Wajih Ul Hassan
Verified · University of Virginia · Computer Science
Active 2016–2026
About
Wajih Ul Hassan is an Assistant Professor of Computer Science at the University of Virginia. His research primarily focuses on system security, with a specialization in developing practical solutions to protect complex networked computer systems. He employs novel data-driven approaches alongside scalable system design to enhance security measures. At UVA, he leads the DART Lab, where his work has been recognized with the prestigious NSF CAREER Award in 2024.
Research topics
- Computer Science
- Computer Security
- Geology
- Internet privacy
- Materials science
- Nanotechnology
- Physics
Selected publications
Accurate and Scalable Detection and Investigation of Cyber Persistence Threats
IEEE Transactions on Dependable and Secure Computing · 2026-01-01 · 2 citations
preprint · Open access · Senior author
In Advanced Persistent Threat (APT) attacks, achieving stealthy persistence within target systems is often crucial for an attacker's success. This persistence allows adversaries to maintain prolonged access, often evading detection mechanisms. Recognizing its pivotal role in the APT lifecycle, this paper introduces Cyber Persistence Detector (CPD), a novel system dedicated to detecting cyber persistence through provenance analytics. CPD is founded on the insight that persistent operations typically manifest in two phases: the "persistence setup" and the subsequent "persistence execution". By causally relating these phases, we enhance our ability to detect persistent threats. First, CPD discerns setups signaling an impending persistent threat and then traces processes linked to remote connections to identify persistence execution activities. A key feature of our system is the introduction of pseudo-dependency edges (pseudoedges), which effectively connect these disjoint phases using data provenance analysis, and expert-guided edges, which enable faster tracing and reduced log size. These edges empower us to detect persistence threats accurately and efficiently. Moreover, we propose a novel alert triage algorithm that further reduces false positives associated with persistence threats. Evaluations conducted on well-known datasets demonstrate that our system reduces the average false positive rate by 93% compared to state-of-the-art methods.
HADES: Detecting and Investigating Active Directory Attacks via Whole Network Provenance Analytics
Repository KITopen (Karlsruhe Institute of Technology) · 2026-01-01
article · Open access
Due to its crucial role in identity and access management in modern enterprise networks, Active Directory (AD) is a top target of Advanced Persistence Threat (APT) actors. Conventional intrusion detection systems (IDS) excel at identifying malicious behaviors caused by malware, but often fail to detect stealthy attacks launched by APT actors. Recent advances in provenance-based IDS (PIDS) show promise by exposing malicious system activities in causal attack graphs. However, existing approaches are restricted to intra-machine tracing, and unable to reveal the scope of attackers' traversal inside a network. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing by leveraging a novel concept called logon session based execution partitioning to overcome several challenges in cross-machine tracing. We design HADES as an efficient on-demand tracing system, which performs whole-network tracing only when it first identifies an authentication anomaly signifying an ongoing AD attack, for which we introduce a novel lightweight authentication anomaly detection model rooted in our extensive analysis of AD attacks. To triage attack alerts, we present a new algorithm integrating two key insights we identified in AD attacks. Our evaluations show that HADES outperforms both popular open-source detection systems and a prominent commercial AD attack detector.
2026-04-15
other · Senior author
Demo: Investigating Immersive Attacks with REALITYCHECK
2025-10-23
article · Open access · Senior author
RealityCheck, recently published at USENIX Security 2025, is the first provenance-based auditing framework that enables comprehensive root-cause and impact analysis of complex attacks against Augmented/Virtual-Reality (AR/VR) head-mounted devices. This demonstration paper describes the live, hands-on instantiation of RealityCheck, highlighting how security analysts can transparently capture multi-layer logs from commodity headsets, automatically transform these heterogeneous traces into concise multilayer provenance graphs, and perform real-time exploratory queries to isolate attack causality. We demonstrate RealityCheck reconstructing an end-to-end provenance graph for the Object-in-the-middle attack, published at USENIX Security 2024, on a Meta Quest 2, achieving millisecond-level query latency with negligible runtime overhead.
Indus journal of bioscience research. · 2025-05-18
article · Open access · 1st author · Corresponding
Background: Ulcerative colitis (UC) is a chronic inflammatory bowel disease marked by periods of remission and relapse. While mesalazine remains a standard maintenance therapy, long-term use may lead to adverse effects. Probiotics, known to modulate gut microbiota and reduce intestinal inflammation, have emerged as a potential adjunct or alternative treatment to prevent relapse in UC. Objective: This meta-analysis aimed to evaluate the efficacy of probiotics compared to mesalazine in maintaining remission and reducing relapse rates in UC patients. Methods: A systematic search of PubMed, Embase, Scopus, and Cochrane CENTRAL was conducted to identify randomized controlled trials (RCTs) from 1990 to 2023 that compared probiotics with mesalazine in adult UC patients. Studies were screened based on predefined inclusion criteria. Data were extracted and pooled risk ratios (RRs) were calculated using a random-effects model. Heterogeneity was assessed using I² statistics, and risk of bias was evaluated via the Cochrane RoB 2.0 tool. Results: Four RCTs involving 533 patients were included. Among them, 264 received probiotic therapy and 269 received mesalazine. The pooled RR for relapse was 0.97 (95% CI: 0.79–1.20; p = 0.80), indicating no statistically significant difference between groups. Subgroup analysis at 12-month follow-up showed similar outcomes (RR = 0.96; 95% CI: 0.77–1.19; p = 0.68). Heterogeneity was low (I² = 0%). Conclusion: Probiotic therapy demonstrates comparable efficacy to mesalazine in preventing relapse in UC patients. Given their favorable safety profile and patient acceptability, probiotics may serve as a viable maintenance strategy, warranting further large-scale studies to confirm long-term outcomes.
HADES: Detecting and Investigating Active Directory Attacks via Whole Network Provenance Analytics
IEEE Transactions on Dependable and Secure Computing · 2025-09-22 · 4 citations
preprint · Open access
Due to its crucial role in identity and access management in modern enterprise networks, Active Directory (AD) is a top target of Advanced Persistence Threat (APT) actors. Conventional intrusion detection systems (IDS) excel at identifying malicious behaviors caused by malware, but often fail to detect stealthy attacks launched by APT actors. Recent advances in provenance-based IDS (PIDS) show promise by exposing malicious system activities in causal attack graphs. However, existing approaches are restricted to intra-machine tracing, and unable to reveal the scope of attackers' traversal inside a network. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing by leveraging a novel concept called logon session based execution partitioning to overcome several challenges in cross-machine tracing. We design HADES as an efficient on-demand tracing system, which performs whole-network tracing only when it first identifies an authentication anomaly signifying an ongoing AD attack, for which we introduce a novel lightweight authentication anomaly detection model rooted in our extensive analysis of AD attacks. To triage attack alerts, we present a new algorithm integrating two key insights we identified in AD attacks. Our evaluations show that HADES outperforms both popular open-source detection systems and a prominent commercial AD attack detector.
Are We There Yet? Unraveling the State-of-the-Art Graph Network Intrusion Detection Systems
ArXiv.org · 2025-03-26
preprint · Open access · Senior author
Network Intrusion Detection Systems (NIDS) are vital for ensuring enterprise security. Recently, Graph-based NIDS (GIDS) have attracted considerable attention because of their capability to effectively capture the complex relationships within the graph structures of data communications. Despite their promise, the reproducibility and replicability of these GIDS remain largely unexplored, posing challenges for developing reliable and robust detection systems. This study bridges this gap by designing a systematic approach to evaluate state-of-the-art GIDS, which includes critically assessing, extending, and clarifying the findings of these systems. We further assess the robustness of GIDS under adversarial attacks. Evaluations were conducted on three public datasets as well as a newly collected large-scale enterprise dataset. Our findings reveal significant performance discrepancies, highlighting challenges related to dataset scale, model inputs, and implementation settings. We demonstrate difficulties in reproducing and replicating results, particularly concerning false positive rates and robustness against adversarial attacks. This work provides valuable insights and recommendations for future research, emphasizing the importance of rigorous reproduction and replication studies in developing robust and generalizable GIDS solutions.
Cureus · 2025-10-04
article · Open access
Objective: The objective of the study is to evaluate the safety, efficacy, and short-term outcomes of endoscopic excision of third-ventricular colloid cysts at a single tertiary care center in a resource-constrained environment. Methodology: A retrospective review was conducted at the Punjab Institute of Neurosciences, Lahore, from January 2022 to May 2024. The study included 22 patients identified from institutional records including the Picture Archiving and Communication System (PACS) comprising consecutive eligible individuals who underwent endoscopic excision during the study period. Results: The mean (standard deviation (SD)) age was 34.1 (15.0) years; 12 (54.5%) were female. Headache was the most common presenting symptom, followed by vomiting, drop attacks, and loss of consciousness. Complete excision was achieved in 19 (86.4%) patients. An external ventricular drain (EVD) was placed in 13 (59.1%) patients, and five (22.7%) required ventriculoperitoneal (VP) shunts (two preoperative and three postoperative). Postoperative complications included chemical meningitis in four (18.2%) patients and ventriculitis in two (9.1%) patients; overall, postoperative complications occurred in six (27.3%) patients. One death (4.5%) occurred. At six months, 20 patients completed follow-up; none reported recurrence of primary symptoms. Conclusion: Endoscopic excision of third-ventricular colloid cysts was feasible in our series, with most patients achieving complete excision and favorable short-term outcomes. Complications and one mortality highlight the need for careful patient selection and standardized perioperative protocols. These results suggest that endoscopy can be a viable option in resource-limited settings, though longer follow-up and larger comparative studies are needed to confirm safety and long-term efficacy.
Rethinking Tamper-Evident Logging: A High-Performance, Co-Designed Auditing System
2025-11-19 · 2 citations
article · Open access · Senior author
Existing tamper-evident logging systems suffer from high overhead and severe data loss in high-load settings, yet only provide coarse-grained tamper detection. Moreover, installing such systems requires recompiling kernel code. To address these challenges, we present Nitro, a high-performance, tamper-evident audit logging system that supports fine-grained detection of log tampering. Even better, our system avoids kernel recompilation by using the eBPF technology. To formally justify the security of Nitro, we provide a new definitional framework for logging systems, and give a practical cryptographic construction meeting this new goal. Unlike prior work that focuses only on the cryptographic processing, we co-design the cryptographic part with the pre- and post-processing of the logs to exploit all system-level optimizations. Our evaluations demonstrate Nitro's superior performance, achieving 10X-25X improvements in high-stress conditions and 2X-10X in real-world scenarios while maintaining near-zero data loss. We also provide an advanced variant, Nitro-R, that introduces in-kernel log reduction techniques to reduce runtime overhead even further.
2025-12-08
article · Senior author
Graph-based Network Intrusion Detection Systems (GIDS) are increasingly used to model complex communication patterns and detect sophisticated enterprise threats, yet the reproducibility and replicability of GIDS research remain underexplored, limiting the reliability and generalizability of published results. We present a rigorous reproduction and replication of five state-of-the-art GIDS across four public datasets and a new large-scale enterprise dataset. Even with original code and configurations, reproducing claimed performance is difficult; detection metrics vary by up to 40 percent due to undocumented assumptions, preprocessing discrepancies, and hyperparameter sensitivity. Models also fail to generalize to real-world enterprise traffic, exhibiting high false positive rates and scalability issues. We identify key implementation factors: graph snapshot size and threshold-setting strategies significantly affect detection performance but are inconsistently documented, and several GIDS are vulnerable to evasion attacks. Beyond confirming known challenges (e.g., parameter sensitivity), our results expose a critical reproducibility crisis in the GIDS literature: without transparent and systematic evaluation, reported results may mislead researchers and practitioners. We provide recommendations to improve reproducibility, replicability, and robustness, and urge the community to adopt rigorous standards for empirical evaluation.
Frequent coauthors
- 27 shared
Adam Bates
- 10 shared
Riccardo Paccagnella
Carnegie Mellon University
- 9 shared
Nova Ahmed
North South University
- 9 shared
Laura S. Gaytán-Lugo
Universidad de Colima
- 9 shared
Eric Hennenfent
Institute of Electrical and Electronics Engineers
- 9 shared
Michelle L. Mazurek
University of Maryland, College Park
- 9 shared
Ombeline Leclerc-Istria
Regional Municipality of Niagara
- 9 shared
Vincent Nicomette
Centre National de la Recherche Scientifique
Labs
DART Lab (PI)
Detecting, Analyzing, and Responding to Cyber Threats (DART) Lab
Education
Ph.D., Computer Science
University of Virginia
Awards & honors
- NSF CAREER Award
- Symantec Research Labs Graduate Fellowship
- ACM SIGSOFT Distinguished Paper Award
- Young Researcher at the Heidelberg Laureate Forum