I am an Assistant Research Professor of Electrical and Computer Engineering at Carnegie Mellon University, where I am affiliated with CyLab, our security lab. I also have courtesy faculty appointments in Engineering and Public Policy, and in the Information Networking Institute. I am Faculty Advisor for the Kobe Master's of Information Technology-Information Security (MSIT-IS) offered by the Information Networking Institute. I am also a core faculty in our Carnegie Mellon Usable Privacy and Security Doctoral Training Program, supported through an NSF IGERT grant.
I received a Diplôme d'Ingénieur (1999) from École Centrale de Lille, a Master's (2000) and a Ph.D. (2003) in Computer Science from the University of Virginia. In the final year (2002-2003) of my Ph.D., I was working at Nortel. I then spent two wonderful years (2003-2005) as a postdoctoral fellow in the School of Information at UC Berkeley, before joining Carnegie Mellon in July 2005. I was a faculty in residence for three years (2005-2008) in our research and education center in Japan, CyLab Japan, located in Kōbe, which remains one of my favorite cities. After coming back to the US, I served as Associate Director of the Information Networking Institute from 2008 through 2013.
My research interest is in computer and information systems security. Most of my work is at the boundary of systems, networking and policy research. While a good portion of my research activities could be qualified of applied research, I try as much as possible to rely on strong theoretical foundations in my work.
More specifically, the projects that I am currently involved are:
[in brackets, some of the venues where we published on the subject]
- Online crime modeling: Current security attacks are more often than not financially motivated. We postulate that, by getting a more precise picture of the economic interactions between the different actors involved, we can better understand how to disrupt or thwart these attacks. This line of work is very applied, and combines economic modeling, network measurements, and public policy research. [USENIX Sec'15, CCS'14, USENIX Sec'14, ESORICS'14, EC'13, WWW'13, CCS'11, USENIX Sec'11, CCS'10, ...]
- Security economics: We keep hearing about security attacks and breaches, despite the fact that most security problems have relatively low-cost solutions (e.g., patching, stronger access control, audits). I am interested in 1) understanding why, from an economic standpoint, people and corporations are seemingly either not investing enough in security, or investing in the wrong things, and 2) finding out if there are economic remedies or incentive compatible algorithms, that we, as a society, can use to improve this sad state of affairs. Behavioral economics, game theory as well as system design play a significant role in this cross-disciplinary work. [AAAI'15, IJCAI'13, CSF'11, ESORICS'10, FC'10, EC'08, WWW'08, ...]
- Usable and secure authentication: Making systems more secure has generally been at odds with what humans are good at; for instance, longer passwords are near-impossible to memorize, complex security policies are ignored and therefore useless, and so forth. This has resulted in large security meltdowns. Rather than treating human factors as a constraint in secure system design, we try to exploit what people are skilled at to make systems more secure. For instance, humans can very quickly recognize patterns, or make inferences from incomplete information. Our work in that space finds applications in authentication applications, mobile payment systems, automated teller machines, to name a few. [USENIX Sec'15, PETS'15, CHI'15, CHI'14, CCS'13, USENIX Sec'12, SOUPS'12, Oakland'12, CHI'11, FC'11, SOUPS'08, CHI'08, ...]
- Smart phone security: While computer operators are responsible for maintaining their machines, smart phone users are by and large at the mercy of their carriers; in fact a majority of users do not even have sufficient administrative privileges to install updated versions of their mobile operating systems on their own. At the same time, mobile devices concentrate even more private information than computers (e.g., GPS coordinates, call logs). Relatively slow, market economics-driven patch cycles, combined with the large amount of private information held on smart phones and the growing computational power that these devices can offer, pose some unique security and privacy challenges. Our goal here is to better understand the nature of these challenges, and what we can do to address them. [AsiaCCS'14, DFRWS'11, WOOT'11, MobiSys'09, ...]
Other topics I have been involved in, and am still interested in, include building systems that better support service differentiation, or, to use 21st century terminology, that better cope with "network discrimination," and economics-informed network topology design.
My current research work is partially supported by the National Science Foundation (CCF-0424422, DGE-0903659, CNS-1223762); the Department of Homeland Security Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD), the Government of Australia and SPAWAR Systems Center Pacific (through BAA-11.02, contract number N66001-13-C-0131); and as part of an NSA Science of Security Lablet at Carnegie Mellon. I am also one of the co-PIs in the Army Research Lab Cyber-Security Collaborative Research Alliance (in collaboration with Penn State, Indiana University, UC Riverside and UC Davis; formally Cooperative Agreement Number W911NF-13-2-0045).
I am lucky to advise and work with some incredible people: six Ph.D. students, Timothy Vidas (ECE), Luís Brandão (ECE/University of Lisbon, co-advised with Alysson Bessani), Zachary Weinberg (ECE), Kyle Soska (ECE), János Szurdi (ECE), and Mahmood Sharif (ECE, co-advised with Lujo Bauer); and two post-doctoral scholars, Alain Forget (co-supervised with Alessandro Acquisti, Lorrie Cranor, and Rahul Telang) and Benjamin Johnson.
I also have had the pleasure of seeing a few Master's students graduating under my supervision (listed in reverse chronological order): Qingping Hou (M. Sc, INI, 2014), Ryo Hoshino (M. Sc., INI, 2013), Dong Liu (M. Sc., INI, 2013), Honglin Feng (M. Sc., INI, 2012), Norio Tanaka (M. Sc., INI, 2012), Daniel Votipka (M. Sc., INI, 2012), Carlos Lopes Pereira (M.Sc., INI, 2011), Theodoros Messinis (M.Sc., INI, 2011), Qin Chao (M.Sc., INI, 2010), Shinichi Mori (M.Sc., INI, 2010), Sérgio Serrano (M.Sc., INI and University of Lisbon, 2010), Yu-Lo Su (M.Sc., INI, 2010), Chengye Zheng (M.Sc., INI, 2010), Sally Yanagihara (M.Sc., INI, 2009), Madoka Hasegawa (M.Sc., INI, 2008), Komsit Prakobphol (M.Sc., INI, 2008), Wumaierjiang Simayi (M.Sc., INI, 2008), Hirokazu Sasamoto (M.Sc., INI, 2007), Eiji Hayashi (M.Sc., INI, 2006), Kazuhito Maruyama (M.Sc., INI, 2006), Hiroshi Miwa (M.Sc., INI, 2006), Takeshi Niiyama (M.Sc., INI, 2006), Soon Hin Khor (M.Sc., INI, 2006), and Mika Sashikata (M.Sc., INI, 2006).
Places of employment/positions after graduation include Software Engineering positions at Google, Facebook, LinkedIn, Oracle, Riot Games, Ph.D. studies at University of Tokyo, Carnegie Mellon Computer Science, and various engineering positions at Panasonic, Sharp, NTT West, NTT DoCoMo, Portugal Telecom...
Kyle Soska and
Automatically Detecting Vulnerable Websites Before They Turn Malicious. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security'14), pages 625-640. San Diego, CA. August 2014. Best student paper award.
Lorrie Faith Cranor,
Patrick Gage Kelley,
and Blase Ur.
Measuring Password Guessability for an Entire University.
Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013). Berlin, Germany. November 2013.
Nicolas Christin. Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace. In Proceedings of the 22nd International World Wide Web Conference (WWW'13), pages 213-224. Rio de Janeiro, Brazil. May 2013.
Nektarios Leontiadis, Tyler Moore, and Nicolas Christin. Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade. In Proceedings of the 20th USENIX Security Symposium (USENIX Security'11). San Francisco, CA. August 2011.
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Cranor and Serge Egelman. Of Passwords and People: Measuring the Effect of Password-Composition Policies. In Proceedings of the 2011 ACM Conference on Human Factors in Computing Systems (CHI 2011), pages 2595-2604. Vancouver, BC, Canada. May 2011. Honorable Mention award.
Jens Grossklags, Nicolas Christin, and John Chuang. Secure or Insure? A Game-Theoretic Analysis of Information Security Games. In Proceedings of the 17th International World Wide Web Conference (WWW'08), pages 209-218. Beijing, China. April 2008.
Nicolas Christin, Andreas S. Weigend, and John Chuang. Content Availability, Pollution and Poisoning in Peer-to-Peer File Sharing Networks. In Proceedings of the Sixth ACM Conference on Electronic Commerce (EC'05), pages 68-77. Vancouver, BC, Canada. June 2005.
Nicolas Christin, Jörg Liebeherr, and Tarek F. Abdelzaher. Enhancing Class-Based Service Architectures with Adaptive Rate Allocation and Dropping Mechanisms. In IEEE/ACM Transactions on Networking 15(3), pages 669-682. June 2007.
I have been sporadically commenting on various security and policy issues in local (WTAE 4, WPXI 11, ...), national (Marketplace, National Public Radio (including All Things Considered), Wall Street Journal, ...), and international (MIT Technology Review, Canal Plus (France), ...) news media.
My own research gets quite a bit of exposure. Our measurement study of the Silk Road online anonymous marketplace received extensive press coverage: New Scientist (August 6, 2012), Wired UK (August 6, 2012), Forbes (August 6, 2012), Slashdot (August 7, 2012), Ars Technica (August 7, 2012), US News (August 7, 2012), Gawker (August 8, 2012), The Economist (September 29, 2012), and The New York Times (April 8, 2013) covered it among others, including some international press, e.g., Australia's Sydney Morning Herald (August 10, 2012), Spain's ABC (August 13, 2012), or Canada's The Globe and Mail (August 15, 2012). This research was also featured on Marketplace (August 28, 2012) (radio) on NTN24 (August 14, 2012) (television), and extensively discussed in a Surprisingly Free (August 28, 2012) podcast.
Somewhat surprisingly, a year after the study was published, it still attracts quite a bit of attention whenever articles appear about the "deep web." For instance, it was quoted in this long article in France's Le Nouvel Observateur (July 4, 2013). After Ross Ulbricht's sentencing, CNBC (June 1, 2015) rediscovered my 2013 paper.
Our Undercover project was featured on the CMU front page (January 14, 2008), in The Tartan (January 21, 2008), Dark Reading (February 5, 2008), Network World (February 8, 2008), PC World (February 10, 2008), and was "slashdotted" (February 8, 2008).
Our 2011 Financial Cryptography paper on figuring out how much it would take to incentivize people to adopt horrible security practices did not garner a lot of attention when it was originally published, but received extensive coverage after I presented the results at the 2014 Security and Human Behavior workshop: on Engadget (June 15, 2014), Business Insider (June 17, 2014), the Register (June 18, 2014), Slashdot (June 19, 2014), and Bruce Schneier's blog (June 19, 2014), among many others.
Our USENIX Security 2014 paper on predicting impending web server compromises was covered in the Daily Dot (August 21, 2014) and The Register (August 22, 2014).
Our research on passwords was the object of a feature article in Forbes (April 21, 2015).
The Register (June 22, 2015) wrote on the problems we identified with nation-scale brokered identification schemes; Computing (June 23, 2015) discussed the GDS response.
14-846: Special Topics: Elements of Web Security (M'15, in Silicon Valley).
14-741/18-631: Introduction to Information Security (F'05 (as 14-830), F'06, F'07, F'08, F'09, F'10, F'11, F'12, F'13, F'14).
18-731: Network Security (S'14).
14-742: Security in Networked Systems (S'06 (as 14-831), S'07, S'08, S'10).
14-813: Special Topics: Elements of Security in Networked Systems (M'09, in Japan).
14-709: Information Networking Thesis (Master's summer practicum, M'06, M'07, M'08, M'09, M'10).
I also taught a short course (MT-114: Introduction to Information Security) at EM Lyon Business School in June 2011.
Recent professional service
I am/have been a program committee member for a number of conferences and workshops, including IEEE S&P ("Oakland") (2014, 2015, 2016), NDSS (2014, 2015, 2016), WWW (2014, 2016), USENIX Security (2014, 2015), WPES 2015, MILCOM 2014, IEEE CNS 2014, WiSec 2014, BITCOIN 2014, ACM CCS 2013, APWG eCrime (2012, 2013, 2014), WEIS (2010, 2011, 2012, 2013, 2014, 2015), Financial Cryptography (2012, 2013, 2014, 2015), TrustCol 2012, GameSec 2012, BADGERS 2012, MedCOMM 2012, USENIX FOCI'11, WECSR 2011, ACM EC (2006, 2010), ACM SAC'09 (Information Security Research Track), ICEC'09, IEEE INFOCOM'07, IBC'06, and P2PECON'05, and I also routinely serve as a reviewer for a number of conferences and journals, including IEEE/ACM Transactions on Networking, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Mobile Computing...
I was the web and publicity chair for ACM SIGCOMM 2011.
The Silk Road paper eventually indirectly led to my silver screen debut: I got a few seconds of screen time in the Deep Web documentary movie by Alex Winter. So, I technically have a Bacon number of 3 or less (me, Keanu Reeves, Miriam Margolyes, Kevin Bacon) to go along my Erdös number of 4 or less (me, Jörg Liebeherr, Ian Akyildiz, Derbiau Hsu, Paul Erdös). I am writing "technically," because there is controversy about whether documentaries should count. But still, it is fun to have a plausible claim to being one of the few people to have a finite Erdös-Bacon number. An even more fun/random fact is that Tim Vidas and I might very well be the only advisor-advisee pair to both have a finite Erdös-Bacon number, since Tim appeared in the DEFCON documentary.
A long, long time ago, I was responsible for getting the ns-2/nam network simulator to compile and work natively under MS Windows/Cygwin. I have, however, transferred maintenance to the ns-2 development team more than a decade ago, so I am really not the right person to ask anymore, especially given that most of this has been made obsolete by ns-3.