UNIVERSITY PARK, Pa. — Alejandro Cuevas was a freshman majoring in engineering who simply wanted to learn more about cybersecurity.
“I was accepted into the Schreyer Honors College, and early on they start telling you to think about your thesis,” he said. “Computer security had always been appealing to me, so I thought this was a good opportunity to explore it in depth.”
Flash forward three years — pursuing that research idea changed everything for the Paraguay native. His cybersecurity research has recently been included in an annual research progress report reported to the Department of Defense, as a senior majoring in security and risk analysis with an emphasis on information and cyber security.
His exploration into cybersecurity led him to Peng Liu, professor of information sciences and technology (IST), a leading researcher in the field.
“I looked at his papers and I had no idea what he was talking about,” Cuevas said. “I told him, ‘I really think it’s interesting what you’re doing and I’m really interested in this realm, but I don’t know anything about it. What can I do?’”
Liu gave him a complied list of fundamental resources, which gave Cuevas something to start studying. “I was finally going to learn this stuff,” he said.
After a year of hard work and stamina, Cuevas returned to Liu ready and eager to contribute.
“Fortunately, he [Liu] had just gotten a grant for a new project,” said Cuevas. “A few other students emailed him expressing interest in the project and he structured the project in the way that we would be learning as we accomplished milestones.”
Through this hard work, Cuevas helped build a tool that can generate reports on the cost-effectiveness of certain computer defense mechanisms, and focuses primarily on moving target defenses.
“[Moving target defenses] are defense mechanisms that are employed to introduce randomness into your computer to protect it,” said Cuevas. He used the example of a computer as a house, and malware as a robber.
“Imagine a robber trying to break your window with a rock,” he said. “He would try throwing a rock at the window. If all the windows on all of the houses look the same, he only has to do the same thing the entire way down the block. Analogously, if you have the same exact application, one vulnerability means everyone is compromised.”
What these defenses aim to do, he explained, is move the vulnerability around randomly. “It doesn’t block the window, it just puts it somewhere else in the house,” he explained.
Cuevas said it is currently time consuming and tedious for a security officer to assess what moving target defense is best suited for deployment. Instead, he is developing a series of tests that will generate the needed information. Ultimately, the tool will automatically run these tests, collect the data, and synthesize the results into an actionable report.
The process wasn’t easy, however. The students working under Liu were only initially briefed on the goal of the research project; they knew the end result but had to discover the processes to achieve the goal. Accomplishing very little tangible results, three students dropped out after researching for one semester.
After another student graduated, Cuevas was the only student left working on the project. “By junior year, I was still working towards this abstract [task],” he said.
“[Liu] had this great analogy,” Cuevas said. “You’re on an ocean, swimming on your own, and you just have to find land eventually. So, you know what the goal is, but how are you going to get there?” This advice helped Cuevas still through the difficult times when it seemed there was no solution in sight.
Now, Cuevas and Liu are scheduled to present their research and demo the tool to the Department of Defense in Washington, D.C. in November 2018.
“It’s exciting because I can finally see some ‘land’ after trying so many things,” he said.