
Yan Chen
Professor of Computer Science · Northwestern University · Chemical Engineering
Active 2005–2025
About
Yan Chen is a Professor of Computer Science at Northwestern University, affiliated with the Northwestern Lab for Internet and Security Technology. His research interests focus on security, measurement, and diagnosis for networking and large-scale distributed systems. He leads the Northwestern LIST (Lab for Internet and Security Technology) and has made significant contributions in these areas. Professor Chen has received several prestigious awards, including the DOE Early CAREER Award in 2005, the DOD Young Investigator Award in 2007, and the Most Influential Paper Award of ACM ASPLOS in 2018. His scholarly work has been widely recognized, with his papers cited approximately 17,000 times and an h-index of 63 as of January 2026. He is a Fellow of IEEE, reflecting his notable impact in the field of computer science and network security.
Research topics
- Computer Security
- Computer Science
- Data Mining
- Artificial Intelligence
- Theoretical computer science
- Operating system
- Distributed computing
Selected publications
IEEE Transactions on Information Forensics and Security · 2025-01-01
article · Senior author
Serverless computing, also known as Function-as-a-Service (FaaS), has gained popularity due to its flexibility, scalability, and transparent development. However, attacks against serverless are also increasing. Unfortunately, complex multi-layer FaaS architecture and frequently launched lightweight functions help attackers conceal their tracks. Specifically, (i) fully tracking the behavior of a function requires crossing multiple layers of FaaS. (ii) Intrusive auditing components in functions affect function startup latency and performance. (iii) Accurately provenance cross-layer function invocations require integrating data from multiple sources. In this paper, we propose FAASTRACKER, a cross-layer, non-intrusive, efficient provenance framework for accurately tracking user function behaviors in FaaS. FAASTRACKER tracks function behaviors across layers using a non-intrusive agent without any modifications to the function. In addition, it correlates data from multiple sources to construct a provenance graph of function workflows to locate attackers. We implement FAASTRACKER on the OpenFaaS platform and evaluate its performance using real-world serverless applications. Compared with state-of-the-art serverless provenance systems, FAASTRACKER provides a more accurate and complete view of provenance graphs and reduces 54.0% CPU and 48.9% memory resources.
Advances in transdisciplinary engineering · 2025-05-23
book-chapter · Open access · Senior author
In order to promote the digital transformation of the AEC engineering industry towards data-driven high-quality development, efficient information integration and real-time synchronization of Building Information Modelling (BIM) are crucial. However, existing research, especially in the field of bridges, is not deep and mature enough. Therefore, this study aims to develop a Windows Forms Application (WFA) based system for rapid modelling and real-time synchronization in the BIM software. The four main objectives are as follows: the development of structural parameter acquisition application for steel box girder bridge; the secondary development of 3D modeling software; the development of the BIM co-design platform for steel box girder-bridge; and the study of the application of the BIM co-design platform for steel box girder bridge in the project. To achieve these objectives, a software development life cycle (SDLC) approach is used to develop a system applied to steel box girder bridges through five phases: planning, analysis, design, implementation, and testing. Fundamentally, the platform consisting of the developed WFA and BIM software saves resources, dramatically reduces repetitive work, ensures the effectiveness of model information transfer and real-time data update, improves information integration of steel box girder bridges, and realizes the construction of a digital city.
AutoSeg: Automatic micro-segmentation policy generation via configuration analysis
Computers & Security · 2025-07-29
article
CRUcialG: Reconstruct Integrated Attack Scenario Graphs by Cyber Threat Intelligence Reports
IEEE Transactions on Dependable and Secure Computing · 2025-06-30 · 4 citations
article · Senior author
Cyber Threat Intelligence (CTI) reports are factual records compiled by security analysts through their observations of threat events or their own practical experience with attacks. In order to utilize CTI reports for attack detection, existing methods have attempted to map the content of reports onto system-level attack provenance graphs to clearly depict attack procedures. However, existing studies on constructing graphs from CTI reports suffer from problems such as weak Natural Language Processing (NLP) capabilities, discrete and fragmented graphs, and insufficient attack semantic representation. Therefore, we propose a system called CRUcialG for the automated reconstruction of Attack Scenario Graphs (ASGs) by CTI reports. First, we use NLP models to extract systematic attack knowledge from CTI reports to form preliminary ASGs. Then, we propose a four-phase attack rationality validation framework from the tactical phase with attack procedure to evaluate the reasonability of ASGs. Finally, we implement the relation repair and phase supplement of ASGs by adopting a serialized graph generation model. We collect a total of 10,607 CTI reports and generate 5,761 complete ASGs. Experimental results on CTI reports from 30 security vendors and DARPA show that the similarity of ASG reconstruction by CRUcialG can reach 84.54%. Compared with SOTA (EXTRACTOR and AttackG), the recall of CRUcialG (extraction of real attack events) can reach 88.13% and 94.46% respectively, which is 40% higher than SOTA on average. The F1-score of attack phase validation is able to reach 90.04%.
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
2025-08-13 · 18 citations
article · Open access
Incorporating Gradients to Rules: Toward Online, Adaptive Provenance-Based Intrusion Detection
IEEE Transactions on Dependable and Secure Computing · 2025-09-18 · 1 citation
article
SSRN Electronic Journal · 2025-01-01
preprint · Open access · Senior author
Poster: Obfuscating Function Activity States to Enhance Privacy in Serverless Applications
2025-11-19
article · Open access · Senior author
Serverless computing, also known as Function-as-a-Service (FaaS), is widely used in modern applications. Function instances share the underlying physical infrastructure, which makes co-location attacks possible and leads to the leakage of sensitive information such as function activity states. Existing work has respective limitations in serverless scenarios because of incomplete detection coverage, long training time, and intrusion into the function's runtime environment. In this paper, we propose FaaSGuard, an obfuscation framework to protect function activity states in network side-channels and enhance privacy in serverless applications. To be specific, we design an adaptive obfuscation strategy selection mechanism to make FaaSGuard flexible. We design a traffic camouflage method to make obfuscated traffic indistinguishable from normal traffic, making FaaSGuard invisible. In order not to affect normal traffic, we propose a tag-based obfuscation mechanism to identify obfuscated packets. The preliminary evaluation results show that FaaSGuard can conceal function activity states with negligible resource overhead.
TAGAPT: Toward Automatic Generation of APT Samples With Provenance-Level Granularity
IEEE Transactions on Information Forensics and Security · 2025-01-01 · 2 citations
article · Senior author
Detecting advanced persistent threats (APTs) at a host via data provenance has emerged as a valuable yet challenging task. Compared with attack rule matching, machine learning approaches offer new perspectives for efficiently detecting attacks by leveraging their inherent ability to autonomously learn from data and adapt to dynamic environments. However, the scarcity of APT samples poses a significant limitation, rendering supervised learning methods that have demonstrated remarkable capabilities in other domains (e.g., malware detection) impractical. Therefore, we propose a system called TAGAPT, which is able to automatically generate numerous APT samples with provenance-level granularity. First, we introduce a deep graph generation model to generalize various graph structures that represent new attack patterns. Second, we propose an attack stage division algorithm to divide each generated graph structure into stage subgraphs. Finally, we design a genetic algorithm to find the optimal attack technique explanation for each subgraph and obtain fully instantiated APT samples. Experimental results demonstrate that TAGAPT can learn from existing attack patterns and generalize to novel attack patterns. Furthermore, the generated APT samples 1) exhibit the ability to help with efficient threat hunting and 2) provide additional assistance to the state-of-the-art (SOTA) attack detection system (Kairos) by filtering out 73% of the observed false positives. We have open-sourced the code and the generated samples to support the development of the security community.
Programming knowledge tracing based on heterogeneous graph representation
Knowledge-Based Systems · 2024-06-22 · 5 citations
article
Recent grants
CT-ISG: Router-Based Signature Generation for Zero-Day Polymorphic Worms
NSF · $200k · 2006–2009
NSF · $534k · 2014–2018
NeTS: Small: WaveCube: A Scalable, Fault-Tolerant, High-Performance Optical Data Center Architecture
NSF · $400k · 2012–2015
CT-ISG: High-Speed Network Defense with Massive and Diverse Vulnerability Signatures
NSF · $400k · 2008–2012
NSF · $900k · 2022–2026
Frequent coauthors
- Yinzhi Cao, Johns Hopkins University · 15 shared
- Vaibhav Rastogi · 13 shared
- Chunlin Xiong · 11 shared
- Tiantian Zhu · 9 shared
- Kai Chen, Nanjing University · 9 shared
- Yao Zhao · 8 shared
- Xitao Wen · 7 shared
- Tieming Chen, Zhejiang University of Technology · 6 shared
Awards & honors
- DOE Early CAREER Award (2005)
- DOD (Air Force of Scientific Research) Young Investigator Aw…
- Most Influential Paper Award of ACM ASPLOS (2018)
- Fellow of IEEE