Bio sketch

I am an Associate Research Professor in the School of Computer Science and in Engineering and Public Policy at Carnegie Mellon University. I am affiliated with the Institute for Software Research, and am a core faculty member of CyLab, our university-wide security institute. I also have courtesy appointments in the Electrical and Computer Engineering department, and in the Information Networking Institute.

I received a Diplôme d'Ingénieur (1999) from École Centrale de Lille, a Master's (2000) and a Ph.D. (2003) in Computer Science from the University of Virginia. In the final year (2002-2003) of my Ph.D., I was working at Nortel. I then spent two wonderful years (2003-2005) as a postdoctoral fellow in the School of Information at UC Berkeley, before joining Carnegie Mellon in July 2005. I was a faculty in residence for three years (2005-2008) in our research and education center in Japan (then known as CyLab Japan) located in Kōbe, which remains one of my favorite cities. After coming back to the US, I served as Associate Director of the Information Networking Institute from 2008 through 2013, and as a research faculty in ECE from 2013 through 2016.

I am on Twitter as @nc2y.

Research overview

My research interest is in computer and information systems security. Most of my work is at the boundary of systems, networking and policy research. While a good portion of my research activities could be qualified of applied research, I try as much as possible to rely on strong theoretical foundations in my work. In addition, most of my recent work is informed by empirical data measurements (of users, networks, economic transactions, ...), so that the term "security analytics" is an appropriate short qualifier.

More specifically, the different inter-related research threads in which I am currently involved are:
[in brackets, some of the venues where we published on the subject]

  • Online crime modeling: Current security attacks are more often than not financially motivated. We postulate that, by getting a more precise picture of the economic interactions between the different actors involved, we can better understand how to disrupt or thwart these attacks. This line of work is very applied, and combines economic modeling, network measurements, and public policy research. [USENIX Sec'15, CCS'14, USENIX Sec'14, ESORICS'14, EC'13, WWW'13, CCS'11, USENIX Sec'11, CCS'10, ...]
  • Security economics: We keep hearing about security attacks and breaches, despite the fact that most security problems have relatively low-cost solutions (e.g., patching, stronger access control, audits). I am interested in 1) understanding why, from an economic standpoint, people and corporations are seemingly either not investing enough in security, or investing in the wrong things, and 2) finding out if there are economic remedies or incentive compatible algorithms, that we, as a society, can use to improve this sad state of affairs. Behavioral economics, game theory as well as system design play a significant role in this cross-disciplinary work. [AAAI'15, IJCAI'13, CSF'11, ESORICS'10, FC'10, EC'08, WWW'08, ...]
  • Usable and secure authentication: Making systems more secure has generally been at odds with what humans are good at; for instance, longer passwords are near-impossible to memorize, complex security policies are ignored and therefore useless, and so forth. This has resulted in large security meltdowns. Rather than treating human factors as a constraint in secure system design, we try to exploit what people are skilled at to make systems more secure. For instance, humans can very quickly recognize patterns, or make inferences from incomplete information. Our work in that space finds applications in authentication applications, mobile payment systems, automated teller machines, to name a few. [CHI'17, USENIX Sec'16, CHI'16, USENIX Sec'15, PETS'15, CHI'15, CHI'14, CCS'13, USENIX Sec'12, SOUPS'12, Oakland'12, CHI'11, FC'11, SOUPS'08, CHI'08, ...]

Other topics I have been involved in, and am still interested in, include building systems that better support service differentiation, or, to use 21st century terminology, that better cope with "network discrimination," economics-informed network topology design, and smart phone security.

My current research work is partially supported by the National Science Foundation (CCF-0424422, CNS-1223762); as part of an NSA Science of Security Lablet at Carnegie Mellon; and through a gift from KDDI R&D Laboratories. I am also one of the co-PIs in the Army Research Lab Cyber-Security Collaborative Research Alliance (in collaboration with Penn State, Indiana University, UC Riverside and UC Davis; formally Cooperative Agreement Number W911NF-13-2-0045).

Past support sources include the Department of Homeland Security Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD), the Government of Australia and SPAWAR Systems Center Pacific (through BAA-11.02, contract number N66001-13-C-0131); the National Science Foundation (CNS-1116776, DGE-0903659), ICANN, the Army Research Office (DAAD19-02-1-0389), Toshiba Corp. and Booz Allen Hamilton.

Research group

I am lucky to advise and work with four incredible Ph.D. students, Zachary Weinberg (ECE), Kyle Soska (ECE), János Szurdi (ECE), and Mahmood Sharif (ECE, co-advised with Lujo Bauer).

I am the proud academic parent of:
Nektarios Leontiadis (Ph.D., EPP, 2014), now a research scientist at Facebook;
Timothy Vidas (Ph.D., ECE, 2016), now a security researcher at SecureWorks; and
Luís Brandão (PhD., ECE/U. Lisbon, 2016; co-advised with Alysson Bessani).

Alain Forget (now at Google) and Benjamin Johnson did their postdocs in my research group.

I also have had the pleasure of seeing a few Master's students graduating under my supervision (listed in reverse chronological order): Qingping Hou (M. Sc, INI, 2014), Ryo Hoshino (M. Sc., INI, 2013), Dong Liu (M. Sc., INI, 2013), Honglin Feng (M. Sc., INI, 2012), Norio Tanaka (M. Sc., INI, 2012), Daniel Votipka (M. Sc., INI, 2012), Carlos Lopes Pereira (M.Sc., INI, 2011), Theodoros Messinis (M.Sc., INI, 2011), Qin Chao (M.Sc., INI, 2010), Shinichi Mori (M.Sc., INI, 2010), Sérgio Serrano (M.Sc., INI and University of Lisbon, 2010), Yu-Lo Su (M.Sc., INI, 2010), Chengye Zheng (M.Sc., INI, 2010), Sally Yanagihara (M.Sc., INI, 2009), Madoka Hasegawa (M.Sc., INI, 2008), Komsit Prakobphol (M.Sc., INI, 2008), Wumaierjiang Simayi (M.Sc., INI, 2008), Hirokazu Sasamoto (M.Sc., INI, 2007), Eiji Hayashi (M.Sc., INI, 2006), Kazuhito Maruyama (M.Sc., INI, 2006), Hiroshi Miwa (M.Sc., INI, 2006), Takeshi Niiyama (M.Sc., INI, 2006), Soon Hin Khor (M.Sc., INI, 2006), and Mika Sashikata (M.Sc., INI, 2006).

Places of employment/positions after graduation include Software Engineering positions at Google, Facebook, LinkedIn, Oracle, Riot Games, Ph.D. studies at University of Tokyo, Carnegie Mellon Computer Science, and various engineering positions at Panasonic, Sharp, NTT West, NTT DoCoMo, Portugal Telecom...

Selected publications

Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Harold Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher. Design and Evaluation of a Data-Driven Password Meter. To appear in Proceedings of the 2017 ACM Conference on Human Factors in Computing Systems (CHI 2017). Denver, CO. May 2017. Best paper award.

William Melicher, Blase Ur, Sean Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Fast, lean, and accurate: modeling password guessability using neural networks. In Proceedings of the 25th USENIX Security Symposium (USENIX Security'16). Austin, TX. August 2016. Best paper award.

Kyle Soska and Nicolas Christin. Automatically Detecting Vulnerable Websites Before They Turn Malicious. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security'14), pages 625-640. San Diego, CA. August 2014. Best student paper award.

Michelle Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013). Berlin, Germany. November 2013.

Nicolas Christin. Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace. In Proceedings of the 22nd International World Wide Web Conference (WWW'13), pages 213-224. Rio de Janeiro, Brazil. May 2013.

Nektarios Leontiadis, Tyler Moore, and Nicolas Christin. Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade. In Proceedings of the 20th USENIX Security Symposium (USENIX Security'11). San Francisco, CA. August 2011.

Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Cranor and Serge Egelman. Of Passwords and People: Measuring the Effect of Password-Composition Policies. In Proceedings of the 2011 ACM Conference on Human Factors in Computing Systems (CHI 2011), pages 2595-2604. Vancouver, BC, Canada. May 2011. Honorable mention award.

Jens Grossklags, Nicolas Christin, and John Chuang. Secure or Insure? A Game-Theoretic Analysis of Information Security Games. In Proceedings of the 17th International World Wide Web Conference (WWW'08), pages 209-218. Beijing, China. April 2008.

Nicolas Christin, Andreas S. Weigend, and John Chuang. Content Availability, Pollution and Poisoning in Peer-to-Peer File Sharing Networks. In Proceedings of the Sixth ACM Conference on Electronic Commerce (EC'05), pages 68-77. Vancouver, BC, Canada. June 2005.

Nicolas Christin, Jörg Liebeherr, and Tarek F. Abdelzaher. Enhancing Class-Based Service Architectures with Adaptive Rate Allocation and Dropping Mechanisms. In IEEE/ACM Transactions on Networking 15(3), pages 669-682. June 2007.

[Full list of publications]


I have been sporadically commenting on various security and policy issues in local (WTAE 4, WPXI 11, ...), national (Marketplace, National Public Radio (including All Things Considered), Wall Street Journal, ...), and international (MIT Technology Review, Canal Plus (France), ...) news media.

My (and my group's) own research gets quite a bit of exposure. Our measurement study of the Silk Road online anonymous marketplace received extensive press coverage: New Scientist (August 6, 2012), Wired UK (August 6, 2012), Forbes (August 6, 2012), Slashdot (August 7, 2012), Ars Technica (August 7, 2012), US News (August 7, 2012), Gawker (August 8, 2012), The Economist (September 29, 2012), and The New York Times (April 8, 2013) covered it among others, including some international press, e.g., Australia's Sydney Morning Herald (August 10, 2012), Spain's ABC (August 13, 2012), or Canada's The Globe and Mail (August 15, 2012). This research was also featured on Marketplace (August 28, 2012) (radio) on NTN24 (August 14, 2012) (television), and extensively discussed in a Surprisingly Free (August 28, 2012) podcast. This piece of research has continued attracting a bit of attention whenever articles appear about the "deep web." For instance, it was quoted in this long article in France's Le Nouvel Observateur (July 4, 2013). After the trial of the Silk Road founder concluded, CNBC (June 1, 2015) rediscovered it.

Our follow-up work on the anonymous marketplace ecosystem was extensively covered in Wired (August 12, 2015), Motherboard (August 12, 2015), the Washington Post (August 12, 2015), the Daily Beast (August 20, 2015), in French in Le Monde (August 13, 2015), and in German in the Frankfurter Allgemeine Zeitung (August 14, 2015). It is also cited in CoinDesk (August 16, 2015), and the New Zealand Herald (August 14, 2015).

Our loosely related work on Bitcoin exchanges was discussed in Wired UK (April 26, 2013).

Our 2011 Financial Cryptography paper on figuring out how much it would take to incentivize people to adopt horrible security practices did not garner a lot of attention when it was originally published, but received extensive coverage after I presented the results at the 2014 Security and Human Behavior workshop: on Engadget (June 15, 2014), Business Insider (June 17, 2014), the Register (June 18, 2014), Slashdot (June 19, 2014), and Bruce Schneier's blog (June 19, 2014), among many others.

Our USENIX Security 2014 paper on predicting impending web server compromises was covered in the Daily Dot (August 21, 2014) and The Register (August 22, 2014).

Earlier in my career, our work on illicit online pharmacies got a bit of coverage: CMU front page (August 11, 2011), Pittsburgh Post-Gazette, Pittsburgh Tribune, National Public Radio (August 12, 2011).

Even earlier, our Undercover project was featured on the CMU front page (January 14, 2008), in The Tartan (January 21, 2008), Dark Reading (February 5, 2008), Network World (February 8, 2008), PC World (February 10, 2008), and was "slashdotted" (February 8, 2008).

Our research on passwords was the object of a feature article in Forbes (April 21, 2015). Along with our work on online crime, it was also prominently featured in a Nature article (May 12, 2016).

The Register (June 22, 2015) wrote on the problems we identified with nation-scale brokered identification schemes; Computing (June 23, 2015) discussed the GDS response.

Courses taught

08-303/19-355: Cryptocurrencies, Blockchains, and Applications (S'17).
14-741/18-631: Introduction to Information Security (F'05 (as 14-830), F'06, F'07, F'08, F'09, F'10, F'11, F'12, F'13, F'14, F'15, S'16, F'16).
08-734/08-534/05-836/05-436/19-734/19-534: Usable Privacy and Security (S'16).
14-846: Special Topics: Elements of Web Security (M'15, in Silicon Valley).
18-731: Network Security (S'14).
14-742: Security in Networked Systems (S'06 (as 14-831), S'07, S'08, S'10).
14-813: Special Topics: Elements of Security in Networked Systems (M'09, in Japan).
14-709: Information Networking Thesis (Master's summer practicum, M'06, M'07, M'08, M'09, M'10).
I also taught a short course (MT-114: Introduction to Information Security) at EM Lyon Business School in June 2011.

Recent professional service

I co-chaired the program committees for Financial Cryptography 2014, the Security, Privacy, Trust & Abuse Track at WWW 2014, and the BITCOIN 2015 workshop.

I am/have been a program committee member for a number of conferences and workshops, including USENIX Security (2014, 2015, 2016, 2017), NDSS (2014, 2015, 2016, 2017), WWW (2014, 2016, 2017), IEEE S&P ("Oakland") (2014, 2015, 2016), ACM CCS 2013, CoNext 2016, WEIS (2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017), APWG eCrime (2012, 2013, 2014, 2016), NETECON 2016, Financial Cryptography (2012, 2013, 2014, 2015, 2017), BITCOIN (2014, 2015, 2016), WPES 2015, MILCOM 2014, IEEE CNS 2014, WiSec 2014, TrustCol 2012, GameSec 2012, BADGERS 2012, MedCOMM 2012, USENIX FOCI'11, WECSR 2011, ACM EC (2006, 2010), ACM SAC'09 (Information Security Research Track), ICEC'09, IEEE INFOCOM'07, IBC'06, and P2PECON'05, and I also routinely serve as a reviewer for some journals, including IEEE/ACM Transactions on Networking, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Mobile Computing...

I was the web and publicity chair for ACM SIGCOMM 2011.


The Silk Road paper eventually indirectly led to my silver screen debut: I got a few seconds of screen time in the Deep Web documentary movie by Alex Winter. So, I technically have a Bacon number of 3 or less (me, Keanu Reeves, Miriam Margolyes, Kevin Bacon) to go along my Erdös number of 4 or less (me, Jörg Liebeherr, Ian Akyildiz, Derbiau Hsu, Paul Erdös). I am writing "technically," because there is controversy about whether documentaries should count. But still, it is fun to have a plausible claim to being one of the people to have a finite Erdös-Bacon number. A more fun/random fact is that Tim Vidas and I might very well be the only advisor-advisee pair to both have (independently computable) finite Erdös-Bacon numbers, since Tim appeared in the DEFCON documentary.

A long, long time ago, I was responsible for getting the ns-2/nam network simulator to compile and work natively under MS Windows/Cygwin. I have, however, transferred maintenance to the ns-2 development team more than a decade ago, so I am really not the right person to ask anymore, especially given that most of this has been made obsolete by ns-3.