
I am an associate professor in the Computer Science department at Columbia University, in New York. I am also the director of the Network Security Lab. My research interests include systems and network security and applied cryptography. In 2001, I received my Ph.D. in Computer Science from the University of Pennsylvania. In 2012, I was elected ACM Distinguished Scientist.

I am currently on leave from Columbia, serving as a Program Director with the National Science Foundation (NSF), in the Computer and Network Systems (CNS) Division, Directorate for Computer & Information Science & Engineering (CISE). My primary responsibility is with the Secure and Trustworthy Cyberspace (SaTC) program, which is the primary NSF source of funding for academic research in cybersecurity across the nation. With colleagues from the SBE and ENG Directorates, I helped create the Resilient Interdependent Infrastructure Processes and Systems (RIPS) program, which seeks to enhance the understanding and design of interdependent critical infrastructure systems (ICIs) and processes that provide essential goods and services despite disruptions and failures from any cause, natural, technological, or malicious. I also led the creation of the NSF/Intel Partnership on Cyber-Physical Systems Security and Privacy (CPS-Security) program, which seeks to foster a research community committed to advancing research and education at the confluence of cybersecurity, privacy, and cyber-physical systems, and to transitioning its findings into engineering practice. I have also been involved in the Secure, Trustworthy, Assured and Resilient Semiconductors and Systems (SaTC: STARSS) track, which represents a joint partnership between NSF and the Semiconductor Research Corporation (SRC) that supports research on new strategies for architecture, specification and verification, especially at the stages of design in which formal methods are currently weak or absent, with the aim of decreasing the likelihood of unintended behavior or access, increasing resistance and resilience to tampering, and improving the ability to provide authentication throughout the supply chain and in the field.

In the distant past, I worked on Active Networks, the predecessor to what is now called Software Defined Networks (SDN). Active Networks explored the idea of allowing routing elements to be extensively programmed by the packets passing through them, thus enabling optimizations and extensions of current protocols as well as the development of fundamentally new protocols. At the same time, I co-developed the KeyNote trust-management system, which is a widely used and cited decentralized access control mechanism used in a variety of tasks, including network-layer access control, distributed file systems, offline micro-payments, MANET security, network QoS, distributed firewalls, and the STRONGMAN access control management system. I also worked on the design and implementation of a high-performance and full-functionality open-source IPsec implementation (which is still in use as part of the OpenBSD project). This included a new kernel architecture for hardware-accelerated cryptography and firewall functionality. I had a part in developing a secure bootstrap architecture. I was also an active participant in the IETF (Internet Engineering Task Force), and in particular the IPsec and IPSP Working Groups.

Since I joined Columbia, I have worked on a number of projects. Some of these include:

  • GRIDLOCK, which proposed the notion of Virtual Private Services as an abstraction for managing the access control policies for distributed, composable networked resources;
  • SOS, an overlay-based system for mitigating network denial of service attacks;
  • Autonomic Software Patching, a system for automatically generating software patches based on observed attacks;
  • Instruction Set Randomization, a general mechanism for denying execution of unauthorized (e.g., injected) code in a program or system (our CCS 2003 paper was awarded the Test of Time Award in 2013);
  • ASSURE, a system that introduces rescue points to recover software from unknown faults, while maintaining both system integrity and availability, by mimicking system behavior under known error conditions;
  • Elastic Block Ciphers, a black-box block cipher design methodology that offers increased use flexibility while providing the same security guarantees as the underlying cipher;
  • BARTER, a behavior-based network access control system;
  • FlowOS, a new operating system architecture that removes the memory and CPU from the data path, enabling the OS kernel to perform data-flow management while applications operate purely at the signaling level; and
  • D-NAD and P2P-IDS, which represent different explorations of the space of distributed anomaly and intrusion detection.

During my 2009 sabbatical leave, I educated myself on Voice over IP security and worked on understanding rogue anti-virus campaigns.

My current research projects include software hardening, system self-healing, high-performance dynamic information flow tracking, clean-slate system design, cloud security, information/network/system deception, virtual private social networks, auditable cloud services, and private information retrieval.

An up-to-date CV, including a complete list of publications, can be found here.

Contact Information

Department of Computer Science
Columbia University
1214 Amsterdam Avenue, M.C. 0401
New York, NY 10027-7003
+1 212 939 7095 (voice)
+1 212 666 0140 (fax)

Useful/Interesting Links

"Networking on the network"
a must-read for all Ph.D. students

"Why You Should Choose Math in High School"

"Social Processes and Proofs of Theorems and Programs"

Copyright © 2001-2014 Angelos D. Keromytis