The Department of Homeland Security Science and Technology Directorate is always looking for new cybersecurity and privacy solutions, and it recently awarded a grant to university researchers who are developing a way to control leaks of personally identifiable information.
Northeastern University was given a grant worth $645,229 for its Revealing and Controlling Privacy Leaks in Network Traffic project. The award was given to Northeastern through the S&T Cyber Security Division’s Data Privacy Project.
The Science and Technology Directorate operates by looking for capability gaps and pain points among DHS components, state and local law enforcement, critical infrastructure in the private sector, and international partners. S&T asks those groups about what they need in order to strengthen their cybersecurity and privacy efforts.
"If there is another DHS component that has a need for a privacy solution, we will get engaged and look at the problem and do one of two things: We will see if there’s a market solution that exists, point them in the right direction, and step out of the way," DHS Data Privacy Project Program Manager Erin Kenneally said in an interview with Privacy Tech. "Where we excel is where there may not be a market solution, or it’s immature or ill fitting. That’s where we step in and engage in applied research, advanced development, evaluations, and technology transfer."
Northeastern's grant-winning project operates by analyzing network traffic to identify leaks of personally identifiable information. The solution is deployed on a network level and interposes itself between smart, mobile and internet-of-things devices. The solution uses machine learning to understand the way the leak occurs and uses crowdsourcing methods to validate the machine-learning classifiers.
The solution uses what it learns via machine, combined with user feedback, to gain an understanding of PII leaks as they continue to evolve.
Northeastern is also developing open-sourced applications aimed at allowing users to control the ways their information is used by third parties.
When looking for solutions to fund, Kenneally said S&T looks for projects focused on privacy issues along three dimensions: data collection, data use and data exposure. Within those dimensions, S&T looks at three different contexts for administering R&D funding: connected and IoT devices, big data and algorithms, and the delivery of digital services.
Northeastern's solution falls in the first of those three contexts. Kenneally said the solution helps strike at the heart of the dichotomy in the mobile computing space. While an increase in connected devices has resulted in a surge of capability, users often do not know where their information is going to end up.
Kenneally said Northeastern's solution works to solve those problems for both organizations and their customers.
"What’s attractive about this project is it allows [companies] to regain visibility control over privacy sensitive information," Kenneally said. "If you think of it from the perspective of an enterprise owner and operator, they want to know where they might be leaking sensitive information from users, customers or employees. It allows them to protect their network. From a consumer perspective, it helps them to regain transparency and control over where their data is going."
One of the reasons why Northeastern's solution was attractive to S&T was how much more effective it was than other solutions currently in existence. Kenneally said software options work well on operating systems but not on monitoring networks. While some apps can monitor leaks coming from other apps, Kenneally said those solutions are expensive and often require buy-in.
By approaching leaks from the network, Kenneally said Northeastern's solution offers the most accurate results. Detecting leaks through static code analysis leads to a large amount of false positives, while more dynamic approaches, such as TaintDroid, are often too slow for today's hardware.
Even other network-based solutions have their faults, Kenneally said. With the definition of PII constantly evolving, network-based solutions can miss leaks due to outdated settings. By using machine learning, Kenneally said Northeastern's solution will be the best one to keep tabs on the fluctuating state of PII.
Northeastern has been working on the solution since May and will have funding for two years. While the solution is currently designed for mobile and IoT devices, the researchers are working to adapt the system over to home routers. Kenneally said the Northeastern researchers are having discussions with industry leaders and are hoping to port the code to IoT devices by early 2018. Depending on any impending successful partnerships, Kenneally said the solution could be on the marketplace by late 2018.
As Northeastern works to bring its solution to the marketplace, the Science and Technology Directorate will continue to fund other privacy-enhancing technologies in order to combat any gaps needing to be filled.
"We are seeing a lack of plausible solutions in the marketplace," Kenneally said. "Some of the solutions or projects that have historically come out of the R&D space have oftentimes been just theoretically based. They’ve lacked a practical or pragmatic touchpoint. That’s where we like to think that we are pretty unique in connecting the real world problem space with the folk who can do the R&D and don’t have the industry pressures at their heels to come up with these solutions."
If you want to comment on this post, you need to login.