Larry Koved is a Principal Research Staff Member in the Information Security Department at the IBM T. J. Watson Research Center in Hawthorne, N.Y. Larry has worked in security since 1999.
Current research is in the areas of FINTECH, blockchain, mobile, cloud, and web security.
Larry founded and co-chairs the Mobile Security Technology (MoST) workshop co-located with the IEEE Symposium on Security and Privacy. He previously co-chaired Web 2.0 Security and Privacy (W2SP), co-located with the MoST workshop. In 2015 a special issue of IEEE Software contained articles related to W2SP submissions. Tyrone Grandison and I gave an introduction to this special issue.
Larry has also been organizing workshops on usable security topics at the Symposium on Usable Privacy and Security (SOUPS): Who are you?! Adventures in Authentication (WAY) in 2014 and 2016, Workshop on Risk Perception in IT Security and Privacy in 2013, and the Workshop on Inclusive Privacy and Security (WIPS) in 2015.
Initially Larry's security research focused on Java (J2SE and J2EE). Larry, Tony Nadalin, Nataraj Nagaratnam and Bruce Rich worked very closely with Sun Microsystems on the early specifications and implementations of J2SE and J2EE security. In 2008 they were recognized by IBM with a corporate award for their contributions to Java security due to its broad and significant impact on IBM's business. One outgrowth of the work on J2EE security was the book Enterprise Java Security: Building Secure J2EE Applications coauthored with Marco Pistoia, Nataraj Nagaratnam and Tony Nadalin. A significant part of Java research was focused on language-based security techniques. This included security development tools. SWORD4J, a collaboration with Ted Habeck, Aaron Kershenbaum and Marco Pistoia, was previously available from IBM's alphaWorks web site.
A related research effort was a project on detecting coding flaws in large web (J2EE) applications. The SABER project used static analysis techniques to identify where programmers had misused Java / web programming frameworks in ways that would produce incorrect results and/or performance / scalability issues.
Larry's most recent research is in usable and mobile device security. One of the projects focuses on the use of alternative authentication techniques, including biometrics, and the use of risk-based authorization to account for the imprecision in the use of machine learning and other probabilistic techniques for user identification and authorization. The majority of this work is being funded by a U.S. Department of Homeland Security contract. An overview of the project can be found here. A (not very good) presentation can be found here.
Earlier research was in the area of Web 2.0 security:
- In 2007, Larry organized the Web 2.0 Security and Privacy (W2SP) workshop in conjunction with the IEEE Symposium on Security and Privacy. Larry co-chaired the workshop from 2007 to 2015. This successful series of workshops has attracted participation from both academia and industry, and participants from around the world.
- Larry was the chair of the OpenAjax Alliance Security Task Force, which produced a specification and reference implementation of secure mashups (a.k.a. SMash). The reference implementation was a collaboration led by Sumeer Bhola, with contributions from Michael Steiner, Suresh Chari, Frederik De Keukelaere, Javier Pedemonte, and Jon Ferraiolo, among others. This technology was incorporated into the OpenAjax Alliance Hub 2.0 reference implementation. This technology is now part of a number of IBM and 3rd party products, including Lotus Mashups.
- Identity and federation are other key areas for Web 2.0, and Larry regularly consults with his colleagues and business partners on this topic.
- Use of social network information to make security more usable. This is an area of ongoing interest.
Along with colleagues at the IBM T.J. Watson Research Center and the IBM Haifa Research Lab, Larry worked on high performance fraud detection. This work was at the intersection of information security and business analytics. Fraudsters have become adept at bypassing traditional security mechanisms using techniques such as man-in-the-browser, card skimming, identity theft, and bust-out, among many others. To combat this type of fraud, it is increasingly necessary to perform cross-channel fraud detection in real time. Larry worked with an interdisciplinary team that includes machine learning, parallel systems and database design to support high throughput / low latency real-time transaction scoring. The more general issue is risk-based authorization, based on the use of IT security information as well as transactional data.
Previous research included mobile computing, a variety of user interface technologies (including Virtual Reality), and real-time collaborative computing. See the publications list for additional details.
ACM Senior Member
IEEE Senior Member