UTC InfoSec Center Publications

Journal/Book Chapter publication

  • Francis Akowuah, Jonathan Land, Xiaohong Yuan, Li Yang, Jinsheng Xu, Hong Wang, Standards and Guides for Implementing Security and Privacy for Health Information technology, A book chapter in Security and Privacy Management, Techniques, and Protocols, Chapter 8, pp 214-236, ISBN10: 1522555838, April, 2018.
  • Xiaohong Yuan, Audrey Rorrer, Li Yang, Bei-Tseng Chu, Kenneth Williams, Huiming Yu, Kathy Winters, Joseph Kizza, Evaluating the Impact of Faculty Workshops for Teaching Information Assurance through Hands-on Exercises and Case Studies,  Journal of Information Systems Education (JISE), 2016
  • Xiaohong Yuan, Li Yang, Bilan Jones, Huiming Yu, Bei-Tseng Chu. Secure Software Engineering Education: Knowledge Area, Curriculum and Resources. Journal of Cybersecurity Education, Research and Practice, 2016.
  • Jiang Y, Qin H, Yang L. Using network clustering to predict copy number variations associated with health disparities, PeerJ 3:e677, https://doi.org/10.7717/peerj.677, 2015.
  • Li Yang, Xiaohong Yuan and Dhaval Patel, Interactive Visualization Tools for Cross-Site Scripting and Cross-Site Request Forgery Attacks, International Journal of Information Technology and Computer Science (IJITCS), vol. 15, Issue 3, 2014.
  • Prabir Bhattacharya, Li Yang, Minzhe Guo, Kai Qian, Ming Yang, Learning Mobile Security with Labware, Education column, IEEE Security and Privacy Magazine: Vol 12 No. 1, 2014. 

  • Wu He, Xiaohong Yuan, Li Yang, Supporting Case-based Learning in Information Security with Web-based Technology, Journal of Information Systems Education (JISE) Special Issue: Global Information Security and Assurance, Volume 24, Number 1, Spring 2013.

  • Joseph Kizza, Li Yang, Social History of Computing and Online Social Communities, the Encyclopedia of Social Network Analysis and Mining (ESNAM), 2013.

  • Joseph Kizza, Li Yang, Is the Cloud the Future of Computing?, a book chapter in "Security, Trust, and Regulatory Aspects of Cloud Computing in Business Environments", 2013.

  • Harkeerat Bedi, Li Yang, A Resilient Fair Electronic Contract Signing Protocol, Chapter 17, Security and Privacy Assurance in Advancing Technologies: New Developments, 2010. 
  • Li Yang, Managing Secure Database Systems, a book chapter in Readings and cases in information security: law and ethics, Whitman, M.E. & Mattord, H. J.,(editors), Course Technology, Cengage Learning, ISBN 1-435-44157-5, 2011. 

  • Ran Tao, Li Yang, et al., A Host-Based Intrusion Detection System Using Architectural Features to Improve Sophisticated Denial-of-Service Attack Detections, International Journal of Information Security and Privacy, 2010.

  • Li Yang, Alma Cemerlic,  Xiaohui Cui.  A fine-grained reputation system for reliable routing in wireless ad hoc network, Journal of Security and Communication Network, 2010.

  • L. Peng, L. Yang and B. Ramadass, Architectural Support for Enhancing Critical Secrets Protection in Chip-Multiprocessors,  a book chapter in Pervasive Information Security and Privacy Developments: Trends and Advancements, June 2010.  

Conference Proceedings

  • Sharmila Chackravarthy, Steven Schmitt, Li Yang, Crime Related Anomaly Detection Using Stream Analytics, The 1st International Workshop on Technology Convergence for Smart Cities (TeC4C), in conjunction with IEEE 4th International Conference on Collaboration and Internet Computing, Philadelphia, PA, October 2018.
  • Li Yang, Yu Liang, Dalei Wu, Jim Gault, Train and Equip Firefighters with Cognitive Virtual and Augmented Reality, First International Workshop on Emerging Cloud, IoT and Social Network Solutions for e-Health, in conjunction with IEEE 4th International Conference on Collaboration and Internet Computing, Philadelphia, PA, October 2018.

  • Wu He, Xiaohong Yuan, Li Yang, Jennifer Ellis, Li Xu, Using POGIL to help students learn secure coding, IEEE Frontiers in Education Conference (FIE), October, 2018. 
  • Li Yang, Xiaohong Yuan, Wu He, Jennifer Ellis, Jonathan Land, Cybersecurity Education with POGIL: Experiences with Access Control Instruction, New Orleans, LA, June 2018. 
  • Héctor Suárez, Li Yang, Dalei Wu, Securing GPR data for Use in Smart Cities, IEEE International Workshop on Big Data Security and Services, Bamberg, Germany, March 2018.
  • David Schwab, Lama Alharbi, Oliver Nichols, Li Yang, Picture PassDoodle: Usability Study, International Workshop on Big Data Security and Services, Bamberg, Germany, March 2018.
  • Héctor Suárez, Hooper Kincannon, Li Yang, SSETGami: Secure Software Education Through Gamification, Conference on Cybersecurity Education, Research and Practice (CCERP), Kennesaw, GA, October, 2017. 
  • David Schwab, Li Yang, Katherine Winters, Matthew Jallouk, Emile Smith, Adam Claiborne, A Secure Mobile Cloud Photo Storage System, Workshop on Network Security Analytics and Automation (NSAA), in conjunction with the 26th International Conference on Computer Communications and Networks, Vancouver, Canada, August, 2017.
  • Xiaohong Yuan, Li Yang, Wu He, Jennifer Ellis, Jinsheng Xu and Cynthia Waters, Enhancing Cybersecurity Education Using POGIL, the ACM Technical Symposium on Computer Science Education (SIGCSE), poster, Seattle, WA, March, 2017.
  • Oliver Nichols, Li Yang, Xiaohong Yuan, Teaching Security of Internet of Things in Using RaspberryPi, Conference on Cybersecurity Education, Research and Practice (CCERP), Kennesaw, GA, October, 2016. 
  • Xiaohong Yuan, Wu He, Li Yang, Lindsay Simpkins, Teaching Security Management for Mobile Devices, Annual Conference on Information Technology Education (SIGITE), Boston, September, 2016. 
  • Oliver Nichols, Li Yang, Picture PassDoodle: An Authentication Alternative to Text Passwords, Workshop on Network Security Analytics and Automation, August, 2016. 
  • Minzhe Guo, Kai Qian, Li Yang, Hands-on Labs for Learning Mobile and NoSQL Database Security, COMPSAC, Atlanta, GA, June 2016. 

  • Eric Reinsmidt, David Schwab, Li Yang, Securing a Connected Mobile System for Healthcare, the 17th IEEE High Assurance Systems Engineering Symposium (HASE 2016), Orlando, FL January, 2016. 
  • Xinwen Fu, Li Yang, Modeling Cyber Crime and Investigation Strategies for Digital Forensics Education, The Colloquium for Information Systems Security Education, round table discussion, June 2015. 
  • Eric Reinsmidt, Li Yang, Mobile Authentication Methodologies in Healthcare Systems, the 26th Modern Artificial Intelligence and Cognitive Science Conference (MAICS), Greensboro, NC, April, 2015.
  • Lindsay Simpkins, Xiaohong Yuan, Jwalit Modi, Justin Zhan, Li Yang. A Course Module on Web Tracking and Privacy, InfoSecCD 2015 conference.
  • Wenliang Du, Li Yang, Xiaohong Yuan, Joseph Kizza, Browser Security Hands-on Labs and Case Studies, poster presentation at NSF SaTC PI meeting, January, 2015.

  • Li Yang, Xiaohong Yuan and Dhaval Patel, Interactive Visualization Tools for Cross-Site Scripting and Cross-Site Request Forgery Attack, 3rd International Conference on Human Computing, Education and Information Management System  (ICHCEIMS 2014 ), Sydney, Australia, June  4 – 5, 2014.

  • Xiaohong Yuan, Kenneth Williams, Huiming Yu, Bei-Tseng Chu, Audrey Rorrer, Li Yang, Kathy Winters, Joseph Kizza, Developing Faculty Expertise in Information Assurance through Case Studies and Hands-on Experiences, the Proceedings of the 48th Hawaii International Conference on System Sciences (HICSS), January 2014.

  • Minzhe Guo, Prabir Bhattacharya, Kai Qian and Li Yang, WIP: Authentic Learning of Mobile Security with Case Studies, Frontiers in Education Conference (FIE), October 2013.

  • Minzhe Guo, Kai Qian, Ming Yang, KuoSheng Ma, Liang Hong, Li Yang, Android-Based Mobile Sensory System Labware for Embedded System Education, IEEE International Conference on Advanced Learning Technologies (ICALT), Beijing, China, July 2013.

  • Minzhe Guo, Prabir Bhattacharya, Ming Yang, Kai Qian, Li Yang, Learning Mobile Security with Android Security Labware, Proceedings of the ACM Technical Symposium on Computer Science Education (SIGCSE), March 2013.

  • David Schwab, Li Yang, User and Device Authentication in a Mobile Cloud Environment, The Proceedings of Cyber Security and Information Intelligence Research Workshop, ACM Digital Library, Oak Ridge, TN, January, 2012.

  • Wade Gasior and Li Yang, Exploring Covert Channel in Android Platform, Cyber Security Conference, Washington D.C., pages 516-520, December, 2012. 

  • Kai Qian, Prabir Bhattacharya, Minzhe Guo, Li Yang, Work in Progress: Real World Relevant Security Labware for Mobile Threat Analysis and Protection Experience, Frontier in Education, Seattle, WA, November, 2012.

Student Research Papers 

  1. Defending against XSS,CSRF, and Clickjacking by David Bishop from CPSC5900 (Graduate Project), spring 2012

  2. Entity Authentication in a Mobile-Cloud Environment by David Schwab from CPSC5900 (Graduate Project), summer 2012 

  3. Securing Android Communication using Cryptography by Brandon Davidoff from CPSC5900 (Graduate Project),  fall 2011 

  4. Network Covert Channels on the Android Platform by Wade Gasior from CPSC5999 (Master Thesis), fall 2011

  5. Entropy based approach to detect covert timing channels By Xiuwei Yi, Dhaval Patel from CPSC 4600/5600 (Biometrics and Cryptography)
  6. RSA Attacks By Abdulaziz Alrasheed and Fatima from CPSC 4600/5600 (Biometrics and Cryptography)
  7. White Box Cryptography by Vivek Vijayan and Raj Thakkar from CPSC 4600/5600 (Biometrics and Cryptography)
  8. Security Issues of Ad Hoc Networks by Robert Derveloy from CPSC 4620/5620 (Computer Network Security)
  9. Attacks on TCP/IP Protocols by Robbie Myers from CPSC 4620/5620 (Computer Network Security)
  10. Security Concerns and Countermeasures in Cloud by Pallavi Sidella from CPSC 4620/5620 (Computer Network Security)
  11. The Continuous Rise for Social Networking Privacy and Security by Adrian M. Powell CPSC 4620/5620 (Computer Network Security)
  12. Overview of CryptDB by Dhaval Patel, Yi Jiang from CPSC 4670/5670 (Database Security and Auditing)
  13. Hacking Database for Owning your Data By Abdulaziz Alrasheed & Xiuwei Yi from CPSC 4670/5670 (Database Security and Auditing)

Student Papers and Projects from Non-IA Courses or Disciplines

1. Defining the Line of Personal Data Privacy by Larry Pratt from CPSC 3610 (Computer Ethics)

2. Ethical Issues of Online Advertising and Privacy by Keelan Carpenter from CPSC 3610 (Computer Ethics)

3. Visualization Project from CPSC 4900-4910 (Capstone Project)

Funding and Grant 

Research Topics

Behavior Tracking and Ad Network

Dhaval Patel

One of the fastest-growing businesses on the Internet, a Wall Street Journal investigation has found, is the business of spying on web users. The Journal conducted a comprehensive study that assessed and analyzed a broad array of surveillance technologies that companies use to monitor Internet users. It revealed that tracking of consumers has grown both far more pervasive and far more intrusive than was realized by all but a handful of people in the vanguard of the industry. Recent studies have proposed several approaches to preventing this business from spying on web users without disrupting the main web functionalities, such as providing advertisements.

Securing Health Data in mStroke: A System for Stroke Rehabilitation 

David Schwab, Dan Kolb, Eric Reinsmidt 

Mobile devices have seen a steady increase in usage in recent years, and mobile security has become important in part because of the shift of the computing landscape towards mobile devices. Security and assurance of mobile computing is vital to the normal functioning of people's lives and of our social, economic and political systems. In this paper, we propose and implement a novel system that authenticates users, devices and a remote server in a mobile computing environment based on fuzzy vault, digital signature and zero-knowledge authentication. Since mobile devices can be lost or stolen, it is important not only to authenticate the device but also to authenticate the user of the device. Finally, as in any client-server model, the server must be authenticated as well. Client and server authentication is provided using digital signatures, while the user is authenticated using a fuzzy picture password technique. Secure communications are provided by using an AES session key generated by a Diffie-Hellman key exchange.

Fine-grained Reputation-based Routing in Wireless Ad Hoc Networks

Mobile Ad-hoc Networks (MANETs) are extremely helpful in supporting and forming an instant network when no fixed infrastructure is available. MANETs can support applications in a variety of areas such as emergency assistance and inter-vehicle communications. Most wireless ad-hoc routing protocols are designed to discover and maintain an active path from source to destination under the assumption that every node is friendly. However, participating nodes may be selfish or malicious. A mechanism to evaluate reputation and trust for each node is essential for the reliability of routing protocols in MANETs.

We integrate reputation and trust management into routing protocols in MANETs. The reputation mechanism is based on constantly monitoring and updating first-hand and second-hand information. Nodes within the network monitor their neighbors and obtain first-hand information from the perceived behavior. Second-hand information is obtained by sharing first-hand information with other nodes. Each node thus creates a total reputation value by combining first-hand and second-hand information, and the total reputation value is then available to neighboring nodes for routing decisions. The Dynamic Source Routing Protocol (DSR) is selected to explore the possibility and benefits of integrating reputation and trust management into a routing protocol. Reputation-based routing is designed to improve reliability in both route discovery and route maintenance in MANETs.
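As an added illustration of the first-hand/second-hand combination described above (example code written for this page, not the project's own implementation): each node keeps forward/drop counts for its neighbors, its first-hand value is the observed forwarding ratio, and the total reputation blends that with the average of peer reports. The 0.7/0.3 weighting, the 0.5 routing threshold and the node behaviors in `build_example_network` are all assumptions constructed for the example; the page gives no formula.

```python
from collections import defaultdict


class Node:
    """A MANET node that watches its neighbours forward (or drop) packets."""

    def __init__(self, name):
        self.name = name
        # first-hand counts: neighbour -> [forwarded, dropped]
        self.observations = defaultdict(lambda: [0, 0])

    def observe(self, neighbour, forwarded):
        """Record one first-hand observation of `neighbour`'s forwarding behaviour."""
        self.observations[neighbour][0 if forwarded else 1] += 1

    def first_hand(self, neighbour):
        """First-hand reputation: fraction of watched packets forwarded, None if never seen."""
        fwd, drop = self.observations.get(neighbour, (0, 0))
        total = fwd + drop
        return None if total == 0 else fwd / total

    def total_reputation(self, neighbour, peers, own_weight=0.7):
        """Blend own first-hand value with peers' first-hand reports (second-hand).

        The weighting is an assumption of this example: own observations count
        `own_weight`, the average of peer reports counts the rest; peers that
        never observed the neighbour contribute nothing.
        """
        reports = [r for r in (p.first_hand(neighbour) for p in peers if p is not self)
                   if r is not None]
        own = self.first_hand(neighbour)
        if own is None and not reports:
            return None
        if own is None:
            return sum(reports) / len(reports)
        if not reports:
            return own
        return own_weight * own + (1 - own_weight) * (sum(reports) / len(reports))

    def choose_next_hop(self, candidates, peers, min_reputation=0.5):
        """Pick the candidate with the highest total reputation at or above the threshold."""
        scored = [(self.total_reputation(c, peers), c) for c in candidates]
        scored = [(r, c) for r, c in scored if r is not None and r >= min_reputation]
        return max(scored)[1] if scored else None


def build_example_network():
    """Constructed scenario: B forwards reliably, C is selfish and drops most packets."""
    a, d, e = Node("A"), Node("D"), Node("E")
    for _ in range(9):
        a.observe("B", True)
    a.observe("B", False)
    for _ in range(2):
        a.observe("C", True)
    for _ in range(8):
        a.observe("C", False)
    # peers D and E also watched C; E has never seen B at all
    for _ in range(5):
        d.observe("C", False)
        d.observe("B", True)
    for _ in range(3):
        e.observe("C", False)
    e.observe("C", True)
    return a, [d, e]


if __name__ == "__main__":
    a, peers = build_example_network()
    for n in ("B", "C"):
        print(n, "first-hand", a.first_hand(n), "total", round(a.total_reputation(n, peers), 4))
    print("next hop:", a.choose_next_hop(["B", "C"], peers))
```

The selfish node C ends up well below the threshold even though A alone saw it forward some packets, because the peers' second-hand reports pull the total down; a node with no observers at all returns `None` rather than a default score, so the caller can distinguish "unknown" from "untrusted".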

TMAS: A Capstone Project

Hurricane Katrina that devastated the Gulf Coast region in 2005 exposed the management weaknesses and vulnerabilities in both the infrastructure and communication in emergency systems at federal, state, and local levels.   Out of this unfortunate situation, UTC became involved in developing a local system to support a timely, secure and reliable emergency communication system. Last year, Total Municipal Awareness System (TMAS) was selected as the capstone project for both undergraduate and graduate students.

A Relationship-based Context-aware Flexible Authorization Framework for Mediation Systems

Security is a critical concern for mediator-based data integration among heterogeneous data sources. We provide a modeling and architectural solution to the problem of mediation security that addresses the security challenges including context-awareness, semantic heterogeneity, and multiple security policy specification. A generic, extensible modeling method for the security policies in mediation systems is presented. A series of authorization constraints are identified based on the relationship on the different security components in the mediation systems. Moreover, we enforce the flexible access control to mediation systems while providing uniform access for heterogeneous data sources.

SecCMP: A Secure Chip-Multiprocessor Architecture

Security has been considered an important issue in processor design. Most existing mechanisms address security and integrity issues caused by untrusted main memory in single-core systems. We propose a secure Chip-Multiprocessor architecture (SecCMP) to handle security-related problems such as key protection and core authentication in multi-core systems. A threshold secret sharing scheme is employed to protect critical keys because secret sharing is a distributed security scheme that matches the nature of multi-core systems. A critical secret is divided and distributed among multiple cores instead of keeping a single copy that is sensitive to exposure. The proposed SecCMP not only enhances security and fault tolerance in key protection but also supports core authentication. It is designed to be an efficient and secure architecture for CMPs. We use an application to demonstrate secure remote access to and sharing of critical information supported by SecCMP. Integrated with identity-based cryptography, SecCMP provides a secure and reliable way to generate and distribute encryption keys between a local host and a remote site when prior distribution of keys is not available.
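To make the key-protection idea concrete, here is an added example (written for this page, not the SecCMP code) of splitting a key across cores with Shamir's threshold scheme. The page only says "threshold secret sharing"; choosing Shamir's scheme, the 127-bit prime field, and the core counts is an assumption of the example. It shows the two properties the abstract claims: any threshold number of cores can rebuild the key (fault tolerance), and fewer cannot (no single exposure point).

```python
import secrets

# Prime field for all share arithmetic (2**127 - 1 is a Mersenne prime);
# every secret must be smaller than P. Field choice is an assumption of this example.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x (mod P), Horner style."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n_cores, threshold, rng=secrets.randbelow):
    """Split `secret` into n_cores shares so that any `threshold` of them reconstruct it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is that polynomial evaluated at x = i (one share held by core i).
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    if not 1 <= threshold <= n_cores:
        raise ValueError("need 1 <= threshold <= n_cores")
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n_cores + 1)]


def reconstruct_secret(shares):
    """Recover the constant term by Lagrange interpolation at x = 0 (mod P).

    Callers must pass at least `threshold` distinct shares; fewer shares yield a
    field element unrelated to the secret, which is what protects it.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # den is non-zero because the x values are distinct, so its inverse exists
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def survives_core_loss(secret, n_cores, threshold, lost_cores):
    """Model losing the cores in `lost_cores`: can the remaining cores rebuild the key?

    True iff at least `threshold` shares survive and they reconstruct `secret`.
    """
    shares = split_secret(secret, n_cores, threshold)
    remaining = [s for s in shares if s[0] not in lost_cores]
    if len(remaining) < threshold:
        return False
    return reconstruct_secret(remaining[:threshold]) == secret


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(15), "big")  # constructed 120-bit key
    shares = split_secret(key, n_cores=4, threshold=3)
    print("any 3 of 4 cores rebuild the key:", reconstruct_secret(shares[1:]) == key)
    print("2 cores alone rebuild the key:   ", reconstruct_secret(shares[:2]) == key)
    print("survives loss of one core:        ", survives_core_loss(key, 4, 3, {2}))
    print("survives loss of two cores:       ", survives_core_loss(key, 4, 3, {1, 2}))
```

With a 3-of-4 split, one failed or compromised core neither loses the key nor leaks it; the threshold is the dial between fault tolerance (lower) and exposure resistance (higher).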

Integrate Trust into Usage Control in File Sharing

Most access control models have formal access control rules to govern the authorization of a request from a principal. Trust evaluation helps to identify a principal, or the behaviors of a principal, in a pervasive and collaborative environment when complete information on the principal is not available. We integrate trust management into the usage control model to make file sharing decisions in an ever-changing environment. The attributes associated with a principal and the requested objects, the contexts associated with a request, and even the behaviors of a principal can change during collaborative file sharing. Such mutability poses challenges for file protection when resources must be shared during collaboration. To address these challenges, we propose a framework to determine the trust value of a principal and integrate that trust into access control decisions on resource exchange. First, a trust value for a principal is evaluated based on both observed behaviors and peer recommendations. Second, the usage-based access control rules are checked to decide the authorization of a request. Our system is dynamic because an untrusted principal can be disenrolled and ongoing access can be revoked when it no longer meets the access control rules due to mutability. We apply our trust-based usage control framework to a file sharing application by simulation.

Dependable Information Communication System (DICS) in Disaster Management

Disaster management efforts range from disaster forecasting, intra- and inter-agency coordination protocols, emergency notification, acknowledgment and evacuation plans, to rescue relief distribution methods, e.g. food and drug distribution. The key challenge for all of these efforts is dependable and timely communication between agencies and the public, which significantly affects the ability of emergency management to minimize damage. The proposed dependable information communication system (DICS) will provide and maintain vital communication between the public, the physical environment, emergency responders, safety departments, hospitals, police offices and emergency services in the face of natural disasters (e.g., hurricanes) or man-made disasters (e.g., terrorism). The proposed system includes a wireless sensor ad hoc network that monitors the real-time situation of the environment as well as of peers, and a set of reliable Information Communication Mediators (ICMs) that employ redundant network communication channels. The ICMs progressively and securely deliver and acknowledge receipt of time-sensitive disaster-related information over several channels, so that they reinforce secure communication between different agencies.

Web and Browser Security

1. Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. 2010. A solution for the automated detection of clickjacking attacks. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS '10). ACM, New York, NY, USA, 135-144. 

2. Know your enemy: web application threats: http://honeynet.org/book/export/html/1

3. Kapil Singh, Alexander Moshchuk, Helen J. Wang, and Wenke Lee, On the Incoherencies in Web Browser Access Control Policies, 2010. 

4. Thomas Wadlow, Vlad Gorelik, Security in the Browser, ACM Queue, 2009. 

5. Willem De Groef, Dominique Devriese, Nick Nikiforakis, and Frank Piessens. 2012. FlowFox: a web browser with flexible and precise information flow control. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, 748-759.

6. Eric Yawei Chen, Jason Bau, Charles Reis, Adam Barth, and Collin Jackson. 2011. App isolation: get the security of multiple browsers with just one. In Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY, USA, 227-238. 

7. Shuo Tang, Haohui Mai, Samuel T. King, Trust and Protection in the Illinois Browser Operating System, In Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI), October 2010.

8. Mike Ter Louw, Karthik Thotta Ganesh, and V. N. Venkatakrishnan. 2010. AdJail: practical enforcement of confidentiality and integrity policies on web advertisements. In Proceedings of the 19th USENIX conference on Security (USENIX Security'10). USENIX Association, Berkeley, CA, USA, 24-24.

9. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson, Busting frame busting: a study of clickjacking vulnerabilities at popular sites, IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010).

10. Daniel Bates, Adam Barth, and Collin Jackson. 2010. Regular expressions considered harmful in client-side XSS filters. In Proceedings of the 19th international conference on World wide web (WWW '10). ACM, New York, NY, USA, 91-100.

11. Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. 2009. The multi-principal OS construction of the gazelle web browser. In Proceedings of the 18th conference on USENIX security symposium (SSYM'09). USENIX Association, Berkeley, CA, USA, 417-432.

Cloud Security

1. Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, and Luigi Lo Iacono. 2011. All your clouds are belong to us: security analysis of cloud management interfaces. In Proceedings of the 3rd ACM workshop on Cloud computing security workshop (CCSW '11). ACM, New York, NY, USA, 3-14.

2. Pearson, S., "Taking account of privacy when designing cloud computing services," ICSE Workshop on Software Engineering Challenges of Cloud Computing (CLOUD '09), pp. 44-52, 23 May 2009.

3. Cong Wang, Qian Wang, Kui Ren, Wenjing Lou, "Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing," INFOCOM 2010, Proceedings IEEE, pp. 1-9, 14-19 March 2010.

4. Ko, R.K.L., Jagadpramana, P., Mowbray, M., Pearson, S., Kirchberg, M., Qianhui Liang, Bu Sung Lee, "TrustCloud: A Framework for Accountability and Trust in Cloud Computing," 2011 IEEE World Congress on Services (SERVICES), pp. 584-588, 4-9 July 2011.

5. Dimitrios Zissis and Dimitrios Lekkas. 2012. Addressing cloud computing security issues. Future Gener. Comput. Syst. 28, 3 (March 2012), 583-592.

6. Richard Chow, Philippe Golle, Markus Jakobsson, Elaine Shi, Jessica Staddon, Ryusuke Masuoka, and Jesus Molina. 2009. Controlling data in the cloud: outsourcing computation without outsourcing control. In Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09). ACM, New York, NY, USA, 85-90. 

7. Qian Wang, Cong Wang, Jin Li, Kui Ren, and Wenjing Lou. 2009. Enabling public verifiability and data dynamics for storage security in cloud computing. In Proceedings of the 14th European conference on Research in computer security (ESORICS'09), Michael Backes and Peng Ning (Eds.). Springer-Verlag, Berlin, Heidelberg, 355-370. 

8. Luis M. Vaquero, Luis Rodero-Merino, and Daniel Moran. Locking the sky: a survey on IaaS cloud security. Computing 91, 1 (January 2011), 93-118.

9. Kaufman, L.M., "Data Security in the World of Cloud Computing," IEEE Security & Privacy, vol. 7, no. 4, pp. 61-64, July-Aug. 2009.

10. Balachandra Reddy Kandukuri, Ramakrishna Paturi V., and Atanu Rakshit. 2009. Cloud Security Issues. In Proceedings of the 2009 IEEE International Conference on Services Computing (SCC '09). IEEE Computer Society, Washington, DC, USA, 517-520. 

11. Ramgovind, S., Eloff, M.M., Smith, E., "The management of security in Cloud computing," Information Security for South Africa (ISSA), 2010, pp. 1-7, 2-4 Aug. 2010.

12. Yanpei Chen, Vern Paxson and Randy H. Katz, What’s New About Cloud Computing Security?, Technical Report, UC Berkeley, 2010. 

13. Abdul Nasir Khan, M.L. Mat Kiah, Samee U. Khan, Sajjad A. Madani, Towards secure mobile cloud computing: A survey, Future Generation Computer Systems, Volume 29, Issue 5, July 2013, Pages 1278-1299, ISSN 0167-739X, http://dx.doi.org/10.1016/j.future.2012.08.003.