Carnegie Mellon University
Soo-Jin Moon is a Ph.D. candidate in Electrical and Computer Engineering at Carnegie Mellon University (CMU), advised by Vyas Sekar. She is part of CyLab, CMU’s Security and Privacy Institute. She is broadly interested in network security and networking. Currently, her research focuses on network modeling, network verification, and uncovering security vulnerabilities in network protocols and devices. Her research has been recognized with the NSA Best Scientific Cybersecurity Paper Award and the CSAW Applied Security Research Prize. Before starting at Carnegie Mellon University in 2014, she earned her bachelor’s degree in Electrical Engineering from the University of Waterloo, Canada.
Modern networks (e.g., IoT, enterprise, wide-area networks) are exploding with network devices whose internal structures and/or protocol formats are largely unknown. The security implications and behavior of these devices are not fully understood, leaving them exposed to network attacks (e.g., data exfiltration, distributed denial-of-service). Unfortunately, we currently lack tools to systematically understand their behavior and identify security weaknesses. Existing approaches either analyze these network devices manually or rely on automated analysis of the source code and binary. However, access to the binary for instrumentation and to the source code for analysis may be difficult because these devices are proprietary. Network administrators may be left with only the input and output interfaces of these devices and limited knowledge of their internal workings.
In my research, I develop systems and algorithms to shed light on these black-box network devices. Specifically, I show how we can 1) automatically infer the behavioral models of devices from black-box observations, and 2) directly identify potential attack inputs (i.e., packets creating DoS). As a use case of automatically inferring a behavioral model, I demonstrated how we can infer a precise, behavioral model of network functions such as firewalls and NATs. These models enable more accurate network verification, identifying potential security vulnerabilities. As a use case of identifying attack inputs, I developed an Internet-scale network measurement tool that directly identifies network packets that cause high amplification (for denial of service attacks).