Yuchen Zhou's research

Yuchen representing Palo Alto Networks (silver sponsor) at NDSS 2020

This is Yuchen Zhou. I have worked as an SWE on Facebook's integrity team since June 2020.

I previously (2015-2020) worked at Palo Alto Networks as a research team manager (2019-2020), principal security researcher (2018-2019), senior web security researcher (2016-2018), and web security researcher (2015-2016). During my five happy years at Palo Alto Networks, I had the luck and privilege of working with a group of super-bright colleagues, e.g. Wei Xu (PSU PhD) and Dr. Jun "Javier" Wang (PSU PhD). I am also so proud to lead a talented team - Oleksii "Alex" Starov (Stony Brook PhD), Fang Liu (VT PhD), William "Billy" Melicher (CMU PhD), Peng Peng (VT MS), and Shresta Bellary Seetharam (UC Santa Cruz MS) - to build impactful products/projects and publish practicality-focused security research papers. You can find details of select published projects on the left side, or scroll down the page for a brief introduction to each project.

Even though I left Palo Alto Networks, I still think very highly of the Palo Alto Networks security research teams, and if you are a graduating PhD student looking for an industry job, definitely consider PAN and contact me or my colleagues listed above or below for referrals. Your job duties will consist of anywhere from 20% to 50% research, depending on your background and interest.

Highly recommended teams and their leads (accurate as of June 2020):

  • Web Security, DNS Security research: Oleksii "Alex" Starov, Daiping Liu, Wei Wang, Jun "Javier" Wang
  • Binary/malware analysis research: Xiao Zhang, Wenjun Hu, Royce Lu, Kyle Sanders
  • Hypervisor/anti-VM research: Abhiroop Dabral
  • Network security: Claud Xiao

Prior to my first job at Palo Alto Networks, I earned my doctoral degree at the University of Virginia under advisor Prof. Dave Evans, with a dissertation titled: Improving Security and Privacy of Integrated Web Applications. Most of my Ph.D. work is focused on improving the security and privacy of web applications and third-party services. My internship mentor at Microsoft Research was Dr. Shuo Chen. I have so far published five first-author papers, four of which appeared in top-tier conferences such as IEEE S&P (Oakland) and USENIX Security.

Prof. Dave Evans is a super nice professor, and I highly recommend checking his work out and considering him as your PhD advisor if you are thinking about getting a PhD in security. His most recent research areas include adversarial machine learning (Dr. Weilin Xu), differential privacy (Bargav Jayaraman), secure computation (Yan Huang, Samee Zahur), and web security (myself), among other topics.

Detecting malicious campaigns in obfuscated JavaScript with scalable behavioral analysis

Different types of malicious detections made using JavaScript behavior analysis

By using lightweight browser instrumentation to capture the dynamic behavior of JavaScript, we can detect obfuscated cryptojacking scripts, scams, and many more web-based threats by matching the observed behavior against a set of rules and/or signatures.

Our paper will appear at WTMC 2019 (Workshop of IEEE S&P 2019).

Unsupervised Clustering for Identification of Malicious Domain Campaigns

Pipeline for clustering pDNS data and detecting new malicious campaigns

We show in this project that clustering passive DNS data, in conjunction with seeded known-malicious domains, can be used to discover new trending campaigns such as Equifax-leak and Hurricane Harvey relief scams.

Our paper appeared at RESEC 2018 (Workshop of ASIACCS 2018).

Betrayed by Your Dashboard: Discovering Malicious Campaigns via Web Analytics

Detecting malicious sites using 'malicious analytic IDs'

This project aims to detect malicious website campaigns by associating their use of third-party analytics IDs. Our key observation is that adversaries, intentionally or unintentionally, reuse analytics IDs throughout their phishing/scam/malware campaigns, so we can identify those campaigns once we have a limited pool of seed malicious URLs.

Our paper appeared in the security track of WWW 2018.
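To make the analytics-ID pivot concrete, here is an added example (not code from the paper or from Palo Alto Networks) that extracts Universal Analytics and GA4 measurement IDs from a constructed corpus of pages, inverts the index, and expands a seed set of malicious URLs through shared IDs. It assumes a max_share threshold to skip IDs that many unrelated pages share (site-builder or hosting templates), which would otherwise cause benign pages to be pulled into the campaign; all hostnames and IDs are made-up placeholders.

```python
import re
from collections import defaultdict

# Constructed sample corpus (URL -> page HTML). Hostnames and tracking IDs
# are made-up placeholders, not values from the paper.
PAGES = {
    "http://seed-scam.example/login":
        "<script>ga('create', 'UA-11111-1', 'auto');</script>"
        "<script>gtag('config', 'G-SHARED000');</script>",
    "http://clone-a.example/":
        "<script>ga('create', 'UA-11111-1', 'auto');</script>"
        "<script>gtag('config', 'G-CAMPAIGN1');</script>",
    "http://clone-b.example/verify":
        "<script>gtag('config', 'G-CAMPAIGN1');</script>",
    "http://benign-blog.example/":
        "<script>ga('create', 'UA-99999-2', 'auto');</script>",
}
# A site-builder template ID shared by many unrelated tenants; must not pivot.
for n in range(5):
    PAGES[f"http://tenant-{n}.example/"] = "<script>gtag('config', 'G-SHARED000');</script>"

# Universal Analytics (UA-xxxx-y) and GA4 (G-xxxx) measurement ID formats.
ID_PATTERN = re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

def extract_ids(html):
    """Return the set of analytics IDs embedded in a page."""
    return set(ID_PATTERN.findall(html))

def build_index(pages):
    """Forward (url -> ids) and inverted (id -> urls) maps over the corpus."""
    url_to_ids, id_to_urls = {}, defaultdict(set)
    for url, html in pages.items():
        url_to_ids[url] = extract_ids(html)
        for tid in url_to_ids[url]:
            id_to_urls[tid].add(url)
    return url_to_ids, id_to_urls

def expand_campaign(pages, seeds, max_share=3):
    """Pivot from seed URLs through shared analytics IDs until no new URLs appear.
    IDs seen on more than max_share pages are treated as shared infrastructure."""
    url_to_ids, id_to_urls = build_index(pages)
    flagged, pivots, frontier = set(seeds), set(), set(seeds)
    while frontier:
        new_ids = {tid for url in frontier for tid in url_to_ids.get(url, ())
                   if tid not in pivots and len(id_to_urls[tid]) <= max_share}
        pivots |= new_ids
        frontier = {url for tid in new_ids for url in id_to_urls[tid]} - flagged
        flagged |= frontier
    return flagged, pivots
```

Running expand_campaign(PAGES, {"http://seed-scam.example/login"}) flags the two clone pages via UA-11111-1 and G-CAMPAIGN1 while leaving the tenant pages untouched; raising max_share above the tenant count shows how a shared template ID would drag benign pages in.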

Understanding and Monitoring Embedded Web Scripts

ScriptInspector workflow overview

The ScriptInspector project helps web developers understand and monitor the behavior of embedded third-party JavaScript on their websites. The instrumented Firefox browser records accesses to sensitive resources and visualizes them for web developers. Policies can be generated and enforced on popular scripts to rein in their runtime behavior.

Our paper appeared at Oakland (IEEE Security & Privacy) 2015.

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

SSOScan workflow overview

SSOScan is an automated scanner of web applications for Single Sign-On (SSO) vulnerabilities. The tool requires no user interaction and revealed more than 300 authentication/authorization implementation bugs in high-profile websites. Our paper was published at the 23rd USENIX Security Symposium (2014).

Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization

Explication process overview

The goal of the Explicating SDKs project is to systematically uncover implicit assumptions that are important to applications' security properties. This work was published at the 22nd USENIX Security Symposium (2013). I did this project while I interned at Microsoft Research, and I had the great honor of working with two excellent researchers, Shuo Chen (my mentor) and Rui Wang (my co-first author).

DOMinator: Protecting Private Web Content from Embedded Scripts

DOMinator workflow overview

The goal of DOMinator is to build a browser that can enforce fine-grained access control policies for third-party JavaScript. This work was published at ESORICS '11.

Why Aren't HTTP-only Cookies More Widely Deployed?

HTTP-only Cookies deployment chronology

This short paper was presented at W2SP '10 (co-hosted with Oakland '10). In it, I looked at the history and current status of how well HTTP-only cookies are deployed, and gave some suggestions about how future security work can achieve a higher deployment rate.