October 2008 Archives

There are many people I admire in different fields. From business to computer science. Some person I admire demonstrate their talents when they are young. For example, Larry Page and Sergey Brin designed google during their PHD. Some others do not follow the 'orthordox' way.

The person I wanna introduce in this blog is Fred Cohen. In my opinion, he poses both characteristics mentioned above.

During the last two months, I read tons of papers in deception in cyber security. Gradually, I found that most papers in this area have cited Fred's paper. I start to research him and found something I admire.

Fred Cohen is an American computer scientist and best known as the inventor of computer virus defense techniques.

In 1983, while a student at the University of Southern California's School of Engineering (currently the Viterbi School of Engineering), he wrote a program for a parasitic application that seized control of computer operations, one of the first computer viruses, in Leonard Adleman's class.

One of the few solid theoretical results in the study of computer viruses is Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses
He has many other works related to computer viruses.

Although he has published many high quality papers, he does not devote him into academia. On the contrary, he owns his own company helping other companies solve security problems. In my former post I mentioned that I want to devote my findings to help others, not only be presented on the papers. This is easy to say but very hard to apply. But Fred succeeds. Besides business, he also publish books, design games for security trainings and some other interesting things all related to security. I really admire such life style that I can do so many things based on my interest.

From the first day I came to grad school, I know publication will be one of the most important things for me unlessI leave academia. Unfortunately, in my undergraduate study, I had rarely done any systematic research and I do not have any publication yet. However, I do want to publish my first paper as soon as possble. Thus my advisor and me are working hard toward this goal.

After huge amount of literature review in the past two months, I found the following venues that will be good place to publish papers in my area:

ACM CCS
ACM Conference on Computer and Communication Security. The annual ACM Computer and Communications Security Conference is a leading international forum for information security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences.

This is a very important conference in my area. I have read several papers written by senior students published in CCS.

ACSAC
The Annual Computer Security Applications Conference (ACSAC) is a premier security conference of outstanding tradition. Started in 1985, the conference has grown over the years to achieve worldwide attendance and recognition for the high quality of its presentations, discussions, and interactions.

This is another important conference in my area that a few researchers(my competitors!!!) who published same ideas of me in this conference.

HICSS
Since 1968 the Hawaii International Conference on System Sciences (HICSS) has become a respected forum for the substantive interchange of ideas in all areas of information systems and technology.  HICSS is sponsored by the Shidler College of Business, University of Hawai'i at Manoa. 

This is another good venue to publish security papers. In addition to the quality of the conference, the location is another attractive point to me. ;-)

I hope I could join any one of the following communities asap.

1. CERT

CERT is an organization devoted to ensuring that appropriate technology and systems management practices are used to resist attacks on networked systems and to limiting damage and ensure continuity of critical services in spite of successful attacks, accidents, or failures.

CERT is located at the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) operated by Carnegie Mellon University.

CERT is the most famous community in my area. They have standardized all the vulnerabilites of cyber systems and it is very important to analyze the potential risk of one system or network.

2. SARMA
The Security Analysis and Risk Management Association (SARMA) is an all-volunteer, non-profit professional association serving those responsible for analyzing and managing security risks to systems, structures and operations from man-made threats. SARMA was created to provide a forum for the further development, standardization, and professionalization of the security analysis and risk management discipline. It is dedicated to providing leadership, education, and certification for security analysis and risk management professionals.

SARMA is not a particular computer science community since it also includes mechanical and other subjects that need risk management. However, risk management and analysis is similar in different areas thus it is not the excuse for not to join SARMA.

3. SIGSAC
The ACM Special Interest Group on Security, Audit and Control's mission is to develop the information security profession by sponsoring high-quality research conferences and workshops. SIGSAC conferences address all aspects of information and system security, encompassing security technologies, secure systems, security applications, and security policies. Security technologies include access control, assurance, authentication, cryptography, intrusion detection, penetration techniques, risk analysis, and secure protocols. Security systems include security in operating systems, database systems, networks and distributed systems, and middleware. Representative security applications areas are information systems, workflow systems, electronic commerce, electronic cash, copyright and intellectual property protection, telecommunications systems, and healthcare. Security polices encompass confidentiality, integrity, availability, privacy, and survivability policies, including tradeoff and conflicts amongst these.

ACM, the community that every scholar in computation area should join!!

4. SRA
The Society for Risk Analysis is a multidisciplinary, interdisciplinary, scholarly, international society that provides an open forum for all those who are interested in risk analysis. Risk analysis is broadly defined to include risk assessment, risk characterization, risk communication, risk management, and policy relating to risk, in the context of risks of concern to individuals, to public and private sector organizations, and to society at a local, regional, national, or global level.

SRA is another big community dedicated for risk analysis that I wanna join.

This blog post is a little bit hard for me since I am the first and only student of Prof. McGill and we do not belong to any lab yet. Our research area is in cyber security but very different from the other professors' research area in IST.

Finally, I decided to talk with three senior students, one in Prof. Liu's lab, one in Prof.Chu's lab and the other in Prof. Wang's lab. The first student is doing research in intrusion detection which is also in cyber securty field. The second student's partial research interest is in RFID security and the last is doing data mining but I think he has a lot of ideas about the future.

All of them have attended conferences including CIT, IEEE Workshop on Information Security, CCS and so forth.

All of them have published papers, most in conferences and one student was once asked by one conference to be the chair of one section of the conference(I was suprised).

I am very interested in how they see  themselves academically. The first student think he likes his area and his area is more related to engineering so he wants to work in the industry after graduation. The second student wants to find a professor position in China, she prefers universities in Hongkong. And the last student also wants to find a professor position in China but he wants to work in a university near his hometown. We also talked a lot about the pros and cons of these choices. To be a professor in China is very different in USA, In China, professors are usually more related to engineering and they have more students. A phd from USA can obviously help us to find a professor position in one of the best universities in China. However, the academic environment, the graduate system especially for phd is not as good as USA.

For me, a first year phd student, I have not made up my mind yet. But maybe I'll work in the industry first as a consultant and I will come back to start my tenure if I get bored of industry. Is that possible?

The biggest difference between me and the other three students is that since I just finished by bachelar this year, my research interests are very broad and do not have a particular focus yet. However, the senior students all have narrowed down to a specific area and they know a lot about it.

As a brand new assistant professor who has just finished his Ph.D. from University of Maryland, professor McGill does not have a long CV with tons of publications. However, I dont think this is a disadvantage, On the contrary, I think that is an advantage.

As a new professor, I am the first student of professor McGill!! And right now, he has only one student. In database jargon, this is an 1:1 relationship. I like our cooperation now. Since I have a lot of opportunities to talk with my advisor about anything. From the research to course assignments, as well as graduate student life.

Professor McGill has publicated in the journal of Risk Analysis, Computers & Structures, Defense Modeling and Simulation, Natural Hazards Review, Bridge Engineering and so forth. Since I only have his publication in 2007 from his CV, this is only part of the data. But he is really productive, he published 13 papers in 2007. From this data, I can judge that he published most in journal of Risk Analysis.

The conferences professor McGill most attended are in the area of risk analysis, risk management and risk assessment.

Before coming to IST, professor McGill has worked in the Department of Defense as a research analyst. He was the 2003 fellow to the Department of Homeland Security. And before that he worked in Swales Aerospace Inc as a Structural Engineer.

Now in IST he develops and teaches undergraduate courses in risk management as part of the security risk analysis program.

If you are considering of applying IST, believe me, professor McGill is a good choice. His research is very new and exciting. And he is a good advisor both in academic and life.