Center for Information Security and Assurance Publications

Book publication

  • Joseph M. Kizza, Guide to Computer Network Security – 2nd Edition – Hardcover.
  • Joseph M. Kizza, Guide to Computer Network Security – 1st Edition – Chinese.
  • Joseph M. Kizza, Social and Ethical Issues in the Information Age – 5th Edition – Hardcover.
  • Joseph M. Kizza, Social and Ethical Issues in the Information Age – 5th Edition – Archived Edition.
  • Joseph M. Kizza, Computer Network Security and Cyber Ethics, Third Edition. McFarland & Company.
  • Joseph M. Kizza, Ethical and Social Issues in the Information Age, Fourth Edition. Springer-Verlag, London.
  • Joseph M. Kizza, Guide to Computer Network Security. Springer-Verlag, London, UK, 2009.
  • Joseph M. Kizza, Securing the Information Infrastructure. IGI Global, Hershey, PA, 2008.
  • Joseph M. Kizza, Ethical and Social Issues in the Information Age, Third Edition. Springer-Verlag, New York, 2007.

Journal/Book Chapter publication

  • Prabir Bhattacharya, Li Yang, Minzhe Guo, Kai Qian, Ming Yang, Learning Mobile Security with Labware, Education column, IEEE Security and Privacy Magazine, Vol. 12, No. 1, 2014.
  • Wu He, Xiaohong Yuan, Li Yang, Supporting Case-based Learning in Information Security with Web-based Technology, Journal of Information Systems Education (JISE) Special Issue: Global Information Security and Assurance, Volume 24, Number 1, Spring 2013.
  • Joseph Kizza, Li Yang, Social History of Computing and Online Social Communities, the Encyclopedia of Social Network Analysis and Mining (ESNAM), 2013.
  • Joseph Kizza, Li Yang, Is the Cloud the Future of Computing?, a book chapter in "Security, Trust, and Regulatory Aspects of Cloud Computing in Business Environments", 2013.
  • Harkeerat Bedi, Li Yang, A Resilient Fair Electronic Contract Signing Protocol, Chapter 17, Security and Privacy Assurance in Advancing Technologies: New Developments, 2010.
  • Li Yang, Managing Secure Database Systems, a book chapter in Readings and Cases in Information Security: Law and Ethics, Whitman, M.E. & Mattord, H. J. (editors), Course Technology, Cengage Learning, ISBN 1-435-44157-5, 2011.
  • Ran Tao, Li Yang, et al., A Host-Based Intrusion Detection System Using Architectural Features to Improve Sophisticated Denial-of-Service Attack Detections, International Journal of Information Security and Privacy, 2010.
  • Li Yang, Alma Cemerlic, Xiaohui Cui, A Fine-grained Reputation System for Reliable Routing in Wireless Ad Hoc Networks, Journal of Security and Communication Networks, 2010.
  • L. Peng, L. Yang and B. Ramadass, Architectural Support for Enhancing Critical Secrets Protection in Chip-Multiprocessors, a book chapter in Pervasive Information Security and Privacy Developments: Trends and Advancements, June 2010.

Conference Proceedings

Student Research Papers 

  1. Defending against XSS, CSRF, and Clickjacking by David Bishop from CPSC5900 (Graduate Project), spring 2012
  2. Entity Authentication in a Mobile-Cloud Environment by David Schwab from CPSC5900 (Graduate Project), summer 2012
  3. Securing Android Communication using Cryptography by Brandon Davidoff from CPSC5900 (Graduate Project), fall 2011
  4. Network Covert Channels on the Android Platform by Wade Gasior from CPSC5999 (Master Thesis), fall 2011
  5. Entropy-based Approach to Detect Covert Timing Channels by Xiuwei Yi and Dhaval Patel from CPSC 4600/5600 (Biometrics and Cryptography)
  6. RSA Attacks by Abdulaziz Alrasheed and Fatima from CPSC 4600/5600 (Biometrics and Cryptography)
  7. White Box Cryptography by Vivek Vijayan and Raj Thakkar from CPSC 4600/5600 (Biometrics and Cryptography)
  8. Security Issues of Ad Hoc Networks by Robert Derveloy from CPSC 4620/5620 (Computer Network Security)
  9. Attacks on TCP/IP Protocols by Robbie Myers from CPSC 4620/5620 (Computer Network Security)
  10. Security Concerns and Countermeasures in Cloud by Pallavi Sidella from CPSC 4620/5620 (Computer Network Security)
  11. The Continuous Rise for Social Networking Privacy and Security by Adrian M. Powell from CPSC 4620/5620 (Computer Network Security)
  12. Overview of CryptDB by Dhaval Patel and Yi Jiang from CPSC 4670/5670 (Database Security and Auditing)
  13. Hacking Database for Owning your Data by Abdulaziz Alrasheed and Xiuwei Yi from CPSC 4670/5670 (Database Security and Auditing)

Student Papers and Projects from Non-IA Courses or Disciplines

1. Defining the Line of Personal Data Privacy by Larry Pratt from CPSC 3610 (Computer Ethics)

2. Ethical Issues of Online Advertising and Privacy by Keelan Carpenter from CPSC 3610 (Computer Ethics)

3. Visualization Project from CPSC 4900-4910 (Capstone Project)

Funding and Grant 

Research Topics

Behavior Tracking and Ad Network

Dhaval Patel

One of the fastest-growing businesses on the Internet, a Wall Street Journal investigation has found, is the business of spying on web users. The Journal conducted a comprehensive study that assessed and analyzed a broad array of surveillance technologies that companies use to monitor Internet users. It revealed that the tracking of consumers has grown both far more pervasive and far more intrusive than anyone but a handful of people in the vanguard of the industry had realized. Recent studies have proposed several approaches to preventing this spying on web users without disrupting the main web functionalities, such as serving advertisements.

Securing Health Data in mStroke: A System for Stroke Rehabilitation 

David Schwab, Dan Kolb, Eric Reinsmidt 

Mobile devices have seen a sharp increase in usage in recent years, and mobile security has become important in part because of the shift of the computing landscape towards mobile devices. The security and assurance of mobile computing is vital to the normal functioning of people's lives and of our social, economic and political systems. In this paper, we propose and implement a novel system that authenticates users, devices and a remote server in a mobile computing environment based on a fuzzy vault, digital signatures and zero-knowledge authentication. Since mobile devices can be lost or stolen, it is important not only to authenticate the device but also to authenticate the user of the device. Finally, as in any client-server model, the server must be authenticated as well. Client and server authentication is provided using digital signatures, while the user is authenticated using a fuzzy picture password technique. Secure communications are provided by an AES session key generated from a Diffie-Hellman key exchange.

Fine-grained Reputation-based Routing in Wireless Ad Hoc Networks

Mobile Ad-hoc Networks (MANETs) are extremely helpful in forming an instant network when no fixed infrastructure is available. MANETs can support applications in a variety of areas such as emergency assistance and inter-vehicle communications. Most wireless ad-hoc routing protocols developed to date are designed to discover and maintain an active path from source to destination under the assumption that every node is friendly. However, participating nodes may be selfish or malicious. A mechanism to evaluate the reputation and trust of each node is therefore essential for the reliability of routing protocols in MANETs.

We integrate reputation and trust management into routing protocols in MANETs. The reputation mechanism is based on constantly monitoring and updating first-hand and second-hand information. Nodes within the network monitor their neighbors and obtain first-hand information from the observed behavior. Second-hand information is obtained by sharing first-hand information with other nodes. Each node then computes a total reputation value by combining first-hand and second-hand information. The total reputation value is made available to neighboring nodes for routing decisions. The Dynamic Source Routing Protocol (DSR) is selected to explore the feasibility and benefits of integrating reputation and trust management into a routing protocol. Reputation-based routing is designed to improve reliability in both route discovery and route maintenance in MANETs.

TMAS: A Capstone Project

Hurricane Katrina, which devastated the Gulf Coast region in 2005, exposed management weaknesses and vulnerabilities in both the infrastructure and the communication of emergency systems at the federal, state, and local levels. Out of this unfortunate situation, UTC became involved in developing a local system to support timely, secure and reliable emergency communication. Last year, the Total Municipal Awareness System (TMAS) was selected as the capstone project for both undergraduate and graduate students.

A Relationship-based Context-aware Flexible Authorization Framework for Mediation Systems

Security is a critical concern for mediator-based data integration among heterogeneous data sources. We provide a modeling and architectural solution to the problem of mediation security that addresses challenges including context-awareness, semantic heterogeneity, and the specification of multiple security policies. A generic, extensible modeling method for the security policies of mediation systems is presented. A series of authorization constraints is identified based on the relationships among the different security components of the mediation system. Moreover, we enforce flexible access control for mediation systems while providing uniform access to heterogeneous data sources.

SecCMP: A Secure Chip-Multiprocessor Architecture

Security has been considered an important issue in processor design. Most existing mechanisms address security and integrity issues caused by untrusted main memory in single-core systems. We propose a secure Chip-Multiprocessor architecture (SecCMP) to handle security-related problems such as key protection and core authentication in multi-core systems. A threshold secret sharing scheme is employed to protect critical keys, because secret sharing is a distributed security scheme that matches the nature of multi-core systems: a critical secret is divided and distributed among multiple cores instead of keeping a single copy that is vulnerable to exposure. The proposed SecCMP not only enhances security and fault tolerance in key protection but also supports core authentication. It is designed to be an efficient and secure architecture for CMPs. We use an application to demonstrate secure remote access to and sharing of critical information supported by SecCMP. Integrated with identity-based cryptography, SecCMP provides a secure and reliable way to generate and distribute encryption keys between a local host and a remote site when prior distribution of keys is not available.

Integrate Trust into Usage Control in File Sharing

Most access control models have formal access control rules to govern the authorization of a request from a principal. Trust evaluation helps to identify a principal, or the behaviors of a principal, in a pervasive and collaborative environment when complete information on the principal is not available. We integrate trust management into the usage control model to make file sharing decisions in an ever-changing environment. The attributes associated with a principal and the requested objects, the contexts associated with a request, and even the behaviors of a principal can change in a collaborative file sharing environment. Such mutability poses challenges for file protection when resource sharing must happen during collaboration. To address these challenges, we propose a framework to determine the trust value of a principal and thus integrate trust into access control decisions on resource exchange. First, a trust value for a principal is evaluated based on both observed behaviors and peer recommendations. Second, the usage-based access control rules are checked to decide the authorization of a request. Our system is dynamic because an untrusted principal can be disenrolled and on-going access can be revoked when it no longer meets the access control rules due to mutability. We apply our trust-based usage control framework to a file sharing application by simulation.

Dependable Information Communication System (DICS) in Disaster Management

Disaster management efforts range from disaster forecasting, intra- and inter-agency coordination protocols, emergency notification, acknowledgment and evacuation plans, to rescue relief distribution methods such as food and drug distribution. The key challenge for all of these efforts is dependable and timely communication between agencies and the public, which significantly improves emergency management's ability to minimize damage. The proposed dependable information communication system (DICS) will provide and maintain vital communication between the public, the physical environment, emergency responders, safety departments, hospitals, police offices and emergency services in the face of a natural disaster (e.g., a hurricane) or a man-made disaster (e.g., terrorism). The proposed system includes a wireless sensor ad hoc network that monitors the real-time situation of the environment as well as of peers, and a set of reliable Information Communication Mediators (ICMs) that employ redundant network communication channels. The ICMs progressively and securely deliver, and acknowledge receipt of, time-sensitive disaster-related information over several channels so that they reinforce secure communication between different agencies.

Web and Browser Security

1. Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. 2010. A solution for the automated detection of clickjacking attacks. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS '10). ACM, New York, NY, USA, 135-144. 

2. Know your enemy: web application threats.

3. Kapil Singh, Alexander Moshchuk, Helen J. Wang, and Wenke Lee, On the Incoherencies in Web Browser Access Control Policies, 2010. 

4. Thomas Wadlow, Vlad Gorelik, Security in the Browser, ACM Queue, 2009. 

5. Willem De Groef, Dominique Devriese, Nick Nikiforakis, and Frank Piessens. 2012. FlowFox: a web browser with flexible and precise information flow control. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, 748-759.

6. Eric Yawei Chen, Jason Bau, Charles Reis, Adam Barth, and Collin Jackson. 2011. App isolation: get the security of multiple browsers with just one. In Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY, USA, 227-238. 

7. Shuo Tang, Haohui Mai, Samuel T. King, Trust and Protection in the Illinois Browser Operating System, In Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI), October 2010.

8. Mike Ter Louw, Karthik Thotta Ganesh, and V. N. Venkatakrishnan. 2010. AdJail: practical enforcement of confidentiality and integrity policies on web advertisements. In Proceedings of the 19th USENIX conference on Security (USENIX Security'10). USENIX Association, Berkeley, CA, USA, 24-24.

9. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson. Busting frame busting: a study of clickjacking vulnerabilities at popular sites, IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010).

10. Daniel Bates, Adam Barth, and Collin Jackson. 2010. Regular expressions considered harmful in client-side XSS filters. In Proceedings of the 19th International Conference on World Wide Web (WWW '10). ACM, New York, NY, USA, 91-100.

11. Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. 2009. The multi-principal OS construction of the gazelle web browser. In Proceedings of the 18th conference on USENIX security symposium (SSYM'09). USENIX Association, Berkeley, CA, USA, 417-432.

Cloud Security

1. Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, and Luigi Lo Iacono. 2011. All your clouds are belong to us: security analysis of cloud management interfaces. In Proceedings of the 3rd ACM Workshop on Cloud Computing Security (CCSW '11). ACM, New York, NY, USA, 3-14.

2. Pearson, S., "Taking account of privacy when designing cloud computing services," ICSE Workshop on Software Engineering Challenges of Cloud Computing (CLOUD '09), pp. 44-52, 23 May 2009.

3. Cong Wang, Qian Wang, Kui Ren, Wenjing Lou, "Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing," IEEE INFOCOM 2010, pp. 1-9, 14-19 March 2010.

4. Ko, R.K.L., Jagadpramana, P., Mowbray, M., Pearson, S., Kirchberg, M., Qianhui Liang, Bu Sung Lee, "TrustCloud: A Framework for Accountability and Trust in Cloud Computing," 2011 IEEE World Congress on Services (SERVICES), pp. 584-588, 4-9 July 2011.

5. Dimitrios Zissis and Dimitrios Lekkas. 2012. Addressing cloud computing security issues. Future Gener. Comput. Syst. 28, 3 (March 2012), 583-592.

6. Richard Chow, Philippe Golle, Markus Jakobsson, Elaine Shi, Jessica Staddon, Ryusuke Masuoka, and Jesus Molina. 2009. Controlling data in the cloud: outsourcing computation without outsourcing control. In Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09). ACM, New York, NY, USA, 85-90. 

7. Qian Wang, Cong Wang, Jin Li, Kui Ren, and Wenjing Lou. 2009. Enabling public verifiability and data dynamics for storage security in cloud computing. In Proceedings of the 14th European conference on Research in computer security (ESORICS'09), Michael Backes and Peng Ning (Eds.). Springer-Verlag, Berlin, Heidelberg, 355-370. 

8. Luis M. Vaquero, Luis Rodero-Merino, and Daniel Moran. Locking the sky: a survey on IaaS cloud security. Computing 91, 1 (January 2011), 93-118.

9. Kaufman, L.M., "Data Security in the World of Cloud Computing," IEEE Security & Privacy, vol. 7, no. 4, pp. 61-64, July-Aug. 2009.

10. Balachandra Reddy Kandukuri, Ramakrishna Paturi V., and Atanu Rakshit. 2009. Cloud Security Issues. In Proceedings of the 2009 IEEE International Conference on Services Computing (SCC '09). IEEE Computer Society, Washington, DC, USA, 517-520. 

11. Ramgovind, S., Eloff, M.M., Smith, E., "The management of security in Cloud computing," Information Security for South Africa (ISSA), 2010, pp. 1-7, 2-4 Aug. 2010.

12. Yanpei Chen, Vern Paxson and Randy H. Katz, What’s New About Cloud Computing Security?, Technical Report, UC Berkeley, 2010. 

13. Abdul Nasir Khan, M.L. Mat Kiah, Samee U. Khan, Sajjad A. Madani, Towards secure mobile cloud computing: A survey, Future Generation Computer Systems, Volume 29, Issue 5, July 2013, Pages 1278-1299, ISSN 0167-739X.