I am a sixth-year Ph.D. student in the School of Informatics, Computing, and Engineering at Indiana University, Bloomington. I joined the System Security Lab under the supervision of Prof. Xiaofeng Wang. So far, I have led successfully two research projects and published four papers on top security conferences. My research focuses on web security, threat intelligence, and AI security.
I had an internship in Tencent, CSIG to build a threat intelligence platform, which automatically collects the latest sink-holed domains from sinkhole operators. The product was integrated into their internal security system.
Mobile/Web SDK Security
- My previous research projects investigated the security impacts of mobile/web SDKs, including third-party proxy SDKs and P2P service SDKs. Through a large-scale scanning of over 2M Android APKs, we identified 963 Android apps integrated with third-party proxy SDKs, which utilize their customers as proxy peers without proper user consent. In another project, we also discovered 134 highly popular video websites and 38 Android apps integrated with a P2P video streaming service, which are proven to have serious security and privacy problems, including content pollution and IP leakage. Our findings revealed the concerning security issues on mobile/web SDKs, which may affect millions of end users. One of our work has been published by NDSS 2021 and the other is under peer review.
- Another important issue of my research is threat intelligence. In this area, one of the kernel challenges is to collect the security intelligence timely. To resolve such challenge, we came up with a novel solution to collect threat intelligence from social networks like Twitter. In one of our research, we collected over 20K spam SMS from tweets attached with SMS screenshots. We designed a framework, SpamHunter, to automatically recognize the reported spam SMS texts and URLs. Such dataset turns out to be more diverse and timely than existing spam SMS collections and threat intelligence engines, i.e., VirusTotal. We also designed an automatic evaluation framework to test the feasibility of these spam SMS texts against the existing anti-spam systems. Our submission has been accepted by CCS 2022 in the first cycle.
- Another direction of my recent research focus on AI security, more specifically, backdoor attack & detection in neural network. Backdoor is a specific type of adversarial examples which can be injected into a well trained machine learning model by poisoning a small set of data. In our recent research, we identified some interesting and fundamental properties of backdoors in neural networks and proposed novel algorithms to defense/attack with the use of such properies.