Despite significant progress in software-engineering practices, most software products remain insecure. At the same time, the consumer and business information handled by these software products is growing in importance and monetization potential, which triggers significant privacy and security concerns. In response to these challenges, companies are increasingly harvesting the effort and knowledge of external (ethical) security researchers through bug-bounty programs. These programs allow security researchers, so-called white hats, to evaluate the security of a software or service within a set of predefined rules. White hats are encouraged to submit reports of potential vulnerabilities, which will be rewarded by the company after validation. The benefits of these programs are at least twofold. First, the companies’ products are examined by the large and diverse population of white hats, which would be prohibitively expensive to employ directly. Second, the public nature of the majority of these programs can signal to third parties that the company is committed towards continual security improvements.
However, this public nature also poses a challenge since virtually anyone can participate, and companies may be overwhelmed by myriads of low-value reports. In fact, bug-bounty platforms acknowledge that the key challenge “companies face in running a public program at scale is managing noise, or the proportion of low-value reports they receive.” These low-value reports include both invalid reports (i.e., non-existing or out-of-scope vulnerabilities) and duplicates (i.e., vulnerabilities that have already been reported), and they often stem from misaligned incentives and misallocation of effort.
Our goal is to improve the efficiency of bug-bounty programs. In this project,
Due to rapid growth in renewable energy resources and improvements in battery technology, power grids are undergoing major changes, which create significant management and control challenges. To tackle these challenges, decentralized solutions are needed, which can support the evolution of electrical power distribution systems. Transactive energy is a decentralized solution for dynamically balancing demand and supply, in which consumers, prosumers (i.e., consumers with energy storage or generation capabilities), providers, etc. can trade energy in an open market.
However, transactive energy solutions must also satisfy security, safety, and privacy requirements, which often seem to contradict each other. For example, to provide safety, detailed energy consumption and production information might need to be disseminated, but this threatens the privacy of prosumers. As another example, the complex and computationally expensive solutions required to provide security might not abide the real-time constraints of power systems.
In this project, we create a transactive energy system based on blockchain technology, using the distributed ledger provided by a blockchain to implement an energy trading platform. We develop protocols, smart contracts, middleware, and control algorithms to provide security, safety, and privacy for transactive energy.Publications:
As cyber-physical systems become more prevalent, ensuring that they are resilient to cyber-attacks becomes a critical issue. For instance, cyber-physical attacks against smart water and transportation networks can pose a serious threat to public health and safety. Owing to the severity of these threats, a variety of techniques have been proposed for improving the resilience of a cyber-physical system, such as deploying redundant components and intrusion detection systems.
In this project, we explore a synergistic approach that combines multiple techniques in order to provide resilience against cyber-attacks. We study and model how the impact and feasibility of cyber-attacks depend on both the physical and cyber aspects of a system. Based on these models, we provide novel results on how to combine multiple techniques for improving resilience, considering static, dynamic, and adaptive defenses.Publications:
The evolution of traffic control from standalone hardware devices to complex networked systems has provided society with many benefits, such as reducing wasted time and environmental impact. However, it has also exposed transportation networks to cyber-attacks. While traditional hardware systems were susceptible only to attacks based on direct physical access, modern systems are vulnerable to attacks through wireless interfaces or even to remote attacks through the Internet.
In this project,