Angelos Keromytis, Ph.D.

Network Security
Georgia Institute of Technology
Recruited: 2018

So much is at stake when it comes to safeguarding our nation’s power plants, financial networks, voting systems and all other foundations of our interconnected world. The brightest minds are needed to develop new technologies and shape effective policies in cybersecurity. Angelos Keromytis is one of those minds.

As a prominent network security researcher and advisor who counsels policy makers at the highest levels of government, Keromytis has contributed to a number of major cybersecurity initiatives. Much of his influence emerged in his roles as a program manager at both Defense Advanced Research Projects Agency (DARPA) and the National Science Foundation (NSF). Previously, he spent many years at Columbia University, where he founded the Network Security Lab, which led research on encryption, peer-to-peer networks, autonomic security and related topics.  

Keromytis emphasizes that effective cybersecurity is the product of interwoven technology and policy. His research pushes the limits of what technology can achieve in cybersecurity protection; he then applies this new knowledge when guiding those who create cyberdefense policy.

Many of the challenges he’s tackling come down to the difference between defense and offense. In tactical terms, an on-the-ground military operation must take into account the fact that attackers inherently have an advantage over defenders. The same principle might apply to online attacks — so far, that’s what the evidence suggests — but whether an attackers’ advantage is universal remains an open question, one that Keromytis is working to better understand.

For the most part, cybersecurity efforts have always focused on defense. The aim has been to build a system too secure for hackers to penetrate. When intrusions happen, the goal is to patch up the weak spot as quickly as possible and minimize the damage.

But maybe, Keromytis suggests, the best defense is a good offense. Instead of waiting for the attacker to breach our systems, we could build tools that would track malicious actors across the broader network and identify them before they strike.

That’s the goal of the “enhanced attribution” initiative he’s led. Instead of looking inward into our own systems, we could look at the internet at large and trace the adversaries back to where their attack originates, and then strike back at the devices or network from which they’re launching the attack.

Of course, there are technical challenges to such an approach. First, scanning all activity across the entire global network involves a massive amount of data processing. Second, in that vast sea of data, one particular set of malicious activities represent a very weak, small signal — the proverbial needle in a haystack. Keromytis is leading research on how to apply machine learning and other data analysis techniques to better distinguish such patterns.

One way this might work is by developing software agents with artificial intelligence and some degree of autonomy, empowered to carry out scanning and tracking actions and coordinate with other software agents to identify threats. Offloading threat identification to software agents would free up human analysts to focus on other high priorities, such as exploring the biggest threats.  

The enhanced attribution initiative goes hand-in-hand with another project, which provides the “defense” part of the equation. “Transparent computing” is about better identifying intrusions into the system. Today’s computing systems often act as black boxes, accepting inputs and delivering outputs, without creating a clear paper trail as to what happened and why. The goal of transparent computing is developing technologies to record and track all of the individual actions happening inside a system. This would more quickly reveal malicious actions, rather than waiting for malicious outcomes.

While enhanced attribution looks outward, transparent computing looks inward. It takes as a given the fact that hackers will sometimes still break into the system. But by making it easier to monitor and understand what’s happening at any given moment in a complex computing infrastructure — and why it’s happening —systems administrators could more easily identify threats and find attackers before they do too much damage.

In his new role at Georgia Tech, Keromytis is looking forward to fostering partnerships between university scholars and national security agencies. Fort Gordon in Augusta, Georgia offers one nearby NatSec presence where Keromytis can use his dual experience in academia and public service to advance dialogue and collaborations; the Augusta-based Georgia Cyber Center is another. With Georgia working to develop next-generation cyberdefenses, Keromytis is an essential addition to the research ecosystem. 


  • Investigate new computing paradigms for high-fidelity visibility into system operations
  • Develop novel cybersecurity capabilities at the intersection of the digital and analog domains
  • Develop techniques to reveal malicious actors across the internet 
  • Explore the opportunities that autonomous software agents offer to cyber operations
  • Investigate unconventional and indirect sensing modalities to better understand humans and the world around them

Choosing Georgia

“Over the years, especially during my time with the federal government, I came across a number of the faculty at Georgia Tech, and I had a chance to work with many of them. I was really impressed by the work that they did. Georgia Tech is a world-class university with excellent people, excellent research and excellent students. And I don’t even have to freeze in the winter.”

Intellectual Property

50 U.S. patents issued