Usable Security and Privacy, Human-Computer Interaction
Exploring Security and Privacy Issues in Online Social Networks through Studying Users' Security Perceptions & Browsing Behavior
Publications: ConPro 2018, IEEE S&P (Poster Session)
Facebook, the largest social networking site (SNS) with over one billion active monthly users, has been woven into the everyday life of many people. While this platform has drastically improved how we interact with one another, it has also opened up a multitude of security and privacy issues. In this project, we aim to understand how users react and decide whether to click when they encounter SNS posts with links, including possibly suspicious links. The findings from our research will lead to design and implement effective visual warning systems for suspicious posts to protect users from social engineering attacks on SNS.
Studying Journalists to Identify Requirements for Usable, Secure, and Trustworthy Communication
As digital communication technologies improve, they help journalists perform an array of activities more quickly and effectively, however, also put them at the risk of cyberattacks. In this collaborative project among Clemson University, University of Washington, and Columbia University, we aim to understand the challenges in secure communication between journalists and sources, and leverage that knowledge to design usable and secure tools for journalism profession, with a broader goal of extending these tools to other professions (e.g., lawyers, doctors) as well.
The Impact of Cues and User Interaction on the Memorability of System-Assigned Passwords
Publications: WIPS 2017, USEC 2017, ESORICS 2015, SOUPS 2015, CHI 2015
The goal of this project is to design a secure and memorable password scheme for online user authentication. Traditional user-chosen passwords are vulnerable to online guessing attacks. System-assigned random passwords are more secure but suffer from poor memorability. To address this usability-security tension, we propose a novel cued-recognition authentication scheme, which provides users with memory cues to learn system-assigned keywords. In our studies, we examine the impact of different types of memory cues, e.g., graphical, verbal, and spatial cues, and employing user interaction. The results show that verbal cues (i.e., real-life facts corresponding to assigned keywords) and user interaction play a significant role to gain high memorability for system-assigned random passwords.
A Comprehensive Study of the GeoPass User Authentication Scheme
Publication: Interacting with Computers, USEC 2015: NDSS Workshop
Password schemes based on selecting locations in an online map are an emerging topic in user authentication research. GeoPass is the most promising such scheme, as it provides satisfactory resilience against online guessing and showed high memorability in the preliminary lab study. In this project, we performed three separate user studies, e.g., a real-world field study and two multiple-password interference studies to understand the potentials of GeoPass. The single-password field study showed promise for GeoPass in a real-life scenario, however, the memorability for GeoPass was not satisfactory in the first multiple-password study. To overcome this issue, we design and evaluate a novel mental story based approach, which contributes to gain a significant improvement in memorability in the second multiple-password study on GeoPass.
Designing Secure and Memorable Two-factor Authentication Scheme
Publications: Information & Computer Security
Traditional textual passwords alone are not adequate to provide security guarantees for online authentication, because of attacks like online guessing, phishing, shoulder surfing, and keylogger malware. Thus, it is now widely held that two-factor authentication should be implemented to provide a higher level of security. The Federal Financial Institutions Examination Council (FFIEC) has recommended two-factor authentication for consumer online banking services. In this project, we leverage users' autobiographical memory and different types of memory cues to design two-factor authentication schemes offering resilience to online guessing, shoulder-surfing, phishing, and keylogger malware with minimal costs in terms of memory burden, additional communication channel, and hardware requirement.
P2P Systems and Security
Persea: A Sybil-Resistant Social DHT
P2P systems are inherently vulnerable to Sybil attacks, in which an attacker creates a large number of identities and uses them to control a substantial fraction of the system. We propose Persea, a novel social network-based P2P system that derives its Sybil resistance by assigning IDs through a bootstrap tree, the graph of how nodes have joined the system through invitations. Unlike prior Sybil-resistant P2P systems based on social networks, Persea does not rely on the assumptions that have been shown to be unreliable in real social networks. In addition, Persea uses a replication mechanism in which each (key, value) pair is stored in nodes that are evenly spaced over the network. Thus, even if attackers occupy a given region, the desired (key, value) pair can be retrieved from other regions in the network. We evaluate Persea in analysis and in simulations with social network datasets and show that it provides better lookup success rates than prior work with modest overheads. We have also designed and evaluated an improved version of Persea, called iPersea.
ReDS: A Framework for Reputation-Enhanced DHTs
Distributed hash tables (DHTs), such as Chord and Kademlia, offer an efficient means to locate resources in peer-to-peer (P2P) networks. Unfortunately, malicious nodes on a lookup path can easily subvert such queries. Several systems, including Halo (based on Chord) and Kad (based on Kademlia), mitigate such attacks by using redundant lookup queries. Much greater assurance can be provided; we design Reputation for Directory Services (ReDS), a reputation-based framework for improving the resilience of searches against malicious nodes in deterministic and nondeterministic DHTs. Through extensive simulations, we demonstrate that ReDS significantly improves lookup success rates for Halo and Kad over a wide range of conditions, even against strategic attackers.
Anonymity and Privacy
SDA-2H: Understanding the Value of Background Cover Against Statistical Disclosure
The statistical disclosure attack (SDA) is an effective method for compromising the anonymity of users in a mix-based system. In this project, we develop SDA-2H, an extension to SDA. We specifically use SDA-2H as a tool to measure the previously unknown effects of background cover on the anonymity of mix-based systems. Our study quantifies the importance of background cover traffic, which we show in simulation to be effective in various scenarios. Using the information gleaned from these experiments, coupled together with a greater understanding of mixes, we can be one step closer to obtaining the ideal form of anonymous communication, one that is insusceptible to any attack.
Other Projects [Algorithm and Computation, E-Commerce, Software Engineering, Wireless Sensor Networks]
Time and space efficient algorithm for consumer's priority product management
Publication: ICCIT 2012
In this competitive free-market economy, consumers' priority product management is a candidate for high degree of attention. We leverage the concept of balanced binary search tree to design an efficient algorithm for consumers' priority product management. Our algorithm is simulated for one million test cases, where it shows satisfactory performance in terms of time and space complexity.
Making Findbugs more Powerful
Publication: ICSESS 2011
Findbugs is a widely used bug-finding tool, which supports plug-in architecture in Java platform for adding new bug detectors. In this project, we design bug detectors to detect different bug patterns that could not be detected by the existing Findbugs tool. The effectiveness of our new bug detectors is tested with a number of popular applications.
The Mechanisms to Ensure Maximum Connectivity and Data Transmission in Wireless Sensor Networks
Publications: ICST 2008
In this project, we design a novel topology discovery algorithm for efficient data dissemination and aggregation in sensor networks, with an efficacious fault tolerance mechanism ensuring maximum connectivity among operational nodes at the failure of a node.