Engin Kirda

Northeastern University · Electrical and Energy Engineering

Active 2000–2025

h-index: 62
Citations: 16.5k
Papers: 246 · 39 last 5y
Funding: $2.0M
About

Engin Kirda is a professor at Northeastern University, serving in the Khoury College of Computer Sciences and the College of Engineering. He is the director of the Information Assurance Program, a joint PhD program offered by these colleges. His research focuses on security issues that have the potential to affect a large number of people, including malware analysis and detection, web security, social network security, reverse engineering, and intrusion detection. Professor Kirda is the co-founder and co-director of the International Secure Systems Lab, a collaborative effort of European and U.S. researchers dedicated to web security, malware and vulnerability analysis, and intrusion detection. He has contributed to the development of tools such as Anubis, FIRE, and Pixy, which are used for malware analysis, detecting hacked internet services, and vulnerability assessments for web pages, respectively. His academic background includes a PhD from the Technical University of Vienna, earned in 2002. He has been recognized as an IEEE Fellow and has received numerous awards for his contributions to cybersecurity research.

Research topics

  • Computer Science
  • Artificial Intelligence
  • Computer Security
  • Computer hardware
  • Human–computer interaction
  • Computer network
  • Operating system

Selected publications

  • Enhancing Network Security Through Vulnerability Monitoring

    Lecture notes in computer science · 2025-01-01

    book-chapter · Senior author
  • DRIFT: Debug-based Trace Inference for Firmware Testing

    2025-11-16

    article · Senior author

    Binary firmware fuzzing has garnered attention in recent years. Compared to source-code-based approaches, binary approaches require less semantic information and are therefore more applicable. This is particularly relevant in firmware analysis, as most firmware vendors distribute only binaries, withholding source code due to proprietary concerns. Pivoting away from the traditional hardware-in-the-loop (HiL) methodology, researchers are exploring more efficient ways to engage real hardware for fuzzing. However, existing approaches have inherent drawbacks, such as reliance on high-end hardware features, inability to recover complete coverage, and slow execution speeds. We propose DRIFT, a novel approach for on-device binary firmware testing that follows the semihosting methodology. DRIFT addresses all the aforementioned drawbacks. The core insight of DRIFT is to use the Debug Monitor (DM) for firmware fuzzing. DM is an Arm Cortex-M CPU feature that allows triggering an interrupt when a breakpoint is hit. Through chaining the DM interrupts, DRIFT is able to let firmware trace itself. This self-tracing approach minimizes interference from the workstation, significantly boosting fuzzing performance. We designed DRIFT to be highly flexible, accommodating a number of hardware resource limitations. When applied to new firmware, DRIFT discovered three previously unknown bugs that were not identified by existing binary fuzzing techniques. Furthermore, DRIFT outperforms all state-of-the-art binary firmware fuzzers in terms of speed and fidelity, trailing only SHiFT, an approach that requires source code.

  • H2Fuzz: Guided, Black-box, Differential Fuzzing for HTTP/2-to-HTTP/1 Conversion Anomalies

    2025-10-19

    article · Senior author

    HTTP/2 is by far the most popular HTTP version, yet in practice, HTTP connections rarely occur over end-to-end HTTP/2. This is due in large part to the fact that reverse proxies such as Content Delivery Networks (CDNs) between the client and server universally support HTTP/2 on the client side of the connection, but rarely on the server side. Proxies must therefore dynamically convert between HTTP/2 and HTTP/1, and anomalies in this conversion process can lead to critical vulnerabilities. Prior work proposed generational fuzzing techniques to discover these anomalies. However, such an approach lacks meaningful feedback, limiting the expressiveness of the generated requests and the number of anomalies it can induce. We, therefore, propose H2Fuzz, a black-box differential fuzzer for HTTP/2 which uses a comprehensive mutator and novel feedback system to drive a set of reverse proxies to increasingly divergent behavior, uncovering conversion anomalies in the process. We fuzz a set of 11 standalone reverse proxies and 5 CDNs with H2Fuzz, and find that it induces 50% more conversion anomalies than the state-of-the-art, many of which have immediate security implications.

  • Diversity Perspectives on Access Control and Authentication in Shared IoT Devices

    2025-01-11

    article · Senior author

    As smart IoT devices become more common in shared spaces, users are looking into utilizing access control and authentication mechanisms. This paper analyzes how different race and ethnicity groups perceive access control and authentication concerns with smart IoT devices. Additionally, little is known about the attitudes and expressions of different race and ethnicity groups towards providing temporary access to guests. Our findings aim to improve smart device design for greater inclusivity.

  • “Only as Strong as the Weakest Link”: On the Security of Brokered Single Sign-On on the Web

    2025-05-12 · 1 citation

    article · Senior author

    Single Sign-On (SSO) is an authentication process that allows users to access multiple services with a single set of login credentials. Although SSO improves the user experience, it poses challenges to developers to implement complex authentication protocols securely. External services, called brokers, simplify the integration of SSO. In this paper, we shed light on the emerging brokered SSO ecosystem, focusing on the security of the newly introduced actor, the broker. We systematically evaluate the landscape of brokered SSO, uncovering significant blind spots in previous research. Our study reveals that 25% of the websites with SSO integrate brokers for authentication, an area that has not been covered by any previous research. Through our comprehensive security evaluation, we identify three categories of threats associated with brokered SSO: (1) insufficient validation of redirect chains enabling injection attacks, (2) unauthorized data access enabling account takeovers, and (3) violations of security best current practices. We expose vulnerabilities in over 50 brokers, compromising the security of more than 2k websites. These findings represent only a lower bound of a critical situation, underscoring the urgent need for improved security measures and protocols to safeguard the integrity of brokered SSO systems.

  • Malware Behavior Clustering

    2025-01-01

    book-chapter · 1st author · Corresponding
  • Secure IP Address Allocation at Cloud Scale

    2025-01-01 · 2 citations

    article · Open access

    Public clouds necessitate dynamic resource allocation and sharing. However, the dynamic allocation of IP addresses can be abused by adversaries to source malicious traffic, bypass rate limiting systems, and even capture traffic intended for other cloud tenants. As a result, both the cloud provider and their customers are put at risk, and defending against these threats requires a rigorous analysis of tenant behavior, adversarial strategies, and cloud provider policies. In this paper, we develop a practical defense for IP address allocation through such an analysis. We first develop a statistical model of cloud tenant deployment behavior based on literature and measurement of deployed systems. Through this, we analyze IP allocation policies under existing and novel threat models. In response to our stronger proposed threat model, we design IP scan segmentation, an IP allocation policy that protects the address pool against adversarial scanning even when an adversary is not limited by number of cloud tenants. Through empirical evaluation on both synthetic and real-world allocation traces, we show that IP scan segmentation reduces adversaries' ability to rapidly allocate addresses, protecting both address space reputation and cloud tenant data. In this way, we show that principled analysis and implementation of cloud IP address allocation can lead to substantial security gains for tenants and their users.

  • ENOLA: Efficient Control-Flow Attestation for Embedded Systems

    ArXiv.org · 2025-01-20

    preprint · Open access

    Microcontroller-based embedded systems are vital in daily life, but are especially vulnerable to control-flow hijacking attacks due to hardware and software constraints. Control-Flow Attestation (CFA) aims to precisely attest the execution path of a program to a remote verifier. However, existing CFA solutions face challenges with large measurement and/or trace data, limiting these solutions to small programs. In addition, slow software-based measurement calculations limit their feasibility for microcontroller systems. In this paper, we present ENOLA, an efficient control-flow attestation solution for low-end embedded systems. ENOLA introduces a novel authenticator that achieves linear space complexity. Moreover, ENOLA capitalizes on the latest hardware-assisted message authentication code computation capabilities found in commercially-available devices for measurement computation. ENOLA employs a trusted execution environment, and allocates general-purpose registers to thwart memory corruption attacks. We have developed the ENOLA compiler through LLVM passes and attestation engine on the ARMv8.1-M architecture. Our evaluations demonstrate ENOLA's effectiveness in minimizing data transmission, while achieving lower or comparable performance to the existing works.

  • WAFFLED: Exploiting Parsing Discrepancies to Bypass Web Application Firewalls

    2025-12-08

    article · Open access · Senior author

    Web Application Firewalls (WAFs) have been introduced as essential and popular security gates that inspect incoming HTTP traffic to filter out malicious requests and provide defenses against a diverse array of web-based threats. Evading WAFs can compromise these defenses, potentially harming Internet users. In recent years, parsing discrepancies have plagued many entities in the communication path; however, their potential impact on WAF evasion and request smuggling remains largely unexplored. In this work, we present an innovative approach to bypassing WAFs by uncovering and exploiting parsing discrepancies through advanced fuzzing techniques. By targeting non-malicious components such as headers and segments of the body and using widely used content-types such as application/json, multipart/form-data, and application/xml, we identified and confirmed 1207 bypasses across 5 well-known WAFs, AWS, Azure, Cloud Armor, Cloudflare, and ModSecurity. To validate our findings, we conducted a study in the wild, revealing that more than 90% of websites accepted both application/x-www-form-urlencoded and multipart/form-data interchangeably, highlighting a significant vulnerability and the broad applicability of our bypass techniques. We have reported these vulnerabilities to the affected parties and received acknowledgments from all, as well as bug bounty rewards from some vendors. Further, to mitigate these vulnerabilities, we introduce HTTP-Normalizer, a robust proxy tool designed to rigorously validate HTTP requests against current RFC standards. Our results demonstrate its effectiveness in normalizing or blocking all bypass attempts presented in this work.

  • Cross Site Scripting Attacks

    2025-01-01

    book-chapter · 1st author · Corresponding

Labs

  • Northeastern University Systems Security Lab · PI

Education

  • Ph.D., Computer Science

    University of California, Santa Barbara

    2002
  • M.S., Computer Science

    University of California, Santa Barbara

    1998
  • B.S., Computer Engineering

    Middle East Technical University

    1996

Awards & honors

  • Sy and Laurie Sternberg Interdisciplinary Chaired Professors…
  • IEEE Fellow (2025)