Research Projects
Control System Security: This project investigates
security issues in control systems that are part of a critical
infrastructure. We are currently working on a domain-specific
language to specify "policy compliance monitors" during control
system operations. In addition, we are investigating control
system honeynets to provide virtual testbeds for control systems
that cannot be pen tested.
Integrated Software Assurance Tools Environment: The
identification, enhancement and development of software
assurance tools. This project explores the current automation
tools available to analyze software dependability properties and
attempts to correlate their results for meaningful analysis.
Regulatory Requirements-driven Risk Assessment: Security
breaches most often occur due to a cascading effect of failure
among security constraints that collectively address risk in a
socio-technical environment. Therefore, while assessing risk
during software system certification activities, analysts must
systematically take into account the nexus of causal chains that
exist among security constraints imposed by regulatory security
requirements. Numerous regulatory requirements specified in
natural language documents or listed in spreadsheets/databases
do not facilitate such analysis. Moreover, a mere checklist of
requirements most certainly fails to consider the
interdependencies among them in the system context, their
cross-cutting impact across several system properties, and the
understanding of risk in terms of their compliance level.
Our current research outlines a step-wise methodology to
discover and understand the multi-dimensional correlations among
regulatory requirements for the purpose of risk assessment. Our
lattice algebraic computational model helps estimate the
collective adequacy of diverse security constraints imposed by
regulatory requirements and their interdependencies with each
other to address risks in a bounded scenario of investigation.
Abstractions and visual metaphors combine human intuition with
metrics available from the methodology to improve the
understanding of risks. In addition, a problem domain ontology
that classifies and categorizes regulatory requirements from
multiple dimensions of a socio-technical environment promotes a
common understanding among stakeholders during risk assessment.

Security Aspects in Service Oriented Architectures (SOA):
Exploring the possibilities to separate cross-cutting concerns
related to access control, logging, and business process. These
are all important cross-cutting concerns while composing an
application based on SOA.
Certification and Accreditation in a Net-Centric Environment:
A net-centric environment requires faster access to current C&A
information, at a reduced cost, and delivered simultaneously to
a variety of devices in different locations. In this project we
explore the challenges with C&A in a net-centric and dynamic
environment.
Vulnerability Models: Current semantic web technologies
allow representing and modeling rich information which can
support complex problem solving. In this project we investigate
the use of an interconnected web of information about common
vulnerabilities to provide insights on possible attack vectors
in a given system operational context.
Structured compliance requirements: In this research we
tackle the challenging problem of formalizing the specification
of regulatory software security requirements. We follow a
scenario-driven approach, where a sequence of activities
performed by the software system is modeled and then tested
using automated verification techniques to prove that the
mandated security properties are preserved in the early system
conceptualization