Irfan Ahmed, Ph.D.

Professor, VCU College of Engineering

  • Richmond VA

Dr. Ahmed's research interests are broadly in cybersecurity, currently focusing on digital forensics, malware, and cyber-physical systems.

Spotlight

Researchers fight cybercrime with new digital forensic tools and techniques

Irfan Ahmed, Ph.D., associate professor of computer science, provides digital forensic tools — and the knowledge to use them — to the good guys fighting the never-ending cyber-security war.

Ahmed is director of the Security and Forensics Engineering (SAFE) Lab within the Department of Computer Science and VCU Engineering. He leads a pair of interrelated projects funded by the U.S. Department of Homeland Security (DHS) aimed at keeping important industrial systems safe from the bad guys — and shows the same tools crafted for investigating cyber attacks can be used to probe other crimes.

The goal of cyber attacks on physical infrastructure may be to cause chaos by disrupting systems and/or to hold systems for ransom. The SAFE lab focuses on protecting industrial control systems used in the operation of nuclear plants, dams, electricity delivery systems and a wide range of other elements of critical infrastructure in the U.S. The problem isn’t new: In 2010, the Stuxnet computer worm targeted centrifuges at Iranian nuclear facilities before getting loose and infecting “innocent” computers around the world.

Cyber attacks often target a portion of the software architecture known as the control logic. Control logic is vulnerable in that one of its functions is to receive instructions from the user and hand them off to be executed by a programmable logic controller. For instance, the control logic monitoring a natural gas pipeline might be programmed to open a valve if the system detects pressure getting too high. Programmers can modify the control logic — but so can attackers.

One of Ahmed’s DHS-supported projects, called “Digital Forensic Tools and Techniques for Investigating Control Logic Attacks in Industrial Control Systems,” allows him to craft devices and techniques that cyber detectives can use in their investigations of attacks on sensitive critical infrastructure.
The capability to investigate such attacks, he explains, is an under-researched area, as most of the emphasis to date has been on the prevention and detection of cyber attacks.

“The best scenario is to prevent the attacks on industrial systems,” Ahmed said. “But if an attack does happen, then what? This is where we try to fill the gap at VCU. And the knowledge that we gain in a cyber attack investigation can further help us to detect or even prevent similar attacks.”

In the cat-and-mouse world of cyber security, the way cybercriminals work is in constant evolution, and Ahmed’s SAFE lab pays close attention to the latest developments by malefactors. For instance, an attacker may go for a more subtle approach than modifying the original control logic. An attack method called return-oriented programming sees the malefactor using the existing control logic code, but artfully switching the execution sequence of the code. Other attackers might insert their malware into another area of the controller, programmed to run undetected until it can replace the function of the original control logic. Attackers are always coming up with new methods, but each attack leaves evidence behind.

The SAFE lab examines possible attack scenarios through simulations. Scale models of physical systems, including an elevator and a belt conveyor system, are housed at the SAFE lab to help facilitate this. The elevator is a four-floor model with inside and outside buttons feeding into a programmable logic controller. The conveyor belt is more advanced, equipped with inductive, capacitive and photoelectric sensors and able to sort objects.

The tools and methods applied in cybercrime can be useful in tracking down other malefactors. That’s where Ahmed’s second DHS-funded project comes in.
It’s called “Data Science-integrated Experiential Digital Forensics Training based-on Real-world Case Studies of Cybercrime Artifacts.” Ahmed is the principal investigator, working with co-PI Kostadin Damevski, Ph.D., associate professor of computer science. The goal is to keep law enforcement personnel abreast of the latest trends in the field of cybercrime investigation and to equip them with the latest tools and techniques, including those developed in the SAFE lab.

“For example, investigators often have to go through thousands of images, or emails or chats, looking for something very specific,” Ahmed said. “We believe the right data science tools can help them to narrow down that search.”

The FBI and other law enforcement agencies already have dedicated cybersleuthing units; the Virginia State Police have a computer evidence recovery section in Richmond. Ahmed and Damevski are arranging sessions showing investigators how techniques from data science and machine learning can make investigations more efficient by sorting through the mounds of digital evidence that increasingly is a feature of modern crime.

Irfan Ahmed, Ph.D.; Kostadin Damevski, Ph.D.

Research team aims to enhance security of medical devices

Tamer Nadeem, Ph.D., the principal investigator of the VCU-based MedKnights project, explained that the project’s focus is on the Internet of Medical Things (IoMT). Nadeem and co-PI Irfan Ahmed, Ph.D., both associate professors in the VCU College of Engineering Department of Computer Science, recently received $600,000 from the NSF’s Office of Advanced Cyberinfrastructure to put together a framework to improve IoMT security.

IoMT devices are used in a range of diagnostic, monitoring and therapeutic applications. IoMT includes patient monitors, ventilators, MRI machines — even “smart beds.” Ahmed cited the internet-connected insulin pump as a good example of an IoMT device. Internet connectivity allows for both monitoring and adjusting the dosage remotely — functions that require a high degree of security for patient privacy as well as safety.

All IoMT devices are potentially vulnerable to ransomware, denial of service and other malicious hacker attacks. Nadeem points out that IoMT devices have a higher security requirement than traditional IoT devices such as smart doorbells and smart thermostats in homes.

“The most important thing in the medical domain is privacy,” Nadeem said. “For IoT devices in your home, you wouldn’t care that much about privacy, but for medical devices, it is an essential thing. You wouldn’t want anyone to know what your health conditions are, or what problems you might have had.”

The work of the MedKnights group is important, as the IoMT domain is expanding; there is growth in terms of types of devices, number of patients using them and number of IoMT vendors. Nadeem added that the COVID pandemic and accompanying quarantine and stay-home orders increased the focus of medical-technology providers on the possibilities of IoMT.
“Talking to some of the medical-device providers, I’ve learned that they are considering a line of products where they can remotely monitor patients on those devices, and they also can configure those devices remotely,” Nadeem said.

Security is a large concern for the new generation of devices, because the current IoMT devices have been hit hard by hackers, he said. Security is an issue that extends from the individual patient to the institution.

“Statistics show there are a lot of ransom attacks being done on the health sectors during the pandemic,” Nadeem said. “That motivated us.”

The MedKnights team’s preparation for taking on the dragon of malicious IoMT attacks includes building a “test bed,” an isolated hardware/software assembly that Nadeem says will mimic the internet-enabled hospital setting.

“In the hospital environment, there’s a set of rooms. Each room has a lot of medical devices; they could be wired, or they could be wireless devices,” he said. “But there is no way that we can do what we want to do in a hospital.”

The test bed will incorporate IoMT datasets based on typical device behavior, traffic and known malicious attacks. Nadeem explained that MedKnights will explore vulnerabilities of various IoMT hardware and software by subjecting the elements of the IoMT test bed to a range of attacks.

“We will try to see in real time how efficient our technologies are to monitor or detect these attacks, then try to intervene if we notice any change in the activities on the network,” he said. “Now, if the attacks manage to get into the device, we would like to also start to see whether we can monitor these devices and observe abnormality or any misbehavior.”

Nadeem said the next step is to isolate the source of fishy activity in the test bed network and begin to reverse-engineer the malware. He explained the group will work on understanding the question by looking for the “hole” that created the vulnerability.
Ahmed said the MedKnights will bring undergraduates into the project through DURI, the Dean’s Undergraduate Research Initiative at the VCU College of Engineering. High school students will have an opportunity to join the team through a similar program known as the Dean’s Early Research Initiative, or DERI. DURI and DERI are just two ways of getting younger scientists and engineers involved in actual research.

“For the last couple of years, I’ve been contacted by local high schools to host a couple of their students during the summer,” Nadeem added. “The students were really excited about it. We came up with some nice ideas about how to extend that work to their classrooms. As we continue this project, we will reach out to the schools, because we would love having a couple of their students involved.”

Irfan Ahmed, Ph.D.; Tamer Nadeem, Ph.D.

Areas of Expertise

Digital Forensics
Malware
Cyber-physical Systems Security
System Security
Cybersecurity Education