I am a PhD student at Georgia Institute of Technology performing research in the areas of network and computer security under the advisement of Patrick Traynor. I hold degrees from Wake Forest University (M.S., Computer Science, '11) and Duke University (B.S., Computer Science, '06).
From 2006 to 2009, I lived and worked in Atlanta, GA as a software engineer doing development in the financial services and distributed assets industries. My first employer during that time was a smaller company, Obvient Strategies, focused on developing business intelligence and data warehousing solutions. After a year, I left Obvient for a position at Global Payments, Inc. (once listed by Forbes as one of The 400 Best Big Companies), where I spent the next two years working on a web-based transaction processing platform.
Our research discussing the current state of mobile malware and low infection rates was picked up by the Economist.
More news coverage of our paper discussing low malware infection rates and how you probably don't need that AV tool on your Android device.
More coverage of our paper discussing low malware infection rates for mobile devices.
A study by Google confirms the results of our paper, The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers, showing low malware infection rates for mobile devices.
Performed research into characterizing the malicious threats seen in cellular data networks.
Performed research into exploiting graph structure for identity resolution and de-anonymization.
Performed research in the area of cyber security and helped to set up and deploy a network security testbed.
Developed a virtual terminal web application and payment gateway for the company's transaction processing engine.
Developed business intelligence and data warehousing solutions for the Distributed Asset Industry.
Much of the attention surrounding mobile malware has focused on the in-depth analysis of malicious applications. While bringing the community valuable information about the methods used and data targeted by malware writers, such work has not yet been able to quantify the prevalence with which mobile devices are actually infected. In this paper, we present the first such attempt through a study of the hosting infrastructure used by mobile applications. Using DNS traffic collected over the course of three months from a major US cellular provider as well as a major US non-cellular Internet service provider, we identify the DNS domains looked up by mobile applications, and analyze information related to the Internet hosts pointed to by these domains. We make several important observations. First, the mobile malware found by the research community thus far appears in a minuscule number of devices in the network: 3,492 out of over 380 million (less than 0.0009%) observed during the course of our analysis. This result lends credence to the argument that, while not perfect, mobile application markets are currently providing adequate security for the majority of mobile device users. Second, we find that users of iOS devices are virtually as likely to communicate with known low-reputation domains as the owners of other mobile platforms, calling into question the conventional wisdom of one platform demonstrably providing greater security than another. Finally, we observe two malware campaigns from the upper levels of the DNS hierarchy and analyze the lifetimes and network properties of these threats. We also note that one of these campaigns ceases to operate long before the malware associated with it is discovered, suggesting that network-based countermeasures may be useful in the identification and mitigation of future threats.
An important component of network resource management and security enforcement is recognizing the applications active on a network. Unfortunately, payload encryption and the use of non-standard ports render traditional application identification methods marginally useful. Newer in-the-dark application discovery methods can contend with these conditions, but still rely on packet-level information that may not be readily available to administrators.
This paper describes the initial findings and future directions of a technique that uses network motifs (i.e., overrepresented interaction subgraphs) to identify network activity. Modeling the flow-level network interactions as a graph, the proposed approach identifies sets of frequently occurring subgraphs that are useful for inferring the applications. Initial results show this approach can achieve an average accuracy of 85% in mapping motifs to applications. We argue that performance can be improved by incorporating features into motifs that provide information about vertices and edges while preserving the ability for system administrators to gather such feature information from flow-level traces. Specific issues that arise in the collection of computer network interaction data and in dealing with the scale of such data are also highlighted.
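To make the abstract's notion of a network motif concrete, here is an added illustration (not the paper's code): flow records are collapsed into a directed graph, every connected 3-node induced subgraph is counted by isomorphism class, and each class is scored for overrepresentation against random graphs with the same node and edge counts. The flow records are constructed, and the random-graph null model is a deliberate simplification of the degree-preserving baselines usually used in motif work.

```python
from collections import Counter
from itertools import combinations, permutations
from statistics import fmean, pstdev
import random
# Constructed sample flow records (src, dst): three hosts query a resolver and a
# web front end, the front end talks to a database, and the hosts form a ring.
SAMPLE_FLOWS = [("h1", "dns"), ("h2", "dns"), ("h3", "dns"), ("h1", "web"),
                ("h2", "web"), ("h3", "web"), ("web", "db"), ("web", "db"),
                ("h1", "h2"), ("h2", "h3"), ("h3", "h1")]
def build_graph(flows):
    """Directed edge set; repeated flows between one pair collapse to one edge."""
    return {(s, d) for s, d in flows if s != d}

def canonical(group, sub):
    """Isomorphism-class label of subgraph `sub` on vertices `group`: the smallest sorted
    edge tuple over all relabellings as 0..k-1, e.g. ((0,1),(0,2),(1,2)) is feed-forward."""
    return min(tuple(sorted((o.index(s), o.index(d)) for s, d in sub))
               for o in permutations(group))

def connected(group, sub):
    """Weak connectivity of the induced subgraph (edge directions ignored)."""
    reach, grown = set(), {group[0]}
    while grown != reach:
        reach = grown
        grown = reach | {d for s, d in sub if s in reach} | {s for s, d in sub if d in reach}
    return len(reach) == len(group)

def count_motifs(edges, k=3):
    """Count connected induced k-node subgraphs, keyed by isomorphism class."""
    counts, nodes = Counter(), sorted({v for e in edges for v in e})
    for group in combinations(nodes, k):
        sub = [e for e in edges if e[0] in group and e[1] in group]
        if sub and connected(group, sub):
            counts[canonical(group, sub)] += 1
    return counts

def motif_zscores(edges, k=3, trials=20, seed=1):
    """Overrepresentation of each observed motif as a z-score against random graphs
    with the same node and edge counts (a deliberately simple null model)."""
    nodes = sorted({v for e in edges for v in e})
    observed, rng = count_motifs(edges, k), random.Random(seed)
    samples = {m: [] for m in observed}
    for _ in range(trials):
        rand_edges = set()
        while len(rand_edges) < len(edges):
            rand_edges.add(tuple(rng.sample(nodes, 2)))
        rand_counts = count_motifs(rand_edges, k)
        for m in samples:
            samples[m].append(rand_counts[m])
    return observed, {m: (observed[m] - fmean(v)) / pstdev(v) if pstdev(v) else float("inf")
                      for m, v in samples.items()}
```

On the sample graph the feed-forward triangle (host to front end, front end to database, host to database via the ring) dominates the counts and scores well above the random baseline; the ring itself shows up as a single cycle motif.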