Security & Privacy Symposium




20-22 February 2014
Home Agenda Speakers Posters Registration Venue Organizers Past SPSs

Speakers


Dr. Mustaque Ahamad, College of Computing, Georgia Institute of Technology

Title: Ground-Truth Driven Cyber Security Research: Some Examples
Abstract: Like other fields of security, cyber security must make assumptions about trust in systems and people, and the threats that will target systems that need to be secured. Based on such assumptions, we strive to provide certain security guarantees. There is much talk about the growing sophistication of cyber security threats. However, making realistic assumptions about such threats requires access to data that can reveal the ground-truth.Thus, data becomes an enabler for research that seeks to understand threats proactively and to develop defenses against them. This talk will cover several examples of research projects that would not have been successful without access to data. These range from malware analysis to attacks that use the converged telephony infrastructure to craft automated and large-scale accounts. The talk will conclude by arguing that data sharing and coordination is a key requirement for us to address future cyber security threats.

Bio: Dr. Mustaque Ahamad is a professor of Computer Science at the Georgia Institute of Technology, and a global professor of engineering at New York University Abu Dhabi. He served as director of the Georgia Tech Information Security Center (GTISC) from 2004-2012. As director of GTISC, Dr. Ahamad helped develop several major research thrusts in areas that include security of emerging convergedcommunication networks and applications, identity and access management andsecurity of healthcare information technology. He also worked extensively with local and national industry leaders to develop effective relationships to address thechallenges associated with cyber security. Dr. Ahamad also co-founded Pindrop Security which provides solutions to secure telephony-based transactions.
In his twenty seven year academic career at Georgia Tech, Dr. Ahamad has led numerous research projects and educationalinitiatives. His research interests span distributed systems and middleware, computer security and dependable systems. He has published over one hundredresearch papers in these areas and has advised over two dozen doctoral students. He has also served on program committees of numerous conferences and has received awards for his research papers. His research has been funded by the National Science Foundation, Department of Defense and numerous information technology and security companies. Dr. Ahamad led the effort to create a broad and comprehensive information security curriculum and a graduate degree program in this area at Georgia Tech. Dr. Ahamad received his Ph.D. in Computer Science from the State University of New York at Stony Brook in 1985. He received his undergraduate degree in electrical and electronics engineering from the Birla Institute of Technology and Science, Pilani, India.


Mr. Sanjay Bahl, CERT-in

Title: Capacity Building
Abstract: The internet penetration in India is expected to reach a figure of 330 million by 2015 and is propelling the country towards the digital economy. The word digital involves interactive machine learning as well as commerce using ICT infrastructures. As the cyberspace continues to expand exponentially, it is increasingly becoming apparent that the vulnerability of businesses, society, individuals and Nations is at risk. Managing these risks is a challenge as the threat sophistication is outpacing the skills, knowledge and awareness of security professionals and users. To address this challenge this session would touch upon what could be a sustainable capacity building strategy for the country.

Bio: Sanjay Bahl, CISM, CIPP/IT, is currently with CERT-In and an adjunct faculty with IIIT Delhi. He has been providing consultancy in the area of governance, risk, compliance, security, privacy, forensics, investigation and fraud management to some national level projects in India. Prior to CERT-In, he was the Chief Security Officer (CSO) for Microsoft Corporation (India) Pvt Ltd., where he was responsible for interaction with the government, academia, key strategic accounts and the CxO community with respect to Microsoft's security strategy and helping in the public policy direction. Sanjay is and has been a member of various Security committees at National and International level.


Dr. Soumya K Ghosh, IIT, Kharagpur

Title: VANET Security: Misbehavior Detection in Vehicular Ad-hoc Network
Abstract: Vehicular Ad-hoc Network (VANET) enables moving vehicles to communicate with each other (V2V) as well as with roadside base stations (V2I) by creating mobile ad-hoc networks. The communication in VANET takes place in single-hop as well as multi-hop. Privacy and security of the participating vehicles are two major concerns before rolling out of the VANET in real scenario. VANET has security threat from the authenticated as well as unauthenticated nodes. However, the major security concern is due to authenticated nodes, which are allowed to communicate with the peers in the network. In any network, there is always the possibility of existence of nodes, whose behavior is not conformant to specifications. Irrespective of the reasons behind such misbehavior, these nodes pose threats to the genuine nodes in the network. This talk discusses the requirements, challenges and the possible approaches to the misbehavior detection problem in VANET.

Bio: Soumya K. Ghosh is an Associate Professor at the School of Information Technology, IIT Kharagpur. He received his PhD in Computer Science & Engineering, Indian Institute of Technology (IIT) Kharagpur, India. Before joining IIT Kharagpur, Dr. Ghosh worked for Indian Space Research Organization in the area of Satellite Remote Sensing and GIS. His research interests include Geoscience and Spatial Web Services, Network Security, Cloud Computing and Security. He has over 100 research publications in journals and conference proceedings.

Dr. Krishna P. Gummadi, Networked Systems Research Group, Max Planck Institute for Software Systems

Title: Exploring the Design Space of Social Network-based Sybil Defenses
Abstract: Recently, there has been significant research interest in leveraging social networks to defend against Sybil attacks. While much of this work may appear similar at first glance, I will argue that the existing social network-based Sybil defense schemes can be broadly divided into two categories: Sybil detection and Sybil tolerance. These two categories of systems both leverage global properties of the underlying social graph, but they rely on different assumptions and provide different guarantees: Sybil detection schemes are application-independent and rely only on the graph structure to identify Sybil identities, while Sybil tolerance schemes rely on application-specific information and leverage the graph structure and transaction history to bound the leverage an attacker can gain from using multiple identities. In this talk, I will take a closer look at the design goals, models, assumptions, guarantees, and limitations of both categories of social network-based Sybil defense systems.

Bio: Krishna Gummadi is tenured faculty member and head of the networked systems research group at the Max Planck Institute for Software Systems (MPI-SWS) in Germany. He received his Ph.D. (2005) and M.S. (2002) degrees in Computer Science and Engineering from the University of Washington, Seattle. He also holds a B.Tech (2000) degree in Computer Science and Engineering from the Indian Institute of Technology, Madras. Krishna's research interests are in the measurement, analysis, design, and evaluation of complex Internet-scale systems. His current projects focus on enabling the social Web. Specifically, they include (a) understanding the structure and evolution of social network graphs, (b) understanding how content and information propagates through social networks, and (c) leveraging social networks for building better information sharing systems (i.e., better search results and content recommendations as well as filtering unwanted communication and content). Krishna's work on online social networks, Internet access networks, and peer-to-peer systems has led to a number of widely cited papers. He also received best paper awards at OSDI, SIGCOMM IMW, and MMCN for his work on Internet measurements and peer-to-peer systems.

Mr. Raj Gopalakrishna, CA Technologies

Title: Protecting secrets in Software
Abstract: Traditionally cryptographic keys and other secrets are protected using specialised crypto hardware like Smartcard, Secure Element (SE), HSM. Crypto USB etc. In a domain like mobile payments or Internet Banking, using specialised crypto hardware in security solutions is a very expensive, inconvenient and inhibits adoption. Secondly Card skimming is a multi-billion dollar global fraud problem. The traditional approach is the use of chip and pin to protect against card skimming but the fraud just moves to CNP. This presentation will cover some innovative work from CA to protect secrets in software. The presentation will also cover the protection of payment information in software on mobile devices without the assistance of SE.

Bio: Raj Gopalakrishna is SVP and Distinguished Engineer at CA Technologies Inc. He brings over 2 decades of product development experience across Security, Data management, Cloud, and Payments domains. He has multiple patents to his name and is currently working on Big Data, Cloud and Analytics.
Raj architected the popular payer authentication solution known as Verified-by-Visa / MasterCard SecureCode , which as a SaaS service is used by 15,000+ Banks and 100+ million card holders each day. Amongst others, he also architected CA Arcot AuthMinder (2FA), CA Arcot RiskMinder (Fraud detection) products and the Informix Online Database server.

Dr. Ponnurangam Kumaraguru ("PK")

Title: Privacy and Security in Online Social Media
Abstract: With increase in usage of the Internet, there has been an exponential increase in the use of online social media on the Internet. Websites like Facebook, Google+, YouTube, Orkut, Twitter and Flickr have changed the way Internet is being used. There is a dire need to investigate, study and characterize privacy and security on online social media from various perspectives (computational, cultural, psychological). Real world scalable systems need to be built to detect and defend security and privacy issues on online social media. I will describe briefly some cool ongoing projects that we have: Twit-Digest, MultiOSN, Finding Nemo, OCEAN, Privacy in India, and Call Me MayBe. Many of our research work is made available for public use through tools or online services. Our work derives techniques from Data Mining, Text Mining, Statistics, Network Science, Public Policy, Complex networks, Human Computer Interaction, and Psychology. In particular, in this talk, I will focus on the following: (1) Twit-Digest is a tool to extract intelligence from Twitter which can be useful to security analysts. Twit-Digest is backed by award-winning research publications in international and national venues. (2) MultiOSN is a platform to analyze multiple OSM services to gain intelligence on a given topic / event of interest (2) OCEAN: Open source Collation of eGovernment data and Networks Here, we show how publicly available information on Government services can be used to profile citizens in India. This work obtained the Best Poster Award at Security and Privacy Symposium at IIT Kanpur, 2013 and it has gained a lot of traction in Indian media. (3) In Finding Nemo, given an identity in one online social media, we are interested in finding the digital foot print of the user in other social media services, this is also called digital identity stitching problem. This work is also backed by award-winning research publication. I will be more than happy to clarify, discuss, any of our work indetail, as required, after the talk.

Bio: Ponnurangam Kumaraguru ("PK") Assistant Professor, is currently the Hemant Bharat Ram Faculty Research Fellow at the Indraprastha Institute of Information Technology (IIIT), Delhi, India. PK is the Founding Head of Cybersecurity Education and Research Centre (CERC). PK is one of ACM India Eminent Speakers. He received his Ph.D. from the School of Computer Science at Carnegie Mellon University (CMU). His research interests include Privacy, e-Crime, Online Social Media, and Usable Security, in particular, these days he has been dabbling with complex networked systems (e.g. social web systems like Twitter, Facebook, and telephone logs). He is also very passionate about issues related to human computer interaction. As Principal Investigator, PK is currently managing research projects of about 2 Crores INR. PK is a Co-Principal Investigator in a project approved at the Europe Union FP7 which is about 5.3 million Euros. PK has received research funds from Government of India, National Science Foundation (NSF), USA, industry bodies in India, and International Development Research Centre. He is serving as a PC member in prestigious conferences like WWW, AsiaCCS and he is also serving as a reviewer for International Journal of Information Security and ACM's Transactions on Internet Technology (TOIT). PK’s Ph.D. thesis work on anti-phishing research at Carnegie Mellon University has contributed in creating an award winning start-up Wombat Security Technologies wombatsecurity.com. PK founded and manages PreCog, precog.iiitd.edu.in a research group at IIIT-Delhi. PK is actively working with budding entrepreneurs to convert their technological ideas into products and services, a few examples: Wizters and backpack. PK can be reached at pk@iiitd.ac.in.

Dr. Murat Kantarcioglu, University of Texas at Dallas

Title: Limits of Data Mining in Malicious Activity Detection
Abstract: Many data mining applications, such as spam filtering and intrusion detection, are faced with active adversaries. In all these applications, the future data sets and the training data set are no longer from the same population, due to the transformations employed by the adversaries. Hence a main assumption for the existing data mining techniques no longer holds and initially successful data mining models degrade easily. This becomes a game between the adversary and the data miner: The adversary modifies its strategy to avoid being detected by the current classifier; the data miner then updates its classifier based on the new threats. In this talk, we investigate the possibility of an equilibrium in this seemingly never ending game, where neither party has an incentive to change. Modifying the data mining algorithm causes too many false positives with too little increase in true positives; changes by the adversary decrease the utility of the false negative items that are not detected. We discuss our game theoretic framework where equilibrium behavior of adversarial classification applications can be analyzed, and provide solutions for finding an equilibrium point. A classifier's equilibrium performance indicates its eventual success or failure. The data miner could then select attributes based on their equilibrium performance, and construct an effective data mining model. In addition, we discuss how our framework could be applied for building support vector machines that are more resilient to adversarial attacks.
In the remainder of this talk, we discuss the implications of our game theoretic adversarial data mining framework in the context of social network mining. We discuss how data mining techniques could be applied to predict undisclosed private information. More specifically, we discuss how to launch inference attacks using released social networking data to predict undisclosed private information about individuals, such as their political affiliation or sexual orientation. We then discuss various techniques that could be employed to prevent learning of such sensitive data and the effectiveness of these techniques in practice. We show that we can decrease the effectiveness of data mining algorithms by sanitizing data.

Bio: Dr. Murat Kantarcioglu is an Associate Professor in the Computer Science Department and Director of the UTD Data Security and Privacy Lab at the University of Texas at Dallas. He holds a B.S. in Computer Engineering from Middle East Technical University, and M.S. and Ph.D degrees in Computer Science from Purdue University. He is a recipient of NSF CAREER award and Purdue CERIAS Diamond Award for Academic excellence. Currently, he is a visiting scholar at Harvard Data Privacy Lab.
Dr. Kantarcioglu's research focuses on creating technologies that can efficiently extract useful information from any data without sacrificing privacy or security. His research has been supported by grants from NSF, AFOSR, ONR, NSA, and NIH. He has published over 110 peer reviewed papers. Some of his research work has been covered by the media outlets such as Boston Globe, ABC News etc. and has received two best paper awards.

Dr. Rahul Purandare, IIIT, Delhi

Title: Providing Security Assurances Using Dynamic Program Analysis
Abstract: Program analysis techniques have been employed in the past to ensure that programs do not violate safety properties. More recently, there has been a growing interest in the development of analysis techniques to address issues related to software security. Security properties and features often evolve with the software and the analysis techniques need to be efficient as well as adaptive to the changing environment and requirements. Dynamic program analysis is particularly attractive due to its high precision, scalability and adaptability. In this talk, we will take a look at some of the promising approaches and models developed to provide assurances about software security.

Bio: Rahul Purandare is an Assistant Professor in the department of Computer Science and Engineering at the Indraprastha Institute of Information Technology Delhi (IIIT-D). He received his Ph.D. in Computer Science from the University of Nebraska - Lincoln in 2011. Before that he worked with Tech Mahindra (India) and with BT (U.K.) from 1996 to 2006 in various capacities as a software engineer, a project leader and a senior consultant. His research interests are in software engineering, program analysis, software security, automatic program repair and specification mining. His research has appeared in the proceedings of several reputed conferences including OOPSLA, ICSE, ISSTA, ASE and RV. He has received the ACM distinguished research paper award for the work which was presented at ISSTA 2013.

Dr. R. Ramanujam, The Institute of Mathematical Sciences, Chennai

Title: Feeling secure: The need for formal proof
Abstract: Roger Needham once famously remarked: security protocols are three-line programs that we still manage to get wrong. This is because the reasoning underlying security mechanisms and models tends to be subtle. While there is a clear case for formal proofs in the design and verification of security policies and protocols, there is as yet no simple and elegant logic that can be "sold" to practitioners. We discuss the role formal proofs and analyis can play in security verification and the challenges involved in making these part of the overall security scenario.

Bio: R. Ramanujam is a researcher in theoretical computer science at the Institute of Mathematical Sciences, Chennai. His work involves the application of techniques from automata theory and mathematical logic for problems arising from computer science: of late, these have involved distributed computing, security theory and game theory.

Dr. Srini Ramaswamy, ABB Research, Bangalore

Title: Addressing Security and Privacy in Industrial Automation Systems through Effective Software Design
Abstract: Future automation systems, in spite of greater and wider automation, will retain the human element in the decision making loop for reflexive decision making skills that impact safety and security. Much of our current day problems with automation software systems can be attributed to the inherent flexibility that users’ actively seek in software-driven automation control systems. Often, problems arise as these systems are not effectively designed and tested to coexist with other complex systems, including humans, while generating vast and dynamic information elements. In this talk, I will outline and summarize a few notional software design concepts for enabling security and privacy in such complex systems and outline some of the challenges, risks and opportunities that lie ahead for engineering professionals, specifically from a computing perspective, who will be tasked with the engineering of such complex automation systems.

Bio: Dr. Srini Ramaswamy currently serves as the Global Project Manager for the Symphony Plus Engineering for the Power Generation business unit and a member of its global technology organization. Earlier he served the Global lead for Software Tools Development and Services for the Software Development Improvement Program (SDIP) at ABB, headed the Industrial Software Systems research group at its India Corporate Research Center (CRC), and headed the Tools and Support Services group for its India Development Center (IDC) in Bangalore, India. On the academic front, he serves as a visiting professor at the Univ. of Arkansas at Little Rock and an honorary adjunct professor at the International Institute of Information Technology – Bangalore. Additionally, he serves as the Associate Director for the Australia-India Center for Automation Software Engineering, a $3M 3-way Industry – University – Government partnership focused on software systems research. His research interests are on systems engineering, intelligent and flexible control, behavior modeling, analysis and simulation, empirical software systems research, software stability and scalability; particularly in the design and development of complex software systems. Before embarking on a corporate career, he was in US academia for 16 years, which included several invited visiting appointments: at INSA de Rouen, France (four times), at the Institute of Software Integrated Systems (ISIS) at Vanderbilt University (thrice), and at the University of Texas at Austin (thrice).

Dr. Bimal K. Roy, Indian Statistical Institute, Kolkata

Title: Combinatorial Batch Codes
Abstract: The issue dealt here is related to retrieval of data items from a data base with some security constraint. There are n data items, stored in m servers (repetition allowed). For given k, any k items are to be retrieved with the constraint that at most t (t<=k) items can be obtained from a single server. N is the total storage. The idea is to minimize N given n, m, k, t. Existing as well as new results will be presented.

Bio: His bio is available at http://www.isical.ac.in/~bimal/

Dr. Kannan Srinathan, IIIT, Hyderabad

Title: One, Two, Three, Four, Five of Modern Cryptography
Abstract: In late 1940s, Claude Shannon proved that secure message transmission, one of the simplest problems in information security, has no perfect solution. In order to circumvent Shannon's pessimistic theorem, modern scientists find that two relaxations are usually necessary, viz. (a) the adversary's computational power is polynomially bounded, and (b) negligible probability of error in the solution is allowed. Further, if one-way functions exist, it is known that these relaxations are sufficient too! However, contemporary mathematics falls short of proving/disproving the existence of one-way functions. One therefore needs to assume that certain functions are potentially one-way. Consequently, unlike other mathematical sciences that are founded on the two pillars of good definitions and rigorous proofs, cryptography has three design principles, namely, (a) formulate good security definitions, (b) state precisely the assumptions involved and (c) give rigorous proofs of security. Alternatively, Shannon's pessimism can also be fundamentally circumvented in at least three other ways, namely, quantum mechanical, or information-theoretical or access/distributed control, leading to four different paradigms of security.
In the talk, we discuss on One-way functions, Two famous relaxations, Three design principles, Four security paradigms and Five fields where analogous pessimistic theorems are circumvented.

Bio: Kannan Srinathan is an Assistant Professor at IIIT-Hyderabad. He is an alumnus of IIT Madras where he did his Ph.D. in Computer Science and Engineering. His research interests include cryptography, distributed computing and quantum algorithms. He has published over 100 research papers in reputed International journals and Conferences proceedings. He is a recipient of the IBM Outstanding PhD Student Award, 2006 and Microsoft Young Faculty Fellowship Award, 2008.