Cybersecurity and Privacy - Khoury College of Computer Sciences

Cybersecurity and Privacy - Khoury College of Computer Sciences
Cybersecurity and Privacy at Khoury College of Computer Sciences
Making the digital world safer — and training the next generation of cybersecurity professionals and researchers
Today’s connected world brings digital risks at every level. Network threats target data from personal to global — everything from bank accounts and the world’s satellites are vulnerable. The Cybersecurity and Privacy research area at Khoury College brings together one of the largest and most interdisciplinary groups of faculty experts in the academic world. Faculty in this area are experts in a broad range of cybersecurity topics including cryptography, systems and network security, wireless security, AI security, hardware risks in chips, online privacy, and psychology of disinformation.
Khoury College’s research strength spans the range of cybersecurity and privacy domains, encompassing theoretical computer science, security of software, hardware, and networked systems, and is fueled by a collaborative focus on understanding how human behaviors and technology interact.
Meet our faculty
Designing secure systems for all
Research from Khoury College faculty and graduate students is making browsers safer, identifying risks in GPS systems, and finding out how to make the internet-connected gadgets that fill our lives safe from hackers who could hijack them or steal personal data.
Khoury cybersecurity and privacy research is also helping address social engineering and cognitive hacks, such as misinformation campaigns, scams, and frauds.
Research on trustworthy AI identified new vulnerabilities in generative AI systems and new privacy risks in Large Language Models (LLMs), helping make AI more secure.
Research on human-centered security and privacy is dedicated to making security and privacy easy and accessible for everyday users, increasing their agency and trust in digital systems.
Sample research areas
Mobile system security
Wireless and distributed systems
Security and privacy of cloud computing
Systems security
Software security
Online privacy, including on web, mobile, and Internet of Things (IoT)
Network and distributed systems security, including blockchains
Cryptography
Trustworthy AI, including generative AI
Cyber-physical security
Algorithm auditing
Human-centered security and privacy, including sociotechnical
equity and agency
Deceptive “dark pattern” user interfaces
Trust and safety
Domains of interest
Cybersecurity and privacy
Information assurance
Internet of Things (IoT) privacy and security
Network and distributed systems security
Sociotechnical equity and agency
Secure systems
Khoury researchers: At the forefront
In researching internet-connected systems, David Choffnes aims to “help effect change that will improve things for consumers.”
Jonathan Ullman discusses his goals of designing effective data systems that don’t compromise individuals’ privacy.
Christo Wilson discusses his work in digital consumer protection, and the role of algorithm auditing in uncovering “what’s going on behind the curtain.”
Alan Mislove discusses the impact of large-scale platforms and how algorithmic auditing can help broaden understanding.
Daniel Wichs’ research is a novel approach to authenticating data in the cloud with digital signatures while ensuring it’s secure.
Faculty awards and achievements
2025 ACNS Test of Time Award
Philippe Golle, Jessica Staddon, Brent Waters
2024 ACM SACMAT Test of Time Award
Ziming Zhao
2024 AAAI ICWSM Honorable Mention Award
Desheng Hu, Jeffrey Gleason, Muhammad Abu Bakar Aziz, Nikolas Guggenberger, Ronald E. Robertson, Christo Wilson
2024 CMU Cylab Distinguished Alumni Award
Alina Oprea
2024 Caspar Bowden PET Award Runner-Up
Umar Iqbal, Pouneh Nikkhah Bahrami, Rahmadi Trimananda, Hao Cui, Alexander Gamero-Garrido, Daniel J. Dubois, David Choffnes, Athina Markopoulou, Franziska Roesner, Zubair Shafiq
2024 HCOMP Best Paper Award
Tianshi Li
2023 AAAI ICWSM Best Paper Award
Jeffrey Gleason, Desheng Hu, Ronald E. Robertson, Christo Wilson
2023 Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies (runner-up)
Alina Oprea
2023 International Communication Association (ICA) Outstanding Applied or Public Research Award
Alan Mislove, Christo Wilson, Karrie Karahalios, Christian Sandvig
2023 Robert D. Klein University Lecturer at Northeastern University
Christo Wilson
2023 Internet Measurement Conference Best Paper Award
Umar Iqbal, Pouneh Nikkhah Bahrami, Rahmadi Trimananda, Hao Cui, Alexander Gamero-Garrido, Daniel J. Dubois, David Choffnes, Athina Markopoulou, Franziska Roesner, Zubair Shafiq
2023 Pervasive and Mobile Computing Best Research Papers 2019-2021 Award
Tianshi Li
2023 PETS Best Student Paper Runner-Up
Amogh Pradeep, Álvaro Feal, Julien Gamba, Ashwin Rao, Martina Lindorfer, Narseo Vallina-Rodriguez, David Choffnes
2022 CHI Best Paper Honorable Mention
Tianshi Li
Current project highlights
Security of LLM Agents
People:
Cristina Nita-Rotaru
Alina Oprea
AI agents are becoming more autonomous and are now being used in critical areas like health care, finance, and cybersecurity. Built on large language models (LLMs), these agents can automate complex human tasks by using tools on your device, accessing external resources, and even working with other AI agents. This often means they need access to sensitive personal information—your emails, calendar, photos, and location.
But as these agents become more capable, they also become more vulnerable. They face serious security risks like prompt injection attacks, agent hijacking, malware spread, and data leaks. We still need better ways to secure these systems, including safe methods for agents to find and communicate with each other, proper oversight mechanisms, and stronger defenses against attacks.
Learn more about Security of LLM Agents
Mon(IoT)r Lab: One-of-a-kind lab to test smart devices and network security
People:
David Choffnes
The Mon(IoT)r Lab at Northeastern University is a unique facility dedicated to understanding the security and privacy risks posed by internet-connected devices, or IoT. By replicating a typical home environment filled with smart gadgets, researchers can study how these devices behave in the real world. Unlike traditional computers, IoT devices often lack essential security features and are difficult to update, making them prime targets for hackers. The lab’s work is crucial for identifying vulnerabilities and developing strategies to protect our increasingly connected lives.
Learn more about the Mon(IoT)r Lab
PrivacyLens: Evaluating Privacy Norm Awareness of Language Models in Action
People:
Tianshi Li
Weiyan Shi
As language models are increasingly used in personalized communication and given more agency, ensuring they respect contextual privacy norms becomes critical. However, evaluating LMs’ privacy awareness is challenging due to the contextual nature of privacy cases and lack of realistic evaluation methods.
PrivacyLens is a data construction and multi-level evaluation framework to evaluate the privacy norm awareness of language models (LMs). Our experiment shows that GPT-4 agent leaks information that violates privacy norms in 25.68% of cases even without malicious attackers.
Learn more about PrivacyLens
Recent research publications
A sampling of research papers from the last one to two years, primarily drawn from area conferences and intended to be illustrative; see individual faculty websites (in bios below) for robust publications lists.
SIMplicity or eSIMplification? Privacy and Security Risks in the eSIM Ecosystem
Authors:
Maryam Motallebighomi, Jason Veara, Evangelos Bitsikas,
Aanjhan Ranganathan
Conference:
proceedings of USENIX Security Symposium, 2025
eSIM (Embedded Subscriber Identity Module) technology is rapidly reshaping mobile connectivity by enabling users to activate cellular services without a physical SIM card. While the flexibility of remote provisioning improves convenience and scalability, particularly for international travelers, it also introduces complex and underexplored privacy and security risks. This paper presents an empirical investigation of how eSIM adoption affects user privacy, focusing on routing transparency, reseller access, and profile control. We first show how travel eSIMs often route user data through third-party networks, including Chinese infrastructure, regardless of user location. This raises concerns about jurisdictional exposure. Second, we analyze the implications of opaque provisioning workflows, documenting how resellers can access sensitive user data, proactively communicate with devices, and assign public IPs without user awareness. Third, we validate operational risks such as deletion failures and profile lock-in using a private LTE testbed. In addition to these empirical contributions, we reflect on the evolving threat landscape of eSIM technology and analyze the shifting trust boundaries introduced by its global provisioning architecture. We conclude with actionable recommendations for improving eSIM transparency, user control, and regulatory enforcement as the technology becomes widespread across smartphones, IoT deployments, and private networks.
Read the paper
Promises, Promises: Understanding Claims Made in Social Robot Consumer Experiences
Authors:
Johanna Gunawan, Sarah Elizabeth Gillespie,
David Choffnes
, Woodrow Hartzog,
Christo Wilson
Conference:
proceedings of HI Conference on Human Factors in Computing Systems (CHI), 2025
Social robots are emerging consumer devices that promise sophisticated AI capabilities and emotional interaction. This study examines how four commercial social robots communicate their features to consumers and whether they deliver on these promises. We analyzed manufacturer claims against user experiences and reviews, finding significant variation in how robots advertise intelligent features and how consumers perceive their performance and capabilities. The findings reveal unique consumer risks associated with social robots and offer implications for regulators, developers, and researchers.
Read the paper
“Only as Strong as the Weakest Link”: On the Security of Brokered Single Sign-On on the Web
Authors:
Tommaso Innocenti, Louis Jannett, Christian Mainka, Vladislav Mladenov,
Engin Kirda
Conference:
proceedings of IEEE Symposium on Security and Privacy, 2025
Single Sign-On (SSO) lets user log into multiple websites using just one username and password, making things easier for users but harder for developers to implement securely. Many websites now use third-party “broker” services to handle this SSO process for them – in fact, about 25% of websites with SSO rely on these brokers. However, researchers found serious security problems with this approach: brokers often don’t properly check where users are being redirected (allowing hackers to inject malicious code), sometimes give unauthorized access to user data (leading to account takeovers), and frequently ignore basic security rules. The study discovered vulnerabilities in over 50 broker services that put more than 2,000 websites at risk, suggesting this is a widespread problem that needs immediate attention to protect users’ online accounts.
Read the paper
Riddle Me This! Stealthy Membership Inference for Retrieval-Augmented Generation
Authors:
Ali Naseh, Yuefeng Peng, Anshuman Suri, Harsh Chaudhari,
Alina Oprea
, Amir Houmansadr
Conference:
proceedings of ACM CCS, 2025
Retrieval-Augmented Generation (RAG) enables Large Language Models (LLMs) to generate grounded responses by leveraging external knowledge databases without altering model parameters. Although the absence of weight tuning prevents leakage via model parameters, it introduces the risk of inference adversaries exploiting retrieved documents in the model’s context. Existing methods for membership inference and data extraction often rely on jailbreaking or carefully crafted unnatural queries, which can be easily detected or thwarted with query rewriting techniques common in RAG systems. In this work, we present Interrogation Attack (IA), a membership inference technique targeting documents in the RAG datastore. By crafting natural-text queries that are answerable only with the target document’s presence, our approach demonstrates successful inference with just 30 queries while remaining stealthy; straightforward detectors identify adversarial prompts from existing methods up to ~76x more frequently than those generated by our attack. We observe a 2x improvement in TPR@1%FPR over prior inference attacks across diverse RAG configurations, all while costing less than $0.02 per document inference.
Read the paper
Characterizing the Usability and Usefulness of U.S. Ad Transparency Systems
Authors:
Kevin Bryson, Arthur Borem, Phoebe Moh, Omer Akgul,
Laura Edelson
, Tobias Lauinger, Michelle L. Mazurek, Damon McCoy, Blase Ur
Conference:
proceedings of IEEE Symposium on Security and Privacy, 2025
Researchers studied ad transparency systems (ATSs) on 22 popular websites to understand how they inform users about targeted advertising. We found major differences in what information platforms provide and how they present it, with consistent ambiguity about data usage and settings impact across all platforms. In a user study with 198 participants exploring eight representative ATSs, we found that current systems are both overly complex and lacking key details, leaving many user questions unanswered. We identify specific design decisions that better support users.
Read the paper
Rolling in the Shadows: Analyzing the Extraction of MEV Across Layer-2 Rollups
Authors:
Christof Ferreira Torres, Albin Mamuti, Ben Weintraub,
Cristina Nita-Rotaru
, Shweta Shinde
Conference:
proceedings of ACM SIGSAC, 2025
This research examines how Maximal Extractable Value (MEV) – exploitative practices that extract profit from blockchain transactions – operates across Ethereum and its Layer-2 rollup solutions like Arbitrum, Optimism, and zkSync. While rollups were designed to reduce transaction costs compared to Ethereum’s main network, they lack public mempools, which changes how MEV extraction works compared to traditional blockchain environments.
The study analyzed nearly three years of data and found that MEV activity is widespread on rollups with trading volumes similar to Ethereum, though the profits are significantly lower despite reduced costs. Interestingly, while traditional sandwich attacks weren’t detected on popular rollups, the researchers identified a new threat: cross-layer sandwich attacks that exploit transactions moving between rollups and Ethereum. They propose three novel attack methods and estimate that attackers could have already profited approximately $2 million through these cross-layer exploits, highlighting new security challenges as decentralized finance expands across multiple blockchain layers.
Read the paper
Related labs and groups
Cybersecurity and Privacy Institute
Mon(IOT)r Lab
Network and Distributed Systems Security (NDS2)
Sociotechnical Equity and Agency Lab
Systems Security Lab
Faculty members
Elettra Bietti
Assistant Professor, Jointly Appointed with School of Law
Elettra Bietti is an assistant professor jointly appointed between Khoury College and the School of Law. She became interested in tech while working as an antitrust and intellectual property litigator representing tech and pharmaceutical clients, and now researches how technology overlps with data law, privacy, and antitrust laws in the digital economy.
Read bio
Boston
Tamara Bonaci
Associate Teaching Professor
Tamara Bonaci is an associate teaching professor at Khoury College, as well as a faculty member at the University of Washington and part of a pre-public local Seattle startup that focuses on biometric methods. She specializes in the security and privacy of emerging and forthcoming biomedical technologies.
Read bio
Seattle
David Choffnes
Professor, Executive Director – Cybersecurity and Privacy Institute
David Choffnes is a professor at Khoury College and the executive director of the Cybersecurity and Privacy Institute. He works to improve the privacy, security, performance, and reliability of internet systems, and designs new models to measure these systems.
Read bio
Boston
Laura Edelson
Assistant Professor
Laura Edelson is an assistant professor at Khoury College and former chief technologist for the US Department of Justice Antitrust Division. She studies the spread of harmful content through large online networks with the goal of making social media platforms safer and more beneficial for users.
Read bio
Boston
Kevin Fu
Professor, Jointly Appointed with College of Engineering
Kevin Fu is a professor at Khoury College and the College of Engineering, and founder and director of the Archimedes Center for Health Care and Medical Device Cybersecurity. He strives to understand and improve the security of embedded systems and devices, particularly in health care.
Read bio
Boston
Joshua Gancher
Assistant Professor
Joshua Gancher is an assistant professor at Khoury College. His research into cryptographic software and formal methods seeks to mathematically verify the security of foundational software, and to create tools to do that process at scale.
Read bio
Boston
Zhengzhong Jin
Assistant Professor
Zhengzhong Jin is an assistant professor at Khoury College. He is interested in cryptography, teaching courses on the subject, and researching a proof system to delegate heavy computation to an untrusted server while ensuring the computation is correct.
Read bio
Boston
Engin Kirda
Professor, Jointly Appointed with College of Engineering
Engin Kirda is a professor at Khoury College, co-founder of the multinational Secure Systems Lab, and co-founder of Lastline, Inc., which detects and prevents advanced targeted malware. He has published more than 100 papers on malware analysis and detection, web application security, and social networking security.
Read bio
Boston
Ada Lerner
Assistant Professor, Director of BS in Cybersecurity Program
Ada Lerner is an assistant professor and the director of the undergraduate cybersecurity program at Khoury College. She researches human–computer interaction, security, and privacy.
Read bio
Boston
Tianshi Li
Assistant Professor
Tianshi Li is an assistant professor at Khoury College. She has sought to assist developers — even those who don’t specialize in privacy and security — to build mobile apps with native privacy support; she has also helped companies to comply with privacy, accessibility, and fairness requirements.
Read bio
Boston
Alan Mislove
Professor, Senior Associate Dean for Academic Affairs
Alan Mislove is a professor and the senior associate dean for academic affairs at Khoury College, and a core faculty member of the Cybersecurity and Privacy Institute. His research deals with distributed systems and networks, with a focus on using social networks to enhance the security, privacy, and efficiency of emerging systems.
Read bio
Boston
Cristina Nita-Rotaru
Professor
Cristina Nita-Rotaru is a professor at Khoury College and a founding member of the Cybersecurity and Privacy Institute. In her research, she designs and builds secure, resilient distributed systems and network protocols.
Read bio
Boston
Alina Oprea
Professor
Alina Oprea is a professor at Khoury College specializing in cloud security, applied cryptography, and security analytics. Over many years in industry and academia, she has researched and designed machine learning techniques to predict and protect against hacker behavior.
Read bio
Boston
Aanjhan Ranganathan
Associate Professor and Interim Director of BS in Cybersecurity Program
Aanjhan Ranganathan is an assistant professor and the interim director of the BS in Cybersecurity program at Khoury College. His research encompasses physical-layer security of wireless systems, secure localization and proximity verification, trusted computing architectures, and side channels.
Read bio
Boston
William Robertson
Professor, Jointly Appointed with College of Engineering
William Robertson is a professor at Khoury College, jointly appointed with the College of Engineering. Using techniques such as security by design, program analysis, and anomaly detection, he aims to enhance the security of operating systems, mobile devices, and the web.
Read bio
Boston
Abhi Shelat
Professor
Abhi Shelat is a professor at Khoury College specializing in cryptography and applied security. A recipient of awards from the NSF, Microsoft, Amazon, Google, and the ACM, he uses secure computation protocols to enable mutually distrusting parties, each with private inputs, to jointly compute functions while ensuring maximal privacy and correctness.
Read bio
Boston
Mohit Singhal
Assistant Teaching Professor
Mohit Singhal is an assistant teaching professor at Khoury College. He researches how content moderation, and biases in automated moderation and ranking systems in particular, affects users and platforms.
Read bio
Boston
Jessica Staddon
Professor of the Practice, Director of Computing Programs, Strategic – Oakland
Jessica Staddon is a professor of the practice and the director of graduate computing programs, strategic at Khoury College, based in Oakland. Her research explores AI safety, security, and privacy, and her role with Khoury College encompasses elements of teaching, research, and partnership development.
Read bio
Oakland
Cheng Tan
Assistant Professor
Cheng Tan is an assistant professor at Khoury College. His systems and security research focuses on building verifiable outsourced services and certified neural networks.
Read bio
Boston
Jonathan Ullman
Associate Professor
Jonathan Ullman is an associate professor at Khoury College whose research centers on the foundations of privacy for machine learning and statistics. Ullman has been recognized with an NSF CAREER award and the Ruth and Joel Spira Outstanding Teacher Award.
Read bio
Boston
Daniel Wichs
Professor
Daniel Wichs is a professor at Khoury College. An expert in modern cryptography, Wichs researches all aspects of the field, including its theoretical foundations and its applications to information security. Wichs’ work was recognized in 2018 with the prestigious Sloan Research Fellowship, which honors early-career scholars whose achievements mark them among the top scientific minds.
Read bio
Boston
Christo Wilson
Professor, Associate Dean of Undergraduate Programs
Christo Wilson is an associate professor and associate dean of undergraduate programs at Khoury College. His research, which draws on computational, political, and economic methods, delves into the data, security, and privacy issues at the heart of our internet use.
Read bio
Boston
Ziming Zhao
Associate Professor
Ziming Zhao is an associate professor at Khoury College. His passion for hacking informs his research into systems and software security, network security, and web security, as well as his use of capture the flag (CTF) cybersecurity competitions as a teaching tool.
Read bio
Boston