To Catch A Threat

By Kim Horner

To thwart criminal activity in the digital age, cybersecurity experts must think like the bad guys. UT Dallas researchers are on the case.

The threat of catastrophic cyberattacks looms larger than ever, as recent strikes have disrupted the fuel supply, temporarily halted various business, government and hospital operations, and attempted to poison a Florida town’s drinking water.

The risk has risen as organizations’ computer networks can be accessed remotely. In just the past two years, attacks on Colonial Pipeline Co., which operates the largest fuel pipeline in the U.S.; on information technology provider Kaseya; on the Washington, D.C., Metropolitan Police Department; and on a water treatment plant in Oldsmar, Florida, have demonstrated the potential for serious damage.

“We haven’t seen even one-hundredth of the problem. These attacks are causing a lot of difficulties, but it’s going to get worse and worse and worse,” said Dr. Bhavani Thuraisingham, professor of computer science and the Founders Chair in Engineering and Computer Science at The University of Texas at Dallas. She is recognized nationally as one of the country’s leading cybersecurity experts.

“The challenge we have now is that almost everything that has a microprocessor – whether we’re talking about autonomous vehicles or drones or everyday items in our homes – could be attacked, and there could be some very serious consequences,” said Thuraisingham, founding executive director from 2004 until last year and currently senior strategist for the Cyber Security Research and Education Institute (CSI) in the Erik Jonsson School of Engineering and Computer Science (ECS).

With a steady stream of new technologies that bring the potential for unprecedented kinds of attacks, cybersecurity is a field of constant change. Cybersecurity experts are forced to think like criminals to anticipate and figure out how to detect the countless ways that attackers could gain access. Crooks, however, only need to find one flaw to infiltrate an entire system. In the case of Colonial Pipeline, a single compromised password resulted in fuel shortages along the East Coast.

“Hackers get more and more sophisticated, and they only have to find one vulnerability to be successful,” Thuraisingham said. “We have to find 100% of those cracks.”

UT Dallas cybersecurity experts are developing creative ways to prevent, detect and stop the ever-evolving range of breaches through research supported by government agencies including the National Science Foundation (NSF), National Institutes of Health, National Security Agency (NSA), Air Force Office of Scientific Research, Office of Naval Research and the Army Research Office. The University’s cybersecurity program reaches beyond computer science as researchers collaborate with faculty from the Department of Electrical and Computer Engineering, the Naveen Jindal School of Management, and the schools of Economic, Political and Policy Sciences (EPPS) and Behavioral and Brain Sciences, as well as with colleagues at other academic institutions. For example, UT Dallas researchers have developed novel techniques based on machine learning to protect data and users’ privacy, detect intrusions, and deceive online intruders in order to learn from their tactics.

In 2015 UT Dallas became the first university in Texas to receive the NSA’s prestigious designation as a National Center of Academic Excellence in Cyber Operations. In 2020 the University joined five other national universities in an NSF-sponsored research center dedicated to industry-focused projects aimed at protecting the security of microchips and other hardware that can be especially vulnerable to attack.

But research alone is not enough. From high school cybersecurity camps to graduate degree programs, UT Dallas faculty members also provide educational and training programs that help fill a critical shortage of cybersecurity professionals worldwide.

A Changing Game

Cybersecurity has evolved over the years from focusing on blocking digital intruders from a main entry point to tracking their movements throughout a computer network if they break past security measures, said Dr. Kangkook Jee, assistant professor of computer science.

“The game is changing right now,” he said. “You can’t just have a lock on the front door. You need security cameras inside the house.”

New threats continue to emerge. The increase in the number of people working from home due to the COVID-19 pandemic opened an untapped entry point for attackers, exposing weak security measures in some entities. While all types of cyberattacks were up in 2020 and 2021, ransomware attacks made the biggest headlines.

In a ransomware attack, criminals seize sensitive data and hold it hostage for payments that have reached tens of millions of dollars. Companies are warned that their sensitive information will be exposed if they do not pay. One of the primary ways the culprits gain access to an organization’s network is through a phishing email that deploys malware to encrypt servers.

“Once an attacker breaks into your system, they have access to everything in it,” Thuraisingham said. “They can do more than steal your data; they can encrypt all your data and files, destroy your system, and make it inaccessible without paying the ransom. It’s like someone breaking into a house and stealing jewelry but then kidnapping a child and demanding a ransom.”

As the use of electronic devices grows, their components also have become increasingly vulnerable to malicious tampering and counterfeiting.

“Suppose a bad actor replaces a chip during a service or upgrade at a power plant, enabling capabilities that can cause the power distribution network to fail,” said Dr. Yiorgos Makris, professor of electrical and computer engineering. “Semiconductor tampering also has implications for consumer electronics, such as wireless communication devices, where private data may be leaked by untrusted chips, or the automotive industry, where safety may be compromised by counterfeit parts.”

To address this risk, UT Dallas, along with five other universities, in 2020 established the Center for Hardware and Embedded Systems Security and Trust (CHEST), a new research initiative focused on protecting the security of semiconductors, the circuit boards they are mounted on and other computer hardware. Led by the University of Cincinnati, CHEST also involves Northeastern University; University of California, Davis; University of Connecticut; and the University of Virginia.

CHEST is an NSF Industry-University Cooperative Research Center that serves as a hub for industry-focused research and currently comprises 23 members across industry and governmental laboratories.

Outsmarting Cyber Spies

As the Internet of Things – the vast network of connected devices, from smartwatches to home security systems – rapidly grows, so too does the potential for criminals to use the technology to spy, cause physical harm, or steal information for financial gain or to use as blackmail.

The complex network of computing devices that are connected by software and sensors nearly doubled to more than 38 billion from 2018 to 2020, according to Juniper Research. The firm, which provides research and analysis to the global high-tech communications sector, predicts that by 2024 that number will surpass 83 billion.

In a study published in the September-October 2019 issue of the journal IEEE Security & Privacy, UT Dallas researchers tested home security systems, drones and children’s smart toys to demonstrate just a few of the many ways common personal devices can be hacked. The team found several different types of vulnerabilities, which they reported to the manufacturers. One of the most eye-opening examples involved a children’s toy. The stuffed animal contained a microphone through which an attacker could inject audio into the device and have conversations with the child, perhaps even telling the child to open the door to the home.

Mobile apps pose another type of threat, making it possible for criminals to determine a person’s location and other personal information.

“When you download an app, it can access a lot of information on your cellphone,” said Dr. Kanad Basu, assistant professor of electrical and computer engineering. “You have to keep in mind that all this info can be collected by these apps and sent to third parties. What do they do with it? They can pretty much do anything. We should be careful about this.”

This personally identifiable information can include names, email addresses, phone numbers, location, and audio and visual recordings. It also can include unique identifiers for devices such as an international mobile equipment identity, media access control addresses, Android ID and Advertising ID, which allows software developers to collect information on users’ interests and sell it to advertisers.

In a study published March 27, 2020, in IEEE Transactions on Information Forensics and Security, Basu and fellow researchers found that 72 out of 100 children’s mobile apps violated the Children’s Online Privacy Protection Act, making it easy for a hacker to determine a child’s identity and location. He and fellow researchers are developing a tool that can determine whether an Android game or other mobile app complies with the legislation.

Countering Attacks on Artificial Intelligence

The increasing use of artificial intelligence (AI) poses new types of security risks as well. Massive amounts of data are used to train the software that controls autonomous vehicles and other AI systems. Machine learning, an AI technique, involves feeding millions of real-life examples into a computer to teach a self-driving car, for example, how to respond to a stop sign. A subset of machine learning, called deep learning, analyzes layers of information, paving the way for AI to perform tasks such as evaluating mammograms to flag tumors. But what if online vandals access and tamper with the data?

“Artificial intelligence is affecting every aspect of our lives, from health care to finance to driving to managing the home,” Thuraisingham said. “Sophisticated machine-learning techniques with a focus on deep learning are being applied successfully to detect cancer, to make the best choices for investments and to determine the most suitable routes for driving, as well as efficiently managing the electricity in our homes.”

The threat of attacks on AI systems has fueled one of the hottest areas of cybersecurity research.

“If AI systems are attacked, there are going to be all kinds of crazy repercussions,” Thuraisingham said. “Imagine financial organizations that depend on AI giving you messed up results and advice, or a medical provider giving the wrong diagnosis.”

Current driver-assist technology also could be vulnerable. Consider the sensors used to alert drivers when it is unsafe to change lanes.

“What if it doesn’t detect another vehicle, and the driver thinks it’s safe to change lanes?” she asked.

Dr. Murat Kantarcioglu, Ashbel Smith Professor of computer science, works on technology to make machine learning more resistant to attacks.

“There is an increase in machine learning and AI techniques used for automating decisions and making predictions,” Kantarcioglu said. “We are looking at how these techniques can be attacked and also how we can make machine-learning models more robust against those attacks.”

Kantarcioglu’s research also involves protecting the massive amounts of data collected and stored online. In 2014 he and his colleagues won a Homer R. Warner Award from the American Medical Informatics Association for creating a tool that uses cryptography techniques to protect patient records in hospital databases.

In another area of research, Dr. Justin Ruths, assistant professor of mechanical engineering, is developing technology to detect cyberattacks on physical plants or operations. The method involves building predictions about how a system should work and creating an alert system when things don’t go as expected.

“If you can make a good prediction, then you can ask, ‘Is my observation roughly equivalent to my prediction?’ If those things are very different, that’s the kind of tool we use to detect anomalies,” he said.

Crook Sourcing

While the growing use of AI poses ever-changing cybersecurity threats, the technology also brings new ways to detect, disable and even learn from attacks.

A team of researchers, including Dr. Kevin Hamlen, the Louis Beecherl Jr. Distinguished Professor of computer science, and Dr. Latifur Khan, professor of computer science, developed a cyberthreat detection system that uses AI to fight attacks. The method, called DEEP-Dig (DEcEPtion DIGging), ushers intruders into a decoy website so the computer can learn from hackers’ tactics. The information is then used to train the computer to recognize and stop future attacks.

DEEP-Dig advances a rapidly growing cybersecurity field known as deception technology, or “crook sourcing,” which involves setting traps for hackers. Researchers hope that the approach can be especially useful for defense organizations.

“There are criminals trying to attack our networks all the time, and normally we view that as a negative thing,” said Hamlen, who succeeded Thuraisingham as CSI executive director. “Instead of blocking them, maybe what we could be doing is viewing these attackers as a source of free labor. They’re providing us data about what malicious attacks look like. It’s a free source of highly prized data.”

Training the Next Generation

The high demand for cybersecurity experts has created excellent job prospects for students who want to enter the field.

According to a 2019 study by (ISC)², an international nonprofit group of certified cybersecurity professionals, the U.S. cybersecurity workforce numbers around 800,000, but there’s a shortage of nearly 500,000 skilled professionals. Sixty-five percent of organizations in the study reported a shortage of skilled staff.

UT Dallas’ Department of Computer Science has long recognized this need and actively targets teens interested in the field through its summer Cyber Defense Camps for high school and advanced middle school students. These camps enable the students to pass industry certification exams.

Additionally, CSI leaders are committed to broadening the field to include more women, who make up 24% of the cybersecurity workforce, through initiatives like the Center for Engaging Women in Cyber Security, which was conceived after the University hosted the 2016 Women in Cybersecurity Conference.

Another way UT Dallas is meeting the need for cybersecurity experts is by offering scholarships to qualified master’s students through the NSF-funded program CyberCorps: Scholarship for Service (SFS). The program pays qualified students’ tuition and fees, and provides a stipend of up to $34,000 per academic year. Recipients must agree to work after graduation for a federal, state or local government entity for a period equal to the length of the scholarship. The Jonsson School has been participating in the SFS grant program since 2010. Most recently, in 2019, the school received a $4 million grant to support some 24 students through 2024.

“The SFS program at UT Dallas is structured to provide students with strong technical education and professional training opportunities to start strong in their professional careers in cybersecurity after graduation,” said Dr. Kamil Sarac, professor of computer science, director of cyber security education programs in ECS and co-principal investigator on the grant.

Alumni have gone on to work for the Department of Defense (DOD), as well as Amazon, Meta (formerly Facebook) and Procter & Gamble Co. And they’re serving with distinction: In 2019, Ryan Burchfield BS’06, MS’09, who works for the DOD, received a Presidential Early Career Award for Scientists and Engineers, the U.S. government’s highest honor for scientists and engineers at the beginning of their research careers.

The University also recently added a Master of Science in cybersecurity, technology and policy through EPPS in partnership with the Department of Computer Science. The interdisciplinary degree is designed to teach students how to ascertain the risk of a cyberattack, identify security gaps in different policy settings and work within a regulatory framework. It provides an opportunity for both students with prior computer science experience and those coming from nontechnical backgrounds to learn strategic, policy and analytic aspects of cybersecurity.

Know Your Risks

While ransomware and other attacks have increased in recent years, experts are concerned that public awareness of cybersecurity risks has not kept pace.

“A problem in our society is that we’re using the internet, but we are not aware of what this means in terms of privacy,” Basu said. “Few of us care about privacy, although we should.”

One of the biggest mistakes is for individuals to assume they are not at risk, said Lucas Castro BS’19, MS’20, an SFS scholarship recipient who is now a cybersecurity engineer at MITRE. He said many people believe they have nothing on their computer worth stealing. Even if that were true, however, their computer could be hijacked as part of a distributed denial-of-service attack. In this type of attack, criminals access a large number of personal computers, gaining computing power for a targeted assault against a business that makes it impossible for anyone to access the company’s website.

“Even if you don’t get hacked, your device could be used as a zombie computer in a botnet attack,” Castro said. “They don’t want your data; they just want your computing power. There’s always something criminals can get out of taking control of your machine.

“Your stuff is not nearly as secure as you want to believe it is.”