Scott Coull, PhD

BIO

Currently, I direct the Mandiant Data Science Research group, where I work with an outstanding team of data scientists, engineers, and security researchers. In addition to my management responsibilities, I still occasionally get the opportunity to play with massive amounts of data, develop unique solutions to challenging problems, and push the boundaries on our current understanding of security and privacy.

Before joining Mandiant, I was a senior research scientist at RedJack and an NSF/CRA Computing Innovation Fellow at the University of North Carolina - Chapel Hill, where I was mentored by Prof. Michael Reiter. I completed my Ph.D. in computer science at Johns Hopkins University under the guidance of Prof. Fabian Monrose, and received a M.Sc. and B.Sc. at Rensselaer Polytechnic Institute under Prof. Boleslaw Szymanski.

My research interests focus on the use of data mining, machine learning, and cryptography to protect users from a variety of attacks and violations of their privacy. Lately, I have been working on understanding how machine learning approaches, and deep learning in particular, can be used to detect attacks, as well as the practical limitations of that technology when attackers try to evade detection.

In some of my earlier work, I developed technologies to evade deep packet inspection (DPI) and other network monitoring devices that are used by oppressive nation-states to censor the Internet, as well as ways to safely share important data without violating user privacy for the DHS PREDICT and FCC Measuring Mobile Broadband projects.

Director, Data Science Research

Mandiant

Research is about discovering new frontiers. In the field of computer and network security, that often means pushing the boundaries on seemingly contradictory technologies.

As a data scientist, I create both privacy-enhancing technologies and cutting-edge security tools. I also break existing systems to understand their weaknesses and, ultimately, to improve their security. In all cases, I try to focus on practical solutions to real-world problems.

In some of my recent research projects, I have developed technologies to:

automate security operations using large language models
detect malicious Windows binaries using deep learning
circumvent Internet censorship
eavesdrop on encrypted Voice over IP (VoIP) and iMessage traffic
stop child exploitation on the Internet
understand complex network behaviors
improve data privacy for the FCC and DHS

BIO

PUBLICATIONS

Book Chapters:

S. Coull. Traffic Analysis. In H. van Tilborg and S. Jajodia (Eds.) Encyclopedia of Cryptography and Security (2nd Edition). Springer Publishing. 2011. pp.1311 - 1313.
[article] [book]

Journal Articles:

E. Rudd, D. Krisiloff, S. Coull, D. Olszewski, E. Raff, and J. Holt. Efficient Malware Analysis Using Metric Embeddings. In Submission.
[arXiv]

L. Demetrio, S. Coull, B. Bigio, G. Lagorio, A. Armando, and F. Roli. Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection. ACM Transactions on Privacy and Security, 24(4), November, 2021.
[paper] [arXiv] [code]

S. Coull and K. Dyer. Traffic Analysis of Encrypted Messaging Services: Apple iMessage and Beyond. ACM SIGCOMM Computer Communications Review, 44(4), October, 2014.
(Featured in: MIT Tech Review)
[paper] [ePrint] [arXiv] [code]
S. Coull, A. White, T. F. Yen, F. Monrose, and M. Reiter. Understanding Domain Registration Abuses. Computers & Security, 31(7), October, 2012. pp. 806-815.
(Invited Paper)
[paper]
S. Coull, M. Green, and S. Hohenberger. Access Controls for Oblivious and Anonymous Systems. ACM Transactions on Information and Systems Security, 14(1), May, 2011. pp. 1-28.
[paper]
C. Wright, L. Ballard, S. Coull, F. Monrose, and G. Masson. Uncovering Spoken Phrases in Encrypted Voice over IP Conversations. ACM Transactions on Information and Systems Security, 13(4), December, 2010. pp. 1-30.
(Featured in: Slashdot)
[paper]
S. Coull, and B. Szymanski. On the Development of an Internetwork-centric Defense for Scanning Worms. Computers & Security, 28(7), October, 2009. pp. 637-647.
(Featured in: New Scientist)
[paper]
S. Coull, and B. Szymanski. Sequence Alignment for Masquerade Detection. Computational Statistics and Data Analysis, 52(8), April, 2008. pp. 4116-4131.
[paper] [code]

Conference Papers:

S. Rahman, S. Coull, M. Wright. On the Limitations of Continual Learning for Malware Classification. In Proceedings of the 1st Conference on Lifelong Learning Agents (CoLLA), August 2022.
[paper] [arXiv] [code]

G. Severi, J. Meyer, S. Coull, and A. Oprea. Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. In Proceedings of the 30th USENIX Security Symposium, August 2021.
(Acceptance rate: 18.7%)
[paper] [arXiv] [code]

K. Dyer, S. Coull, and T. Shrimpton. Marionette: A Programmable Network-Traffic Obfuscation System. In Proceedings of the 24th USENIX Security Symposium, August, 2015.
(Acceptance rate: 15.7%)
(Featured in: MIT Tech Review, Engadget)
[paper][code]
S. Coull and E. Kenneally. Toward a Comprehensive Disclosure Control Framework for Shared Data. In Proceedings of the IEEE International Conference on Technologies for Homeland Security (HST), November, 2013.
[paper]
K. Dyer, S. Coull, T. Ristenpart, and T. Shrimpton. Protocol Misidentification Made Easy with Format-Transforming Encryption. In Proceedings of the 20th ACM Conference on Computer and Communications Security, November, 2013.
(Acceptance rate: 19.8%)
(2014 PET Award Runner Up)
[paper] [ePrint] [code]
T. Taylor, S. Coull, F. Monrose, and J. McHugh. Toward Efficient Querying of Compressed Network Payloads. In Proceedings of the USENIX Annual Technical Conference, June, 2012.
(Acceptance rate: 14.1%)
[paper]
K. Dyer, S. Coull, T. Ristenpart, and T. Shrimpton. Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail. In Proceedings of the 33rd IEEE Symposium on Security and Privacy, May, 2012.
(Acceptance rate: 13.0%)
[paper] [code]
L. Wei, S. Coull, and M. Reiter. Bounded Vector Signatures and their Applications.In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS '11), March, 2011. pp. 277-285.
(Acceptance rate: 16.1%)
[paper] [ePrint]
S. Coull, F. Monrose, and M. Bailey. On Measuring the Similarity of Network Hosts: Pitfalls, New Metrics, and Empirical Analyses. In Proceedings of the 18th Annual Network and Distributed Systems Security Symposium, February, 2011.
[paper]
S. Coull, A. White, T. F. Yen, F. Monrose, and M. Reiter. Understanding Domain Registration Abuses. In Proceedings of the 25th IFIP International Information Security Conference, September, 2010. pp. 68-79.
[paper]
S. Coull, M. Green, and S. Hohenberger. Controlling Access to an Oblivious Database using Stateful Anonymous Credentials. In Proceedings of the 12th International Conference on Practice and Theory of Public Key Cryptography (PKC), 2009. pp 501-520.
[paper] [ePrint]
S. Coull, F. Monrose, M. Reiter, and M. Bailey. The Challenges of Effectively Anonymizing Network Data. In Proceedings of the DHS Cybersecurity Applications and Technology Conference for Homeland Security (CATCH), 2009. pp. 230-236.
[paper]
C. Wright, S. Coull, and F. Monrose. Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis. In Proceedings of the 16th Annual Network and Distributed Systems Security Symposium, 2009. pp. 237-250.
(Acceptance rate: 11.7%)
[paper]
C. Wright, L. Ballard, S. Coull, F. Monrose, and G. Masson. Spot Me If You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations. In Proceedings of the 29th IEEE Symposium on Security and Privacy, May, 2008. pp. 35-49
(Acceptance rate: 11.2%)
(Featured in: Slashdot, New Scientist, The Register, MIT Technology Review)
[paper]
S. Coull, C. Wright, A. Keromytis, F. Monrose, and M. Reiter. Taming the Devil: Techniques for Evaluating Anonymized Network Data. In Proceedings of the 15th Annual Network and Distributed Systems Security Symposium, Februrary, 2008. pp. 125-135
(Acceptance rate: 17.8%)
[paper]
S. Coull, M. Collins, C. Wright, F. Monrose, and M. Reiter. On Web Browsing Privacy in Anonymized NetFlows. In Proceedings of the 16th USENIX Security Symposium, August, 2007. pp. 339-352
(Acceptance rate: 12.3%)
[paper]
S. Coull, C. Wright, F. Monrose, M. Collins, and M. Reiter. Playing Devil's Advocate: Inferring Sensitive Information from Anonymized Network Traces. In Proceedings of the 14th Annual Network and Distributed Systems Security Symposium, February 2007. pp. 35-47
(Acceptance rate: 15.0%)
[paper]
S. Coull and B. Szymanski. On the Development of an Internetwork-Centric Defense for Internet Worms. In Proceedings of the 40th Annual Hawaiian International Conference on System Sciences, Waikoloa, HI, January 2007.
[paper]
S. Coull, J. Branch, B. Szymanski and E. Breimer. Intrusion Detection: A Bioinformatics Approach. In Proceedings of the 19th Annual Computer Security Applications Conference, Las Vegas, NV, December 2003. pp. 24-33
(Best Student Paper Award)
[paper]

Workshop Papers:

O. Suciu, S. Coull, and J. Johns. Exploring Adversarial Examples in Malware Detection. In Proceedings of the 2nd Deep Learning and Security Workshop (DLS), San Francisco, CA, May, 2019.

[paper] [arXiv] [poster] [IEEE]

S. Coull and C. Gardner. Activation Analysis of a Byte-Based Deep Neural Network for Malware Classification. In Proceedings of the 2nd Deep Learning and Security Workshop (DLS), San Francisco, CA, May 2019.

[paper] [arXiv] [IEEE]

Manuscripts:

S. Coull, J. Branch, B. Szymanski, and E. Breimer. Sequence Alignment for Masquerade Detection. Rensselaer Polytechnic Institute Computer Science Technical Report 06-14.
[paper]
S. Coull and B. Szymanski. A Reputation-based System for the Quarantine of Random Scanning Worms. Rensselaer Polytechnic Institute Computer Science Technical Report 05-01.
[paper]
S. Coull and B. Szymanski. Reputation-based Security in Routed Networks.(Extended Abstract) In Supplemental Proceedings of the International Conference on Dependable Systems and Networks (DSN), Florence, Italy, June 2004.
[paper]

Invited Talks:

S. Coull. “Paper to Practice: The Importance of Systems Thinking in Machine Learning for Cybersecurity." Keynote at AAAI Artificial Intelligence for Cyber Security (AICS) Workshop, Vancouver, Canada, February 2024.
[slides]

S. Coull. “Efficient Malware Analysis Using Metric Embeddings.” Presented at Machine Learning Security (MLSec) Seminar Series, University of Cagliari, Italy, May 2023.
[slides][recording]

S. Coull. “Promises and Challenges of Security in Trustworthy AI.” Presented at the 5th Deep Learning and Security Workshop (DLS), San Francisco, CA, May 2022.

S. Coull. “Activation Analysis of a Byte-based Deep Neural Network for Malware Classification.” Presented at Conference on Applied Machine Learning for Information Security (CAMLIS), Washington, DC. October 12, 2018.
[slides][recording]
S. Coull. Privacy vs. Security. Presented at the NIST Cloud Computing Forum. Gaithersburg, MD. July 8, 2015.
S. Coull. How (Not) to Apply Differential Privacy in Anonymity NetworksPresented at the DIMACS Working Group on Measuring Anonymity. Rutgers University, New Brunswick, NJ. May 30, 2013.
[slides][paper]
S. Coull and E. Kenneally. A Qualitative Risk Assessment Framework for Sharing Computer Network Data Presented at the 40th Research Conference on Communication, Information, and Internet Policy (TPRC). Arlington, VA. September 23, 2012.
[slides][paper]
S. Coull. Information Leakage in Encrypted Network Traffic: Attacks and Countermeasures. Presented at University of Maryland Computer Science Colloquium. College Park, MD. September 20, 2011.
[slides]
S. Coull. Network Data Anonymization. Presented at Pennsylvania State University Computer Science and Engineering Colloquium. State College, PA. March 25, 2010.
[slides]
S. Coull. Toward Privacy Definitions for Anonymized Network Data. Presented at the 23rd Annual IEEE Computer Communications Workshop. Lenox, MA. October 21, 2009.
[slides]

CONTACT