Relevant Degree Programs
Complete these steps before you reach out to a faculty member!
- Familiarize yourself with program requirements. You want to learn as much as possible from the information available to you before you reach out to a faculty member. Be sure to visit the graduate degree program listing and program-specific websites.
- Check whether the program requires you to seek commitment from a supervisor prior to submitting an application. For some programs this is an essential step while others match successful applicants with faculty members within the first year of study. This is either indicated in the program profile under "Requirements" or on the program website.
- Identify specific faculty members who are conducting research in your specific area of interest.
- Establish that your research interests align with the faculty member’s research interests.
- Read up on the faculty members in the program and the research being conducted in the department.
- Familiarize yourself with their work, read their recent publications and past theses/dissertations that they supervised. Be certain that their research is indeed what you are hoping to study.
- Compose an error-free and grammatically correct email addressed to your specifically targeted faculty member, and remember to use their correct titles.
- Do not send non-specific, mass emails to everyone in the department hoping for a match.
- Address the faculty members by name. Your contact should be genuine rather than generic.
- Include a brief outline of your academic background, why you are interested in working with the faculty member, and what experience you could bring to the department. The supervision enquiry form guides you with targeted questions. Ensure to craft compelling answers to these questions.
- Highlight your achievements and why you are a top student. Faculty members receive dozens of requests from prospective students and you may have less than 30 seconds to peek someone’s interest.
- Demonstrate that you are familiar with their research:
- Convey the specific ways you are a good fit for the program.
- Convey the specific ways the program/lab/faculty member is a good fit for the research you are interested in/already conducting.
- Be enthusiastic, but don’t overdo it.
G+PS regularly provides virtual sessions that focus on admission requirements and procedures and tips how to improve your application.
Security and privacy for mobile devices, privacy for online teenagers, enterprise security and privacy.
Graduate Student Supervision
Doctoral Student Supervision (Jan 2008 - Mar 2019)
With almost two billion users worldwide, smartphones are used for almost everything – booking a hotel, ordering a cup of coffee, or paying in a shop. However, small size and high mobility makes these devices prone to theft and loss. In this work we aim to broaden our understanding of how smartphone users and application developers protect sensitive data on smartphones.To understand how well users are protecting their data in smartphones, we conductedseveral studies. The results revealed that 50% of the subjects locked theirsmartphone with an unlocking secret and 95% of them chose unlocking secretsthat could be guessed within minutes.To understand how well application developers protect sensitive data in smartphones,we analyzed 132K Android applications. We focused on identifying misuseof cryptography in applications and libraries. The study results revealed thatdevelopers often misuse cryptographic API. In fact, 9 out of 10 Android applicationscontained code that used a symmetric cipher with a static encryption key.Further, source attribution revealed that libraries are the main consumer of cryptographyand the major contributor of misuse cases. Finally, an in-depth analysisof the top libraries highlighted the need for improvement in the way we define anddetect misuse of cryptography.Based on these results we designed and evaluated a system for encryptionkeys management that uses wearable devices as an additional source of entropy.Evaluation results showed that the proposal introduces insignificant overhead inpower consumption and latency.
Despite corporate cyber intrusions attracting all the attention, privacy breaches that we, as ordinary users, should be worried about occur every day without any scrutiny. Smartphones, a household item, have inadvertently become a major enabler of privacy breaches. Smartphone platforms use permission systems to regulate access to sensitive resources. These permission systems, however, lack the ability to understand users' privacy expectations leaving a significant gap between how permission models behave and how users would want the platform to protect their sensitive data.This dissertation provides an in-depth analysis of how users make privacy decisions in the context of Smartphones and how platforms can accommodate user's privacy requirements systematically. We first performed a 36-person field study to quantify how often applications access protected resources when users are not expecting it. We found that when the application requesting the permission is running invisibly to the user, they are more likely to deny applications access to protected resources. At least 80% of our participants would have preferred to prevent at least one permission request. To explore the feasibility of predicting user's privacy decisions based on their past decisions, we performed a longitudinal 131-person field study. Based on the data, we built a classifier to make privacy decisions on the user's behalf by detecting when the context has changed and inferring privacy preferences based on the user's past decisions. We showed that our approach can accurately predict users' privacy decisions 96.8% of the time, which is an 80% reduction in error rate compared to current systems.Based on these findings, we developed a custom Android version with a contextually aware permission model. The new model guards resources based on user's past decisions under similar contextual circumstances. We performed a 38-person field study to measure the efficiency and usability of the new permission model. Based on exit interviews and 5M data points, we found thatthe new system is effective in reducing the potential violations by 75%. Despite being significantly more restrictive over the default permission systems, participants did not find the new model to cause any usability issues in terms of application functionality.
The open nature of the Web, online social networks (OSNs) in particular, makes it possible to design socialbots—automationsoftware that controls fake accounts in a target OSN, and has the ability to perform basic activities similar to those of real users. In the wrong hands, socialbots can be used to infiltrate online communities, build up trust over time, and then engage in various malicious activities.This dissertation presents an in-depth security analysis of malicious socialbots on the Web, OSNs in particular. The analysis focuses on two main goals: (1) to characterize and analyze the vulnerability of OSNs to cyber attacks by malicious socialbots, social infiltration in particular, and (2) to design and evaluate a countermeasure to efficiently and effectively defend against socialbots.To achieve these goals, we first studied social infiltration as an organized campaign operated by a socialbot network (SbN)—a group of programmable socialbots that are coordinated by an attacker in a botnet-like fashion. We implemented a prototypical SbN consisting of 100 socialbots and operated it on Facebook for 8 weeks. Among various findings, we observed that some users are more likely to become victims than others, depending on factors related to their social structure. Moreover, we found that traditional OSN defenses are not effective at identifying automated fake accounts or their social infiltration campaigns.Based on these findings, we designed Íntegro—an infiltration-resilient defense system that helps OSNs detect automated fake accounts via a user ranking scheme. In particular, Íntegro relies on a novel approach that leverages victim classification for robust graph-based fake account detection, with provable security guarantees. We implemented Íntegro on top of widely-used, open-source distributed systems, in which it scaled nearly linearly. We evaluated Íntegro against SybilRank—the state-of-the-art in graph-based fake account detection—using real-world datasets and a large-scale, production-class deployment at Tuenti, the largest OSN in Spain with more than 15 million users. We showed that Íntegro significantly outperforms SybilRank in ranking quality, allowing Tuenti to detect at least 10 times more fake accounts than their current abuse detection system.
IT security management (ITSM) technologies are important components of IT security in organizations. But there has been little research on how ITSM technologies should incorporate human and social issues into their design. Identity and Access Management (IAM) systems, as an important category of ITSM, share such a gap with other ITSM technologies. The overreaching goal of this research is to narrow the gap between IAM technologies and social context. In the first phase, we developed a set of usability guidelines, and heuristics for design and usability evaluation of ITSM tools. We gathered recommendations related to ITSM tools from the literature, and categorized them into a set of 19 high-level guidelines that can be used by ITSM tool designers. We then used a methodical approach to create seven heuristics for usability evaluation of ITSM tools and named them ITSM heuristics. With a between-subjects study, we compared the usage of the ITSM and Nielsen's heuristics for evaluation of a commercial IAM system. The results confirmed the effectiveness of ITSM heuristics, as participants who used the ITSM heuristics found more problems categorized as severe than those who used Nielsen's. In the second phase, we conducted a field-study of 19 security practitioners to understand how they do IAM and identify the challenges they face. We used a grounded theory approach to collect and analyze data and developed a model of IAM activities and challenges. Built on the model, we proposed a list of recommendations for improving technology or practice. In the third phase, we narrowed down our focus to a specific IAM related activity, access review. We expanded our understanding of access review by further analysis of the interviews, and by conducting a survey of 49 security practitioners. Then, we used a usability engineering process to design AuthzMap, a novel user-interface for reviewing access policies in organizations. We conducted a user study with 430 participants to compare the use of AuthzMap with two existing access review systems. The results show AuthzMap improved the efficiency in five of the seven tested tasks, and improved accuracy in one of them.
OpenID and OAuth are open and lightweight web single sign-on (SSO) protocols that have been adopted by high-profile identity providers (IdPs), such as Facebook, Google, Microsoft, and Yahoo, and millions of relying party (RP) websites. However, the average users' perceptions of web SSO and the systems' security guarantee are still poorly understood. Aimed at filling these knowledge gaps, we conducted several studies to further the understanding and improvements of the usability and security of these two mainstream web SSO solutions. First, through several in-lab user studies, we investigated users' perceptions and concerns when using web SSO for authentication. We found that our participants had several misconceptions and concerns that impeded their adoption. This ranged from their inadequate mental models of web SSO, to their concerns about personal data exposure, and a reduction in their perceived web SSO value due to the employment of password management practices. Informed by our findings, we offered a web SSO technology acceptance model, and suggested design improvements. Second, we performed a systematic analysis of the OpenID 2.0 protocol using both formal model checking and an empirical evaluation of 132 popular RP websites. The formal analysis identified three weaknesses in the protocol, and based on the attack traces from the model checking engine, six exploits and a semi-automated vulnerability assessment tool were designed to evaluate how prevalent those weaknesses are in the real-world implementations. Two practical countermeasures were proposed and evaluated to strengthen the uncovered weaknesses in the protocol. Third, we examined the OAuth 2.0 implementations of three major IdPs and 96 popular RP websites. By analyzing browser-relayed messages during SSO, our study uncovered several vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph on IdPs, and impersonate the victim on RP websites. We investigated the fundamental causes of these vulnerabilities, and proposed several simple and practical design improvements that can be adopted gradually by individual sites. In addition, we proposed and evaluated an approach for websites to prevent SQL injection attacks, and a user-centric access-control scheme that leverage the OpenID and OAuth protocols.
Authorization protects application resources by allowing only authorized entities to access them. Existing authorization solutions are widely based on the request-response model, where a policy enforcement point intercepts application requests, obtains authorization decisions from a remote policy decision point, and enforces those decisions. This model enables sharing the decision point as an authorization service across multiple applications. But, with many requests and resources, using a remote shared decision point leads to increased latency and presents the risk of introducing a bottleneck and/or a single point of failure. This dissertation presents three approaches to addressing these problems.The first approach introduces and evaluates the mechanisms for authorization recycling in role-based access control systems. The algorithms that support these mechanisms allow a local secondary decision point to not only reuse previously-cached decisions but also infer new and correct decisions based on two simple rules, thereby masking possible failures of the central authorization service and reducing the network delays. Our evaluation results suggest that authorization recycling improves the availability and performance of distributed access control solutions.The second approach explores a cooperative authorization recycling system, where each secondary decision point shares its ability to make decisions with others through a discovery service. Our system does not require cooperating secondary decision points to trust each other. To maintain cache consistency at multiple secondary decision points, we propose alternative mechanisms for propagating update messages. Our evaluation results suggest that cooperation further improves the availability and performance of authorization infrastructures.The third approach examines the use of a publish-subscribe channel for delivering authorization requests and responses between policy decision points and enforcement points. By removing enforcement points' dependence on a particular decision point, this approach helps improve system availability, which is confirmed by our analytical analysis, and reduce system administration/development overhead. We also propose several subscription schemes for different deployment environments and study them using a prototype system.We finally show that combining these three approaches can further improve the authorization system availability and performance, for example, by achieving a unified cooperation framework and using speculative authorizations.
Master's Student Supervision (2010-2017)
Motivated by the two-way benefits, people have used a variety of web-based services to share health information (HI) online. Among these services, Facebook, which enjoys the largest population of active subscribers, has become a common place for sharing various types of HI. At the same time, Facebook was shown to be vulnerable to various attacks, resulting in unintended information disclosure, privacy invasion, and information misuse. As such, Facebook users face the dilemma of benefiting from HI sharing and risking their privacy.In this work, we investigate HI sharing practices, preferences, and risk perceptions among Facebook users. Our exploration focused on two main goals: (1) to identify the key factors that influenced users’ motivation to share HI on Facebook, and (2) to highlight a number of features that could motivate people toward engaging in effective HI sharing on Facebook.To achieve these goals, we first surveyed 166 active Facebook users about their HI sharing practices and risk perceptions. We quantified HI sharing practices and confirmed that it has become a common practice among users. Moreover, we found that the type of the shared HI and its recipients, can highly influence users’ perceived privacy risks when sharing HI. Following our preliminary survey, we interviewed 21 participants with chronic health conditions to identify the key factors that influence users’ motivation to share HI on Facebook. Then, we conducted an online survey with 492 Facebook users in order to validate, refine, and extend our findings.The results suggest that the gained benefits from prior HI sharing experiences, and users’ overall attitudes toward privacy, correlate with their motivation to disclose HI. Furthermore, we identify other factors, specifically users’ perceived health and the audience of the shared HI, that appear to be linked with users’ motivation to share HI. Finally, we suggest design improvements— such as anonymous identity as well as search and recommendation features— for facilitating HI sharing on Facebook and similar sites.
Accepting friend requests from strangers in Facebook-like online social networksis known to be a risky behavior. Still, empirical evidence suggests that Facebookusers often accept such requests with high rate. As a first step towards technologysupport of users in their decisions about friend requests, we investigate why usersaccept such requests. We conducted two studies of users’ befriending behavior onFacebook. Based on 20 interviews with active Facebook users, we developed afriend request acceptance model that explains how various factors influence useracceptance behavior. To test and refine our model, we also conducted a quantitativestudy with 397 participants using Amazon Mechanical Turk. We found thatfour factors significantly impact the receiver’s decision towards requests sent fromstrangers, namely, knowing the requester’s in real world, having common hobbiesor interests, having mutual friends, and the closeness of mutual friends. Based onour findings, we offer design recommendations for improving the usability of thecorresponding user interfaces in order to help users make more informed decisions.
Passwords are the main means of authenticating users in most systems today. However, they have been identified as a weak link to the overall security of many systems and much research has been done in order to enhance their security and usability. Although, many schemes have been proposed, users still find it challenging to keep up with password best practices. Our current work is based on recent research indicating that social navigation can be used to guide users to safer, more secure practices regarding computer security and privacy. Our goal is the evaluation of a novel concept for a proactive password checking mechanism that analyzes and presents to users, information about their peer's password strength. Our proposed proactive password feedback mechanism is an effort to guide users in creating better passwords by relating their password strength to that of other system users. We hypothesized that this would enable users to have a better understanding of their password's strength in regards to the system at hand and its users' expectations in terms of account security. We evaluated our mechanism with two between-subjects laboratory studies, embedding our proactive password checking scheme in the Campus Wide Login (CWL) mechanism for changing an account's password. In our study, we compared the password entropy of participants assigned to our proposed mechanism to this of participants assigned to the current CWL implementation (no feedback) as well as to the traditional horizontal bar, employed by many web sites, which provides feedback in the form of absolute password strength characterization. Our results revealed significant effect on improving password strength between our motivator and the control condition as well as between the group using the existing motivator and the control group. Although, we found a difference between the no feedback condition and the two feedback conditions, we did not find any difference between feedback conditions (i.e., relative vs. absolute strength assessment). However, our results show that relating password strength to that of one's peers, while maintaining the standard visual cues, may yield certain advantages over lack of feedback or current practices.
The retrieval and analysis of malicious content is an essential task for security researchers. Security labs use automated HTTP clients known as client honeypots to visit hundreds of thousands of suspicious URLs daily. The dynamic nature of malware distribution networks necessitate periodic re-evaluation of a subset of the confirmed malicious sites, which introduces two problems: 1) the number of URLs requiring re-evaluation exhaust available resources, and 2) repeated evaluation exposes the system to adversarial blacklisting, which affects the accuracy of the content collected. To address these problems, I propose optimizations to the re-evaluation logic that reduce the number of re-evaluations while maintaining a constant sample discovery rate during URLs re-evaluation. I study these problems in two adversarial scenarios: 1) monitoring malware repositories where no provenance is available, and 2) monitoring Fake Anti-Virus (AV) distribution networks. I perform a study of the adversary by repeatedly content from the distribution networks. This reveals trends in the update patterns and lifetimes of the distribution sites and malicious executables. Using these observations I propose optimizations to reduce the amount of re-evaluations necessary to maintain a high malicious sample discovery rate. In the first scenario the proposed techniques, when evaluated versus a fixed interval scheduler, are shown to reduce the number of re-evaluations by 80-93% (assuming a re-evaluation interval of 1 hour to 1 day) with a corresponding impact on sample discovery rate of only 2-7% percent. In the second scenario, optimizations proposed are shown to reduce fetch volume by orders of magnitude and, more importantly, reduce the likelihood of blacklisting.During direct evaluation of malware repositories I observe multiple instances of blacklisting, but on the whole, less than 1% of the repositories studied show evidence of blacklisting. Fake AV distribution networks actively blacklist IPs; I encountered repeated occurrences of IP blacklisting while monitoring Fake AV distribution networks.
Even though personal firewalls are an important aspect of security for the users of personal computers, little attention has been given to their usability.An initial series of usability studies on the Windows Vista firewall that we performed revealed that the participants' lack of an accurate mental model about the firewall's system model significantly contributed to their errors when configuring the firewall.The goal of this thesis research was to build upon these findings and improve the usability of personal firewalls.To do so, we redesigned the user interface of the Vista firewall to more accurately reflect its system model.The results of a laboratory study showed that the modified interface design helped participants to develop more effective mental models of the firewall and improve their understanding of the firewall's configuration, resulted in fewer potentially dangerous errors.However, participants' comments about personal firewalls revealed that it was important to better understand the users' knowledge, expectations, perceptions, and misconceptions of personal firewalls in order to successfully manage design tradeoffs.We performed a follow-up study, where we conducted semi-structured interviews with a diverse set of participants. Through a qualitative analysis of the data, we found that most of the participants were unaware of the functionality of firewalls and their role in protecting computers. More interestingly, we found that the interaction of most participants with firewalls was limited to responding to warnings, which ask them to allow or block a connection. Therefore, it is crucial to design firewall warnings that are understandable for users, which should result in fewer errors in allowing unwanted connections.We proposed a novel firewall warning design in which the functionality of a personal firewall is visualized based on a physical security mental model. The results of a laboratory study showed that the new warnings facilitated the comprehension of warning information, better communicated the risk, and increased the likelihood of safe behavior compared to warnings based on those from a popular personal firewall. Moreover, the new warnings provided participants with a better understanding of both the functionality of a personal firewall and the consequences of their actions.
To better protect users from security incidents, the principle of least privilege (PLP) requires that users and programs be granted the most restrictive set of privileges possible to perform the required tasks. The low-privileged user accounts (LUA) and privilege elevation prompts are two practical implementations of PLP in the main-stream operating systems. However, there is anecdotal evidence suggesting that users do not employ these implementations correctly. Our research goal was to understand users' challenges and behavior in using these mechanisms and improve them so that average users of personal computers can follow the PLP correctly.For this purpose, we conducted a user study and contextual interviews to investigate the understanding, behavior, and challenges users face when working with user accounts and the privilege elevation prompts (called User Account Control (UAC) prompts) in Windows Vista and 7. We found that 69% of participants did not use and respond correctly to UAC prompts. Also, all our 45 participants used an admin user account, and 91% were not aware of the benefits of low-privileged user accounts or the risks of high-privileged ones. Their knowledge and experience were limited to the restricted rights of low-privileged accounts. Based on our findings, we offered recommendations to improve the UAC and LUA approaches.Since our study showed that users can benefit from UAC prompts, we investigated the information content for such prompts so that users can assess the risk of privilege elevation more accurately and consequently respond to the prompts correctly. We considered thirteen different information items for including on these prompts mostly based on the results of our first study. Our user study with 48 participants showed that program name, origin, description, digital certification, changes the program applies and the result of program scan by anti-virus are the most understandable, useful and preferred items for users. To avoid habituation, decrease cognitive load on users and improve users' response to the prompts, we recommend to employ a context-based UAC prompt which presents a subset of information items to users based on the context. A set of guidelines is provided for selecting the appropriate items in different contexts.
With the emergence of tighter corporate policies and government regulations, access control has become an integral part of business requirements in enterprises. The authorization process in enterprise systems follow the request-response model, where a policy enforcement point intercepts application requests, obtains authorization decisions from a remote policy decision point, and enforces those decisions. The two advantages of this model are (1) the separation between the application and authorization logic (2) reduction of authorization policy administration. However, the authorization process adds to the already existing latency for accessing resources, affecting enterprises negatively in terms of responsiveness of their systems. This dissertation presents an approach to reduce latency introduced by the authorization process.We present Speculative Authorization (SPAN), a prediction technique to address the problem of latency in enterprise authorization systems. SPAN predicts the possible future requests that could be made by a client, based on the present and past behavior of the client. Authorization decisions to the predicted requests are fetched even before the requests are made by the client, thus reducing the latency. SPAN is designed using a clustering technique that combines information about requests made by different clients in order to make predictions for a particular client. We present our results in terms of hit rate and precision, and demonstrate that SPAN improves the performance of authorization infrastructures. We also calculate the additional load incurred by the system to compute responses to the predicted requests, and provide measures to reduce the unnecessary load.Caching is a simple and inexpensive technique, popularly used to improve the latency of enterprise authorization systems. On the other hand, we have not seen any implementation of techniques like SPAN to reduce latency. To demonstrate the effectiveness of such techniques, we implement caching and SPAN in the same system, and show that combining the two techniques can further improve the performance of access control systems.
Recent Tri-Agency Grants
The following is a selection of grants for which the faculty member was principal investigator or co-investigator. Currently, the list only covers Canadian Tri-Agency grants from years 2013/14-2016/17 and excludes grants from any other agencies.
- Investigating Unlocking Behavior and Usage Patterns of Android Smartphone Users - Natural Sciences and Engineering Research Council of Canada (NSERC) - Engage Grants Program (2015/2016)
- Android OS integration with KeyVault framework - Natural Sciences and Engineering Research Council of Canada (NSERC) - Engage Plus Grants (2014/2015)
- Security & privacy support for teenagers in online social media - Natural Sciences and Engineering Research Council of Canada (NSERC) - Discovery Grants Program - Individual (2014/2015)
- Investigating improvements to identify management - Natural Sciences and Engineering Research Council of Canada (NSERC) - Collaborative Research and Development Grants - Project (2013/2014)
- Graphics, Animation and New Media (GRAND) NCE (Networking & Commercialization) - Graphics, Animation and New Media (GRAND) - Networks of Centres of Excellence (NCE) - Administration (2013/2014)
- Security Engineering for large-scale distributed software applications - Natural Sciences and Engineering Research Council of Canada (NSERC) - Discovery Grants Program - Individual (2013/2014)
- The internetworked systems security network: ISSNet - Natural Sciences and Engineering Research Council of Canada (NSERC) - Strategic Network Grant (2013/2014)