Publications of Xinming Ou
-
Security analysis of trust on the controller in the Matter protocol specification.
Kumar Shashwat, Francis Hahn, Xinming Ou, and Anoop Singhal.
In IEEE Conference on Communications and Network Security, Cyber-physical Systems Security Workshop,
Oct 2023.
-
Revealing human attacker behaviors using an adaptive Internet of Things honeypot ecosystem.
Armin Ziaie Tabari, Guojun Liu, Xinming Ou, and Anoop Singhal.
In Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIX. DigitalForensics 2023. IFIP Advances in Information and Communication Technology, vol 687. Springer, Cham.,
Oct 2023.
-
Co-creation in secure software development: Applied ethnography and the interface of software
and development.
Daniel Lende, Alexis Monkhouse, Jay Ligatti, and Xinming Ou.
Human Organization, 82(1), March, 2023.
-
Towards optimal triage and mitigation of context-sensitive cyber vulnerabilities.
Soumyadeep Hore, Fariha Moomtaheen, Ankit Shah, and Xinming Ou.
IEEE Transactions on Dependable and Secure Computing (TDSC), Feb, 2022.
-
An analysis of the role of situated learning in starting a security culture in a software company.
Anwesh Tuladhar, Daniel Lende, Jay Ligatti, and Xinming Ou.
In Seventeenth Symposium on Usable Privacy and Security (SOUPS), Aug, 2021.
(Distinguished Paper Award. Acceptance rate: 26.5%)
-
Cyber-physical-social interdependencies and organizational resilience: A review of water, transportation, and cyber infrastructure systems and processes.
Shima Mohebbi, Qiong Zhang, E Christian Wells, Tingting Zhao, Hung Nguyen, Mingyang Li, Noha Abdel-Mottaleb, Shihab Uddin, Qing Lu, Mathews J Wakhungu, Zhiqiang Wu, Yu Zhang, Anwesh Tuladhar, and Xinming Ou.
Sustainable Cities and Society, Vol 62, Nov 2020.
-
An ethnographic understanding of software (in)security and a co-creation model to improve secure software development.
Hernan Palombo, Armin Ziaie Tabari, Daniel Lende, Jay Ligatti, and Xinming Ou.
In Sixteenth Symposium on Usable Privacy and Security (SOUPS), Aug, 2020. (Acceptance rate: 19.8%)
-
Hybrid analysis of Android apps for security vetting using deep learning.
Dewan Chaulagain, Prabesh Poudel, Prabesh Pathak, Sankardas Roy, Doina Caragea, Guojun Liu, and Xinming Ou.
In IEEE Conference on Communications and Network Security (CNS), June, 2020.
-
GPU-based static data-flow analysis for fast and scalable Android app vetting.
Xiaodong Yu, Fengguo Wei, Xinming Ou, Michela Becchi, Tekin Bicer, and Danfeng Yao.
In IEEE International Symposium on Parallel and Distributed Processing (IPDPS), May, 2020.
-
Experimental study of machine learning based malware detection systems' practical utility.
Yuping Li, Doina Caragea, Lawrence Hall, and Xinming Ou.
In HICSS Symposium on Cybersecurity Big Data Analytics, Wailea, Hawaii, U.S.A, Jan 2020.
-
Topology-aware hashing for effective control flow graph similarity analysis.
Yuping Li, Jiyong Jang, and Xinming Ou.
In 15th EAI International Conference on Security and Privacy in Communication Networks (SecureComm),
Orlando, U.S.A., Oct 2019.
-
JNSAF: Precise and efficient NDK/JNI-aware inter-language static analysis framework for security vetting of Android applications with native code.
Fengguo Wei, Xingwei Lin, Xinming Ou, Ting Chen, and Xiaosong Zhang.
In 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, Oct 2018. (Acceptance rate: 16.6%)
-
Amandroid: A precise and general inter- component data flow analysis framework for security vetting of Android apps.
Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby.
ACM Transactions on Privacy and Security (TOPS), 21(3), June 2018. (supersedes CCS'14 paper)
-
InstaGuard: Instantly deployable hot-patches for vulnerable system programs on Android.
Yaohui Chen, Yuping Li, Long Lu, Yueh-Hsun Lin, Hayawardh Vijayakumar, Zhi Wang, and Xinming Ou.
In The Network and Distributed System Security Symposium (NDSS),
San Diego, CA, Feb 18-21, 2018.
-
Android malware clustering through malicious payload mining.
Yuping Li, Jiyong Jang, Xin Hu, and Xinming Ou.
In the 20th International Symposium on Research on Attacks, Intrusions and Defenses (RAID 2017),
Atlanta, GA, September 18-20, 2017. (Acceptance rate: 20%)
-
MTD CBITS: Moving target defense for cloud-based IT systems.
In 22nd European Symposium on Research in Computer Security (ESORICS'17),
Oslo, Norway, September 11-13, 2017. (Acceptance rate: 16%)
-
Deep ground truth analysis of current Android malware.
Fengguo Wei, Yuping Li, Sankardas Roy, Xinming Ou, and Wu Zhou.
In 14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2017),
Bonn, Germany. July 6-7, 2017. (Acceptance rate: 27%)
-
Enhanced security of building automation systems through microkernel-based controller platforms.
Xiaolong Wang, Richard Habeeb, Xinming Ou, Siddharth Amaravadi, John Hatcliff,
Masaaki Mizuno, Mitchell Neilsen, S. Raj Rajagopalan, and Srivatsan Varadarajan.
In The Second IEEE International Workshop on Communication, Computing, and
Networking in Cyber Physical Systems (CCNCPS 2017),
Atlanta, GA, USA, June 5, 2017.
-
Humans are dynamic - our tools should be too.
Sathya Chandran Sundaramurthy, Michael Wesch, Xinming Ou, John McHugh,
S. Raj Rajagopalan, and Alexandru G. Bardas.
IEEE Internet Computing,
Volume: 21, Issue: 3, May-June 2017.
-
Risk analysis with execution-based model generation.
Jaime C. Acosta, Edgar Padilla, John Homer, and Xinming Ou.
Journal of Cyber Security and Information Systems,
Vol 5, No. 1, December, 2016.
-
Android malware detection with weak ground truth data.
Jordan DeLoach, Doina Caragea, and Xinming Ou.
In 3rd International Workshop on Pattern Mining and Application of Big Data (BigPMA),
Washington D.C., USA, December 5-8, 2016.
-
A bottom-up approach to applying graphical models in security analysis (invited
paper).
Xinming Ou.
In Third International Workshop on Graphical Models for Security (GramSec'16),
Lisbon, Portugal, June
27, 2016. Lecture Notes in Computer Science, Vol 9987, pp 1-24, September, 2016.
-
Turning contradictions into innovations or: How we learned to stop whining and improve security operations.
Sathya Chandran Sundaramurthy, John McHugh, Xinming Ou, Michael Wesch, Alexandru G. Bardas, and S. Raj Rajagopalan.
In Symposium On Usable Privacy and Security (SOUPS 2016), Denver, CO, USA,
June 22-24, 2016. (Acceptance rate: 28%)
-
Experimental study with real-world data for Android app security analysis using machine learning.
Sankardas Roy, Jordan DeLoach, Yuping Li, Nic Herndon, Doina Caragea, Xinming Ou,
Venkatesh Prasad Ranganath, Hongmin Li, and Nicolais Guevara.
31st Annual Computer Security Applications Conference (ACSAC'15), Los Angeles, California, USA,
Dec 7-11, 2015. (Acceptance rate: 24%)
-
Predicting cyber risks through national vulnerability database.
Su Zhang, Xinming Ou and Doina Caragea,
Information Security Journal: A Global Perspective 24:4-6, 194-206, Taylor & Francis, Nov 30, 2015.
-
Assessing attack surface with component-based package dependency.
Su Zhang, Xinwen Zhang, Xinming Ou, Nigel Edwards, Jing Jin, and Liqun Chen.
In the 9th International Conference on Network and System Security (NSS),
New York, USA, November, 2015. (Acceptance rate: 36%)
-
Secure RTOS architecture for building automation.
Xiaolong Wang, Masaaki Mizuno, Mitch Neilsen, Xinming Ou, S. Raj Rajagopalan,
Will G. Baldwin, and Bryan Phillips.
In First ACM Workshop on Cyber-Physical Systems Security and Privacy (CPS-SPC)},
Denver, CO, USA, October, 2015.
-
An empirical study on current models for reasoning about digital evidence.
Stefan Nagy, Imani Palmer, Sathya Chandran Sundaramurthy, Xinming Ou, and Roy Campbell.
In 10th International Conference on Systematic Approaches to Digital Forensic Engineering (SADFE),
Málaga, Spain, Sept 30-Oct 2, 2015.
-
A theory of cyber attacks -- a step towards analyzing MTD systems.
Rui Zhuang, Alexandru G. Bardas, Scott A. Deloach, and Xinming Ou.
In CCS 2015 MTD Workshop, Denver, CO, USA, October, 2015.
-
Experimental study of fuzzy hashing in malware clustering analysis.
Yuping Li, Sathya Chandran Sundaramurthy, Alexandru G. Bardas, Xinming Ou, Doina Caragea, Xin Hu, and Jiyong Jang.
8th Workshop on Cyber Security Experimentation and Test (CSET'15), Washington, D.C.,
USA, Aug 10, 2015. (Acceptance rate: 31%)
-
A human capital model for mitigating security analyst burnout.
Sathya Chandran Sundaramurthy, Alexandru G. Bardas, Jacob Case,
Xinming Ou, Michael Wesch, John McHugh, and S. Raj Rajagopalan.
Symposium On Usable Privacy and Security (SOUPS 2015), Ottawa,
Canada, July 22-24, 2015. (Distinguished Paper Award. Acceptance rate: 25%)
-
Practical always-on taint tracking on mobile devices.
Justin Paupore, Earlence Fernandes, Atul Prakash, Sankardas Roy, and Xinming Ou.
15th Workshop on Hot Topics in Operating Systems (HotOS'15), Kartause,
Switzerland, May 18-20, 2015. (Acceptance rate: 32%)
-
Security optimization of dynamic networks with probabilistic graph modeling and linear programming.
Hussain M.J. Almohri, Layne T. Watson, Danfeng Yao, and Xinming Ou,
IEEE Transactions on Dependable and Secure Computing (TDSC), vol.PP, no.99, March 2015.
-
Compiling abstract specifications into concrete systems - bringing order to the cloud.
Ian Unruh, Alexandru G. Bardas, Rui Zhuang, Xinming Ou, and Scott A. DeLoach. In
28th Large Installation System Administration Conference (LISA'14), Seattle, WA, USA, Nov, 2014. (Acceptance rate: 27%)
-
Amandroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps.
Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. In
21st ACM Conference on Computer and Communications Security (CCS 2014), Scottsdale, AZ, USA, Nov, 2014. (Acceptance rate: 20%)
-
Towards a theory of moving target defense.
Rui Zhuang, Scott A. DeLoach, and Xinming Ou. In
First ACM Workshop on Moving Target Defense (MTD 2014), Scottsdale, AZ, USA, Nov, 2014.
-
Metrics of security.
Yi Cheng, Julia Deng, Jason Li, Scott A. DeLoach, Anoop Singhal, and Xinming Ou.
In Alexander Kott, Cliff Wang, Robert F. Erbacher (eds) Cyber Defense and Situational Awareness. Springer
Advances in Information Security Volume 62, 2014, pp 263-295. Oct 3, 2014.
-
An anthropological approach to studying CSIRTs.
Sathya Chandran Sundaramurthy, John McHugh, Xinming Ou, S. Raj Rajagopalan, and Michael Wesch. IEEE Security & Privacy
Special Issue on CSIRTs, Sept/Oct, 2014.
Preprint.
-
After we knew it: Empirical study and modeling of cost-effectiveness of exploiting prevalent known vulnerabilities across IaaS cloud.
Su Zhang, Xinwen Zhang, and Xinming Ou.
9th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Kyoto, Japan, June, 2014. (Acceptance rate: 15%)
-
A model for analyzing the effect of moving target defenses on enterprise networks.
Rui Zhuang, Scott A. DeLoach, and Xinming Ou.
9th Cyber and Information Security Research Conference (CSIRC), Oak Ridge, Tennessee, USA, April, 2014
-
Model-driven, moving-target defense for enterprise network security.
Scott DeLoach, Xinming Ou, Rui Zhuang, and Su Zhang.
In Uwe Aßmann, Nelly Bencomo, Gordon Blair, Betty H. C. Cheng, Robert France (eds) State-of-the-Art Survey Volume on Models @run.time. Springer LNCS, Volume 8378, 2014, pp 137-161.
-
Aiding intrusion analysis using machine learning.
Loai Zomlot, Sathya Chandran Sundaramurthy, Doina Caragea, and Xinming Ou.
12th International Conference on Machine Learning and Applications (ICMLA'13), Miami, Florida, USA, December, 2013. (Acceptance rate: 26%)
-
Aggregating vulnerability metrics in enterprise networks using attack graphs.
John Homer, Su Zhang, Xinming Ou, David Schmidt, Yanhui Du, S. Raj Rajagopalan, and Anoop Singhal.
Journal of Computer Security, Vol 21, No 4., September, 2013.
-
Investigating the application of moving target defenses to network security.
Rui Zhuang, Su Zhang, Alexandru G. Bardas, Scott A. DeLoach, Xinming Ou, and Anoop Singhal.
6th International Symposium on Resilient Control Systems (ISRCS), San Francisco, CA, August, 2013.
-
Setting up and using a cyber security lab for education purposes.
Alexandru G. Bardas and Xinming Ou.
Journal of Computing Sciences in Colleges, Vol. 28, Issue 5, May 2013.
-
Mission-oriented moving target defense based on cryptographically strong network dynamics.
Justin Yackoski, Jason Li, Scott A. DeLoach, and Xinming Ou.
The 8th Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW), Oak Ridge, TN, Jan 2013.
-
Investigative response modeling and predictive data collection.
Dan Moor, S. Raj Rajagopalan, Sathya Chandran Sundaramurthy, and Xinming Ou.
The seventh IEEE eCrime Researchers Summit (eCrime'12), Las Croabas, Puerto Rico, USA, October, 2012.
-
Simulation-based approaches to studying effectiveness of moving-target network defense.
Rui Zhuang, Su Zhang, Scott A. DeLoach, Xinming Ou, and Anoop Singhal.
National Symposium on Moving Target Research, Annapolis, MD, USA, June, 2012.
-
Classification of UDP traffic for DDoS detection.
Alexandru G. Bardas, Loai Zomlot, Sathya Chandran Sundaramurthy, Xinming Ou, S. Raj Rajagopalan, and
Marc R. Eisenbarth.
5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Jose, CA, USA, March, 2012.
-
A certificate infrastructure for machine-checked proofs of conditional information flow.
Torben Amtoft, Josiah Dodds, Zhi Zhang, Andrew Appel, Lennart Beringer,
John Hatcliff, Xinming Ou, and Andrew Cousino.
First conference on Principles of Security and Trust (POST'12, part of ETAPS 2012),
Tallinn, Estonia, March 2012. (Acceptance rate: 30%)
-
Distilling critical attack graph surface iteratively through minimum-cost SAT solving.
Heqing Huang, Su Zhang, Xinming Ou, Atul Prakash, and Karem Sakallah.
27th Annual Computer Security Applications Conference (ACSAC), Orlando, FL, USA.
Dec. 2011. (Best Student Paper Award. Acceptance rate: 20%).
-
Quantitative security risk assessment of enterprise networks.
Xinming Ou and Anoop Singhal.
SpringerBrief Series, Information Security, 2011.
-
Prioritizing intrusion analysis using Dempster-Shafer theory.
Loai Zomlot, Sathya Chandran Sundaramurthy, Kui Luo, Xinming Ou, and S. Raj Rajagopalan.
4TH ACM Workshop on Artificial Intelligence and Security (AISec),
Chicago, USA, Oct. 2011.
-
Security risk analysis of enterprise networks using probabilistic attack graphs.
Anoop Singhal and Xinming Ou.
NIST Interagency Report 7788. Aug. 2011.
-
An empirical study of using the National Vulnerability Database to predict software vulnerabilities.
Su Zhang, Doina Caragea, and Xinming Ou.
22nd International Conference on Database and Expert Systems Applications (DEXA),
Toulouse, France, August, 2011. (Acceptance rate: 25%)
-
Practical IDS alert correlation in the face of dynamic threats.
Sathya Chandran Sundaramurthy, Loai Zomlot, and Xinming Ou.
The 2011 International Conference on Security and Management (SAM'11),
Las Vegas, USA, July 2011. (Acceptance rate: 23%)
-
An empirical study of a vulnerability metric aggregation method.
Su Zhang, Xinming Ou, Anoop Singhal and John Homer.
The 2011 International Conference on Security and Management (SAM'11), special track on
Mission Assurance and Critical Infrastructure Protection (STMACIP'11),
Las Vegas, USA, July 2011. (Acceptance rate: 23%)
-
Effective network vulnerability assessment through model abstraction.
Su Zhang, Xinming Ou, and John Homer.
the Eighth Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA),
Amsterdam, The Netherlands, July 2011. (Acceptance rate: 32%)
-
Using Bayesian Networks for cyber security analysis.
Peng Xie, Jason H Li, Xinming Ou, Peng Liu, and Renato Levy.
The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2010),
Chicago, USA, June 2010. (Acceptance rate: 23%) Awarded
DSN Test of Time Award, 2020.
-
An empirical approach to modeling uncertainty in intrusion analysis.
Xinming Ou, S. Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan.
Annual Computer Security Applications Conference (ACSAC),
Honolulu, Hawaii, USA, Dec 2009. (Acceptance rate: 20%)
-
Uncertainty and risk management in cyber situational awareness.
Jason Li, Xinming Ou, and Raj Rajagopalan.
In Sushil Jajodia et al., editor, Cyber Situational Awareness: Issues and Research , chapter 4. Springer, Nov. 2009.
-
A sound and practical approach to quantifying security risk in enterprise networks.
John Homer, Xinming Ou, and David Schmidt.
Technical report 2009-3,
Kansas State University, Computing and Information Sciences Department.
August 2009.
-
A host-based security assessment architecture for industrial control systems.
Abhishek Rakshit and Xinming Ou.
2nd International Symposium on Resilient Control Systems (ISRCS),
Idaho Falls, ID, USA, August 2009.
-
Techniques for enterprise network security metrics.
Anoop Singhal and Xinming Ou.
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research:
Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW) ,
Extended Abstract, April, 2009.
-
SAT-solving approaches to context-aware enterprise network security management.
John Homer and Xinming Ou,
IEEE JSAC Special Issue on Network Infrastructure Configuration, Vol. 27, No. 3, April 2009. (Acceptance rate: 25%)
-
A practical approach to modeling uncertainty in intrusion analysis.
Xinming Ou, Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan.
Technical report 2008-2,
Kansas State University, Computing and Information Sciences Department.
November 2008.
-
Identifying critical attack assets in dependency attack graphs.
Reginald Sawilla and Xinming Ou.
13th European Symposium on Research in Computer Security (ESORICS 2008),
Malaga, Spain, October 2008. (Acceptance rate: 22%)
The extended version.
-
Improving attack graph visualization through data reduction and attack grouping.
John Homer, Ashok Varikuti, Xinming Ou, and Miles A. McQueen.
5th International Workshop on Visualization for Cyber Security (VizSEC 2008),
Cambridge, MA, U.S.A., September 2008.
-
From attack graphs to automated configuration management - an iterative approach.
John Homer, Xinming Ou, and Miles A. McQueen.
Technical report 2008-1,
Kansas State University, Computing and Information Sciences Department.
January 2008.
-
Googling attack graphs.
Reginald Sawilla and Xinming Ou.
Technical report, Defence R & D Canada -- Ottawa TM 2007-205,
September 2007.
-
A scalable approach to attack graph generation.
Xinming Ou, Wayne F. Boyer, and Miles A. McQueen.
13th ACM Conference on Computer and
Communications Security (CCS 2006), Alexandria, VA, U.S.A., October 2006.
(Acceptance rate: 15%)
-
Authorization strategies for virtualized environments in grid
computing systems.
Xinming Ou, Anna Squicciarini, Sebastien Goasguen,
and Elisa Bertino.
IEEE Workshop on Web Services Security (WSSS),
Berkeley, CA, U.S.A., May, 2006.
-
A logic-programming approach to network security analysis.
Xinming Ou.
PhD dissertation, Princeton University, 2005.
-
MulVAL: A logic-based network security analyzer.
Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel.
14th USENIX Security Symposium, Baltimore, Maryland, U.S.A.,
August 2005. (Acceptance rate: 15%)
-
A two-tier technique for supporting quantifiers in a
lazily proof-explicating theorem prover.
K. Rustan M. Leino, Madan Musuvathi, and Xinming Ou.
11th International Conference on
Tools and Algorithms for the Construction
and Analysis of Systems (TACAS 05),
Edinburgh, U.K.,
April 2005.
-
Dynamic typing with dependent types.
Xinming Ou, Gang Tan, Yitzhak Mandelbaum, and David Walker.
3rd IFIP International Conference on
Theoretical Computer Science (TCS 04), Toulouse, France, August 2004.
-
Theorem proving using lazy proof explication.
Cormac Flanagan, Rajeev Joshi, Xinming Ou, and James B. Saxe.
15th Computer-Aided Verification conference (CAV 2003),
Boulder, CO, U.S.A., July 2003.
-
Enforcing resource usage protocols via scoped methods.
Gang Tan, Xinming Ou, and David Walker. 10th International
Workshop on Foundations of Object-Oriented Languages
(FOOL 10),
New Orleans, LA, U.S.A., January 2003.
The documents contained in these pages are included
to ensure timely
dissemination of scholarly and technical work on a
non-commercial basis. Copyright and all rights therein
are maintained by the authors or by other copyright
holders, notwithstanding that they have offered their
works here electronically. It is understood that all
persons copying this information will adhere to the terms
and constraints invoked by each author's copyright.
These works may not be reposted without the explicit
permission of the copyright holder.
|