Linux kernel eBPF for ransomware detection and protection.

Prismo is a cutting-edge Cyber Security startup backed by Sequoia Capital• System Agents - OS monitoring with kernel audit. Rewrote libaudit parsing code to reduce overhead. - Tracepoint-based event capture in kernel driver. Added code to dig deeper info from kernel (e.g. absolute file path, conntrack, thread id to pid). Worked around the kernel limitation in eBPF mode. - Container and Kubenetes event monitoring from host kernel. Cross-namespace container scanning and enforcement. - Event-triggered executable scan. Support of various attack analysis (e.g. reverse shell, rootkit, ransomware). - DNS cache for reverse lookup (both Linux and Windows). - Event buffering during cluster downtime for HA. - Optimization for Azure IoT with ultra-low bandwidth • Collector - Process-activity (child processes, file accesses, network sessions, Windows ETW and registry changes etc) state machine from OS events streaming. Event reordering and state synchronization. - Multi-core performance optimization and scaling for tracking (near real-time) process-activity graphs of many agents. - Policy Engine: Column-based fast lookup with many rules. Rule management and statistics. Enforcement of network micro-segmentation, file quarantine, incident generation, or event suppression.• Performance Debugging (C++/Python/Go). Instruments to profile CPU / memory in production, and debug thread-hang issues. Use of memory pool to reduce performance impacts of Garbage Collection in Go. Memory release from glibc to OS. • Analytics Engine: maintained Python analytics code (e.g. asynchronous and continuous process-activity graph buildup from the data lake, attack source traceback with lateral movement, executable provenance), and machine learning code (DBSCAN clustering).• Application Execution Signature: call-graph profiling for anomaly detection. Significantly improved accuracy, memory usage, and search speed. Tested against attacks like dynamic library injection.

• Topology discovery and firewall-rule auto generation / deploying for multi-tier applications spanning multiple available-zones and datacenters.• Host-based traffic isolation between containers. WAN latency simulation within a local cluster.• LBaaS and HAProxy scaling. High Availability with KeepLived or ExaBGP.• Container-based application provisioning and auto-scaling for Security as a Service

• Brought up Open vSwitch and OpenDaylight controller. Fixed bugs of OpenFlow library of OpenDaylight.• Flow management for Quarantine, Redirection, and Proxy. On-demand DNAT under network namespaces.• Traffic mirroring with meta info. Packet sniffing and inspection with Java PCAP• Extended Bro IDS to track connections' layer-2 and MTU info, for traffic classification in Splunk.• libvirt-based virtual machine management. Libguestfs-based guest customization. Modifying guest Windows registry with hivex.• Boot-up scaling with many VMs.• Stability troubleshooting and performance analysis: libvirt/KVM, qcow2 snapshot, Open vSwitch, OpenDaylight, Bro IDS. Deep-dive into open-source code for root-cause identification.

• Project Lead for Virtualization and Cloud - Covered L2-L7 on VMWare, KVM (VirtIO and SR-IOV), Amazon EC2 (Xen), and OpenStack. - Performance optimization for para-virtualized Ethernet drivers. Addressed issues related to hardware-assisted VLAN/checksum/GRO. Performance tuning on KVM host. - Extended OpenStack for SR-IOV management. Fixed Neutron OVS issues. Worked on static and LACP trunk. Setup OpenStack cluster with Nested KVM. - Passed AWS Marketplace and qualifications. Ported 64bit Xen support to old version of Linux kernel. Brought up VRRP under AWS VPC constraints on multicast and GARP. - Single IP Mode in Cloud: with port-based demux, the same DHCP IP can be used for both user-land cross traffic and kernel-based host traffic.• Systems and Device Drivers - SSL acceleration: Refactored the code for easy updates of the asynchronous user-land driver. Improved stability, debuggability, and scalability. Enhanced throughput (CPU-bound with L4/L7 processing and I/O-bound) dramatically against the competition. Identified the root-cause of a blocking issue for IPSec throughput. - New hardware model bring-up. - Misc. System Enhancement and Fixes: bootup and upgrade, CPU binding / accounting, memory management (e.g. SMP buffers, HugeTLB, memory corruption), FPGA-based packet I/O, PCIe issues, kernel small coredump, watchdog, mysterious reboots.• Layer3 Virtualization - VirtualRouters and their OSPF/IS-IS bring-up (based on IP Infusion) - Data-plane multi tenancies - Extended Linux kernel to enable duplicate IPs and connection tuples. - Scaling and performance optimization for 1K VirtualRouters. - Socket intercept and customization in Linux kernel for third-party daemons.• Enhancement and fixes for TCP-Proxy. TCP behavior analysis for customer tickets.

• Kernel and Replication Champion for Chassis-based High-End Security Router SRX - Kernel-based state depository and distribution, with Graceful Switchover, inter-chassis High-Availability (HA) and In-Service Software Upgrade (ISSU), for routing states such as interfaces, routes, nexthops, aggregations and policies. Supports distributed ID management. - Extended kernel protocol stacks for host traffic with load balancing. - Responsible for control-plane QoS, scaling, and performance tuning. - Solved a number of customer issues, including a critical one right before the very first and also the largest deal.• Device drivers for hardware-based acceleration (a) RegX Matching Engine for Intrusion Detection/Protection (IDP); (b) Compression/Decompression Engine. • Participated in the design of Application-Level Gateway (ALG) of SS7 over SCTP • Member of TCP Proxy Work Group. Participated in the design of a session-level framework for security services based on layer 5~7 payloads. Led the investigation of RFC compliance.

• Conducted research on computer networks and distributed computing: - Designed an autonomic communication middleware for multi-party multimedia collaboration, based on SIP and RTP. Tuned the performances of audio and video - Studied traffic monitoring and analysis by integrating Cisco Netflow and NLANR PMA - Researched network protocols for high-performance Grid. • Taught courses on computer networks, operating systems, distributed systems, and Grid computing.

• Linux Software for InfiniBand Bridges: Maintained the Linux driver for an InfiniBridge PMC board. Extended the software for InfiniBand subnet management. Wrote programs to measure the system throughput. Identified the system bottleneck and conducted PCI performance optimization. Implemented a Windows application talking to a USB driver.• Embedded Software for Network Processors on the Control Plane of DWDM Networks: Altered reference programs (C and Microcode) for standard protocols (PPP, Ethernet and IP) and Packet Pre-Classifier. Extended codes for Ethernet PHY control and Sonet monitoring. Developed a proprietary protocol of voice over packet. Implemented the traffic engineering module. Conducted performance tuning and manufacturing test. Worked out software workarounds for hardware bugs. Implemented an Ethernet packet generator.

Developed a Windows platform for browsing, processing, and analyzing MRI image archives according to the DICOM protocol. Proposed a method to accurately estimate the transformation parameters for an image search engine.

Designed and implemented a semantic ink-matching algorithm based on dynamic programming, in a system that enables users to retrieve their personal handwritten notes via handwritten queries. The matching rate and speed were improved significantly.

Developed segmentation algorithms to adaptively and effectively extract bone contours from color medical images. The luminance and chrominance information were integrated according to the psychology and physiology of color vision.