Abstract

I am a postdoctoral researcher at UC Berkeley working with David Wagner's security group. Previously, I was a research assistant with the UC Santa Barbara Computer Security Lab. I was advised by Professors Dick Kemmerer and Giovanni Vigna, and received my Ph.D. in June 2009. My thesis was entitled "Detecting and Preventing Attacks Against Web Applications."

My primary research interest is in protecting web applications from attacks. One line of research has focused on using statistical machine learning techniques to automatically construct models characterizing the normal behavior of web applications in order to perform accurate, black-box anomaly detection of web-based attacks. Recent work in this area has focused on addressing fundamental challenges to performing web application anomaly detection, such as reducing the rate of false positives, adapting to changes in web application behavior over time, and compensating for the scarcity of training data. Another approach I am investigating is the construction of development frameworks to build web applications that are automatically secure against certain classes of attacks by construction.

Other research interests include intrusion detection system testing and evasion, electronic voting security, and the verification of software security properties using static and dynamic analysis techniques.

I am a member of Shellphish and the International Secure Systems Lab. In 2005, Shellphish won the DEFCON Capture the Flag (CTF) hacking competition. I have also helped to organize the UCSB International Capture the Flag (iCTF) competition since its inception.

I was a co-founder of WebWise Security, Inc., a Santa Barbara-based security consulting firm that provides vulnerability assessment, penetration testing, and source code analysis services to clients worldwide.

In 2007, I participated as a Red Team member in the California Top-to-Bottom Review (TTBR) of electronic voting machines. In particular, I helped to find and exploit several critical vulnerabilities in the Sequoia voting system. I also participated as a Red Team member in the Ohio Evaluation and Validation of Election-Related Equipment, Standards, and Testing (EVEREST), again finding and exploiting several critical vulnerabilities in various components of the ES&S voting system.

Contact Information

William Robertson


731 Soda Hall
Berkeley, CA 94720-1776
United States


My public key [pub 4096R/18377DB4 2009-05-13].