Publication
You can also find my articles on my Google Scholar profile.
* Indicates equal contribution.
In the Pipeline
- Zhang, H., Ahmed, F. A., Fatih, D., Kitessa, A., Alhanahnah, M., Leitner, P., & Ali-Eldin, A. (2022). Machine Learning Containers are Bloated and Vulnerable. arXiv. https://doi.org/10.48550/ARXIV.2212.09437
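% arXiv preprint. The eprint id is the one already carried by this entry's DOI and URL.
@misc{https://doi.org/10.48550/arxiv.2212.09437,
  author        = {Zhang, Huaifeng and Ahmed, Fahmi Abdulqadir and Fatih, Dyako and Kitessa, Akayou and Alhanahnah, Mohannad and Leitner, Philipp and Ali-Eldin, Ahmed},
  title         = {Machine Learning Containers are Bloated and Vulnerable},
  publisher     = {arXiv},
  year          = {2022},
  eprint        = {2212.09437},
  archiveprefix = {arXiv},
  doi           = {10.48550/ARXIV.2212.09437},
  url           = {https://arxiv.org/abs/2212.09437},
  keywords      = {Software Engineering (cs.SE), Machine Learning (cs.LG), FOS: Computer and information sciences},
  copyright     = {arXiv.org perpetual, non-exclusive license},
}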
- Alhanahnah, M. (2020). Software Quality Assessment for Robot Operating System. arXiv. https://doi.org/10.48550/ARXIV.2012.07196
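% arXiv preprint. The eprint id is the one already carried by this entry's DOI and URL.
@misc{https://doi.org/10.48550/arxiv.2012.07196,
  author        = {Alhanahnah, Mohannad},
  title         = {Software Quality Assessment for {Robot Operating System}},
  publisher     = {arXiv},
  year          = {2020},
  eprint        = {2012.07196},
  archiveprefix = {arXiv},
  doi           = {10.48550/ARXIV.2012.07196},
  url           = {https://arxiv.org/abs/2012.07196},
  keywords      = {Software Engineering (cs.SE), Cryptography and Security (cs.CR), Robotics (cs.RO), FOS: Computer and information sciences},
  copyright     = {Creative Commons Attribution 4.0 International},
}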
IoT Safety and Privacy
- Alhanahnah, M., Stevens, C., & Bagheri, H. (2020). Scalable Analysis of Interaction Threats in IoT Systems. Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, 272–285. https://doi.org/10.1145/3395363.3397347
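% ISSTA 2020 paper. The page range uses the ASCII double hyphen, which is safe under classic 8-bit BibTeX.
@inproceedings{10.1145/3395363.3397347,
  author    = {Alhanahnah, Mohannad and Stevens, Clay and Bagheri, Hamid},
  title     = {Scalable Analysis of Interaction Threats in {IoT} Systems},
  booktitle = {Proceedings of the 29th {ACM} {SIGSOFT} International Symposium on Software Testing and Analysis},
  series    = {ISSTA 2020},
  pages     = {272--285},
  numpages  = {14},
  year      = {2020},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  location  = {Virtual Event, USA},
  isbn      = {9781450380089},
  doi       = {10.1145/3395363.3397347},
  url       = {https://doi.org/10.1145/3395363.3397347},
  keywords  = {Formal Verification, IoT Safety, Interaction Threats},
}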
The ubiquity of Internet of Things (IoT) and our growing reliance on IoT apps are leaving us more vulnerable to safety and security threats than ever before. Many of these threats are manifested at the interaction level, where undesired or malicious coordinations between apps and physical devices can lead to intricate safety and security issues. This paper presents IoTCOM, an approach to automatically discover such hidden and unsafe interaction threats in a compositional and scalable fashion. It is backed with automated program analysis and formally rigorous violation detection engines. IoTCOM relies on program analysis to automatically infer the relevant app’s behavior. Leveraging a novel strategy to trim the extracted app’s behavior prior to translating them to analyzable formal specifications, IoTCOM mitigates the state explosion associated with formal analysis. Our experiments with numerous bundles of real-world IoT apps have corroborated IoTCOM’s ability to effectively detect a broad spectrum of interaction threats triggered through cyber and physical channels, many of which were previously unknown, and to significantly outperform the existing techniques in terms of scalability.
- Chen, Y., Alhanahnah, M., Sabelfeld, A., Chatterjee, R., & Fernandes, E. (2022). Practical Data Access Minimization in Trigger-Action Platforms. 31st USENIX Security Symposium (USENIX Security 22), 2929–2945. https://www.usenix.org/conference/usenixsecurity22/presentation/chen-yunang-practical
% Conference paper, 31st USENIX Security Symposium (Boston, MA, August 2022).
@inproceedings{277182,
  author    = {Chen, Yunang and Alhanahnah, Mohannad and Sabelfeld, Andrei and Chatterjee, Rahul and Fernandes, Earlence},
  title     = {Practical Data Access Minimization in {Trigger-Action} Platforms},
  booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
  pages     = {2929--2945},
  year      = {2022},
  month     = aug,
  publisher = {USENIX Association},
  address   = {Boston, MA},
  isbn      = {978-1-939133-31-1},
  url       = {https://www.usenix.org/conference/usenixsecurity22/presentation/chen-yunang-practical},
}
- Stevens, C., Alhanahnah, M., Yan, Q., & Bagheri, H. (2020). Comparing formal models of IoT app coordination analysis. Proceedings of the 3rd ACM SIGSOFT International Workshop on Software Security from Design to Deployment, 3–10.
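% Workshop paper. The record carries no DOI, publisher or URL; add them from the publisher page if available.
@inproceedings{stevens2020comparing,
  author    = {Stevens, Clay and Alhanahnah, Mohannad and Yan, Qiben and Bagheri, Hamid},
  title     = {Comparing formal models of {IoT} app coordination analysis},
  booktitle = {Proceedings of the 3rd {ACM} {SIGSOFT} International Workshop on Software Security from Design to Deployment},
  pages     = {3--10},
  year      = {2020},
}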
- Alhanahnah, M., Stevens, C., Chen, B., Yan, Q., & Bagheri, H. (2022). IoTCOM: Dissecting Interaction Threats in IoT Systems. IEEE Transactions on Software Engineering, 1–1. https://doi.org/10.1109/TSE.2022.3179294
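% Journal article. The exported record has no volume or issue, so pages 1--1 looks like an
% early-access placeholder (to be confirmed against the publisher page).
@article{9785922,
  author  = {Alhanahnah, Mohannad and Stevens, Clay and Chen, Bocheng and Yan, Qiben and Bagheri, Hamid},
  title   = {{IoTCOM}: Dissecting Interaction Threats in {IoT} Systems},
  journal = {IEEE Transactions on Software Engineering},
  pages   = {1--1},
  year    = {2022},
  doi     = {10.1109/TSE.2022.3179294},
}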
Software Debloating
- Alhanahnah, M., Jain, R., Rastogi, V., Jha, S., & Reps, T. (2022). Lightweight, Multi-Stage, Compiler-Assisted Application Specialization. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), 251–269. https://doi.org/10.1109/EuroSP53844.2022.00024
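% Conference paper. The ampersand in the venue acronym is escaped because a bare ampersand
% is a LaTeX alignment character and breaks typesetting of the bibliography.
@inproceedings{9797349,
  author    = {Alhanahnah, Mohannad and Jain, Rithik and Rastogi, Vaibhav and Jha, Somesh and Reps, Thomas},
  title     = {Lightweight, Multi-Stage, Compiler-Assisted Application Specialization},
  booktitle = {2022 {IEEE} 7th European Symposium on Security and Privacy ({EuroS\&P})},
  pages     = {251--269},
  year      = {2022},
  doi       = {10.1109/EuroSP53844.2022.00024},
}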
- Alhanahnah, M., & Yan, Q. (2018). Towards best secure coding practice for implementing SSL/TLS. IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 1–6. https://doi.org/10.1109/INFCOMW.2018.8407011
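% Workshop paper. Acronyms are brace-protected so sentence-casing styles do not lowercase them.
@inproceedings{8407011,
  author    = {Alhanahnah, Mohannad and Yan, Qiben},
  title     = {Towards best secure coding practice for implementing {SSL/TLS}},
  booktitle = {{IEEE} {INFOCOM} 2018 - {IEEE} Conference on Computer Communications Workshops ({INFOCOM} {WKSHPS})},
  pages     = {1--6},
  year      = {2018},
  doi       = {10.1109/INFCOMW.2018.8407011},
}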
Adversarial ML
- Wang, Y., Alhanahnah, M., Meng, X., Wang, K., Christodorescu, M., & Jha, S. (2022). Robust Learning against Relational Adversaries. In A. H. Oh, A. Agarwal, D. Belgrave, & K. Cho (Eds.), Advances in Neural Information Processing Systems. https://openreview.net/forum?id=WBp4dli3No6
% Conference paper in Advances in Neural Information Processing Systems (2022); the URL is the OpenReview forum page.
@inproceedings{wang2022robust,
  author    = {Wang, Yizhen and Alhanahnah, Mohannad and Meng, Xiaozhu and Wang, Ke and Christodorescu, Mihai and Jha, Somesh},
  title     = {Robust Learning against Relational Adversaries},
  booktitle = {Advances in Neural Information Processing Systems},
  editor    = {Oh, Alice H. and Agarwal, Alekh and Belgrave, Danielle and Cho, Kyunghyun},
  year      = {2022},
  url       = {https://openreview.net/forum?id=WBp4dli3No6},
}
Android Security
- Alhanahnah, M., Yan, Q., Bagheri, H., Zhou, H., Tsutano, Y., Srisa-An, W., & Luo, X. (2020). DINA: Detecting Hidden Android Inter-App Communication in Dynamic Loaded Code. IEEE Transactions on Information Forensics and Security, 15, 2782–2797. https://doi.org/10.1109/TIFS.2020.2976556
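% Journal article. The tool name and platform name are brace-protected against style recasing.
@article{9017933,
  author  = {Alhanahnah, Mohannad and Yan, Qiben and Bagheri, Hamid and Zhou, Hao and Tsutano, Yutaka and Srisa-An, Witawas and Luo, Xiapu},
  title   = {{DINA}: Detecting Hidden {Android} Inter-App Communication in Dynamic Loaded Code},
  journal = {IEEE Transactions on Information Forensics and Security},
  volume  = {15},
  pages   = {2782--2797},
  year    = {2020},
  doi     = {10.1109/TIFS.2020.2976556},
}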
- Alhanahnah, M., Yan, Q., Bagheri, H., Zhou, H., Tsutano, Y., Srisa-an, W., & Luo, X. (2019). Detecting Vulnerable Android Inter-App Communication in Dynamically Loaded Code. IEEE INFOCOM 2019 - IEEE Conference on Computer Communications, 550–558. https://doi.org/10.1109/INFOCOM.2019.8737637
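% Conference paper. Acronyms and the platform name are brace-protected against style recasing.
@inproceedings{8737637,
  author    = {Alhanahnah, Mohannad and Yan, Qiben and Bagheri, Hamid and Zhou, Hao and Tsutano, Yutaka and Srisa-an, Witawas and Luo, Xiapu},
  title     = {Detecting Vulnerable {Android} Inter-App Communication in Dynamically Loaded Code},
  booktitle = {{IEEE} {INFOCOM} 2019 - {IEEE} Conference on Computer Communications},
  pages     = {550--558},
  year      = {2019},
  doi       = {10.1109/INFOCOM.2019.8737637},
}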
Cloud Trust
- Alhanahnah, M. J., Jhumka, A., & Alouneh, S. (2016). A Multidimension Taxonomy of Insider Threats in Cloud Computing. The Computer Journal, 59(11), 1612–1622. https://doi.org/10.1093/comjnl/bxw020
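% Journal article. NOTE(review): the eprint field holds a publisher PDF link rather than an
% archive identifier, so styles that print eprint will render it as a raw URL.
@article{10.1093/comjnl/bxw020,
  author  = {Alhanahnah, Mohannad J. and Jhumka, Arshad and Alouneh, Sahel},
  title   = {A Multidimension Taxonomy of Insider Threats in Cloud Computing},
  journal = {The Computer Journal},
  volume  = {59},
  number  = {11},
  pages   = {1612--1622},
  year    = {2016},
  month   = nov,
  issn    = {0010-4620},
  doi     = {10.1093/comjnl/bxw020},
  url     = {https://doi.org/10.1093/comjnl/bxw020},
  eprint  = {https://academic.oup.com/comjnl/article-pdf/59/11/1612/7300451/bxw020.pdf},
}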
Security is considered a significant deficiency in cloud computing, and insider threats problem exacerbate security concerns in the cloud. In addition to that, cloud computing is very complex by itself, because it encompasses numerous technologies and concepts. Apparently, overcoming these challenges requires substantial efforts from information security researchers to develop powerful mitigation solutions for this emerging problem. This entails developing a taxonomy of insider threats in cloud environments encompassing all potential abnormal activities in the cloud and can be useful for conducting security assessment. This article describes the first phase of an ongoing research to develop a framework for mitigating insider threats in cloud computing environments. Primarily, it presents a multidimensional taxonomy of insider threats in cloud computing and demonstrates its viability. The taxonomy provides a fundamental understanding for this complicated problem by identifying five dimensions; it also supports security engineers in identifying hidden paths, thus determining proper countermeasures, and presents a guidance that covers all bounders of insiders’ threats issue in clouds; hence, it facilitates researchers’ endeavours in tackling this problem. For instance, according to the hierarchical taxonomy, clearly many significant issues exist in public cloud, while conventional insider mitigation solutions can be used in private clouds. Finally, the taxonomy assists in identifying future research directions in this emerging area.
- Alhanahnah, M., Bertok, P., & Tari, Z. (2017). Trusting Cloud Service Providers: Trust Phases and a Taxonomy of Trust Factors. IEEE Cloud Computing, 4(1), 44–54. https://doi.org/10.1109/MCC.2017.20
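% Journal article in IEEE Cloud Computing, volume 4, issue 1.
@article{7879115,
  author  = {Alhanahnah, Mohannad and Bertok, Peter and Tari, Zahir},
  title   = {Trusting Cloud Service Providers: Trust Phases and a Taxonomy of Trust Factors},
  journal = {IEEE Cloud Computing},
  volume  = {4},
  number  = {1},
  pages   = {44--54},
  year    = {2017},
  doi     = {10.1109/MCC.2017.20},
}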
- Alhanahnah, M., Bertok, P., Tari, Z., & Alouneh, S. (2018). Context-Aware Multifaceted Trust Framework For Evaluating Trustworthiness of Cloud Providers. Future Generation Computer Systems, 79, 488–499. https://doi.org/10.1016/j.future.2017.09.071
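% Journal article. The doi field holds the bare DOI; styles add the resolver prefix themselves,
% so storing the full link there produces a doubled prefix in the rendered reference.
@article{ALHANAHNAH2018488,
  author   = {Alhanahnah, Mohannad and Bertok, Peter and Tari, Zahir and Alouneh, Sahel},
  title    = {Context-Aware Multifaceted Trust Framework For Evaluating Trustworthiness of Cloud Providers},
  journal  = {Future Generation Computer Systems},
  volume   = {79},
  pages    = {488--499},
  year     = {2018},
  issn     = {0167-739X},
  doi      = {10.1016/j.future.2017.09.071},
  url      = {https://www.sciencedirect.com/science/article/pii/S0167739X17300717},
  keywords = {Analytic hierarchy process, Cloud computing, Trust, Fuzzy simple additive weighting, Multifaceted},
}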
With the rapidly increasing number of cloud-based services, selecting a service provider is becoming more and more difficult. Among the many factors to be considered, trust in a given service and in a service provider is often critical. Appraisal of trust is a complex process, information about the offered service’s quality needs to be collected from a number of sources, while user requirements may place different emphasis on the various quality indicators. Several frameworks have been proposed to facilitate service provider selection, however, only very few of them are built on existing cloud standards, and adaptability to different contexts is still a challenge. This paper proposes a new trust framework, called Context-Aware Multifaceted Trust Framework (CAMFT), to assist in evaluating trust in cloud service providers. CAMFT is flexible and context aware: it considers trust factors, users and services. When making recommendations, CAMFT employs a combination of mathematical methods that depend on the type of trust factors, and it takes both service characteristics and user perspective into account. A case study is also presented to demonstrate CAMFT’s applicability to practical cases.
- Alhanahnah, M., Ma, S., Gehani, A., Ciocarlie, G. F., Yegneswaran, V., Jha, S., & Zhang, X. (2022). autoMPI: Automated Multiple Perspective Attack Investigation with Semantics Aware Execution Partitioning. IEEE Transactions on Software Engineering, 1–14. https://doi.org/10.1109/TSE.2022.3231242
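% Journal article. The exported record has no volume or issue, so pages 1--14 may be an
% early-access range (to be confirmed against the publisher page).
@article{9996963,
  author  = {Alhanahnah, Mohannad and Ma, Shiqing and Gehani, Ashish and Ciocarlie, Gabriela F. and Yegneswaran, Vinod and Jha, Somesh and Zhang, Xiangyu},
  title   = {{autoMPI}: Automated Multiple Perspective Attack Investigation with Semantics Aware Execution Partitioning},
  journal = {IEEE Transactions on Software Engineering},
  pages   = {1--14},
  year    = {2022},
  doi     = {10.1109/TSE.2022.3231242},
}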
- Alhanahnah, M., & Chadwick, D. (2016). Boosting Usability for Protecting Online Banking Applications Against APTs. 2016 Cybersecurity and Cyberforensics Conference (CCC), 70–76. https://doi.org/10.1109/CCC.2016.13
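% Conference paper. Acronyms are brace-protected so sentence-casing styles do not lowercase them.
@inproceedings{7600213,
  author    = {Alhanahnah, Mohannad and Chadwick, David},
  title     = {Boosting Usability for Protecting Online Banking Applications Against {APTs}},
  booktitle = {2016 Cybersecurity and Cyberforensics Conference ({CCC})},
  pages     = {70--76},
  year      = {2016},
  doi       = {10.1109/CCC.2016.13},
}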