generic speaker image
Angelos Keromytis - Georgia Tech College of Engineering. Atlanta, GA, US

Angelos Keromytis

Professor, Electrical and Computer Engineering | Georgia Tech College of Engineering


Angelos Keromytis is an expert in systems and network security, and applied cryptography.






Innovation Sandbox: How To Get Funded - Panel Cybersecurity is walking, not running



Dr. Angelos D. Keromytis is Professor, John H. Weitnauer, Jr. Chair, and Georgia Research Alliance (GRA) Eminent Scholar at the Georgia Institute of Technology. His field of research is systems and network security, and applied cryptography.

He came to Georgia Tech from DARPA, where he served as Program Manager in the Information Innovation Office (I2O) from 2014 to 2018. During that time, he initiated five major research initiatives in cybersecurity and managed a portfolio of nine programs, and supervised technology transitions and partnerships with numerous elements of the Department of Defense, the Intelligence Community, Law Enforcement, and other parts of the U.S. government. For his work, he received the DAPRA Superior Public Service Medal, and the Results Matter Award. Prior to DARPA, he served as Program Director with the Computer and Network Systems Division in the Directorate for Computer and Information Science & Engineering (CISE) at the National Science Foundation (NSF), where he co-managed the Secure and Trustworthy Cyberspace (SaTC) program and helped initiate a number of cross-disciplinary and public-private programs. Prior to his public service tour, Dr. Keromytis was a faculty member with the Department of Computer Science at Columbia University, where he founded the Network Security Lab.

Dr. Keromytis is an elected Fellow of the ACM and the IEEE. He has 53 issued U.S. patents and over 250 refereed publications. His work has been cited over 20,000 times, with an h-index of 72 and i10-index of 229. He has founded two new technology ventures, StackSafe and Allure Security Technology. He received his Ph.D. (2001) and M.Sc. (1997) in Computer Science from the University of Pennsylvania, and his B.Sc. in Computer Science from the University of Crete, Greece. He is a certified PADI Master Instructor, with over 500 dives.

Areas of Expertise (7)

Computer and Network Security


Software Security

Network Security

Cryptography Software

Network Operations

Cryptographic Protocols

Selected Accomplishments (1)

ACM Distinguished Scientist,

ACM Distinguished Scientist, 2012

Education (3)

University of Pennsylvania: Ph.D., Computer Science 2001

University of Pennsylvania: M.Sc., Computer Science 1997

University of Crete: B.Sc., Computer Science

Affiliations (2)

  • IEEE - Fellow
  • ACM - Fellow

Selected Media Appearances (5)

Experts describe how hacking back can be done right

Tech Target  online


When asked whether it was a good idea to respond to offense with offense or if hacking back could result in destabilization or mutually assured destruction, Dr. Angelos Keromytis, program manager for DARPA, said he didn't see hacking back as an offensive action. "I view this as defense in the sense that I'm trying to increase the attackers' costs," Keromytis said. "If I can force the attacker to play defense ... if I can deny them use of these spread out infrastructures, then I think that's a very stabilizing factor."

view more

DARPA gives Kryptowire $5.1 million for smartphone-based health tracking

Healthcare IT News  online


"Currently, understanding and assessing the readiness of the warfighter involves medical intervention with the help of advanced equipment, such as electrocardiographs and other specialized medical devices, that are too expensive and cumbersome to employ continuously or without supervision in non-controlled environments," explained DARPA Program Manager Angelos Keromytis, MD...

view more

Advancements in Body Armor, Biometrics to Provide Protection

National Defence Magazine  online


The agency’s warfighter analytics using smartphones for health, or WASH, program, seeks to help identify potential health issues before they interfere with performance, said Angelos Keromytis, program manager. The concept is to detect physiological anomalies through a device’s built-in sensors “well before the user of the device might have reason to detect them,” he said. “If they’re coming down with the flu, could we detect it much earlier before the symptoms — the coughing and the fever — become noticeable?” For example, the way a user moves his or her hand across the screen could be an early indicator of illness or injury, he added. The inspiration for WASH came from a prior program for active authentication, where Keromytis worked to develop ways to verify registered users on a device using unobtrusive biometrics. A number of the techniques attracted interest for use in small military units “precisely because of devices that are used for communications … [where] it is inconvenient to type in a pin,” he said.

view more

Will biometrics "active authentication" help do away with passwords?

CBS This Morning  online


"Your phone has a number of radios: wifi radio, cellular radio, Bluetooth radio. These emit signals, the signals from a close up distance reflect off your skin. Well, it turns out they don't actually reflect off your skin… they actually penetrate the skin a few millimeters," Keromytis said. "So one of our performers figured out a way of not only sensing heartbeat but also extracting a high-fidelity signal that could be used to authenticate a user based on their individual heartbeat..."

view more

Steptoe Cyberlaw Podcast: An Interview with Angelos Keromytis

Lawfare  online


Episode 118 digs deep into DARPA’s cybersecurity research program with our guest, Angelos Keromytis, associate professor at Columbia and Program Manager for the Information Innovation Office at DARPA. Angelos paints a rich picture of a future in which we automate attribution across networks and international boundaries and then fuse bits of attribution data as though they were globules of the Terminator reassembling into human form...

view more

Patents (3)

Methods, systems, and media for authenticating users using multiple services


2014 Methods, systems, and media for automatically authenticating a user account using multiple services are provided. In accordance with some embodiments of the disclosed subject matter, methods for authenticating a user using multiple services are provided, the methods comprising: receiving, from a client device, first credentials for a target service account; authenticating the target service account based on the first credentials; issuing a redirecting request that directs the client device to at least one vouching service in response to authenticating the target service account; receiving a vouching response indicating that the client device has authenticated a vouching service account with the at least one vouching service, wherein the vouching response includes a vouching token; and providing the client device with access to the target service account in response to determining that the vouching service account is associated with the target service account.

view more

Methods, Systems, and Media for Detecting Covert Malware


2010 Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: receiving a first set of user actions; generating a second set of user actions based on the first set of user actions and a model of user activity; conveying the second set of user actions to an application inside the computing environment; determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and determining whether covert malware is present in the computing environment based at least in part on the determination.

view more

Systems, methods, and media for detecting network anomalies using a trained probabilistic model


2009 Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

view more

Selected Articles (5)

Kernel Protection Against Just-In-Time Code Reuse

ACM Transactions on Privacy and Security (TOPS)

2019 The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As stricter memory isolation mechanisms between the kernel and user space become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, as in web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of code snippets in order to construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a “read XOR execute” (R∧X) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself. In this article, we fill this gap by presenting kR∧X: a kernel-hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR∧X is readily applicable to x86 Linux kernels (both 32b and 64b) and can benefit from hardware support (segmentation on x86, MPX on x86-64) to optimize performance. In full protection mode, kR∧X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available, and 1.32% when memory segmentation is in use.

view more

A Methodology for Retrofitting Privacy and Its Application to e-Shopping Transactions

Advances in Cyber Security: Principles, Techniques, and Applications

2019 The huge growth of e-shopping has brought convenience to customers and increased revenue to merchants and financial entities. Moreover, e-shopping has evolved to possess many functions, features, and requirements (e.g., regulatory ones). However, customer privacy has been mostly ignored, and while it is easy to add simple privacy to an existing system, this typically causes loss of functions. What is needed is enhanced privacy on one hand, and retaining the critical functions and features on the other hand. This is a dilemma which typifies the “privacy versus utility” paradigm, especially when it is applied to an established primitive with operational systems, where applying conventional privacy-by-design principles is not possible and completely altering information flows and system topologies is not an option.

view more

Privacy in e-shopping transactions: Exploring and addressing the trade-offs

International Symposium on Cyber Security Cryptography and Machine Learning

2018 The huge growth of e-shopping has brought convenience to customers, increased revenue to merchants and financial entities and evolved to possess a rich set of functionalities and requirements (e.g., regulatory ones). However, enhancing customer privacy remains to be a challenging problem; while it is easy to create a simple system with privacy, this typically causes loss of functions.

view more

Slowfuzz: Automated domain-independent detection of algorithmic complexity vulnerabilities

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

2017 Algorithmic complexity vulnerabilities occur when the worst-case time/space complexity of an application is significantly higher than the respective average case for particular user-controlled inputs. When such conditions are met, an attacker can launch Denial-of-Service attacks against a vulnerable application by providing inputs that trigger the worst-case behavior. Such attacks have been known to have serious effects on production systems, take down entire websites, or lead to bypasses of Web Application Firewalls.

view more

HVLearn: Automated black-box analysis of hostname verification in SSL/TLS implementations

IEEE Symposium on Security and Privacy (SP)

2017 SSL/TLS is the most commonly deployed family of protocols for securing network communications. The security guarantees of SSL/TLS are critically dependent on the correct validation of the X.509 server certificates presented during the handshake stage of the SSL/TLS protocol. Hostname verification is a critical component of the certificate validation process that verifies the remote server's identity by checking if the hostname of the server matches any of the names present in the X.509 certificate. Hostname verification is a highly complex process due to the presence of numerous features and corner cases such as wildcards, IP addresses, international domain names, and so forth. Therefore, testing hostname verification implementations present a challenging task. In this paper, we present HVLearn, a novel black-box testing framework for analyzing SSL/TLS hostname verification implementations, which is based on automata learning algorithms. HVLearn utilizes a number of certificate templates, i.e., certificates with a common name (CN) set to a specific pattern, in order to test different rules from the corresponding specification. For each certificate template, HVLearn uses automata learning algorithms to infer a Deterministic Finite Automaton (DFA) that describes the set of all hostnames that match the CN of a given certificate. Once a model is inferred for a certificate template, HVLearn checks the model for bugs by finding discrepancies with the inferred models from other implementations or by checking against regular-expression-based rules derived from the specification. The key insight behind our approach is that the acceptable hostnames for a given certificate template form a regular language. Therefore, we can leverage automata learning techniques to efficiently infer DFA models that accept the corresponding regular language.

view more