Research
My research develops practical systems that bring security and privacy to real-world networks — without compromising performance. Most existing solutions treat the Internet as a black box, adding protections on top that slow applications or demand tech-savvy users. In contrast, my work pushes security functions into the network itself and uses hardware–software co-design to make defenses scalable, performant, and deployable today.
My research philosophy is guided by three principles:
- Security and privacy functions should run in-network or be natively network-aware, rather than bolted on at endpoints.
- Hardware–software co-design is essential for scalable defenses — programmable data planes (P4, eBPF) unlock performance that software alone cannot match.
- Cooperation among incentive-aligned actors enables deployable, collective mechanisms that protect users at Internet scale.
Across all efforts, I emphasize building prototypes, open-source artifacts, and deployable systems to ensure real-world impact. Taken together, my work lays the foundation for ubiquitous, deployable network security and privacy — protecting users at Internet scale.
Projects
A layered hardware–software defense that blocks large-scale SYN-flood attacks without degrading legitimate user performance. SmartCookie splits the SYN-cookie computation between a P4 programmable switch (hardware) and a software proxy, achieving line-rate protection while maintaining correct TCP semantics. It is currently patent-pending and was supported by three years of NSF GRFP funding.
A study uncovering new integrity vulnerabilities in 5G fronthaul protocols — the critical link between base station antennas and the baseband processing unit. This work (with Microsoft Research) demonstrates practical attack scenarios and prompts calls for stronger integrity protections in emerging cellular standards. Currently patent-pending.
A system for secure collaborative route control across the public Internet. Cooperating edge networks use only existing BGP mechanisms to jointly discover and select safer, higher-quality Internet paths — with no changes to core routers. TANGO received the IETF/IRTF Applied Networking Research Prize for outstanding applied networking research.
A generalization of SmartCookie's layered split-proxy design to a broader class of volumetric DDoS attacks. Sieve introduces a principled framework for deploying layered, in-network defenses that compose hardware filtering with software intelligence.
A principled, network-aware model for splitting traffic across multiple paths to jointly optimize privacy and performance, mitigating website-fingerprinting attacks. PraxiGuard secured Princeton's Wallace Memorial Fellowship — the highest honor for graduate engineering research excellence.
At Amherst
I am excited to extend this research agenda at Amherst in directions that invite hands-on undergraduate participation:
- Measurement studies closer to the user — turning campus and home networks into living laboratories for identifying vulnerabilities in emerging devices such as IoT sensors and drones.
- A unifying framework for split-functionality defenses — combining centralized reasoning with distributed enforcement using accessible platforms like eBPF.
- Security and performance challenges of AI workloads — large-language-model inference stresses networks in new ways and opens novel attack surfaces.
Please reach out if you are interested in collaborating or joining my research group.