Cybersecurity: Your Secrets Are Safe With Us
This article originally appeared in the 2020 Engineering @ Northeastern magazine.
Northeastern researchers are at the forefront of cybersecurity research, protecting everything from the phone in your pocket to the city of the future.
By and large, the constantly connected and ever-growing internet that is so ubiquitous to everyday life is being run on an infrastructure that was created in the 1970s and 1980s.
“The world was different then; things like privacy weren’t baked into the system,” says Associate Professor Kaushik Chowdhury, electrical and computer engineering. “Now that devices have gotten so much faster, but the core network is still the same, we are working to learn the proper offenses and defenses to keep our information and ourselves safer.”
Institute of Information Assurance
Northeastern is at the cutting edge of cybersecurity research with a number of on-site research centers and institutes dedicated to various aspects of this burgeoning and deeply specialized field. Professor Engin Kirda, jointly appointed in computer sciences and electrical and computer engineering (ECE), is the director of Northeastern’s Institute of Information Assurance (IIA), which focuses on issues of cybersecurity and privacy. Kirda and his multidisciplinary team from across Northeastern’s colleges of engineering, computer science, and social sciences considers everything from the theoretical (such as encryption and data security), to the practical (such as how users recover from attacks).
“Cybersecurity itself is an issue that has been around for at least 15 years, but only recently has the internet become a critical infrastructure to our everyday lives,” says Kirda. “While the technology giants like Google and Facebook are, of course, interested in cybersecurity, so is everyone else because everything is connected, including your home and all your devices.”
In addition to large tech organizations, the IIA works with many other funding agencies, such as the National Science Foundation (NSF), the Office of Naval Research, and the U.S. Army and Air Force. Because of their ongoing research and education, the Institute contributes to Northeastern’s stature as a National Security Agency/Department of Homeland Security Center of Academic Excellence in Information Assurance Research and Education.
Another hotbed for cybersecurity research at Northeastern is a new multi-university research center called the Center for Hardware and Embedded Systems Security and Trust, or CHEST. ECE Professor Yunsi Fei is the Northeastern lead working with a consortium of five other universities, each responsible for a $750K, five-year grant from the NSF.
Part of the Industry-University Cooperative Research Centers Program, CHEST seeks to tackle common issues faced by industry. The idea is that funding will come both from the NSF and member companies at each university site to work on applicable solutions for their largest challenges. The insights and innovations are then shared throughout the consortium, making the greatest impact possible.
“CHEST is different from usual research centers, because the work is use-inspired, case-driven, and highly practical,” says Fei. “Because the needs come directly from industry, we have to align our research with their biggest issues right now.”
CHEST started running in October of 2019, and they are now in the process of kicking off their initial projects. They’ll be focusing on understanding and preventing security vulnerabilities in both hardware and software systems, as well as on different computing platforms, and ultimately in various applications supported by cyber-physical systems and infrastructures. Current members run the gamut from commercial to nonprofit to governmental and include AFRL, Boston-based electronics manufacturer Analog Devices, Draper Laboratory, Booz Allen Hamilton, and more.
Institute for the Wireless Internet of Things
Also established in fall 2019 was the Institute for the Wireless Internet of Things (WIOT), which is directed by ECE William Lincoln Smith Professor Tommaso Melodia.
“WIOT is focused on advancing research in wireless systems topics in our increasingly connected world and how they interact digitally as well as physically,” says Melodia. “We’re trying to advance the systems that create this interface, as well as the technologies that make this possible.”
One of the important problems WIOT seeks to conquer is expanding our ability to manipulate the wireless spectrum to use more devices. Right now, most devices operate on a tiny portion of the spectrum between 0 and 6 gigahertz, so by adding accessibility in higher frequency bands, Melodia and his team can expand the network capabilities exponentially.
“WIOT would not have been possible without the strengths of all of the participating faculty, who have expertise in everything from AI to networks to sensors to business,” says Melodia. “This complementary group of motivated people that also very much enjoys working together ensures that some very impactful research will come out of WIOT in the coming years.”
Through WIOT, Melodia and his team are involved in Colosseum, the world’s largest radiofrequency channel emulator. Located at Northeastern and developed by DARPA, the Colosseum is a data center that can emulate complex interactions, such as how wireless devices deployed in a metropolitan area behave and interact.
“Colosseum will enable us to create intelligent, autonomous, collaborative wireless technologies for everything from commercial to military use,” says Melodia. “We’re also operating under the philosophy that we can accelerate the industry by making our research and learnings available for everyone, as opposed to keeping it all proprietary.”
Can you see me now?
On the individual research front, ECE Assistant Professor Xue “Shelley” Lin is working to determine deep neural network vulnerabilities by rendering people virtually invisible to the network—simply by wearing a T-shirt.
Working with researchers from Northeastern, IBM, and the Massachusetts Institute of Technology, Lin and her colleagues have created a colorful, somewhat psychedelic pattern that, when worn by a person on an otherwise plain white T-shirt, confuses the deep neural network into thinking they aren’t a person at all.
“Most of my previous work has been in virtual examples in the digital world, when we try to alter the computer’s processes to see if there’s a change in the outcome,” explains Lin. “With this real-world example, we were able to prove that in more than 60 percent of cases, the computer did not recognize that what it was seeing was a person.”
Lin’s work also has ramifications for the future—for example, driverless cars not being able to recognize humans as objects to be avoided would have disastrous consequences.
Making autonomous vehicles smarter and safer
Another of Lin’s cybersecurity projects works directly with autonomous systems, such as cars and drones, this time working to make the deep neural network models for UAVs more robust and to strengthen their resistance against adversarial attacks.
As the principal investigator of a $500K grant from the NSF, Lin works in collaboration with Alfred Chen from the University of California Irvine, who is an expert on cybersecurity for autonomous vehicles. By working with Northeastern’s Center for STEM Education and the Office of Access and Inclusion Center at UC-Irvine, Lin’s research is particularly focused on engaging undergraduates, women, and minority students.
“Our hypothesis is that in deep learning, it’s very important for systems to have full autonomy so that they can make decisions about detection, prediction, and control quickly,” says Lin. “As we work to explore additional vulnerabilities of autonomous systems through their deep learning algorithms, we’re also seeking to develop countermeasures to make these potential attacks less costly.”
Some of the adversarial examples Lin and her team use in attempting to confuse the network are stickers placed on stop signs, or imperceptibly altering the pixels on a digital image. Though Lin’s research is focused on UAVs, these security techniques in general can apply to other systems, such as object detection, facial recognition, and a language model.
Privacy in the palm of your hand
ECE Associate Professor Kaushik Chowdhury is working to bring more data privacy to individual devices that transmit personal data, from your smartphone to pacemakers, fitness watches, and more. “One of the ways in which we are trying to ensure security in the Internet of Things (IoT) age is to identify that each device is the one it claims to be,” explains Chowdhury. “People who intend to steal personal information or otherwise do harm can spoof a device’s unique ID, so through my research we are working to detect and identify devices based on the unique radio signals that they are transmitting.”
Chowdhury and his faculty colleagues— ECE Assistant Professor Stratis Ioannidis, ECE Professor Jennifer Dy, and Professor Melodia—and their student researchers have created a deep neural network that can learn the subtle differences inside each of the many types of devices signals in the world today, adding another layer of authentication that a device is what it claims to be, called radio fingerprinting.
“This research also has ramifications for more nationwide and global security,” says Chowdhury. “We can take this concept and apply it to secret communications, in which we can intentionally inject variation in the way radio signals are being transmitted to encode additional information.”
In fact, Chowdhury’s interest and expertise in this area at the intersection of machine learning and theory of wireless communications started nearly two years ago. He leads a university research team that was selected for a Defense Advanced Research Projects Agency (DARPA) Radio Frequency Machine Learning Systems (RFMLS) Program, which tasks the team with classifying 10,000 different radio signals with 99 percent accuracy.
After the initial DARPA funding, Chowdhury’s work has garnered additional interest and support from the NSF, Air Force Research Laboratory, Office of Naval Research, and other defense-centric organizations.
Making security move faster
Also in the realm of protecting personal data, Assistant Professor Stratis Ioannidis and ECE Professor Miriam Leeser are collaborating on large-scale and secure data mining using field-programmable gate arrays (FPGAs) to protect data privacy.
Today, it’s commonplace for users to want to share their data with various web services, from healthcare to social media. The issue is the knowledge that at some point, their individual data could fall into the wrong hands and be compromised.
“Data coming from human subjects is used from medicine to sociology to economics,” says Ioannidis. “On one hand, this is critically important for scientific discovery, so we can learn, for example, whether certain genes correlate to certain disease. However, this process also raises inherent and well-documented privacy concerns, so it comes down to a question of whether you can use people’s data while also offering them guarantees.”
Currently, the personal information you provide to various web services is transmitted in an encrypted format, but then gets decrypted for processing. With this new method that Ioannidis and Leeser are developing for secure function evaluation methods—funded first by Google, and now through the NSF—the data is used to perform only very specific tasks that users have agreed upon, and nothing more. In particular, data never gets decrypted, so no one would ever have the opportunity to access your information directly.
Accomplishing this level of privacy is computationally expensive—it is 500,000x slower to run this kind of security, so Leeser is using FPGAs to make secure function evaluation more efficiently.
“FPGAs are hardware that can be reconfigured like software, so you get the advantage of specializing your computation to what it is that you want it to do,” explains Leeser. “FPGAs are good at some things and not at others, but solving cryptography is a place where they can shine.”
The team is partnering with Amazon Web Services and using their specialized hardware on this project. Beyond the benefits of acceleration, enabling such secure computations in the cloud can also help with making secure function evaluation more broadly available.
Finding weaknesses in deep neural networks
Another team interested in data privacy are ECE faculty members Fei and Lin and Northeastern’s Khoury College Associate Professor Thomas Wahl, who are working together on a $1.2 million NSF grant to secure deep neural networks against side-channel and fault attacks.
Side-channel attacks are covert and based on passive information leakage about how a computer system executes sensitive applications, while fault attacks are much more active: They manipulate a device in a physical way—such as laser beaming or electromagnetic pulsing—to try to generate temporary errors that lead to system failure or secret retrieval.
In order to understand and prevent against these kinds of assaults, the team’s research is threefold:
- Studying the vulnerability of deep neural networks to model reverse engineering to prevent side-channel attacks
- Investigating how likely active fault attacks are to disrupt the execution of deep neural networks
- Identifying ways to protect, detect, and shore up secure execution of deep neural networks
The team is considering these issues holistically from a backend/analytical way and a front end/practical way. And like Ioannidis and Leeser’s research, all of the team’s findings, methodologies, and software tools will be made available to the public to facilitate community usage.
The future lies with the students
No matter which piece of the cybersecurity puzzle Northeastern’s faculty are trying to understand, one of the constants is the invaluable input and innovation that comes from students.
“They are at the core of what we do,” says Melodia. “At WIOT, they’re not only doing research on groundbreaking technology, but they’re being trained on becoming the tech and cybersecurity leaders of tomorrow. Our graduates are highly prepared and are taking jobs immediately in industry, from Google to manufacturing to academia.”
“Today, there are more attacks and the bad guys are getting better and more sophisticated, so defending against them requires more thought and preparation, especially from an interdisciplinary point of view,” says Kirda. “We’re proud that Northeastern’s students and alumni are there to safeguard us in the future.”