
Peter Andreas
John Hay Professor of International Studies and Political Science · Brown University · International and Public Affairs
Active 1885–2024
About
Peter Andreas is the John Hay Professor of International Studies at Brown University, where he joined the Watson Institute in the fall of 2001. He holds a joint appointment with the Department of Political Science. Andreas has a distinguished academic background, including an M.A. and Ph.D. in government from Cornell University and a B.A. in political science from Swarthmore College. His research bridges the study of security, political economy, and transnational crime, with a particular focus on the clandestine dimensions of globalization involving illicit cross-border flows of people, goods, money, and information. He traces the interaction between states and illicit flows across time and place, emphasizing the practice and politics of government policing efforts along and across borders.
Research topics
- Computer Security
- Computer Science
- Artificial Intelligence
- Data science
- Computer network
- World Wide Web
Selected publications
DEEPCASE: Semi-Supervised Contextual Analysis of Security Events
2022 IEEE Symposium on Security and Privacy (SP) · 2022 · 80 citations
- Computer Science
- Computer Security
Security monitoring systems detect potentially malicious activities in IT infrastructures, by either looking for known signatures or for anomalous behaviors. Security operators investigate these events to determine whether they pose a threat to their organization. In many cases, a single event may be insufficient to determine whether certain activity is indeed malicious. Therefore, a security operator frequently needs to correlate multiple events to identify if they pose a real threat. Unfortunately, the vast number of events that need to be correlated often overload security operators, forcing them to ignore some events and, thereby, potentially miss attacks. This work studies how to automatically correlate security events and, thus, automate parts of the security operator workload. We design and evaluate DEEPCASE, a system that leverages the context around events to determine which events require further inspection. This approach reduces the number of events that need to be inspected. In addition, the context provides valuable insights into why certain events are classified as malicious. We show that our approach automatically filters 86.72% of the events and reduces the manual workload of security operators by 90.53%, while underestimating the risk of potential threats in less than 0.001% of cases.
Automated Retrieval of ATT&CK Tactics and Techniques for Cyber Threat Reports
2020 · 41 citations
Senior author · Corresponding
- Computer Science
- Computer Security
Over the last years, threat intelligence sharing has steadily grown, leading cybersecurity professionals to access increasingly larger amounts of heterogeneous data. Among those, cyber attacks’ Tactics, Techniques and Procedures (TTPs) have proven to be particularly valuable to characterize threat actors’ behaviors and, thus, improve defensive countermeasures. Unfortunately, this information is often hidden within human-readable textual reports and must be extracted manually. In this paper, we evaluate several classification approaches to automatically retrieve TTPs from unstructured text. To implement these approaches, we take advantage of the MITRE ATT&CK framework, an open knowledge base of adversarial tactics and techniques, to train classifiers and label results. Finally, we present rcATT, a tool built on top of our findings and freely distributed to the security community to support cyber threat report automated analysis.
FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic
2020 · 293 citations
Senior author · Corresponding
- Computer Science
- Computer network
Mobile-application fingerprinting of network traffic is valuable for many security solutions as it provides insights into the apps active on a network. Unfortunately, existing techniques require prior knowledge of apps to be able to recognize them. However, mobile environments are constantly evolving, i.e., apps are regularly installed, updated, and uninstalled. Therefore, it is infeasible for existing fingerprinting approaches to cover all apps that may appear on a network. Moreover, most mobile traffic is encrypted, shows similarities with other apps, e.g., due to common libraries or the use of content delivery networks, and depends on user input, further complicating the fingerprinting process.
Frequent coauthors
- James T. Shotwell · 49 shared
- Helen V. Milner · Princeton Public Schools · 49 shared
- Florian Hahn · 20 shared
- Stefan Katzenbeisser · University of Passau · 19 shared
- D. G. Pitt · RELX Group (Netherlands) · 16 shared
- Leonard Smith · Institute of Natural Sciences · 16 shared
- C Bays · Planetary Science Institute · 16 shared
- Richard V. Sims · Planetary Science Institute · 16 shared
Awards & honors
- 2024 Distinguished Scholar Award from the International Asso…