ABOUT
Welcome to my page. I'm Yu, a Ph.D. candidate at WPI. My main research interest lies in cybersecurity.
Although the Internet is already one of the world's most important pieces of basic infrastructure, it keeps growing and
will reach a state in which all physical objects are connected (the Internet of Things). Attackers
will have more resources and targets, and will gain more from malicious activity. Network complexity will
also impede defense. Therefore, creating a comfortable Internet environment for people, by removing their concerns about
privacy and security, will become extremely important.
Education
Zhengzhou University (China), Bachelor, Communication Engineering, 2011.8-2015.6
University of Delaware, Master, Electrical & Computer Engineering, 2015.8-2017.6
Worcester Polytechnic Institute, Ph.D., advised by Dr. Craig Shue, Computer Science, 2017.6-today
Research Interest & Activities
Cybersecurity: Residential network security, IoT security
Computer Networks: protocols, measurement, Software-Defined Networking
Operating Systems
ALAS Lab (Applied Logic and Security)
Experience
Research Assistant at University of Delaware
Time: Jun 2016 - Feb 2017
Advisor: Andrew Novocin
Role: Team leader
Topic: Embedding fingerprint recognition into ATMs.
Research Assistant at WPI
Time: June 2017 - Aug 2017
Advisor: Craig Shue
Role: Individual Researcher
Topic: Residential SDN network
Teaching Assistant at WPI
Time: Aug 2017 - May 2018
Courses: Operating Systems, Computer Networks, Software Security Engineering
Work: Grading and answering questions from undergraduate students.
Research Assistant at WPI
Time: May 2018 - Current
Advisor: Craig Shue
Publication
4. Yu Liu, Craig A. Shue,
"Beyond the VPN: Practical Client Identity in an Internet with Widespread IP Address Sharing," IEEE Conference on Local Computer Networks (LCN), 2020, Sydney, Australia
[Abstract]
[Full Paper]
To support remote employees, organizations often use virtual private networks (VPNs) to provide confidential and
authenticated tunnels between the organization's networks and the employees' systems. With widespread end-to-end
application-layer encryption and authentication, the cryptographic features of VPNs are often redundant. However,
many organizations still rely upon VPNs. We examine the motivations and limitations associated with VPNs and find
that VPNs are often used to simplify access control and filtering for enterprise services.
To avoid limitations associated with VPNs, we propose an approach that allows straightforward filtering. Our
approach provides evidence a remote user belongs in a network, despite the address sharing present in tools like
Carrier-Grade Network Address Translation. We preserve simple access control and eliminate the need for VPN servers,
redundant cryptography, and VPN packet header overheads. The approach is incrementally deployable and provides
a second factor for authenticating users and systems while minimizing performance overheads.
3. Yu Liu, Craig A. Shue,
"Community Cleanup: Incentivizing Network Hygiene via Distributed Attack Reporting," IEEE/IFIP Network Operations and Management Symposium (NOMS), 2020, Budapest, Hungary
[Abstract]
[Full Paper]
Residential networks are difficult to secure due to resource constraints and lack of local security expertise.
These networks primarily use consumer-grade routers that lack meaningful security mechanisms, providing a
safe-haven for adversaries to launch attacks, including damaging distributed denial-of-service (DDoS) attacks.
Prior efforts have suggested outsourcing residential network security to experts, but motivating user adoption
has been a challenge. This work explores combining residential SDN techniques with prior work on collaborative
DDoS reporting to identify residential network compromises. This combination provides incentives for end-users
to deploy the technique, including rapid notification of compromises on their own devices and reduced upstream
bandwidth consumption, while incurring minimal performance overheads.
2. Yu Liu, Matthew R. Squires, Curtis R. Taylor, Robert J. Walls, Craig A. Shue,
"Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks," Conference on Security and Privacy in Communication Networks (SecureComm), 2019, Orlando, USA.
[Abstract][Full Paper]
[Poster]
To stymie password guessing attacks, many systems lock an account after a given number of failed authentication
attempts, preventing access even if proper credentials are later provided. Combined with the proliferation of
single sign-on providers, adversaries can use relatively few resources to launch large-scale application-level
denial-of-service attacks against targeted user accounts by deliberately providing incorrect credentials across
multiple authentication attempts. In this paper, we measure the extent to which this vulnerability exists in
production systems. We focus on Microsoft services, which are used in many organizations, to identify exposed
authentication points. We measured 2,066 organizations and found that between 58% and 77% of organizations expose
authentication portals that are vulnerable to account lockout attacks. Such attacks can be completely successful
with only 13 KBytes/second of attack traffic. We then propose and evaluate a set of lockout bypass mechanisms for
legitimate users. Our performance and security evaluation shows these solutions are effective while introducing
little overhead to the network and systems.
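The abstract above describes why a fixed per-account lockout counter turns a password-guessing defense into a denial-of-service vector: whoever submits the failed attempts, the legitimate owner is the one locked out. The following is an added illustration written for this page, not code from the paper, and the per-source variant is only one plausible shape a "lockout bypass for legitimate users" could take (the paper's actual mechanisms are not described here, so that is an assumption). Usernames, passwords and the two client addresses are constructed sample values.

```python
import hashlib
import hmac
import time
from collections import defaultdict

LOCKOUT_THRESHOLD = 5      # failed attempts before locking (assumed policy value)
LOCKOUT_SECONDS = 900      # lock duration (assumed policy value)


def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count only to keep the example fast; raise it in real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed credential store: one user with a salted PBKDF2 digest.
USERS = {"alice": (b"salt-alice", _hash("correct horse", b"salt-alice"))}


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash(password, salt), digest)


class AccountLockoutAuth:
    """Naive scheme from the abstract: failures are counted per account,
    no matter which client they came from, so any party that can reach the
    login endpoint can lock the real user out."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, user: str, source: str):
        return user  # lockout state is keyed on the account alone

    def attempt(self, user: str, password: str, source: str) -> str:
        t = self.now()
        key = self._key(user, source)
        if self.locked_until.get(key, 0) > t:
            return "locked"
        if check_password(user, password):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= LOCKOUT_THRESHOLD:
            self.locked_until[key] = t + LOCKOUT_SECONDS
            self.failures[key] = 0
            return "locked"
        return "denied"


class SourceScopedLockoutAuth(AccountLockoutAuth):
    """Illustrative mitigation (an assumption, not the paper's design):
    failures are counted per (account, client source), so a burst of bad
    guesses from one source locks only that source, and the legitimate user
    logging in from elsewhere is unaffected."""

    def _key(self, user: str, source: str):
        return (user, source)


def simulate(auth_cls) -> dict:
    """Run the abstract's scenario against one policy and report what the
    legitimate user sees, both during the lock and after it expires."""
    clock = [1000.0]                       # controllable fake clock (seconds)
    auth = auth_cls(now=lambda: clock[0])
    # Constructed scenario: LOCKOUT_THRESHOLD wrong passwords for alice arrive
    # from 203.0.113.7; alice then logs in correctly from 198.51.100.23.
    for _ in range(LOCKOUT_THRESHOLD):
        auth.attempt("alice", "wrong guess", source="203.0.113.7")
    during = auth.attempt("alice", "correct horse", source="198.51.100.23")
    clock[0] += LOCKOUT_SECONDS + 1        # advance past the lock window
    after = auth.attempt("alice", "correct horse", source="198.51.100.23")
    return {"legit_during_lock": during, "legit_after_expiry": after}


if __name__ == "__main__":
    for cls in (AccountLockoutAuth, SourceScopedLockoutAuth):
        print(cls.__name__, simulate(cls))
```

Under the naive policy the legitimate login from the second address is refused until the window expires; under the source-scoped policy it succeeds immediately. The trade-off is that per-source counting alone no longer bounds total guesses against an account, so a deployment would pair it with an account-wide rate limit or backoff rather than replace the account-level control outright.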
1. Yu Liu, Curtis R. Taylor, Craig A. Shue, "Authenticating Endpoints and Vetting Connections in Residential Networks," IEEE ICNC Workshop on Computing,
Networking and Communications (CNC), 2019, Hawaii, USA.
[Abstract][Full Paper]
[Poster]
The security of residential networks can vary greatly. These networks are often administered by end-users who may
lack security expertise or the resources to adequately defend their networks. Insecure residential networks provide
attackers with opportunities to infiltrate systems and create a platform for launching powerful attacks. To address
these issues, we introduce a new approach that uses software-defined networking (SDN) to allow home users to outsource
their security maintenance to a cloud-based service provider. Using this architecture, we show how a novel
network-based two-factor authentication approach can be used to protect Internet of Things devices. Our approach
works without requiring modifications to end-devices. We further show how security modules can enforce protocol
messages to limit the attack surface in vulnerable devices. Our analysis shows that the system is effective and
adds less than 50 milliseconds of delay to the start of a connection with less than 100 microseconds of delay for
subsequent packets.
On-Going Projects
Android-hosted SDN for fine-grained security management
Opportunistic middleboxes in home networks for a highly effective firewall system