Hsu-Chun Hsiao

I completed my Ph.D. (2014) in Electrical and Computer Engineering at Carnegie Mellon University. I received my M.S. (2008) and B.S. (2006) degrees in Electrical Engineering at National Taiwan University.

Letters of Recommendation Policy: Please read this before requesting for letters of recommendation.

Interested in joining Network Security Lab (NSLab)? We are interested in the field of computer and network security, with focuses on DDoS defense, automated vulnerability discovery, and IoT security lately. Some of our members are also affiliated with the Balsn CTF team. We are actively recruiting highly motivated students and researchers! Email me or drop by R307 to chat with awesome nslab members.

• Mr. Lu Feng-Zhang Memorial Award 管理科學學會呂鳳章先生紀念獎章 (2023)
• ACNS Best Student Paper Award (2023)
• Privacy Enhancing Technologies Symposium (PETS) Best Artifact Award (2022)
• IEEE Symposium on Security and Privacy (S&P) Test-of-Time Award (2022)
• Ta-You Wu Memorial Award 國科會吳大猷先生紀念獎 (2021)
• Delta Research Excellence Award 台達傑出研究獎 (2020)
• Ren Min Outstanding Young Chair Professorship 仁民傑出青年學者講座 (2020)
• CyberW Early Career Award Honorable Mention by ACM Workshop for Women in Cybersecurity Research (2020)
• K. T. Li Young Researcher Award by IICM and ACM Taipei/Taiwan Chapter 資訊學會李國鼎青年研究獎 (2018)
• Young Scholar Fellowship by the Ministry of Science and Technology of Taiwan (2018-2023)
• Research Abroad Grant by Taiwan Information Security Center (2018)
• NTU Outstanding Teaching Award 教學優良獎 (2017, 2018, 2019, 2020, 2022, 2023)
• CCISA Master Thesis Supervision Award (2017, 2018, 2020)

Conferences and Journals

[C50] Uncovering Hidden Proxy Smart Contracts for Finding Collision Vulnerabilities in Ethereum. [code (TBA)]
Cheng-Kang Chen, Wen-Yi Chu, Muoi Tran, Laurent Vanbever, Hsu-Chun Hsiao
To appear in IEEE International Conference on Distributed Computing Systems (ICDCS), July 2025.

[C49] Bots can Snoop: Uncovering and Mitigating Privacy Risks of Bots in Group Chats. [code]
Kai-Hsiang Chou, Yi-Min Lin, Yi-An Wang, Jonathan Weiping Li, Tiffany Kim, Hsu-Chun Hsiao
To appear in the 34th USENIX Security Symposium, August 2025.

[C48] Verifying Loot-box Probability Without Source-code Disclosure.
J.-J. Wang, A.-J. Li, T.-Y. Fang, H.-C. Hsiao
In the 40th Annual Computer Security Applications Conference (ACSAC), December 2024.

[C47] AdapSan: Adaptive Input Sanitization in Medical Systems with eBPF.
S. Chang, A. Li, E. Jaff, Y. Chang, J. Wang, N. Zhang, H.-C. Hsiao
In ACM Workshop on Adaptive and Autonomous Cyber Defense (co-located with ACM CCS), October 2024.

[C46] Uncovering Recurring Vulnerabilities through Taint-Extracted Operator Sequences.
C.-M. Yang, C.-J. Hsu, T. Ban, T. Takahashi, H.-C. Hsiao
In IEEE Conference on Communications and Network Security (CNS), October 2024.

[J10] SPArch: A Hardware-oriented Sketch-based Architecture for High-speed Network Flow Measurements.
A. Sateesan, J. Vliegen, S. Scherrer, H.-C. Hsiao, A. Perrig, N. Mentens.
In ACM Transactions on Privacy and Security. (Accepted: August 2024)

[C45] Detecting IP Prefix Mismatches on SDN Data Plane.
S.-P. Tung, Y.-M. Lin, K.-L. Chang, H.-C. Hsiao and T. H.-J. Kim.
In the 33rd International Conference on Computer Communications and Networks (ICCCN), July 2024.

[C44] Risky Cohabitation: Understanding and Addressing Over-privilege Risks of Commodity Application Virtualization Platforms in Android. [code]
S.-C. Hsiao, S.-W. Li, H.-C. Hsiao.
In ACM Conference on Data and Application Security and Privacy (CODASPY), June 2024.

[C43] ALBUS: a Probabilistic Monitoring Algorithm to Counter Burst-Flood Attacks.
S. Scherrer, J. Vliegen, A. Sateesan, H.-C. Hsiao, N. Mentens, A. Perrig.
In International Symposium on Reliable Distributed Systems, September 2023.

[C42] Capturing Antique Browsers in Modern Devices: A Security Analysis of Captive Portal Mini-Browsers. [code]
P.-L. Wang, K.-H. Chou, S.-C. Hsiao, A. T. Low, T. H.-J. Kim and H.-C. Hsiao.
The 21st International Conference on Applied Cryptography and Network Security (ACNS), June 2023. (Best Student Paper Award)

[C41] OmniCrawl: Comprehensive Measurement of Web Tracking With Real Desktop and Mobile Browsers. [code]
D. Cassel, S.-C. Lin, A. Buraggina, W. Wang, A. Zhang, L. Bauer, H.-C. Hsiao, L. Jia, T. Libert.
In Privacy Enhancing Technologies Symposium (PETS), July 2022. (Best Artifact Award)

[C40] Tool: An Efficient and Flexible Simulator for Byzantine Fault-Tolerant Protocols. [code]
P.-L. Wang, T.-W. Chao, C.-C. Wu, H.-C. Hsiao.
In IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), June 2022.

[C39] LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR. [code (TBA)]
W.-L. Mow, S.-K. Huang, H.-C. Hsiao.
In The 6th International Workshop on Privacy, data Assurance, Security Solutions for Internet of Things, June 2022.

[C38] Investigating Advertisers' Domain-changing Behaviors and Their Impacts on Ad-blocker Filter Lists. [extended] [code & dataset]
S.-C. Lin, K.-H. Chou, Y. Chen, H.-C. Hsiao, D. Cassel, L. Bauer, and L. Jia.
In The Web Conference (TheWebConf, formerly known as WWW), April 2022.

[C37] HeadStart: Efficiently Verifiable and Low-Latency Participatory Randomness Generation at Scale. [code (TBA)]
H. Lee, Y.-M. Hsu, J.-J. Wang, H.-C. Yang, Y.-H. Chen, Y.-C. Hu, and H.-C. Hsiao.
In Network and Distributed System Security Symposium (NDSS), April 2022.

[C36] Low-Rate Overuse Flow Tracer (LOFT): An Efficient and Scalable Algorithm for Detecting Overuse Flows. [preprint]
S. Scherrer, C.-Y. Wu, Y.-H. Chiang, B. Rothenberger, D. Asoni, A. Sateesan, J. Vliegen, N. Mentens, H.-C. Hsiao, A. Perrig.
In International Symposium on Reliable Distributed Systems, September, 2021.

[C35] ProMutator: Detecting Vulnerable Price Oracles in DeFi by Mutated Transactions. [code & disclosure]
S.-H. Wang, C.-C. Wu, Y.-C. Liang, L.-H. Hsieh and H.-C. Hsiao.
In IEEE Workshop on Security & Privacy on the Blockchain (co-located with IEEE Euro S&P), September 2021.

[C34] Speed Records in Network Flow Measurement on FPGA.
A. Sateesan, J. Vliegen, S. Scherrer, H.-C. Hsiao, A. Perrig, and N. Mentens.
In International Conference on Field-Programmable Logic and Applications (FPL), August 2021.

[C33] icLibFuzzer: Isolated-context libFuzzer for Improving Fuzzer Comparability. [preprint] [code]
Y.-C. Liang, H.-C. Hsiao.
In NDSS workshop on Binary Analysis Research, February 2021.

[J9] A decentralized framework for cultivating research lifecycle transparency. [code]
W. Jeng, S.-H. Wang, H.-W. Chen, P.-W. Huang, Y.-J. Chen, H.-C. Hsiao.
PLOS ONE 15(11): e0241496, 2020.

[C32] On the Privacy Risks of Compromised Trigger-Action Platforms. [code]
Y.-H. Chiang, H.-C. Hsiao, C.-M. Yu and T. H.-J. Kim.
In European Symposium on Research in Computer Security (ESORICS), September 2020.

[C31] FALCO: Detecting JavaScript-based Cyber Attack UsingWebsite Fingerprints.
C.-C. Liu, H.-C. Hsiao, T. H.-J. Kim.
In International Conference on Security and Cryptography (SECRYPT), July 2020.

[C30] Practical and Verifiable Electronic Sortition.
H. Lee, H.-C. Hsiao.
In Workshop on Foundations of Computer Security, June 2020.

[C29] On Using Camera-based Visible Light Communication for Security Protocols.
W.-Y. Chu, T.-G. Yu, Y.-K. Lin, S.-C. Lee and H.-C. Hsiao.
In IEEE Workshop on the Internet of Safe Things (SafeThings), May 2020.

[J8] SAFECHAIN: Securing Trigger-Action Programming from Attack Chains. [code&dataset]
K.-H. Hsu, Y.-H. Chiang, H.-C. Hsiao.
IEEE Transactions on Information Forensics and Security, 14(10), pp.2607-2622, Oct. 2019.

[C28] On the Feasibility of Rerouting-based DDoS Defenses.
M. Tran, M. S. Kang, H.-C. Hsiao, W.-H. Chiang, S.-P. Tung and Y.-S. Wang.
In IEEE Symposium on Security and Privacy (IEEE S&P), May 2019.

[C27] An Investigation of Cyber Autonomy on Government Websites. (Short Paper) [dataset]
H.-C. Hsiao, T. H.-J. Kim, Y.-M. Ku, C.-M. Chang, H.-F. Chen, Y.-J. Chen, C.-W. Wang and W. Jeng.
In The Web Conference (TheWebConf, formerly known as WWW), May 2019.

[C26] Enhancing Symbolic Execution by Machine Learning Based Solver Selection. [code]
S.-H. Wen, W.-L. Mow, W.-N. Chen, C.-Y. Wang, H.-C. Hsiao.
In NDSS workshop on Binary Analysis Research, February 2019.

[J7] GROUPIT: Lightweight Group Key Management for Dynamic IoT Environments.
Y.-H. Kung, H.-C. Hsiao.
IEEE Internet of Things Journal, vol. 5, no. 6, pp. 5155-5165, Dec. 2018.

[C25] Dynamic Path Pruning in Symbolic Execution.
Y.-S. Chen, W.-N. Chen, C.-Y. Wu, H.-C. Hsiao, S.-K. Huang.
In IEEE Conference on Dependable and Secure Computing (DSC), December 2018.

[C24] CLEF: Limiting the Damage Caused by Large Flows in the Internet Core.
H. Wu, H.-C. Hsiao, D. E. Asoni, S. Scherrer, A. Perrig, Y.-C. Hu.
In International Conference on Cryptology and Network Security (CANS), September 2018.

[C23] SDNProbe: Lightweight Fault Localization in the Error-Prone Environment. [code]
Y.-M, Ke, H.-C. Hsiao, T. H.-J. Kim.
In IEEE International Conference on Distributed Computing Systems (ICDCS), July 2018.

[C22] DAMUP: Practical and Privacy-aware Cloud-based DDoS Mitigation. [code]
S.-C. Lin, P.-W. Huang, H.-Y. Wang, H.-C. Hsiao.
In IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT), April 2018.

[C21] INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing. [code]
C.-C. Hsu, C.-Y. Wu, H.-C. Hsiao, S.-K. Huang.
In NDSS Workshop on Binary Analysis Research, February 2018.

[J6] Traffic-aware Patching for Cyber Security in Mobile IoT.
S.-M. Cheng, P.-Y. Chen, C.-C. Lin, H.-C. Hsiao.
IEEE Communications Magazine, 2017.

[C20] A Generic Web Application Testing and Attack Data Generation Method.
H.-Y. Shih, H.-L. Lu, C.-C. Yeh, H.-C. Hsiao, S.-K. Huang.
In International Conference on Security with Intelligent Computing and Big-data Services (SICBS), December 2017.

[C19] Security Implications of Redirection Trail in Popular Websites Worldwide.
L. Chang, W.-H. Lin, H.-C. Hsiao, W. Jeng, T. H.-J. Kim.
In 26th International World Wide Web Conference (WWW), April 2017.

[J5] Decapitation via Digital Epidemics: A Bio-Inspired Transmissive Attack.
P.-Y. Chen, C.-C. Lin, S.-M. Cheng, H.-C. Hsiao, and C.-Y. Huang.
IEEE Communications Magazine, 2016.

[J4] Insider Collusion Attack on Privacy-preserving Kernel-based Data Mining Systems.
P. S. Wang, F. Lai, H.-C. Hsiao, and J.-L. Wu.
IEEE Access, vol. 4, pp. 2244-2255, 2016.

[C18] SandUSB: An Installation-Free Sandbox for USB Peripherals.
E. L. Loe, H.-C. Hsiao, T. H.-J. Kim, S.-C. Lee, and S.-M. Cheng.
In IEEE World Forum on Internet of Things Workshop on User Centric Security, Privacy, and Interoperability in the Context of Internet of Things and Smart Cities, December 2016.

[C17] Migrant Attack: A Multi-resource DoS Attack on Cloud Virtual Machine Migration Schemes.
J.-R. Yeh, H.-C. Hsiao, A.-C. Pang.
In 11th Asia Joint Conference on Information Security (AsiaJCIS), August 2016.

[C16] Securing Data Planes in Software-Defined Networks.
T.-W. Chao, Y.-M. Ke, B.-H. Chen, J.-L. Chen, C. J. Hsieh, S.-C. Lee, H.-C. Hsiao.
In IEEE International Workshop on Security in Virtualized Networks (Sec-VirtNet), June 2016.

[C15] CICADAS: Congesting the Internet with Coordinated And Decentralized Pulsating Attacks.
Y.-M. Ke, C.-W. Chen, H.-C. Hsiao, A. Perrig, V. Sekar.
In ACM Asia Conference on Computer and Communications Security (ASIACCS), May 2016.

[C14] SIBRA: Scalable Internet Bandwidth Reservation Architecture.
C. Basescu, R. M. Reischuk, P. Szalachowski, A. Perrig, Y. Zhang, H.-C. Hsiao, A. Kubota, J. Urakawa.
In Networked & Distributed System Security Symposium (NDSS), February 2016.

[C13] A Secure Authorization System in PHR based on CP-ABE.
H.-H. Chung, P. Wang, T.-W. Ho, H.-C. Hsiao, F. Lai.
In IEEE E-Health and Bioengineering Conference (EHB), November 2015.

[C12] A Practical System for Guaranteed Access in the Presence of DDoS Attacks and Flash Crowds.
Y.-H. Kung, T. Lee, P.-N. Tseng, H.-C. Hsiao, T. H.-J. Kim, S. B. Lee, Y.-H. Lin, and A. Perrig.
In IEEE International Conference on Internet Protocols (ICNP), November 2015.

[C11] Efficient Large Flow Detection over Arbitrary Windows: An Algorithm Exact Outside An Ambiguity Region.
H. Wu, H.-C. Hsiao, and Y.-C. Hu.
In ACM Internet Measurement Conference (IMC), November 2014.

[C10] YourPassword: Applying Feedback Loops to Improve Security Behavior of Managing Multiple Passwords. (Short Paper)
T. H.-J. Kim, H. C. Stuart, H.-C. Hsiao, Y.-H. Lin, L. Zhang, L. Dabbish, and S. Kiesler.
In ACM Symposium on Information, Computer and Communications Security (ASIACCS), June 2014.

[C9] Policy-based secure deletion.
C. Cachin, K. Haralambiev, H.-C. Hsiao, and A. Sorniotti.
In ACM Conference on Computer and Communications Security (CCS), November 2013.

[C8] STRIDE: Sanctuary Trail -- Refuge from Internet DDoS Entrapment.
H.-C. Hsiao, T. H.-J. Kim, S. B. Lee, X. Zhang, S. Yoo, V. Gligor and A. Perrig.
In ACM Symposium on Information, Computer and Communications Security (ASIACCS), May 2013.

[C7] LAP: Lightweight Anonymity and Privacy.
H.-C. Hsiao, T. H.-J. Kim, A. Perrig, A. Yamada, S. C. Nelson, M. Gruteser, and W. Meng.
In IEEE Symposium on Security and Privacy (Oakland), May 2012.

[C6] ShortMAC: Efficient Data-Plane Fault Localization.
X. Zhang, Z. Zhou, H.-C. Hsiao, T. H.-J. Kim, A. Perrig, and P. Tague.
In Networked & Distributed System Security Symposium (NDSS), February 2012.

[J3] Secure Distributed Data Aggregation.
H. Chen, H.-C. Hsiao, A. Perrig, and D. Song.
Journal of Foundations and Trends in Databases, Vol. 3, No. 3, pp 149-201, 2011.

[C5] Flooding-Resilient Broadcast Authentication for VANETs.
H.-C. Hsiao, A. Studer, C. Chen, A. Perrig, F. Bai, B. Bellur, and A. Iyer.
In ACM Conference on Mobile Computing and Networking (MobiCom), September 2011.

[C4] Efficient and Secure Threshold-based Event Validation for VANETs.
H.-C. Hsiao, A. Studer, R. Dubey, E. Shi, and Adrian Perrig.
In ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), June 2011.

[C3] SCION: Scalability, Control, and Isolation On Next-Generation Networks.
X. Zhang, H.-C. Hsiao, G. Hasker, H. Chan, A. Perrig, and D. Andersen.
In IEEE Symposium on Security and Privacy (Oakland), May 2011. (2022 Test-of-Time Award)

[J2] SPATE: Small-group PKI-less Authenticated Trust Establishment.
Y.-H. Lin, A. Studer, Y.-H. Chen, H.-C. Hsiao, E. L.-H. Kuo, J. M. McCune, K.-H. Wang, M. Krohn, A. Perrig, B.-Y. Yang, H.-M. Sun, P.-L. Lin, and J. Lee.
IEEE Transactions on Mobile Computing, 9(12): 1666-1681, 2010.

[C2] A Study of User-Friendly Hash Comparison Schemes.
H.-C. Hsiao, Y.-H. Lin, A. Studer, C. Studer, K.-H. Wang, H. Kikuchi, A. Perrig, H.-M. Sun, and B.-Y. Yang.
In Annual Computer Security Applications Conference (ACSAC), December 2009.

[C1] SPATE: Small-group PKI-less Authenticated Trust Establishment.
Y.-H. Lin, A. Studer, H.-C. Hsiao, J. M. McCune, K.-H. Wang, M. Krohn, P.-L. Lin, A. Perrig, H.-M. Sun, and B.-Y. Yang.
In ACM Annual International Conference on Mobile Systems, Applications and Services (MobiSys) 2009.

[J1] A Survey of Secure Data Aggregation on Sensor Networks.
Y.-S. Chen, H.-C. Hsiao, and C.-L. Lei.
Communications of Chinese Cryptology and Information Security Association (CCISA), Vol.13 No.4 pp17-28, 2007.

Posters and Extended Abstracts

[P16] yFuzz: Data-Driven Fuzzing.
Y. Chang, C.-C. Huang, T. Mori, H.-C. Hsiao
In ACM Conference on Computer and Communications Security (CCS), October 2024.

[P15] 政府Android 應用程式的網路安全
Y.-J. Chen, H.-C. Hsiao
In the 34th Cryptology and Information Security Conference, August 2024.

[P14] 運用網路流群組化資訊之進階型分散式阻斷服務攻擊防護機制
Y.-H. Lin, H.-C. Hsiao
In the 34th Cryptology and Information Security Conference, August 2024.

[P13] "Prove it!" A user-centered design client for the blockchain-based research lifecycle transparency framework.
Y.-C. Chang, L.-F. Kang, H.-C. Hsiao, & W. Jeng
In ASIS&T AM, October 2022.

[P12] PluginPermCheck: Preventing Permission Escalation in App Virtualization.
S.-C. Hsiao, H.-C. Hsiao
In IEEE Symposium on Security and Privacy (IEEE S&P), May 2022.

[P11] Know Your Victim: Tor Browser Setting Identification via Network Traffic Analysis. [code]
C.-M. Chang, H.-C. Hsiao, T. Lynar, T. Mori
In the Poster Track of The Web Conference (TheWebConf), April 2022.

[P10] POSTER: Challenges in Stopping Ticket Scalping Bots.
H. C. Yang, H. Lee, H.-C. Hsiao
In ACM Asia Conference on Computer and Communications Security (ASIACCS), October 2020.

[P9] POSTER: Android IME Privacy Leakage Analyzer.
P. Lo, J.-C. Huo, H.-C. Hsiao, B. Sun, T. Ban, T. Takahashi
In IEEE Symposium on Security and Privacy (IEEE S&P), May 2020.

[P8] Keeping passwords in your pocket: Managing password locally with mobile fingerprint sensors.
P.-Y. Lin, Z.-Y. Zhou, C.-M. Chang, H.-W. Chen, S.-P. Tung, and H.-C. Hsiao
In the Poster Track of The Web Conference (TheWebConf), April 2020.

[P7] Detecting JavaScript Injection via Website Behavior Fingerprint.
C.-C. Liu, H.-C. Hsiao, and T.H.-J. Kim
In the Poster Track of The Web Conference (TheWebConf), April 2020.

[P6] Hybrid-Voting:A Hybrid Structured Electronic Voting System.
P.-L.Wang, S.-H.Yang, and H.-C. Hsiao
In the Poster Track of The Web Conference (TheWebConf), April 2020.

[P5] Secure Device Pairing.
H.-C. Hsiao
In Encyclopedia of Wireless Networks (Springer), 2019.

[P4] Poster: Protecting Campus Networks with Cost-effective DDoS Defense.
W.-H. Chiang, S.-P. Tung, Y.-S. Wang, I-J. Hsiao, H.-C. Hsiao
In IEEE Symposium on Security and Privacy (IEEE S&P), May 2019.

[P3] Challenges in Realizing Privacy-aware Cloud-based DDoS Mitigation Mechanism.
S.-C. Lin, W.-N. Chen, H.-C. Hsiao
In USENIX Security Symposium Poster Session, August 2018.

[P2] Need Tickets? A Case Study of Bot-enabled Ticket Scalping.
C.-C. Lin, H.-C. Hsiao
Extended Abstract in APWG.EU eCrime Cyber-Security Symposium, October 2017.

[P1] Poster: VLC-based Authenticated Key Exchange.
Y.-S. Chen, C.-L. Lin, H.-C. Hsiao, Y.-H. Lin, H.-M. Tsai
In IEEE Symposium on Security and Privacy (IEEE S&P), May 2016.

Preprints and Technical Reports

Patent