Hyojoon Kim
University of Virginia · Computer Science
Active 1989–2026
About
My research focuses on making computer networks easier to monitor, understand, troubleshoot, and configure. I enjoy designing fast and accurate mechanisms that analyze real-world traffic and extract useful information for network practitioners. I am passionate about designing and implementing better tools and systems for next-generation applications and networks. I often use tools and mechanisms in software-defined networking (SDN), P4, and programmable data planes. I am also enthusiastic about applying new ideas to real operational networks.
Research topics
- Computer Science
- Computer network
- Real-time computing
- Computer Security
- Operating system
- Computer hardware
- Embedded system
- Database
Selected publications
Passive Data-Plane Telemetry to Mitigate Long-Distance BGP Hijacks
ArXiv.org · 2026-01-01
article · Open access
Poor security of Internet routing enables adversaries to divert user data through unintended infrastructures in attacks known as hijacks. Of particular concern - and the focus of this paper - are cases where attackers reroute domestic traffic through foreign countries and still deliver it to the intended destination, exposing traffic to surveillance, bypassing legal privacy protections, and posing national security threats. Efforts to detect and mitigate such attacks have focused primarily on the control plane, while data-plane signals remain largely overlooked. In this paper, we argue that passively-monitored round-trip time (RTT) - and, in particular, changes in its propagation-delay component - offers a promising signal for detection: the increased propagation delay is unavoidable and directly observable from affected networks, enabling opportunities for faster detection and mitigation. We explore the practicality of using RTT variations for hijack detection, addressing two key questions: (1) What coverage can this provide, given its heavy dependence on the geolocations of the sender, receiver, and adversary? and (2) Can an always-on RTT-based detection system be deployed without disrupting normal network operations? Focusing on cross-country interception attacks, we find that coverage is high: 97% under ideal (i.e., data travels at the speed of light) conditions, and 91% and 86% with real traffic from two datasets. To demonstrate practicality, we design HiDe, which reliably detects delay surges from long-distance hijacks at line rate using commodity programmable hardware. We measure HiDe’s accuracy and false-positive rate on real-world data and validate it with ethically conducted hijacks.
Delayed diagnosis and clinical outcomes in basilar artery occlusion: a retrospective study
Journal of Korean Society of Geriatric Neurosurgery · 2026-04-29
article
Scalable Video Conferencing Using SDN Principles
ArXiv.org · 2025-03-14
preprint · Open access
Video-conferencing applications face an unwavering surge in traffic, stressing their underlying infrastructure in unprecedented ways. This paper rethinks the key building block for conferencing infrastructures -- selective forwarding units (SFUs). SFUs relay and adapt media streams between participants and, today, run in software on general-purpose servers. Our main insight, discerned from dissecting the operation of production SFU servers, is that SFUs largely mimic traditional packet-processing operations such as dropping and forwarding. Guided by this, we present Scallop, an SDN-inspired SFU that decouples video-conferencing applications into a hardware-based data plane for latency-sensitive and frequent media operations, and a software control plane for the (infrequent) remaining tasks, such as analyzing feedback signals. Our Tofino-based implementation fully supports WebRTC and delivers 7-210 times improved scaling over a 32-core commodity server, while reaping performance improvements by cutting forwarding-induced latency by 26 times.
Spotlight: Shining a Light on Pivot Attacks Using In-network Computing
Proceedings of the ACM on Networking · 2025-03-05 · 1 citation
article
Pivoting remains an economical and practical penetration method as it allows a malevolent actor to obtain access to a private network through compromised devices. There are various tools both on the web and native to many operating systems, making pivoting simple to execute, even with limited system access. Preventing these attacks is traditionally performed with detection software running on end hosts or with perimeter devices, e.g., firewalls. However, not all end-host devices are under administrator control, and attackers can work around defences using SSH tunnels or obscuring their IP addresses. Rather than relying on middleboxes or end hosts, we leverage a programmable data plane for both their unique vantage point and traffic processing capabilities. Our system makes no assumptions about the underlying traffic and requires no cooperation from end hosts. We showcase Spotlight, a P4-based system that reliably intercepts pivoting attacks while raising only a small number of alarms. We develop a prototype system and demonstrate its effectiveness against various attacks on real-world traces.
Scalable Video Conferencing Using SDN Principles
2025-08-27 · 3 citations
article · Open access
Video-conferencing applications face an unwavering surge in traffic, stressing their underlying infrastructure in unprecedented ways. This paper rethinks the key building block for conferencing infrastructures — selective forwarding units (SFUs). SFUs relay and adapt media streams between participants and, today, run in software on general-purpose servers. Our main insight, discerned from dissecting the operation of production SFU servers, is that SFUs largely mimic traditional packet-processing operations such as dropping and forwarding. Guided by this, we present Scallop, an SDN-inspired SFU that decouples video-conferencing applications into a hardware-based data plane for latency-sensitive and frequent media operations, and a software control plane for the (infrequent) remaining tasks, such as analyzing feedback signals and session management. Scallop is a general design that is suitable for a variety of hardware platforms, including programmable switches and SmartNICs. Our Tofino-based implementation fully supports WebRTC and delivers 7-422× improved scaling over a 32-core commodity server, while reaping performance improvements by cutting forwarding-induced latency by 26×. We also present an implementation of Scallop on the BlueField-3 SmartNIC.
Computational interpretation of shape memory epoxy: processing and its operation
2024-01-01
article · Open access
The shape forming and restoration mechanisms of shape memory epoxy originate from the molecular-scale dynamics that epoxy molecules undergo during thermomechanical processes. In this study, the microstructural changes that occur at the molecular scale caused by heat and load during the programming and operation of the epoxy network were investigated using molecular dynamics simulations. The mechanical behaviors of each molecule were analyzed by classifying it into translation, rotation, and deformation based on the classical kinematic framework. Specifically, depending on its structural properties, each molecular component was rearranged to different levels, forming local residual stresses. The principle leading to shape recovery as the subsequent thermal load breaks the equilibrium of residual stresses and resulting changes in the mechanical anisotropy of entire epoxy network were also analyzed through a subcontinuum perspective. This study has the potential to be extended to a method for designing epoxy resins that satisfy desired physical properties and shape recovery performance.
Automating Distributed In-network Classification with Runtime Programmability
2024-11-22
article · Senior author
This paper presents ACORN, a distributed system for in-network machine-learning classification applications. ACORN automatically translates user-level Python ML programs into network-level programs and deploys them with runtime programmability.
RAVEN: Stateless Rapid IP Address Variation for Enterprise Networks
Proceedings on Privacy Enhancing Technologies · 2023-05-15 · 4 citations
article · Open access
Enterprise networks face increasing threats against the privacy of their clients. Existing enterprise services like Network Address Translation (NAT) offer limited privacy protection, at the cost of requiring per-flow state. In this paper, we introduce RAVEN (Rapid Address Variation for Enterprise Networks), a network-based privacy solution that is complementary to application-layer defenses. RAVEN protects privacy by frequently changing the client's public IP address. With RAVEN, a client is not limited to using a single IP address at a given time, or even for a given connection. RAVEN goes further, breaking the association between packets that belong to the same connection by frequently changing the client's IP address within a single connection. RAVEN achieves this through a novel division of labor: the client uses a transport protocol, like QUIC, that supports seamless connection migration, and decides when to switch its IP address, while the enterprise network actually changes the client's IP address in a stateless manner at line rate and ensures end-to-end packet delivery. We implement RAVEN using QUIC and off-the-shelf programmable switches. We deploy RAVEN in a test IPv6 network and evaluate its defense against webpage fingerprinting attacks. Even with a strong adversary, the average precision of the best adaptive attacks drops from 0.96 to 0.84, with a 0.5% degradation in client throughput. When RAVEN changes IP addresses at unpredictable frequency, the precision of the best attacks falls to 0.78, the same effectiveness as WTF-PAD.
NAP: Programming Data Planes with Approximate Data Structures
2023-12-06 · 1 citation
article · Open access
Many applications that run on programmable data planes rely on approximate data structures, due to insufficient in-network memory. However, programming with approximate data structures is challenging because it requires (1) expertise in streaming algorithms to select the data structures that best match an application's requirements, (2) meticulous configuration to minimize approximation error while fitting within the hardware constraints, and (3) proficiency in the low-level P4 language. To address these issues, we propose NAP, a high-level network programming language. The core of NAP is the versatile approximate dictionary abstraction that captures a wide range of compact data structures, while allowing programmers to simply specify the kinds of error an application can tolerate. We demonstrate the language's expressiveness, conciseness, and efficiency through a variety of network applications, each compiling to P4 for the Intel Tofino in less than a second and featuring 25X-50X fewer lines of code compared to the P4 output. We evaluate an approximate stateful firewall written in NAP with real campus traffic, achieving performance consistent with the predicted accuracy.
Frequent coauthors
- Nick Feamster, University of Chicago (23 shared)
- Raymond Kapral (11 shared)
- Kook Joe Shin, Seoul National University (10 shared)
- Jennifer Rexford (9 shared)
- Francesco Bronzino (7 shared)
- Sara Ayoubi, Nokia (France) (6 shared)
- Paul Schmitt, University of Hawaiʻi at Mānoa (6 shared)
- Renata Teixeira, Netflix (United States) (6 shared)
Education
- B.S., Computer Science, University of Wisconsin - Madison
- M.S., Computer Science, Georgia Tech
- Ph.D., Computer Science, Georgia Tech