<!DOCTYPE html>
<html lang="en">
<head>
<script src="vendor/jquery/jquery.min.js"></script>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="Security and Privacy Research">
<title>Security and Privacy</title>
<!-- Bootstrap core CSS -->
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="css/modern-business.css" rel="stylesheet">
</head>
<body>
<div id="nav-placeholder"></div>
<script>
$.get("./navbar.html", function(data){
$("#nav-placeholder").replaceWith(data);
});
</script>
<!-- Page Content -->
<div class="container">
<!-- Page Heading -->
<h2 class="mt-4 mb-3">Security and Privacy</h2>
<p>
Our research group develops data-driven approaches to security and privacy, with a focus
on applying machine learning to detect and mitigate Internet-based attacks. Our work has
resulted in foundational systems for spam filtering, botnet detection, and IoT security,
as well as frameworks for analyzing privacy through the lens of contextual integrity.
</p>
<!-- Spam and Abuse Detection -->
<h4 class="mt-4 mb-3">Spam and Abuse Detection</h4>
<div class="row">
<div class="col-lg-8">
<p>
We pioneered network-level approaches to spam and abuse detection, developing systems
that identify malicious activity based on network behavior rather than content analysis.
</p>
<p>
<b><a href="https://www.usenix.org/conference/usenixsecurity09/technical-sessions/presentation/detecting-spammers-snare-spatio-temporal">SNARE</a></b> (Spatio-temporal Network-level Automatic Reputation Engine) was the first
spam filtering system based on network-level features, using lightweight traffic analysis
to identify spam senders without inspecting message content. Our earlier work on
<a href="https://dl.acm.org/doi/10.1145/1159913.1159947">understanding the network-level behavior of spammers</a> laid the foundation for this approach.
</p>
<p>
Our work on <b>DNS-based reputation systems</b> pioneered techniques for
detecting malicious domains. <b><a href="https://www.usenix.org/legacy/event/sec10/tech/full_papers/Antonakakis.pdf">Notos</a></b> (2010) introduced dynamic reputation scoring for DNS,
while <b><a href="https://dl.acm.org/doi/abs/10.1145/2976749.2978317">PREDATOR</a></b> (2016) enables proactive recognition and elimination of domain abuse
at time-of-registration, catching malicious domains before they can be used.
</p>
<p>
<b><a href="https://dl.acm.org/doi/10.1145/2785956.2787494">ASwatch</a></b> exposes bulletproof hosting providers by analyzing AS-level reputation,
identifying network operators that systematically harbor malicious activity.
</p>
</div>
<div class="col-lg-4 text-center">
<img class="img-fluid rounded mb-4" src="images/security-privacy-logo.png" alt="Security and Privacy" style="max-height: 200px;">
</div>
</div>
<!-- IoT Security and Privacy -->
<h4 class="mt-4 mb-3">IoT Security and Privacy</h4>
<div class="row">
<div class="col-lg-8">
<p>
The proliferation of smart home devices has created new security and privacy challenges.
We study these devices in our <a href="iot-lab.html">IoT Lab</a>, developing techniques to
understand and mitigate risks.
</p>
<p>
<b><a href="https://dl.acm.org/doi/abs/10.1145/3397333">IoT Inspector</a></b> enables crowdsourced collection of labeled network traffic from
smart home devices, creating datasets that support security and privacy research at scale.
</p>
<p>
Our research on <b><a href="https://dl.acm.org/doi/10.1145/3319535.3354198">smart TV tracking</a></b> revealed extensive data collection by streaming
devices, documenting how over-the-top TV platforms track viewing behavior and share
data with advertisers. Recent work examines <a href="https://www.ndss-symposium.org/ndss-paper/acoustic-keystroke-leakage-on-smart-televisions/">acoustic keystroke leakage</a> on smart TVs.
</p>
<p>
We have developed <b><a href="https://content.sciendo.com/view/journals/popets/2019/3/article-p128.xml">traffic shaping techniques</a></b> to protect smart home privacy from
network observers, hiding device activity patterns that could reveal sensitive information
about occupants' behavior. Our early work showed that <a href="http://datworkshop.org/papers/dat16-final37.pdf">a smart home is no castle</a>,
with encrypted IoT traffic revealing private activities.
</p>
</div>
<div class="col-lg-4 text-center">
<img class="img-fluid rounded mb-4" src="images/privacy-logo.png" alt="Privacy" style="max-height: 200px;">
</div>
</div>
<!-- Contextual Integrity and Privacy Policies -->
<h4 class="mt-4 mb-3">Contextual Integrity and Privacy Policies</h4>
<div class="row">
<div class="col-lg-12">
<p>
We apply the <b>contextual integrity</b> framework to analyze privacy in networked systems,
examining whether information flows align with user expectations and social norms.
</p>
<p>
Our work on <a href="https://dl.acm.org/doi/10.1145/3214262">discovering smart home IoT privacy norms</a> uses contextual integrity
to understand user expectations, while research on <a href="https://www.usenix.org/conference/usenixsecurity19/presentation/apthorpe">IoT toy privacy</a>
uncovered mismatches between privacy regulations (like COPPA) and parents' actual privacy norms.
</p>
<p>
We have developed <a href="https://www.aaai.org/ojs/index.php/HCOMP/article/download/5266/5118">contextual integrity approaches to privacy policy analysis</a>,
and studied <a href="https://dl.acm.org/doi/10.1145/3274469">user perceptions of smart home IoT privacy</a>.
</p>
<p>
Recently, we have studied <b>dark patterns in privacy opt-out processes</b>, examining
how companies make it difficult for users to exercise their rights under privacy laws
like the California Consumer Privacy Act (CCPA).
</p>
</div>
</div>
<!-- DNS Privacy -->
<h4 class="mt-4 mb-3">DNS Privacy</h4>
<div class="row">
<div class="col-lg-12">
<p>
DNS queries reveal sensitive information about user behavior. We develop protocols and
systems to improve DNS privacy while maintaining performance.
</p>
<p>
<b><a href="https://content.sciendo.com/view/journals/popets/2019/2/article-p228.xml">Oblivious DNS (ODNS)</a></b> protects user privacy against powerful adversaries by
preventing any single party from learning both who is making a query and what domain
they are querying. This work laid the foundation for the IETF's Oblivious HTTP standard.
</p>
<p>
We have extensively studied the <b>costs and benefits of encrypted DNS</b>, including
<a href="https://link.springer.com/content/pdf/10.1007%2F978-3-030-72582-2_26.pdf">performance analysis of DoH and DoT</a>,
<a href="https://dl.acm.org/authorize?N687423">cost-benefit analysis for the modern web</a>, and
<a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3427563">policy implications of DNS-over-HTTPS</a>.
</p>
<p>
We also study <a href="https://www.ndss-symposium.org/wp-content/uploads/dnspriv21-07-paper.pdf">user expectations and understanding of encrypted DNS settings</a>,
examining how users perceive and configure DNS privacy features.
</p>
</div>
</div>
<!-- Selected Publications -->
<h4 class="mt-4 mb-3">Selected Publications</h4>
<div class="row">
<div class="col-lg-12">
<p><b>Privacy</b></p>
<ul>
<li>
Dark Patterns in the Opt-Out Process and Compliance with the California Consumer Privacy Act (CCPA)<br />
Van Hong Tran, Aarushi Mehrotra, Ranya Sharma, Marshini Chetty, Nick Feamster, Jens Frankenreiter, Lior Strahilevitz.<br />
<em>ACM CHI Conference on Human Factors in Computing Systems.</em> 2025.
</li>
<p />
<li>
Understanding User Privacy Concerns of Shared Smart TVs<br />
Synthia Wang, Nick Feamster, Marshini Chetty.<br />
<em>ACM Conference on Computer-Supported Cooperative Work (CSCW).</em> 2025.
</li>
<p />
<li>
<a href="https://www.usenix.org/conference/usenixsecurity19/presentation/apthorpe">Evaluating the Contextual Integrity of Privacy Regulation: Parents' IoT Toy Privacy Norms Versus COPPA</a><br />
Noah Apthorpe, Sarah Varghese, Nick Feamster.<br />
<em>USENIX Security Symposium.</em> 2019.
</li>
<p />
<li>
<a href="https://www.aaai.org/ojs/index.php/HCOMP/article/download/5266/5118">Going Against the (Appropriate) Flow: A Contextual Integrity Approach to Privacy Policy Analysis</a><br />
Noah Apthorpe, Yan Shvartzshnaider, Nick Feamster, Helen Nissenbaum.<br />
<em>AAAI Conference on Human Computation and Crowdsourcing (HCOMP).</em> 2019.
</li>
<p />
<li>
<a href="https://dl.acm.org/doi/10.1145/3214262">Discovering Smart Home IoT Privacy Norms using Contextual Integrity</a><br />
Noah Apthorpe, Yan Shvartzshnaider, Dillon Reisman, Nick Feamster.<br />
<em>Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT).</em> 2018.
</li>
<p />
<li>
<a href="https://dl.acm.org/doi/10.1145/3274469">User Perceptions of Smart Home IoT Privacy</a><br />
Serena Zheng, Noah Apthorpe, Marshini Chetty, Nick Feamster.<br />
<em>ACM Conference on Computer Supported Cooperative Work (CSCW).</em> 2018.
</li>
<p />
<li>
<a href="https://link.springer.com/content/pdf/10.1007%2F978-3-030-72582-2_26.pdf">Can Encrypted DNS Be Fast?</a><br />
Austin Hounsel, Paul Schmitt, Kevin Borgolte, Nick Feamster.<br />
<em>Passive and Active Measurement Conference (PAM).</em> 2021.
</li>
<p />
<li>
<a href="https://www.ndss-symposium.org/wp-content/uploads/dnspriv21-07-paper.pdf">User Expectations and Understanding of Encrypted DNS Settings</a><br />
Alexandra Nisenoff, Nick Feamster, Madeleine Hoofnagle, Sydney Zink.<br />
<em>NDSS Workshop on DNS Privacy.</em> 2021.
</li>
<p />
<li>
<a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3427563">How DNS over HTTPS is Reshaping Privacy, Performance, and Policy in the Internet Ecosystem</a><br />
Tithi Chattopadhyay, Paul Schmitt, Kevin Borgolte, Jordan Holland, Austin Hounsel, Nick Feamster.<br />
<em>Research Conference on Communications, Information and Internet Policy (TPRC).</em> 2019.
</li>
<p />
<li>
<a href="https://content.sciendo.com/view/journals/popets/2019/2/article-p228.xml">Oblivious DNS: Practical Privacy for DNS Queries</a><br />
Paul Schmitt, Anne Edmundson, Nick Feamster.<br />
<em>Symposium on Privacy Enhancing Technologies (PETS).</em> 2019.
</li>
<p />
<li>
<a href="https://dl.acm.org/authorize?N687423">Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web</a><br />
Austin Hounsel, Kevin Borgolte, Paul Schmitt, Jordan Holland, Nick Feamster.<br />
<em>IRTF Applied Networking Research Workshop (ANRW).</em> 2019.
</li>
</ul>
<p><b>IoT Security</b></p>
<ul>
<li>
<a href="https://ieeexplore.ieee.org/document/10628044">Can Allowlists Capture the Variability of Home IoT Device Network Behavior?</a><br />
Weijia He, Kevin Bryson, Ricardo Calderon, Vijay Prakash, Nick Feamster, Danny Yuxing Huang, Blase Ur.<br />
<em>IEEE European Symposium on Security and Privacy (EuroS&amp;P).</em> 2024.
</li>
<p />
<li>
<a href="https://www.ndss-symposium.org/ndss-paper/acoustic-keystroke-leakage-on-smart-televisions/">Acoustic Keystroke Leakage on Smart Televisions</a><br />
Tejas Kannan, Synthia Qia Wang, Max Sunog, Abraham Bueno de Mesquita, Nick Feamster, Henry Hoffmann.<br />
<em>Network and Distributed System Security Symposium (NDSS).</em> 2024.
</li>
<p />
<li>
<a href="https://dl.acm.org/doi/abs/10.1145/3397333">IoT Inspector: Crowdsourcing Labeled Network Traffic from Smart Home Devices at Scale</a><br />
Danny Yuxing Huang, Noah Apthorpe, Frank Li, Gunes Acar, Nick Feamster.<br />
<em>Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT/UbiComp).</em> 2020.
</li>
<p />
<li>
<a href="https://dl.acm.org/doi/10.1145/3319535.3354198">Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices</a><br />
Hooman Moghaddam, Gunes Acar, Arunesh Mathur, Danny Huang, Ben Burgess, Prateek Mittal, Nick Feamster, Arvind Narayanan, Ed Felten.<br />
<em>ACM Conference on Computer and Communications Security (CCS).</em> 2019.
</li>
<p />
<li>
<a href="https://content.sciendo.com/view/journals/popets/2019/3/article-p128.xml">Keeping the Smart Home Private with Smart(er) Traffic Shaping</a><br />
Noah Apthorpe, Danny Yuxing Huang, Dillon Reisman, Arvind Narayanan, Nick Feamster.<br />
<em>Symposium on Privacy Enhancing Technologies (PETS).</em> 2019.
</li>
<p />
<li>
<a href="https://ieeexplore.ieee.org/abstract/document/8443103">Security and Privacy Analyses of Internet of Things Children's Toys</a><br />
Gordon Chu, Noah Apthorpe, Nick Feamster.<br />
<em>IEEE Internet of Things Journal.</em> 2018.
</li>
<p />
<li>
<a href="http://datworkshop.org/papers/dat16-final37.pdf">A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic</a><br />
Noah Apthorpe, Dillon Reisman, Nick Feamster.<br />
<em>Workshop on Data and Algorithmic Transparency (DAT).</em> 2016.
</li>
</ul>
<p><b>Spam and Abuse Detection</b></p>
<ul>
<li>
<a href="https://dl.acm.org/doi/abs/10.1145/2976749.2978317">PREDATOR: Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration</a><br />
Shuang Hao, Alex Kantchelian, Brad Miller, Vern Paxson, Nick Feamster.<br />
<em>ACM Conference on Computer and Communications Security (CCS).</em> 2016.
</li>
<p />
<li>
<a href="https://dl.acm.org/doi/10.1145/2785956.2787494">ASwatch: An AS Reputation System to Expose Bulletproof Hosting ASes</a><br />
Maria Konte, Roberto Perdisci, Nick Feamster.<br />
<em>ACM SIGCOMM.</em> 2015.
</li>
<p />
<li>
<a href="https://www.usenix.org/legacy/event/sec10/tech/full_papers/Antonakakis.pdf">Building a Dynamic Reputation System for DNS (Notos)</a><br />
Manos Antonakakis, Roberto Perdisci, David Dagon, Wenke Lee, Nick Feamster.<br />
<em>USENIX Security Symposium.</em> 2010.
</li>
<p />
<li>
<a href="https://www.usenix.org/conference/usenixsecurity09/technical-sessions/presentation/detecting-spammers-snare-spatio-temporal">Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine</a><br />
Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser.<br />
<em>USENIX Security Symposium.</em> 2009.
</li>
<p />
<li>
<a href="https://dl.acm.org/doi/10.1145/1159913.1159947">Understanding the Network-Level Behavior of Spammers</a><br />
Anirudh Ramachandran, Nick Feamster.<br />
<em>ACM SIGCOMM.</em> 2006.
</li>
</ul>
</div>
</div>
</div>
<!-- /.container -->
<!-- Footer -->
<div id="footer-ph"></div>
<script>
$(function(){
$("#footer-ph").load("./footer.html");
});
</script>
<!-- Bootstrap core JavaScript -->
<script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
</body>
</html>