Prasad Calyam is an associate professor in the Department of Electrical Engineering and Computer Science at the University of Missouri-Columbia. He is the Director of the Cyber Education, Research and Infrastructure Center (Mizzou CERI) and Robert H. Buescher Faculty Fellow in the MU College of Engineering.
He is also a core faculty in the University of Missouri Informatics and Data Science Institute (MUII). His research and development areas of interest include: Distributed and Cloud Computing, Cyber Security, Computer Networking, Networked-Multimedia Applications, and Advanced Cyberinfrastructure. He enjoys working with students in the Virtualization, Multimedia, and Networking (VIMAN) Lab.
Prasad Calyam obtained his MS and Ph.D. degrees from Ohio State University and BE from Bangalore University. Before coming to MU in 2013, he was a Research Director at Ohio Supercomputer Center/OARnet, The Ohio State University. Faculty profile
Key takeaways from the interview
- Research focus: His current projects include NSF-funded research on aligning performance and security in data management and investigating security, privacy, and safety in virtual reality learning environments.
- Mizzou cyber range: Funded by the NSA, this project aims to provide a training ground for red and blue cyber defense teams, using an approach called “cyber defense by pretense” to develop effective defense strategies.
- Cyber education, research and infrastructure center: As Director of Mizzou CERI, Calyam leads efforts in fostering cyber-infrastructure innovations and collaborates in areas like Big Data Analytics and Smart Cities.
- Industry-academia collaboration: Calyam highlights the importance of aligning educational programs with industry needs, reflected in the creation of an industry advisory board and focus on providing students with relevant skills.
- Future of cybersecurity: Calyam anticipates a diverse future for cybersecurity with new applications in virtual and augmented reality, necessitating intelligent cyber defense strategies and collaborative efforts for effective security.
How did you first become interested in cybersecurity? How did that come about for you?
I did my Ph.D. at Ohio State and worked at the Ohio Supercomputer Center in the early 2000s. My job early on was a systems development engineer, and later I became a research engineer and got promoted to a research director position. We were building systems that would work on big networks, fat pipes, and large supercomputers.
As we focused on big file transfers, primarily for file transfers and video conferencing applications, we identified unique security problems. In those days, many of the existing firewalls would stop video conferencing because it would use all kinds of ports dynamically.
When you’re doing lots of file transfers, you need to monitor the network performance closely to identify bottlenecks. Sometimes the bottlenecks would correspond to cybersecurity incidents that caused issues with people being able to move their data around.
We focused on monitoring and data analytics to figure out how to configure firewalls and how to understand anomalous events in networks. This work led to my initial interest in cybersecurity.
My Ph.D. research was on performance engineering, but every time I would do something with performance, security would become an issue. In more recent years, I’ve been doing more deliberate security research.
That fits nicely into my next question. What security research are you working on that you can tell us about?
At the University of Missouri, I have three projects going on right now with my Ph.D. students. One project is going back to this notion of moving a lot of data, especially if you are doing bioinformatics or doing video processing. You might be moving lots of data between different cloud providers and are sharing the data with different kinds of stakeholders.
We are working on a National Science Foundation (NSF) project to look at how to align performance and security across an application’s data management life cycle.
For example, if I collect data from one provider and take the data to another provider, that second provider might have a different security policy set. My security requirements might not align with the provider’s policies. We have found a way to formalize the security requirements of users as well as the policies of the providers. We can broker the ideal performance and security.
So, for example, we had a bioinformatics workflow for one of the researchers. They wanted to have certain security requirements, and they had a performance requirement too. So we were able to say, “if you run it in Site A, it’s ideal for your performance requirement. If you run it in Site B, it’s ideal for your security requirements. But hey, look at Site C, it’s going to give you the best of both worlds.”
The second project we’re doing, which is also funded by NSF, is looking at security, privacy, and safety risk assessment for virtual reality learning environment applications. We’ve been doing this for three years, and it’s more important now than ever.
There are limited prior works that explored attack vulnerability in VR technology. So there is a need for systematic frameworks to quantify risks corresponding to security, privacy, and safety threats. These threats can adversely impact the educational user experience and hinder the delivery of VR content.
We built our system for people who work in special education, for example, kids who have autism spectrum disorder and have remote instructors. In the old world, everybody had to be in the same room. And that’s not ideal, especially if you are talking about rural communities. Not everybody has access to expertise physically everywhere.
A virtual learning environment is ideal; you can connect instructors and students in remote places and work together using these virtual reality learning environment systems. We worked with the College of Education, and we are building different sorts of virtual reality-based learning modules that feature game-based learning for these kids.
A VR platform for developing a learning curriculum has new security vulnerabilities. There are risks of causing cybersickness if the bandwidth is not configured correctly. Or you can have all the regular attacks that can happen to any web-based application, such as people eavesdropping. We have shown that you could have a range of attacks where you can mislead people and make them run into walls.
We have several papers that students are publishing looking at how to make these virtual reality environments more secure and be more privacy-preserving. We want to ensure there are no discrepancies in the system that could cause users to be injured or feel undesired cybersickness levels. And in our latest project, we’re building what’s called Mizzou Cyber Range. The National Security Agency (NSA) funds this project.
We’re essentially building a training ground for red teams and blue teams. Our cyber defense training is called cyber defense by pretense. It is based on how to use pretense to teach and learn about cybersecurity. Our platform is called Dolus – a Greek word for the spirit of trickery. I’m using the Mizzou Cyber Range in my Cyber Defense Course this semester.
We show how you can learn about offense and defense and think about how you can trick an attacker into feeling that the attack is succeeding. Then you take some precautions, and you clear the pretense so that the attacker still thinks that he has complete control and you have not found the attack yet. In doing that, you buy time before the pretense is given away. At some point, the attacker will know, “Hey, this is not a real one.”
By the time the attacker can figure out the pretense, we develop a more effective defense strategy, or we bring in a cooperative defense and bring other people in and come up with some policies to defeat the attack collectively.
That’s fascinating. Talk to us about the Cyber Education, Research and Infrastructure Center, for which you are the Director.
The Cyber Education, Research and Infrastructure Center (Mizzou CERI) aims to foster cyber-infrastructure innovations that benefit our society. The initiative supports our multi-disciplinary collaborations in Big Data Analytics, Smart Cities, Cybersecurity, and Smart Materials.
About 33 faculty have been opted into the center to do different kinds of research. We are an NSA-designated Center for Academic Excellence (CAE) and have a full-time faculty of staff helping people with their cyber needs.
When students come into your program, what kinds of things are they interested in learning?
I teach cloud computing, networking, and cybersecurity, so many students come to my classes primarily interested in cloud technology and networking. They understand that they need to have a grasp on the basics of cybersecurity as well.
Cybersecurity’s skills gap pushes students to learn more about this topic, even if it is not their primary interest. They know they will be expected to understand security – everyone is.
The employment and research opportunities in cloud and cybersecurity have enticed many students to focus on these areas for their master’s and Ph.D. programs.
Our labs and our courses have a lot of hands-on components to them. For example, in my cyber defense course, there are eight labs. In my cloud computing, we have six labs, and both courses have projects. And those projects resolve cutting-edge problems relating to emerging applications in healthcare, finance, education, and manufacturing.
Thinking about your undergrad students, do you find that they come to your program with a realistic understanding of what it means to work in cybersecurity? Or, have they seen too many episodes of CSI and expect that the work will all be about solving crimes using a 3-D graphical interface?
Yes, we see some students with unrealistic expectations, but we have a mechanism for managing the first impression for new students in our computing association. We encourage new students to attend cyber competitions. We do very well at these competitions, and new students can quickly learn what cybersecurity work is all about. They get very excited about it and look forward to competing themselves.
Do you feel that industry and academia are focused on cybersecurity as much as they need to be?
That’s a great question. In the last two years, I have had several CSOs from major companies reach out to understand what we teach in our cybersecurity courses. They are interested in knowing what our students are learning and giving their suggestions as well.
We listen to what they say. That’s one reason we have invested so much in personnel and resources for the Mizzou CERI Center. There has been so much interest that we have set up a new industry advisory board. Our first meeting will be in February.
Many of the industry representatives attend hiring expos and are not finding people with the skills they need. They are working with us so we can ensure our students get the most relevant education.
If you put a reading list together for someone trying to decide if cybersecurity is the right path for them, what books, blogs, papers, or lectures would be on that list?
We actually have a Hacker Tracker Cyber Security Workshop Camp for high school students. This year the four-day-long camp gave high school students training and development in Python coding and cybersecurity before turning them loose to put together a group project and presentation in front of other Mizzou camp participants.
Each year has a different focus area related to cybersecurity, with this year’s event dealing with defending online gaming companies against cyber attacks.
There are also a couple of TED Talks that I show my students each year.
● Fighting viruses, defending the net
● Everyday cybercrime – and what you can do about it
The wargames offered by the OverTheWire community can help new students learn and practice security concepts. It’s done in the form of games, so they love it.
The Verizon Data Breach Investigations Report (DBIR) is a good source for what’s going on with cybersecurity.
I like Cyber Defense Magazine.
And I’m using an excellent book, Computer and Internet Security by Wenliang Du that I recommend.
My last question requires that you dust off your crystal ball and tell us what you see in the future. As it relates to cybersecurity, what kinds of things do you anticipate?
I believe the future will be very diverse in the sense that technology will allow us to do so many things. The question is, of course, how secure will these options be?
There will be new applications that help us in virtual reality, augmented reality environments, and applications we can’t even imagine now. We must prepare now to defend these new technologies.
Cyber defense will need to be more intelligent in the future as we learn to understand the behavior of the various attackers we will face. We need to teach active defensive strategies, like the cyber defense by pretense we discussed earlier.
It will also take new levels of collaboration cooperation to defend against attacks in the future. There will be new ways in which people will share data and build trust to work on defense cooperatively.
That sounds like a promising future. Thank you so much. This conversation has been fascinating to me. I have enjoyed this, so thank you. I appreciate your time.