I am an associate professor in the Khoury College of Computer
Sciences at Northeastern University, Executive Director of the Cybersecurity and Privacy Institute, and
affiliate faculty at the Center for Law, Innovation and Creativity (CLIC).
My research is primarily in the areas of distributed systems and
networking, with a recent focus on privacy, security, transparency, and mobile systems.
My research approach is to combine science and engineering to understand and improve the performance, reliability, and security of Internet systems. With respect to science, I empirically measure computer systems that interact over the Internet to understand how well they match existing models and assumptions, then investigate the root causes for violations of those models/assumptions—often then leading to the design of new models. In many cases, our observations also suggest the design of systems that exploit previously unknown information about how our Internet-enabled systems work, and as an engineer I build and evaluate such systems in a way that other researchers, users, and policy makers can benefit from the result. To date, the software artifacts of my research have more than one million users, and my research teams have produced reports and datasets that informed additional research, policy debates, regulators, and legislators.
- 7/22/21 My team's work on Personal Virtual Networks and IoT privacy and security were mentioned in the UK Telecom Regulator,
Ofcom, Internet Futures report.
- 7/20/21 I penned an article about how Wehe is enabling crowdsourced detection of
net neutrality violations worldwide and adapting to new applications as part of the
Arcep 2021 State of the Internet report.
- 7/6/21 Another batch of updates:
- 6/29/21 Time for another batch update on things that have happened since... a while ago:
- Our paper titled AnyOpt: Predicting and Optimizing IP Anycast Performance, was accepted for publication at SIGCOMM 2021.
This was fantastic work led by Shane (Xiao) Zhang at Duke, along with Tanmoy Sen, Zheyuan Zhang, Tim April, Balakrishnan Chandrasekaran, Bruce M. Maggs, Haiying Shen, Ramesh K. Sitaraman, and Xiaowei Yang.
We show how you don't have to compromise on latency performance when building an anycast-based service.
- Our paper titled Blocking without Breaking: Identification and Mitigation of Non-Essential IoT Traffic was accepted to appear in PETS 2021.
Learn how we can block unnecessary IoT traffic to reduce privacy and security issues. Joint work with Anna Maria Mandalari (Imperial College London), Daniel J. Dubois (Northeastern University), Roman Kolcun (Imperial College London), Muhammad Talha Paracha (Northeastern University), Hamed Haddadi (Imperial College London).
- Our prototype proposal “IoTrimmer: Defending against IoT privacy threats” reached the TOP 10 (among 180 submissions) at the Telekom Challenge by T-Labs. We're planning to make our privacy- and security-enhancing technology into a product for widespread use.
- Theo Benson and I will be the Program Committee co-Chairs for the 2022 Internet Measurement Conference. I can't wait to see everyone's fascinating submissions!
- I am part of a team that has been awarded a $10M NSF SaTC Frontier grant for improving privacy via a multimodal, interdisciplinary approach. Learn more about our project at: https://properdata.eng.uci.edu/
- 9/9/20 It's been a busy pandemic, and there quite a few updates since last time:
- I spent my sabbatical as a Security Architect at Akamai Technologies. I learned a great deal and worked with extremely talented and welcoming people.
- My team's work on smart speakers inadvertently waking up was published and presented at PETS 2020. You learn more about it here.
- Along with collaborators from the UK, and Germany, my team's work on detecting IoT devices from highly sampled network traffic was accepted to IMC 2020. You can find a preprint here.
- I'm now an affiliate faculty member at Northeastern's Center for Law, Innovation and Creativity (CLIC). I'm thrilled to join such an esteemed group of collegues and work with them at the intersection of empirical neworking research and consumer protection policy.
- 2/20/20 Happy to announce that FlowPrint will appear in NDSS 2020! This project focuses on an approach to fingerprinting apps based ono network traffic that works both in semi-supervised and entirely unsuperrvised settings. This is joint work led by Thijs van Ede, along with Riccardo Bortolameotti, Andrea Continella, Jingjing Ren, Daniel Dubois, Martina Lindorfer, Maarten van Steen, Andreas Peter.
- 7/19/19 Very excited to report that two papers I coauthored will appear at IMC 2019.
- In Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach, led by my recently graduated PhD student Dr. Jingjing Ren, we conduct a multidimensional analysis of privacy exposure from 81 devices located in labs in the US and UK, using more than 34,000 automated and manual experiments. We characterize privacy exposure in terms of destinations of Internet traffic, whether the contents of communication are protected by encryption, what are the IoT-device interactions that each destination learns about, and whether there are unexpected exposures of sensitive information (eg video surreptitiously transmitted by a recording device). This is joint work with Daniel J. Dubois, Anna Maria Mandalari, Roman Kolcun, and Hamed Haddadi.
- In RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins, led by former NEU postdoc Taejoong Chung, we study the evolution of the RPKI deployment using a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed. We find that the RPKI has seen a rapid increase in adoption over the past two years, and recently misconfigurations are rare, meaning that the deployment is ready for prime time and ready for ISPs to drop RPKI invalid routes. This is joint work with Emile Aben, Tim Bruijnzeels, Balakrishnan Chandrasekaran, Dave Levin, Bruce Maggs, Alan Mislove, Roland van Rijswijk-Deij, John P. Rula, and Nick Sullivan.
- 6/7/19 Tenure achievement unlocked! I am beyond excited to report that the President and Board of Trustees of Northeastern University have approved my promotion to Associate Professor with tenure. I have so many people to thank, including all of my outstanding collaborators and colleagues, and of course my family for supporting me along this long and fruitful journey.
- 5/3/19 Beyond proud to report that my PhD student's work on analyzing global net neutrality violations using Wehe was accepted to SIGCOMM 2019! This was a multiyear effort with tons of support from the rest of the research team (Arian Niaki and Phililpa Gill from UMass, and Alan Mislove and me at NEU), along with important contributions to app and system development from Kirill Voloshin, Harsh Modi, I-Farn Chen, and more. I'd also like to think the 100,000+ users who have run tests using our Wehe apps, Arcep for our collaboration on auditing net neutrality violations in France, and our other partners/sponsors (the NSF, Google, Verizon Labs, and Measurement-Lab, and Amazon AWS).
- 8/3/18 I will be co-chairing the program committee for the 20th edition of the Passive and Active Measurement (PAM) Conference, to be held in Chilean Patagonia (Puerto Varas)! More details at the PAM 2019 website. Looking forward to seeing great measurement submissions.
- 7/31/18 Pleased to report that our work on measuring whether we're ready to move to HTTPS certificate validation via OSCP was accepted to IMC '18. Joint work with Taejoong Chung, Jay Lok, Balakrishnan Chandrasekaran, Dave Levin, Bruce Maggs, Alan Mislove, John Rula, Nick Sullivan (Cloudflare) and Christo Wilson.
- 7/3/18 Coverage of our work on apps that spy on you. TL;DR: We didn't see abuse of microphone or cameras, but we did see how apps are recording your every move and sending images/videos of this to third parties. We responsibly disclosed to Google and others, they took action to mitigate this privacy risk. More details in our paper.
- 5/4/18 My recently graduated Ph.D. student, Dr. Arash Molavi Kakhki, won the 2018 Northeastern CCIS Excellence in Research Award. Congrats, Arash!
- 5/2/18 Just a few end-of-semester updates:
- Our paper "Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications" was accepted to PETs 2018. We found some scary stuff and are in the process of responsible disclosure, so stay tuned.
- Our paper "A First Look at Certification Authority Authorization (CAA)" appeared in SIGCOMM CCR's April issue. This is joint work with TUM, RWTH Aachen, University of Twente, and University of Sydney.
- I'm co-chairing the IRTF Applied Networking Research Workshop to be held at IETF 102. We received over 40 submissions in this reboot of the workshop, which promises to feature a great program.
- My PhD student Jingjing Ren presented her NDSS work on privacy leaks over time at the FTC's annual PrivacyCon event.
- I testified again at the MA state legislature on the topic of net neutrality.
- We've now received more than a half million tests from our Wehe app. Download it now for iOS and Android, learn if your ISP is violating net neutrality.
- 2/20/18 Our paper, Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach, won the Cisco Network Security Best Paper Award at NDSS! Joint work with Samuel Jero, Endadul Hoque, Alan Mislove, and Cristina Nita-Rotaru.
- 2/12/18 First update of the new year. Just a few things happened...
- Our Wehe app for detecting net neutrality violations got quite a bit of attention, in large part due to Apple rejecting our app and then later reversing its decision. Our work was subsequently covered by dozens of news outlets, and a piece about net neutrality featuring this work appeared on VICE News. Thanks to this publicity we have received over 100,000 tests worldwide, and we will be updating our website with our findings as we process the data.
- I testified to the Massachusetts State Senate Committee on Net Neutrality and Consumer Protection, you can find coverage here.
- Arash Molavi Kakhki, my recently graduated PhD student, won the IRTF's Applied Networking Research Prize for his work on QUIC that was published at IMC 2017.
- 12/24/17 Year-end update:
- Our longitudinal study on app privacy (to appear in NDSS'18) was selected for presentation at FTC PrivacyCon 2018.
- A first look at in-flight WiFi (joint work with Northwestern) was accepted to WWW'18.
- I led a panel on tools for data transparency at the DTL'17 conference, featuring Ashkan Soltani, Kashmir Hill, Justin Brookman, Franck Baudot, and Andrea Martens.
- ReCon was awarded a grant from the Comcast Innovation Fund.
- Wehe, our tool for detecting net neutrality violations, has been selected by ARCEP (the French telecom regulator) for providing consumers in France the ability to monitor and report ISPs that unlawfully differentiate network traffic.
- More exciting news to report in 2018!
- 10/30/17 Excited to report that I will have two papers appearing at NDSS 2018! "Bug Fixes, Improvements, ... and Privacy Leaks - A Longitudinal Study of PII Leaks Across Android App Versions" -- joint work with UCSB, U of Helsinki and IMDEA/ICSI -- explores how app privacy leaks change over time. "Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach" -- joint work with Purdue and FIU -- combines the generality of implementation-agnostic fuzzing with the precision of runtime analysis to find attacks against implementations of TCP congestion control.
- 9/8/17 I gave a talk about DPI middleboxes and their implications for policymakers at TPRC 45. Read my paper on the topic here.
- 8/21/17 The Harvest documentary film, which is based on data gathered from the ReCon Project, is now available online for free! This short film (11 minutes) appeared at several presitigious film festivals, including Aspen Shortsfest, HotDocs, Seattle International Film Festival, and Rooftop Films summer series.
- 8/16/17 Our paper on studying DNSSEC and its improper deployments won the Distinguished Paper award at USENIX Security '17! Congratulations to the lead author, Taejoong Chung, and all the rest of our coauthors!
- 7/28/17 Northeastern continues its strong presence in IMC, with four papers appearing in the conference! I am involved all four of them:
More details to come after camera-ready versions are prepared.
- "Taking a Long Look at QUIC: An Approach for Rigorous Evaluation of Rapidly Evolving Transport Protocols"
- "lib·erate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently" (with UMass-Amherst)
- "Understanding the Role of Registrars in DNSSEC Deployment" (with Maryland, Duke/Akamai, University of Twente)
- "The Record Route Option is an Option!" (with Rutgers/USC/Columbia/Microsoft and Waikato)
- 6/23/17 Many updates after a long hiatus.
- Harvest will appear at Rooftop Films in NYC, where we will be running an interactive event using ReCon. It's a free event, register here.
- Our paper on studying DNSSEC and its improper deployments was accepted to USENIX Security. This completes my first-ever "cycle" for top security conferences (CCS, NDSS, Oakland, USENIX). Wouldn't have been able to do it without the my ridiculously talented collaborators.
- Our poster on studying the DNSSEC root key rollover event was accepted to the SIGCOMM poster session.
- Our traffic differentiation work was covered in the ARCEP (French national telecom regulator) annual report (page 73).
- ReCon was in the news (again)! A great article by Fast Company and a TV story by NBC News Boston.
- 5/4/17 Harvest continues its film festival appearances, with announcments today that it will appear at BAMcinemaFest in NYC and the Seattle International Film Festival.
- 4/26/17 After a successful world premiere in Aspen, the Harvest documentary film will have its international premeiere at the HotDocs Film Festival in Toronto this weekend!
- 3/14/17 Thrilled to announce that Harvest, a documentary film that used our ReCon project to identify and highlight privacy risks when using mobile apps, will be premiering at the Aspen Film Festival in April!
- 3/10/17 ReCon was mentioned in the Danish news site Version2.
- 2/15/17 Our ReCon project was mentioned in a Boston Globe article about mobile privacy.
- 2/14/17 Renata Teixeira (Inria) and I were awarded a Google Faculty Research Award for our proposal on diagnoising and improving QoE. Thanks, Google!
- Older news...
For those who don't know me, the following passage has become a theme
that runs through my life. In short, I "push the rock," just like Sisyphus from Greek
mythology. But Camus tells it better:
As for this myth, one
sees merely the whole effort of a body straining to raise the huge
stone, to roll it and push it up a slope a hundred times over; one sees
the face screwed up, the cheek tight against the stone, the shoulder
bracing the clay-covered mass, the foot wedging it, the fresh start
with arms outstretched, the wholly human security of two earth-clotted
hands. At the very end of his long effort measured by skyless space and
time without depth, the purpose is achieved. Then Sisyphus watches the
stone rush down in a few moments toward that lower world whence he will
have to push it up again toward the summit. He goes back down to the
plain. It is during that return, that pause, that Sisyphus interests
me. A face that toils so close to stones is already stone itself! I see
that man going back down with a heavy yet measured step toward the
torment of which he will never know the end. That hour like a
breathing-space which returns as surely as his suffering, that is the
hour of consciousness. At each of those moments when he leaves the
heights and gradually sinks toward the lairs of the gods, he is
superior to his fate. He is stronger than his rock.
-- Albert Camus, The Myth of Sisyphus