cryptography

Unlocking privacy with encrypted ingenuity: Security expert receives NSF CAREER award

Nathan Kahl — Mon, 27 Jan 2025 17:32:18 +0000

Unlocking privacy with encrypted ingenuity: Security expert receives NSF CAREER award Nathan Kahl Mon, 01/27/2025 - 12:32

Evgenios Kornaropoulos, an assistant professor in George Mason �鶹��’s Computer Science Department, focuses on computer security and applied cryptography, where he stays ahead of changes in the field. "The needs of everyday users have grown, and our technology's privacy expectations must advance accordingly,” he said. “We've moved beyond simply communicating sensitive data securely; now, we need technology capable of performing computations on sensitive data without compromising privacy.”

Evgenios Kornaropoulos. Photo provided

He recently received a National Science Foundation (NSF) CAREER award for $648,811 for his work on privacy and data security under the title “Encrypted Systems with Fine-Grained Leakage.”

The tension between the privacy of sensitive data and the functionality that users demand from their data is the focus of the NSF CAREER funding, and it has been among Kornaropoulos’ research areas for several years. He said, “The new technology that we are developing allows the user to never expose any information in the clear to the cloud while maintaining functionality. You want the cloud to do interesting computations for you without decrypting your information. If you don't decrypt, the cloud never gets to see what you are processing.”

When users store sensitive information, such as health records or financial data, with common cloud-based providers, the provider gains full access to the document's contents—essentially exposing the data in plain text to the cloud. A potential remedy is to encrypt the data before uploading it. However, this approach comes with a drawback: whenever users need to access or compute something from the encrypted data, they must download all the scrambled files locally and perform the computations on their own devices.

So how can the user still process the information but know that the cloud didn’t learn anything? “We believe that the answer is the notion of ‘cryptographic leakage’, he said. “The cloud provider still sees some accesses on encrypted data, that is, the leakage, but these observations are confusing. �鶹�� designs scale to today’s needs and come with provable guarantees that these observations cannot be meaningfully stitched together by the cloud provider to infer the sensitive data.”

Kornaropoulos said, “Searching on encrypted data is one of the biggest functionalities and we have a research thrust in which we will collaborate with industry leaders and local organizations on this problem. Specifically, we have an active collaboration with the Mason and Partners Clinics (interprofessional clinics which serve the uninsured and refugee community within Prince William and Fairfax counties in Northern Virginia) to explore the application scenarios of our technology to that setting.”

"Privacy-preserving data storage and data use is an important problem in computer security that is of critical interest to organizations that must trust their sensitive data to third-party data storage facilities," said Computer Science department chair David Rosenblum. "Evgenios is an internationally renowned leader in addressing this problem, and his NSF CAREER award will afford him the opportunity to explore novel solutions that balance strong security guarantees against practical needs for efficiency."

The NSF CAREER award is reserved for the nation’s most talented up-and-coming researchers. From the NSF website: “The Faculty Early Career Development (CAREER) Program offers NSF’s most prestigious award in support of early-career faculty who have the potential to serve as academic role models in research and education and to lead advances in the mission of their department or organization.”

The award is the most-recent of several distinctions Kornaropoulos has earned. He was elevated to IEEE Senior Member in 2024, his paper was among the finalists for the “Best Cryptographic Attack” category at Pwnie Awards 2024, and his latest work at the intersection of AI and security has gained significant media attention.

In This Story

Evgenios Kornaropoulos

Connect with the Department of Computer Science

Topics

National Science Foundation

Mason and Partners (MAP)

Podcast - EP 49: The metaverse, crypto, and the evolution of the internet

Damian Cristodero — Fri, 02 Jun 2023 17:37:33 +0000

Podcast - EP 49: The metaverse, crypto, and the evolution of the internet Damian Cristodero Fri, 06/02/2023 - 13:37

What exactly is the metaverse? Some say it is the future of the internet — a broad shift in how we interact with technology, including new and more ways to collaborate in virtual worlds.

Others say it creates even more infringements on privacy and creates chances for identity theft. Foteini Baldimtsi, an assistant professor in George Mason �鶹��’s Department of Computer Science, and James Casey, an associate professor in Mason’s Computer Game Design program, talk to Mason President Gregory Washington about what the metaverse is, and could be, and how the volatile world of cryptocurrency fits in.

Foteini Baldimsti and James Casey join Mason president Gregory Washington in the studio to discuss the imprint the metaverse is making on society and our future in this episode of the Access to Excellence podcast.
Photo: Cristian Torres / George Mason �鶹��

Listen to this episode

Explore Computer Science at Mason

Find out about Mason's Computer Game Design program

In This Episode

Foteini Baldimtsi

James Casey

Gregory Washington

Access to Excellence Podcast Episodes

Podcast — EP 67: Building community and conversation through the arts
April 21, 2025
Podcast — EP 66: Peace building amid the rise of global conflict
March 17, 2025
Podcast — EP 65: James Baldwin’s insights on American life and identity
February 17, 2025
Podcast — EP 64: Navigating AI’s risks and rewards
January 21, 2025
Podcast — EP 63: The economic perceptions driving U.S. politics
December 11, 2024

Topics

Access to Excellence podcast

Artificial Intelligence

cryptocurrencies

cryptography

metaverse

New scoring framework addresses software vulnerabilities

Tama Moni — Tue, 25 Oct 2022 17:50:54 +0000

New scoring framework addresses software vulnerabilities Tama Moni Tue, 10/25/2022 - 13:50

In This Story

Massimiliano Albanese

Liza Wilson Durant

The George Mason �鶹�� College of Engineering and Computing has launched the Mason Vulnerability Scoring Framework (MVSF), which publishes a continuously updated ranking of the most-common global software weaknesses. The work, in conjunction with PARC (Palo Alto Research Center), relies on the National Institute of Standards and Technology’s (NIST)—Common Vulnerabilities and Exposures data and other sources of vulnerability information to create an up-to-date database that can be used to identify and mitigate risks. This line of work has resulted in multiple pending patent applications and a Best Paper Award at the 19th International Conference on Security and Cryptography.

Cybersecurity code with 1s and 0s
Photo provided by iStock images

Liza Wilson Durant, Mason’s associate provost for strategic initiatives and community engagement, says, "This preemptive tool to guide strategic defense against cybersecurity vulnerabilities will not only safeguard systems but mitigate potential business revenue losses for those who leverage the tool. “

An existing list called the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses, compiled by The MITRE Corporation, has long been the industry standard. MVSF improves on the CWE Top 25 by having data input monthly, compared to MITRE’s yearly reporting. This improvement allows researchers, programmers, developers, and others to have an accurate, almost real-time picture of where software vulnerabilities are most likely to be exploited. Additionally, where MITRE ranks the top 25 vulnerabilities, MVSF ranks the top 150.

Associate Professor, Department of Information Sciences and Technology and Associate Director, Center for Secure Information Systems, Max Albanese oversees the project for Mason. He says, “If there is a trend where a certain type of vulnerability is becoming more severe, you don’t have to wait for a full year to discover that; you’ll see that class of vulnerability getting worse – or better – month-to-month.” MVSF can even correct course based on new information, going back and re-ranking weaknesses’ order in a previous month based on new information that was not known at the time of original ranking.

Albanese further notes that NIST assigns a severity score to vulnerabilities based on a combination of an exploitability score – how difficult the vulnerability is to exploit – and an impact score – how bad the consequences would be if the vulnerability were exploited. MVSF uses those components as variables but allows users to add their own, additional variables not considered by NIST. MVSF also allows users to decide how to weigh the variables that rank the vulnerabilities. This customizability, still under development, is an important feature of the new system.

Mason and PARC’s collaboration on the Mason Vulnerability Scoring Framework builds on a relationship that started with both of them working on a Defense Advanced Research Projects Agency (DARPA) project dubbed SCIBORG: Secure Configurations for the Internet of Things (IoT) based on Optimization and Reasoning on Graphs. The goal of SCIBORG was to devise fundamentally new approaches to determine security configurations that protect critical infrastructure and IoT-based systems.

The association with PARC here was important to making the project a success. “Working with GMU was a productive collaboration,” says Marc Mosko, principal scientist, PARC. “Configuration vulnerabilities are growing, now comprising over 15 percent of all Common Vulnerability and Exposure (CVE) notices. We appreciate that across many different industry sectors, there are often gaps in context between management, software security teams, and those who are responsible for ensuring systems are performing optimally on an ongoing basis. �鶹�� work addresses these evolving configuration security needs, and we look forward to exploring opportunities to apply this work in the future.”

Mason and PARC’s collaboration on the Mason Vulnerability Scoring Framework builds on a relationship that started with both of them working on a Defense Advanced Research Projects Agency (DARPA) program ConSec in a project dubbed SCIBORG: Secure Configurations for the Internet of Things (IoT) based on Optimization and Reasoning on Graphs. The goal of SCIBORG was to devise fundamentally new approaches to determine security configurations that protect critical infrastructure and IoT-based systems.

Albanese, who is also an external consultant for MITRE, has initiated a collaboration with MITRE’s group responsible for CWE to leverage synergies between the two organizations.

In addition to the excitement of the innovation, it is equally impactful to see undergraduate students involved in its design and implementation and innovating alongside their mentor faculty," says Wilson Durant.

The Virginia Commonwealth Cyber Initiative (CCI) will provide continued support for two Mason undergraduate students to assist with the project, which Albanese says is key for the continued maintenance of the system.

Topics

cryptography

configuration vulnerabilities

Internet of Things

Information Sciences and Technology Department

Research

CEC faculty research

Foteini Baldimtsi earns NSF CAREER Award

Martha Bushong — Mon, 16 May 2022 15:05:16 +0000

Foteini Baldimtsi earns NSF CAREER Award Martha Bushong Mon, 05/16/2022 - 11:05

In This Story

Foteini Baldimtsi

Computer Science, Assistant Professor, Foteini
Baldimtsi.

George Mason Department of Computer Science Assistant Professor Foteini Baldimtsi has been granted a National Science Foundation CAREER Award for her project, Privacy Preserving Transactions with Accountability Extensions.

Baldimtsi recently discussed the ubiquity of cryptography. “We use cryptography every single day. Every time you log in to your email or make a transaction with your bank, you use cryptography. Data do not fly around unencrypted.”

Even so, certain types of interactions require people to offer up more data than they might be comfortable with. She gave a non-digital example of buying alcohol at a store, noting that a vendor simply needs to know if a buyer is over 21. When the buyer shows a driver’s license, the vendor can learn a customer’s full name, address, and exact date of birth, even though they didn’t need that information for the transaction. Using cryptographic techniques, she seeks to create digital credentials that only prove the necessities for a particular interaction. Such “zero-knowledge proofs,” she says, “lets me prove something to you about my identity, while keeping the rest of the stuff hidden.”

Privacy has a price, one of which is speed. She said, “A big part of my CAREER award is how to make privacy techniques practical by being faster and more efficient.” She is particularly looking at anonymous payments. A credit card company, for example, may know that someone is buying coffee from Einstein’s Bagel in the Nguyen Engineering Building every day, though they only need to be able to process a financial transaction. “If you pay with cash, your bank only knows you withdrew a sum of money, but no one knows where or how you’re spending that money. Using a credit card is so much more convenient than paying with cash,” she said. “The question is, using our credit cards or our phones, can we maintain the same level of privacy? The answer is yes.”

Digital privacy has regulatory consequences. “There is a tension between privacy and the ability to enforce the law,” she noted. “If we make everything completely private, there are regulatory issues, so I’m trying to design auditable or accountable schemes that ensure the following - as long as users obey the law, their privacy is maintained. If they break the law - under some well-defined notion of what the law says - their privacy will be lifted.” A key part of her grant, she said, is tackling the challenge of determining ways to mathematically formulate the law. To assist with this, she will be collaborating with the Mason policy and business schools.

From her abstract: “The amount of digital data collected electronically is increasing and poses threats to user privacy. Cryptographic mechanisms enhancing data privacy suffer from prohibitive computational and communication costs and do not offer accountability mechanisms. Towards the goal of bringing privacy-enhancing technologies closer to adoption, this project defines and constructs new cryptographic building blocks like: new types of digital signatures, cryptographic accumulators, and zero-knowledge proofs, which are at the core of mechanisms used to enhance privacy.”

The award totals more than $500K and the award period is from July 2022 to June 2027.

Topics

Cybersecurity

Cybersecurity Research

cryptography

computer science

Research

Commonwealth Cyber Initiative (CCI) researchers address multidisciplinary challenges

Martha Bushong — Wed, 26 Jan 2022 20:19:34 +0000

Commonwealth Cyber Initiative (CCI) researchers address multidisciplinary challenges Martha Bushong Wed, 01/26/2022 - 15:19

In This Story

Whether you are an experienced software developer, a teen texting on a smartphone, or an older adult checking a bank statement, cybersecurity is part of your life. Humans and computers interact every minute of every day and cybersecurity is there to keep information safe and actions private. But normal human behavior can compromise safety and privacy.

For the next 12 months, researchers funded by the Commonwealth Cyber Initiative’s (CCI) Northern Virginia Node (NoVa Node) will be exploring the impact of human behavior on cybersecurity systems. Divided into six teams, the researchers will seek to leverage the power of their academic expertise in the social sciences, and related fields. The teams include faculty from the Colleges of Engineering and Computing, Humanities and Social Sciences, Education and Human Development, and the School of Business. Each team will explore a different aspect of the problem as they aim to translate those understandings into solutions or areas for additional investigation that can impact the welfare of Virginians.

“Human-Centric Training for Privacy and Security Controls: Bridging the Awareness Gap for Diverse Populations”

PI: Vivian Genero Motti, College of Engineering and Computing (CEC), George Mason �鶹��; Co-PIs: Samy El-Tawab, and Ahmad Salman, College of Integrated Sciences, James Madison �鶹��

If you retired from the workforce 25 years ago, before Wi-Fi, online shopping, banking, or smartphones, you are likely more vulnerable to cyberattacks. In fact, older adults face a disproportionate risk of suffering cyberattacks; still, they do not have access to resources and educational materials suitable to meet their needs related to human behavior and privacy protection.

Vivian Motti and her team want to do something about that. They plan to reach out to underrepresented users and characterize their level of awareness about cybersecurity. Motti and her team believe that gaining a better understanding of these populations will help inform educational content development, providing content, language, and design aspects that are all suitable to their specific user profiles.

“By adopting a user-centric design approach, this project will ensure that cybersecurity training meets users' needs for minority groups. By involving older adults front and center in the research agenda, we will establish training contents that are appropriate to their level of understanding,” says Motti. Also, besides following the training contents and retaining what they learn, they will be able to act and prevent potential attacks that could pose privacy risks.

“Impact of Human Behavior in a Mixed Traffic Environment”

PI: Linghan Zhang, CEC; Co-PIs: Nirup Menon, School of Business, Nupoor Ranade, College of Humanities and Social Sciences (CHSS),

As autonomous vehicles become more prevalent and mingle with human-driven vehicles this mixed traffic environment may comprise both. In mixed traffic, the behaviors of human drivers are unpredictable and can lead to situations that confuse autonomous vehicles and cause adverse events for both.

The CCI NoVa Node’s research in autonomous vehicles (AVs) has already garnered attention from vehicle manufacturers such as Ford, Cadillac, and Daimler-Benz. Linghan Zhang and her team aim to extend that research by studying their use in mixed traffic.

According to Linghan, the team’s goal is to reflect driving reality through a multi-vehicle simulation in mixed traffic, using driving conditions that have led to real-world collisions in the past. She says, “Prior research only focuses on a single user’s behavior, and the data collected is mainly limited to surveys and interviews. With objective driving data missing, prior experiments did not reflect on-road driving reality.”

This project could achieve valuable and meaningful data on how human driver behaviors affect other components in mixed driving environments, especially in security- and safety-critical contexts when human errors are inevitable as well as uncover what humans need to know while driving alongside AVs. The team expects that the results will be significant for autonomous vehicle implementation and policymaking.

“Towards Building Cyber-Security Resilience in a COVID-Induced Virtual Workplace”

PI: Amitava Dutta; Co-PI: Pallab Sanyal, School of Business, George Mason �鶹��

Before COVID-19 rocked our world, individuals and businesses were already increasing their online presence. The pandemic accelerated the speed forcing a change. People who were not comfortable in the online environment were made to go online and people who were already comfortable expanded their online presence to areas that they had previously conducted in person.

“In short, COVID-19 has caused a shift from organizational ecosystems to a virtual workplace for employees, which has opened multiple vectors for cyberattacks,” says Amitava Duta, professor at the School of Business. “�鶹�� research focuses on the behavioral and organizational aspects of cybersecurity and is motivated by the ongoing transformations following the onset of the COVID-19 pandemic.”

In their project, the team will investigate the significant changes in online behavior following the onset of the COVID-19 pandemic are. They expect their insights will help organizations build greater cyber-security resilience in a virtual workplace.

Because Washington, D.C. and Northern Virginia are home to prominent financial services organizations these businesses would have a strong interest in strengthening their cybersecurity posture to address its behavioral aspects. Soon, Amazon will also have a significant presence and retail online sales is another area frequently targeted by cybercriminals. If organizations would be willing to provide data on customer behavior on their website, the models developed from the team’s work could be refined and tailored for an important application domain.

“Characterizing and Countering User Security Fatigue in Password Enhancement through Deep Learning”

PI: Gerald Matthews, CHSS, George Mason �鶹��; Co-PIs: Giuseppe Anteniese and Daniel Barbará, CEC, George Mason �鶹��

If you already have a demanding job, you might think maintaining security is an additional burden, and not keep up with cybersecurity best practices such as updating or changing your passwords.

Professor Giuseppe Ateniese has designed a tool for enhancing password strength, based on a deep learning approach, but psychological factors may limit the adoption and impact of the tool. Everyone can be vulnerable to security fatigue and lax cybersecurity practices can have major societal consequences—threats to national security, financial losses to individuals and organizations, and invasion of privacy.

Introducing security tools powered by Artificial Intelligence, when successful, will counteract typical human fallibilities and promote safety in computer systems across government, industry, and personal use. This project investigates the effect of security fatigue on the use of Anteniese’s tool. It will also explore strategies for mitigating fatigue and supporting user engagement.

The team believes that enhancing employees' ability and motivation to maintain effective security protocols has immediate economic benefits and the research has the potential to suggest design features of security tools that can support commercialization as well as training protocols.

“Enabling Invisible Security and Privacy for Resilient Human-Centric Cybersecurity Systems”

PI: Eric Osterweil, CEC, George Mason �鶹��; Co-PI: Matt Canham, CHSS, George Mason �鶹��

For decades, cryptography has been one of cybersecurity’s most essential tools. While its utility is certain, its complexity limits its use for non-experts. The result—non-experts fall prey to cybercriminals for many reasons including lack of knowledge, incorrect thought processes, and the inability to invest adequate time and resources to implement proper data protection.

Eric Osterweil and his co-investigator Matt Canham hope to change that through their work with the CCI NoVa Node. “This project will seed a critical foundation for adaptive cybersecurity protections for human users’ end-to-end encryption (E2EE) needs. The results from this project will be used as foundations for enhancing a core staple of Internet communications (email) and future advances in prescriptive protections for Cybersecurity Threat Intelligence (CTI) information sharing,” says Osterweil.

The CTI industry continues to grow, with companies, federal agencies, and international communities relying on CTI. In Virginia, where federal agencies and their partners routinely conduct transactions over email, this is especially true. Their view is that building human usable E2EE protections and extending those to adaptive CTI will be directly relevant to operational cybersecurity projects and needs throughout the industry and public sectors in Virginia.

The pair believes that a key benefit to the Commonwealth will include course-related exposure of this material to the students at George Mason �鶹��. “Students will be able to showcase both the results of this work and their own derived qualifications to benefit their entry into local industry and jumpstart their ascension to professional careers,” says Osterweil.

"Characterizing Biases in Automated Scam Detection Tools for Social Media to Aid Individuals with Developmental Disabilities"

PI: Hemant Purohit, CEC; Co-PIs: Géraldine Walther, CHHS; Matt Peterson, CHHS; YooSun Chung, CEHD

Designers of scam detection tools often focus on improving the computational accuracy of the methods, especially those with state-of-the-art Natural Language Processing (NLP) and Machine Learning (ML)-based techniques, but their understanding of the diverse human behavior can be limited. This project aims to build a foundation for inclusive cybersecurity technologies to protect individuals with disabilities from online scams using a unique interdisciplinary collaborative approach between computing and non-computing researchers.

Specifically, the team’s objective is to uncover the biases in the existing scam detection techniques for social media using NLP and ML methods. “We will conduct Eye Tracking analyses using a labeled scam dataset of social media posts from existing literature on online cybersecurity and study the differences between the attention patterns of individuals with and without developmental disabilities when perceiving scam posts,” says Hemant Purohit.

The project hopes to gain insights that will support cybersecurity training development for reducing online fraud for individuals with special education needs. At the same time, the researchers want to identify limitations in automated scam detection tools and help create more effective cybersecurity tools that can protect user groups in our communities.