Cybersecurity Demo Day

(From L to R) Judges Kevin Skapentiz of IBM Security and Blake Patton or Tech Square Ventures; Winners Ruian Duan and Ashish Bijlani, School of Computer Science; Judge and Founding Donor of Create-X Christopher Klaus, and IISP's Dr. Wenke Lee.


Congratulations to the 2017-2018 Winners!


Grand Prize - Create-X Startup LAUNCH incubator seat

"OSS Police"
Ashish Bijlani & Ruian Duan
School of Computer Science


1st Place - Commercialization Track

"OSS Police"
Ashish Bijlani & Ruian Duan
School of Computer Science


1st Place - Research Track

"Deep Security: Toward Robust Deep Learning"
Taesik Na & Jong Hwan Ko
School of Electrical & Computer Engineering


People's Choice Award

"Tackling Cybersecurity Threats in Smart Grids"
Majid Ahmadi & Hanif Rahbari
School of Public Policy


Vetted and coached to enter the marketplace, students presented ideas for commercialization before venture capitalists, industry leaders, and the public at the Institute for Information Security & Privacy's Cybersecurity Demo Day Finale.

This year's prize pool included generous support from partners of the Institute for Information Security & Privacy, Create-X Startup LAUNCH, the National Science Foundation Innovation Corps (I-Corps) program at VentureLab, ATDC, and Speakeasy.


About This Contest
2017 Winner
2016 Winner


Thank you to our Judges and all of the Entrants for your hard work!



About the Finalists

Commercialization Track

"OSS Police"

Ashish Bijlani, Ruian Duan, and Meng Xu
School of Computer Science

In order to reduce time to market, mobile app developers often focus their efforts on creating new, unique features or workflows, and rely on third-party Open Source Software (OSS) for common elements of app code. Unfortunately, careless use of OSS can introduce significant legal and security risks that jeopardizes the security and privacy of end users, and may lead to high financial loss for the app developer. We propose OSS Police, a scalable and fully-automated tool for mobile app developers to quickly analyze their apps and identify free software license violations as well as known vulnerabilities in open-source software (OSS) code. OSS Police introduces a novel hierarchical indexing scheme to achieve both high scalability and accuracy, and is capable of efficiently comparing similarities of app binaries against a database of hundreds of thousands of OSS sources (billions of lines of code).


"RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking"

Yang Ji, with Evan Downing, Mattia Fazzini, Sangho Lee and Weiren Wang
School of Computer Science

As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack, which resources were affected by the attack, and how to recover from any damage incurred. We propose RAIN, a Refinable Attack INvestigation system based on a record-replay technology that records system-call events during runtime and performs instruction-level dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, RAIN conducts system-call-level reachability analysis to filter out unrelated processes and minimize the number of processes to be replayed, making inter-process DIFT feasible. Evaluation results show that RAIN effectively prunes out unrelated processes and determines attack causality with negligible false positive rates. In addition, the runtime overhead of RAIN is similar to existing system-call level provenance systems and its analysis overhead is much smaller than full-system DIFT.


"Phish or Fish"

Tony Zhaocheng Tan, with Anisha Bandihari and Simon Chung
School of Computer Science

Phishing is the first step for many high-profile breaches, such as the Democratic National Convention hack of 2016. The current "solution" to phishing is basically user training; educate them to hover over links in emails, look for strange domain name, choose HTTP instead of HTTPS, watch for grammatical errors, etc., yet when this proves to be ineffective, we blame the user. In this work, we propose to improve the usability/user experience in such self-defense against phishing. Instead of asking users to "remember" to follow the rules, when a user clicks on a link in an email, we automatically present them with a proxy page that displays succinct and necessary information to help the user to make the right decision. Furthermore, to avoid the common fatigue that comes with security related user interfaces (UI), we only ask the user to make a decision for links targeting unpopular sites.



Erkam Uzun
School of Computer Science

More organizations are turning to facial and voice recognition, or other biometric identifiers, to authenticate users and grant access to their systems. In particular, some services (e.g. Mastercard Identity Check) allow users to authenticate themselves by simply showing their face in front of their phone's camera, or simply speaking into the phone. Unfortunately, it's been shown that this can be easily forged in real time to defeat such authentication systems. This project introduces "Real Time Captcha (rtCaptcha)," a new, practical approach that places a formidable computation burden before adversaries by leveraging the proven security infrastructure of CAPTCHAs. In particular, rtCaptcha authenticates a user by taking a live video/audio recording of the user whiel also solving a CAPTCHA challenge question. This is in sharp contrast to simpler detection systems that only ask the user to blink, smile, or nod. Our user study showed that -- thanks to the humans' speed of solving random CAPTCHA challenges -- adversaries will have to appear and sound like the intended victim and solve the same challenge in less than 2 seconds in order to trick an authentication system. This is not possible by today's best machine-based or human attackers.


"Tackling Cybersecurity Threats in Smart Grids"

Majid Ahmadi and Hanif Rahbari
School of Public Policy

Smart Grid is the next generation of electricity grids that provide a framework for using advanced technologies including telecommunications, distributed energy resources, and energy efficiency solutions.While Smart Grids are particularly advantageous, they are vulnerable to different forms of attacks. The portion of a Smart Grid that is especially vulnerable is the Advanced Metering Infrastructure (AMI). The AMI acts as a foundation for the Smart Grid since it consists of smart meters, communications networks, customer gateway, and data management systems that enable two-way communication between utility companies and customers that often is wireless. To counter wireless communications security attacks, we propose investigating various randomization techniques that hide the true characteristics of  wireless traffic. Specifically, we propose using signal processing and transmission scheduling techniques that can artificially alter the features of the traffic and confuse the eavesdropper about the true pattern, making it almost impossible to discern the residents’ private information. For example, the devices may transmit bogus packets when they are not active to evade the eavesdropper and force it to mistakenly assume that the residents are in home. The outcome of this project is the set of techniques that can be applied in different situations and for different levels of security.


Research Track

"Accelerating IoT Security Standards Adoption"

Karim Farhat, Karl Grindal and Ishan Mehta
School of Public Policy

IoT growth is exponential with 8 billion devices in 2012, 23 billion in 2016, and a projected 50 billion in 2020 [Cisco VNI, 2017]. Current risk management for IoT is reactive at best; most devices are constrained in crypto and computing. While nothing in the IoT is certain, most imagined futures would suggest consumers will continue to seek value out of devices regardless of ongoing manufacturer support. Security costs will have to be mitigated if the IoT promise is to be fulfilled. The market requires a scalable security approach and clear liability framework for the responsible use of these devices. Our proposed solution is a platform that combines inputs from the three data streams that comprise a server-side database: web scraping, public collaborative repository, and input from developers/deployers. As devices are sunsetted, we hope that our platform will help the management process of operational devices nearing obsolescence as well as help migrate orphaned devices to open-source firmware or the recycling bin. Our work will contribute towards setting up an environment where companies compete on privacy and security. This team is comprised of affiliated graduate students from the Internet Governance Project with backgrounds in security, engineering, and IoT.


"Deep Security: Toward Robust Deep Learning"

Taesik Na and Jong Hwan Ko
School of Electrical & Computer Engineering

A successful deep learning-based computer vision task is perceived as a key enabler for autonomous vehicles. However, there have been numerous reports that deep-learning classifiers are vulnerable to small input perturbations that have been carefully generated by adversaries. Vulnerabilities in deep learning can become potential threats to successful autonomous driving. The objective of this research is to build robust deep-learning classifiers for various adversarial attacks in order to better protect self-driving cars. To address this challenge, we propose embedding space for both classification and low-level (pixel-level) similarity learning that will ignore unknown pixel level perturbation. We also propose cascade adversarial training, which transfers the knowledge of the end results of adversarial training. This proposed approach shows improved accuracy compared to the current state-of-the-art adversarial training and ensemble adversarial training methodologies.

Each fall, students bring cybersecurity research ideas to the fall Georgia Tech Cyber Security Summit. Students then attend evidence-based entrepreneurial coaching by VentureLab and return six months later at the Cybersecurity Demo Day Finale for a TED-style talk about their project. A panel of business leaders and investors from across the United States critiques students and awards prizes from a pool valued at more than $125,000. Research with the best chance of commercialization or demonstrating the most impact toward an unmet need wins.

"The Institute for Information Security & Privacy wants to move good ideas to market," says Wenke Lee, co-director. "We know industry leans on academic researchers to raise new ideas and we lean on industry to take solutions to the public. Our hope is that by introducing students to business mentors early in the research timeline that we can help them naturally build productive relationships and reduce time to market. All students participating in Demo Day will benefit from the insight and critique of those closest to industry needs today."

The annual IISP Cybersecurity Demo Day program is open to all students who are enrolled in any degree program at Georgia Tech. Undergraduates must pair with at least one graduate student to form a team in order to qualify for all prizes in 2018.


How to Compete


1. Register your best cybersecurity research idea by Sept. 25, 2017 at 11:59 p.m. Projects may be in any stage -- nascent or near-ready! All ideas and inventions are welcome.

2. Download, complete and sign the Rules and Eligibility form, and the Public Disclosure Acknowledgement and Waiver form. Return signed forms to the contact specified on the form. Read more about Intellectual Property at Georgia Tech and the services to assist you.

Phase I

Present a research poster, Sept. 27.

  • Bring your research to the IISP Cybersecurity Demo Day at the Georgia Tech Cyber Security Summit (GT CSS '17) on Sept. 27.
  • Audience picks 3 finalists for initial cash prize of $500 and recognition as "People's Choice" winners; advances 3 teams to the IISP Cybersecurity Demo Day Finale in April 2018.
  • One team will win a fast-track "Golden Ticket" into Create-X Startup LAUNCH to work alongside business mentors and Atlanta investors. 
Phase II

All teams may continue to compete. Receive entrepreneurial coaching from VentureLab.

  • All teams may continue to compete for 3 remaining spots in the Finale with coaching by VentureLab. Choose a Track:
    • Commercialization Track: Learn to identify your market, customer, and every answer you’ll need to satisfy more investors. Taught by NSF I-Corps and VentureLab.
    • Research Track: Gain project funding, presentation coaching, and a private critique by faculty and business leaders to improve future pitches about your work.
  • Meet monthly, October - April.
  • Try out for one of 3 remaining spots in the Finale.
Phase III

Pitch business leaders at the IISP Cybersecurity Demo Day Finale on April 12, 2018.

  • Deliver your best presentation for a chance to win:
    –     up to $5,000 cash!
    –     spot in the Create-X Startup LAUNCH incubator, including $20,000 toward your prototype, $50,000 in free legal services, and 27-weeks of free business mentoring!
    –     eligibility for a $50,000 grant from National Science Foundation!


Eligibility Criteria
  • Presently enrolled in a degree program Georgia Tech and in good academic standing
  • Graduate students or undergraduates paired with at least one graduate student
  • Research project involves one of the core, cybersecurity areas at the Institute for Information Security & Privacy
  • Participation is endorsed by the research principal investigator (or, if not applicable, a faculty sponsor or lab director) from Georgia Tech
  • Must prepare a research poster and attend Fall 2017 Demo Day at the Georgia Tech Cyber Security Summit on Sept. 27 at 3 p.m.