Current Research Projects

  1. Transparency of information access on the Internet: identifying censorship attempts and developing techniques to circumvent/defeat censorship, funded by NSF and industry.
  2. PEASOUP: Preventing Exploits Against Software of Uncertain Provenance, funded by Air Force (led by GrammaTech).
  3. Botnet modeling, analysis, detection and attribution, funded by NSF, DHS, and ONR MURI.
  4. "CLEANSE: Cross-Layer Large-Scale Efficient Analysis of Network Activities to Secure the Internet", funded by NSF (Large Team project).
  5. Malware analysis algorithms and platforms, funded by NSF and industry.
  6. Host-based Security, in particular, virtual machine monitoring techniques, funded by NSF, IARPA, and industry.
  7. Web security and privacy, in particular, access control and information flow, funded by industry.
  8. Foundational and Systems Support for Quantitative Trust Management, ONR MURI (led by U Penn).

Technology Transfer Efforts

  1. Co-founded Damballa in 2006, based on the botnet detection technologies developed by my research group.

Current Ph.D. Students

  1. David Dagon (graduating ?)
  2. Long Lu (graduating 2013)
  3. Brendan Dolan-Gavitt
  4. Yacin Nadji
  5. Chengyu Song
  6. Yeongjin Jang
  7. Xinyu Xing
  8. Byoungyoung Lee
  9. Yizheng Chen
  10. Wei Meng
  11. Ruian Duan
  12. Kangjie Liu
  13. Santosh Ananthakrishnan

Current Post-Doc Research Fellows

  1. Dr. Pak Ho Chung (Ph.D. in Computer Science, UT Austin)
  2. Dr. Tielei Wang (Ph.D. in Computer Science, Peking University)

Ph.D. Alumni

  1. Dr. Xinzhou Qin, 2005, now at Juniper Networks
  2. Dr. Yian Huang, 2006, now at Google
  3. Dr. Prahlad Fogla, 2007, now at Google
  4. Dr. Guofei Gu, 2008, now tenure-track assistant professor at Texas A&M University
  5. Dr. Bryan Payne, 2010, now at Sandia National Labs
  6. Dr. Monirul Sharif, 2010, now at Google
  7. Dr. Kapil Singh, 2011, now at IBM T.J. Watson Research Center
  8. Dr. Martim Carbone, 2012, now at VMware
  9. Dr. Manos Antonakakis, 2012, now at Damballa Inc.
  10. Dr. Junjie Zhang, 2012, now tenure-track assistant professor at Wright State University

Post-Doc Alumni

  1. Dr. Daniel Xiapu Luo, 2010, now at Hong Kong Polytechnic University
  2. Dr. Roberto Perdisci, 2010, now tenure-track assistant professor at the University of Georgia

Past Research Activities

  1. An Information-Theoretic Framework for Evaluating and Optimizing Intrusion Detection Performance, funded by Army Research Office.
  2. Preventing SQL Code Injection by Combining Static and Runtime Analysis, funded by Department of Homeland Security.
  3. Anomaly and Misuse Detection in Network Traffic Streams - Checking and Machine Learning Approaches, funded by Office of Naval Research (ONR MURI).
  4. Intrusion Detection Techniques for Mobile Ad Hoc Networks, funded by NSF.
  5. CAREER: Adaptive Intrusion Detection Systems, funded by NSF.
  6. Agile Security for Storing Sensitive and Critical Information, funded by NSF.
  7. Guarding the Next Internet Frontier: Countering Denial of Information, funded by NSF.
  8. Vulnerability Assessment Tools for Complex Information Networks, funded by Army Research Office (ARO MURI).
  9. Cost-sensitive intrusion detection, funded by DARPA, 5/200-8/2003.
  10. From Fall 1996 through Summer 1999, I was at the Parallel and Distributed Intelligent Systems Laboratory (PI: Sal Stolfo), Computer Science Department, Columbia University. We developed JAM (Java Agents for Meta-learning), an infrastructure to support collaborative learning over distributed databases. We applied JAM technologies to fraud and intrusion detection.

    Ph.D. Thesis: A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems
    My thesis research automates the development process for Intrusion Detection Systems (IDSs). I designed and developed a data mining framework for adaptively building intrusion detection models. The central idea is to use system audit programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. These rules are then automatically converted into executable modules for real-time intrusion detection. Detection models for new intrusions or specific (new) components of a network system are incorporated into an existing IDS through a meta-learning (or co-operative learning) process, which produces a meta detection model that combines evidence from multiple models. To efficiently compute only the "useful" patterns from the large amount of audit data, I modified the basic association rules and frequent episodes algorithms to use axis attribute(s) and reference attribute(s) as forms of item constraints to encode domain knowledge, and an iterative level-wise approximate mining procedure as a means to uncover the low frequency but important patterns.

    We participated in the 1998 DARPA Intrusion Detection Evaluation program. The results showed that our system was one of the best IDSs among those submitted to the evaluation. It performed comparably with the best knowledge-engineered system. The detection models (classification rules) automatically constructed by our data mining framework were very effective (with high detection rates and low false positive rates) in detecting "known" intrusions (with instances in the training data) and "new" intrusions (with no instance seen in the training data) in several attack categories.

  11. In Summer 1997, I was at IBM T. J. Watson Research Center, doing research in Information Economy. I implemented a prototype multi-agent system to simulate the market dynamics of information filtering.

  12. In Summer 1996, I was at the Network Services Research Lab, AT&T Labs - Research, Murray Hill, New Jersey, where I did research in distributed data visualization environments. I designed and implemented a Java-based DAGs drawing and viewing system.

  13. From Fall 1994 through Spring 1996, I was at the Programming Systems Laboratory (PI: Gail Kaiser), Computer Science Department, Columbia University. I did research in software development environments and collaborative workflow systems. I developed several modules of Oz, a workflow system, and applied Oz technologies to healthcare.