Selected Publications

In this work, we compare the performance of a passive eavesdropper in 802.11b/n/ac WLAN networks. In particular, we investigate the downlink of 802.11 networks in infrastructure mode (e. g. from an access point to a terminal) using Commercial-Of-The-Shelf (COTS) devices. Recent 802.11n/ac amendments introduced several physical and link layer features, such as MIMO, spatial diversity, and frame aggregation, to increase the throughput and the capacity of the channel. Several information theoretical studies state that some of those 802.11n/ac features (e. g. beamforming) should provide a degradation of performance for a passive eavesdropper. However, the real impact of those features has not yet been analyzed in a practical context and experimentally evaluated. We present a theoretical discussion and a statistical analysis (using path loss models) to estimate the effects of such features on a passive eavesdropper in 802.11n/ac, using 802.11b as a baseline. We use Signal-to-Noise-Ratio (SNR) and Packet-Error-Rate (PER) as our main metrics. We compute lower and upper bounds for the expected SNR difference between 802.11b and 802.11n/ac using high-level wireless channel characteristics. We show that the PER in 802.11n/ac increases up to 98% (compared to 802.11b) at a distance of 20 meters between the sender and the eavesdropper. To obtain a PER of 0.5 in 802.11n/ac, the attacker’s maximal distance is reduced by up to 129.5 m compared to 802.11b. We perform an extensive set of experiments, using COTS devices in an indoor office environment, to verify our theoretical estimations. The experimental results validate our predicted effects and show that every amendment add extra resiliency against passive COTS eavesdropping.
CANS, 2017.

In this work, we address the problem of designing and implementing honeypots for Industrial Control Systems (ICS). Honeypots are vulnerable systems that are set up with the intent to be probed and compromised by attackers. Analysis of those attacks then allows the defender to learn about novel attacks and general strategy of the attacker. Honeypots for ICS systems need to satisfy both traditional ICT requirements, such as cost and maintainability, and more specific ICS requirements, such as time and determinism. We propose the design of a virtual, high-interaction and server-based ICS honeypot to satisfy the requirements, and the deployment of a realistic, cost-effective, and maintainable ICS honeypot. An attacker model is introduced to complete the problem statement and requirements. Based on our design and the MiniCPS framework, we implemented a honeypot mimicking a water treatment testbed. To the best of our knowledge, the presented honeypot implementation is the first academic work targeting Ethernet/IP based ICS honeypots, the first ICS virtual honeypot that is high-interactive without the use of full virtualization technologies (such as a network of virtual machines), and the first ICS honeypot that can be managed with a Software-Defined Network (SDN) controller.
CPS-SCP (co-located with ACM CCS), 2016.

In recent years, tremendous effort has been spent to modernizing communication infrastructure in Cyber-Physical Systems (CPS) such as Industrial Control Systems (ICS) and related Supervisory Control and Data Acquisition (SCADA) systems. While a great amount of research has been conducted on network security of office and home networks, recently the security of CPS and related systems has gained increased attention. Unfortunately, real-world CPS are often not open to security researchers, and as a result very few reference physical-layer processes, control systems and communication topologies are available. In this work, we present MiniCPS, a toolkit intended to alleviate this problem. The goal of MiniCPS is to create an extensible, reproducible research environment for network communications, control systems, and physical-layer interactions in CPS. Instead of focusing on a customized simulation settings for specific subsystems, the main goal is to establish a framework to connect together real CPS soft- and hardware, simulation scripts for such components, and physical-layer simulation engines. MiniCPS builds on Mininet to provide lightweight real-time network emulation, and extends Mininet with tools to simulate typical CPS components such as programmable logic controllers, which use industrial protocols (eg. EtherNet/IP, Modbus/TCP). To capture physical-layer interactions, MiniCPS defines a simple API to connect to physical-layer simulations. We demonstrate applications of MiniCPS in two example scenarios, and show how MiniCPS can be used to develop attacks and defenses that are directly applicable to real systems.
CPS-SCP (co-located with ACM CCS), 2015.

Recent Publications

More Publications

. Gamifying ICS Security Training and Research: Design, Implementation, and Results of S3. CPS-SCP (co-located with ACM CCS), 2017.

Preprint PDF Code Project Slides

. Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac WLAN. CANS, 2017.

Preprint Slides

. Legacy-Compliant Data Authentication for Industrial Control System Traffic. ACNS, 2017.

PDF Slides

. Towards high-interaction virtual ICS honeypots-in-a-box. CPS-SCP (co-located with ACM CCS), 2016.

PDF Project Poster Slides

. MiniCPS: A toolkit for security research on CPS networks. CPS-SCP (co-located with ACM CCS), 2015.

Preprint PDF Code Project Poster Slides

. Design and Testing of RNG. University of Bologna and University of Massachussets Amherst, 2013.

PDF Slides

. On-chip lightweight implementation of reduced NIST randomness test suite. HOST, 2013.


Recent Posts

More Posts

After the post about connecting to SUTD’s VPN is now time to connect eduroam! Again, SUTD’s IT support for (Arch) Linux at the time of writing is none. SUTD runs a setup with only username-password (no certificates required) and the connection can be established using the GUI of NetworkManager. If your WiFi card is on and eduroam is in your range you should see the eduroam SSID on the list of the available WiFi networks.


I’ve recently came across the problem of connecting to the SUTD VPN server from overseas. SUTD’s IT support for (Arch) Linux at the time of writing is none, and after a bit of research I’ve found a quick and easy solution. SUTD runs Pulse Connect Secure (PCS) server, a commercial solution known as Juniper SSL VPN. Luckily there is an open-source client that supports PCS named OpenConnect. Arch has an openconnect package and a NetworkManager plugin called networkmanager-openconnect.


As part of my PhD I’ve recently joined as a visiting researcher the Department of Computer Science, University of Oxford 🇬🇧.

I’m going to spend around six months here, supervised by Prof. Kasper Rasmussen and co-supervised by Prof. Ivan Martinovic.

I’m very excited!


I’m happy to announce that our paper titled State-Aware Anomaly Detection for Industrial Control Systems has been accepted for the Symposium On Applied Computing (SAC) 2018 conference.

Congratulations to Hamid, and the co-authors!


This week I’ve been in Hong Kong for the Cryptology And Network Security Conference (CANS) 2017 conference.

I’ve presented our paper about: Practical Evaluation of Passive COTS Eavesdropping in 802.11b/n/ac WLAN.

Here I’m sharing some pictures with some new friends:

CANS17 Ferry

CANS17 Dinner




A framework for Cyber-Physical Systems real-time simulation, built on top of mininet


  • Fall 2017: TA 50.012 Networks SUTD Undergrad
  • Spring 2017: TA 50.020 Security SUTD Undergrad
  • 2013: External Commissioner Prof for High School Final Exams
    • LAMP stack, SQL, design and implementation of relational DB, MVC, paradigm, HTTP(S)
  • 2013-2015: Private teacher
    • Grad/undergrad: linear algebra, calculus, programming (C, Pascal)
    • High school: math, physics, programming (C++)