Current Projects

Comprehensive Security Assurance Solutions for Software-Dependent Systems

The overall aim of this research program is to establish comprehensive security assurance solutions by enhancing security-by-design approaches for engineering secure software-dependent systems. More specifically, it aims to develop incremental, modular, and compositional solutions for securing systems from the outset and for generating sufficient evidence of their built-in resilience to a range of cyber-attacks and failures. This requires integrating formal (mathematically rigorous) methods with security-by-design approaches so that verifiable evidence can support security assurance claims from the early stages of system development. We will achieve this by: (1) developing formal modeling and analysis frameworks with which we can mathematically prove security properties of software-dependent systems at early stages of development; (2) establishing system-level security evaluation methods and techniques for understanding and mitigating the risks to system assets posed by identified security vulnerabilities; and (3) advancing techniques to support the management, evaluation, and presentation of sufficient evidence for developing incremental security assurance cases.

Natural Sciences and Engineering Research Council of Canada (NSERC), Ottawa ON, Canada
Discovery Grants Program
April 2019 – March 2024

System-Level Security for IoT-enabled e-Health Systems

The evolution of e-health systems with increased connectivity through the advancement of the Internet of Things (IoT) has exposed them to a new frontier of cybersecurity vulnerabilities from which they were previously shielded. Healthcare providers today depend on nearly 100 million connected medical devices to deliver cost-effective and lifesaving treatment to patients, and the number of these connected devices is expected to double in the next 2-3 years. The primary goal of this work is to develop a comprehensive system-level security platform, capable of guaranteeing acceptable levels of security, privacy, and trust in a heterogeneous IoT-enabled e-health system. We aim to develop a system-level security management platform that can help to identify vulnerabilities in a heterogeneous e-health system and inform the development of suitable security mechanisms and protocols.

This project is funded through the Canadian Safety and Security Program (CSSP) led by Defence Research and Development Canada’s Centre for Security Science (DRDC CSS), in partnership with Public Safety Canada.

Defence Research and Development Canada, Centre for Security Science (DRDC CSS), Ottawa ON, Canada
Collaborators: Mohamed Ibnkahla (Carleton University), Ashraf Matrawy (Carleton University)
April 2019 – March 2022

Cybersecurity Assurance for Critical Infrastructure

Protection of critical infrastructure is rapidly growing into one of the most important areas of cybersecurity. The primary goal of this project is to design and develop critical infrastructure cybersecurity assessment methodologies and associated modelling and simulation environments. We are working on a rigorous, formal methods-based approach for identifying and analyzing implicit component interactions, that is, interactions between system components that are not part of the intended design, in critical infrastructure systems. Our goal is to provide a formal understanding of how and why implicit interactions can exist in distributed systems, such as those commonly found in critical infrastructures. Additionally, the methods we are developing can identify deficiencies in important existing system components, allowing for a better assessment of the risks taken by using such components in critical systems.

Critical Infrastructure Resilience Institute (CIRI), University of Illinois, Urbana IL, USA
U.S. Department of Homeland Security Science & Technology Directorate
January 2016 – June 2021

Past Projects

Validating the Effectiveness of Security Design Patterns

Security design patterns have been proposed for mitigating security threats at early stages of software design. However, approaches for verifying and validating that using a security design pattern mitigates a particular threat, or class of threats, and improves system security, do not currently exist. This research project aims to close this gap by developing approaches for: (1) detecting security threats targeting communication channels in the architectural design of distributed software systems, and (2) analyzing, verifying, and validating the effectiveness of security design patterns for mitigating detected security threats and improving system security at design time.

CU Development Grant, Carleton University, Ottawa ON, Canada
September 2018 – August 2019

Assurance Cases for Security and Resilience of Advanced Metering Infrastructure

Smart energy grids depend on advanced metering infrastructure (AMI) and on enormous amounts of information collected and used to make important decisions related to energy services, including billing, monitoring, distribution, load balancing, and more. Therefore, ensuring the confidentiality, integrity, and availability of this information is paramount. However, proving that AMI is secure and acceptably resilient is a difficult task. In this project, we seek to establish the groundwork required for the development of assurance case templates for security and resilience properties of AMI. We aim to form the foundation for ongoing research in the development of assurance cases for security and resilience of critical infrastructure, taking an important first step towards a more holistic and comprehensive approach for ensuring the security and resilience of critical infrastructures. A systematic way of assuring that providers of AMI have done their due diligence in protecting against, and planning for, potential compromise or failure of their systems, and of the components from which they are built, can advance cybersecurity assurance in the complex distributed systems that are now part of so many critical infrastructures. This will ultimately provide valuable insight into how to mitigate security vulnerabilities and risks, and how to reduce the impact when a system experiences an attack or failure.

Natural Resources Canada, Ottawa ON, Canada
February 2018 – March 2018