Computer Scientist | Machine Learning & Security


Not very many years ago, the President of Columbia met with the Engineering school faculty at the yearly meeting with the President and Provost. To paraphrase, he expressed his own thoughts about engineering and stated in clear terms that the faculty needed to decide whether to remain “pure” and do their work within the confines of the Ivy tower or be tainted and involve themselves with the “real-world”. I heard a clear gasp from the 100+ faculty present. He apparently did not well understand that the “real-world” is the true laboratory for engineering. The president received quite a bit of blowback, and subsequently appointed an advisor to teach about entrepreneurship and transition of engineering science and technology to the “real-world”.

This is now the age of entrepreneurship in academia. That’s a good thing. But it is very difficult to succeed and win in both the academic community and the “real-world” community.

I’ve tried mightily to do both and I’m not sure I’ve succeeded in either, but I keep trying. I believe it is important for the future of academic institutions to be engaged with a complex and dangerous “real-world”.

There are considerable forces within academia that complicate one’s career and academic life. The origins of the well-known adage that “academic politics is so vicious because the stakes are so low” are debated among academics. My academic colleagues might appreciate the slight snarkiness of some of my writings since we are all steeped in the low-stakes culture of academia.


Among my (perceived) achievements from an academic perspective, I’ve published at what is regarded as a reasonable rate, as well as participating in the premier academic forums, and the top conferences.

  • Over a 4-decade career as a professor there are well over 230 papers, many having received best paper awards, and an overall citation count of nearly 30,000, if Google Scholar can be trusted for accuracy. According to the recently awarded RAID most influential paper award, the award committee analyzing my publication record posits “His 6 most quoted papers have been published in 6 distinct venues (!): Usenix Security, IEEE SSP, ACM Sigmod Record, App. Of Data mining in computer security, ACM TISSEC, Data Mining and Knowledge Discovery.”

  • Among the most important scientific contributions, it is evident machine learning applied to security, the “sorted neighborhood algorithm” for the merge/purge problem, the formal treatment of cost-based intrusion detection systems, content-based anomaly detection algorithms, the Symbiote for embedded devices, and even the DADO machine all have had wide impact in the research community and the “real-world”. Recently I was elevated to IEEE Fellow for my contributions to machine learning applied to computer security. Well, at least one academic merit badge was earned. Took long enough; I finally paid attention.

  • At this time, a standard academic measure of faculty productivity is the H-index, a number N, the count of publications that are cited at least N times. Mine is 81. Many object to the H-index for good reason: it measures quantity, not “academic quality”. But it is still used as one element in faculty promotion cases. (I proposed, tongue in cheek, the W-index, a measure of the number of faculty innovations used in the laptops of other faculty. Sadly, most faculty object to this concept, preferring citation counts, rather than “real-world” impact measures.)

  • To date, 73 patents have issued, although patents have never been considered an adequate academic measure of productivity and success. (There goes that “real-world” impact thing again.)

  • I have participated on many conference Program Committees, and chaired a few over the years. I continue to participate and contribute to the research community.

  • I have been proud to have advised and mentored about 30 students all of whom seem to be successful and happy in their careers. This pride extends to the many dozens of masters students I have had the unique pleasure to support and mentor.

  • Funding of the research enterprise in academia is crucial, and faculty are often judged on their “grant writing”. I’ve been fortunate to have raised over $50MM in research funding, primarily from government sources, and gift giving, although some in academia consider this to be either standard practice and expected, or the consequence of a “beltway bandit” mentality. No matter, I have accomplished many technical goals having been well funded and able to support students and equipment in my lab.

  • It is our duty to contribute to society and make ourselves available when called upon for specific reasons to advise the government. I have been fortunate and at times honored to be an advisor to government agencies in various capacities. I remain actively engaged with National Academy committees and the DNI ISTEG committee, and other various committees as invited from time to time. These government activities provide me with a sobering view of the “real-world” of security that has a tremendous impact on the kinds of problems I challenge myself to pursue.

  • In my early collaboration with Herbert Shor, at the time the executive director of USC/ISI, we collaborated to produce a formal report under NSF sponsorship that proposed the Digital Government of the 21st Century as a sponsored research objective. The Digital Government Society, dg.o, is still going strong after these many years since the original report was issued in 1998. I am eternally grateful to Herb for his kind support of me when I was a new Assistant Professor and for awarding me the IBM Faculty Development Award. Our collaboration on dg.o was among the most enjoyable of my career.


Perhaps my “real-world” achievements are harder to substantiate without a clear printed record (there is no site), but these are the facts.

  • AT&T’s first national speech recognition service was deployed largely based upon my work on the DADO parallel computer.

  • Although the work on DADO is nearly 3 decades old, and easily forgotten by the latest generation of researchers, DADO’s Broadcast/Match/Resolve/Report functionality really is the core functionality of widely used Hadoop and MapReduce. That work of course does not cite DADO, but knowledgeable parallel computer architects can clearly see the progenitor of these modern large scale Data Science computing facilities is conceptually linked to DADO’s functionality.

  • I have had a broad range of conceptions in machine learning applied to security, primarily Anomaly Detection algorithms that are in use in a number of security products. These are very hard to “prove” without the unfortunate need to litigate to the truth, an activity that is unfortunately an ongoing and long process.

  • Spinout companies from my IDS lab, most recently Allure Security Technology providing deception technology in scale and Red Balloon Security providing host based IDS for IoT devices. (This is the age of entrepreneurship, as I said.)

  • All of the spinout companies from my Lab were funded in the capital markets, including iPrivacy, System Detection (later rebranded CounterStorm and acquired), as well as Allure and RBS.

  • The transition of the Symbiote technology to industry is evidenced not only by industry awards, such as Popular Science’s recognition as one of the most innovative developments in security, but also by the public announcement of a major licensing deal with HP.

I am an odd mixture of a pure academic researcher who loves to study hard problems and build systems, and transition great ideas to the real-world. It is hard to succeed in business. It is hard to succeed in academia. It has been hard trying to succeed in both, but it can be done. Perhaps that is the best lesson and impact I can have on my students.