Expert Interview of Security Research with Dr. Yuhong Liu

 


Bulletin of the Technical Committee on Learning Technology (ISSN: 2306-0212)
Volume 23, Number 1, 6-12 (2023)
Received March 10, 2023
Accepted March 11, 2023
Published online July 5, 2023
This work is under Creative Commons CC-BY-NC 3.0 license. For more information, see Creative Commons License


Authors:

Gobi Ramasamy, Clara Kellermann-Bryant*, and Imtisal Ahmad

*: Corresponding Author
The Department of Computer Science, Southern New Hampshire University, Manchester, NH, USA

Abstract:

Serving as Chair of the IEEE Computer Society STC Executive Committee Board, Dr. Yuhong Liu has research interests that encompass trustworthy computing, cybersecurity of emerging applications, internet-of-things, blockchain, and online social media. Although research is established for current trends in cyberspace, we determine the importance of security to each discipline in the future. This article fully introduces the background of Dr. Liu that positions our examination of security. Further, the article comprises an outlook on security, an analysis of social network security, Dr. Liu’s contribution to internet-of-things, predictions of blockchain technologies, and the impact of security research. Utilising the expertise of Dr. Liu in telecommunications and succeeding technologies, the article concludes evaluation to define consequential factors toward modern security. We believe that such analysis will provide substantial confirmation of persistent threats discovered in the computer science and information technology fields. In closing, activities to remediate hazardous behaviours shall be addressed.

Keywords: Cybersecurity, Information Technology, Networks.

I. INTRODUCTION

Data transmission is susceptible to interception by attackers via cyberspace. Understanding the influence of attacks on network vulnerabilities, Dr. Liu displays her interests pertaining to peer-to-peer implementation, centralised computing, collaboration, coordination, user behaviour, and incentivisation for detailing a lack of focus on security. It is these aspirations that have advanced network security protocol capabilities such as Datagram Transport Layer Security (DTLS) for virtual private networks and Secure Shell (SSH) port forwarding. In addition, the interests of Dr. Liu are crucial to discerning how misusers exploit information systems that hold sensitive data:

  • Your research interests and expertise lie in online social network security and privacy, trustworthy Internet-of-Things, trust management in cyber-physical systems, and blockchain. What motivated you to pursue these research interests?

“It seems like my topic covers different areas, so that was an interesting journey actually. Back to my Master’s degree, I was interested in a project as a peer-to-peer network project. Back then in 2004, the peer-to-peer concept was very popular, and it was used a lot for file sharing in decentralised systems. I was also interested in that project, so through the project, I learned a lot of different concepts about decentralised computing (paralleled computing, decentral) but one important thing I found interesting is the cultivation and the collaboration among different parties, different peers, when they participated in the network. And an interesting thing is the most challenging thing in a peer-to-peer network is how can you encourage people to participate and contribute. Not everyone is willing to do things for others – most of the users are selfish. We have our own interests and we want to maximise our own benefits. So there could be three writers, and if the majority of the network are just these three writers, you can hardly imagine the system will run forever or run in good shape. So that becomes a very challenging question.

Then starting from my PhD the project I started working on was trust modelling with a particular application domain as the online social network. From that domain, we actually tried to understand the users’ behaviours, and an interesting thing that started to connect is the online users – they are oftentimes also selfish and even worse, some of the users are malicious – they are attackers, they try to grab sensitive information from other users, or they try to do something bad. So what I did for PhD studies is using some tools – trust modelling – to actually estimate what predicts users’ behaviour, and try to differentiate those normal and obvious user behaviours from those malicious or selfish ones. And taking it one step further, I even tried to provide incentives to encourage the users to behave in a trustworthy way to contribute to the network and to facilitate other users.

So that starts to connect, and that’s the major topic for my PhD. But then I graduated and got a job in academia, so in my future direction I was wondering: ‘how can I utilise the knowledge I have to look for new problems?’ and it turns out that trust modelling can be generally applied in much broader application domains. As long as there is a network or system, there are multiple agents either human users or just machines – as long as they participate in the system they share. They may have different interests, different goals, then they can be modelled like multi-agent systems. And trust modelling, which can inspire or encourage the participants to collaborate together, while at the same time try to help them achieve their different goals. That became general tools to play a role, so that’s how I started applying the system’s very good direction to be generally applied that I found particularly useful. For example, cyber-physical systems or Internet-of-Things, and Blockchain systems, those decentralised systems where you have different parties. That’s generally how I got into the field, and I still feel passionate about this field.”

Conducting extensive research following their interests, Dr. Liu describes how mentorship assists in building the foundations for further use of security concepts. Performing comprehensive surveys, result analysis, faculty development, and learning from the experience of colleagues provide examples of such mentorship:

  • Did you have any mentors in this journey? How did they inspire you?

“I feel I was very lucky, I have a number of good mentors who help me find out the way about my pursuit. First I want to mention that it’s my PhD advisor, she’s actually my role model. She was very successful in her career. Technically, I learned how to do serious research from her. I closely worked with her just as her student for five years plus one year postdoc, so altogether six years. She taught me how to perform comprehensive literature surveys, how to do solid experiments design, and how to do the result analysis of the technical stuff. But more importantly, she helped me know that as a PhD, close to graduation you need to be able to do independent work. You need to identify an interesting, while important, problem to that work. Think about for the next five years what can you work on? For the next ten years, what can you work on? So those are very helpful suggestions for me that keep me thinking will connect you for the future.

Also, there are some other skills that I learned from her, for example how to do a public presentation. You do all the solid work, you get publications, but still need to talk to people to help them understand what you are doing so that you can see other opportunities. I think those are also very helpful skill sets that I learned. Then later when I started my career as a professor at the university, I found many of my colleagues are very helpful. They are generous in terms of sharing their unique experiences with me. Not only our research but also teaching, surveys, work-life balance; there are a lot of challenging issues when you start your career in academia. For example, I graduated as a fresh PhD, I had no teaching experience at all. How can you attract your students in your class, not just teaching them in a very boring way? People will never learn that. I had a few colleagues that are very good teachers – they know how to attract students’ interests while at the same time being able to pass the knowledge to the students. So I learned a lot from them as well.

Then the other side is how do you balance your work life. Starting as an assistant professor, you have a lot of different things you have to learn, you have to develop, your independent research, your teaching skill. You also need to go to conferences, get to know people, there’s a lot of work you have to do. Also, one thing is: how do you say ‘no’ to all those different tasks. That’s an important skill as well. I initially didn’t do a very good job but I was learning my way. I talked to colleagues from my department, from some other departments within the school. Our university provides very good opportunities for us to participate in national level academic development programs, and I got the chance to talk to other faculties from totally different distant places in another institution. So I share my experiences and also learn their experiences. I think that’s very helpful and I get to know some very good mentors that help me pass this challenging stage.”

II. CYBERSECURITY OUTLOOK

The future of Trust management merges the concept of trust with configuration, faults, performance, and security while analysing how an entity becomes reliable in decision-making processes. The future of Trust management pertaining to cyber-physical systems incorporates such concepts with the latest trends in technology. Relating to data integrity, the latest technologies are to be consolidated with black box testing, unit testing, and integration testing for advanced solutions to reliability in cyber-physical systems. This future direction and reliability of Trust management for cyber-physical systems are significant to the implementation of Security-as-a-Service (SaaS) for businesses using cloud-based cyber-physical systems in their architecture. In addition, the future direction may assist in scalability for the total cost of ownership within SaaS and assist the customer domain. Dr. Liu now discusses the future direction and her work on cyber-physical systems:

  • What is the future direction of Trust management for cyber-physical systems, and how is data integrity established?

“I covered my cyber-physical system in my PhD. It was a subproject that I was participating in. The last project we were working on was on amputees that had lost their lower limb. So we needed to involve the mechanical part and utilise biomechanical sensors to capture the user’s neural signals and to use machine learning to predict the user’s movement intention, such as if the person wanted to stand up or sit down in a chair or to climb stairs etc. We were able to send the control signal to the mechanical limb, the fake limb, then to help them with their movement. This is the first cyber-physical system that I had worked on. Actually, through this project I learned that cyber-physical systems, depending on which cyber-physical systems you work on, the problem itself can be unique. It is different from one domain to the other. In my part of the project Trust management reliability can be one important issue.

How to apply the cyber-physical systems, we worked on models of the cyber part, as we applied our model to the real world, physical systems. As we worked on the model there were a lot of counter cases and you have to be able to cover those cases. Otherwise, it could cause severe injury to people’s lives. So we have to be super careful. So we have to do real testing to make sure it will work in reality, which is important.

I see you mentioned data integrity for cyber-physical systems as well. From a security point of view, for Test management, machine learning algorithms. For example, there is a new direction for Test management machine learning. In autonomous recall applications, for example, we know that deep learning matter has been applied a lot and has been developed very fast over the past few years. They are having a critical challenge. Although you can achieve 99% accuracy, already you have the 1%, and so you know when machine learning will fail. Not the part, we both understand, until now the deep learning model. In multiple cases they are still like a black box. They know that it works but they do not know when it will not work. So how do you know how to control it so it will not crash, in a special case. So it is kind of untrustworthy. So trust modelling can play a role there. But I’m not particularly working in that domain.”

Data security approaches are to protect the privacy of online social networks and include laws such as the Gramm-Leach-Bliley Act, Berne Convention, and the Privacy Act of 1974 for regulation. However, additional laws are to be considered with respect to best security practices for privacy. Dr. Liu further discusses these approaches from a regulation perspective focusing on security:

  • What data security approaches can be used to protect online social network privacy?

“There are several different aspects from the regulation point of view. There have been some regulations developed already, for example, the EU, they have the GDPR that is well known by international companies. For example, they must comply with that regulation. Also in the US, in California, we started to have the CCPA as well, employed at the beginning of 2021. Those are very good starts or efforts made by the government. On the other hand, we also need technical solutions and technical tools. People have actually been studying this for quite a long time. For example, some technologies include differential privacy, or from a machine learning point of view, these people tend to share their data. How can you, without getting the detailed raw data from the individual users but still include their patterns in your generally learned machine learning model? So federated learning could be a good way to do that. So the individual users just need to train their local model, and only pass the model parameters to the central party. Then the central party will aggregate these parameters from different individuals, so they don’t have to look at any more raw data.

Another angle is for the online social media platforms, they collect a lot of their user’s data. They’re responsible to protect that data, and a common practice is they may have to outsource the data to third-party cloud computing services. In that case, they have to encrypt the data before they outsource the data.  Another challenge becomes where if they need to provide services to the individual users, how can they process the data? You have to have some technologies to support operations on top of encrypted data. Like secure multiparty computation, and homomorphic encryption, those techniques are also developed. So there are some technical aspects as well that are making efforts, but I would say eventually, the most important thing is our individual users. We pay attention to our own data, we have to be aware of the data privacy issue, because eventually a lot of operations are made by ourselves. For example, when you register an account from an online social media platform, they may give you their privacy policy. You need to track the policy and make sure you understand what’s going on. Also, you can go to another website’s cookies; you have to make careful choices about your cookies, otherwise, they will be able to track your information.

Another thing is try not to post everything online, especially your sensitive personal information. A couple years ago we did a study with real online social user data, and we focused on the user friendship relation. For example, we may not want to reveal all of our friendship relations to the general public. But from the social network perspective, they want to review more information so they can attract. For example the user A and the user C, they may not be friends yet but they may have someone in the middle who knows both. There is a high chance they may get in touch if the social media platform lets the two users know they have a common friend. There’s some conflicts, and we did a study where if we allow the individual users to make their own choice about how many friendship relationships they want to reveal to the general public, can we achieve that? It turns out that in those friendship relations, the privacy is not only depending on your own settings – it also depends on your friends and their privacy settings. If they decide to reveal a certain relationship, if they make very relaxed constrictions, then your relationship may also be revealed as well. Your privacy is not only controlled by yourself, it is also in the hands of your friends, so be careful about who you connect with. Also, try not to accept those random and arbitrary unknown friend requests, that is another way to protect yourself.”
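The point in the answer above, that a friendship stays private only if both sides keep it private, can be checked mechanically. The following Python sketch is an added example, not part of the interview or of Dr. Liu's study; the per-user "reveal set" model, the function names, and the sample users are assumptions made for illustration.

```python
# Constructed sample data: undirected friendships and, for each user, the set
# of friends that user chooses to show publicly (a hypothetical model of a
# per-relationship privacy setting).
FRIENDSHIPS = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "carol"), ("dave", "erin"),
]
REVEALS = {
    "alice": set(),               # hides every friendship
    "bob": {"alice", "carol"},    # relaxed setting: shows all friends
    "carol": set(),
    "dave": {"erin"},             # shows only one friendship
    "erin": set(),
}


def visible_friendships(friendships, reveals):
    """Return the edges the public can see.

    An edge is public as soon as EITHER endpoint reveals it, which is why a
    user's own setting is not sufficient to keep a relationship hidden.
    """
    visible = set()
    for a, b in friendships:
        if b in reveals.get(a, set()) or a in reveals.get(b, set()):
            visible.add(frozenset((a, b)))
    return visible


def exposure_report(user, friendships, reveals):
    """Split a user's exposed friendships into self-revealed and friend-leaked."""
    friends = {b if a == user else a for a, b in friendships if user in (a, b)}
    own = reveals.get(user, set()) & friends
    # Friendships the user hides but the other endpoint shows.
    leaked_by = sorted(f for f in friends - own if user in reveals.get(f, set()))
    exposed = len(own) + len(leaked_by)
    return {
        "friends": len(friends),
        "revealed_by_user": sorted(own),
        "leaked_by_friends": leaked_by,
        "exposed_fraction": exposed / len(friends) if friends else 0.0,
    }


if __name__ == "__main__":
    # alice reveals nothing herself, yet one of her three friendships is public.
    print(exposure_report("alice", FRIENDSHIPS, REVEALS))
    # If bob tightens his setting, alice's exposure drops to zero.
    tightened = dict(REVEALS, bob=set())
    print(exposure_report("alice", FRIENDSHIPS, tightened))
```

The `leaked_by_friends` list is the actionable part for a user: it names the connections whose settings, not the user's own, expose the relationship.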

III. SOCIAL NETWORK SECURITY ANALYSIS

The emerging threats against social networking security consist of propagation and malware deployment that lead to consequential factors of phishing attacks, fraud, identity theft, privacy violations, and further information disclosure issues. Prioritising the assessment of such social network security threats ensures prevention regarding the access and manipulation of users’ data. In addition, evaluation of the emerging threats may assist in intercepting spam and false crises developed to deceive susceptible individuals. Determining the emerging threats will then aid users in making safe choices on social media platforms:

  • What are the emerging threats against social network security, and how can users stay informed about protecting themselves?

“This is a very interesting thing as there are a lot of threats, deep threats in social networks, like one of the already kind of blurry, commonly recognized one that is different from other systems on social networks that you depend to trust people who you connect with, like your friends and family members or people that you have common interests with. So then the malware also finds their way to propagate to a lesser social media that’s much more efficient than the propagation like spam email or some other ways. So that is starting to become more popular than before. So this allows different techniques to actually develop to warn users. For example, if you receive a link sent from your friend and shared by your friend, try not to click that directly. The picture that will attack is from your friend and is not a random thing, or sometimes your friend will get compromised so the shared thing may not be shared by the real person. So you should be aware of that, don’t just arbitrarily trust someone. Another thing is, well another emerging thing is about deep fake. So we know the technique, development of deep learning of multimedia there are applications. So nowadays people can easily make some deep fake media for use. So recently there was a deep fake media story about Zelensky, the president of Ukraine and in that fake media he was asking his soldiers to surrender. That got propagated on social media.

Although in the US site most of those fake feeds were blocked or taken down. But in Russia for example, that media got very popular and propagated out there on social media. So new technologies in the field are threatening people’s knowledge. So for that one, now it is very difficult from the technology perspective to defend our side to actually be able to capture that. There were some very good studies that can actually differentiate from those fake videos to the true videos, but it is typically not a lobbying environment. The technology is not mature yet to be applied in the wild to randomly when you have a fake video there is no guarantee that we can detect it. So do pay attention or be more aware of that. The similar thing is that not only the media side is all about information, misinfo and disinfo. Those social media platforms, the major ones already take a lot of actions to try to prevent such propagation, massive propagation – for example, they also generate like Facebook, Twitter, and Google they generate tags to help mark this piece of information as unverified or possibly misinformation, to try remind the individual users. The problem at heart is, the real-world impact, if the effectiveness is poor, when we get online social networks we tend, there is an iculture. You tend to be connected with people who share similar interests or similar mind sight with you that leads to everything you see kind of iculture what you believe and you are blind about the other side and because of that there is a higher chance all of your friends, your subculture, they are sharing something, even if that is not true you may tend to believe it, there is a high probability. In some places they tend to be less vulnerable to misinfo and disinfo. So the suggestion for individual users to try not to speak with a fixture of static source but to be more diverse about gathering your information. So that is something I think will be helpful.”

Enforcing security measures for social networking applications is difficult, because it must be determined whether the measures are cost effective and whether the implemented techniques are sufficient to prevent the exploitation of vulnerabilities. Certain techniques are implemented for these applications to balance such issues in development. Within social networking applications, common development techniques for security include buffer overflow prevention, input validation, and misconfiguration analysis. Nonetheless, social networking applications continue to be primary targets for misusers who victimise entities made susceptible by a lack of social engineering education and improper assessment of threats. The consideration of securing mobile technologies and mitigating rogue devices with social networking applications is discussed to inform individuals of the approaches they can take for their privacy:

  • From your perspective, how can we secure our social networking applications?

“Yes, so again I also consider the mobile side because they have limited resources, computation storage and other things so, they have limited resources available for security implementation. So that makes them especially vulnerable and also, for example, when you use an Android phone, for example when you download an app you need to make some basic settings but most people go with the default settings. They don’t bother to check that carefully. For example location service, that is closely related to your privacy. If you go into the technical detail that would be too difficult for individual users so that is why most users tend to go with the default settings. But now they are trying to make the settings, the different settings, easier for the individual user. But again, people may not bother to use them. For example, the location service where you grant the particular app or not: if the app is not related to location service at all, why do you allow the location service? Some other things, even if you allow the location service, do you allow that all the time? Or should you allow that only when the app is running, for a particular purpose? So there are a lot of detailed choices that you have to make. For example, should an app be granted access to your contact info, your phone book, that can always be the user’s choice.

From the other side the app developers, because it was easily granted, they try to ask for more than is needed.  Because of that, it might also generate some vulnerabilities. They take care of your data, they have your data, and if they are vulnerable, if they have some security vulnerabilities it may make them tend to lose your data to some malicious hacker and that can cause damage as well.  We had a previous project working on Bluetooth security for mobile phones. We found out that in the Android system for example, that all the apps kind of share the same Bluetooth connection ID. So if one app is an official location app it can get connection out with another device through the Bluetooth signal. The channel is established and all other apps can also access the channel. So whatever you are transmitting over the channel can be learned by others as well as easily manipulated. The plain text is transmitted over the channel then the malicious app can get what you are transmitting. You are better to encrypt your data at the application layer so even if your other apps are exposed to other malicious apps you are still protected. So those are some of the suggestions.”

In addition to educating users regarding social network applications, building trust for social network analyses is significant in establishing efficiency and reliability for information sharing. Means such as trust modelling with probability theory are discussed to provide awareness on the development of trust in social networks:

  • How can we build trust on social network analyses?

“There are many different ways – I will just mention a few examples. For trust modelling, some of them are kind of intuitive, and hopefully will make sense to you. One classic model is direct trust and indirect trust. Direct trust means you make your own observations about a particular person’s account or some source object. If we observe this object or this atom over a long time, then you will have sufficient experiences to make your own choice. Sometimes when you don’t have the chance or opportunities to make your own observations, you may rely on others, so that’s what we call the indirect trust. For example, recommendations, like the online rating system in Amazon and eBay, if you haven’t bought any online products somebody has bought before, you tend to look at their online reviews and ratings. That’s another way to help you to build your trust and whether this could be a trustworthy, honest seller or not. That’s a typical model for direct and indirect trust.

Another way is, we can also based on the statistical analysis for probability – for example, the Bayesian model can be applied based on the prior, should we try to estimate the next step of how likely this user or particular object will make a trustworthy behaviour or make a malicious behaviour. So that’s some statistical analysis, and a very well-known one was the Beta trust model, so they modelled user’s behaviour as binary values; zero means bad, one means good. Then based on the Beta model, they would build up the expectation. So for the next behaviour, what is the probability of that to be a good one or a bad one, so that’s a model. Beyond that, there are also other models I will briefly mention, for example, the entropy-based model. So we consider if the user’s behaviour tends to be high entropy that is less predictable, then that cannot be trusted. If the user behaviour has a very low entropy, which means it’s highly predictable, then that can be a trustworthy user. So some of the models are like that. Another important thing is trust can actually dynamically change over time. So it’s just like a human world – when you know someone, but you haven’t seen him or her for a long time. Your experiences or observations about this person from ten years ago should not have a very high impact on today’s behaviour or your expectations. So over time, we should gradually forget the experience we had a long time ago and pay more attention to the most recent behaviours. That is another model we can consider. So there are many different models like that.”
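The Beta trust model, the entropy view, and the forgetting of old experience described in the answer above fit together in a few lines. This Python sketch is an added example, not code from the interview or from Dr. Liu's work; the uniform Beta(1, 1) prior, the exponential forgetting factor, the use of binary entropy on the predicted next behaviour, and the sample history are assumptions chosen for illustration.

```python
import math


class BetaTrust:
    """Beta trust over binary observations (1 = good, 0 = bad).

    Assumption: evidence is aged by an exponential forgetting factor each time
    a new observation arrives, so recent behaviour weighs more than old.
    """

    def __init__(self, forgetting=1.0):
        # forgetting = 1.0 keeps all history; smaller values fade it faster.
        if not 0.0 < forgetting <= 1.0:
            raise ValueError("forgetting must be in (0, 1]")
        self.forgetting = forgetting
        self.good = 0.0
        self.bad = 0.0

    def observe(self, outcome):
        if outcome not in (0, 1):
            raise ValueError("outcome must be 0 (bad) or 1 (good)")
        # Age the old evidence, then add the new observation.
        self.good = self.good * self.forgetting + outcome
        self.bad = self.bad * self.forgetting + (1 - outcome)

    def trust(self):
        """Expected probability that the next behaviour is good.

        This is the mean of Beta(good + 1, bad + 1), i.e. a uniform prior
        updated with the (aged) counts.
        """
        return (self.good + 1.0) / (self.good + self.bad + 2.0)

    def entropy(self):
        """Binary entropy (bits) of the predicted next behaviour.

        1.0 means maximally unpredictable; values near 0 mean predictable.
        The prior keeps trust() strictly inside (0, 1), so log2 is defined.
        """
        p = self.trust()
        return -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))


def score(history, forgetting=1.0):
    """Replay a history of 0/1 observations and return (trust, entropy)."""
    model = BetaTrust(forgetting)
    for outcome in history:
        model.observe(outcome)
    return model.trust(), model.entropy()


# Constructed history: an account behaves well 20 times, then badly 5 times
# (for instance after it has been compromised).
HISTORY = [1] * 20 + [0] * 5

if __name__ == "__main__":
    print("no forgetting :", score(HISTORY, forgetting=1.0))
    print("forgetting 0.8:", score(HISTORY, forgetting=0.8))
```

Without forgetting, the long good record keeps the account above 0.75 after five bad actions in a row; with a forgetting factor of 0.8, the same history drops it below 0.5.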

In implementing social network security and privacy, certain human-related challenges arise that are detrimental to the reputation of organisations focusing on social media platforms. The question below is asked because user interactions create susceptibility to inaccurate or biassed information that alters the perceptions of a mass majority:

  • Within your expertise of social network security and privacy, what are the major challenges you have encountered?

“I have worked on some different and specific problems including the online reputation system, online rating system where people may provide fake ratings or reviews to online products and services. I also work on social network communities where you impact social communities. Recently one of the wealth of major problems I worked on is the disinfo and misinfo problem. In this problem, you will see that human users are vulnerable to disinfo and misinformation and there’s a lot of different parties at the back end trying to push the propagation of the disinfo and misinfo. Different from the other multi-agent systems in the online social networks, we have a lot of human users and they make their decisions sometimes arbitrary, sometimes based on their own personality, and sometimes based on different social or psychological factors. It’s a very complex and dynamic system. How do we understand why as a human user you make such decisions? It’s quite challenging. So with only the technologies or tools from Computer Science and Engineering, that’s not sufficient. I actually started submitting my proposals by proposing my own solution to that, and the feedback I got was how can you model human users as static or symbols or some fixed model. That’s kind of impossible and infeasible, so I started to talk to colleagues from other disciplines, and then I realised actually the human factor has been studied a lot in other disciplines. For example Sociology, Psychology – there are experts focusing on the disinfo and misinformation domain. I started my collaboration with them and for example, I collaborated with a professor from a social psychology perspective. I try to understand now why people will participate in online trolling, and then how they perceive the emotion if the emotion change leads to different behaviours or not and if yes, why? We start from those mental works to specific problems now. We are making progress little by little. 

I also work with journalism, like another researcher who has a journalist background. For example, we study: ‘What is the ethics of the journalist? What should be their responsibility to address the problem?’ There are so many different angles I learned from all my other colleagues.”

Further inquiring on the challenges and the mastery of such challenges, it is determined that collaboration with various disciplines assists in resolving issues:

  • As a follow-up, how did you overcome the challenges, what were some lessons learned, and what advice would you give to your younger self?

“I think I touched on that a little bit, just talking to more people with different backgrounds. Another thing, I think my advice would be to keep your curiosity – do not just focus on your narrow specific problem, because that can make your mindset very narrow. You may be blind to all other fields, and talk to people. Get to know them, don’t limit yourself. I remember one thing I learned from a conference I participated in during my PhD. I learned the concept ‘never get a chance to practise’, now I start to remember that. They did a study on the general scientific research publications, and they figured out it’s interesting that it’s very difficult for researchers from different disciplines to collaborate. But, if they are able to collaborate, it can lead to very impactful research. That’s a lesson I learned. I believe this was a machine learning conference, and they used real data and applied machine learning models to tell what impactful research and they found this interesting pattern. That’s very impressive.”

IV. INTERNET-OF-THINGS CONTRIBUTION

Rogue IoT devices inhibit negative reactions from users when trust is improperly established. Research on trustworthiness in Internet-of-Things (IoT) devices – which combine embedded systems, applications, and cloud integration – is critical to initialising safe conduct for systems, compared to the malicious behaviours documented regarding IoT in the past. It is this research that enables users to perceive safety in IoT technologies:

  • Can you share with us the critical research occurring for Trustworthy Internet-of-Things (IoT)?

“Actually for today a lot of people, they consider the IoT from a very different angle I would say. Most people agree that IoT devices are relatively less power, resource constrained. But even for that concept, they have a different understanding. For example, someone may consider that compared to cloud computing, your desktop is an IoT device already. And also they may consider your mobile phone as an IoT device. For our research group, we mainly focus on a low power, low energy, resource constraint device, for example Google Home, Alexa, your smart home devices. Like lightbulbs – the smart light bulb. Those are very low power, they have a very limited resource. Because of that, it makes them vulnerable to security attacks. They don’t have much resources dedicated to security purposes. Also, there are so many different manufacturers – they are generating those devices, and they may use different chips, the hardware could be different, the firmware, the software, everything is different. And sometimes even the same IoT device may have a software provider from a different third party. So all of that makes the problem particularly complex; then it’s very challenging if not impossible to have a general solution to address all.

We have to work from different aspects to focus on a small problem to make progress. In our lab, we mainly focus on the smart home with very low, battery-based, resource constrained IoT devices. And then for that, say for example, we want to study the malicious traffic, the network traffic generated, and then those IoT devices may be vulnerable to security attacks. So we want to analyse what network traffic they have, they are sending out, or they are receiving, and see if we can differentiate that malicious traffic from the honest, ordinary traffic. The first problem we faced was that a lot of studies recently are using deep learning. But deep learning cannot be directly applied on those IoT resource embedded devices for sure. For us, we need to for example propose and talk to the domain experts, have the domain knowledge, develop the features that are specifically lightweight and feasible for those low resource IoT devices, and we need to develop the techniques with machine learning for very lightweight machine learning models that can be applied in those scenarios. So those are some of the challenges we are trying to address. Also, it’s important that your security solution be energy efficient, because those devices are battery-based and you don’t want them to just spend any percent of the battery on security purposes.”

The approaches utilised for the safety of IoT devices are crucial to consider when attempting mitigation of threats. As IoT devices are integrated with the cloud, governance of such approaches contains additional complexities. Such approaches are evaluated for assisting organisations in recommending tools for analysis of IoT traffic, adopting software updates, and incorporating components that secure the embedded system aspect of IoT:

  • What approaches can be utilised to enhance the safety of IoT?

“There are a lot but I would like to just emphasise a few. To connect to the previous question, I think green and lightweight beta analysis tools are important. Another one, recently some hardware companies are also making a lot of efforts to appeal to the security on the chip. For example, they can do a simple analysis on the hardware on the chip directly that makes the operation much more efficient and fast actually. Those are some techniques that we can consider.

Another aspect that we can consider is that IoT devices may be distributed all over the place. But the initial setting worked but over time their firmware or software may be out of date. They need to frequently keep them up to date, so that for example the older versions that have some vulnerabilities can be patched right, which is also very important.

I also think security sensors for the IoT manufacturers are very important. We often say, How badly a network system is secure enough really depends on the most vulnerable point of your system. So making sure you have a common extender way to protect the devices now would be very important.”

Directed towards the discipline of social good, IoT devices are investigated as measures for providing sustainable methods towards the environment. This utilisation of IoT is discussed as well as the research on community-based conservation for underrepresented populations:

  • Where is a substantive starting point for social good within IoT? How can we utilise IoT for water conservation, species conservation, etc.?

“I personally do not work on them, but I am aware that there are a lot of efforts trying to utilise IoT for social good, water conservation, species conservation that is mentioned in your question. An example though would be variable medical devices are developed to facilitate people with disabilities. For example with their vision, hearing and their moving, those devices can help them sense their surroundings and help them make decisions about what their next step would be more efficiently and accurately. That can sufficiently improve people’s quality of life.

I have a colleague that has developed an IoT-based flight monitoring system for the city of San Jose. At our university we have on the top of the building receivers that receive the signals and communicate with the IoT sensors we employed. This has been an interesting project.

I would like to mention an IEEE conference called IEEE Global Human Powering technology conference GHTC, my colleague has been involved in the conference for a few years. This year 2022 it will be at our University, Santa Clara University in September as the last year. That conference is an international conference which is focusing on bringing people together to work on the application of technology to address the critical issues of the benefit of the resource constraint and the vulnerable populations in the world. In previous years we have had some papers addressing such as water sanitation in African countries. These projects are very interesting.”

V. BLOCKCHAIN PREDICTION

As a habitual practice in the realm of internet culture, users establish transactions between themselves, other individuals, and e-commerce sites with cryptocurrency in blockchain technologies. Though this practice is in demand for users, the functionality of blockchain technologies contains a more comprehensive purpose for the future. With public-key infrastructure and the emergence of authenticated key exchanges in Internet Key Exchange (IKE) daemons for Bitcoin, we inquire about further predictions of blockchain technology as a gateway to the future of communication security:

  • What are your predictions on Blockchain for the future?

“For the past few years, we have seen rapid growth of blockchain techniques. Starting from the digital currency, cryptocurrency, Bitcoin, and nowadays blockchain has already been adopted in quite a few different fields. For example like decentralised defendants (defy) or used as decentralised game platforms with non-fungible tokens (NFT). So those are popular areas that blockchain has played important roles. Recently, there are some emerging application domains as well for blockchain. For example the DAO (decentralised autonomous organisations), you have probably heard about that. Traditionally when you have some fundings, it is typically a financial investment through a central party. But then there’s a lot of issues regarding transparency and organisation management, so as an investor you may not know how important decisions were made. Blockchain actually provides a public, open, and transparent way for you to verify what’s going on. That’s a very important and different tool from the existing technology. I can see blockchain in the future may be able to play an even more important role for an infrastructure, fundamental of computing infrastructure for many other applications as well, because it provides open structure and is decentralised.

Suppose everyone should be able to participate, and everything going on there can be publicly verifiable. I would imagine a concern as a trustworthy platform, and of course there are many challenges. Like the performance, throughput, scalability issue, and also the security issue as well. The recent hack of the LUNA digital currency led to the stock market dropping significantly. So starting from this stage I think cybersecurity attracts even more attention because for blockchain there’s a significant amount of finance work where money is involved. When security breaches occur it will be significant. Another thing is there are many digital cryptocurrencies in the world right now, but the problem is they never talk to each other. For example, at the beginning of this year there were more than eleven digital currencies available. So among them how do you choose the right one and the one that is most secure, and which one is not? It’s a very challenging question. Also, another important problem is they don’t talk to each other. They are kind of isolated, so the interoperability is another issue – how do you enable different currencies? For example, as a user you invest in multiple digital currencies. How can we convert one from the other? And this conversion or interoperability raises another challenge for security because they are heterogeneous. Some currencies may be more secure, some may not. While you allow this free flow then some less secure currency may actually bring even more security vulnerabilities to other currencies as well. There’s a lot of challenges ongoing and we need further development in the future.”

Intellectual property is a significant intangible source of ownership that affects how businesses, social constructs, and individuals such as artists are perceived. For example, a musician writes a song, publishes the song on a platform, and obtains an income from the song. If an attacker were to download and transmit the song to different parties, the musician would have issues with proprietorship and monetary loss. We make use of Dr. Liu’s experiences to discover how blockchain ledgers may assist in protecting intellectual property for content such as patents, music, or NFTs:

  • How can blockchain technologies be accountable for intellectual property?

“I am not particularly working on intellectual property, so I will try to explain from my own angle – it may not be complete. In my opinion, as we mentioned before, Blockchain can serve as a public ledger. It provides the whole complete history, trackable history, for any digital items. Then it may provide a way to protect the intellectual property, so that people can trace back to what’s a real original source so you cannot actually fake or manipulate the overall history. That’s my understanding, and another important thing is although Blockchain can be generally publicly verifiable, it doesn’t mean that everything in Blockchain is in plain text. We still can utilise the cryptographic-based algorithm protocols. For example, the zero-knowledge proof to provide privacy protection. So that users, although their data is unchanged, they don’t have to expose data to everyone.”
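The following Python sketch is an added illustration of the two properties described in the answer above, a traceable history and entries that are not stored in plain text; it is not code from the interview or from Dr. Liu's group. It assumes a single in-memory hash chain rather than a real blockchain with consensus, uses a salted HMAC commitment as a simpler stand-in for a zero-knowledge proof, and all names (`Ledger`, `commit`, `demo`) and sample values are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

def commit(content: bytes, salt: bytes) -> str:
    """Salted commitment: binds an entry to the work without publishing the work."""
    return hmac.new(salt, content, hashlib.sha256).hexdigest()

def entry_hash(entry: dict) -> str:
    body = [entry["index"], entry["prev"], entry["owner"], entry["commitment"]]
    return hashlib.sha256(json.dumps(body).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.entries = []

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def register(self, owner: str, commitment: str) -> int:
        entry = {"index": len(self.entries), "prev": self.head(),
                 "owner": owner, "commitment": commitment}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["index"]

    def first_bad_entry(self) -> int:
        """Index of the first entry that breaks the chain, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["index"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
                return i
            prev = e["hash"]
        return -1

    def find_claim(self, content: bytes, salt: bytes):
        """Locate a registration by opening its commitment with the salt."""
        wanted = commit(content, salt)
        for e in self.entries:
            if hmac.compare_digest(e["commitment"], wanted):
                return e
        return None

def demo() -> dict:
    song = b"constructed sample: lyrics and score bytes"
    ledger = Ledger()
    ledger.register("musician", commit(song, b"salt-A-constructed"))
    ledger.register("someone-else", commit(b"unrelated work", b"salt-B-constructed"))
    ledger.register("copycat", commit(song, b"salt-C-constructed"))
    witnessed_head = ledger.head()  # head hash other participants already hold

    original = ledger.find_claim(song, b"salt-A-constructed")
    copy = ledger.find_claim(song, b"salt-C-constructed")
    results = {"intact": ledger.first_bad_entry(),
               "original_first": original["index"] < copy["index"],
               "hidden_without_salt": ledger.find_claim(song, b"wrong-salt") is None}

    ledger.entries[0]["owner"] = "copycat"   # in-place edit of history
    results["edit_detected_at"] = ledger.first_bad_entry()

    prev = GENESIS                            # full rewrite: recompute every hash
    for e in ledger.entries:
        e["prev"] = prev
        e["hash"] = prev = entry_hash(e)
    results["rewrite_self_consistent"] = ledger.first_bad_entry() == -1
    results["rewrite_changes_head"] = ledger.head() != witnessed_head
    return results

if __name__ == "__main__":
    print(demo())
```

A full rewrite passes the local chain check, so detection depends on other parties holding the earlier head hash; that replication is what a decentralised ledger supplies and a single copy does not.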

VI. IMPACT

As a professor at Santa Clara University, Dr. Liu integrates her research and the topics discussed into certain courses and programs that prospective students may consider matriculating in. It is recommended that those interested in the topics discussed recognize this material to prepare for a security-related profession:

  • How are your research interests integrated into the courses you instruct?

“So at our university, we are teaching two courses relating to cybersecurity, and one is at the undergraduate level that’s an introductory class about computer and network security, and the other one is a lecture for the Masters and PhD students that is for trustworthy computing. For the introductory level undergraduate students, my goal is to help students get exposed to some general fundamental cybersecurity concepts and hopefully attract their interests to further pursue knowledge in the field. That’s what I consider interesting is the most important thing – helping students to start to dive into the field.

Since some of my research is a little far away from daily life and some of them are related closely to daily life, I use those daily life examples to help students understand what are those cybersecurity problems they may encounter every day. For example, the online social network – they use that daily; they share their photos, their videos, and talk to their friends all the time, so that actually makes them become more vulnerable to potential attacks about their privacy, and also they may be exposed to one of those most important things today, that is the disinformation and misinformation. They may even unintentionally participate in the propagation of some untrustworthy information. Those are in our everyday lives and I often use those examples to help students understand. Beyond that, we also have the hands-on projects closely connecting with theory part interviews in the lecture, so hopefully students through those experiments and those hands-on experiences can understand more about the practical aspect of security, because eventually, you have to be able to protect your system by yourself.”

Interested in the specific hands-on applications of the discussed topics, we inquire further on the importance of projects and trends compared to traditional exams for motivation:

  • How do you motivate students into pursuing these topics?

“I think this question is kind of connected with the previous question – I have mentioned that I motivate them through everyday life examples and also introduce them to hands-on labs and projects. Also, another course that I teach, the Trustworthy Computing, I know that recently students are very interested in machine learning AI, because that’s a really hot topic. So I do introduce a term project with data analysis, machine learning, and data mining as tools to help attract students’ interests, but the goal is to solve a cybersecurity problem. So for example I share some initial data sets with students regarding disinfo/misinfo, and they need to apply deep learning tools or machine learning tools to differentiate the trustworthy info from the malicious info. And through that process – I think students that can learn the concept and know that actually different domains or different tools can be combined to achieve one goal. So that’s how I motivate my students.”

Retrospective to the historical factors that have put forward how emerging technologies are developed, establishing a scenario in which Dr. Liu reflects on her experiences exhibits the evolution of security. Such evolution is critical in understanding the outlook of technology to come and the challenges associated:

  • If you have control over a time machine on Computing, where would you like to see yourself?

“As a trend in the cybersecurity field, I think many people working in the field have this observation. So whenever there is a new emerging technology, the first thing people are not sure about is cybersecurity. We can always start from the functionality, the performance of a system and that it works right. Security seems to be the very last thing to be considered. I think that has been very well demonstrated with the development of the internet, or the world wide web. When it started people had the assumption, not now but back then that all the commonalities participating in the communication that they could be trusted, which is not true.

But because of this initial assumption, it makes the performance, functionality of the networks develop very fast. That people adapted to the concept of the technology very fast, to the technology which is important. But it also caused some fundamental issues for security. Nowadays what we try to work on and address the vulnerabilities. But because that happens in the fundamental design, what we are doing now is just fixing a particular bug and fixing it, but then you may have other bugs as well where you cannot fundamentally fix the problem. Possibly with the new architecture and new systems maybe people will learn the lesson and try to design the security from the very beginning. It turns out that we have more opportunities, for example today’s blockchain. It may not be the case. People pay a lot of attention to the vulnerabilities and performance of blockchain, but the fundamental security problem you have to measure it out and when people talk about blockchain we can wait for a better time to handle security problems that again occur. That seems to be a dilemma I would say.”

VII. CONCLUSION

In conclusion, the interview is aimed toward principles in security and application of such principles for modernised technology. Highlighting the expertise of Dr. Yuhong Liu, the team believes addressing these principles will serve as guidance to security best practices for the future. The interview is then determined to provide confidence in cyber-related fundamentals regarding industry and academic areas.

 

 Authors

Gobi Ramasamy is from Bengaluru, Karnataka, India. He has earned his PhD and M.Phil in Computer Science from Bharathidasan University, Tamil Nadu, India, and MCA in Computer Applications from Anna University, Tamil Nadu, India.
Gobi is a professor at Christ University, Bangalore and faculty advisor for Christ University Google Developer Student Clubs. His work includes serving as a research advisor for data learning approaches in the pharmaceutical industry, serving as a placement coordinator for career counselling, and contributing to the patenting of fingerprint-based authentication models for SIM cards. He is a member of IEEE and serves as a member of the Christ University Infrastructure and Learning Resources on Strategic Plan.

 

Clara Kellermann-Bryant is from Denver, Colorado, USA and has obtained her BS in Computer Science from Southern New Hampshire University, Manchester, NH. She is currently pursuing her MS in Cybersecurity from Southern New Hampshire University at the time of this publication.
She has been working on combined security awareness with coding best practices, malware analysis, and incident response management techniques. She is a member of the IEEE Computer Society, IEEE Computer Society Technical Community on Cybersecurity, and IEEE Communications Society.

Imtisal Ahmad is from Alberta, Canada and has earned her BE in Computer Engineering from the University of Alberta.
She currently works as a Technology Specialist at the Telus Corporation and has previous experience in UX development. She is a member of IEEE and is the Women in Engineering Chair of the Northern Canada Section.