I am

...a scientist, researcher, and engineer solving real-life systems security problems. I secure computers and the Internet—but occasionally enjoy offensive security research, too.

Today I'm an architect with Akamai's Information Security team. During the day I shift between helping Akamai engineers build a secure cloud platform and educating our customers on our security stance. At night I don my white coat and collaborate with an international team of scientists on academic research projects. I'm active in many branches of systems security research, with a focus on exploring the human factors therein and engineering practical technologies. I'm oddly excited about the resurgent web proxy and cache attacks.

I'm also part-time faculty at Northeastern University's Khoury College of Computer Sciences, doing science with my team at SecLab, and teaching security courses.

Previously I worked as a research assistant at SecLab, Northeastern University, and as a visiting researcher at iSecLab, Eurecom in Sophia Antipolis, France.

I hold a PhD in Information Assurance (now called Cybersecurity) from Northeastern University, Boston, and MS & BS degrees in Computer Engineering from Bilkent University, Ankara.

Student FAQ

TA opportunities? Directed study? PhD? Auditing a class? Referrals?

All of your questions are answered in the FAQ.

Please read the page before sending me an email. I delete emails without a trace of remorse if the answer is in the FAQ.

Teaching

CY 3740 / CY 5770 prospective students, read the course description here.

Now: CY 3740 Systems Security, Fall 2024
Later: CY 3740 Systems Security, Spring 2025
Much later: ?

Before:
CY 5770 Software Vulnerabilities and Security, Summer 2024
CY 3740 Systems Security, Spring 2024
CY 3740 Systems Security, Fall 2023
CY 5770 Software Vulnerabilities and Security, Summer 2023
CY 3740 Systems Security, Spring 2023
CY 3740 Systems Security, Fall 2022
CY 5770 Software Vulnerabilities and Security, Summer 2022
CY 5770 Software Vulnerabilities and Security, Spring 2022
CY 3740 Systems Security, Spring 2022
CY 3740 Systems Security, Fall 2021
CS 5770 Software Vulnerabilities and Security, Spring 2018

Writing

My non-academic pieces go to...

Dark Reading
APNIC Blog

Publications

Gudifu: Guided Differential Fuzzing for HTTP Request Parsing Discrepancies
Bahruz Jabiyev, Anthony Gavazzi, Kaan Onarlioglu, Engin Kirda
International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Padua, Italy, September 2024

Untangle: Multi-Layer Web Server Fingerprinting
Cem Topcuoglu, Kaan Onarlioglu, Bahruz Jabiyev, Engin Kirda
Network and Distributed System Security Symposium (NDSS)
San Diego, CA, USA, February 2024

OAuth 2.0 Redirect URI Validation Falls Short, Literally
Tommaso Innocenti, Matteo Golinelli, Kaan Onarlioglu, Ali Mirheidari, Bruno Crispo, Engin Kirda
Annual Computer Security Applications Conference (ACSAC)
Austin, TX, USA, December 2023

FRAMESHIFTER: Security Implications of HTTP/2-to-HTTP/1 Conversion Anomalies
Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi, Tommaso Innocenti, Kaan Onarlioglu, Engin Kirda
USENIX Security Symposium
Boston, MA, USA, August 2022

Web Cache Deception Escalates!
Seyed Ali Mirheidari, Matteo Golinelli, Kaan Onarlioglu, Engin Kirda, Bruno Crispo
USENIX Security Symposium
Boston, MA, USA, August 2022

T-Reqs: HTTP Request Smuggling with Differential Fuzzing
Bahruz Jabiyev, Steven Sprecher, Kaan Onarlioglu, Engin Kirda
ACM Conference on Computer and Communications Security (CCS)
Seoul, South Korea, November 2021

FADE: Detecting Fake News Articles on the Web
Bahruz Jabiyev, Sinan Pehlivanoglu, Kaan Onarlioglu, Engin Kirda
International Conference on Availability, Reliability and Security (ARES)
Vienna, Austria, August 2021

Cached and Confused: Web Cache Deception in the Wild
Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, William Robertson
USENIX Security Symposium
Boston, MA, USA, August 2020

Eraser: Your Data Won't Be Back
Kaan Onarlioglu, William Robertson, Engin Kirda
IEEE European Symposium on Security and Privacy (EuroS&P)
London, United Kingdom, April 2018

Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers
Tobias Lauinger, Abdelberi Chaabane, Ahmet Salih Buyukkayhan, Kaan Onarlioglu, William Robertson
USENIX Security Symposium
Vancouver, BC, Canada, August 2017

WHOIS Lost in Translation: (Mis)Understanding Domain Name Expiration and Re-Registration
Tobias Lauinger, Kaan Onarlioglu, Abdelberi Chaabane, William Robertson, Engin Kirda
ACM Internet Measurement Conference (IMC)
Santa Monica, CA, USA, November 2016

Trellis: Privilege Separation for Multi-User Applications Made Easy
Andrea Mambretti, Kaan Onarlioglu, Collin Mulliner, William Robertson, Engin Kirda, Federico Maggi, Stefano Zanero
International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Paris, France, September 2016

Overhaul: Input-Driven Access Control for Better Privacy on Traditional Operating Systems
Kaan Onarlioglu, William Robertson, Engin Kirda
IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Toulouse, France, June 2016

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities
Ahmet Salih Buyukkayhan, Kaan Onarlioglu, William Robertson, Engin Kirda
Network and Distributed System Security Symposium (NDSS)
San Diego, CA, USA, February 2016

Sentinel: Securing Legacy Firefox Extensions
Kaan Onarlioglu, Ahmet Salih Buyukkayhan, William Robertson, Engin Kirda
Computers & Security
Elsevier, March 2015

BabelCrypt: The Universal Encryption Layer for Mobile Messaging Applications
Ahmet Talha Ozcan, Can Gemicioglu, Kaan Onarlioglu, Michael Weissbacher, Collin Mulliner, William Robertson, Engin Kirda
Financial Cryptography and Data Security (FC)
Isla Verde, Puerto Rico, January 2015

TrueClick: Automatically Distinguishing Trick Banners from Genuine Download Links
Sevtap Duman, Kaan Onarlioglu, Ali Osman Ulusoy, William Robertson, Engin Kirda
Annual Computer Security Applications Conference (ACSAC)
New Orleans, LA, USA, December 2014

Toward Robust Hidden Volumes using Write-Only Oblivious RAM
Erik-Oliver Blass, Travis Mayberry, Guevara Noubir, Kaan Onarlioglu
ACM Conference on Computer and Communications Security (CCS)
Scottsdale, AZ, USA, November 2014

Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks
Ting-Fang Yen, Alina Oprea, Kaan Onarlioglu, Todd Leetham, William Robertson, Ari Juels, Engin Kirda
Annual Computer Security Applications Conference (ACSAC)
New Orleans, LA, USA, December 2013

Holiday Pictures or Blockbuster Movies? Insights into Copyright Infringement in User Uploads to One-Click File Hosters
Tobias Lauinger, Kaan Onarlioglu, Abdelberi Chaabane, Engin Kirda, William Robertson, Mohamed Ali Kaafar
International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Saint Lucia, October 2013

Securing Legacy Firefox Extensions with Sentinel
Kaan Onarlioglu, Mustafa Battal, William Robertson, Engin Kirda
Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Berlin, Germany, July 2013

PrivExec: Private Execution as an Operating System Service
Kaan Onarlioglu, Collin Mulliner, William Robertson, Engin Kirda
IEEE Symposium on Security and Privacy (S&P)
San Francisco, CA, USA, May 2013

Clickonomics: Determining the Effect of Anti-Piracy Measures for One-Click Hosting
Tobias Lauinger, Martin Szydlowski, Kaan Onarlioglu, Gilbert Wondracek, Engin Kirda, Christopher Kruegel
Network and Distributed System Security Symposium (NDSS)
San Diego, CA, USA, February 2013

Insights into User Behavior in Dealing with Internet Attacks
Kaan Onarlioglu, Utku Ozan Yilmaz, Engin Kirda, Davide Balzarotti
Network and Distributed System Security Symposium (NDSS)
San Diego, CA, USA, February 2012

G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries
Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, Engin Kirda
Annual Computer Security Applications Conference (ACSAC)
Austin, TX, USA, December 2010

Efficient Broadcast Encryption with User Profiles
Murat Ak, Kamer Kaya, Kaan Onarlioglu, Ali Aydin Selcuk
Information Sciences
Elsevier, March 2010

Patents

Behavioral Detection of Suspicious Host Activities in an Enterprise
Ting-Fang Yen, Alina Oprea, Kaan Onarlioglu, Todd Leetham, William Robertson, Ari Juels, Engin Kirda
US Patent 9,516,039

Detecting Suspicious Web Traffic from an Enterprise Network
Ting-Fang Yen, Alina Oprea, Kaan Onarlioglu
US Patent 9,503,468

Time Sanitization of Network Logs from a Geographically Distributed Computer System
Ting-Fang Yen, Ari Juels, Kaan Onarlioglu, Alina Oprea
US Patent 9,430,501

Anomaly Sensor Framework for Detecting Advanced Persistent Threat Attacks
Ting-Fang Yen, Ari Juels, Aditya Kuppa, Kaan Onarlioglu, Alina Oprea
US Patent 9,378,361

Framework for Mapping Network Addresses to Hosts in an Enterprise Network
Ting-Fang Yen, Kaan Onarlioglu
US Patent 9,124,585

Detecting Suspicious Web Traffic from an Enterprise Network
Ting-Fang Yen, Alina Oprea, Kaan Onarlioglu
US Patent 9,049,221