Faysal Hossain Shezan

Current Institution: University of Virginia

Email: fs5ve@virginia.edu

Bio: Faysal Hossain Shezan is currently pursuing a Ph.D. degree in the Department of Computer Science at the University of Virginia, working with Prof. Yuan Tian. His research interests lie at the intersection of security & privacy, machine learning, software engineering, and cyber-physical systems. He is especially interested in data-driven security and privacy analysis in emerging systems. The goal of his research is to measure the attack surface of IoT platforms, analyze privacy leakage among inter-connected home automation applications, and investigate the enforcement of privacy policies. His research findings have been acknowledged by several well-known companies (such as Google) and have resulted in the publication of several CVEs. He has been fortunate to receive a few awards and recognitions during his Ph.D., including the UVA endowed graduate fellowship award, the Link Lab outstanding graduate research award, travel grants from the Web Conference, and BlackHat USA.

Abstract: Ensuring Safe, Secure & Privacy-aware Emerging Systems using Limited Data

The ubiquitous use of Internet of Things (IoT) devices has increased the number of smart home devices in our homes. As of 2021, 47.4 million households in the USA have one or more smart devices inside their home. Security researchers and developers are working side-by-side to build a secure and privacy-preserving emerging ecosystem. Despite those limitless efforts, the amount of information leakage and the threats to user safety via these smart devices are still alarming, especially when new applications, platforms, or techniques come into being. An emergent need is to introduce an effective system to detect such problems in real time, as the resultant security and privacy consequences are fearsome. The key reasons behind the existence of such threats can be divided into three phases: (P1) the security gap in user-device interaction, (P2) the existence of overprivileged applications, and (P3) the weak enforcement of privacy policies. To find solutions to these problems, I start by investigating the attack surface of applications and identifying the overprivileged applications, and then design an automated framework to enforce privacy policy to detect security-risky applications.

Now, I want to highlight my work on identifying and measuring security and privacy risks as well as implementing and vetting privacy schemes for emerging platforms. First, in the interaction step, I conduct an in-depth analysis of the sensitivity of voice applications. To that end, I built an active learning-based tool to detect sensitive voice applications. Second, in the implementation stage, I investigate the existing problems of the permission-based access control system. This helps me to design and implement TKPERM, a transfer learning-based software, which transfers knowledge of permission correlation systems across mobile, web, and IoT platforms. Third, at the certification level, I performed a security analysis of the current vetting process of voice applications. With these insights, I built an automatic chatbot to unfold the behavior of malicious voice applications which request unauthorized access to user health and medical data. The overall goal of my research is to ensure security and privacy for end users with a secure implementation of a privacy-preserving end-to-end system.