Team TigerBytes, coached by Center members Ziming Zhao and Marcin Lukowiak, won 3rd place in the 2019 MITRE Embedded Capture-the-Flag (eCTF) competition. The eCTF is an attack-and-defense exercise for designing secure embedded systems, in which teams from universities such as Northeastern, CMU, RIT, UMass, Penn, MIT, and Virginia Tech competed for the championship. The cross-college Team TigerBytes consists of 10 students from the Computing Security, Computer Engineering and Computer Science Departments. The team not only gained points by developing novel software and hardware security systems on an ARM-based and FPGA-enabled platform, but also succeeded in attacking other teams' designs and implementations.
The Transport Layer Security (TLS) public key infrastructure (PKI) is what provides confidentiality and integrity in HTTPS, as well as a variety of other systems including email (IMAP), voice-over-IP, social networking, and mobile application APIs. Despite its tremendous importance, PKI suffers from a number of issues, such as certificate authorities (CAs) in the PKI having the right to issue a TLS certificate for any domain and the protocols that the PKI relies on often having hidden dependencies on underlying, insecure technologies. While it is tempting to simply declare that a clean-slate approach is required, completely replacing distributed systems that no single entity controls is very hard in practice. This project will address issues in the TLS PKI in ways that can be incrementally deployed and thus improve security progressively over time.
Tijay Chung (co-PI), “CNS Core: Large: Collaborative Research: Towards an Evolvable Public Key Infrastructure,” National Science Foundation (NSF), $3,000,000. June 2019 to July 2024.
Out of 500+ applications to , a joint project from the MIT Media Lab and Harvard's Berkman Klein Center for Internet & Society, computing security professor Wright’s project “AI Ethics Initiative for Robust Deepfake detection” is one of the seven final winners. He and his team will experiment with techniques to assist researchers and the public in identifying evidence that a given piece of video or audio is a fake generated via machine learning. These techniques will then be field tested with journalists and media forensics experts who are on the frontlines of identifying and evaluating media “in the wild.”
Listen to Matt’s interview with WXXI News:
Watch Matt’s interview with WROC-TV:
To enhance engineering of Cyber-Assured Systems, this project aims at providing a modeling language-agnostic technique to support resilient architecture design and reasoning. Software engineering professor Mirakhorli’s team works on the development of novel technologies for detection of cyber resiliency related architectural weaknesses. This project not only bridges the gap between multiple technologies being developed by DARPA, but also the field of cyber-resilient systems engineering.
Mehdi Mirakhorli (PI), “An Architecture-Based Approach to Cyber Resiliency,” Defense Advanced Research Projects Agency (DARPA), $619,034. February 2019 to February 2022.
The Border Gateway Protocol (BGP) is responsible for managing how packets are routed across the Internet by exchanging routing-related messages (path announcements) between routers. While BGP plays a critical role in Internet communications, it remains highly vulnerable to many attacks. This project has two research foci, each examining the management and security challenges of the Resource Public Key Infrastructure (RPKI). First, the project will analyze existing RPKI repositories from multiple vantage points in an effort to understand how much of the actual BGP feeds in the Internet is verifiable. Second, the project will develop new techniques to detect misconfigurations of routers and potential security vulnerabilities.
Taejoong (Tijay) Chung (PI), “CRII: SaTC: Measuring and Improving the Management of Resource Public Key Infrastructure (RPKI),” NSF CNS, $166,561. October 2019 to September 2021.
David E. Narváez, Zack Fitzsimmons, Edith Hemaspaandra, and Alexander Hoover, “Very Hard Electoral Control Problems,” Accepted for 33rd AAAI Conference on Artificial Intelligence (AAAI’19), January 2019.
Danielle Gonzalez, a 3rd year PhD student in the Center, has been recognized by Microsoft Research as one of the 10 outstanding PhD students in North America. Her research focuses on software architecture and security, and she works under the supervision of Center member Dr. Mehdi Mirakhorli. She has also been the lead author on a recent paper on architectural security weaknesses in industrial control systems (ICS). ICS are computers used to control automation systems in industrial processes and environments that include critical infrastructures, such as oil and gas production, chemical processing, power grids, transportation, and pharmaceuticals. The paper uses the vulnerability data received from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to highlight security design issues in ICS and their root causes. Furthermore, it provides an in-depth investigation of attacks in the ICS domain.
 Danielle Gonzalez, Fawaz Alhenaki and Mehdi Mirakhorli, “Architectural Security Weaknesses in Industrial Control Systems (ICS): An Empirical Study based on Disclosed Software Vulnerabilities”, International Conference on Software Architecture, Hamburg, Germany, March 2019.
Center member Tijay Chung is a recipient of the Applied Networking Research Prize (ANRP) for his paper, “Understanding the Role of Registrars in DNSSEC Deployment”, published at IMC’2017. The prize is awarded for recent results that are relevant for transitioning into shipping Internet products and related standardization efforts. It will offer the winners the opportunity to present and discuss their work with the engineers, network operators, policy makers and scientists that participate in the Internet Engineering Task Force (IETF) and its research arm, the Internet Research Task Force (IRTF). The goal of the ANRP is to recognize the best new ideas in networking, and bring them to the IETF and IRTF especially in cases where they would not otherwise see much exposure or discussion.
Center member and business director Justin Pelletier is the PI on two funded projects titled “Pentesting Engagement” and “Examining Industrial Control and IoT Devices”.
At the request of the CEO of Vulsec, RIT’s Eaton Cybersecurity SAFE Lab will conduct an external, blackbox penetration test against network environments for a company’s portfolio of brands. The goal of this penetration test will be to evaluate the extent to which an external attacker could compromise the IP addresses associated with the brands. The penetration testing team will exclusively conduct tests externally without pre-established user credentials.
The second project is a one-year project to examine industrial control devices and Internet of Things (IoT) devices. The devices and necessary tools will be provided by Eaton Corporation.
Justin Pelletier (PI) and Rob Olson (Co-PI), “VULSEC2018-01 Pentesting Engagement,” Vulsec, $9,944. Nov. 2018 to Nov. 2019.
Justin Pelletier (PI) and Rob Olson (Co-PI), “Examining Industrial Control and IoT Devices,” Eaton Inc., $142,325. Sep. 2018 to Aug. 2019.
Hyunwoo Lee, Zachary Smith, Junghwan Lim, Gyeongjae Choi, Selin Chun, Taejoong Chung, and Ted Kwon, “maTLS: How to Make TLS middlebox-aware?” Accepted for Network and Distributed System Security Symposium (NDSS), February 2019.
The Department of Computing Security and RIT's Center for Cybersecurity hosted the National Collegiate Penetration Testing Competition (CPTC)—the premier offensive-based competition—on Nov. 2–4, 2018. This allowed students to learn about cybersecurity from a different vantage point—offense, as opposed to defense. Teams from nine national universities faced-off to break into fabricated computer networks, evaluating their weak points and presenting plans to better secure them.
The event was sponsored by several top tech companies, including IBM, Google, Palo Alto Networks and Eaton. The CPTC is one way that higher education is working with industry to combat the national shortage of qualified cybersecurity professionals. Stanford University took home the top trophy in the 2018 competition, while Cal-State Fullerton placed second and University of Central Florida placed third. During the course of this year’s CPTC events, Stanford distinguished itself by discovering a 0-day vulnerability.
Center PhD student Payap Sirinam’s paper “Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning” was one of nine finalists for the outstanding paper award at CCS 2018, putting it in the top 1% of all 809 papers submitted to the conference. The acceptance rate of ACM CCS this year was 16.6%.
This paper explores how advanced deep learning architectures and techniques can be leveraged to perform more dangerous attacks on the Tor anonymity system and even undermine some of the state-of-the-art defenses. The paper was written together with external collaborators Mohsen Imani (UT Arlington) and Marc Juarez (KU Leuven), along with the Center Director Matthew Wright.
Center PhD student Igor Khokhlov’s presentation on “What is the Android Colluded Applications Attack and How to Detect It” at the was awarded the Certificate of Appreciation in recognition of an outstanding presentation. This was based on Igor’s work under supervision of Center member and CS professor Leon Reznik.
Center member Prof. Mehdi Mirakhorli is participating in a six-university project funded with $1.7 million by the National Science Foundation (NSF) to develop the Software Architecture INstrument (SAIN). SAIN is a first-of-its-kind integration framework for assembling architecture-related techniques and tools with the goal of enabling empirical research in the context of software maintenance. Other participating universities are: University of Southern California (USC), University of California, Irvine (UCI), University of Hawaii, Drexel University, and Stevens Institute of Technology.
Mehdi Mirakhorli (PI), “CRI: CI-NEW: Collaborative Research: Constructing a Community-Wide Software Architecture Infrastructure,” NSF CNS, $374,238.00. Sep. 2018 to Aug. 2021.
Center member Josephine Wolff published an opinion piece in the NY Times on “Trump’s Reckless Cybersecurity Strategy” and the consequences of the administration’s new policy of striking first at online attackers. Read her piece: https://www.nytimes.com/2018/10/02/opinion/trumps-reckless-cybersecurity-strategy.html
Taejoong (Tijay) Chung, Jay Lok, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, John Rula, Nick Sullivan, and Christo Wilson, “Is the Web Ready for OCSP Must Staple?” Accepted for the ACM Internet Measurement Conference (IMC), November 2018.
 Haehyun Cho, Penghui Zhang, Donguk Kim, Jinbum Park, Choonghoon Lee, Ziming Zhao, Adam Doupé, and Gail-Joon Ahn, “Prime+Count: Novel Cross-world Covert Channels on ARM TrustZone,” Accepted for the Annual Computer Security Applications Conference (ACSAC), December 2018.
Jaejong Baek, Sukwha Kyung, Haehyun Cho, Ziming Zhao, Adam Doupé, Yan Shoshitaishvili, and Gail-Joon Ahn, “Wi Not Calling: Practical Privacy and Availability Attacks in Wi-Fi Calling,” Accepted for the Annual Computer Security Applications Conference (ACSAC), December 2018.
Marwan Krunz, Berk Akgun, Peyman Siyari, Hanif Rahbari, Rashad Eletreby, and Ozan Koyluoglu, "Systems and Methods for Securing Wireless Communications", U.S. Patent App. 15/336,070 (granted Sep. 4, 2018).
Rajendra Raj (PI) and center member Daniel Krutz (co-PI) successfully executed two weeks of GenCyber camps in July. The camp covered both introductory and advanced security topics in web and mobile computing, and served approximately 80 middle and high school students from diverse backgrounds. The two-week, non-residential camps were set on the RIT campus.
Rajendra Raj (PI) and Daniel Krutz (co-PI), “GenCyber @ RIT: Secure Web and Mobile Computing,” National Security Agency (NSA), $130,908, May 2018 to May 2019.
The goal of this work is to explore the new landscape of website fingerprinting attacks and defenses in light of recent findings with deep learning. A key aspect of the work is to leverage and build upon recent advances in adversarial machine learning and be the first to apply these new findings to the context of traffic analysis.
Matthew Wright (PI), “SaTC: CORE: Small: Adversarial ML in Traffic Analysis,” NSF SaTC, $500,000. Aug. 2018 to Jul. 2021.
 Payap Sirinam, Marc Juarez, Mohsen Imani, and Matthew Wright, “Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning,” Accepted for ACM Conference on Computer and Communications Security (CCS), October 2018.
 Vaibhav Hemant Dixit, Adam Doupé, Yan Shoshitaishvili, Ziming Zhao and Gail-Joon Ahn, “AIM-SDN: Attacking Information Mismanagement in SDN-datastores,” Accepted for ACM Conference on Computer and Communications Security (CCS), October 2018.
Armon Barton, Mohsen Imani, Jiang Ming, and Matthew Wright, “Towards Predicting Efficient and Anonymous Tor Circuits,” Accepted for USENIX Security Symposium, August 2018.
Jing Chen, Chiheng Wang, Kun He, Ziming Zhao, Min Chen, Ruiying Du, and Gail-Joon Ahn, “Semantics-Aware Privacy Risk Assessment Using Self-Learning Weight Assignment for Mobile Apps,” Accepted for the IEEE Transactions on Dependable & Secure Computing (TDSC), September 2018.
IEEE ComSoc selected Center member Hanif Rahbari’s paper "Exploiting Frame Preamble Waveforms to Support New Physical-Layer Functions in OFDM-Based 802.11 Systems" as a Tech Focus paper in Prototyping Wireless Networks. https://goo.gl/CqCFmU
Hanif Rahbari, Peyman Siyari, Marwan Krunz, and Jung-Min (Jerry) Park, “Adaptive Demodulation for Wireless Systems in the Presence of Frequency-Offset Estimation Errors,” Accepted for the International Conference on Computer Communications (INFOCOM), April 2018.
Principal investigator Robert Olson will be hiring, managing and supervising a team of RIT students to perform a cybersecurity assessment for the Eaton Corporation.
The project is to develop a comprehensive plan for solving challenges in federated network security using an approach based on Proof-Carrying Code (PCC).
Center member Leonid Reznik (PI, Computer Science) has received a new grant from the DOD National Security Agency. The program designs a curriculum, develops all course materials, tests and evaluates them in real college classroom settings, and compiles and disseminates practical recommendations for delivery of a college-level course on Intelligent Security Systems. The award brings $118,000 to RIT.
Center for Cybersecurity PhD students Joanna C. S. Santos and Anthony Peruma together with advisor Mehdi Mirakhorli led a team who won the 2017 ACM SIGSOFT Distinguished Paper award at the International Conference on Software Architecture (ICSA).
Center members Jay Yang (PI, Computer Engineering) and Katie McConky (Co-PI, Industrial & Systems Engineering) have received a new grant from IARPA in conjunction with defense contractor Leidos, Inc. The project seeks to develop CAUSE, a system that leverages data that is not currently used for cybersecurity to predict cyber attacks. Phase 1 of the award brings $350,000 to RIT.
Center Director Matt Wright (Computing Security) has a new $500,000 grant from the NSF’s Secure and Trustworthy Computing (SaTC) program to work with the Tor Project on improving its defenses against a type of traffic analysis called website fingerprinting. The award brings $150,000 to RIT.
A paper authored by Marc Juarez, Mohsen Imani, Mike Perry, Claudia Diaz and Center Director Matthew Wright, titled “Toward an Efficient Website Fingerprinting Defense,” won the Outstanding Student Paper Award at ESORICS 2016.
To help plan for a large, collaborative research effort, a group of researchers including Center member Mehdi Mirakhorli (Software Engineering) has received a $90,000 grant from NSF’s CISE Infrastructure program. The goal of the project, titled "Planning and Prototyping a Community-Wide Software Architecture Instrument," is to provide metrics for software architecture.
- When: Friday, Sep. 14 at 4 pm
- Where: Golisano Auditorium
- Title: When Electronic Privacy Gets Physical: Privacy in the Age of Pervasive Photography
- Abstract: As always-on and wearable cameras -- and digital photography in general -- become more commonplace, we will need to reconsider our notions of privacy. How will people react to constant surveillance by their peers ("sousveillance") and what technical solutions can enhance privacy in this new age? I will highlight some of our interdisciplinary research on answering and addressing these questions in the context of wearable cameras. I will also talk about how cameras can enhance privacy, e.g., by aiding populations with visual impairments with a visual assessment of their surroundings.
- Bio: Apu Kapadia is an Associate Professor of Computer Science at the School of Informatics, Computing, and Engineering, Indiana University Bloomington. Before joining Indiana University, he received his Ph.D. in Computer Science from the University of Illinois at Urbana-Champaign (UIUC), was later a Post-Doctoral Research Fellow at Dartmouth College, and then a Member of Technical Staff at MIT Lincoln Laboratory.
For the second year in a row, RIT will host Great Lakes Security Day (GLSD) in Slaughter Hall on the RIT campus. GLSD 2017 was a very successful event with 100 registered participants coming from nearby universities, including U. Binghamton, U. Buffalo, Cornell, Penn State, U. Rochester, Syracuse, and of course RIT. This year's event will include research talks, a panel on research trends in security, a lunch with topic-based discussion tables, a poster session, and it will end with a Distinguished Lecture from Apu Kapadia, Assoc. Professor of Computer Science at Indiana University.
The Center for Cybersecurity and the IEEE regional chapter are sponsoring Great Lakes Security Day 2017, an event bringing together researchers in cybersecurity from around the region to discuss their latest works. There will be talks, posters, and a distinguished lecture from Patrick McDaniel of PSU.
Dr. Mittal talks about RAPTOR Attacks and Counter-RAPTOR Defenses at the GCCIS Colloquium Series.
When: Friday, April 21, 2017
Where: Golisano College 70-1435
Time: 12:00 – 1:00 PM
Dr. Tao Xie, Associate Professor and Willett Faculty Scholar at U. Illinois (UIUC), will present a Center for Cybersecurity seminar on "User Expectations in Mobile App Security" on Friday, Mar. 24 at 11:45 AM in Golisano Auditorium, 70-1435.
Robert Walls, Asst. Professor of Computer Science at Worcester Polytechnic Institute (WPI), will be the IEEE speaker on Nov. 18th at 12. His talk will cover the Science of Security in the context of computer forensics.
Center member Jay Yang is running a workshop on Nov. 7 based on his NSA project on Modeling attackers. The workshop brings together top cybersecurity minds to discuss the project findings and new directions in cybersecurity. Members of the Center will also display their latest research results in a poster session.
On Nov. 4-6, 2016, RIT hosted the second Collegiate Pentesting Competition (CPTC), bringing on campus 10 teams from Florida, Texas, California, and more to test their red team skills on vulnerable systems. RIT also hosted the first CPTC in 2015. Center members Bill Stackpole and Daryl Johnson ran the event with lots of help from the Dept. of Computing Security. CPTC was sponsored in part by NSA, Google, and Amazon. Planning is underway for the first CPTC Regional events and the third national event in 2017.