of cybersecurity ranging from malware detection and threat intelligence to forensic investigation and privacy-preserving. Deep Learning (DL) is one of the emerging topics of ML, which is generally related to a capable learning model that includes several layers, and each layer contains enormous computational nodes. DL models have demonstrated their suitability and competency for different data-driven problems including cybersecurity. Recently, recurrence neural networks have been used in different IDS based on anomaly-detection techniques. Lately, Malhorta et.al in [4] apply Long Short-Term Memory (LSTM) for detecting anomalies in time series data. Opera et al. [5] utilize a deep network to analyze DNS log data to detect anomaly patterns in enterprise networks. The recently proposed approaches mostly operate in an off-line manner while there is a high demand for a real-time data analysis platform to detect zero-day vulnerabilities and anomaly attacks. In this project, we aim to propose a new effective anomaly detection model to differentiate benign patterns of behavior from malicious activities in mobile-based networks. To tackle the aforementioned challenges, we utilize Federated Machine Learning (FML) technique for aggregating anomaly detection patterns for IDSs. While traditional Machine Learning models mainly rely on computational power and training dataset of a centralized server, Federated Machine Learning (FML), which has gained much attention recently in different domains, is defined as a combination of federated and machine learning techniques [4]. FML implements different machine learning techniques in a decentralized environment where the machine learning models are developed based on the datasets distributed across different devices. Our work intends to use FML using PySyft framework1 to develop a global machine learningbased IDS model from many local IDS running at each IoT mobile device. While applying anomaly detection techniques in the IoT environment is associated with some challenges such as resource limitations and heterogeneity of IoT devices, and the current approaches are still dealing with those, we plan to target those issues and come up with a novel and efficient model for anomaly detection IDS using FML. In our model, the light version of the IDS (local IDS) will run on each IoT device. The local IDS will be trained, and the improved version of the model will be sent to the main server to contribute to the global IDS. In the training procedure, the IoT device collects local information, incorporates the data into the local model, refining and learning the decision boundary between the benign pattern of behavior and malicious activities. The central server, generally, average all of the updates to calculate the improved global model. Then the updated model, which is the most accurate IDS, is pushed onto the IoT mobile devices. Using FML to implement anomaly detection based IDS, enables all IoT devices to cooperate in training and improving the global model without the need of sharing their actual data. Additionally, the FML technique features the IDSs to operate in a real-time manner that we have not noticed in the current ML-based IDSs.

A key organizational mechanism used to manage IT security relates to security policies and procedures. Such procedures tend to be prescriptive and assume all individual use of technology to be rational and similar. However, recent research in information use identifies three clear and distinct types of IT use that depends on technology familiarity and task at hand. The three types of uses (initial, continued and novel use) draw on different types of cognitive load. This research draws on the theory of cognitive load from psychology to understand the impact on behavior and performance of actions Our primarily focus is on post- adoptive (continued and novel use) behavior, since that is what most users tend to do, since that is where much of the organizational security instructions happen. We propose using NeuroIS methods to evaluate and test each of the components of the theory.

Artificial intelligence (AI) workloads have changed the computing paradigm from cloud services to mobile applications. However, there lacks an in-depth analysis of their advantages, limitations, performance and resource consumptions in an edge environment. In this work, we perform a comprehensive study of representative AI workloads on edge computing. We first conduct a summary of modern edge hardware and popular AI workloads. Then we quantitatively evaluate the AI applications in realistic edge environments based on Raspberry Pi, Nvidia TX2, etc. Our experiments show that performance variation and difference in resource footprint limit availability of certain types of workload. Our results could help user select the appropriate AI models or edge hardwares for their workloads and guide the optimization of existing AI scenarios.

We study the jamming resistant mobile device communication problem under the multiple resource constraint model in 5G networks. Given a set of communication links, assume that the complete channel state information of each link is unknown subject to jamming resistant constraints, but we can estimate it by exploiting the memory along with channel state feedback. Assume time is divided into time-slots. The objective is to select links under the multiple resource constraint model to transmit sequentially to maximize the jamming resistant throughput over an infinite time horizon. Existing work simply assumes a single resource constraint or an even simpler model. To this end, we apply the framework of restless multi-armed bandit and develop a fast and simple approximation algorithm. We prove that the proposed algorithm can achieve good approximation bounds. We evaluate and compare our work with a greedy method adapted from the well known Whittle’s index policy, and show that our algorithm outperfoms the greedy method in terms of average throughput.

As the mobile devices and applications are being widely adopted and used, Mobile security, or more specifically mobile device security, has become increasingly important. Attacks through mobile apps have caused major data leak due to application vulnerabilities continue to occur. This kind of data leaks can be addressed and fixed in the application development process. Many developers may not be well aware of the vulnerabilities when developing mobile applications and may lack the technical support for detecting data leak analysis within the development environment. In this report, we discuss the need and development of a plugin tool for Android Studio for preventing data leak. We developed a hands-on labware where the plugin can be applied for detection of data leak through SQL injection. We also shared our ongoing experience of the labware integrated in a Summer 2020 course. The preliminary student feedback is collected and reported in this document.

This project aims to develop a repository of instructional materials and assessment tools related to information security using a collaborative guided learning pedagogy. The focus is on the development and implementation of collaborative guided learning materials for Business Email Comprise Attacks (BEC), as well as contingency operations for ransomware attacks. We also take the opportunity to expand beyond these two topics and further develop learning materials to cover a wide range of security topics such as input validation, buffer-overflow attack, SQL injection, and cross-site scripting attack that can be integrated into a broad range of curriculum.

In addition to developing a repository of learning materials, learning the effectiveness of the collaborative guided learning pedagogy for information security-related topics is also investigated. A set of four learning activities: TCP/IP SYN Attack, HIPAA, Input Validation, and CIA/AAA, were implemented in the Spring and Summer semesters of 2020.

Despite the challenges brought by COVID-19, the collaborative online learning activities worked well during the preliminary trial run. Overall, students were more prepared in the summer than spring for online collaborative activities due to the initial impact of the pandemic. Feedback from student survey expressed a positive attitude and learning experience towards the collaborative learning activities. Through these activities, students will have increased cybersecurity awareness both at home and at work. Our next step, in addition to developing more collaborative learning activities for information security-related topics, is to adapt them for both in-class and online modality.

The deep convolutional neural networks show outstanding competence of computer vision tasks in various areas, and in recent years these computer vision models have been widely implemented by the information industry replacing the traditional handcrafted feature extraction models. Therefore, the enormous development and improvement of performance on information extraction from image data in both accuracy and running speed make the problem of information leak from the users' image data more crucial and urgent. To proctect the privacy of image data, we propose the noise generation model to add noise on image data to avoid the unnecessary information leak to the unauthorized computer vision models, the Pivot Pixel Noise Generator(PPNG) by Particle Swarm Optimization(PSO). The PPNG is based on the fact that the sensitivity of each of the pixels on one input image is different. In other words, the changes in the image classification model's output prediction scores vary significantly, reacting to the same RGB value change on different pixels. Also, the pattern of the sensitivity density distribution over the image is highly related to the category and composition of the input image. By utilizing this feature and the PSO, the PPNG generates noise points on the most sensitive pixels on the target images to lower the computer vision model’s performance and reserve privacy on users' images. The PPNG model performs in a half-black-box manner and balances the number of queries to the target model and the total number of the modified points. We also introduce the PSO Knowledge Transfer as the initialization strategy for the PPNG model. The PSO Knowledge Transfer initializes the PPNG model’s parameters based on the experiences from the previous optimizations and effectively reduces the number of queries and noise points generated. The complete model is tested on the image classification benchmark model ResNet50, and the results show the improvement from the baseline algorithm.

Ensuring employees comply with the information security policy is an essential component of the security program in an organization. Grounded in action research and inspired by Unified Model of Information Security Compliance (UMISPC) (Moody et al. 2018), we introduce a customizable framework to promote information security policy compliance and lay out a plan to empirically test the proposed framework in a large public university in the southeast of US. The proposed framework can facilitate organizations to better understand their employees’ non-compliance behaviors and create effective remediation actions. This project is supported by SunTrust Fellowship program. In this paper, we report the progress of our project and the preliminary results of our findings.