About

Yih-Chun Hu is an Associate Professor in the Electrical and Computer Engineering department at the University of Illinois Urbana-Champaign, affiliated with the Siebel School of Computing and Data Science. He earned his Ph.D. in Computer Science from Carnegie Mellon University in May 2003, where his dissertation focused on enabling secure high-performance wireless ad hoc networking. His research interests are centered on security and systems, with particular emphasis on secure systems and mobile communications. His work has contributed to the fields of secure Internet routing, secure routing in wireless ad hoc networks, security and anonymity in peer-to-peer networks, and the design and evaluation of ad hoc network routing protocols. Hu's future research aims to develop lightweight, minimally intrusive security systems that preserve privacy and anonymity in wireless networks, address attacker correlation of wireless transmissions, and incentivize user cooperation in environments where cooperation benefits the public. He also focuses on creating evaluation frameworks to measure the performance of secure systems under attack and on designing backwards-compatible, incrementally-deployable security mechanisms for widely-used protocols with insufficient security.

Research topics

• Computer Science
• Computer Security
• Artificial Intelligence
• Operating system
• Algorithm
• World Wide Web
• Telecommunications
• Distributed computing
• Real-time computing
• Database

Selected publications

• Lightweight Internet Bandwidth Allocation and Isolation with Fractional Fair Shares

  2026-01-01

  articleOpen access

  Ensuring fair bandwidth allocations on the public Internet is challenging.Congestion control algorithms (CCAs) often fail in achieving fairness, especially when different CCAs operate simultaneously.This challenge becomes even more pronounced during volumetric distributed denial-of-service (DDoS) attacks, where legitimate traffic can be starved entirely.One approach to address this challenge is to enforce fairness by allocating bandwidth directly at routers.However, existing solutions generally fall into two categories: those that are easy to deploy but fail to provide secure in-network bandwidth isolation, and those that offer strong isolation guarantees but rely on complex assumptions that hinder real-world deployment.To bridge the gap between these two categories, we introduce a new fairness model based on the notion of a per-stream Fractional Fair Share (FFS).At each on-path node, a stream's FFS, represented as packet labels and updated along the forwarding path, conveys its current fair share of egress bandwidth.The combination of a packet-carried FFS and probabilistic forwarding enables effective and scalable isolation of streams with minimal overhead.FFS is the first system to combine low implementation and deployment overhead with effective bandwidth isolation, while remaining robust against source address spoofing and volumetric DDoS attacks, and delivering high performance, scalability, as well as minimal latency and jitter.We show that FFS effectively isolates bandwidth across 15 different CCAs while keeping latency and jitter minimal.Our high-speed implementation sustains a 160 Gbps line rate on commodity hardware.Evaluated on realistic Internet topologies, FFS outperforms several of the most recent and secure bandwidth isolation systems in both median and total bandwidth allocation.In our security analysis, we prove that FFS guarantees a non-zero lower bound on bandwidth allocation for every traffic stream, ensuring that volumetric DDoS attacks, even when combined with source address spoofing, cannot prevent legitimate communication.Finally, we present an extension of FFS that provides accurate and secure rate feedback to the sender, allowing rapid rate adaptation with minimal packet loss.

  PublisherDOI

• Polaris: End-to-End Path Optimization by End Hosts

  2025-07-02

  article

  Path-aware networking (PAN) enables endpoints to locally select end-to-end network paths based on path properties. This approach contrasts with the traditional Internet architecture, where routers determine the next hop towards the destination based on the routing information provided by the Border Gateway Protocol (BGP). By providing this additional transparency and control, PAN opens up opportunities to optimize path selection, with the potential to enhance network performance and user experience metrics. In this paper, we evaluate the potential benefits of PAN for enhancing end-to-end performance. We design Polaris, a concrete feedback-driven path optimization mechanism for PAN, and study its impact on Quality of Service (QoS) as compared to current Internet mechanisms. Our extensive simulation results show the viability and effectiveness of Polaris, revealing that it outperforms the current Internet mechanisms by an average of <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">${4 2 \%}$</tex> improvement in receiving rate and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">${8 1 \%}$</tex> reduction in median loss, in the presence of background traffic.

  PublisherDOI

• vRetention

  2024-04-15 · 2 citations

  articleOpen accessSenior author

  Adaptive bitrate streaming (ABR) and quality of experience (QoE) metrics are proposed to enhance video streaming quality across various Internet connections. Traditional approaches to evaluating these metrics often ignore common user behaviors like seeking, jumping, or replaying video segments, leading to gaps in QoE understanding. Addressing this, we collected 229,178 audience retention curves from YouTube and Bilibili, offering a thorough view of viewer engagement and diverse watching styles. Our analysis reveals notable behavioral differences across countries, categories, and platforms. The YouTube data highlights varied content preferences, such as gaming and entertainment in some countries, and music, travel, and pets & animals in others. Additionally, Bilibili shows trends of early video abandonment, possibly influenced by platform-specific factors and shorter video formats. This enhanced grasp of user engagement aids in refining ABR and QoE metrics. We also highlight several potential applications of our dataset.

  PublisherOA PDFDOI

• Debuglet: Programmable and Verifiable Inter-Domain Network Telemetry

  2024-07-23 · 1 citations

  article

  On today's Internet, end-user debugging is largely limited to simple tools such as ping and traceroute, supplemented by purpose-built services such as bandwidth measurement, and website uptime monitors. Unfortunately, these tools do not provide sufficient data to isolate specific network faults, nor do they give the user results that can be validated by external entities. Furthermore, since networks disparately treat measurement packets, as our empirical results confirm, measurement packets need to be indistinguishable from data packets. In this paper, we argue for a distributed network debugging infrastructure and describe Debuglet, a deployable and incentivized architecture that allows inter-domain network debugging using real data packets and user-defined code, which facilitates accurate and flexible measurements of the network performance experienced by data packets. We implement the Debuglet system, and demonstrate its feasibility by deploying it on a network testbed, evaluating its measurement accuracy, and analyzing its deployment costs.

  PublisherDOI

• FlowBot: A Learning-Based Co-bottleneck Flow Detector for Video Servers

  2023-10-10 · 2 citations

  articleSenior author

  Recent research has proposed that Content Delivery Networks (CDNs) can use better bandwidth allocation to improve video streaming services through congested links. Because CDNs are usually not located at the bottleneck link, shared bottleneck (co-bottleneck) detection on the video servers is necessary for joint flow shaping and the Quality of Experience (QoE) improvements. However, co-bottleneck detection is challenging in such environments due to the large number of flows, possible network topologies, and traffic patterns. Current detectors fail to balance detection accuracy, speed and overhead, and suffer performance degradation in the scale of thousands of flows on each video server. We propose FlowBot, a novel model-based passive co-bottleneck detector designed for deployment on a video server. FlowBot uses Siamese model to learn flow representations, and combines the training procedure with its clustering algorithm to continue to provide strong performance with up to thousands of flows. Our evaluations show that FlowBot can achieve consistently high accuracy (over 70% F1 with around 90% precision) in most tested scenarios, while maintaining a short detection delay of 3 s and overhead similar to the fastest benchmark algorithms.

  PublisherDOI

• TASC: Transparent, Agnostic, Secure Channel for CBTC Under Failure or Cyberattack

  Lecture notes in computer science · 2022-01-01

  book-chapterSenior author
  PublisherDOI

• Secure and Ultra-Reliable Provenance Recovery in Sparse Networks: Strategies and Performance Bounds

  arXiv (Cornell University) · 2022-04-01

  preprintOpen accessSenior author

  Provenance embedding algorithms are well known for tracking the footprints of information flow in wireless networks. Recently, low-latency provenance embedding algorithms have received traction in vehicular networks owing to strict deadlines on the delivery of packets. While existing low-latency provenance embedding methods focus on reducing the packet delay, they assume a complete graph on the underlying topology due to the mobility of the participating nodes. We identify that the complete graph assumption leads to sub-optimal performance in provenance recovery, especially when the vehicular network is sparse, which is usually observed outside peak-hour traffic conditions. As a result, we propose a two-part approach to design provenance embedding algorithms for sparse vehicular networks. In the first part, we propose secure and practical topology-learning strategies, whereas in the second part, we design provenance embedding algorithms that guarantee ultra-reliability by incorporating the topology knowledge at the destination during the provenance recovery process. Besides the novel idea of using topology knowledge for provenance recovery, a distinguishing feature for achieving ultra-reliability is the use of hash-chains in the packet, which trade communication-overhead of the packet with the complexity-overhead at the destination. We derive tight upper bounds on the performance of our strategies, and show that the derived bounds, when optimized with appropriate constraints, deliver design parameters that outperform existing methods. Finally, we also implement our ideas on OMNeT++ based simulation environment to show that their latency benefits indeed make them suitable for vehicular network applications.

  PublisherOA PDFDOI

• Secure and ultra-reliable provenance recovery in sparse networks: Strategies and performance bounds

  Ad Hoc Networks · 2022-04-18 · 3 citations

  articleSenior author
  PublisherDOI

• Caching-based Multicast Message Authentication in Time-critical Industrial Control Systems

  IEEE INFOCOM 2022 - IEEE Conference on Computer Communications · 2022-05-02 · 14 citations

  articleOpen accessSenior author

  Attacks against industrial control systems (ICSs) often exploit the insufficiency of authentication mechanisms. Verifying whether the received messages are intact and issued by legitimate sources can prevent malicious data/command injection by illegitimate or compromised devices. However, the key challenge is to introduce message authentication for various ICS communication models, including multicast or broadcast, with a messaging rate that can be as high as thousands of messages per second, within very stringent latency constraints. For example, certain commands for protection in smart grids must be delivered within 2 milliseconds, ruling out public-key cryptography. This paper proposes two lightweight message authentication schemes, named CMA and its multicast variant CMMA, that perform precomputation and caching to authenticate future messages. With minimal precomputation and communication overhead, C(M)MA eliminates all cryptographic operations for the source after the message is given, and all expensive cryptographic operations for the destinations after the message is received. C(M)MA considers the urgency profile (or likelihood) of a set of future messages for even faster verification of the most time-critical (or likely) messages. We demonstrate the feasibility of C(M)MA in an ICS setting based on a substation automation system in smart grids.

  PublisherOA PDFDOI

• HeadStart: Efficiently Verifiable and Low-Latency Participatory Randomness Generation at Scale

  2022-01-01 · 5 citations

  articleOpen access

  Generating randomness by public participation allows participants to directly contribute randomness and verify the result's security. Ideally, the difficulty of participating in such activities should be as low as possible to reduce the computational burden of being a contributor. However, existing randomness generation protocols are unsuitable for this scenario because of scalability or usability issues. Hence, this paper presents HeadStart, a participatory randomness protocol designed for public participation at scale. HeadStart allows contributors to verify the result on commodity devices efficiently and provides a parameter L that can make the result-publication latency L times lower. Additionally, we propose two implementation improvements to speed up the verification further and reduce the proof size. The verification complexity of HeadStart is only O(L polylog(T ) + log C) for a contribution phase lasting for time T with C contributions.

  PublisherDOI

Recent grants

• CAREER: Protecting against Layer-Violating Attacks in Wireless Networks

  NSF · $476k · 2010–2017

• SaTC: CORE: Small: Hybrid Capability-Enforcement for Endpoint-Driven Traffic Control

  NSF · $500k · 2017–2021

• I-Corps: In-cloud Destination-driven Distributed Denial of Service Filtering

  NSF · $50k · 2017–2019

Frequent coauthors

• Adrian Perrig

  ETH Zurich

  29 shared

• Sang‐Yoon Chang

  University of Colorado Colorado Springs

  27 shared

• Jerry T. Chiang

  Agency for Science, Technology and Research

  16 shared

• David B. Johnson

  Los Alamos National Laboratory

  15 shared

• Zhuotao Liu

  Tsinghua University

  14 shared

• Jason J. Haas

  Sandia National Laboratories

  13 shared

• J. Harshan

  11 shared

• Sristi Lakshmi Sravana Kumar

  Advanced Digital Sciences Center

  9 shared

Education

• Ph.D., Computer Science

  University of Illinois at Urbana-Champaign

  1990

• M.S., Computer Science

  University of Illinois at Urbana-Champaign

  1986

• B.S., Computer Science

  National Tsinghua University

  1982

Awards & honors

• NSF CAREER Award (2018)