Scalable-Hunter [August 2020 - December 2023], Distributed Hierarchical Event Monitoring System for Attack Diagnosis through Active Investigation of Attacker Activities. Designed and implemented a distributed hierarchical event monitoring system that reduces attack detection time, communication overhead and resource usage. Designed and developed low-level log collection agents for Windows systems (ETW, event logs, syslog, NetFlow). Developed detectors that map low-level traces to MITRE ATT&CK techniques, and an evidential reasoning framework that performs passive reasoning and active investigation on the reported observables.
CIS Critical Security Control (CSC) Assessment [August 2018 - March 2024], This project aims to determine what to measure (observables), how to measure it (tools required), and the metrics used to evaluate the enforcement of CSCs. I used prompt engineering (few-shot learning, Chain-of-Thought, Tree-of-Thought) with LLMs (ChatGPT, LLaMA) to extract that information from the CIS CSC guidelines. Later, CIS reviewed and published our proposed approach as guidelines for the industry to assess CSCs. I also published my work at HotSoS 2018 as a novel way to develop measures and metrics for CIS CSC assessment.
  • Development Language: Python, Java, NLP, Prompt Engineering, gpt-3.5-turbo, LangChain.
  • Paper1

TTPDrill [January 2017 - July 2018], Automatic and Accurate Extraction of Threat Actions from Unstructured Text of CTI Sources and mapping of threat actions to MITRE ATT&CK techniques. Extracted threat actions from CTI reports using NLP and mapped the extracted threat actions to MITRE ATT&CK techniques and tactics using TF-IDF document similarity.
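The TF-IDF mapping step, as an added worked example (not TTPDrill's own code): each ATT&CK technique description is a document, an extracted threat action is the query, and the technique with the highest cosine similarity wins unless the score falls below a threshold, in which case the action is reported as unmapped. The four technique descriptions are constructed paraphrases (the technique IDs are real ATT&CK IDs), the threat actions are constructed, the stop-word list and the crude plural stripper are assumptions, and the 0.2 threshold is an arbitrary illustration value.

```python
"""Map extracted threat actions to ATT&CK techniques with TF-IDF cosine similarity.

Added example, not TTPDrill's own code. Technique descriptions, threat actions,
stop words, stemming and the threshold are constructed/assumed for illustration.
"""
import math
import re
from collections import Counter

# Constructed mini knowledge base: real ATT&CK IDs, paraphrased descriptions.
TECHNIQUES = {
    "T1059.001": "PowerShell: adversaries abuse PowerShell commands and scripts "
                 "to execute payloads and download tools",
    "T1566.001": "Spearphishing Attachment: adversaries send spearphishing emails "
                 "with a malicious attachment to gain initial access",
    "T1003.001": "LSASS Memory: adversaries dump credentials from LSASS process "
                 "memory using tools such as Mimikatz",
    "T1053.005": "Scheduled Task: adversaries create scheduled tasks for "
                 "persistence and execution of malicious code",
}

TOKEN = re.compile(r"[a-z0-9]+")
STOP = {"the", "a", "an", "and", "to", "of", "with", "such", "as", "for", "using", "from"}


def stem(tok):
    # Crude plural stripper (assumption): "tasks" -> "task", "payloads" -> "payload".
    return tok[:-1] if len(tok) > 3 and tok.endswith("s") else tok


def tokenize(text):
    return [stem(t) for t in TOKEN.findall(text.lower()) if t not in STOP]


class TfidfIndex:
    """Minimal TF-IDF index over technique descriptions (no sklearn dependency)."""

    def __init__(self, docs):
        self.tf = {k: Counter(tokenize(v)) for k, v in docs.items()}
        df = Counter()
        for counts in self.tf.values():
            df.update(counts.keys())
        n = len(docs)
        # Smoothed idf: a term present in every document still gets weight 1.0.
        self.idf = {t: math.log((1 + n) / (1 + d)) + 1.0 for t, d in df.items()}
        self.vectors = {k: self._vector(c) for k, c in self.tf.items()}

    def _vector(self, counts):
        # L2-normalised tf-idf vector; terms unknown to the index are dropped.
        vec = {t: c * self.idf[t] for t, c in counts.items() if t in self.idf}
        norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
        return {t: v / norm for t, v in vec.items()}

    def rank(self, threat_action):
        """All techniques ordered by cosine similarity to the threat action."""
        q = self._vector(Counter(tokenize(threat_action)))
        scores = {k: sum(q.get(t, 0.0) * w for t, w in v.items())
                  for k, v in self.vectors.items()}
        return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def map_action(index, threat_action, threshold=0.2):
    """Best technique ID, or None when no description is similar enough."""
    best_id, best_score = index.rank(threat_action)[0]
    return best_id if best_score >= threshold else None


INDEX = TfidfIndex(TECHNIQUES)

if __name__ == "__main__":
    for action in ("The malware created a scheduled task to run at every logon",
                   "The attacker dumped credentials from LSASS memory with Mimikatz",
                   "The operator reviewed the quarterly budget spreadsheet"):
        print(f"{action!r} -> {map_action(INDEX, action)}")
```

The last sample action contains no security vocabulary at all, so every score is zero and it is returned as unmapped rather than being forced onto the nearest technique; a production mapper would also stem properly and weight the action verb and its object separately, as the TTPDrill ontology does.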
FAKE-CTI: Automated generation of plausible fake CTI reports using retrofitted word vectors [August 2019 - December 2019], The lack of sufficient text data containing attacker actions, and the fact that a cyber security term carries a different meaning when used in a non-security context, make generating word embeddings for cyber security text a hard task. The retrofitting technique, however, makes word embedding generation for cyber security texts feasible. The resulting word embeddings can be used to automatically generate a plausible fake cyber threat intelligence (CTI) report from a few keywords for that report. In this project, all threat actions for each MITRE ATT&CK technique are extracted using the ontology proposed in TTPDrill, which consists of the attacker action, the object (cyber object), and the intent of the attacker. Next, semantic relations such as synonyms of each attacker action and cyber object are extracted from WordNet or a thesaurus using scripts. Each synonym list is then automatically examined to discard synonyms that are not used in cyber security, based on our knowledge of commonly used cyber security terms. Using the extracted relations and a pre-trained word vector, retrofitting produces a retrofitted word vector. From the retrofitted embedding, sentences are generated based on the co-occurrence probability of cyber security terms; the same task can be performed with BERT using its masked language model. Once multiple sentences have been generated from the provided keywords, the result is treated as a generated CTI report.
  • Development Language: Python, ML.
  • Github
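The retrofitting step itself, as an added worked example (not the FAKE-CTI project's code): the update rule is the one from Faruqui et al. (2015), which pulls each word's vector toward the average of its lexicon neighbours while anchoring it to its pre-trained vector, with alpha = 1 and beta = 1/degree. The 4-dimensional "pre-trained" vectors and the already-filtered synonym lexicon below are constructed for illustration; real inputs would be GloVe/word2vec vectors and the WordNet-derived synonym lists described above.

```python
"""Retrofit word vectors to a synonym lexicon (Faruqui et al. 2015 update rule).

Added example, not the FAKE-CTI project's code. Vectors and lexicon are
constructed toy data; real runs use hundreds of dimensions and a large lexicon.
"""
import math

# Constructed "pre-trained" vectors (assumption: stand-ins for GloVe/word2vec).
PRETRAINED = {
    "exfiltrate": [0.9, 0.1, 0.0, 0.2],
    "steal":      [0.1, 0.8, 0.3, 0.0],
    "siphon":     [0.0, 0.2, 0.9, 0.1],
    "encrypt":    [0.2, 0.0, 0.1, 0.9],
    "scramble":   [0.0, 0.3, 0.0, 0.7],
    "budget":     [0.5, 0.5, 0.5, 0.5],   # no security sense: no lexicon edges
}

# Constructed lexicon after the "cyber-only" synonym filter; edges are made
# symmetric below, so "steal" also gets "exfiltrate" as a neighbour.
LEXICON = {
    "exfiltrate": ["steal", "siphon"],
    "encrypt": ["scramble"],
}


def symmetric_neighbours(lexicon, vocab):
    """Undirected neighbour sets restricted to words we have vectors for."""
    nb = {w: set() for w in vocab}
    for w, syns in lexicon.items():
        for s in syns:
            if w in vocab and s in vocab and w != s:
                nb[w].add(s)
                nb[s].add(w)
    return nb


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def retrofit(pretrained, lexicon, iterations=10, alpha=1.0):
    """Return retrofitted vectors; words without lexicon edges are unchanged."""
    nb = symmetric_neighbours(lexicon, pretrained)
    q = {w: list(v) for w, v in pretrained.items()}
    for _ in range(iterations):
        for w, neigh in nb.items():
            if not neigh:
                continue
            beta = 1.0 / len(neigh)               # beta_ij = 1/deg(i)
            denom = alpha + beta * len(neigh)     # alpha + sum_j beta_ij
            # In-place (Gauss-Seidel style) update, as in the reference implementation:
            # q_i = (alpha * q_hat_i + sum_j beta_ij * q_j) / (alpha + sum_j beta_ij)
            q[w] = [(alpha * pretrained[w][d] + beta * sum(q[n][d] for n in neigh)) / denom
                    for d in range(len(q[w]))]
    return q


def similarity_shift(pretrained, retrofitted, a, b):
    """(before, after) cosine similarity of a word pair, to inspect the effect."""
    return cosine(pretrained[a], pretrained[b]), cosine(retrofitted[a], retrofitted[b])


if __name__ == "__main__":
    R = retrofit(PRETRAINED, LEXICON)
    for pair in (("exfiltrate", "steal"), ("encrypt", "scramble"), ("exfiltrate", "budget")):
        print(pair, similarity_shift(PRETRAINED, R, *pair))
```

Words that survived the cyber-only filter move toward each other (exfiltrate/steal, encrypt/scramble), while a word with no lexicon edges keeps its pre-trained vector exactly, which is what makes the filter step above matter: a non-security synonym left in the lexicon would drag a security term toward its everyday usage.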

PKI-Middleware [May 2014 - December 2015], a PKCS#11 dynamic library developed for the Windows, Linux, macOS and Android platforms that complies with KISA and FIPS standards. Implemented multithreading and multiprocessing support, smart card profile initialization, key operations (RSA keys, secret keys (3DES, AES, SEED, MAC) and random number generation), and cryptographic operations (signature generation and verification, symmetric and asymmetric encryption and decryption, MAC generation and verification).
  • Development Language: C++, JNI.

Custom CSP [January 2016 - April 2016], A Cryptographic Service Provider (CSP) is a library that implements Microsoft's CryptoAPI (CAPI). This CSP was developed to enable NFC-based smart card authentication on Windows. A CSP implements the encoding, decoding and cryptographic functions that applications use, for example, to implement strong user authentication or secure email. CSPs are independent modules that can be shared by different applications: a program calls CryptoAPI functions, and CryptoAPI redirects those calls to the functions of the CSP the application selected. Since the CSP is responsible for implementing the cryptographic algorithms and standards, the application does not need to deal with those details; all cryptographic work happens in the CSP, and CryptoAPI acts only as a bridge between the application and the CSP.
  • Development Language: C++, Windows API, Cryptography, OpenSSL.

PKI-Middleware Wrapper [January 2015 - March 2015], a Java wrapper for using the PKCS#11 middleware library from Java applications. It reduces the maintenance complexity of JNI, so that application developers do not have to write C code to call PKCS#11 library functions.
  • Development Language: Java.

CMS (Cryptographic Message Syntax) [May 2015 - June 2015], a PKCS#7-based toolkit developed to support the CA system during certificate issuance. It supports the PKCS#7 content types Data, SignedData, EnvelopedData and SignedAndEnvelopedData and their operations.
  • Development Language: Java.