I am working on cloud security stuff at Symantec. I earned a Ph.D. in Computer Science from K-State. I was very fortunate to be advised by Dr. Xinming Ou. My dissertation topic is Quantitative Risk Assessment under Multi-Context Environment, which is made from several research projects including network risk assessment, zero-day vulnerability evaluation, software dependency risk analysis and cloud platform risk assessment.
I am also one of the major contributors to MulVAL (an open-source, logic-based, data-driven enterprise security analyzer).
An Effective Approach of Mitigating Inter-VM Attacks.
Su Zhang. (Journal submission)
Assessing Attack Surface with Component-based Package Dependency.
Su Zhang, Xinwen Zhang, Xinming Ou, Liqun Chen, Nigel Edwards, and Jing Jin. (Journal submission: a short version published in NSS'15)
Improving the accuracy and scalability of attack graph-based vulnerability assessment through model abstraction.
Su Zhang, and Xinming Ou. (Journal submission)
Predicting Cyber Risks through National Vulnerability Database.
Su Zhang, Doina Caragea, and Xinming Ou. Accepted to appear In: Information Security Journal: A Global Perspective, Taylor & Francis, 2016 (Published online: 30 Nov 2015).
Assessing Attack Surface with Component-based Package Dependency.
Su Zhang, Xinwen Zhang, Xinming Ou, Liqun Chen, Nigel Edwards, and Jing Jin. In: Proceedings of 9th International Conference on Network and System Security (NSS 15),
New York, USA, November, 2015. (Acceptance ratio: 41/112 = 36%)
Quantitative Risk Assessment under Multi-context Environment.
Su Zhang. Ph.D. Dissertation, 2014.
After We Knew It: Empirical Study and Modeling of Cost-effectiveness of Exploiting Prevalent Known Vulnerabilities Across IaaS Cloud.
Su Zhang, Xinwen Zhang, and Xinming Ou. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS 14),
Kyoto, Japan, June, 2014. (Acceptance ratio: 52/260 = 20%)
Model-driven, Moving-Target Defense for Enterprise Network Security.
Scott DeLoach, Xinming Ou, Rui Zhuang, Su Zhang.
In Uwe Aßmann, Nelly Bencomo, Gordon Blair, Betty H. C. Cheng, Robert France (eds) State-of-the-Art Survey Volume on Models @run.time. Springer LNCS, Volume 8378, 2014, pp 137-161.
Aggregating vulnerability metrics in enterprise networks using attack graphs.
John Homer, Su Zhang, Xinming Ou, David Schmidt, Yanhui Du, S. Raj Rajagopalan and Anoop Singhal. Journal of Computer Security (JCS), Vol 21, No 4, September, 2013.
Deep-diving into an Easily-overlooked Threat: Inter-VM Attacks.
Su Zhang. (Technical Report)
Investigating the Application of Moving Target Defenses to Network Security.
Rui Zhuang, Su Zhang, Alex Bardas, Scott A. DeLoach, Xinming Ou, and Anoop Singhal. In: Proceedings of the 1st International Symposium on Resilient Cyber Systems (ISRCS),
San Francisco, CA, USA, August 2013.
Simulation-based Approaches to Studying Effectiveness of Moving-Target Network Defense.
Rui Zhuang, Su Zhang, Scott A. DeLoach, Xinming Ou, and Anoop Singhal. In: Proceedings of National Symposium on Moving Target Research,
Annapolis, MD, USA, June 2012.
Distilling Critical Attack Graph Surface iteratively through Minimum-Cost SAT Solving. (Best Student Paper)
Heqing Huang, Su Zhang, Xinming Ou, Atul Prakash, and Karem Sakallah. In: Proceedings of Annual Computer Security Applications Conference (ACSAC 11),
Orlando, Florida, USA, December 2011. (Acceptance ratio: 39/195 = 20%)
An empirical study on using the National Vulnerability Database to predict software vulnerability.
Su Zhang, Doina Caragea, and Xinming Ou. In: Proceedings of the 22nd International Conference on Database and Expert Systems Applications (DEXA 11),
Toulouse, France, August 2011. (Acceptance ratio: 52/207 = 25.1%)
Effective network vulnerability assessment through model abstraction.
Su Zhang, Xinming Ou, and John Homer. In: Proceedings of the Eighth SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 11),
Amsterdam, The Netherlands, July 2011. (Acceptance ratio: 13/41 = 31.7%)
An empirical study of a vulnerability metric aggregation method.
Su Zhang, Xinming Ou, Anoop Singhal, and John Homer. In: Proceedings of the 2011 International Conference on Security and Management (SAM 11),
Las Vegas, NV, U.S.A., July 2011.
Technical Program Committee
- ACM Conference on Data and Applications Security and Privacy (CODASPY) 2016, 2017
- IEEE Consumer Communications and Networking Conference (CCNC) 2016, 2017
Journal & Conference & Book Reviewer
- IEEE Transactions on Dependable and Secure Computing (TDSC)
- IEEE Transactions on Information Forensics & Security (TIFS)
- IEEE Transactions on Services Computing (TSC)
- IEEE Access Journal
- ACM Transactions on Embedded Computing Systems (TECS)
- Springer International Journal of Information Security (IJIS)
- Springer Multimedia Tools and Applications (MTAP)
- The Computer Journal (COMPJ)
- Elsevier Computers & Security (COSE)
- Information Security Journal: A Global Perspective (ISJ)
- Journal of Medical Systems (JOMS)
- ACM Conference on Computer and Communications Security (CCS) 2015
- ACM Conference on Computer and Communications Security (CCS) 2016
- ACM Conference on Data and Applications Security and Privacy (CODASPY) 2015
- ACM Conference on Data and Applications Security and Privacy (CODASPY) 2016
- ACM Symposium on Information, Computer and Communications Security (ASIACCS) 2015
- International Conference on Network and System Security (NSS) 2015
- International Conference on Privacy, Security and Trust (PST) 2014
- International Conference on Trustworthy Systems (TSA) 2014
- China International Conference on Information Security and Cryptology (INSCRYPT) 2013
- IEEE Conference on Communications and Network Security (CNS) 2015
- IEEE World Forum on Internet of Things (WF-IoT) 2015
- The Third International Workshop on Security in Cloud Computing (SCC) 2015
- IEEE International Conference on Machine Learning and Applications (ICMLA) 2013
- Book Review: Elsevier Wireless Cloud Computing 2015
- Senior Security Engineer, Cloud Platform Engineering, Feb 2015 - Present, Symantec Corporation, Mountain View, CA, USA.
Building a world class secure cloud for Symantec.
- Security Engineer, Sep 2014 - Jan 2015, Apigee Corporation, San Jose, CA, USA.
RESTful API Penetration Test
Cloud risk/vulnerability assessment
- Research Intern, Innovation Centers, Fall 2012, Huawei Technologies Co. Ltd., Santa Clara, CA, USA.
Mathematically modeled the significantly dropped cost effectiveness ratio
for attackers on a public cloud platform (Amazon EC2) compared with traditional
- Member of Technical Staff Intern, Platform Security, Summer 2012, VMware Inc., Palo Alto, CA, USA.
Developed an attack surface analyzer for different VMware products.
- Member of Technical Staff Intern, Platform Security, Summer 2011, VMware Inc., Palo Alto, CA, USA.
Developed a vulnerability analyzer for component-based weakness analysis over
Worked on Product Security Policy update.