I am a research scientist in the Computer Science and Mathematics Division at Oak Ridge National Laboratory. I received Ph.D. and M.S. degrees in Informatics from the School of Informatics, Computing, and Engineering at Indiana University Bloomington. Previously, I received M.S. and B.S. degrees in Electrical Engineering at Pontificia Universidad Javeriana in Colombia. I am the recipient of best paper awards at the 9th International Workshop on Managing Insider Security Threats (MIST) 2017 in conjunction with CCS and the 4th International Workshop on Automotive and Autonomous Vehicle Security (AutoSec) 2022 in conjunction with NDSS. In the past, I have done research internships at Cisco Systems, Inc. with the Advanced Security Research Group. I am a senior member of IEEE, and a member of ACM and SIAM. Here is a link to an official bio and my CV.
My research lies at the intersection of data science, network science, and cybersecurity. In particular, I use data-driven and computational methods to discover and understand anomalous behavior in large-scale networked systems. I rely on this approach to design and develop innovative solutions that address these anomalies. Applications of my research range across multiple disciplines, including the detection of exceptional events in social media, Internet route hijacking, insider threat behavior in version control systems, and intrusion detection in cyber-physical systems. Here is a word cloud built out of the abstracts of my papers.
By leveraging these contribution graphs, our research shows the potential of using graph-based ML to improve Just-In-Time (JIT) defect prediction. We hypothesize that features extracted from the contribution graphs may be better predictors of defect-prone changes than intrinsic features derived from software characteristics. We corroborate our hypothesis using graph-based ML for classifying edges that represent defect-prone changes. This new framing of the JIT defect prediction problem leads to remarkably better results.
We show that the similarity of time series clusters under benign conditions exhibits statistically significant differences from the similarity of time series clusters under attack conditions. We demonstrated these differences under different attack scenarios with different levels of sophistication using data from the ROAD dataset. This work shows that it is possible to detect masquerade attacks by effectively using the time series clustering representation of signals in the CAN bus and appropriate choices of parameters to group them.
We developed a method for detecting routing anomalies based on the analysis of bursty BGP announcements. I hypothesize that BGP announcements that are associated with disruptive updates tend to occur in groups of relatively high frequency, followed by periods of infrequent activity or high burstiness. I demonstrate the efficacy of this method across different case studies ranging from a hundred thousand to a dozen compromised prefixes.
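The burstiness idea above can be made concrete with a small screen over per-prefix update timestamps. The following is an added illustration, not code from the author or from the published method: it assumes the Goh-Barabasi burstiness coefficient B = (sigma - mu) / (sigma + mu) over inter-arrival times (values near -1 mean periodic, near +1 mean bursty), an assumed flagging threshold of B > 0, and an assumed quiet gap of 300 s for splitting a stream into bursts. The two update streams are constructed, using documentation prefixes.

```python
"""Burstiness screen for per-prefix BGP update streams (added example).

Assumptions (not from the page): Goh-Barabasi burstiness coefficient,
flag threshold B > 0, quiet gap of 300 s between bursts.
"""
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample: prefix -> timestamps (seconds) of received updates.
SAMPLE_UPDATES: Dict[str, List[float]] = {
    # Roughly periodic refreshes: low burstiness (B near -1).
    "192.0.2.0/24": [0, 60, 121, 180, 242, 300, 361, 420, 480, 541],
    # Rapid cluster of flaps, long silence, another cluster, silence.
    "198.51.100.0/24": [0, 1, 2, 2.5, 3, 600, 601, 601.5, 602, 1200],
}


def inter_arrival_times(timestamps: List[float]) -> List[float]:
    """Gaps between consecutive updates, in seconds."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def burstiness(timestamps: List[float]) -> float:
    """Goh-Barabasi burstiness B = (sigma - mu) / (sigma + mu) of the gaps."""
    gaps = inter_arrival_times(timestamps)
    if len(gaps) < 2:
        return 0.0  # too few updates to say anything
    mu, sigma = mean(gaps), pstdev(gaps)
    if mu + sigma == 0:
        return 0.0
    return (sigma - mu) / (sigma + mu)


def bursts(timestamps: List[float], quiet_gap: float = 300.0) -> List[int]:
    """Split a stream into bursts separated by gaps longer than quiet_gap.

    Returns the number of updates in each burst, in time order.
    """
    ts = sorted(timestamps)
    if not ts:
        return []
    sizes = [1]
    for earlier, later in zip(ts, ts[1:]):
        if later - earlier > quiet_gap:
            sizes.append(1)  # quiet period ended: start a new burst
        else:
            sizes[-1] += 1
    return sizes


def flag_bursty_prefixes(updates: Dict[str, List[float]],
                         b_threshold: float = 0.0) -> List[str]:
    """Prefixes whose update stream is burstier than the assumed threshold."""
    return sorted(p for p, ts in updates.items() if burstiness(ts) > b_threshold)


if __name__ == "__main__":
    for prefix, ts in SAMPLE_UPDATES.items():
        print(f"{prefix}: B={burstiness(ts):+.2f} bursts={bursts(ts)}")
    print("flagged:", flag_bursty_prefixes(SAMPLE_UPDATES))
```

The threshold and quiet gap are the parameters a deployment would need to tune; the point of the screen is that the bursty prefix stands out even though both streams carry the same number of updates.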
We proposed a method for detecting large events based on the structure of temporal communication networks. I hypothesize that global events trigger viral information cascades that easily cross community boundaries and can thus be detected by monitoring intra- and inter-community communications. By comparing the amount of communications within and across communities, I show that it is possible to detect large-scale events, even when they do not trigger a significantly larger communication volume.
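To show why comparing within- and across-community traffic can catch an event that volume alone misses, here is an added example that is not the author's code. It assumes communities are already known (two constructed groups), that messages are triples of (window, sender, receiver), and an assumed decision rule: flag a window whose share of inter-community messages exceeds the median share across windows by more than 0.25. The message log is constructed so that every window has the same volume.

```python
"""Event detection from intra- vs inter-community message share (added example).

Assumptions (not from the page): known community labels, fixed time
windows, and a flagging rule of share > median share + 0.25.
"""
from statistics import median
from typing import Dict, List, Tuple

Message = Tuple[int, str, str]  # (window, sender, receiver)

# Constructed community assignment for six users.
COMMUNITY: Dict[str, str] = {
    "a1": "A", "a2": "A", "a3": "A",
    "b1": "B", "b2": "B", "b3": "B",
}


def make_window(window: int, intra: int, inter: int) -> List[Message]:
    """Build a window with the given counts of intra- and inter-community messages."""
    msgs: List[Message] = []
    for i in range(intra):
        msgs.append((window, "a1", "a2") if i % 2 == 0 else (window, "b1", "b2"))
    for _ in range(inter):
        msgs.append((window, "a3", "b3"))
    return msgs


# Constructed log: same total volume (10 messages) in every window; only the
# last window has communications that mostly cross the community boundary.
SAMPLE_LOG: List[Message] = (
    make_window(0, 8, 2) + make_window(1, 8, 2) + make_window(2, 7, 3)
    + make_window(3, 8, 2) + make_window(4, 4, 6)
)


def window_stats(log: List[Message],
                 community: Dict[str, str]) -> Dict[int, Tuple[int, float]]:
    """Per window: (total messages, share of messages crossing communities)."""
    totals: Dict[int, int] = {}
    inter: Dict[int, int] = {}
    for window, src, dst in log:
        totals[window] = totals.get(window, 0) + 1
        if community[src] != community[dst]:
            inter[window] = inter.get(window, 0) + 1
    return {w: (n, inter.get(w, 0) / n) for w, n in totals.items()}


def detect_event_windows(stats: Dict[int, Tuple[int, float]],
                         jump: float = 0.25) -> List[int]:
    """Windows whose inter-community share exceeds the median share by `jump`."""
    baseline = median(share for _, share in stats.values())
    return sorted(w for w, (_, share) in stats.items() if share > baseline + jump)


def volume_only_alerts(stats: Dict[int, Tuple[int, float]],
                       factor: float = 1.5) -> List[int]:
    """A naive volume detector, for contrast: windows above factor * median volume."""
    baseline = median(n for n, _ in stats.values())
    return sorted(w for w, (n, _) in stats.items() if n > factor * baseline)


if __name__ == "__main__":
    stats = window_stats(SAMPLE_LOG, COMMUNITY)
    for w, (n, share) in sorted(stats.items()):
        print(f"window {w}: volume={n} inter_share={share:.2f}")
    print("structure-based alerts:", detect_event_windows(stats))
    print("volume-only alerts:    ", volume_only_alerts(stats))
```

Because every window carries ten messages, the volume-only rule never fires, while the structural rule flags the window in which communication crosses the community boundary.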
We proposed an unsupervised learning framework to evaluate whether potential insider threat events are triggered following precipitating events. The analysis leverages a bipartite graph of user and system interactions. The approach shows a clear correlation between precipitating events and the number of apparent anomalies. The results of this empirical analysis evidence a clear shift in behaviors after events that have previously been shown to increase insider threat incidents.
We analyzed reported routing anomalies and macroeconomic indicators over a four-year period. There are well-documented hijacks resulting from errors, for profit, or for national security and national intelligence purposes. Any individual hijack could be an accident, a crime, or an attack. I report on an empirical investigation into the macroeconomics of routing anomalies that addresses these three explanations.
Graduate
Undergraduate
Please email me if you are applying for an internship to work with me directly. There are five main programs: SULI (undergrad, STEM fields), NSF MSGI (graduate, math-related fields), OMNI (graduate, CS-related fields), GEM (graduate, STEM fields), and SCGSR (graduate, STEM fields).
Note: Deadlines vary and some require coordination with an ORNL sponsor. Therefore, contact me well in advance if you are interested.
Journal Referee
Technical Program Committees