I am a Senior Researcher in the Networking and Security Group at the International Computer Science Institute, an independent non-profit research institute affiliated with the University of California, Berkeley. I am also an affiliate member of the Data Science and Technology Department at the Lawrence Berkeley National Laboratory, and I work with the Lab's cyber security team. I am leading the development for Bro, an open-source network security monitor, and I am a co-founder of Broala. Before coming out to Berkeley, I was part of Anja Feldmann's group at TU München, Germany (now at TU Berlin). Before that, I received a diploma in Computer Science from University of Paderborn, Germany.
My research focuses on network security, with a particular emphasis on high-performance network monitoring in operational settings. More generally, I'm interested in understanding the capabilities and limitations of network technology as well as the characteristics of real-world Internet traffic.
Please see the separate list of publications.
The Bro network intrusion detection system.
The Time Machine, a high-performance packet bulk recorder.
The ICSI Notary, a near-realtime database of SSL certificates seen in the wild.
HILTI, a virtual machine for network traffic analysis.
BinPAC++, a next-generation parser generator.
Semantic Security Monitoring for Industrial Control Systems (National Science Foundation, 2013-2016, with NCSA and UIUC)
Understanding and Exploiting Parallelism in Deep Packet Inspection on Concurrent Architectures (National Science Foundation, 2012-2015, with University of Wisconsin - Madison)
Understanding and Managing the Impact of Global Inference on Online Privacy (National Science Foundation, 2011-2014)
A Concurrency Model for Deep Stateful Network Security Monitoring (Cisco Research, 2011-2012)
Cybersecurity and Networking: NIDS Front-End for Load Balancing at 100 Gigabits (Department of Energy, 2011-2013, with cPacket Networks and NERSC)
Enhancing Bro for Operational Network Security Monitoring in Scientific Environments (National Science Foundation, 2010-2013, with NCSA)
A Mathematical and Data-Driven Approach to Intrusion Detection for High-Performance Computing (Department of Energy, 2010-2012, with LBNL and UC Davis)
A High-Performance Abstract Machine for Network Intrusion Detection (National Science Foundation, 2009-2013)
Invigorating Empirical Network Research via Mediated Trace Analysis (National Science Foundation, 2009-2012)
Network Monitoring Infrastructure For Research in a Large-Scale Operational Environment (National Science Foundation, 2009-2011)
High Performance Networks - Compilation and Optimization of Protocol Analyzers (Department of Energy, 2009-2011, with Reservoir Labs)
Collaborative Research: Comprehensive Application Analysis and Control (National Science Foundation, 2008-2013)
Establishing a Cross-Institutional Platform for Cooperative Security Monitoring and Forensics (National Science Foundation, 2007-2011)
Exploiting Multi-Core CPUs for Parallelizing Network Intrusion Prevention (National Science Foundation, 2007-2010)
Approaches to Network Defense Proven in Open Scientific Environments (National Science Foundation, 2007-2009)
General Chair IEEE S&P 2013
Vice Chair IEEE S&P 2012
Treasurer IEEE S&P 2011
Program Chair DIMVA 2007
Program Committee ACSAC 2014
Program Committee CLHS 2013
Program Committee HotMiddlebox 2013
Program Committee SAC 2010 - INFSEC Track
Program Committee CoNGN 2008
Program Committee ICISS 2008
Program Committee IEEE MCN 2008
Program Committee CRITIS 2007
My implementation of a hook script for git to send out notification emails, git-notifier.
A set of scripts, BTest, providing a simple framework for shell-based unit tests.
A Python script, trace-summary, which generates summaries of network traffic from either libpcap traces or Bro connection logs.
The Python module PySubnetTree provides an efficient data structure for doing longest-prefix CIDR lookups.
A small tool called capstats to collect real-time statistics from a network interface.
A Linux kernel patch for capturing network packets as a non-root user.