List of works
Conference proceeding
CyberAI: Knowledge Area Frameworks for Cybersecurity Programs in the Age of Artificial Intelligence
Published 11/06/2025
Proceedings of the 26th ACM Annual Conference on Cybersecurity & Information Technology Education, 24 - 28
Annual ACM Conference on Cybersecurity and Information Technology Education: ACM SIGCITE 2025, 11/06/2025–11/08/2025, Sacramento, California, USA
The CyberAI Programs of Study (PoS) represent a pioneering step in integrating Artificial Intelligence (AI) with cybersecurity education. Sponsored by the U.S. National Science Foundation (NSF) and developed in collaboration with the U.S. National Security Agency's (NSA) National Centers of Academic Excellence in Cybersecurity (NCAE-C), the CyberAI initiative (www.towson.edu/cyberai) aims to produce a workforce adept in both cybersecurity skills and AI competencies. This paper presents the knowledge areas produced in collaboration with 200+ individuals, with two distinct programs of study – SecureAI, securing the lifecycle of AI, and AICyber – using AI tools and techniques in cybersecurity. A review highlighting the evolution of cybersecurity educational standards and the growing necessity of interdisciplinary AI integration in higher education is presented. Further, this paper outlines the development and validation processes for new Knowledge Units (KUs) supporting these programs, presents findings from pilot implementations, and discusses a validation framework aligned with the U.S. National Institute of Standards and Technology (NIST) NICE Framework and the U.S. DoD Cyber Workforce Framework (DCWF) standards.
Conference proceeding
Published 10/06/2025
MILCOM 2025 - 2025 IEEE Military Communications Conference (MILCOM)
IEEE Military Communications Conference (MILCOM), 10/06/2025–10/10/2025, Los Angeles, California, USA
Backdoor attacks pose a critical threat by embedding hidden triggers into inputs, causing models to misclassify them into adversary-chosen target labels. While extensive research has focused on mitigating these attacks in object recognition models through weight fine-tuning and other reactive strategies, much less attention has been given to detecting backdoored samples directly. Given the vast datasets used in training models, manual inspection for backdoor triggers is impractical, and even state-of-the-art defense mechanisms fail to fully neutralize their impact. To address this gap, we introduce a groundbreaking method to detect unseen backdoored images during both training and inference. Leveraging the transformative success of prompt tuning in Vision Language Models (VLMs), our approach trains learnable text prompts to differentiate clean images from those with hidden backdoor triggers. Comprehensive experiments on CIFAR-10 and GTSRB covering six diverse attack families demonstrate the robustness of our detector. When exposed to unseen backdoor threats, the learned prompts achieve an average 86% accuracy at distinguishing previously unseen backdoor images from clean ones, outperforming baselines by up to 30 percentage points. These results establish prompt-tuned VLMs as an effective first line of defense against backdoor threats. Code and datasets will be available.
Conference proceeding
A Novel Approach to Fine-tune BERT using Non-Text Features for Enhanced Ransomware Detection
Published 09/06/2025
2025 3rd International Conference on Artificial Intelligence, Blockchain, and Internet of Things (AIBThings) September 06 – 07, 2025 Michigan, USA CONFERENCE PROCEEDINGS
International Conference on Artificial Intelligence, Blockchain, and Internet of Things (AIBThings), 09/06/2025–09/07/2025, Mt Pleasant, Michigan, USA
The growing complexity and volume of ransomware attacks demand advanced detection techniques that can effectively model dependencies within high-dimensional data. Traditional machine learning methods often struggle to capture nuanced relationships among features in such cybersecurity datasets. To address this problem, we propose a novel technique that transforms structured, non-linguistic data into descriptive natural language formats. This conversion facilitates the tailored refinement of a Bidirectional Encoder Representations from Transformers (BERT) architecture with optimized parameters. By leveraging BERT's multi-head self-attention mechanism, our method embeds non-textual ransomware data into semantic textual data so that multi-heads can make relationships and dependencies of tokens in different perspectives to transform instances to comprehensive latent representations where interfeature dependencies are effectively present. This allows BERT to understand contextual relevance among tokens, leading to superior classification performance. Our evaluation demonstrates that the resulting model shows dominant performance, surpassing other advanced solutions, achieving a classification accuracy of 99.21%, surpassing ensemble models (99.0%) and LSTM-based approaches (98.5%). The important finding of this novel approach is that one-third of the data points have been used to outperform other existing works. It highlights its potential and adaptability in cybersecurity domains whenever a text dataset is absent to use the natural language context for the model.
Conference proceeding
On the Design and Visualization of Connected Vehicle Security Metrics
Published 04/16/2025
Proceedings of the Third International Conference on Advances in Computing Research (ACR’25), 1346, 358 - 374
International Conference on Advances in Computing Research (ACR’25)
The rapid advancement of connected and autonomous vehicles created new challenges for security and safety professionals. The sophistication of vehicle communication systems, located externally and internally, provides an added complexity to the issue. In security parlance, this is an expansion of the attack surface on vehicles. These challenges prompted the enhancement of existing and the development of new safety and security standards initiated by government, industry, and trade organizations. These initiatives clearly underscore the need to examine the state of connected vehicle security and develop effective security metrics. As a major component of continuous improvement, quantitative and qualitative measures must be devised to be able to make a full appreciation of the process. This paper builds upon previous research on connected vehicle security metrics, offers new metrics, and proposes visualization systems to enhance their utilization.
Conference proceeding
Towards Novel Malicious Packet Recognition: A Few-Shot Learning Approach
Published 10/28/2024
MILCOM IEEE Military Communications Conference, 847 - 852
MILCOM 2024: IEEE Military Communications Conference, 10/28/2024–11/01/2024, Washington, District of Columbia (DC), USA
As the complexity and connectivity of networks increase, the need for novel malware detection approaches becomes imperative. Traditional security defenses are becoming less effective against the advanced tactics of today's cyberattacks. Deep Packet Inspection (DPI) has emerged as a key technology in strengthening network security, offering detailed analysis of network traffic that goes beyond simple metadata analysis. DPI examines not only the packet headers but also the payload content within, offering a thorough insight into the data traversing the network. This study proposes a novel approach that leverages a large language model (LLM) and few-shot learning to accurately recognize novel, unseen malware types with few labeled samples. Our proposed approach uses a pretrained LLM on known malware types to extract the embeddings from packets. The embeddings are then used alongside a few labeled samples of an unseen malware type. This technique is designed to acclimate the model to different malware representations, further enabling it to generate robust embeddings for each of the trained and unseen classes. Following the extraction of embeddings from the LLM, few-shot learning is utilized to enhance performance with minimal labeled data. Our evaluation, which utilized two renowned datasets, focused on identifying malware types within network traffic and Internet of Things (IoT) environments. Our approach shows promising results with an average accuracy of 86.35% and F1-Score of 86.40% on different malware types across the two datasets.
Conference proceeding
A Transformer-Based Framework for Payload Malware Detection and Classification
Published 05/29/2024
2024 IEEE World AI IoT Congress (AIIoT), 105 - 111
IEEE World AI IoT Congress (AIIoT), 05/29/2024–05/31/2024, Seattle, Washington, USA
As malicious cyber threats become more sophisticated in breaching computer networks, the need for effective intrusion detection systems (IDSs) becomes crucial. Techniques such as Deep Packet Inspection (DPI) have been introduced to allow IDSs to analyze the content of network packets, providing more context for identifying potential threats. IDSs traditionally rely on using anomaly-based and signature-based detection techniques to detect unrecognized and suspicious activity. Deep learning techniques have shown great potential in DPI for IDSs due to their efficiency in learning intricate patterns from the packet content being transmitted through the network. In this paper, we propose an accurate DPI algorithm based on transformers adapted for the purpose of detecting malicious traffic with a classifier head. Transformers learn the complex content of sequence data and generalize them well to similar scenarios thanks to their self-attention mechanism. Our proposed method uses the raw payload bytes that represent the packet contents and is deployed as man-in-the-middle. The payload bytes are used to detect malicious packets and classify their types. Experimental results on the UNSW-NB15 and CIC-IOT23 datasets demonstrate that our transformer-based model is effective in distinguishing malicious from benign traffic in the test dataset, attaining an average accuracy of 79% using binary classification and 72% on the multi-classification experiment, both using solely payload bytes.
Conference proceeding
Open Platform Infrastructure for Industrial Control Systems Security
Published 03/2024
Proceedings of the Second International Conference on Advances in Computing Research (ACR’24), 233 - 243
International Conference on Advances in Computing Research (ACR’24), 06/03/2024–06/05/2024, IE University, Madrid, Spain
The introduction of Docker containers ushered in the emergence of microservices to facilitate efficient ways to deploy and manage containerized applications. Digital Twins in Industrial Control Systems (ICS) have enabled advances in the test and evaluation of those systems in a low-cost and non-disruptive manner. In this paper, we present our work on advancing the security of Industrial Control Systems through a four-pronged approach: i) provide a safe training infrastructure for ICS security; ii) present an effective avenue for ICS security testing without operational disruption; iii) implement ICS digital twins to enable ICS security training; and iv) facilitate the design, implementation, and evaluation of ICS security tools. To realize these objectives, we propose the utilization of Open Platform Infrastructure (OPI) with Docker technologies to deploy virtualized Programmable Logic Controllers (PLCs), also known as softPLC, and Human Machine Interfaces (HMIs) that can emulate or act as digital twins of ICS. Further, we describe several Docker containers instantiated from Dockerfiles to emulate typical Information Technology (IT) and Operation Technology (OT) networks to illustrate the viability and affordability of such implementations for teaching, learning, and testing of ICS security.
Conference proceeding
Vehicle Controller Area Network Inspection Using Recurrent Neural Networks
Published 2023
Proceedings of the 2023 International Conference on Advances in Computing Research (ACR’23), 494 - 499
First International Conference on Advances in Computing Research (ACR 2023), 05/08/2023–05/10/2023, Orlando, Florida, USA
The increasing connectivity in vehicles brings the potential for cyber-attacks, which can result in safety hazards or vehicle malfunctioning. Therefore, it is crucial to develop novel methods that can protect the vehicular network from malicious actors. In this paper, we propose a method of utilizing PCAP (Packet Capture) payloads extracted from the Controller Area Network (CAN) of a sample vehicle dataset, and applying a Recurrent Neural Network (RNN) to detect malicious or benign activity in the dataset. The process converts the extracted hexadecimal values of the payload to tensors, which are labeled as either malicious or benign. The tensors are then passed through a neural network to produce the outputs. Our method was shown to detect 78% of all packets within the dataset, which indicated its effectiveness in identifying cyberattacks in vehicular networks. This approach can eventually be applied to real-world scenarios, where the detection and prevention of malicious activity can make vehicles more secure.
Conference proceeding
Stackable Cybersecurity Pathway Credentials Through Digital Badging
Date presented 07/2021
Proceedings of the 17th International Conference on Frontiers in Education: Computer Science and Computer Engineering
FECS'21 - World Congress in Computer Science, Computer Engineering & Applied Computing (CSCE), 07/26/2021–07/29/2021, Las Vegas, Nevada, USA
The critical need to fill the cybersecurity workforce gap is a pressing national issue that requires immediate action. Accelerating cybersecurity workforce development through reskilling and upskilling of workers can be a pragmatic means of resolving this issue. This action, supported by verifiable and digital records through a stackable credentialing system, presents a viable model of workforce shortage solution, not only for cybersecurity but also for other careers as well. This paper is an exposition of our on-going project on Cybersecurity workforce development through upskilling and reskilling efforts enhanced with digital and stackable credentials.
Conference proceeding
Vehicle Security Learning Tools and Scenarios
Published 12/2020
2020 International Conference on Computational Science and Computational Intelligence (CSCI), 88 - 92
International Conference on Computational Science and Computational Intelligence (CSCI), 12/16/2020–12/18/2020, Las Vegas, Nevada, USA
The rapid pace with which connected and autonomous vehicles are evolving presents security challenges that are prevalent in communication technologies. Although it is universally accepted that tremendous benefits can be derived from this emerging technology, we need to make sure that this critical infrastructure is secured and protected. Recent attacks on vehicle networks have validated the urgent need for a robust and sustained effort to stem the tide of these debilitating incursions. Our ever-increasing dependence on this type of transport system brings us to new crossroads and challenges that are confronting our economic security, privacy protection, and well-being. One major challenge is the education and training of the current and future workforce in this emerging technology. This paper explores key curriculum issues in securing modern automobiles, including the essential tools necessary to implement meaningful hands-on laboratory experiments and learning scenarios.