I'm Yu Liu.

Ph.D student of Computer Science at WPI



Welcome to my page. I'm Yu, a Ph.D. candidate at WPI. My major research interest lies in cybersecurity. Although the Internet is already one of the most important pieces of basic infrastructure in the world, it keeps growing and will reach a state in which all physical objects are connected (the Internet of Things). Attackers will have more resources and targets, and will gain more from malicious activities. Network complexity will also impede defense. Therefore, creating a cosy Internet environment for people, by removing their concerns about privacy and security, will become extremely important.


Zhengzhou University (China), Bachelor, Communication Engineer, 2011.8-2015.6

University of Delaware, Master, Electrical & Computer Engineer, 2015.8-2017.6

Worcester Polytechnic Institute, Ph.D, advised by Dr. Craig Shue, Computer Science, 2017.6-today

Research Interest & Activities

Cybersecurity: Residential network security, IoT Security

Computer Network: protocol, measurement, Software Defined Network

Operating System

ALAS Lab (Applied Logic and Security)


Research Assistant at University of Delaware

Time: Jun 2016 - Feb 2017

Advisor: Andrew Novocin

Role: Team leader

Topic: Embed fingerprint recognition into ATM machines.

Research Assistant at WPI

Time: June 2017 - Aug 2017

Advisor: Craig Shue

Role: Individual Researcher

Topic: Residential SDN network

Teaching Assistant at WPI

Time: Aug 2017 - May 2018

Courses: Operating System, Computer Network, Software Security Engineer

Work: Grading and answering questions from undergraduate students.

Research Assistant at WPI

Time: May 2018 - Current

Advisor: Craig Shue


4. Yu Liu, Craig A. Shue, "Beyond the VPN: Practical Client Identity in an Internet with Widespread IP Address Sharing," IEEE Conference on Local Computer Networks (LCN), 2020, Sydney, Australia

To support remote employees, organizations often use virtual private networks (VPNs) to provide confidential and authenticated tunnels between the organization's networks and the employees' systems. With widespread end-to-end application-layer encryption and authentication, the cryptographic features of VPNs are often redundant. However, many organizations still rely upon VPNs. We examine the motivations and limitations associated with VPNs and find that VPNs are often used to simplify access control and filtering for enterprise services.
To avoid limitations associated with VPNs, we propose an approach that allows straightforward filtering. Our approach provides evidence a remote user belongs in a network, despite the address sharing present in tools like Carrier-Grade Network Address Translation. We preserve simple access control and eliminate the need for VPN servers, redundant cryptography, and VPN packet headers overheads. The approach is incrementally deployable and provides a second factor for authenticating users and systems while minimizing performance overheads.

3. Yu Liu, Craig A. Shue, "Community Cleanup: Incentivizing Network Hygiene via Distributed Attack Reporting," IEEE/IFIP Network Operations and Management Symposium (NOMS), 2020, Budapest, Hungary

Residential networks are difficult to secure due to resource constraints and lack of local security expertise. These networks primarily use consumer-grade routers that lack meaningful security mechanisms, providing a safe-haven for adversaries to launch attacks, including damaging distributed denial-of-service (DDoS) attacks. Prior efforts have suggested outsourcing residential network security to experts, but motivating user adoption has been a challenge. This work explores combining residential SDN techniques with prior work on collaborative DDoS reporting to identify residential network compromises. This combination provides incentives for end-users to deploy the technique, including rapid notification of compromises on their own devices and reduced upstream bandwidth consumption, while incurring minimal performance overheads.

2. Yu Liu, Matthew R. Squires, Curtis R. Taylor, Robert J. Walls, Craig A. Shue, "Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks," Conference on Security and Privacy in Communication Network (SecureComm), 2019, Orlando, USA.

To stymie password guessing attacks, many systems lock an account after a given number of failed authentication attempts, preventing access even if proper credentials are later provided. Combined with the proliferation of single sign-on providers, adversaries can use relatively few resources to launch large-scale application-level denial-of-service attacks against targeted user accounts by deliberately providing incorrect credentials across multiple authentication attempts. In this paper, we measure the extent to which this vulnerability exists in production systems. We focus on Microsoft services, which are used in many organizations, to identify exposed authentication points. We measure 2,066 organizations and found between 58% and 77% of organizations expose authentication portals that are vulnerable to account lockout attacks. Such attacks can be completely successful with only 13 KBytes/second of attack traffic. We then propose and evaluate a set of lockout bypass mechanisms for legitimate users. Our performance and security evaluation shows these solutions are effective while introducing little overhead to the network and systems.

1. Yu Liu, Curtis R. Taylor, Craig A. Shue, "Authenticating Endpoints and Vetting Connections in Residential Networks," IEEE ICNC Workshop on Computing, Networking and Communications (CNC), 2019, Hawaii, USA.

The security of residential networks can vary greatly. These networks are often administrated by end-users who may lack security expertise or the resources to adequately defend their networks. Insecure residential networks provide attackers with opportunities to infiltrate systems and create a platform for launching powerful attacks. To address these issues, we introduce a new approach that uses software-defined networking (SDN) to allow home users to outsource their security maintenance to a cloud-based service provider. Using this architecture, we show how a novel network-based two-factor authentication approach can be used to protect Internet of Things devices. Our approach works without requiring modifications to end-devices. We further show how security modules can enforce protocol messages to limit the attack surface in vulnerable devices. Our analysis shows that the system is effective and adds less than 50 milliseconds of delay to the start of a connection with less than 100 microseconds of delay for subsequent packets.

On-Going Projects

Android-hosted SDN for fine-grained security management

Opportunistic Middleboxes in home networks for highly-effective firewall system


Email Addresses: yliu25@wpi.edu

