I am a Senior Researcher in the Networking and Security Group at the International Computer Science Institute, an independent non-profit research institute affiliated with the University of California, Berkeley. I am also a co-founder, and the CTO, of Corelight, a startup offering professional Bro solutions to corporations and government. I am further an affiliate member of the Data Science and Technology Department at Lawrence Berkeley National Laboratory, and I work with the Lab’s cyber security team. Before coming out to Berkeley, I was a research assistant at TU München, Germany. Before that, I received a diploma in Computer Science from University of Paderborn, Germany.
Much of my work focuses on securing networks, with a particular emphasis on high-performance network monitoring in operational settings. More generally, I’m interested in understanding the capabilities and limitations of network technology, as well as the characteristics of real-world network traffic.
Please see the separate list of publications.
The Bro network security monitor, for which I’m leading the development team.
The Time Machine, a high-performance packet bulk recorder.
The ICSI Notary, a near-realtime database of SSL certificates seen in the wild.
HILTI, a virtual machine for network traffic analysis.
Spicy (aka BinPAC++), a next-generation parser generator.
Secure and Resilient Architecture: Effective and Economical Protection for High-Performance Research and Education Networks (National Science Foundation, 2016-2019, with ESnet)
Bro at Scale: a Network Monitoring Solution for Nationally and Globally Distributed Critical Infrastructure (Department of Energy, 2016-2018, at Broala)
Understanding the State of TLS Using Large-scale Passive Measurements (National Science Foundation, 2015-2018)
Semantic Security Monitoring for Industrial Control Systems (National Science Foundation, 2013-2017, with NCSA and UIUC)
Understanding and Exploiting Parallelism in Deep Packet Inspection on Concurrent Architectures (National Science Foundation, 2012-2017, with University of Wisconsin - Madison)
Understanding and Managing the Impact of Global Inference on Online Privacy (National Science Foundation, 2011-2015)
A Concurrency Model for Deep Stateful Network Security Monitoring (Cisco Research, 2011-2012)
Cybersecurity and Networking: NIDS Front-End for Load Balancing at 100 Gigabits (Department of Energy, 2011-2013, with cPacket Networks and NERSC)
Enhancing Bro for Operational Network Security Monitoring in Scientific Environments (National Science Foundation, 2010-2013, with NCSA)
A Mathematical and Data-Driven Approach to Intrusion Detection for High-Performance Computing (Department of Energy, 2010-2012, with LBNL and UC Davis)
A High-Performance Abstract Machine for Network Intrusion Detection (National Science Foundation, 2009-2013)
Invigorating Empirical Network Research via Mediated Trace Analysis (National Science Foundation, 2009-2012)
Network Monitoring Infrastructure For Research in a Large-Scale Operational Environment (National Science Foundation, 2009-2011)
High Performance Networks - Compilation and Optimization of Protocol Analyzers (Department of Energy, 2009-2011, with Reservoir Labs)
Collaborative Research: Comprehensive Application Analysis and Control (National Science Foundation, 2008-2013)
Establishing a Cross-Institutional Platform for Cooperative Security Monitoring and Forensics (National Science Foundation, 2007-2011)
Exploiting Multi-Core CPUs for Parallelizing Network Intrusion Prevention (National Science Foundation, 2007-2010)
Approaches to Network Defense Proven in Open Scientific Environments (National Science Foundation, 2007-2009)
Program Chair DIMVA 2007
Program Committee USENIX Security 2017
Program Committee CPS-SPC 2015
Program Committee CLHS 2013
Program Committee SAC 2010 - INFSEC Track
Program Committee CoNGN 2008
Program Committee ICISS 2008
Program Committee IEEE MCN 2008
Program Committee CRITIS 2007
My implementation of a hook script for git to send out notification emails, git-notifier.
A set of scripts, BTest, providing a simple framework for shell-based unit tests.
A Python script, trace-summary, which generates summaries of network traffic from either libpcap traces or Bro connection logs.
The Python module PySubnetTree provides an efficient data structure for doing longest-prefix CIDR lookups.
A small tool called capstats to collect real-time statistics from a network interface.
A Linux kernel patch for capturing network packets as a non-root user.