Skip to main content

Guardians of the IT galaxy

Keeping the internet safer
February 9, 2017
By Patrick Lejtenyi

Without a doubt, someone in information technology (IT) at a major global financial institution is going to have a busy day.

It’s a late November morning, and I’m sitting seven floors up in a conference room in Concordia’s Engineering, Computer Science and Visual Arts Integrated Complex. I’m staring at a big projected computer screen and looking at one of the 1,000-plus attacks around the world being tracked in nearreal time by professors and graduate students at the Concordia Institute for Information Systems Engineering.

There’s a long list of targets. Some are financial institutions, some are departments of major European governments, some are well-known companies. However, they are all at risk from a clever hacker with a new way to code malware, despite the security measures they’ve installed against such attacks. And the staff and students at the institute have made it their life’s work to — if not stop the attacks — make life as difficult as possible for those carrying them out.

Staying on top of it all — the viruses, the scam emails, the malware, the web server attacks — is more than a full-time job. It’s bordering on Herculean.

Mourad Debbabi Institute co-founder Mourad Debbabi holds a Tier 1 Research Chair in Information Systems Security. In December he was named NSERC/ Hydro-Québec Thales Senior Industrial Research Chair.

Yet that hasn’t stopped Mourad Debbabi, the institute co-founder who holds a Tier 1 Research Chair in Information Systems Security and is a leading expert on cybersecurity. He’s also the newly named NSERC/ Hydro-Québec Thales Senior Industrial Research Chair. Debbabi is the one showing me the computer screen tracking the threats and attacks, and he rattles off a series of figures that is both impressive and sobering.

“On a daily basis, an average of 1.18 million viruses are collected,” he says. “This is what we’re able to collect, it’s not the total number: 230,000 distributed reflection denial of service attacks are perpetrated; 156 million phishing emails are sent on a daily basis; 1.1 million attacks against web servers and web services — these are attacks that we block.” The actual total number of all attacks is much higher.

All of this information, and much more, is stored on a secure server and shared with certain partners of the institute — though the information is generally kept very close to the vest and not shared with the public. And since these partners often deal with very sensitive information, Debbabi says, “One way to be on top of things is to have intel that will help you to detect, prevent, mitigate and attribute these attacks.”

Their secure facility is able to take the raw data collected from the attacks in near-real time and analyze it thoroughly: what kind of attack was it, where did it originate, who did it target, what was the speed and timing of the attack and perhaps even who was behind it. “This is a unique capability,” he says. “You don’t find this anywhere else in Canada.”

Hacking for degrees

Rachida Dssouli Rachida Dssouli, director of the Concordia Institute for Information Systems Engineering, points out that while its faculty members come from a variety of fields, “they either have a formal degree or were working with it as a component in their work and research.”

You don’t find academic institutes like Concordia’s Institute for Information Systems Engineering elsewhere in Canada either. It’s a graduate institute, created in 2002 in the Faculty of Engineering and Computer Science, and founded by its current director, Rachida Dssouli. Her first hire was Mourad Debbabi.

The institute offers several different programs, including a PhD in Information and Systems Engineering and two master’s degree streams: one theory-based, in applied science, the other course-based, in engineering. There are also graduate certificate programs in Service Engineering and Network Management and in 3D Graphics and Game Development, run jointly with the Department of Computer Science and Software Engineering. With about 20 professors, including five research chairs, and more than 550 students, the institute is the largest of its kind in the country. And Dssouli says it has the biggest concentration of faculty and researchers working in the field of cybersecurity in Canada.

While security isn’t the only field of study at the institute, it is the most prominent. Its mission upon being founded was to enhance education and research around cybersecurity and systems engineering. A system can be anything from a car to a country’s electrical grid.

It’s clear that Dssouli takes pride in the varied expertise of the institute’s faculty members. “We have faculty with backgrounds in industrial engineering, mechanical engineering, building and civil and environmental engineering, and we have people from supply chain management,” she says. “And on the other end, we will see some computer science people working on verification and 3D graphics, we have a mathematician — and they are all multidisciplinary. All of them know IT.”

That diversity is an invaluable asset, Dssouli explains, as it exposes faculty and students to modes of thinking and paths to solutions to problems they may not have considered. “It is not one single domain that will solve the problem,” she says.

The problems being addressed and studied by researchers and faculty at the institute aren’t, by and large, theoretical. They are very much a part of the real world and could cause very serious damage if left unchallenged. For that reason, the institute has developed fruitful partnerships with outside privateand public-sector actors like Ericsson, Telus, Hydro-Québec, CMC Electronics and CS Canada. “We would like to have more of these kinds of collaborations and extend our research and teaching to other domains that are close to security and quality systems engineering,” she says.

There is a lot of back-and-forth between industry and the institute, and with the Canadian government. Debbabi, for instance, does not just work with industry on the problems he encounters daily; he also teams with National Cyber-Forensics and Training Alliance Canada, a non-profit privatepublic partnership that links academia, government, industry and law enforcement against cybercrime threats.

And hacking for democracy

Jeremy Clark The research interests of Jeremy Clark, assistant professor at the Concordia Institute for Information Systems Engineering, include cryptocurrency, online voting systems and email security. Photo: David Ward

Since cybersecurity is a fairly young field, many of the experts are also fairly young. Jeremy Clark is no exception.

When I find him in his office, he is layered in Montreal Impact soccer team apparel, earphones plugged in, a laptop on his knees. At 35, he is an assistant professor at the institute, where he teaches cryptography and security evaluation methodologies. He is particularly interested in cryptocurrency like Bitcoin and voting systems. His expertise is especially timely in these days of suspected Russian hacks of the U.S. election, WikiLeaks and vote recounts in key American states.

His interest in voting sprang from a meeting with the highly influential cryptographer David Chaum. “Once I started working on voting, I came to realize how interesting it is to work on real-world problems — to talk to political scientists, election officials and workers, and the vendors of computerized voting technology,” Clark says. “Basically, it was inclusive of everyone. It really hooked me on the idea of doing interdisciplinary, applied research and also trying to do something that’s good for the public.”

He was struck by the fact that the vendors he met didn’t particularly feel any moral obligation to produce secure voting machines; they only felt compelled to improve their security in case their competitors did. “It dawned on me that as academics, we are in a unique position to get funding from the government to do something that’s in the public interest,” Clark says. “Someone needs to fight for the public.”

When the discussion moves on to hacked emails and the mess they caused the Democratic National Committee in the United States in August 2016, Clark, who happens to be writing a paper on email security, warns that we should expect more like it down the line. The leaks, he says, “were an influential factor in terms of power — maybe not in terms of money because it didn’t profit anyone necessarily, but it did influence power. And before that there were leaks from Sony and other companies. We are seeing an increase.”

That’s troubling. “There are more incriminating things on computers that have an internet connection,” he continues. “The attackers can go around and look for the easiest targets.”

Online voting — something that Clark, as a fan of technology, would love to see become a reality on a national scale — presents a host of problems that need sorting out before advanced democracies see widespread digital ballots.

“First of all, someone can be standing over your shoulder and watching how you vote. You’re no longer in a voting booth,” he says. Voters could sell usernames and passwords to the highest bidder, they could be coerced into voting a certain way from a mobile device, and they wouldn’t know if or how their votes were counted.

How safe is safe enough?

Lingyu Wang Lingyu Wang, associate professor in the Concordia Institute for Information Systems Engineering, Receives funding from Ericsson and the Canadian government to support his research into identifying weaknesses in cloud security properties. Photo: David Ward

Down the hall from Clark is the office of Lingyu Wang, an associate professor who came to the institute in 2006 following several years as a research assistant and PhD student at George Mason University in Fairfax, Va. Wang specializes in privacy, vulnerability analysis, security metrics and intrusion detection.

He also has links to the private sector, especially via Ericsson Canada, that allow him to research methods on improving information storage security. As more computing and more storage is based in clouds — networks of remote servers that store, manage and process data — companies are becoming increasingly concerned about understanding how they work. Since they aren’t using their own private servers, they want to know what is going on inside the opaque and amorphous cloud, and what the risks are.

“If you’re using an app in the cloud, you can’t see how it’s being executed,” Wang says. “You have no clue, because the servers could be anywhere in the world.”

Companies such as Ericsson want clients like big telecom to have an understanding, and so are working to provide transparency to identify weaknesses in the cloud security properties. The Canadian government also has an obvious interest in securing cloud networks, and Wang receives funding from both.

The arrangement allows him to conduct research that is practical, valuable and interesting, and gives him a fair degree of freedom as well. “Companies provide the big picture,” he says. Ericsson, for example, will approach him and tell him that they need to provide cloud users with transparency. How he develops solutions is up to him.

The good the bad and the interesting

Institute faculty members like Debbabi, Clark and Wang are in the curious position of looking forward, in a sense, to bad news. It’s their bread and butter. “Threats drive research,” says Wang. “We’re seeing more and more attacks with more and more serious consequences. The good part for researchers is that we never run out of problems to study.”

Fall 2016 was particularly fruitful. On October 21, the malware worm Mirai wreaked havoc on a number of large websites including Twitter, Reddit, Netflix and others. While that particular attack was relatively quickly contained, it highlighted a new area of vulnerability in our ever-more-connected world: the Internet of Things. Things like security cameras, refrigerators, thermometers — all of our so-called “smart devices” — were hijacked by Mirai to perform huge DDoS (distributed denial of service) attacks against any number of targets. Indeed, nearly a million customers of Deutsche Telekom, a German internet provider, were thrown offline by a Mirai attack over the last weekend in November.

“The attackers came up with new ideas,” Wang says. “In the past, these kinds of attacks were almost always for fun. It was teenagers doing it just to show off.” With attacks like Mirai, he adds, “The landscape has changed. It’s getting more and more serious.”

Yet just as threats multiply, so do the number of people who are very skilled at combatting them. There are more and more specialists in cybersecurity entering the workforce every year, and more than 600 of them are Concordia graduates.

Xavier de Carné de Carnavalet Xavier de Carné de Carnavalet, who is pursuing his PhD at the institute, says he appreciates the academic freedom professors are given to pursue their own areas of interest.

It’s clear that graduates from the institute do well. Indeed, institute director Dssouli says that at one point their students were in such high demand that they would sometimes be scooped up by employers before they completed their degrees. The situation has regulated itself since, yet she says there is no shortage of opportunities for students once they leave Concordia.

The students, Dssouli says, “are very good developers of systems, but they have the additional capability to secure and analyze systems.” Banks and government agencies are big employers of the institute’s grads, as are many universities in the United States, thanks to funding grants by the U.S. federal government.

In the meantime, students are benefiting from being in the middle of an institute with what Debbabi calls a “critical mass” of cybersecurity experts.

For Xavier de Carné de Carnavalet, MASc 14, who first arrived at Concordia as a computer science exchange undergrad in September 2011 and returned the following year for his master’s degree and PhD, the institute offers constant high-level stimulus. “All these professors you see on a weekly basis, in the corridors or in meetings — it’s nice to have a set of professors who have broad research interests, and to have different points of view,” he says.

Carnavalet studies how memory and confidential data in computers are protected under the supervision of Mohammad Mannan, an associate professor at the institute. Carnavalet says that at the institute students are “free to work on whatever we want as long as it is interesting, research-wise, and relevant to practical life.”

Saed Alrabaee, MASc 12, who has become well known in cybersecurity research and academic circles for his sleuth-like abilities to identify authors of malware, is a PhD candidate at the institute. Alrabaee appreciates the opportunity to take advantage of the facilities and opportunities to collaborate with industry leaders outside of academia. Working with people from Hydro-Québec, Ericsson, Google and other organizations “opens up a practical channel,” he says. “Often as students we only have theory.”

After he completes his PhD, Alrabaee is considering three postdoctoral fellowships at universities in Canada and the U.S. However, he says, “I won’t find a school with this number of professors in security.”

Most of us don’t think about cybersecurity much, at least not until something goes wrong. And as I consider changing all my online account passwords and who might be plotting to turn my home gaming console into a weapon, I’m certainly glad there are pros out there who are, indeed, watching our backs.

Back to top

© Concordia University