Carnegie Mellon University

Nicolas Christin

Dr. Nicolas Christin

Professor and Department Head, Software and Societal Systems

Address
5000 Forbes Avenue
Pittsburgh, PA 15213

Bio

I am a Professor at Carnegie Mellon University, in the School of Computer Science, where I am the head of the Software and Societal Systems Department.

I am also affiliated with the department of Engineering and Public Policy in the College of Engineering; am a core faculty member of CyLab, our university-wide security institute; and have a courtesy appointments in the Electrical and Computer Engineering department.

I received a Diplôme d'Ingénieur (1999) from École Centrale de Lille, a Master's (2000) and a Ph.D. (2003) in Computer Science from the University of Virginia. In the final year (2002-2003) of my Ph.D., I was working at Nortel Networks. I then spent two wonderful years (2003-2005) as a postdoctoral fellow in the School of Information at UC Berkeley, before joining Carnegie Mellon in July 2005. I was a faculty in residence for three years (2005-2008) at CyLab Japan, the research and education center CMU used to have in Kōbe, which remains one of my favorite cities. After coming back to the US, I served as Associate Director of the Information Networking Institute from 2008 through 2013, as a research faculty (Assistant Research Professor) in Electrical and Computer Engineering from 2013 through 2016, as a research faculty (Associate Research Professor) in my current departments from 2016 through 2019, and subsequently as a tenured Associate Professor from 2019 through 2022. I was the director of the Societal Computing Ph.D. program from 2019 through 2024, in which I remain very active.

Research

My research interest is in computer and information systems security. Most of my work is at the boundary of systems, networking and policy research. While a good portion of my research activities could be qualified of applied research, I try as much as possible to rely on strong theoretical foundations in my work. In addition, most of my recent work is informed by empirical data measurements (of users, networks, economic transactions, ...), so that the term "security analytics" is an appropriate short qualifier.

More specifically, the different inter-related research threads in which I am currently involved are:
[in brackets, some of the venues where we published on the subject]

  • Online crime modeling: Current security attacks are more often than not financially motivated. We postulate that, by getting a more precise picture of the economic interactions between the different actors involved, we can better understand how to disrupt or thwart these attacks. This line of work is very applied, and combines economic modeling, network measurements, and public policy research. [USENIX Sec'15, CCS'14, USENIX Sec'14, ESORICS'14, EC'13, WWW'13, CCS'11, USENIX Sec'11, CCS'10, ...]
  • Usable and secure authentication and passwords: Making systems more secure has generally been at odds with what humans are good at; for instance, longer passwords are near-impossible to memorize, complex security policies are ignored and therefore useless, and so forth. This has resulted in large security meltdowns. Rather than treating human factors as a constraint in secure system design, we try to exploit what people are skilled at to make systems more secure. For instance, humans can very quickly recognize patterns, make inferences from incomplete information, and respond positively to proper messaging. Our work in that space finds applications in authentication applications, smart password meters, mobile payment systems, automated teller machines, to name a few. [CHI'17, USENIX Sec'16, CHI'16, USENIX Sec'15, PETS'15, CHI'15, CHI'14, CCS'13, USENIX Sec'12, SOUPS'12, Oakland'12, CHI'11, FC'11, SOUPS'08, CHI'08, ...]
    Software highlights include our open-source Carnegie Mellon password meter, and our neural network-based password cracker.
  • Security economics: We keep hearing about security attacks and breaches, despite the fact that most security problems have relatively low-cost solutions (e.g., patching, stronger access control, audits). I am interested in 1) understanding why, from an economic standpoint, people and corporations are seemingly either not investing enough in security, or investing in the wrong things, and 2) finding out if there are economic remedies or incentive compatible algorithms, that we, as a society, can use to improve this sad state of affairs. Behavioral economics, game theory as well as system design play a significant role in this cross-disciplinary work. [AAAI'15, IJCAI'13, CSF'11, ESORICS'10, FC'10, EC'08, WWW'08, ...]

Other topics I have been involved in, and am still interested in, include building systems that better support service differentiation, or, to use 21st century terminology, that better cope with "network discrimination," economics-informed network topology design, and smart phone security.

Publications

Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Harold Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher. Design and Evaluation of a Data-Driven Password Meter. In Proceedings of the 2017 ACM Conference on Human Factors in Computing Systems (CHI 2017), pages 3775-3786. Denver, CO. May 2017. Best paper award.

William Melicher, Blase Ur, Sean Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Fast, lean, and accurate: modeling password guessability using neural networks. In Proceedings of the 25th USENIX Security Symposium (USENIX Security'16). Austin, TX. August 2016. Best paper award.

Kyle Soska and Nicolas Christin. Automatically Detecting Vulnerable Websites Before They Turn Malicious. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security'14), pages 625-640. San Diego, CA. August 2014. Best student paper award.

Michelle Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur. Measuring Password Guessability for an Entire University. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013). Berlin, Germany. November 2013.

Nicolas Christin. Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace. In Proceedings of the 22nd International World Wide Web Conference (WWW'13), pages 213-224. Rio de Janeiro, Brazil. May 2013.

Nektarios Leontiadis, Tyler Moore, and Nicolas Christin. Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade. In Proceedings of the 20th USENIX Security Symposium (USENIX Security'11). San Francisco, CA. August 2011.

Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Cranor and Serge Egelman. Of Passwords and People: Measuring the Effect of Password-Composition Policies. In Proceedings of the 2011 ACM Conference on Human Factors in Computing Systems (CHI 2011), pages 2595-2604. Vancouver, BC, Canada. May 2011. Honorable mention award.

Jens Grossklags, Nicolas Christin, and John Chuang. Secure or Insure? A Game-Theoretic Analysis of Information Security Games. In Proceedings of the 17th International World Wide Web Conference (WWW'08), pages 209-218. Beijing, China. April 2008.

Nicolas Christin, Andreas S. Weigend, and John Chuang. Content Availability, Pollution and Poisoning in Peer-to-Peer File Sharing Networks. In Proceedings of the Sixth ACM Conference on Electronic Commerce (EC'05), pages 68-77. Vancouver, BC, Canada. June 2005.

Nicolas Christin, Jörg Liebeherr, and Tarek F. Abdelzaher. Enhancing Class-Based Service Architectures with Adaptive Rate Allocation and Dropping Mechanisms. In IEEE/ACM Transactions on Networking 15(3), pages 669-682. June 2007.

[Full list of publications]