About

Currently

Previously

Before this, I was the CISO of Careem, resposible for securing ‘the everything app’ for the greater Middle East, with operations in over 100 cities, covering 12 countries across the Middle East, Africa, and South Asia regions.

As Chief Strategy Officer of Axiomatics, I worked with the Board, the CEO and executive leadership team to develop the growth strategy, identify and prioritize strategic investment opportunities, and define the innovation agenda for the company. Axiomatics is the worl's leading independent provider of dynamic authorization solutions. A few years before this I was also the Chief Product Officer, responsible for the overall vision, planning and delivery of our products.

My LinkedIn profile has more details.

Ph.D. years

I obtained my Ph.D. in Computer Science from Vrije Universiteit, Amsterdam, The Netherlands. The research carried out was in the area of distributed policy enforcement, secure computing, privacy, accountability and system & network security. My PhD advisers were Prof. Andrew S. Tanenbaum and Associate Prof. Bruno Crispo. The Ph.D. dissertation, titled "Remote Policy Enforcement Using Java Virtual Machine", is available for download (PDF).

While at VU, I led several projects - Trishul, DRM Paradiso and Floodgate. I also surprivised several Masters students' project work as well as taught several practicals courses.

More details on the work can be found in the archive of the university hosted site as well as the GitHub repositories with code and publicaion archives.

Patents

• US 8595480 B2 Published: Nov 26, 2013, Publication type: Grant
• US 8713636 B2 Published: Apr 29, 2014, Publication type: Grant
• US 9195851 B2 Published: Nov 24, 2015, Publication type: Grant

Publications

A list of my academic and non-academic publications can be found in the publications section. My DBLP listing, ACM profile and Research Gate profile also provide details of some of the publications.

Activities

• Fireside chat, "Shielding the Future: Middle East Cyber Threat Landscape Report", with Christian Reilly, Field CTO - EMEA, Cloudflare, GISEC, Dubai, 2025.
• Roundtable, "A Risk Analysis Framework for Cyber Security and Critical Infrastructure", GISEC, Dubai, 2025.
• Panelist, "Securing Digital Supply Chains & Third-Party Risks", GISEC, Dubai, 2025.
• Panel, Executive Summit, Forecasting Cloud: Privacy, Authentication, and Data Verification, Black Hat Middle East & Africa, Riyadh, KSA, 2024
• Panel Moderator, Defense Against the Dark Arts: Generate AI & Enterprise Risk, Black Hat Middle East & Africa, Riyadh, KSA, 2023
• Panelist, State of Cloud Security in Modern Enterprises - 2023 and Beyond, GCC Security Symposium, Riyadh, 2023
• Panelist, CyberNext Summit, Riyadh, 2023
• Panelist, Look into your OT Environments, GISEC, Dubai, 2023
• Keynote, IEEE International Conference on Computational Intelligence and Knowledge Economy (ICCIKE2023), Amithy University Dubai, Dubai, 2023
• Panelist, Cyberattacks are inevitable, Are you prepared?, 8th Cyber Warriors Conclave, Dubai, 2023
• Panelist, Challenges of using and protecting public vs. private data, Step Conference, Dubai, 2023
• Keynote Speaker, Arab International Cybersecurity Conference (>_ICS), Bahrain, 2022
• Panelist, Cybersecurity Challenges in the Cloud, Security Conclave & Awards, Dubai, 2022
• Speaker and Panelist, Zero trust, Cloud Security Challenges, Cyber Security Innovation Series (CSIS), Dubai, 2022
• Panelist, Securing Applications with Zero Trust, 7th Cyber Warriors Conclave, Dubai, 2022
• Panelist, Cloud Security & Zero Trust, MENA Cloud Security Summit, Dubai, 2022
• Panelist, Data Discovery: What Skeletons are Hiding in Your Unstructured Data? at PrivSec Global 2020
• Speaker, Consumer Identity World - Europe 2018 Amsterdam, 2018. Customer Identitiy and Access Management in a Data-informed, Agile Organisation
• In-house session, The Takshashila Institution, 2018. "Cyber Power - Fundamentals and Beyond" (public version)
• Reviewer, IEEE Transactions on Cloud Computing, 2015
• Speaker - Digital Enterprise Europe 2013, June 2013, Amsterdam
• Speaker - NordicAPIs Copenhagen Summer 2013, May 2013, Copenhagen
• Workshops and Tutorial Chair and Program Committee member, 6th IFIP WG 11.11 International Conference on Trust Management (IFIPTM), 2012
• Program Committee member, 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-12), 2012
• Speaker, Takshashila Executive Programme on Public Policy, College of Defence Management, Secunderabad, July 2011
• Speaker, Information Security Forum (ISF) Annual Congress, Monaco, 6-9 November, 2010
• Reviewer, Wireless Networks, Springer, 2011
• Program Committee member, 3rd IEEE International Conference on Cloud Computing Technology and Science (IEEE CloudCom 2011)
• Technical Reviewer, International Conference on Communications and Signal Processing (ICCSP2011), 2011
• Program Committee member, 1st Optimising Cloud Services Workshop, Dec. 13, 2010 (to be held in conjunction with ServiceWave 2010)
• Program Committee member, 6th International Conference on Information Systems Security (ICISS 2010)
• Program Committee member, 8th European Conference on Web Services, Industry Track (ECOWS 2010)
• Invited speaker at CENS-GFF Workshop on "Cyber Security: Secure and Resilient Cyber-Space", 2010, Singapore. "Cyber Security: Impact on National Security and Business Operations (India's Perspective)"
• Speaker at BrightTALK webcast on Cloud security, 2009.
• Reviewer, ACM Transactions on Programming Languages and Systems (TOPLAS), 2009.
• Technical Reviewer, Security and Communication Networks (SCN), Wiley InterScience, 2009
• Technical Reviewer, AsiaCCS 2008, ACM Press
• Technical Reviewer, ESORICS 2007, Springer-Verlag
• Reviewer at ACM Reviews - Featured, Highlighted, Reader recommended
• Draft reviewer "PGP & GPG: Email for the Practical Paranoid" by Michael W. Lucas, ISBN: 1-59327-071-2

Dissertations

• "Remote Policy Enforcement Using Java Virtual Machine" - Ph.D. Dissertation, Department of Computer Science, Faculty of Sciences, Vrije Universiteit, Amsterdam, 2010. pdf
• "Improving the Performance of TCP Vegas and TCP SACK: Investigations and Solutions" - M.Sc. Thesis, School of Computing, National University of Singapore, 2002. pdf

Code

• Version 0.1 of Trishul, based on Kaffe JVM (v1.1.7) - tar.gz, github page (PhD work)
• Version 0.1 of DRM Paradiso, implemented on the Neuros OSD Board - download, github page (PhD work)
• Version 1.0 of Floodgate - tar.gz, github page (PhD work)
• Network Simulator ns-2 code for TCP Vegas-A - zip, github page (Masters project)
• Version 1.5 of OpenPGPComment (github.com) for MovableType blogging engine.

Supervision

• Stella Vorka (City University, Masters project)
• Bartosz Czerwinski (AGH University of Science and Technology, Masters placement)
• Pramod Pawar (City University, PhD. placed in BT)
• Ali Sajjad (City University, PhD. placed in BT)
• Mustafa Aydin (University of York, Eng.D, placed in BT)
• Yair Diaz Tellez (Queen Mary University of London, M.Phil, join supervision)
• Gabriela Gheorghe (University of Trento, scientific visit at BT)
• Matthew Simon (University of South Australia, placement at BT)
• Sakshi Porwal (University College London, placement at BT)
• Stelios Erotokritou (University College London, placement at BT)
• Ron Gerrits (Vrije Universiteit, Masters project)
• Patrick Simpson (Vrije Universiteit, Masters project)
• Erik Zentveld (Vrije Universiteit, Masters project)
• Ana Baos (Erasmus exchange student, Masters project)
• Mathew Joseph (University of Trento, Masters project)
• Sreejith K. S. (University of Trento, Masters project, along with Gabriela Gheorghe)
• Arun P. Mohan (University of Trento, Masters project, along with Gabriela Gheorghe)

Refereed Publications

• Pramod S. Pawar, Srijith K. Nair, Fadi Ali El-Moussa, Theo Dimitrakos, Muttukrishnan Rajarajan and Andrea Zisman, Opinion Model Based Security Reputation Enabling Cloud Broker Architecture, 3rd International Conference on Cloud Computing 24 - 26 Sep 2012, Wien, Austria. pdf, doi, Show Abstract
  Security and trust in service providers is a major concern in the use of cloud services and the associated process of selecting a cloud service provider that meets the expectations and needs of one’s security requirements is not easy. As a solution, we propose a broker architecture model that enables us to build a security reputation framework for cloud service providers, capturing comprehensive evidence of security information to build its trust and security reputation.
  
  
  
• Anirban Basu, Jaideep Vaidya, Hiroaki Kikuchi, Theo Dimitrakos and Srijith K Nair, Privacy preserving collaborative filtering for SaaS enabling PaaS clouds, Journal of Cloud Computing: Advances, Systems and Applications, Vol 1, Issue 1, Article 8, July 2012. pdf, doi, Show Abstract
  Recommender systems use, amongst others, a mechanism called collaborative filtering (CF) to predict the rating that a user will give to an item given the ratings of other items provided by other users. While reasonably accurate CF can be achieved with various well-known techniques, preserving the privacy of rating data from individual users poses a significant challenge. Several privacy preserving schemes have, so far, been proposed in prior work. However, while these schemes are theoretically feasible, there are many practical implementation difficulties on real world public cloud computing platforms. In this paper, we present our implementation experience and experimental results on two public Software-as-a-Service (SaaS) enabling Platform-as-a-Service (PaaS) clouds: the Google App Engine for Java (GAE/J) and the Amazon Web Services Elastic Beanstalk (AWS EBS).
  
  
  
• Yair Diaz-Tellez, Eliane L. Bodanese, Srijith K. Nair and Theo Dimitrakos, An Architecture for the Enforcement of Privacy and Security Requirements in Internet-Centric Services, 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012), pp. 1024-1031, June 25-27, 2012, Liverpool, United Kingdom. doi, Show Abstract
  This paper focuses on the problem of how to protect personal data and privacy in the context of internet-centric services. Two main challenges are considered: how to enable individuals to express data protection requirements on their data in a disclosure request; and how to ensure data is actually protected and processed according to the intended purpose of use after being disclosed. As part of our solution, we introduce the notion of a distinctive online service and architectural component, called the Privacy and Security Broker (PSB), responsible for the protection of personal data. The PSB enables a user to express their data protection requirements and translates them into "Data Protection Property Policies" (DPPPs). A high level architecture and the corresponding protocols involving the interaction of the main actors of our solution are presented.
  
  
  
• P. S. Pawar, M. Rajarajan, S. Krishnan Nair and A. Zisman, Trust Model for Optimized Cloud Services, 6th IFIP WG 11.11 International Conference on Trust Management (IFIPTM 2012), pp. 97-112, May 21-25, 2012, Surat, India pdf, doi, Show Abstract
  Cloud computing with its inherent advantages draws attention for business critical applications, but concurrently expects high level of trust in cloud service providers. Reputation-based trust is emerging as a good choice to model trust of cloud service providers based on available evidence. Many existing reputation based systems either ignore or give less importance to uncertainty linked with the evidence. In this paper, we propose an uncertainty model and define our approach to compute opinion for cloud service providers. Using subjective logic operators along with the computed opinion values, we propose mechanisms to calculate the reputation of cloud service providers. We evaluate and compare our proposed model with existing reputation models.
  
  
  
• Django Amstrong, Karim Djemame, Srijith Nair, Johan Tordsson and Wolfgang Ziegler, Towards a Contextualization Solution for Cloud Platform Serices, 3rd IEEE International Conference on Cloud Computing Technology and Science (IEEE CloudCom 2011), pp.328-331, Nov 29 - Dec 1, 2011, Athens, Greece doi, Show Abstract
  We propose a cloud contextualization mechanism which operates in two stages, contextualization of VM images prior to service deployment (PaaS level) and self-contextualization of VM instances created from the image (IaaS level). The contextualization tools are implemented as part of the OPTIMIS Toolkit, a set of software components for simplified management of cloud services and infrastructures. We present the architecture of our contextualization tools and the feasibility of our contextualization mechanism is demonstrated in a three-tier web application scenario. Preliminary performance results suggest acceptable performance and scalability.
  
  
  
• Rajarajan, M., Sajjad, A., Zisman, A., Nair, S. K. and Dimitrakos, T., Dynamic virtual private network provisioning from multiple cloud infrastructure service providers. 4th European Conference ServiceWave 2011, 26 - 28 Oct 2011, Poznan, Poland. pdf, Show Abstract
  The Cloud infrastructure service providers currently provision basic virtualized computing resources as on demand and dynamic services but there is no common framework in existence that allows the seamless provisioning of even these basic services across multiple cloud service providers, although this is not due to any inherent incompatibility or proprietary nature of the foundation technologies on which these cloud platforms are built. We present a solution idea which aims to provide a dynamic and service oriented provisioning of secure virtual private networks on top of multiple cloud infrastructure service providers. This solution leverages the benefits of peer to peer overlay networks, i.e., the flexibility and scalability to handle the churn of nodes joining and leaving the VPNs and can adapt the topology of the VPN as per the requirements of the applications utilizing its intercloud secure communication framework.
  
  
  
• Johan Tordsson, Karim Djemame, Daniel Espling, Gregory Katsaros, Wolfgang Zielgler, Oliver Waldrich, Kleopatra Konstanteli, Ali Sajjad, Muttukrishnan Rajarajan, Georgina Gallizo and Srijith K. Nair, Towards Holistic Cloud Management, book chapter in "European Research Activities in Cloud Computing" pdf, Show Abstract
  Despite significant attention and substantial efforts both in industry and academia, cloud computing has yet to reach its full potential. Commonly stated obstacles for cloud adoption include confusion due to multiple delivery models (SaaS, PaaS, IaaS) and deployment scenarios (public clouds, private clouds, cloud bursting etc.). Other frequent concerns relate to risks with outsourcing, data legislation issues, inability to assess trust in external providers, etc. In addition to these obstacles to cloud computing as a concept, there are also technical thresholds in today's cloud offerings, making cloud infrastructure provisioning and service lifecycle management tedious processes. We aim to address these issues by research in five main directions: cloud service lifecycle optimization, adaptive self-preservation, self-management based on non-functional criteria, support for multiple cloud architectures, as well as market and legislative studies. The main outcome of our research is the OPTIMIS Toolkit, a set of flexible tools for service and infrastructure self-management.
  
  
  
• Chittaranjan Hota, Sunil Sanka, Muttukrishnan Rajarajan, Srijith K. Nair, Capability-based Cryptographic Data Access Control in Cloud Computing, International Journal of Advanced Networking and Applications (IJANA) (accepted) pdf, Show Abstract
  Cloud computing has emerged as a popular model in computing world to support processing large volumetric data using clusters of commodity computers. It is the latest effort in delivering computing resources as a service. It is used to describe both a platform and a type of application. A cloud computing platform dynamically provisions, configures, and deprovisions servers as needed. Cloud computing also describes applications that are extended to be accessible through the Internet. Data security and access control is one of the most challenging ongoing research work in cloud computing, because of users outsourcing their sensitive data to cloud providers. Existing solutions that use pure cryptographic techniques to mitigate these security and access control problems suffer from heavy computational overhead on the data owner as well as the cloud service provider for key distribution and management. This paper addresses this challenging open problem using capability based access control technique that ensures only valid users will access the outsourced data. This work also proposes a modified Diffie-Hellman key exchange protocol between cloud service provider and the user for secretly sharing a symmetric key for secure data access that alleviates the problem of key distribution and management at cloud service provider. The simulation run and analysis shows that the proposed approach is highly efficient and secure under existing security models.
  
  
  
• Sakshi Porwal, Srijith K. Nair and Theo Dimitrakos, "Regulatory Impact of Data Protection and Privacy in the Cloud", (short paper) 5th IFIP International Conference on Trust Management (IFIPTM 2011), June 29 - July 1, 2011, Copenhagen, Denmark. pdf, Show Abstract
  The use of cloud computing services has developed into a new method for deploying software and services and hosting data. The model has provided enormous social and economic benefits but at the same time it has also created potential privacy and security challenges for businesses, individuals and the governments. For example, the use of shared compute environment, data storage and access via internet has made information vulnerable to misuse, and thus, has made privacy a major concern for organisations adopting cloud services for storage and computation purpose. Generally, each country maintains their own laws and regulations to prevent frauds and protect their citizens from harm, including the potential dangers of data privacy, essential when internet and related technologies are involved. The European Union, for example, follows the overarching governmental regulations while the United States prefers the Sectoral Approach to Data Protection legislation, which relies on the combination of legislation, regulation and self regulation. This report discusses data protection issues related to cloud computing and identifies privacy laws enforced in the EU that can be applied to this model. Moreover, it also provides recommendations that cloud service providers can consider to implement in order to provide enhancements to their services and to demonstrate that they have taken all necessary measures to comply with the data protection principals in place.
  
  
  
• Srijith K. Nair, Sakshi Porwal, Theo Dimitrakos, Ana Juan Ferrer, Johan Tordsson, Tabassum Sharif, Craig Sheridan, Muttukrishnan Rajarajan and Afnan Ullah Khan, "Towards Secure Cloud Bursting, Brokerage and Aggregation", 8th European Conference on Web Services (ECOWS10), Industry Track, Dec. 1-3, 2010, Ayia Napa, Cyprus. pdf, Show Abstract
  The cloud based delivery model for IT resources is revolutionizing the IT industry. Despite the marketing hype around "the cloud", the paradigm itself is in a critical transition state from the laboratories to mass market. Many technical and business aspects of cloud computing need to mature before it is widely adopted for corporate use. For example, the inability to seamlessly burst between internal cloud and external cloud platforms, termed cloud bursting, is a significant shortcoming of current cloud solutions. Furthermore, the absence of a capability that would allow to broker between multiple cloud providers or to aggregate them into a composite service inhibits the free and open competition that would help the market mature. This paper describes the concepts of cloud bursting and cloud brokerage and discusses the open management and security issues associated with the two models. It also presents a possible architectural framework capable of powering the brokerage based cloud services that is currently being developed in the scope of OPTIMIS, an EU FP7 project.
  
  
  
• Ana Juan Ferrer, Francisco Hernández, Johan Tordsson, Erik Elmroth, Csilla Zsigri, Raül Sirvent, Jordi Guitart, Rosa M. Badia, Karim Djemame, Wolfgang Ziegler, Theo Dimitrakos, Srijith K. Nair, George Kousiouris, Kleopatra Konstanteli, Theodora Varvarigou, Benoit Hudzia, Alexander Kipp, Stefan Wesner, Marcelo Corrales, Nikolaus Forgó, Tabassum Sharif and CraigSheridan,OPTIMIS: a Holistic Approach to Cloud Service Provisioning, First International Conference on Utility and Cloud Computing (UCC 2010), December 14-16, 2010, Chennai, India. pdf, Show Abstract
  We present the fundamentals for a toolkit for scalable and dependable service platforms and architectures that enable flexible and dynamic provisioning of cloud services. The innovations behind the toolkit are aimed at optimizing the whole service life cycle, including service construction, deployment, and operation, on a basis of aspects such as trust, risk, eco-efficiency and cost. Notably, adaptive self-preservation is crucial to meet predicted and unforeseen changes in resource requirements. By addressing the whole service life cycle, taking into account the multitude of future cloud architectures, and a by taking a holistic approach to sustainable service provisioning, the toolkit is aimed to provide a foundation for a reliable, sustainable, and trustful cloud computing industry.
  
  
  
• Stelios Erotokritou, Srijith K. Nair, Theo Dimitrakos, "An efficient secure shared storage service with fault and investigative disruption tolerance", 2nd International Workshop on Security in Cloud Computing (SCC'2010), Sept. 13-16, 2010, San Diego, California, USA. pdf, Show Abstract
  In this work we focus on solutions to an emerging threat to cloud-based services - namely that of data seizures within a shared multiple customer architecture. We focus on the problem of securing distributed data storage in a cloud computing environment by designing a specialized multi- tenant data-storage architecture. The architecture we present not only provides high degrees of availability and confidentiality of customer data but is also able to offer these properties even after seizures of various parts of the infrastructure have been carried out through a judicial process. Our solution uses a novel way of storing customer data - combining the cryptographic scheme of secret sharing and combinatorial design theory, to ensure that the requirements of the architecture are met. Furthermore, we show that our proposed solution is efficient with respect to the amount of hardware infrastructure required, thus making the implementation and use of our proposed architecture cost- efficient for adoption by IT enterprises.
  
  
  
• Theo Dimitrakos, David Brossard, Pierre de Leusse and Srijith K. Nair, "Security of Service Networks", Handbook of Information and Communication Security, Stavroulakis, Peter; Stamp, Mark (Eds.), Springer, pp. 349--380, January 2010.
  
  
• Pierre de Leusse, Panos Periorellis, Theo Dimitrakos and Srijith K. Nair, "Self Managed Security Cell: A Security Model for the Internet of Things and Services",The First International Conference on Advances in Future Internet, AFIN 2009, 18-23 June 2009, Athens/Glyfada, Greece. pp. 47--52, IEEE Computer Society (Best Paper Award). pdf, Show Abstract
  The Internet of Things and Services is a rapidly growing concept that illustrates that the ever increasing amount of physical items of our daily life which become addressable through a network could be made more easily manageable and usable through the use of Services. This surge of exposed resources along with the level of privacy and value of the information they hold, together with the increase of their usage make for an augmentation in the number of the security threats and violation attempts that existing security systems do not appear robust enough to address. In this paper, the authors underline this increase in risk and identify the requirements for resources to be more resilient in this type of environment while keeping an important level of flexibility. In addition, the authors propose an architectural model of Self Managed Security Cell, which leverages on current knowledge in large scale security systems, information management and autonomous systems.
  
  
  
• Gian Paolo Jesi, Edoardo Mollona, Srijith K. Nair and Maarten van Steen, "Prestige-based Peer Sampling Service: Interdisciplinary Approach to Secure Gossip", 24th Annual ACM Symposium on Applied Computing, March 8-12, 2009, Honolulu, Hawaii, USA. pdf, Show Abstract
  The Peer Sampling Service (PSS) has been proposed as a mechanism to initiate and maintain the set of connections between nodes in unstructured peer to peer (P2P) networks. The PSS usually relies on gossip-style communication where participants exchange their links in a randomized way. However, the PSS network organization can be easily modified by malicious nodes running a "hub attack", in which they achieve a leading structural position. From this prestigious status, the malicious nodes can severely affect the overlay and achieve several application dependent advantages. We present a novel method to overcome this attack and provide results from simulation experiments that validate our claim. This method is inspired by a simple technique used to detect social leaders in firm's organizations that is based on the social (structural) "prestige" of actors.
  
  
  
• Mohammad T. Dashti, Srijith K. Nair and Hugo L. Jonker, "Nuovo DRM Paradiso:Designing a Secure, Verified Fair DRM Scheme", Fundamentae Informatica (FI), IOS Press, 89, pp. 1--25, 2008. pdf, IOS Press, Show Abstract
  We introduce Nuovo DRM, a digital rights management scheme aimed to be secure from both a formal and a practical point of view. The scheme is based on the recent DRM scheme of Nair et al., which we formally specify in the µcrl process algebraic language. Nair et al. state the following security requirements: effectiveness, secrecy, resistance of content masquerading and strong fairness. These security requirements are formalised and the scheme is formally checked against these requirements. The finite model-check uncovered several security weaknesses, which are addressed by Nuovo DRM. In addition to that, Nuovo DRM introduces several procedural practices to enhance the security of the scheme. A finite model of Nuovo is subsequently model-checked and shown to satisfy its design requirements, including secrecy, fairness and resistance to content masquerading.
  
  
  
• Srijith K. Nair, Gabriela Gheorghe, Bruno Crispo and Andrew S. Tanenbaum, "Enforcing DRM Policies Across Applications", 8th ACM DRM Workshop (DRM 2008), Co-located with ACM CCS 2008, pp. 87-94, October 27, 2008, Alexandria, Virginia, USA. pdf, Show Abstract
  In this paper we present Trishul-UCON (T-UCON), a DRM system based on the UCON_ABC model. T-UCON is designed to be capable of enforcing not only application-specific policies, as any existing software-based DRM solution does, but also DRM policies across applications. This is achieved by binding the DRM policy only to the content it protects with no relations to the application(s) which will use this content. Furthermore, to guarantee that the policy is continuously enforced, we designed T-UCON as a JVM-based middleware that mediates the usage requests of any Java application to the protected content. Each request is granted or denied according to the content policy. We illustrate the unique features of T-UCON by using typical examples of DRM policies such as the pay-per-use and the use only N times scenarios. Preliminary results on the overhead of our solution are also provided.
  
  
  
• Srijith K. Nair, Erik Zentveld, Bruno Crispo, Andrew S. Tanenbaum, "Floodgate: A Micropayment Incentivised P2P Content Delivery Network" - 17th IEEE International Conference on Computer Communications and Networks (ICCCN 2008), August 3 - 7, 2008, St. Thomas U.S. Virgin Islands, USA. pdf, Show Abstract
  As the sale of digital content is moving more and more online, the content providers are beginning to realise that bandwidth infrastructures are not easily scalable. The emergence of peer-to-peer content delivery networks presents these providers with a way to overcome this limitation. However, such networks have so far been ad-hoc in nature. One of the main reason for this has been the lack of incentives for end users to contribute their bandwidth to the network. In this paper we present the design and implementation of a peer-to-peer protocol named Floodgate that provides a micropayment based incentive for peers to contribute their bandwidth. Floodgate implements an optimistic fair exchange protocol and is designed to be resilient against targeted attacks. Performance measurements, including those conducted over the PlanetLab infrastructure, show that Floodgate's security and cryptographic overheads are low when compared to the popular BitTorrent protocol. (pre-proceedings version)
  
  
  
• Srijith K. Nair, Patrick N.D. Simpson, Bruno Crispo and Andrew S. Tanenbaum, "A Virtual Machine Based Information Flow Control System for Policy Enforcement" - Electronic Notes in Theoretical Computer Science, Vol. 197, Issue 1, 21 February 2008, pp. 3-16, Proc. of the First International Workshop on Run Time Enforcement for Mobile and Distributed Systems (REM 2007), Sep 27, 2007, Dresden, Germany. doi, pdf (pre-proceeding version), Show Abstract
  The ability to enforce usage policies attached to data in a fine grained manner requires that the system be able to trace and control the flow of information within it. This paper presents the design and implementation of such an information flow control system, named Trishul, as a Java Virtual Machine. In particular we address the hard problem of tracing implicit information flow, which had not been resolved by previous run-time systems and the intricacies added on by the Java architecture. We argue that the security benefits offered by Trishul are substantial enough to counter-weigh the performance overhead of the system as shown by our experiments.
  
  
  
• Srijith K. Nair, Ron Gerrits, Bruno Crispo, Andrew S. Tanenbaum "Turning Teenagers into Stores", IEEE Computer, vol. 41, no. 2, pp. 58-62, Feb., 2008. pdf, Show Abstract
  Paradiso is a prototype of a system that lets consumers contact content providers to buy songs and videos, and to buy optional content-resale rights. In essence, the scheme would turn customers into content distributors, provide wider reach, and free up content providers' bandwidth. However, such an architecture requires strict security precautions and interoperable digital rights management standards among player manufacturers and content providers.
  
  
  
• Srijith K. Nair, Ivan Djordjevic, Bruno Crispo, Theo Dimitrakos, "Secure Web Service Federation Management using TPM Virtualisation" - 4th ACM Workshop on Secure Web Services (SWS 2007), pp. 73-82, Nov 2, 2007, Alexandria, VA, USA. pdf Show Abstract
  Web Services and SOA provide interoperability and architectural baseline for flexible and dynamic cross-enterprise collaborations, where execution and use of the participating services contributes to the common objective. Relationships within these collaborations are complex, with services joining and leaving throughout the life cycle, or the same services being offered in several collaborations simultaneously. This provides strong requirements for federated security, where integrity and confidentiality of the collaboration must be maintained through membership control, security policy enforcement and separation of web service instance interactions in different collaborations.
  
  In this paper we propose a new Web Services (WS) framework for managing and controlling WS interactions in a federated environment, leveraging on platform virtualisation architecture and the functionalities provided by trusted secure hardware. The framework allows configuring policies that define collaboration membership, and enforce access to the collaboration per-WS instance. In addition, since the access to the configurations is restricted, it provides master-slave model where only authorised administrative entity can modify any of the above - either at the deployment or at the execution time. Some of the benefits of the proposed approach are: fine-grained external exposure of WSs, a flexible model for group membership control and revocation and hardware-enabled secure virtualised system providing functional process isolation and strong data security.
  
  
  
• Ivan Djordjevic, Srijith K. Nair, Theo Dimitrakos, "Virtualised Trusted Computing Platform for Adaptive Security Enforcement of Web Services Interactions" - IEEE 2007 International Conference on Web Services (ICWS07), pp. 615-622, July 9-13, 2007, Salt Lake City, Utah, USA. pdf, Show Abstract
  Security enforcement framework is an important aspect of any distributed system. With new requirements imposed by SOA-based business models, adaptive security enforcement on the application level becomes even more important.
  
  Our work on the enforcement framework to date has resulted in a comprehensive middleware-based solution leveraging on web services technologies. However, potential merits of hardware-based solutions to further secure application exposure have not been considered so far.
  
  This paper describes a method for combining software resource level security features offered by Web Services technologies, with the hardware-based security mechanisms offered by Trusted Computing Platform and system virtualisation approaches. In particular, we propose trust-based architecture for protecting the enforcement middleware deployed at the policy enforcement endpoints of web and grid services. The main motivation is to additionally secure execution environment of the applications, by providing virtual machine level separation that maps from logical domains imposed by web services level enforcement policies.
  
  
  
• Nair, S.,Dashti, M.,Crispo, B., and Tanenbaum, A., "A Hybrid PKI-IBC Based Ephemerizer System", 2007, in IFIP International Federation for Information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Efloff, M.,Labuschagne, L., Eloff, J., von Solms, R., (Boston: Springer), pp. 241-252. pdf, SpringerLink, Show Abstract
  The concept of an Ephemerizer system has been introduced in earlier works as a mechanism to ensure that a file deleted from the persistent storage remains unrecoverable. The principle involved storing the data in an encrypted form in the user's machine and the key to de- crypt the data in a physically separate machine. However the schemes proposed so far do not provide support for fine-grained user settings on the lifetime of the data nor support any mechanism to check the in- tegrity of the system that is using the secret data. In addition we report the presence of a vulnerability in one version of the proposed scheme that can be exploited by an attacker to nullify the ephemeral nature of the keys. We propose and discuss in detail an alternate Identity Based cryptosystem powered scheme that overcomes the identified limitations of the original system.
  
  
  
• Mohammad T. Dashti, Srijith K. Nair, Hugo L. Jonker, "Nuovo DRM Paradiso: Towards a Verified Fair DRM Scheme" - Proceedings of IPM International Symposium on Fundamentals of Software Engineering (FSEN07), pp. 33-48, April 17-19 2007, Tehran, Iran. pdf, SpringerLink , Show Abstract
  We formally specify the recent DRM scheme of Nair et al. in the µcrl process algebraic language. The security requirements of the scheme are formalized and using them as the basis, the scheme is verifed. The verifcation shows the presence of security weaknesses in the original protocols, which are then addressed in our proposed extension to the scheme. A fnite model of the extended scheme is subsequently model checked and shown to satisfy its design requirements, including secrecy, fairness and resisting content masquerading. Our analysis was distributed over a cluster of machines, allowing us to check the whole extended scheme despite its complexity and high non-determinacy.
  
  
  
• Hugo Jonker, Srijith Krishnan Nair, Mohammad Torabi Dashti, "Nuovo DRM Paradiso: towards a verified fair DRM protocol", 1st Benelux Workshop on Information and System Security (WISSEC2006), November 8-9, 2006, Antwerpen, Belgium. pdf, Show Abstract
  The NPGCT DRM scheme, that proposes a unique concept of DRM-preserving content redistribution, has some security issues. These issues are addressed in this paper by an extension of NPGCT. A security mechanism that provides fairness in unsupervised exchanges is introduced, and the mechanism of detecting and revoking circumvented devices is reexamined devices. The resulting DRM scheme, Nuovo DRM, and its requirements are formally specifed. A fnite model of the scheme is subsequently model-checked and shown to satisfy its design requirements.
  
  
  
• Srijith K. Nair "Policy binding and enforcement in Java", Workshop on Run-time Software Integrity and Authenticity, September 18-19, 2006, Trento, Italy.
  
  
• Srijith K. Nair, Bruno Crispo, Andrew S. Tanenbaum, "Towards a Secure Application-semantic Aware Policy Enforcement Architecture", in Proceedings of the 14th International Workshop on Security Protocols 2006, Cambridge, UK, pages 26-31. Springer-Verlag LNCS 5087, 2009. (B. Christianson, B. Crispo, J.A. Malcolm, and M. Roe, editors). pdf, Show Abstract
  Even though policy enforcement has been studied from different angles including notation, negotiation and enforcement, the development of an application-semantic aware enforcement architecture remains an open problem. In this paper we present and discuss the design of such an architecture.
  
  
  
• Srijith K. Nair, Bogdan C. Popescu, Chandana Gamage, Bruno Cripso, Andrew S. Tanenbaum, "Enabling DRM-preserving Digital Content Redistribution" - Proceedings of 7th International IEEE Conference on E-Commerce Technology 2005 (CEC2005), pp. 151-158 July 19-22, 2005, Munich, Germany. pdf, IEEE Xplorer, DBLP, Show Abstract
  Traditionally, the process of online digital content distribution has involved a limited number of centralised distributors selling protected contents and licenses authorising the use of these contents, to consumers. In this paper, we extend this model by introducing a security scheme that enables DRM preserving digital content redistribution. Essentially consumers can not only buy the rights to use digital content but also the rights to redistribute it to other consumers in a DRM controlled fashion. We examine the threats associated with such a redistribution model and explain how our scheme addresses them.
  
  
  
• Srijith K. Nair, Lillykutty Jacob, Akkihebbal L. Ananda, "TCP Vegas-A: Improving the performance of TCP Vegas", Computer Communications, vol. 28, no. 4, pp. 429-440, March 2005. pdf, DBLP, Show Abstract
  While it has been shown that TCP Vegas provides better performance compared to TCP Reno, studies have identified various issues associated with the protocol. We propose modifications to the congestion avoidance mechanism of the TCP Vegas to overcome these limitations. Unlike the solutions proposed in the past, our solution, named TCP Vegas-A, is neither dependent on optimising any critical parameter values nor on the buffer management scheme implemented at the routers and hence can be implemented solely at the end host. Our simulation experiments over wired as well as over geosynchronous and lower earth orbit satellite links show that TCP Vegas-A is able to overcome several of the identified problems-it can obtain a fairer share of the network bandwidth in wired and satellite scenarios, tackle rerouting issues, rectify Vegas's bias against higher bandwidth flows and prevail over fluctuating RTT conditions of a lower earth orbit satellite link. At the same time, Vegas-A is able to preserve the unique properties of Vegas that had made it a noteworthy protocol.
  
  
  
• K.N. Srijith, Lillykutty Jacob and A.L. Ananda, "TCP Vegas-A: Solving the Fairness and Rerouting Issues of TCP Vegas", - Proceedings of 22nd IEEE International Performance, Computing, and Communications Conference (IPCCC) 2003, pp. 309-316, Phoenix, Arizona, April 9 - 11, 2003. pdf, IEEE Xplorer, Show Abstract
  In spite of the larger performance gain such as higher throughput and almost zero packet retransmissions compared to TCP Reno, TCP Vegas still has a few obstacles for it to be deployed in the Internet. Studies have shown unfair treatment to Vegas connections when they compete with Reno connections. Other issues identified with TCP Vegas are problems of rerouting, persistent congestion, and discrepancy in flow rate tied with starting times and link bandwidth. We reinvestigate these issues rind propose modifications to the congestion avoidance mechanism of the TCP Vegas, with the slow-start and congestion recovery algorithms of Vegas remaining untouched. Unlike the solutions proposed in the recent past to deal with some of these issues, our solution it neither dependent on any critical parameter values nor on the buffer management scheme at the routers (e.g., RED). Our experiments show that the modified TCP Vegas (Vegas-A) it able to obtain a fairer share of the network bandwidth when competing with other TCP flows. We also show that Vegas-A can tackle rerouting issues and rectify Vegas's bias against higher bandwidth flows. At the same time, our experiments prove that Vegas-A preserves the properties of Vegas that have made it a noteworthy protocol.
  
  
  
• K.N. Srijith, Lillykutty Jacob and A.L. Ananda, "Worst-case Performance Limitation of TCP SACK and a Feasible Solution", - Proceedings of 8th IEEE International Conference on Communications Systems (ICCS), pp. 1157-1161, November 25-28, 2002, Singapore. pdf, Citeseer Index, Show Abstract
  In the present implementation of the transmission control protocol (TCP) selective acknowledgment (SACK), every SACK block needs 8 bytes to carry information about the received packets, back to the sender. Since TCP options field has a fixed length, there is a limit on the number of SACK block that can be carried by the acknowledgment packets. Under some error conditions, this limitation can force the TCP sender to retransmit packets that have already been received successfully by the receiver. This paper puts forward a proposal to modify the present SACK implementation, in order to prevent these unwanted retransmissions. We show that the proposed implementation of SACK mechanism increases the throughput of SACK enabled TCP connections.
  
  
  
• Lillykutty Jacob, K.N. Srijith, Huang Duo and A.L.Ananda, "Effectiveness of TCP SACK, TCP HACK and TCP Trunk over Satellite Links" - IEEE International Conference on Communications (ICC 2002), Vol.5, pp. 3038 - 3043, April 28 - May 2, 2002. pdf, Citeseer Index, Show Abstract
  This paper reports a study on the performance enhancements of two extensions to the standard TCP implementation - Selective Acknowledgement (SACK) and Header Checksum (HACK) - over satellite links that are characterized by high latency and high bit error rate. We also examine the effectiveness of TCP Trunk, an edge-to-edge aggregation and congestion control mechanism, over the satellite link. Our study on the effect of varying the TCP window size over a long latency link for New Reno, SACK, HACK and TCP Trunk implementations show that increasing window size does improve the performance, but only up to a certain value of the window size, and a further increase actually reduces the performance. Other interesting observations from our experimental study are: SACK enabled TCP Trunk across the satellite link edge routers can improve the throughput regardless of the end host TCP implementation; disabling the link layer CRC and instead implementing the HACK extension to the TCP (and of course HACK+ SACK) can improve the throughput further.
  
  
  
• Yongxiang Liu, K.N. Srijith, L. Jacob and A.L.Ananda,"TCP-CM: A Transport Protocol for TCP-friendly Transmission of Continuous Media" - Proceedings of 21st IEEE International Performance, Computing and Communications Conference (IPCCC 2002), pp. 83-91, April 3-5, 2002, Phoenix, Arizona. pdf, Citeseer Index, Show Abstract
  We propose a new TCP friendly transport protocol, called TCP-CM, for continuous media applications over the Internet. TCP-CM is a direct modification of TCP to support continuous media applications without compromising the congestion control feature of TCP, which is critical to the stable functioning of the Internet. We design TCP-CM API to be compatible with the BSD socket interface, which requires minimum changes for applications to adopt TCP-CM. Continuous media applications that adopt TCP-CM as the transport protocol can be relieved from burdens such as rate control and scheduling for timely delivery, and hence can focus solely on advanced coding or compression techniques for adapting the content according to the available network bandwidth. We implement the TCP-CM in Linux 2.2.15 TCP/IP protocol stack, and run extensive experiments on TCP-CM using emulated video flows. Our experiments show that TCP-CM can be used for the timely delivery of continuous media data within the constraints of the available network bandwidth and can compete with TCP connections fairly.
  
  
  
• K.N. Srijith, V. Ranjit, B.S. Ooi, Y.C. Chan, Y.L. Lam, C.H. Kam, "Fabrication And Characterisation of Bandgap Tuned Lasers in GaAs/AlGaAs Quantum Well Structures Using Pulsed Laser Irradiation", Proceeding of 4th National Symposium On Progress in Materials Research, (Best Poster Award), pp. 137--139, March 27, 1998, Singapore, pdf.
  
  
• V. Ranjit, K.N. Srijith, B.S. Ooi, Y.C. Chan, Y.L. Lam, C.H. Kam, "Characterisation of GaAs/AlGaAs Extended Cavity lasers fabricated using dielectric cap induced quantum well intermixing", Proceeding of 4th National Symposium On Progress in Materials Research, pp. 133-136, Singapore, 27th March 1998.
  
  

Technical Reports

• Srijith K. Nair, Patrick N.D. Simpson, Bruno Crispo and Andrew S. Tanenbaum, Trishul: A Policy Enforcement Architecture for Java Virtual Machines - Technical Report IR-CS-045, Department of Computer Science, Vrije Universiteit, May 2008. pdf Show Abstract
  The standard Java execution environment provides only primitive support for specifying and enforcing access control policies both at the stack and method call level as well as the higher application level. The current implementation also falls short of providing a secure execution environment for Java applications because of its inability to trace information flow within the environment. In this paper we present the design and implementation of Trishul, a modular information flow control based policy enforcement framework for the Java Virtual Machine. A flexible and powerful policy expression language to implement Trishul's policy decision engine is also presented. Performance measurements show that though the prototype implementation does incur overhead, they are within usable limits.
  
  
  
• Srijith K. Nair, "On the Security of Peer Sampling Services" - ASCI a9 report, Vrije Universiteit, 2007. pdf
  
  
• Srijith K. Nair, Patrick N.D. Simpson, Bruno Crispo and Andrew S. Tanenbaum, "Design and Implementation of a Virtual Machine Based Information Flow Control System" - Technical Report IR-CS-040, Department of Computer Science, Vrije Universiteit, May 2007. pdf
  
  
• Srijith K. Nair, Chandana Gamage, Mohammad Torabi Dasti, Bruno Crispo and Andrew S. Tanenbaum, "Countering Digital Forensics: An Identity Based Ephemerizer Cryptosystem" - Technical Report IR-CS-024, Department of Computer Science, Vrije Universiteit, September 2006. pdf
  
  
• H. Jonker, S. Krishnan Nair and M. Torabi Dashti, "Nuovo DRM Paradiso: Formal specification and verification of a DRM protocol" - Technical Report IR-CS-019, Department of Computer Science, Vrije Universiteit, March 2006. pdf
  
  
• Srijith K. Nair, Analysis of Defacement of Indian Web Sites, First Monday, Volume 7, Number 12 (December 2002)
  
  
• Srijith K. Nair, "Study on Management of Open Source Software Projects", Software Project Management Project Report, School of Computing, National University of Singapore, 2002, pdf, CiteSeer Index
  
  
• Srijith K. Nair, "Information Privacy in the Internet Age", Project Report, School of Computing, National University of Singapore, 2002, pdf
  
  
• FlexOr file for graphical Java CASE Tool system. - FlexOr File
  
  
• Srijith K. Nair, Java CASE Tool System Report, JCASE Editor Assignment Report, School of Computing, National University of Singapore, 2001, Word File
  
  

Non-Refereed Publications

• Critical Cloud Computing - The European Union Agency for Cybersecurity (ENISA), Dec. 2012 (contribution)
  
  
• Security & Resilience in Governmental Clouds - The European Union Agency for Cybersecurity (ENISA), Jan. 2011 (contribution)
  
  
• Takshashila Institution Discussion Draft, 11 May, 2011 - Comments on “Discussion Draft on National Cyber Security Policy”, co-authored with Rohan Joshi
  
  
• Takshashila Institution Discussion Draft, 14 July 2010 - "The case for an India-US partnership in cyber security"
  
  
• The SOPA learning - Pragati, The Indian National Interest Review, Apr. 2012.
  
  
• Duqu: an indicator of the next Stuxnet? - Pragati, The Indian National Interest Review, Dec. 2011.
  
  
• Hacked and shamed - Pragati, The Indian National Interest Review, Aug. 2011.
  
  
• A revolution in 140 characters - Pragati, The Indian National Interest Review, Mar. 2011.
  
  
• The dawn of offensive cyberwarfare - Pragati, The Indian National Interest Review, Nov. 2010.
  
  
• The EVM and its critics - Pragati, The Indian National Interest Review, Oct. 2010.
  
  
• Zeros, ones and attackers - Pragati, The Indian National Interest Review, Jul. 2010.
  
  

Book Reviews

• Cyber security and the politics of time by T. Stevens
  
  
• Cyber warfare: a multidisciplinary analysis by J. Green (editor)
  
  
• The Net delusion : the dark side of Internet freedom by E. Morozov (book review)
  
  
• Cyber war: the next threat to national security and what to do about it by Clarke R., Knake R. (book review)
  
  
• Cyberpower and national security by Kramer F., Starr S., Wentz L. (book review)
  
  
• Inside cyber warfare: mapping the cyber underworld by Carr J. (book review)
  
  
• Bricklin on technology by Bricklin D. (book review)
  
  
• Beautiful security by Oram A. (ed), Viega J. (ed) (book review)
  
  
• Presentation Zen: simple ideas on presentation design and delivery by Reynolds G.(book review)
  
  
• The future of the Internet--and how to stop it by Zittrain J. (book review)
  
  
• Presentation Zen: simple ideas on presentation design and delivery by Reynolds G. (book review)
  
  
• Geekonomics : the real cost of insecure software by Rice D. (book review)
  
  
• The Aremac project by Weinberg G. (book review)
  
  
• Computer science reconsidered: the invocation model of process expression by Fant K. (book review)
  
  
• Dark hero of the information age: in search of Norbert Wiener the father of cybernetics by Conway F., Siegelman J., (book review)
  
  
• The Wealth of Networks : How Social Production Transforms Markets and Freedom by Benkler Y. (book review), Recommended by editors (Oct 28, 2007)
  
  
• Backup & recovery by Preston W. (book review), Recommended by editors (August 12 2007)
  
  
• Decrypted secrets: methods and maxims of cryptology by Friedrich L. Bauer (book review)
  
  
• Play Money: Or, How I Quit My Day Job and Made Millions Trading Virtual Loot by Julian Dibbell (book review), Recommended by editors (May 13 2007)
  
  
• A Madman Dreams of Turing Machines by Janna Levin (book review)
  
  
• The Economics of Attention: Style and Substance in the Age of Information by Richard A. Lanham (book review)
  
  
• Turing (A Novel about Computation) by Christos H. Papadimitriou (book review)
  
  
• The Long Tail by Chris Anderson (book review), Recommended by editors (Oct 16 2006)
  
  
• The Wisdom of the Crowds by James Surowiecki (book review)
  
  
• Security and Usability by Cranor L., Garfinkel S. (book review)
  
  
• The Art of Computer Virus Research and Defense by Szor P. (book review)
  
  
• "Trusted computing platforms : TCPA technology in context" by Pearson S. (book review)
  
  
• "The success of open source" by Weber S. (book review), Recommended by editors (Feb 6 2006)
  
  
• "Darknet: Hollywood’s war against the digital generation" by Lasica J. (book review)
  
  
• "Silence on the wire: a field guide to passive reconnaissance and indirect attacks" by Zalewski M. (book review)
  
  
• "The best software writing I" selected and introduced by Joel Spolsky. (book review)
  
  
• Richard Thieme's islands in the clickstream by Richard Thieme. (book review)
  
  
• "Network Security Hacks" by Andrew Lockhart. (book review), (Reader recommended).
  
  
• "The Bug" by Ullman E (book review)
  
  
• "A hacker manifesto" by Wark M. (book review)
  
  
• "Secrets and lies: digital security in a networked world" by Schneier B. (book review), Recommended by editors (Mar 20 2005)
  
  
• "Networks of innovation: change and meaning in the age of the Internet" by Tuomi I. (book review)
  
  
• "Security in wireless mobile and sensor networks" by Das S., Agah A., Basu K. (book chapter review)