For people in a rush: I do research about security, in particular; access control, the use of privacy-enhanced technologies in different contexts and security/privacy of blockchain. Some of the areas I worked on (or am working on) include:
Not in a rush? /\ Something more casual?
- Privacy-preserving ML and Security of ML
- Access control and security policy enforcement
- Data Privacy and Computation over Encrypted Data
- Formal and empirical methods for (security) analysis
I work at the intersection of privacy engineering, blockchain and access control. I am passionate about the identification of security/privacy problems when accessing or processing sensitive data, and the development of feasible solutions to these problems.
Some of the central questions to my research include:
- How can we achieve ``privacy'' and ``security'' in machine learning systems? Well, I won't bother you with the terminology hassle but use straight examples. Alice's record is contained in a data set and she does not want to be identified. Or the hospital X wants to donate Alice's record for science but it is concerned that her conditions will be leaked. Privacy question here is clear but what about security? Example: Company UranusX developed a brilliant ML algoritm and trained over a large data set. I look for the problems here and ways of protecting the model (and its data).
- Can we use Distributed Ledgers for security related functionality (e.g. identity)? What are the security issues in blockchain-based systems? How can we use smart contracts, Zero-knowledge proofs and alike for security related functionalities?
Some additional works I am busy with include the design and implementation of security services for cloud systems with a focus on computation over encrypted data and federated authorizations. The particular application areas of the proposed techniques in my research include verifiable (and private) genome analysis and secure smart energy systems in which the processing of large sensitive data is outsourced to (possibly untrusted) clouds and the access to data is strictly regulated.
In my PhD, I developed/applied run-time reasoning and verification techniques for all activities involved in static and dynamic analysis of certain security properties and constraints. So simply, I work on run-time verification in access control. The access control model I consider is mainly Role Based Access Control (RBAC). Conventionally access control to resources has been considered from two perspectives:
- Model: How to model a system with a generic approach that has the necessary machinery to represent authorization requirements. Examples include, Role Based Access Control (RBAC) model, Attribute Based Access Control (ABAC).
- Specification: Expressive notations for encoding an access control policy.
Recent advances in automated reasoning enabled the use of formal methods in verification of the specifications at design time. However, as many information (i.e. parameter) used in access control decision is only available at run-time and the design time analysis can easily lead to state explosion problem in many access control settings, run-time analysis can provide efficient solutions to many verification problems. So the question is can we use the existing methods or develop new ones that exploit automated reasoning techniques at run-time?
What I did was developing and implementing formal/semi-formal methods for the verification of specifications at run-time by 1. Approximating some of the run-time parameters at compile time and simulation, 2. Using efficient representation techniques and algorithms to encode the problem, 3. Optimizing the analysis of state traces at run-time (in just in time manner) by state space elimination as at run-time one needs to deal with only finite traces.
Throughout the years I worked on several projects. Some of them include
- Low Resource Chat-based Conversational Intelligence (LESSEN) - NWO
- Complete Dynamic Multi-cloud Application Management (CYCLONE) - EU H2020
- Adaptive Cooperative Control in Urban (sub)Sytems (ACCUS) - EU Artemis
- Managing and Auditing Security and Trust for sERvices (Master) - EU FP7
- System Engineering for Security and Dependability (Serenity) - EU FP7
- Anomaly Detection and Resolution Physical Access Control Policies - UTRC Collaboration
Some other problem specific projects and software can be found here