Personal Information

First name: Niels

Last name: Provos

Nationality: German

Office address: Google Inc

1600 Amphitheatre

Mountain View, CA 94043

E-Mail: provos (at) citi.umich.edu

provos (at) monkey.org

Experience

• August 2003 - present
  Distinguished Engineer, Google, Inc., USA.
• Distributed Denial of Service Defense
• Software Load Balancing
• Safe Browsing
• September 1998 - August 2003
  Research Assistant for the Center of Information Technology Integration, University of Michigan, USA. 
• August 1998
  ISAKMP/Oakley (IKE) development for Ericsson Radio Systems AB, Sweden. 
• September 1997
  Development of an Epidemic Control System for the Institute of Epidemic Control of the federal state Schleswig-Holstein, Germany. 
• February 1997 - August 2002
  Part-time developer for the OpenBSD project: IPSEC, Key management (photuris, isakmpd), TCP/IP, OpenSSH, ... 
• August 1996 - August 1998
  LuGrid development, a graphical information system, for the the Department of Agricultural Examiniation and Research of the federal state Schleswig-Holstein, Germany. 
• August 1993 - July 1998
  Student System Administrator for UNIX and VMS cluster, responsibilites i.a. network security, Physics Department, Universität Hamburg, Germany. 
• February 1993 - June 1993
  Assisting Scientist at the Department of Oceanography, Universität Hamburg, Germany. 
• July 1991 - August 1996
  Development of database and statistical evaluation tools for the Medical Service for Health Insurances, Schleswig-Holstein, Germany. 
• August 1990 - June 1991
  Software Development for Dräger, Electronic Patient Monitoring. 

Education

• August 2003
  Ph.D. in Computer Science & Engineering, University of Michigan, Ann Arbor, Michigan, USA.
  Dissertation: "Statistical Steganalysis". 
• May 2000
  Ph.D. candidate in Computer Science & Engineering, University of Michigan, Ann Arbor, Michigan, USA. 
• April 2000
  Master of Science in Computer Science & Engineering, University of Michigan, Ann Arbor, Michigan, USA. 
• September 1998 - August 2003
  Graduate student in Computer Science, PhD program, University of Michigan, Michigan, USA.
  Academic Report: Current transcript.
  Advisor: Peter Honeyman.
  GPA: 8.685 on 9.00 scale.
• August 1998
  Diplom in Mathematics, Universität Hamburg, Hamburg, Germany. (Masters in Mathematics).
  Thesis: "Cryptography, especially the RSA algorithm on elliptic curves and Z/nZ". 
• March 1995
  Vordiplom in Mathematics, Universität Hamburg, Hamburg, Germany.
  Vordiplom in Physics, Universität Hamburg, Hamburg, Germany. 
• October 1992 - August 1998
  Physics and Mathematics student, Universität Hamburg, Hamburg, Germany. 
• May 1992
  Certificate in Latin, Großes Latinum, Leibniz Gymnasium, Bad Schwartau, Germany.
  General Certificate of Education, Abitur, Leibniz Gymnasium, Bad Schwartau, Germany. 
• August 1983 - May 1992
  Grammar school, Leibniz Gymnasium, Bad Schwartau, Germany. 

Publications

• ShellOS: Enabling fast detection and forensic analysis of code injection attacks
  K.Z. Snow, S. Krishnan, F. Monrose, and N, Provos, USENIX Security Symposium, August 2011.
• The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution
  Moheb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao, 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats, April 2010.
• All Your iFrames Point to Us
  Niels Provos, Panayiotis Mavrommatis, Moheeb Rajab and Fabian Monrose, 17th USENIX Security Symposium, August 2008.
• To Catch a Predator: A Natural Language Approach for Eliciting Protocol Interaction
  Sam Small, Joshua Mason, Fabian Monrose, Niels Provos and Adam Stubblefield, 17th USENIX Security Symposium, August 2008.
• Peeking Through the Cloud
  Moheeb Abu Rajab, Fabian Monrose, Andreas Terzis, Niels Provos, 6th Conference on Applied Cryptography and Network Security (ACNS 2008).
• Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
  David Dagon, Niels Provos, Chris Lee, and Wenke Lee, ISOC NDSS'08, February 2008.
• A Framework for Detection and Measurement of Phishing Attacks
  Sujata Garea, Niels Provos, Monica Chew and Aviel D. Rubin, 5th ACM Workshop on Recurring Malcode (WORM 2007), November 2007.
• The Ghost in the Browser: Analysis of Web-based Malware
  Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, and Nagendra Modadugu, USENIX Workshop on Hot Topics in Understanding Botnets, April 2007.
• Search Worms
  Niels Provos, Joe McClain, Ke Wang, ACM WORM Workshop, November 2006.
• Cookies Along Trust-Boundaries (CAT): Accurate and Deployable Flood Protection
  Martin Casado, Aditya Akella, Pei Cao, Niels Provos, Scott Shenker, SRUTI, July 2006.
• Flow Cookies: Using Bandwidth Amplification to Defend Against DDoS Flooding Attacks
  Martin Casado, Pei Cao, Aditya Akella and Niels Provos, IWQoS 2006 (short paper).
• Data Reduction for the Scalable Automated Analysis of Distributed Darknet Traffic
  Michael Bailey, Evan Cooke, Farnam Jahanian, Niels Provos, Karl Rosaen, and David Watson, 2005 Internet Measurement Conference (IMC 2005) Berkeley, California October, 2005
• A Virtual Honeypot Framework
  Niels Provos, 13th USENIX Security Symposium, San Diego, CA, August 2004.
  (An earlier version of this paper is available as CITI Technical Report 03-1) 
• Improving Host Security with System Call Policies
  Niels Provos, 12th USENIX Security Symposium, Washington, DC, August 2003.
  (An earlier version of this paper is available as CITI Technical Report 02-3) 
• Preventing Privilege Escalation
  Niels Provos, Markus Friedl and Peter Honeyman, 12th USENIX Security Symposium, Washington, DC, August 2003.
  (An earlier version of this paper is available as CITI Technical Report 02-2) 
• Detecting Steganographic Content on the Internet
  Niels Provos and Peter Honeyman, ISOC NDSS'02, San Diego, CA, February 2002. [pdf]
  (An earlier version of this paper is available as CITI Technical Report 01-11: [ps.gz] [pdf].) 
• ScanSSH - Scanning the Internet for SSH Servers
  Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. [pdf] 
• Defending Against Statistical Steganalysis
  Niels Provos, 10th USENIX Security Symposium. Washington, DC, August 2001.
  (An earlier version of this paper is available as CITI Technical Report 01-4) 
• Analyzing the Overload Behavior of a Simple Web Server
  Niels Provos, Chuck Lever and Stephen Tweedie, 4th Annual Linux Showcase & Conference. Atlanta, GA, October 2000.
  (Also available as "CITI Technical Report 00-7") 
• Encrypting Virtual Memory
  Niels Provos. 9th USENIX Security Symposium. Denver, CO, August 2000.
  (Also available as "CITI Technical Report 00-3") [ps] 
• Scalable Network I/O in Linux
  Niels Provos and Chuck Lever. USENIX 2000 Technical Conference, Freenix Track. San Diego, CA, June 2000.
  (Also available as "CITI Technical Report 00-4") [ps] 
• The Linux Scalability Project
  Peter Honeyman, Chuck E. Lever, Stephen Molloy, and Niels Provos. NLUUG Najaarsconerentie 1999, Netherlands, November 1999.
  (Also available as "CITI Technical Report 99-4") 
• Cryptography in OpenBSD: An Overview
  Theo de Raadt, Niklas Hallqvist, Artur Grabowski, Angelos D. Keromytis, and Niels Provos. USENIX '99, Freenix Track. Monterey, CA, June 1999. 
• A Future-Adaptable Password Scheme (the electronic version)
  Niels Provos and David Mazières. USENIX '99, Freenix Track. Monterey, CA, June 1999. From http://www.usenix.org/events/usenix99/provos.html. [ps]
  Note: If you cite this paper, please cite it as the electronic version and include the USENIX URL. USENIX accidentally printed our printer test document in the proceedings. 

Patents

• Intrusive feature classification model

M Palatucci, P Mavrommatis, N Provos, CK Monson, Y Zhou, KP Nigam, CW Bavor ...

US Patent 7,991,7102011

• Detecting an intrusive landing page

N Provos, Y Zhou, CW Bavor Jr, EL Davis, M Palatucci, KP Nigam, CK Monson, P ...

US Patent 8,019,7002011

• Systems and methods for detecting potential communications fraud

A Dingle, N Provos, F Schneider, M Cutts

US Patent 8,056,1282011

• INTRUSIVE SOFTWARE MANAGEMENT

N Provos, Y Zhou, CW Bavor Jr, EL Davis, M Palatucci, KP Nigam, CK Monson, P ...

US Patent 20,120,005,7532012

• Identification of possible scumware sites by a search engine

C Barton, S Baluja, A Garg, EL Davis, F Schneider, N Provos

US Patent 8,126,8662012

Board of Directors

• Director, USENIX Organization, elected by popular vote, 2 year term: 2012-2014.
• Director, USENIX Organization, elected by popular vote, 2 year term: 2010-2012.
• Director, USENIX Organization, elected by popular vote, 2 year term: 2008-2010.
• Director, USENIX Organization, elected by popular vote, 2 year term: 2006-2008

Program Committees

• Program Committee, 2012 ACM Conference on Computer and Communication Security (CCS)
• Program Committee, LEET Workshop 2012
• Program Committee, HotSec Workshop 2012
• Program Committee, 21th USENIX Security Symposium
• Program Committee, 2012 EuroSys Conference
• Program Committee, 2011 ACM Conference on Computer and Communication Security (CCS)
• Program Committee, 20th USENIX Security Symposium (2011)
• Program Committee, HotCloud (2010)
• Program Committee, ACM SIGCOMM (SIGCOMM 2010)
• Program Committee, 19th USENIX Security Symposium (2010)
• Program Committee, 17th Annual Network and Distributed System Security Symposium (NDSS 2010).
• Program Committee, 18th USENIX Security Symposium (2009)
• Program Committee, 2009 USENIX Annual Technical Conference (ATC 2009).
• Program Committee, 16th Annual Network and Distributed System Security Symposium (NDSS 2009).
• Program Committee, 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09)
• Program Committee, ACM Web 2.0 Security & Privacy Workshop (W2SP 2008)
• Program Committee, ACM SIGCOMM (SIGCOMM 2008)
• Program Chair, 3rd Workshop on Hot Topics in Security (HotSec 2008).
• Program Committee, 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08)
• Program Committee, 1st EuroSec Workshop (EuroSec 2008)
• Program Committee, Internet Measurement Conference (IMC 2008)
• Program Committee, IEEE Symposium on Security and Privacy (2008).
• Program Committee, 15th Annual Network and Distributed System Security Symposium (NDSS 2008).
• Program Committee, 1st Workshop On Offensive Technologies (2007)
• Program Committee, 2nd HotSec Workshop (2007)
• Program Committee, Internet Measurement Conference (IMC 2007)
• Program Committee, ACM SIGCOMM Workshop on Large-Scale Attack Defense (LSAD 2007)
• Program Chair, 1st Workshop on Hot Topics in Understanding Botnets (HotBots 2007)
• Program Chair, 16th USENIX Security Symposium (2007)
• Program Committee, WORM Workshop (2006).
• Program Committee, ACM SIGCOMM Workshop on Large-Scale Attack Defense (LSAD 2006)
• Program Committee, 2nd Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI 2006)
• Program Committee, 15th USENIX Security Symposium (2006).
• Program Committee, 13th Annual Network and Distributed System Security Symposium (NDSS 2006).
• Program Committee, WORM Workshop (2005).
• Program Committee, Applied Cryptography and Network Security (2005).
• Program Committee, IEEE Symposium on Security and Privacy (2005).
• Program Committee, 14th USENIX Security Symposium (2005).
• Program Committee, 14th International World Wide Web Conference (WWW2005), Security and Privacy track.
• Program Committee Chair, USENIX 2005 Freely Distributable Software Track (FREENIX).
• Program Committee, 12th Annual Network and Distributed System Security Symposium (NDSS 2005).
• Program Committee, 11th ACM Computer and Commmunications Security, Industry Track (2004).
• Program Committee, 13th USENIX Security Symposium (2004).
• Program Committee, 13th International World Wide Web Conference (WWW2004), Security and Privacy track.
• Program Committee, 12th DFN-CERT Workshop (2004), Hamburg, Germany.
• Co-chair, Security track, RMLL 2003.
• Program Committee, 12th USENIX Security Symposium (2003).
• Program Committee, USENIX 2002 Freely Distributable Software Track (FREENIX).
• Program Committee, USENIX 2000 Freely Distributable Software Track (FREENIX).

Additional Publications

• Virtual Honeypots: From Botnet Tracking to Intrusion Detection
  Niels Provos and Thorsten Holz, Addison Wesley, July 2007. 
• Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol
  Markus Friedl, Niels Provos and William A. Simpson, Request For Comments (RFC 4419), March 2006. 
• Firewall
  Niels Provos, Encyclopedia of Information Security, pages to appear, Kluwer 2003. 
• Hide and Seek: An Introduction to Steganography
  Niels Provos and Peter Honeyman, IEEE Security & Privacy Magazine, May/June 2003. 
• Honeyd - A VirtualHoneypot Daemon (Extended Abstract) [ps]
  Niels Provos, 10th DFN-CERT Workshop, Hamburg, Germany, Feburary 2003. 
• Systrace - A tightly locked jail of legitimate system calls
  Marius A. Eriksen and Niels Provos, Linux Magazine, February 2003. 
• Enges Korsett: Systrace setzt Regeln für erlaubte Systemaufrufe durch
  Marius A. Eriksen and Niels Provos, Linux Magazin, January 2003. 
• The Use of HMAC-RIPEMD-160-96 within ESP and AH
  Angelos D. Keromytis and Niels Provos. Request for Comments (RFC 2857), June 2000. 

Technical Reports/Work in Progress

• Trends in circumventing web-malware detection
  M. A. Rajab, L. Ballard, N. Jagpal, P. Mavrommatis, D. Nojiri, N. Provos, and L. Schmidt, Google Technical Report, July 2011
• A Hybrid Honeypot Architecture for Scalable Network Monitoring
  CSE-TR-499-04. October, 2004. 
• Probabilistic Methods for Improving Information Hiding
  Niels Provos, CITI Technical Report 01-1, January 2001. 

Talks and Presentations

• "Real-World Challenges of Web-Based Malware", Distinguished Lecture in Computer Science and Engineering, University of Michigan, Ann Arbor, MI, October 2010.
• "Real-World Challenges of Web-Based Malware", Google Faculty Summit, Mountain View, CA, August 2010.
• "All Your iFrame are Point to Us", USENIX Security 2008, San Jose, CA, July 2008.
• "All Your iFrame are Point to Us", Yahoo Security Group, Sunnyvale, CA, July 2008.
• "The Ghost in the Browser: Analysis of Web-based Malware", OWASP, Palo Alto, CA, December 2007.
• "The Ghost in the Browser: Analysis of Web-based Malware", Stanford Security Seminar, Palo Alto, CA, September 2007.
• "The Ghost in the Browser: Analysis of Web-based Malware", USENIX Hot Topics in Understanding Botnets Cambridge, MA, April 2007.
• "Search Worms", ACM WORM 2006 Washington, DC, November 2006.
• "Search Worms", SPAR Seminar Johns Hopkins, Baltimore, MD, November 2006.
• "Google Safe Browsing", TIPPI Workshop, Stanford, CA, June 2006.
• "Honeyd Virtual Honeypots and Their Applications", NoAH Workshop, Catania, Italy, May 2006.
• "Limits of Virtualization", Panel Discussion, NDSS 2006, San Diego, February 2006.
• "Honeyd Virtual Honeypots and Their Applications", Five-College Speaker Series on Information Assurance, Amherst, MA, December 2005.
• "Honeyd Virtual Honeypots and Their Applications", Computer Science Colloquium, Perdue, IN, September 2005.
• "A Virtual Honeypot Framework", Colloquium, Sonoma State University, CA, March 2005.
• "Google: A Computer Scientist's Playground", Seminar, University of Michigan, Ann Arbor, MI, October 2004.
• "The Honeyd Honeypot", DoD Honeygrid Techexchange, Washington, DC, August 2004.
• "A Virtual Honeypot Framework", 13th USENIX Security Symposium, San Diego, CA, August 2004.
• "Honeyd - A Virtual Honeypot Framework", Security Workshop - Pervasive Technology Lab, Indiana University, Bloomington, IN, June 2004.
• "Honeyd - A Virtual Honeypot Framework", CESG, Cheltenham, UK, March 2004.
• "Systrace - Improving Host Security with System Call Policies", Apple, Cupertino, CA, December 2003.
• "Honeyd - A Virtual Honeypot Framework", Palo Alto Research Center, Palo Alto, CA, December 2003.
• "Honeyd - A Virtual Honeypot Framework", Stanford Security Seminar, Palo Alto, CA, November 2003.
• "Improving Host Security with System Call Policies", USENIX Security Symposium, Washington, DC, August 2003.
• "Preventing Privilege Escalation", USENIX Security Symposium, Washington, DC, August 2003.
• "The Honeynet Project - Virtual Honeypots", Lockdown, University of Wisconsin, Madison, July 2003.
• "Libevent - An Event Notification Library", Libre Software Meeting, Metz, France, July 2003.
• "Honeyd - A Virtual Honeypot Daemon", UW MSRT CMU Software Security Institute, June 2003.
• "The Practice of Steganalysis", Seminar, UCSD, San Diego, CA, March 2003.
• "Honeyd - A Virtual Honeypot Daemon", 10th DFN-CERT Workshop, Hamburg, Germany, February 2003.
• "Honeyd - Virtual Honeypots", Libre Software Meeting, Bordeaux, France, July 2002.
• "Systrace - Interactive Policy Generation for System Calls", Libre Software Meeting, Bordeaux, France, July 2002.
• "Detecting Steganographic Content on the Internet", Communication Security Establishment, Ottawa, ON, May 2002.
• "Virtual Honeypots and Hidden Content on the Internet", CanSecWest, Core02, Vancouver, BC, May 2002.
• "Detecting Steganographic Content on the Internet", Columbia Networking Research Center, Columbia University, New York, NY, February 2002.
• "Detecting Steganographic Content on the Internet", Network and Distributed System Security Symposium, San Diego, CA, February 2002.
• "ScanSSH - Scanning the Internet for SSH Servers", USENIX LISA, San Diego, CA, December 2001.
• "Detecting Steganographic Content on the Internet", CSL EE380 Colloquium, Stanford University, Palo Alto, CA, November 2001.
• "Detecting Steganographic Content on the Internet", USENIX Security Symposium, Washington, DC, August 2001.
• "Detecting Steganographic Content on the Internet", Hackers At Large, University of Twente, Netherlands, August 2001.
• "Defeating Statistical Steganalysis", LCS Applied Security Reading Group, MIT, Boston, March 2001.
• "The IPSec Architecture in OpenBSD", IPSEC 2000, Paris, October 2000.
• "Analyzing the Overload Behavior of a Simple Web Server", Atlanta Linux Showcase, Atlanta, October 2000.
• "Encrypting Virtual Memory", USENIX Security Symposium, Denver, August 2000.
• "Scalable Network I/O in Linux", USENIX Technical Conference, Freenix Track, San Diego, June 2000.
• "Encrypted Backing Store", UM ACM computer security seminar series, April 2000.
• "OutGuess - Practical Steganography", UM ACM computer security seminar series, November 1999.
• "A Future-Adaptable Password Scheme", USENIX Technical Conference, Freenix Track, Monterey, June 1999.
• "An overview of the OpenBSD project", Dug Song and Niels Provos, ACM Tech Luncheon, University of Michigan, April 1999.
• "TCP/IP Security", workshop, Hacking in Progress, Netherlands, August 1997.

Technical Skills and Areas of Interest

• Network Security and Protocols
  Knowledge in network protocols and techniques, especially network security and cryptography.
  Advisories: "A simple TCP spoofing attack", "BIND Vulnerabilities and Solutions". 
• Operating Systems
  Knowledge in operating system theory and research, especially security and performance for network intensive applications.
  Linux kernel development as part of the Linux Scalability: scaling of network I/O, poll()/select() improvements. 
• Number Theory and Cryptography
  Knowledge in the theory of numbers, finite fields and their relation to cryptography. Diploma thesis about elliptic curve cryptography. Steganography, some of my work resulted in OutGuess, a system for practical steganography. 
• Miscellaneous
  Knowledge of many UNIX-like operating systems: AIX, Linux, *BSD, Solaris, ... as well as VMS and others.
  Programming experience in: C, Perl, Pascal, C++, 680x0 assembly, and many other more esoteric ones.
  *BSD development: IPSEC and Key Management (photurisd, isakmpd), TCP/IP SACK and New Reno fast recovery, OpenSSH (press release), ...
  Compiler backend optimizations, esp. partial redundancy elimination. 

Teaching

• Teaching Assistant, EECS 598-1 Cryptography and Network Security, University of Michigan, Winter 2001.

Released Software

• dnsscan - a fast scanner for identifying open recursive dns resolvers
• SpyBye - helps web masters determine if their web pages have been compromised and install malware. Released in Feburary, 2007.
• Disconcert - a distributed computing framework for loosely-coupled workstations, part of the steganography detection framework. Released in January, 2003.
• Systrace - fine-grained confinement for multiple applications with multiple policies and interactive policy generation. Released in May, 2002.
• Honeyd - a small daemon for creating virtual honeypots. Released in April, 2002.
• Privilege Separated OpenSSH - use privilege separation to contain unknown programming errors in a completely unprivileged process. Released in March, 2002.
• Crawl - a small and efficient HTTP crawler that saves images it encounters. Released in June, 2001.
• Vomit - voice over misconfigured internet telephones - an VoIP debugging tool. Released in June, 2001.
• Stegdetect - a steganography detection framework. Released in April, 2001.
• libevent - an event notification library. Released in November, 2000.
• ScanSSH - an efficient SSH server version scanner. Released in September, 2000.
• OutGuess - a steganography tool for the JPEG image format that performs statistical corrections to avoid detection. Released in November, 1999.

Thesis Committees

• Ke Wang, Columbia University, 2006.
• Angelos Stavrou, Columbia University, 2007.
• Moheeb Rajab, Johns Hopkins University, 2008.

Awards

• Rackham Predoctoral Fellowship, University of Michigan, 2002.
• Distinguished Achievement Award in Computer Science, University of Michigan, 2002.