Current Research Projects

  1. Botnet modeling, analysis, detection and attribution, funded by NSF, DHS, and ONR MURI.
  2. "CLEANSE: Cross-Layer Large-Scale Efficient Analysis of Network Activities to Secure the Internet", funded by NSF (Large Team project).
  3. "SMITE: Scalable Monitoring in the Extreme", funded by BBN/DARPA.
  4. Malware analysis algorithms and platforms, funded by NSF and industry.
  5. Host-based Security, in particular, virtual machine monitoring techniques, funded by NSF, IARPA, and industry.
  6. Web security and privacy, in particular, access control and information flow, funded by industry.
  7. "Foundational and Systems Support for Quantitative Trust Management", funded by ONR MURI (led by U Penn).

Current Ph.D. Students

  1. David Dagon (graduating Feb. 2010)
  2. Bryan Payne (graduating Aug. 2010)
  3. Monirul Sharif (graduating Aug. 2010)
  4. Kapil Singh
  5. Martim Carbone
  6. Manos Antonakakis
  7. Junjie Zhang
  8. Long Lu

Current Post-Doc Research Fellows

  1. Dr. Daniel Xiapu Luo
  2. Dr. Roberto Perdisci

Ph.D. Alumni

  1. Dr. Xinzhou Qin, now at Cisco
  2. Dr. Yian Huang, now at Google
  3. Dr. Prahlad Fogla, now at Google
  4. Dr. Guofei Gu, now tenure-track assistant professor at Texas A&M University

Past Research Activities

  1. An Information-Theoretic Framework for Evaluating and Optimizing Intrusion Detection Performance, funded by Army Research Office.
  2. Preventing SQL Code Injection by Combining Static and Runtime Analysis, funded by Department of Homeland Security.
  3. Anomaly and Misuse Detection in Network Traffic Streams - Checking and Machine Learning Approaches, funded by Office of Naval Research (ONR MURI).
  4. Intrusion Detection Techniques for Mobile Ad Hoc Networks, funded by NSF.
  5. CAREER: Adaptive Intrusion Detection Systems, funded by NSF.
  6. Agile Security for Storing Sensitive and Critical Information, funded by NSF.
  7. Guarding the Next Internet Frontier: Countering Denial of Information, funded by NSF.
  8. Vulnerability Assessment Tools for Complex Information Networks, funded by Army Research Office (ARO MURI).
  9. Cost-sensitive intrusion detection, funded by DARPA, 5/200-8/2003.
  10. From Fall 1996 through Summer 1999, I was at the Parallel and Distributed Intelligent Systems Laboratory (PI: Sal Stolfo), Computer Science Department, Columbia University. We developed JAM (Java Agents for Meta-learning), which is an infrastructure to support collaborative learning over distributed databases. We applied JAM technologies to fraud and intrusion detection.

    Ph.D. Thesis: A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems
    My thesis research automates the development process for Intrusion Detection Systems (IDSs). I designed and developed a data mining framework for adaptively building intrusion detection models. The central idea is to use system audit programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. These rules are then automatically converted into executable modules for real-time intrusion detection. Detection models for new intrusions or specific (new) components of a network system are incorporated into an existing IDS through a meta-learning (or co-operative learning) process, which produces a meta detection model that combines evidence from multiple models. To efficiently compute only the "useful" patterns from the large amount of audit data, I modified the basic association rules and frequent episodes algorithms to use axis attribute(s) and reference attribute(s) as forms of item constraints to encode domain knowledge, and an iterative level-wise approximate mining procedure as a means to uncover the low frequency but important patterns.

    We participated in the 1998 DARPA Intrusion Detection Evaluation program. The results showed that our system was one of the best IDSs among those submitted to the evaluation. It performed comparably to the best knowledge-engineered system. The detection models (classification rules) automatically constructed by our data mining framework were very effective (with high detection rates and low false positive rates) in detecting "known" intrusions (with instances in the training data) and "new" intrusions (with no instance seen in the training data) in several attack categories.

  11. In Summer 1997, I was at IBM T. J. Watson Research Center, doing research in Information Economy. I implemented a prototype multi-agent system to simulate the market dynamics of information filtering.

  12. In Summer 1996, I was at the Network Services Research Lab, AT&T Labs - Research, Murray Hill, New Jersey, where I did research in distributed data visualization environments. I designed and implemented a Java-based DAG drawing and viewing system.

  13. From Fall 1994 through Spring 1996, I was at the Programming Systems Laboratory (PI: Gail Kaiser), Computer Science Department, Columbia University. I did research in software development environments and collaborative workflow systems. I developed several modules of Oz, a workflow system, and applied Oz technologies to healthcare.
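The axis-attribute constraint from the thesis description in item 10 above, as an added illustration (not code from this page or from the JAM project): constructed connection records are mined level-wise, only itemsets that contain a `service=` item are kept and extended, and rules are then read off with the axis item on the left-hand side. The record attributes and values are assumed for illustration; the reference-attribute and approximate-mining parts of the framework are not shown.

```python
from itertools import combinations

# Constructed sample audit records (not from the page): one per connection,
# each a set of attribute=value items as a system audit program would emit.
RECORDS = [
    {"service=http", "flag=SF", "dst_port=80", "proto=tcp"},
    {"service=http", "flag=SF", "dst_port=80", "proto=tcp"},
    {"service=http", "flag=SF", "dst_port=80", "proto=tcp"},
    {"service=http", "flag=S0", "dst_port=80", "proto=tcp"},
    {"service=smtp", "flag=SF", "dst_port=25", "proto=tcp"},
    {"service=smtp", "flag=SF", "dst_port=25", "proto=tcp"},
    {"service=dns", "flag=SF", "dst_port=53", "proto=udp"},
    {"service=dns", "flag=SF", "dst_port=53", "proto=udp"},
]

def frequent_itemsets(records, min_support, axis="service"):
    """Apriori-style level-wise mining of itemsets that contain an axis item."""
    n = len(records)
    attr = lambda item: item.split("=", 1)[0]
    support = lambda cand: sum(cand <= r for r in records) / n
    singles = {frozenset([i]) for r in records for i in r}
    freq_singles = [s for s in singles if support(s) >= min_support]
    # Level 1: only the axis attribute's own values seed the search, so an
    # itemset such as {flag=SF, proto=tcp} is never counted however frequent.
    level = {s: support(s) for s in freq_singles if attr(min(s)) == axis}
    found = dict(level)
    while level:
        cands = set()
        for iset in level:  # extend each axis itemset by one new attribute
            present = {attr(i) for i in iset}
            cands.update(iset | s for s in freq_singles if attr(min(s)) not in present)
        level = {c: sup for c in cands if (sup := support(c)) >= min_support}
        found.update(level)
    return found

def association_rules(freq, min_conf, axis="service"):
    """Rules (lhs, rhs, support, confidence) whose lhs keeps the axis item."""
    rules = []
    for iset, sup in freq.items():
        axis_item = next(i for i in iset if i.split("=", 1)[0] == axis)
        rest = sorted(iset - {axis_item})
        for k in range(1, len(rest) + 1):
            for rhs in combinations(rest, k):
                lhs = iset - frozenset(rhs)
                conf = sup / freq[lhs]  # lhs still holds the axis item, so it was mined
                if conf >= min_conf:
                    rules.append((lhs, frozenset(rhs), sup, conf))
    return rules
```

With `min_support=0.25` and `min_conf=0.9` on the sample, the `service=http -> dst_port=80` rule survives while `service=http -> flag=SF` (confidence 0.75) is dropped.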