Digital Defense

Malicious computer viruses lurk in the background, silently waiting while unsuspecting victims work, browse social media or shop online. They masquerade as innocuous digital ads or emails sent from a familiar address. Once triggered, they spread like wildfire and are often difficult to contain.

These viruses can wreak havoc on personal finances and privacy. They can paralyze businesses, damage reputations and bring government entities to a grinding halt.

The size or scale of an organization, or the depths of its technical expertise, do not guarantee protection from cyberattacks.

Consider, for example, that in July 2017, about 50 million Facebook accounts were hacked by cybercriminals. That same year, Equifax, one of the largest consumer credit reporting agencies, reported that more than 145 million of its client accounts had been compromised.  And from 2014 to 2018, roughly 500 million Marriott customers had their account information stolen.

Meanwhile, the U.S. intelligence community says Russian hackers and trolls allegedly mounted a broad campaign to influence America’s 2016 U.S. presidential election, and warns the next target is likely the 2020 presidential contest. Around the world, ransomware attacks, in which malware is unleashed to deny access to computer systems or data until a ransom is paid, are also on the rise.

The cost of such cyberattacks is staggering. According to Juniper Research, cybercrimes accounted for $2 trillion in lost revenues in 2019. And businesses and governments are spending big money to try to defend themselves. Global Market Insights estimates that by the year 2024, the market for cybersecurity products and services will reach $300 billion. 

UMass Lowell has been devoting more resources to expanding its cybersecurity research and education programs to help defend and secure the country’s critical information systems and networks.

“The problem is, everything is running on software,” says Computer Science Prof. Xinwen Fu, a cybersecurity and cyberforensics expert and director of UMass Lowell’s Center for Internet Security and Forensics Education and Research (iSAFER). “It’s really hard to create a secure software.”

Another problem, Fu notes, is that people know how to use their mobile devices, but many lack the knowledge, experience and training to configure their operating systems and make them secure. “The hacker is always looking for ways to attack and exploit your system’s weaknesses,” he says. “It’s only a matter of time before it gets penetrated.”

Computer Science Asst. Prof. Sashank Narain agrees. “There is no device in the world that is totally secure. It’s a cat-and-mouse game between the hacker and the protector,” says Narain. “A protector has to think of a hundred ways to secure the system; the hacker only needs to find one weak point, and the hacker wins.”

He adds, “You can protect yourself only from known attacks. Any new, unknown attacks will leave you vulnerable.”

In 2016, the university was designated by the National Security Agency and the Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Research (CAE-R), in recognition of its decades-long leadership in cyberdefense education, training and research.

“UMass Lowell is one of only four universities in the state that carry the designation," says Fu. “The designation provides federal funding opportunities that are open only to CAE-R institutions.”

Aside from iSAFER, UMass Lowell is also home to the Center for Terrorism and Security Studies. Faculty from computer science and engineering to business and criminal justice are engaged in research in all aspects of cybersecurity, including Big Data, data mining and business analytics, digital forensics, health data security, network and mobile security, counterterrorism and transportation security.

“Our work is being supported by the National Science Foundation, the Department of Defense, the Department of Justice, DARPA, the Army Research Lab and many others,” says Fu.

Last November, UMass Lowell opened a new center for cybersecurity education, research and workforce development called the Cyber Range that will help students prepare for careers in the high-demand field.

The state-of-the-art lab facility, which is located on the fourth floor of the Wannalancit Business Center near East Campus, uses real-world scenarios and the latest technology to teach students how to defend against an array of cyberattacks, implement security measures to mitigate network vulnerabilities and harden different operating systems.

“The Cyber Range enhances the university’s learning and research capabilities by giving students the opportunity to practice cybersecurity exercises in a safe, interactive environment,” says Computer Science Prof. Fred Martin, the associate dean for student success at the Kennedy College of Sciences.

“Each workstation allows students to test their cybersecurity skills by facing live cyberattacks in a sandboxed environment. The machines are isolated from the internet during live exercises,” says Narain.

Fu and Narain, who are members of the Cyber Range faculty along with Assoc. Prof. Chunxiao (Tricia) Chigan of the Francis College of Engineering’s Department of Electrical and Computer Engineering, are currently training a student team that will participate in the National Collegiate Cyber Defense Competition (NCCDC), sponsored by Raytheon. The River Hawk team made the cut in the qualifying round to advance to the Northeast Regionals, which was scheduled to be held at the University of Maine this spring. Fu says the Cyber Range is planning to add more faculty members this year.

Hot Skills

Demand for computer security skills is strong, with the number of job openings in cybersecurity predicted to top 3 million by 2021, according to a recent industry report. And UMass Lowell sees a role for itself in preparing the professionals to fill those jobs.

“We are proud to provide UMass Lowell students with the very best training to prepare them for careers in this important field,” UMass Lowell Chancellor Jacquie Moloney said during the Cyber Range’s official opening, which drew representatives from Red Hat, MITRE, Spinnaker Security, the Massachusetts Technology Collaborative’s MassCyberCenter and state and local officials.

The opening of the Cyber Range comes as the university is expanding its computer security offerings. This fall, the Department of Computer Science will offer an undergraduate option in cybersecurity. 

“Right now, we have more than 900 students majoring in computer science; we have doubled the number of undergrads in the last five years,” says Prof. and Chair Haim Levkowitz. 

UMass Lowell’s other current academic offerings include training for the NIST Cybersecurity Framework, which is a set of best practices, standards and recommendations set forth by the National Institute of Standards and Technology, as well as a master’s degree in security studies, an online graduate certificate in cybersecurity and other programs from the departments of Computer Science, Electrical and Computer Engineering and the School of Criminology and Justice Studies.

The Internet of Things  

Last fall, the National Science Foundation (NSF) awarded two grants, totaling $1.54 million spread over three years, to Fu and his collaborators from the University of Central Florida (UCF) for their research on improving the security and privacy of the Internet of Things, or IoT. This refers to a network of separate physical and virtual devices that communicate with each other wirelessly, without human interaction or intervention.

“IoT is booming, with the popularity of smart, mobile devices,” says Fu. “However, these devices, if left unprotected, will allow hackers to be able to collect or manipulate data using a Bluetooth connection.”

The first grant, worth more than $1,198,000, focuses on building a secure, trustworthy and reliable air quality monitoring system for smart, connected communities.

“We are building sensors so that the air quality data cannot be manipulated by anybody, even by those who can physically touch and access the sensors,” says Fu.

A total of 110 prototypes will be deployed across Boston and Orlando. The data collected will be transmitted to a central server for analysis.

“The techniques used for securing the sensors can also be applied to protect all kinds of IoT devices, including security cameras, hospital medical sensors and virtual home assistants, so that administrators and researchers can make correct decisions based on trustworthy data,” says Fu.

The second grant, worth more than $340,000, provides education funding to build low-cost, state-of-the-art IoT security laboratory kits for use in university classrooms.

“We will teach students how to design and build secure IoT devices. They will experiment with the devices and learn how to defend them from cyberattacks,” explains Fu, who is the principal investigator for UMass Lowell on both projects.

“Our project is the first to use an industrial-grade microcontroller with a crypto coprocessor to systematically develop teaching materials, including hands-on labs and case studies on IoT security and privacy,” says Fu. “This IoT platform costs significantly less than existing platforms, and will allow for the development of a full-fledged IoT laboratory with hardware security modules that is affordable for students and institutions.”

In February, the U.S. Department of Energy awarded a $3 million grant to Fu and his UCF co-researchers to secure IoT-based automation systems used in smart buildings. Today’s smart building technology uses wireless sensors, equipment controllers and cloud-based software to control heat, ventilation, air-conditioning and lighting systems to save energy, increase comfort and improve air quality.

“Depending on its size and type, each building can have 50 to 100 controlled devices, while each device can have on average 10 sensors. That is, each building can have 500 to 1,000 IoT gateway points. With such a large network, vulnerabilities exist that could allow malicious hackers to attack those sensors, connect their computer to the building’s system and attack all devices hooked into the entire building,” says Fu. “My job is to examine network weaknesses and design defense measures against such cyberattacks.”

Get Smarter  

For his part, Narain has been studying privacy attacks on smartphones by hackers exploiting the phone’s sensor side-channels. According to Narain, by using machine learning algorithms and monitoring the smartphone’s gyroscope and microphone, it is possible for a hacker to infer the user’s keystrokes with up to 95 percent accuracy, giving the hacker access to the user’s name, password and other sensitive information. And by using models and algorithms and monitoring the phone’s accelerometer, gyroscope and magnetometer, a hacker can deduce the user’s travel routes and locations with high accuracy. Narain has applied for a federal grant to develop ways to mitigate these privacy attacks. The application is currently under review.

For the NSF air quality monitoring project, Fu has hired electrical engineering senior Brandon R. Keating to design the sensor’s printed circuit board, assemble its various components and fabricate the housing with a 3D printer at the Cyber Range.

Keating is taking a graduate course on cybersecurity, with Fu as his adviser. The two have been working on a patent pertaining to semiconductors.

“My experience with cybersecurity is more under the surface of things,” Keating says. “Part of my job is to design things with built-in resistance to cyberattacks or infiltration. My involvement is more to prevent leaks in a system than to directly repel attackers. The point of cybersecurity is to keep out infiltrators at every level. If there is a flaw in the system, one can assume it will be exploited by hackers. This attitude keeps us on our toes.”