
Tijay Chung
Assistant Professor · Virginia Tech · Computer Science
Active 2010–2025
About
Tijay Chung is an Associate Professor in the Department of Computer Science at Virginia Tech. He holds a Ph.D. in computer science and engineering from Seoul National University, South Korea, obtained in 2015, and a B.S. in computer science and engineering from Pohang University of Science and Technology, South Korea, earned in 2009. His research interests include internet security and internet measurement. He is based at the Gilbert Place location in Blacksburg, VA, and is involved in the Institute for Advanced Computing. His contact information includes an email address (tijay@vt.edu) and a phone number (540-231-0667).
Research topics
- Computer Science
- Computer Security
- World Wide Web
- Computer network
- Algorithm
- Economics
- Internet privacy
- Microeconomics
- Operating system
Selected publications
ASINT: Learning AS-to-Organization Mapping from Internet Metadata
ArXiv.org · 2025-08-04
preprint · Open access · Senior author
Accurate AS-to-organization mapping underpins Internet measurement and security, yet registries are fragmented, PeeringDB is narrow, and routing views reflect connectivity rather than ownership. We take a pragmatic step: ASINT integrates curated web evidence with retrieval-guided LLM techniques and strict, evidence-cited validation to infer two relations (aliases and directed parent-child) and then revalidates them conservatively. To keep the dataset sustainable, we operate a public dashboard and API where operators can inspect per-ASN evidence and submit feedback that seeds refreshes. At scale, ASINT maps 112,172 ASNs into 82,840 organization families and, on overlapping AS sets, yields fewer, larger families with 21-24% more multi-AS groups than prior datasets (i.e., CAIDA AS2Org [11], AS2ORG+ [4], AS-Sibling [10], and Borges [28]). Quality is high in practice: ASINT achieves a precision of 0.9608, a recall of 0.9915 and an accuracy of 0.9752 under manual validation. Public deployment further drew operator-submitted reports for 595 ASNs across 106 organizations, with only 6 errors (99.0% observed clustering accuracy), with feedback coming from network operators across all RIR regions. Better organization context improves downstream analyses: +27.5% intra-organization RPKI misconfiguration detections, -9.4% benign hijack alerts, and -5.9% corrections to cases mislabeled as IP leasing. We release code, datasets, and the operator platform with APIs; given persistent ambiguity in organizational names and the continual evolution of corporate structures, an operator-in-the-loop process is essential; the platform records per ASN feedback with provenance and incorporates it into periodic refreshes and retraining. The methodology is model-agnostic and stands to improve further as base LLMs advance.
An Analysis of Recent Advances in Deepfake Image Detection in an Evolving Threat Landscape
arXiv (Cornell University) · 2024-04-24 · 2 citations
preprint · Open access
Deepfake or synthetic images produced using deep generative models pose serious risks to online platforms. This has triggered several research efforts to accurately detect deepfake images, achieving excellent performance on publicly available deepfake datasets. In this work, we study 8 state-of-the-art detectors and argue that they are far from being ready for deployment due to two recent developments. First, the emergence of lightweight methods to customize large generative models, can enable an attacker to create many customized generators (to create deepfakes), thereby substantially increasing the threat surface. We show that existing defenses fail to generalize well to such user-customized generative models that are publicly available today. We discuss new machine learning approaches based on content-agnostic features, and ensemble modeling to improve generalization performance against user-customized models. Second, the emergence of vision foundation models -- machine learning models trained on broad data that can be easily adapted to several downstream tasks -- can be misused by attackers to craft adversarial deepfakes that can evade existing defenses. We propose a simple adversarial attack that leverages existing foundation models to craft adversarial samples without adding any adversarial noise, through careful semantic manipulation of the image content. We highlight the vulnerabilities of several defenses against our attack, and explore directions leveraging advanced foundation models and adversarial training to defend against this new threat.
An Analysis of Recent Advances in Deepfake Image Detection in an Evolving Threat Landscape
2024-05-19 · 25 citations
article
Deepfake or synthetic images produced using deep generative models pose serious risks to online platforms. This has triggered several research efforts to accurately detect deepfake images, achieving excellent performance on publicly available deepfake datasets. In this work, we study 8 state-of-the-art detectors and argue that they are far from being ready for deployment due to two recent developments. First, the emergence of lightweight methods to customize large generative models, can enable an attacker to create many customized generators (to create deepfakes), thereby substantially increasing the threat surface. We show that existing defenses fail to generalize well to such user-customized generative models that are publicly available today. We discuss new machine learning approaches based on content-agnostic features, and ensemble modeling to improve generalization performance against user-customized models. Second, the emergence of vision foundation models—machine learning models trained on broad data that can be easily adapted to several downstream tasks—can be misused by attackers to craft adversarial deepfakes that can evade existing defenses. We propose a simple adversarial attack that leverages existing foundation models to craft adversarial samples without adding any adversarial noise, through careful semantic manipulation of the image content. We highlight the vulnerabilities of several defenses against our attack, and explore directions leveraging advanced foundation models and adversarial training to defend against this new threat.
IRRedicator: Pruning IRR with RPKI-Valid BGP Insights
2024-01-01 · 2 citations
article · Open access · Senior author
Border Gateway Protocol (BGP) provides a way of exchanging routing information to help routers construct their routing tables. However, due to the lack of security considerations, BGP has been suffering from vulnerabilities such as BGP hijacking attacks. To mitigate these issues, two data sources have been used, Internet Routing Registry (IRR) and Resource Public Key Infrastructure (RPKI), to provide reliable mappings between IP prefixes and their authorized Autonomous Systems (ASes). Each of the data sources, however, has its own limitations. IRR has been well-known for its stale Route objects with outdated AS information since network operators do not have enough incentives to keep them up to date, and RPKI has been slowly deployed due to its operational complexities. In this paper, we measure the prevalent inconsistencies between Route objects in IRR and ROA objects in RPKI. We next characterize inconsistent and consistent Route objects, respectively, by focusing on their BGP announcement patterns. Based on this insight, we develop a technique that identifies stale Route objects by leveraging a machine learning algorithm and evaluate its performance. From real trace-based experiments, we show that our technique can offer advantages against the status quo by reducing the percentage of potentially stale Route objects from 72% to 40% (of the whole IRR Route objects). In this way, we achieve 93% of the accuracy of validating BGP announcements while covering 87% of BGP announcements.
Exploring the Evolution of TLS Certificates
Lecture notes in computer science · 2023-01-01 · 5 citations
book-chapter · Senior author · Corresponding
TTL Violation of DNS Resolvers in the Wild
Lecture notes in computer science · 2023-01-01 · 8 citations
book-chapter · Senior author · Corresponding
Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security · 2022-11-07 · 8 citations
article · Open access
This paper proposes using a logic programming language to disentangle X.509 certificate validation policy from mechanism. Expressing validation policies in a logic programming language provides multiple benefits. First, policy and mechanism can be more independently written, augmented, and analyzed compared to the current practice of interweaving them within a C or C++ implementation. Once written, these policies can be easily shared and modified for use in different TLS clients. Further, logic programming allows us to determine when clients differ in their policies and use the power of imputation to automatically generate interesting certificates, e.g., a certificate that will be accepted by one browser but not by another.
Privacy Guarantees of BLE Contact Tracing for COVID-19 and Beyond: A Case Study on COVIDWISE
Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security · 2022-05-24 · 2 citations
article · Open access
Google and Apple jointly introduced a digital contact tracing technology and an API called "exposure notification," to help health organizations and governments with contact tracing. The technology and its interplay with security and privacy constraints require investigation. In this study, we examine and analyze the security, privacy, and reliability of the technology with actual and typical scenarios (and expected typical adversary in mind), and quite realistic use cases. We do it in the context of Virginia's COVIDWISE app. This experimental analysis validates the properties of the system under the above conditions, a result that seems crucial for the peace of mind of the exposure notification technology adopting authorities, and may also help with the system's transparency and overall user trust.
Under the Hood of DANE Mismanagement in SMTP
University of Twente Research Information · 2022-12-01
paratext · Open access · Senior author
The DNS-based Authentication of Named Entities (DANE) is an Internet security protocol that enables a TLS connection without relying on trusted third parties like CAs by introducing a new DNS record type, TLSA. DANE leverages DNSSEC PKI to provide the integrity and authenticity of TLSA records. As DANE can solve security challenges in SMTP, such as STARTTLS downgrade attacks and receiver authentication, it has been increasingly deployed surpassing more than 1 M domains with SMTP servers that have TLSA records. A recent study, however, reported that there are prevalent misconfigurations on DANE SMTP servers, which hinders DANE from being proliferated. In this paper, we investigate the reasons why it is hard to deploy and manage DANE correctly. Our study uses large-scale, longitudinal measurements to study DANE adoption and management, coupled with a survey of DANE operators, some of which serve more than 100 K domains. Overall, we find that keeping the TLSA records from a name server and certificates from an SMTP server synchronized is not straightforward even when the same entity manages the two servers. Furthermore, many of the certificates are configured to be reissued automatically, which may result in invalid TLSA records. From surveying 39 mail server operators, we also learn that the majority keeps using CA-issued certificates, despite this no longer being required with DANE, since they are worried about their certificates not being trusted by clients that have not deployed DANE. Having identified several operational challenges for correct DANE management, we release automated tools and shed light on unsolved challenges
A comparative analysis of certificate pinning in Android & iOS
2022 · 16 citations
- Computer Security
- Computer Science
TLS certificate pinning is a security mechanism used by applications (apps) to protect their network traffic against malicious certificate authorities (CAs), in-path monitoring, and other methods of TLS tampering. Pinning can provide enhanced security to defend against malicious third-party access to sensitive data in transit (e.g., to protect sensitive banking and health care information), but can also hide an app's personal data collection from users and auditors. Prior studies found pinning was rarely used in the Android ecosystem, except in high-profile, security-sensitive apps; and, little is known about its usage on iOS and across mobile platforms.
Recent grants
CRII: SaTC: Measuring and Improving the Management of Resource Public Key Infrastructure (RPKI)
NSF · $167k · 2019–2020
CNS Core: Large: Collaborative Research: Towards an Evolvable Public Key Infrastructure
NSF · $274k · 2020–2023
CRII: SaTC: Measuring and Improving the Management of Resource Public Key Infrastructure (RPKI)
NSF · $149k · 2020–2022
CNS Core: Large: Collaborative Research: Towards an Evolvable Public Key Infrastructure
NSF · $214k · 2019–2020
Frequent coauthors
- Jinyoung Han · 18 shared
- Alan Mislove · Northeastern University · 17 shared
- Yanghee Choi · Yonsei University · 15 shared
- Bruce M. Maggs · 14 shared
- Ted Taekyoung Kwon · Seoul National University · 14 shared
- Dave Levin · 12 shared
- Roland van Rijswijk-Deij · University of Twente · 11 shared
- David Choffnes · 10 shared