I am a PhD student at Georgia Institute of Technology performing research in the areas of network and computer security. I am currently being advised by Manos Antonakakis, but I was formerly advised by Patrick Traynor. I currently hold degrees from Wake Forest University (M.S., Computer Science, ’11) and Duke University (B.S., Computer Science, ’06).
From 2006-2009, I lived and worked in Atlanta, GA as a software engineer doing development in the financial services and distributed assets industries. My first employer during that time was a smaller company, Obvient Strategies, focused on developing business intelligence and data warehousing solutions. After a year, I left Obvient for a position at Global Payments, Inc (once listed by Forbes as one of The 400 Best Big Companies) where I spent the next two years working on a web-based transactions processing platform.
An article about our paper on expired domains and the problems caused by DNS ownership changes appeared in Dark Reading.
Our research discussing the current state of mobile malware and low infection rates was picked up by the Economist.
More news coverage of our paper discussing low malware infection rates and how you probably don't need that AV tool on your Android device.
More coverage of our paper discussing low malware infection rates for mobile devices.
A study by Google confirms the results of our paper, The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers, showing low malware infection rates for mobile devices.
Performed research into characterizing the malicious threats seen in cellular data networks.
Performed research into exploiting graph structure for identity resolution and de-anonymization.
Performed research in the area of cyber security and helped to set up and deploy a network security testbed.
Developed a virtual terminal web application and payment gateway for the company's transaction processing engine.
Developed business intelligence and data warehousing solutions for the Distributed Asset Industry.
Domains are frequently used as trust anchors, but any individual that re-registers an expired domain implicitly inherits the residual trust associated with the domain's prior use. We find that adversaries can, and do, use malicious re-registration to exploit domain ownership changes—undermining the security of both users and systems. In fact, we find that many seemingly disparate security problems share a root cause in residual domain trust abuse. With this study we shed light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years. During this time, we identified 27,758 domains from public blacklists and 238,279 domains resolved by malware that expired and then were maliciously re-registered. To help address this problem, we propose a technical remedy and discuss several policy remedies. For the former, we develop Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes. Using this algorithm, we identify several instances of residual trust abuse, including an expired APT domain that was available for immediate re-registration.
Garbled circuits offer a powerful primitive for computation on a user’s personal data while keeping that data private. Despite recent improvements, constructing and evaluating circuits of any useful size remains expensive on the limited hardware resources of a smartphone, the primary computational device available to most users around the world. In this work, we develop a new technique for securely outsourcing the generation of garbled circuits to a Cloud provider. By outsourcing the circuit generation, we are able to eliminate the most costly operations from the mobile device, including oblivious transfers. After proving the security of our techniques in the malicious model, we experimentally demonstrate that our new protocol, built on this role reversal, decreases execution time by 98% and reduces network costs by as much as 92% compared to previous outsourcing protocols. In so doing, we demonstrate that the use of garbled circuits on mobile devices can be made nearly as practical as it is becoming for server-class machines.
Much of the attention surrounding mobile malware has focused on the in-depth analysis of malicious applications. While bringing the community valuable information about the methods used and data targeted by malware writers, such work has not yet been able to quantify the prevalence with which mobile devices are actually infected. In this paper, we present the first such attempt through a study of the hosting infrastructure used by mobile applications. Using DNS traffic collected over the course of three months from a major US cellular provider as well as a major US non-cellular Internet service provider, we identify the DNS domains looked up by mobile applications, and analyze information related to the Internet hosts pointed to by these domains. We make several important observations. First, the mobile malware found by the research community thus far appears in a minuscule number of devices in the network: 3,492 out of over 380 million (less than 0.0009%) observed during the course of our analysis. This result lends credence to the argument that, while not perfect, mobile application markets are currently providing adequate security for the majority of mobile device users. Second, we find that users of iOS devices are virtually identical to the owners of other mobile platforms in how likely they are to communicate with known low reputation domains, calling into question the conventional wisdom of one platform demonstrably providing greater security than another. Finally, we observe two malware campaigns from the upper levels of the DNS hierarchy and analyze the lifetimes and network properties of these threats. We also note that one of these campaigns ceases to operate long before the malware associated with it is discovered, suggesting that network-based countermeasures may be useful in the identification and mitigation of future threats.
An important component of network resource management and security enforcement is recognizing the applications active on a network. Unfortunately, payload encryption and the use of non-standard ports render traditional application identification methods only marginally useful. Newer in-the-dark application discovery methods can contend with these conditions, but still rely on packet-level information that may not be readily available to administrators.
This paper describes the initial findings and future directions of a technique that uses network motifs (i.e., overrepresented interaction subgraphs) to identify network activity. Modeling the flow-level network interactions as a graph, the proposed approach identifies sets of frequently occurring subgraphs useful for inferring the applications. Initial results show this approach can achieve an average accuracy of 85% in mapping motifs to applications. We argue that performance can be improved by incorporating features into motifs that provide information about vertices and edges, while preserving the ability of system administrators to gather such feature information from flow-level traces. Specific issues that arise in the collection of computer network interaction data and in dealing with the scale of such data are also highlighted.