Two UAH CCRE doctoral researchers secure patents to defend against sophisticated cyber attacks

HUNTSVILLE, Ala. - February 6, 2026 – Transforming doctoral research into patented technology is a challenging achievement, particularly while completing a Ph.D. Dr. Aaron Werth and Dr. Rishabh Das, former doctoral students at The University of Alabama in Huntsville (UAH), a part of The University of Alabama System, successfully navigated this process, earning U.S. patents for innovative cybersecurity technologies developed through their dissertation research at UAH's Center for Cybersecurity Research and Education (CCRE).

Based on his dissertation, Werth's patent, titled "Embedded intrusion prevention system for industrial controllers," detects and protects programming logic controllers, or PLCs, from commands or ladder logic uploads that would harm the physical process that the PLC manages. A PLC is a specialized "hardened" industrial computer that automates, controls and monitors critical infrastructure, such as manufacturing or power grids. Due to increased networking, PLCs are high-value targets; breaches can cause significant production shutdowns, equipment damage or public safety hazards.

Werth developed the project as a Ph.D. student and subsequently a Ph.D. candidate, spending over three years evolving the concept.

"Other graduate students were focusing more on anomaly-based detection methods, and they developed comprehensive approaches for anomaly detection which were very good," the researcher explains. "I wanted to focus on a different threat – one that appears very normal and not anomalous in its behavior."

Werth reports the biggest challenge proved to be developing "an effective mechanism to detect harmful packets and ladder logic, which appear normal," adding it was "not completely apparent how to create such a mechanism." Malicious ladder logic is code inserted into PLCs to manipulate processes, cause physical damage or hide unauthorized activity, while harmful packets are network data packets used to deliver this malicious logic, manipulate data or disrupt communication between controllers, often exploiting insecure protocols.

Werth recalls a "eureka" moment he and Dr. Tommy Morris, director of the CCRE, shared during a demo of the prototype. "This demo illustrated the concept of the PLC hardware housing a rapid simulation of a model of the PLC interacting with the physical system," Werth says. "Essentially, the PLC had a digital twin of itself within itself so that it could very quickly simulate and determine what would happen if the actual PLC were to process an incoming packet."

Digital twins protect against cyberattacks by creating real-time, virtual replicas of physical systems, allowing organizations to proactively simulate, detect and mitigate threats without risking operational downtime. The advance led to Dr. Morris encouraging Werth to pursue a patent, who filed the invention disclosure just days after successfully defending his dissertation and later filed the patent application.

Buzzing with innovation

Das' patent, titled "Embedded intrusion detection system for industrial controllers," develops and tests a multilayer intrusion detection approach that operates within industrial controllers, serving as the final line of defense against cyber attacks. Das compares the notion to a "hive full of bees" as an easier way to understand this concept.

"Each 'bee' (controller) performs local sensing, collecting process measurements," the researcher says. "The 'bees' simultaneously 'signal' one another by sharing compact summaries of their security state. When a threat is confirmed, the 'hive' responds by escalating alerts to operators. In this way, the system leverages swarm-like behavior."

Das was a Ph.D. candidate when he started working on his "hivemind" idea, and, including the research and evaluation process, he estimates the entire process took about two years to complete. He received approval for his patent in fall 2025.

Das recounts the clock as being the biggest challenge during the development process. "To realize the hivemind concept, I had to ensure that each controller was precisely time-synchronized so that, whenever a controller received a message from a neighboring controller, it knew exactly when that message was sent, making reliable and consistent time synchronization significantly more difficult."

Another major challenge was the detection algorithm, requiring the researcher to make aggressive changes to improve detection performance, which "required re-architecting and rewriting thousands of lines of code in a highly efficient manner, ensuring the algorithms could run in real time on constrained hardware without impacting controller performance."

Das says the greatest satisfaction during the entire process was the moment his concept finally worked. "I still remember executing a network attack on my simulated oil terminal testbed and carefully watching the pressure readings creep toward the safety limit. They identified the issue and shared their alerts, exactly as I had envisioned."

Seeing the forest as well as the trees

Both researchers cite the impact Morris had on their respective projects. "Dr. Morris guided me overall through his knowledge of cybersecurity and SCADA systems and provided input based on his knowledge," Werth says. "He was instrumental in the process of reviewing and editing. We had several research papers based on the dissertation, some submitted before and after I graduated. He helped me to consider many scenarios in which the technology could be applied and various edge cases and coached me on how to formulate hypotheses about the technology. I then had to test these hypotheses through experimentation."

Das cites Dr. Morris's guidance as pivotal as well. "He is both a mentor and a motivator. Having a mentor who can simultaneously see the 30,000-foot view of a research project and also dive into the granular theoretical and developmental details is a true privilege."

The researcher recalls in particular a meeting with Dr. Morris from 2017. "I had just completed a foundational project on industrial control system virtualization and was starting to explore ideas related to intrusion detection. He picked up an orange marker and began filling a whiteboard with potential research questions and directions. Little did I know that many of those questions would eventually shape the core trajectory of my Ph.D. journey. One of those discussions led directly to the conceptualization of the interdependent controller defense. I took a snapshot of that whiteboard, and I still have that picture with me to this day."

The patents awarded to Werth and Das underscore the strength of UAH's doctoral programs and CCRE's mission to advance cybersecurity research while preparing the next generation of technical leaders.

"I have two research roles at UAH," Morris says. "I lead the Center for Cybersecurity Research and Education and I work with Ph.D. students from the Electrical and Computer Engineering department. CCRE researchers tend to work on applied research. Often, we work to take proven ideas and apply them to specific systems such as Industrial Control Systems or weapon systems. The Ph.D. level research is more basic in nature. There we try to look ahead and explore new ideas and technologies. Working in both areas allows me to help transition the work of Ph.D. graduates into applications useful to industry and government. That is a great place to be."