To authors: A regular paper presentation would be 20 mins live presentation and Q&A. A dataset/tool and poster paper presentation would be 10 mins live presentation and Q&A.

To attendees: All times in the main program are in Eastern Daylight Time (UTC-04:00).

April 26 - April 27 - April 28


April 26


Welcome and Opening Remarks

08:45AM - 09:00AM

Keynote I

09:00AM - 10:00AM

Evans

When Models Learn Too Much

David Evans, The University of Virginia

Abstract

Statistical machine learning uses training data to produce models that capture patterns in that data. When models are trained on private data, such as medical records or personal emails, there is a risk that those models not only learn the hoped-for patterns, but will also learn and expose sensitive information about their training data. Several different types of inference attacks on machine learning models have been found, and methods have been proposed to mitigate the risks of exposing sensitive aspects of training data. Differential privacy provides formal guarantees bounding certain types of inference risk, but, at least with state-of-the-art methods, providing substantive differential privacy guarantees requires adding so much noise to the training process for complex models that the resulting models are useless. Experimental evidence, however, suggests that inference attacks have limited power, and in many cases a very small amount of privacy noise seems to be enough to defuse inference attacks. In this talk, I will give an overview of a variety of different inference risks for machine learning models, talk about strategies for evaluating model inference risks, and report on some experiments by our research group to better understand the power of inference attacks in more realistic settings, and explore some broader the connections between privacy, fairness, and adversarial robustness.


Short Bio

David Evans is a Professor of Computer Science at the University of Virginia where he leads a research group focusing on security and privacy (https://uvasrg.github.io/). He won the Outstanding Faculty Award from the State Council of Higher Education for Virginia, and was Program Co-Chair for the 24th ACM Conference on Computer and Communications Security (CCS 2017) and the 30th (2009) and 31st (2010) IEEE Symposia on Security and Privacy, where he initiated the Systematization of Knowledge (SoK) papers. He is the author of an open computer science textbook (https://computingbook.org/) and a children's book on combinatorics and computability (https://dori-mic.org/), and co-author of a book on secure multi-party computation (https://securecomputation.org/). He has SB, SM and PhD degrees from MIT and has been a faculty member at the University of Virginia since 1999.

Session 1: Adversarial Machine Learning (I)

10:10AM - 11:10AM

Membership Inference Attacks and Defenses in Classification Models
Jiacheng Li (Purdue University), Ninghui Li (Purdue University) and Bruno Ribeiro (Purdue University).
Using Single-Step Adversarial Training to Defend Iterative Adversarial Examples
Guanxiong Liu (New Jersey Institute of Technology), Issa Khalil (QCRI) and Abdallah Khreishah (New Jersey Institute of Technology).
Real-Time Evasion Attacks against Deep Learning-Based Anomaly Detection from Distributed System Logs
Jerome Dinal Herath (State University of New York at Binghamton), Ping Yang (State University of New York at Binghamton) and Guanhua Yan (State University of New York at Binghamton).

Session 2: Privacy

11:15AM - 12:45PM

Decentralized Reputation
Tassos Dimitriou (Computer Technology Institute, Greece and Kuwait University, Kuwait).
Don’t fool yourself with Forward Privacy, Your queries STILL belong to us!
Khosro Salmani (Mount Royal University) and Ken Barker (University of Calgary).
(Dataset/Tool Paper) A Large Publicly Available Corpus of Website Privacy Policies Based on DMOZ
Razieh Nokhbeh Zaeem (The University of Texas at Austin) and K. Suzanne Barber (The University of Texas at Austin).
Adaptive Fingerprinting: Website Fingerprinting over Few Encrypted Traffic
Chenggang Wang (University of Cincinnati), Jimmy Dani (University of Cincinnati), Xiang Li (University of Cincinnati), Xiaodong Jia (University of Cincinnati) and Boyang Wang (University of Cincinnati).
Utrack: Enterprise User Tracking Based on OS-Level Audit Logs
Yue Li (College of William & Mary), Zhenyu Wu (Google), Haining Wang (Virginia Tech), Kun Sun (George Mason University), Zhichun Li (Stellar Cyber), Kangkook Jee (University of Texas at Dallas), Junghwan Rhee (University of Central Oklahoma) and Haifeng Chen (NEC Laboratories America).

Session 3: Software Security and Malware

01:30PM - 02:30PM

Code Specialization through Dynamic Feature Observation
Priyam Biswas (Purdue University), Nathan Burow (Purdue University) and Mathias Payer (EPFL).
Towards Accurate Labeling of Android Apps for Reliable Malware Detection
Aleieldin Salem (Technische Universität München).
SE-PAC: A Self-Evolving Packer Classifier against rapid packers evolution
Lamine Noureddine (Univ Rennes, Inria, CNRS, IRISA, Rennes, France), Annelie Heuser (Univ Rennes, Inria, CNRS, IRISA, Rennes, France), Cassius Puodzius (Univ Rennes, Inria, CNRS, IRISA, Rennes, France) and Olivier Zendra (Univ Rennes, Inria, CNRS, IRISA, Rennes, France).

Panel I: AI for Security and Security for AI

03:00PM - 04:15PM

Panelists
Elisa Bertino - Purdue University
Murat Kantarcioglu - The University of Texas at Dallas
Cuneyt Gurcan Akcora - University of Manitoba, Canada
Sagar Samtani - Indiana University

Moderators
Sudip Mittal - University of North Carolina Wilmington
Maanak Gupta - Tennessee Technological University

Abstract

On one side, the security industry has successfully adopted some AI-based techniques. Use varies from mitigating denial of service attacks, forensics, intrusion detection systems, homeland security, critical infrastructures protection, sensitive information leakage, access control, and malware detection. On the other side, we see the rise of Adversarial AI. Here the core idea is to subvert AI systems for fun and profit. The methods utilized for the production of AI systems are systematically vulnerable to a new class of vulnerabilities. Adversaries are exploiting these vulnerabilities to alter AI system behavior to serve a malicious end goal. This panel discusses some of these aspects.

Poster Session A

09:00PM - 10:00PM

Quantum Obfuscation: Quantum Predicates with Entangled qubits
Vivek Balachandran (Singapore Institute of Technology).
Neutralizing Hostile Drones with Surveillance Drones
Vivek Balachandran (Singapore Institute of Technology); Melissa Chua (Defence Science and Technology Agency Singapore).
Blockchain-based Proof of Existence (PoE) Framework using Ethereum Smart Contracts
Shawn Lim Wei Ming (Singapore Institute of Technology); Purnima Murali Mohan (Singapore Institute of Technology); Peter Loh Kok Keong (Singapore Institute of Technology); Vivek Balachandran (Singapore Institute of Technology).
IIoT-ARAS: IIoT/ICS Automated Risk Assessment System for Prediction and Prevention
Bassam Zahran (Towson University); Adamu Hussaini (Towson University); Aisha Ali-Gombe (Towson University).
OBFUS: Obfuscation tool for software copyright and vulnerability protection
Seoyeon Kang (Chungnam National University); Sujeong Lee (Chungnam National University); Yumin Kim (Chungnam National University); Seong-Kyun Mok (Chungnam National University); Eun-Sun Cho (Chungnam National University).

April 27


Keynote II

09:00AM - 10:00AM

Yao

Measurable and Deployable Security: Gaps, Successes, and Opportunities

Danfeng (Daphne) Yao, Virginia Tech

Abstract

Security measurement helps identify deployment gaps and present extremely valuable research opportunities. However, such research is often deemed as not novelty by academia. I will first share my research journey designing and producing a high-precision tool CryptoGuard for scanning cryptographic vulnerabilities in large Java projects. That work led us to publish two benchmarks used for systematically assessing state-of-the-art academic and commercial solutions, as well as help Oracle Labs integrate our detection in their routine scanning. Other specific measurement and deployment cases to discuss include the Payment Card Industry Data Security Standard, which was involved in high-profile data breach incidents, and fine-grained Address Space Layout Randomization. The talk will also point out the need for measurement in AI development in the context of code repair. Broadening research styles by accepting and encouraging deployment-related work will facilitate our field to progress towards maturity.


Short Bio

Dr. Danfeng (Daphne) Yao is a Professor of Computer Science at Virginia Tech. She is an Elizabeth and James E. Turner Jr. ’56 Faculty Fellow and CACI Faculty Fellow. Her research interests are on building deployable and proactive cyber defenses, focusing on detection accuracy and scalability. She creates new models, algorithms, techniques, and deployment-quality tools for securing large-scale software and systems. Her tool CryptoGuard helps large software companies and Apache projects harden their cryptographic code. She systematized program anomaly detection in the book Anomaly Detection as a Service. Her patents on anomaly detection are extremely influential in the industry, having been cited by over 200 other patents from major cybersecurity firms and technology companies, including FireEye, Symantec, Qualcomm, Cisco, IBM, SAP, Boeing, and Palo Alto Networks. Her IEEE TIFS papers on enterprise data loss prevention were viewed 30,000 times. Dr. Yao was a recipient of the NSF CAREER Award and ARO Young Investigator Award. Dr. Yao is the ACM SIGSAC Treasurer/Secretary and is a member of the ACM SIGSAC executive committee since 2017. She spearheads multiple inclusive excellence initiatives, including the NSF-sponsored Individualized Cybersecurity Research Mentoring (iMentor) Workshop and the Women in Cybersecurity Research (CyberW) Workshop. Daphne received her Ph.D. degree from Brown University, M.S. degrees from Princeton University and Indiana University, Bloomington, B.S. degree from Peking University in China.

Session 4: Blockchains, Digital Currency

10:10AM - 11:20AM

BFastPay: a Routing-free Protocol for Fast Payment in Bitcoin Network
Xinyu Lei (Michigan State University), Guan-Hua Tu (Michigan State University), Tian Xie (Michigan State University) and Sihan Wang (Michigan State University).
Security Threats from Bitcoin Wallet Smartphone Applications: Vulnerabilities, Attacks, and Countermeasures
Yiwen Hu (Michigan State University), Sihan Wang (Michigan State University), Guan-Hua Tu (Michigan State University), Li Xiao (Michigan State University), Tian Xie (Michigan State Univeristy), Xinyu Lei (Michigan State University) and Chi-Yu Li (National Chiao Tung University).
BlockFLA: Accountable Federated Learning via Hybrid Blockchain Architecture
Harsh Desai (The University of Texas at Dallas), Mustafa Ozdayi (The University of Texas at Dallas) and Murat Kantarcioglu (The University of Texas at Dallas).
(Dataset/Tool Paper) SteemOps: Extracting and Analyzing Key Operations in Steemit Blockchain-based Social Media Platform
Chao Li (Beijing Jiaotong University), Balaji Palanisamy (University OF Pittsburgh), Runhua Xu (IBM Research - Almaden), Jinlai Xu (University OF Pittsburgh) and Jingzhe Wang (University OF Pittsburgh).

Session 5: Hardware and Device Security/Privacy

11:30AM - 12:10PM

Ghost Thread: Effective User-Space Cache Side Channel Protection
Robert Brotzman (Pennsylvania State University), Danfeng Zhang (Pennsylvania State University), Mahmut Kandemir (Pennsylvania State University) and Gang Tan (Pennsylvania State University).
(Dataset/Tool Paper) The Cost of OSCORE and EDHOC for Constrained Devices
Stefan Hristozov (Fraunhofer AISEC), Manuel Huber (Microsoft), Lei Xu (Fraunhofer AISEC), Jaro Fietz (Fraunhofer AISEC), Marco Liess (Fraunhofer AISEC) and Georg Sigl (Technical University of Munich).
(Dataset/Tool Paper) Secure Pull Printing with QR Codes and National eID Cards: A Software-oriented Design and an Open-source Implementation
Matteo Leonelli (Fondazione Bruno Kessler (FBK)), Umberto Morelli (Fondazione Bruno Kessler (FBK)), Giada Sciarretta (Fondazione Bruno Kessler (FBK)) and Silvio Ranise (Fondazione Bruno Kessler (FBK), University of Trento).

Session 6: Policies

01:30PM - 02:50PM

Graph-Based Specification of Admin-CBAC Policies
Clara Bertolissi (Université Aix-Marseille, CNRS UMR 7020), Maribel Fernandez (KCL) and Bhavani Thuraisingham (University of Texas at Dallas).
Incremental Maintenance of ABAC Policies
Gunjan Batra (Rutgers University), Vijay Atluri (Rutgers University), Jaideep Vaidya (Rutgers University) and Shamik Sural (IIT, Kharagpur).
Contact Tracing Made Un-relay-able
Marco Casagrande (University of Padua), Mauro Conti (University of Padua) and Eleonora Losiouk (University of Padua).
Formal Analysis of ReBAC Policy Mining Feasibility
Shuvra Chakraborty (The University of Texas at San Antonio) and Ravi Sandhu (The University of Texas at San Antonio).

Panel II: Is there a Security Mindset and Can it be Taught?

03:00PM - 04:15PM

Panelists
Ambareen Siraj - Tennessee Technological University
Nigamanth Sridhar - Cleveland State University
John A. “Drew" Hamilton, Jr. - Mississippi State University
Latifur Khan - The University of Texas at Dallas
Siddharth Kaza - Towson University

Moderators
Maanak Gupta - Tennessee Technological University
Sudip Mittal - University of North Carolina Wilmington

Abstract

The field of cybersecurity is becoming very dynamic, and needs continuous evolution. This requires not only the formal and in-formal education, but a security mindset to be developed for our future workforce. This panel elaborates on some such aspects.

Poster Session B

09:00PM - 10:00PM

Object Allocation Pattern as an Indicator for Maliciousness - An Exploratory Analysis
Adamu Hussaini (Towson University); Bassam Zahran (Towson University); Aisha Ali-Gombe (Towson University).
Attribute-Based Access Control for NoSQL Databases
Eeshan Gupta (IIT Kharagpur); Shamik Sural (IIT Kharagpur); Jaideep Vaidya (Rutgers University); Vijay Atluri (Rutgers University).
A Multi Perspective Access Control in a Smart Home
Shravya Kanchi (International Institute of Information Technology, Hyderabad); Kamalakar Karlapalem (CDE, IIIT Hyderabad, India).
Assessing the Alignment of Social Robots with Trustworthy AI Design Guidelines: A Preliminary Research Study
Ankur Chattopadhyay (Northern Kentucky University); Abdikadar Ali (Northern Kentucky University); Danielle Thaxton (Northern Kentucky University)
Towards Efficient Labelling of Network Incident Datasets Using Tcpreplay and Snort
Kohei Masumi (National Institute of Information and Communications Technology); Chansu Han (National Institute of Information and Communications Technology); Ban Tao (National Institute of Information and Communications Technology); Takeshi Takahashi (National Institute of Information and Communications Technology).

Session 7: Adversarial Machine Learning (II)

10:00PM - 11:20PM

Brittle Features of Device Authentication
Washington Garcia (University of Florida), Animesh Chhotaray (University of Florida), Joseph Choi (University of Florida), Suman Kalyan Adari (University of Florida), Kevin Butler (University of Florida) and Somesh Jha (University of Wisconsin-Madison).
Role-Based Deception in Enterprise Networks
Iffat Anjum (North Carolina State University), Mu Zhu (North Carolina State University), Isaac Polinsky (North Carolina State University), William Enck (North Carolina State University), Michael Reiter (University of North Carolina, Chapel Hill) and Munindar Singh (North Carolina State University).
We can pay less : Coordinated False Data Injection Attack against Residential Demand Response in Smart Grids
Thusitha Dayaratne (Monash University), Carsten Rudolph (Monash University), Ariel Liebman (Monash University) and Mahsa Salehi (Monash University).
Identifying and Characterizing COVID-19 Themed Malicious Domain Campaigns
Pengcheng Xia (Beijing University of Posts and Telecommunications), Mohamed Nabeel (Qatar Computing Research Institute), Issa Khalil (Qatar Computing Research Institute), Haoyu Wang (Beijing University of Posts and Telecommunications) and Ting Yu (Qatar Computing Research Institute).

April 28


Distinguished Talk

08:15AM - 09:00AM

Bhavani

The Importance of Mentoring to Support Diversity, Equity and Inclusion (DEI) in Data and Applications Security and Privacy

Bhavani Thuraisingham, The University of Texas at Dallas

Abstract

We are living in a complex world that is rapidly evolving due to technology. The WWW and Social Media have eliminated boundaries and social norms and with COVID-19 the work environment has drastically changed. While there are numerous career opportunities in Computer Science in general and Cyber Security and Artificial Intelligence/Data Science in particular, the competition is also extremely intense around the globe. It is almost impossible for a person to succeed in his/her career without the advice and mentorship of the senior researchers, developers and technologists. Almost every person I have known who has succeeded has had a mentor (in many cases mentors) who have guided him/her and supported him/her during the early stages of his/her career. Therefore, every career professional must have a mentor regardless of gender, race/ethnicity and age.

Lack of mentorship is perhaps the most important reason why women and minority communities have not done as well in their careers especially in lucrative fields like Cyber Security; another could be bias. Lack of opportunities start at an early age as boys are given preferences over girls in almost every culture and as time progresses girls are left behind in schools, colleges and in the workforce. So, women mainly work to supplement their husbands’ incomes. Minority communities also have a tremendous disadvantage as often their parents are not as educated as those from the non-minority communities and so minority boys and girls have a huge handicap. If the women and minority communities are fortunate enough to get an education and a good job, there are very few from these communities who are at higher positions and so the junior researchers, developers and technologists are often ignored and left to fend for themselves. They see their non-minority colleagues thrive possibly due to the extensive mentoring they receive and get frustrated and that gets them into a vicious cycle.

What is the solution to this huge problem? The first step is to realize that there is a problem; people, especially those in non-minority communities do not realize there is a problem. Thanks to the #MeToo movement and the Black Lives Matter (BLM) movement, people are getting more educated about the problem. As a result, there is much more awareness about Diversity, Equity, and Inclusion (DEI); it is not about giving a job to a person because she is a woman, its about building a safe and inclusive work environment where everyone can thrive. We must not only focus on the advancement of women which is a must, we must also include every underrepresented community including African Americans, Latino Americans, Native Americans, LGBTQ Americans, People with disability, Autistic Individuals and the Elderly. We have to go beyond our own gender race/ethnicity and help everyone to succeed. Every organization must have policies for Diversity, Equity and Inclusion (DEI). Good mentoring will enable a person to understand the culture of the organization and what it takes to succeed. That is, mentoring is essential to support DEI. We need Domain Specific Mentors (e.g., Cyber Security, Data Science) and not generalists (e.g., Psychologists); only those working in your field really understand what you need to do to advance in your education/career (e.g. top journals vs top conference publications for tenure).

This presentation will start with a discussion of DEI and then discuss the importance of mentoring to support DEI in fields like cyber security and data science. It will give examples of my personal story on how lack of mentoring was initially tough on my career and then how I chose mentors who have then supported me and helped me to thrive in my career in cyber security and data science. I will also give my top ten reasons as to why a career in cyber security / data science will benefit the women and underrepresented minority communities.


Short Bio

Dr. Bhavani Thuraisingham is the Founders Chair Professor of Computer Science and the Executive Director of the Cyber Security Research and Education Institute at the University of Texas at Dallas (UTD). She is also a visiting Senior Research Fellow at Kings College, University of London and an elected Fellow of the ACM, IEEE, the AAAS, the NAI and the BCS. She was a Cyber Security Policy Fellow at the New America Foundation for 2017-2018 and focused on engaging rural America in cyber security. Her research interests are on integrating cyber security and artificial intelligence/data science including as they relate to public policy for the past 35 years (where it used to be computer security and data management/mining). She has received several technical and leadership awards including the IEEE CS 1997 Technical Achievement Award, ACM SIGSAC 2010 Outstanding Contributions Award, the IEEE Comsoc Communications and Information Security 2019 Technical Recognition Award, the IEEE CS Services Computing 2017 Research Innovation Award, the ACM CODASPY 2017 Lasting Research Award, the IEEE ISI 2010 Research Leadership Award, and the ACM SACMAT 10 Year Test of Time Awards for 2018 and 2019 (for papers published in 2008 and 2009).

She has worked tirelessly to support women and minority groups in Cyber Security and Data Science. Out of the 23 PhD students she would have graduated by between 2008 and 2022, at least 50% are women and they also include members of the African American, Latino American and the LGBTQ communities. She co-chaired the Women in Cyber Security Conference (WiCyS) in 2016 and delivered the featured address at the 2018 Women in Data Science (WiDS) at Stanford University serves as the Co-Director of both the Women in Cyber Security and Women in Data Science Centers at UTD. She has spent around 20 years promoting Diversity, Equity and Inclusion in Cyber Security and Data Science and has chaired multiple panels including her recent panel at IEEE ISI 2020 (Intelligence and Security Informatics) and gave multiple keynote/featured addresses at Cyber-W, iMentor, SWE, WITI, Girls Who Code, and WICE (Women in Communications Engineering) celebrating International Women’s Day. She gives talks on cyber security at DFW public libraries and is an official mentor to junior faculty as well as high school students in DFW. She received the Women in Technology Awards from the Dallas Business Journal in 2017 and the Woman of Color Leadership from Career Communications Inc. in 2001. She was named one of 500 most influential business leaders in North Texas for 2021 by the D Magazine’s D CEO Magazine. She is the recipient of IEEE Cyber Security and Cloud’s 2021 Special Recognition Award for her tireless work in promoting Diversity, Equity and Inclusion among women and underrepresented minority communities.

Her 40-year career includes industry (Honeywell), federal research laboratory (MITRE), US government (NSF) and US Academia. Her work has resulted in 130+ journal articles, 300+ conference papers, 180+ keynote and featured addresses, seven US patents, fifteen books, podcasts as well as technology transfer of the research to commercial products and operational systems. She received her PhD from the University of Wales, Swansea, UK, and the prestigious earned higher doctorate (D. Eng) from the University of Bristol, UK. She has a Certificate in Public Policy Analysis from the London School of Economics (May 2021).

Closing Remarks

09:00AM - 09:15AM