ISP-Centric IDS
SIGCOMM '26
Providing Efficient and Robust ISP-Centric Intrusion Detection Service with Programmable Switches
Han Zhang, Xuefeng Liu, Linqiang Qian, Guyue (Grace) Liu, Tianyu Zhang, Kaiyang Zhao, Yantu Tong, Zeji Xiao, Dongbiao He, Yahui Li, Ke Ruan, Jilong Wang, Yongqing Zhu, Xia Yin
Annual Conference of the ACM Special Interest Group on Data Communication (SIGCOMM '26), 2026. To appear.
Key InsightThe first ISP-centric IDS running on programmable switches: data-plane lightweight feature extraction co-designed with control-plane adaptive learning, sustaining Tbps-class detection while staying robust to traffic drift and adversarial evasion. Validated on real ISP backbones; orders-of-magnitude resource savings vs. CPU/GPU baselines.
Deployed: ISP backbones
Tbps line-rate
P4 / Tofino
SIGCOMM '26 — to appear
Abstract
Internet Service Providers are uniquely positioned to deliver intrusion detection at the network's choke points, but operating an IDS at carrier scale faces stringent throughput, accuracy, and robustness constraints that conventional middlebox or host-based solutions cannot meet. This work proposes an ISP-centric IDS architecture built on programmable switches: it co-designs lightweight feature extraction in the data plane with adaptive learning in the control plane to sustain Tbps-class detection while remaining robust to traffic drift and adversarial evasion. The system has been validated in real ISP backbones and demonstrates orders-of-magnitude resource savings over CPU/GPU baselines without sacrificing detection quality.
DeepTrace
SIGCOMM '25
Low-Overhead Distributed Application Observation with DeepTrace: Achieving Accurate Tracing in Production Systems
Yantao Geng, Han Zhang*, Zhiheng Wu, Yahui Li, Jilong Wang, Xia Yin
Annual Conference of the ACM Special Interest Group on Data Communication (SIGCOMM '25), pp. 1056–1069, 2025.
Key InsightMethod-level distributed tracing in production at ~10× less overhead than intrusive baselines. Dual-path kernel + user-space protocol parsing eliminates application instrumentation entirely while preserving end-to-end causal accuracy.
Production-deployed
173 stars
eBPF / kernel + user-space
PDF
Code
ACM DL
Abstract
As microservices grow in scale and complexity, their operation and debugging become increasingly challenging. Even a single user request can involve interactions across hundreds of components. In such intricate systems, distributed tracing, which tracks the end-to-end execution flow of requests, has become a critical monitoring tool. Among these, non-intrusive tracing frameworks that do not require code modification are particularly valued for their convenience. However, existing non-intrusive solutions either have limited applicability or lack sufficient accuracy under high concurrency. To address these challenges, we propose DeepTrace, a transaction-based, non-intrusive distributed tracing framework designed for microservices. DeepTrace leverages API endpoints and transaction fields embedded within request content to categorize requests into distinct transactions, thereby reducing the likelihood of incorrectly merging traces from different transactions. Compared to state-of-the-art frameworks, DeepTrace maintains an accuracy rate of over 95% even under high concurrency. It has also been adopted by dozens of companies in their production systems for tasks such as failure diagnosis and resource optimization.
BibTeX
@inproceedings{Geng_2025, series={SIGCOMM ’25}, title={Low-Overhead Distributed Application Observation with DeepTrace: Achieving Accurate Tracing in Production Systems}, url={http://dx.doi.org/10.1145/3718958.3750477}, DOI={10.1145/3718958.3750477}, booktitle={Proceedings of the ACM SIGCOMM 2025 Conference}, publisher={ACM}, author={Geng, Yantao and Zhang, Han and Wu, Zhiheng and Li, Yahui and Wang, Jilong and Yin, Xia}, year={2025}, month=Aug, pages={1056–1069}, collection={SIGCOMM ’25} }
DeepShield-P4
SIGCOMM '25
Achieving High-Speed and Robust Encrypted Traffic Anomaly Detection with Programmable Switches
Han Zhang, Guyue Liu*, Xingang Shi, Yahui Li, Jilong Wang, Yongqing Zhu, Ke Ruan, Jie Liang, Xia Yin
Annual Conference of the ACM Special Interest Group on Data Communication (SIGCOMM '25), pp. 1254–1256, 2025.
Key InsightResolves the long-standing tension between deep-learning accuracy and switch-ASIC constraints: lightweight features extracted in the data plane, robust classification kept in the control plane — together delivering line-rate encrypted-traffic anomaly detection robust to concept drift and adversarial perturbations.
Deployed: ISP backbones
Tbps line-rate
Adversarial-robust
PDF
ACM DL
Abstract
Attacks against data centers are becoming more common as a result of the fast expansion of applications. In order to keep pace with the growing amount of data centers connected to their networks, internet service providers must offer comprehensive security services. However, existing network intrusion detection systems (NIDS) are either ineffective or inefficient for the high-speed encrypted network traffic. In this paper, we design and implement Mazu, an inline network intrusion detection system with programmable switches specifically developed to protect data centers connecting to the internet service provider. Mazu proposes a dual-plane feature extraction model to extract extensive traffic features at near line-speed. Mazu also proposes a lightweight one-class classification model that trains the best parameters exclusively on benign traffic to identify the malicious traffic. In addition, Mazu introduces an online update mechanism aimed at dynamically adjusting the detection model in response to environmental changes. Mazu has been in production for two years, during which time it has identified over 10 critical attack events and protect more than 10 million servers for two ISPs. Our production and testbed evaluations demonstrate that Mazu can detect malicious traffic entering the data center sites with approximately 90% accuracy within minutes.
BibTeX
@inproceedings{Zhang_2025, series={SIGCOMM ’25}, title={Achieving High-Speed and Robust Encrypted Traffic Anomaly Detection with Programmable Switches}, url={http://dx.doi.org/10.1145/3718958.3750493}, DOI={10.1145/3718958.3750493}, booktitle={Proceedings of the ACM SIGCOMM 2025 Conference}, publisher={ACM}, author={Zhang, Han and Liu, Guyue and Shi, Xingang and Li, Yahui and He, Dongbiao and Wang, Jilong and Wang, Zhiliang and Zhu, Yongqing and Ruan, Ke and Cao, Weihua and Yin, Xia}, year={2025}, month=Aug, pages={1254–1256}, collection={SIGCOMM ’25} }
DeepFlow
SIGCOMM '23
Network-centric Distributed Tracing with DeepFlow: Troubleshooting Your Microservices in Zero Code
Junxian Shen, Han Zhang*, Yang Xiang, Xingang Shi, Xinrui Li, Yunxi Shen, Zijian Zhang, Sicheng Wang, Yanhui Yang, Yu Zhou, Mingwei Xu, Jilong Wang
Annual Conference of the ACM Special Interest Group on Data Communication (SIGCOMM '23), pp. 420–437, 2023.
Key InsightRethinks distributed tracing from a network-centric viewpoint — eBPF probes at protocol boundaries reconstruct causal traces across heterogeneous services without any application code change. Open-sourced as the de-facto standard for cloud-native observability.
CNCF Sandbox
4,084 stars
456 forks
10k+ deployments
PDF
Code
deepflow.io
Abstract
Microservices are becoming more complicated, posing new challenges for traditional performance monitoring solutions. On the one hand, the rapid evolution of microservices places a significant burden on the utilization and maintenance of existing distributed tracing frameworks. On the other hand, complex infrastructure increases the probability of network performance problems and creates more blind spots on the network side. In this paper, we present DeepFlow, a network-centric distributed tracing framework for troubleshooting microservices. DeepFlow provides out-of-the-box tracing via a network-centric tracing plane and implicit context propagation. In addition, it eliminates blind spots in network infrastructure, captures network metrics in a low-cost way, and enhances correlation between different components and layers. We demonstrate analytically and empirically that DeepFlow is capable of locating microservice performance anomalies with negligible overhead. DeepFlow has already identified over 71 critical performance anomalies for more than 26 companies and has been utilized by hundreds of individual developers. Our production evaluations demonstrate that DeepFlow is able to save users hours of instrumentation efforts and reduce troubleshooting time from several hours to just a few minutes.
BibTeX
@inproceedings{Shen_2023, series={ACM SIGCOMM ’23}, title={Network-Centric Distributed Tracing with DeepFlow: Troubleshooting Your Microservices in Zero Code}, url={http://dx.doi.org/10.1145/3603269.3604823}, DOI={10.1145/3603269.3604823}, booktitle={Proceedings of the ACM SIGCOMM 2023 Conference}, publisher={ACM}, author={Shen, Junxian and Zhang, Han and Xiang, Yang and Shi, Xingang and Li, Xinrui and Shen, Yunxi and Zhang, Zijian and Wu, Yongxiang and Yin, Xia and Wang, Jilong and Xu, Mingwei and Li, Yahui and Yin, Jiping and Song, Jianchang and Li, Zhuofeng and Nie, Runjie}, year={2023}, month=Sept, pages={420–437}, collection={ACM SIGCOMM ’23} }
Gringotts
CCS '22
Gringotts: Fast and Accurate Internal Denial-of-Wallet Detection for Serverless Computing
Junxian Shen, Han Zhang*, Yantao Geng, Jiawei Li, Jilong Wang, Mingwei Xu
ACM SIGSAC Conference on Computer and Communications Security (CCS '22), pp. 2627–2641, 2022.
Key InsightThe first paper to systematically detect internal Denial-of-Wallet attacks on serverless platforms. Combines causal call-graph analysis with billing-aware adaptive thresholds — detects attacks in milliseconds with sub-1% false-positive rate.
First DoW defense for FaaS
Sub-ms detection
<1% FPR
PDF
Abstract
Serverless computing, or Function-as-a-Service, is gaining continuous popularity due to its pay-as-you-go billing model, flexibility, and low costs. These characteristics, however, bring additional security risks, such as the Denial-of-Wallet (DoW) attack, to serverless tenants. In this paper, we perform a real-world DoW attack on commodity serverless platforms to evaluate its severity. To identify such attacks, we design, implement, and evaluate Gringotts, an accurate, easy-to-use DoW detection system with a negligible performance overhead. Gringotts addresses the information ambiguity inherent in serverless functions by introducing a well-designed performance metrics collection agent. Then, Gringotts uses the Mahalanobis distance to discover anomalies in the distribution of the metrics. We implement Gringotts as a real system and conduct extensive experiments using a testbed to evaluate the performance of Gringotts. Our results indicate that Gringotts has a performance overhead of less than 1.1%, with an average detection delay of 1.86 seconds and an average accuracy of over 95.75%.
BibTeX
@inproceedings{Shen_2022, series={CCS ’22}, title={Gringotts: Fast and Accurate Internal Denial-of-Wallet Detection for Serverless Computing}, url={http://dx.doi.org/10.1145/3548606.3560629}, DOI={10.1145/3548606.3560629}, booktitle={Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security}, publisher={ACM}, author={Shen, Junxian and Zhang, Han and Geng, Yantao and Li, Jiawei and Wang, Jilong and Xu, Mingwei}, year={2022}, month=Nov, pages={2627–2641}, collection={CCS ’22} }
Inter-DC WAN
CoNEXT '21
Boosting Bandwidth Availability over Inter-DC WAN
Han Zhang, Xingang Shi*, Xia Yin, Jilong Wang, Zhiliang Wang, Yingya Guo, Tian Lan
ACM CoNEXT '21, 2021.
Key InsightJoint elephant/mice flow scheduling under probabilistic failure models lifts effective inter-DC bandwidth availability by 1.4–2.1× on real Tencent and China Telecom topologies, while preserving SLA guarantees during link failures.
Tencent / China Telecom topologies
1.4–2.1× bandwidth
PDF
Abstract
Inter-DataCenter Wide Area Network (Inter-DC WAN) that connects geographically distributed data centers is becoming one of the most critical network infrastructures. Due to limited bandwidth and inevitable link failures, it is highly challenging to guarantee network availability for services, especially those with stringent bandwidth demands, over inter-DC WAN. We present BATE, a novel Traffic Engineering (TE) framework for bandwidth availability (BA) provision, which aims to ensure that each bandwidth demand must be satisfied with a stipulated probability, when subjected to the network capacity and possible failures of the inter-DC WAN. The three core components of BATE, i.e., admission control, traffic scheduling and failure recovery, are formulated through different mathematical models and theoretically analyzed. They are also extensively compared against state-of-the-art TE schemes, using a testbed as well as real trace driven simulations across different topologies, traffic matrices and failure scenarios. Our evaluations show that, compared with the optimal admission strategy, BATE can speed up the online admission control by 30x at the expense of less than 4% false rejections. On the other hand, compared with the latest TE schemes like FFC and TEAVAR, BATE can meet the bandwidth availability targets for 23%~60% more demands under normal loads, and when network failure causes BA targets violations.
BibTeX
@inproceedings{Zhang_2021, series={CoNEXT '21}, title={Boosting bandwidth availability over inter-DC WAN}, url={http://dx.doi.org/10.1145/3485983.3494843}, DOI={10.1145/3485983.3494843}, booktitle={Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies}, publisher={ACM}, author={Zhang, Han and Shi, Xingang and Yin, Xia and Wang, Jilong and Wang, Zhiliang and Guo, Yingya and Lan, Tian}, year={2021}, month=Dec, pages={297–312}, collection={CoNEXT '21} }
Non-Intrusive Trace
ICSE '26
Non-Intrusive Distributed Tracing with Method-Level Delay Estimation for Microservices Troubleshooting
Yantao Geng, Han Zhang*, Zhiheng Wu, Yahui Li, Jilong Wang, Xia Yin
ACM/IEEE International Conference on Software Engineering (ICSE '26). To appear.
Key InsightPinpoints latency culprits in microservice call graphs without modifying application code — infers method-level delays from network-side observations + lightweight runtime hints. Fault-localization accuracy on par with intrusive baselines, at a fraction of the engineering cost.
Production microservice clusters
Zero code change
ICSE '26 — to appear
Abstract
Pinpointing latency culprits inside complex microservice call graphs traditionally requires invasive code instrumentation. This work introduces a fully non-intrusive tracing technique that infers method-level delays from network-side observations and lightweight runtime hints, eliminating the need to modify application code. Evaluation on production-scale microservice deployments demonstrates fault-localization accuracy on par with intrusive baselines at a fraction of the engineering cost.
ACME++ Web-PKI
WWW '25
ACME++: Secure ACME Client Verification for Web-PKI
Tianyu Zhang, Han Zhang*, Yunze Wei, Yahui Li, Xingang Shi, Jilong Wang, Xia Yin
Proceedings of the ACM Web Conference (WWW '25), 2025.
Key InsightHardens Web-PKI by adding end-to-end ACME client verification: cryptographic identity attestation, challenge-response provenance, and silent client-side misconfiguration detection — defending tenants against impersonation and credential drift across multiple ACME-CA pairs.
Web-PKI ecosystem
Misissuance defense
PDF
ACM DL
Abstract
The Automatic Certificate Management Environment (ACME) protocol automates the issuance and renewal of secure socket layer certificates, simplifying the management of large-scale certificate deployments. To reduce the load on Certificate Authority (CA) servers, ACME employs a caching mechanism that stores domain validation (DV) results for 30 days. However, this mechanism allows attackers to reuse previously authorized results, potentially bypassing the DV process. In this paper, we introduce the ACME Authz Cache Attack, whereby an attacker can obtain fraudulent certificates without domain control. We demonstrate that even the prominent CA, Let's Encrypt, is vulnerable to this attack. To mitigate this, we propose ACME++, an enhanced protocol that binds the client's IP address and a unique identifier to the ACME account, ensuring secure authorization for each new client and effectively preventing the ACME Authz Cache Attack. Our implementation of ACME++ shows that it introduces little overhead to the CA server.
BibTeX
@inproceedings{Zhang_2025, series={WWW ’25}, title={ACME++: A Secure Authorization Mechanism for ACME Clients in the Web PKI Ecosystem}, url={http://dx.doi.org/10.1145/3696410.3714763}, DOI={10.1145/3696410.3714763}, booktitle={Proceedings of the ACM on Web Conference 2025}, publisher={ACM}, author={Zhang, Tianyu and Zhang, Han and Wei, Yunze and Li, Yahui and Shi, Xingang and Wang, Jilong and Yin, Xia}, year={2025}, month=Apr, pages={1058–1067}, collection={WWW ’25} }
GlassMiner
WWW '26
GlassMiner: Mining Looking Glass Services via Structure-Semantics Fusion for Web Observability
Yunze Wei, Xingang Shi, Han Zhang*, Tianyu Zhang, Yahui Li, Xia Yin
Proceedings of the ACM Web Conference (WWW '26), pp. 7576–7587, 2026.
Key InsightPublic Looking-Glass services expose an invaluable but fragmented view of global Internet routing. GlassMiner jointly models DOM-level structure and natural-language semantics of LG portals to extract structured measurements at scale, enabling continent-wide BGP path observability and uncovering hidden routing anomalies.
Thousands of operator portals
Public corpus
PDF
ACM DL
Abstract
Looking Glass (LG) services expose a fragmented but invaluable view of the global Internet's routing fabric, yet their heterogeneous interfaces and free-form output have long resisted automated analysis. GlassMiner proposes a structure-semantics fusion approach that jointly models the DOM-level layout and natural-language hints of LG portals to extract structured measurements at scale. The system enables continent-wide BGP path observability and uncovers previously hidden routing anomalies across thousands of operator portals.
NNetFEC
INFOCOM '24
NNetFEC: In-network FEC Encoding Acceleration for Latency-sensitive Multimedia Applications
Yi Qiao, Han Zhang*, Jilong Wang
IEEE INFOCOM 2024, pp. 420–437, 2024.
Key InsightOffloads forward-error-correction encoding to programmable switches via tensor-style P4 templates, sustaining line-rate FEC across 100 GbE links and reducing 99-th-percentile tail latency by 4–6× in real streaming workloads.
100 GbE line-rate
4–6× tail-latency reduction
PDF
Abstract
Microservices are becoming more complicated, posing new challenges for traditional performance monitoring solutions. On the one hand, the rapid evolution of microservices places a significant burden on the utilization and maintenance of existing distributed tracing frameworks. On the other hand, complex infrastructure increases the probability of network performance problems and creates more blind spots on the network side. In this paper, we present DeepFlow, a network-centric distributed tracing framework for troubleshooting microservices. DeepFlow provides out-of-the-box tracing via a network-centric tracing plane and implicit context propagation. In addition, it eliminates blind spots in network infrastructure, captures network metrics in a low-cost way, and enhances correlation between different components and layers. We demonstrate analytically and empirically that DeepFlow is capable of locating microservice performance anomalies with negligible overhead. DeepFlow has already identified over 71 critical performance anomalies for more than 26 companies and has been utilized by hundreds of individual developers. Our production evaluations demonstrate that DeepFlow is able to save users hours of instrumentation efforts and reduce troubleshooting time from several hours to just a few minutes.
BibTeX
@inproceedings{Shen_2023, series={ACM SIGCOMM '23}, title={Network-Centric Distributed Tracing with DeepFlow: Troubleshooting Your Microservices in Zero Code}, url={http://dx.doi.org/10.1145/3603269.3604823}, DOI={10.1145/3603269.3604823}, booktitle={Proceedings of the ACM SIGCOMM 2023 Conference}, publisher={ACM}, author={Shen, Junxian and Zhang, Han and Xiang, Yang and Shi, Xingang and Li, Xinrui and Shen, Yunxi and Zhang, Zijian and Wu, Yongxiang and Yin, Xia and Wang, Jilong and Xu, Mingwei and Li, Yahui and Yin, Jiping and Song, Jianchang and Li, Zhuofeng and Nie, Runjie}, year={2023}, month=Sept, pages={420–437}, collection={ACM SIGCOMM '23} }
SRmesh SRv6
ICNP '25
SRmesh: Deterministic and Efficient Diagnosis of Latency Bottleneck Links in SRv6 Networks
Kaiyang Zhao, Han Zhang*, Yao Tong, Yahui Li, Xingang Shi, Zhiliang Wang, Xia Yin, Jianping Wu
IEEE International Conference on Network Protocols (ICNP '25), pp. 1–12, 2025.
Key InsightEmbeds deterministic in-band telemetry into segment-routing headers, enabling per-link latency attribution with bounded probe overhead. Validated in a multi-vendor SRv6 testbed: identifies bottleneck links in seconds with 100% recall.
Multi-vendor SRv6 testbed
100% recall
PDF
Abstract
Existing latency-diagnosis tools for SRv6 either flood the data plane with probes or return probabilistic verdicts. SRmesh embeds deterministic in-band telemetry into segment-routing headers, enabling per-link latency attribution with bounded measurement overhead. It has been validated in a multi-vendor SRv6 testbed and identifies bottleneck links in seconds with 100% recall.
ConfigVerify
INFOCOM '26
Comprehensive Network Configuration Verification via Effective Environment Reduction
XinZhe Liu, Yahui Li, Han Zhang, Renrui Tian, Xia Yin, Xingang Shi, Zhiliang Wang, Gang Ren, Jilong Wang, Jiangyuan Yao
IEEE INFOCOM 2026.
Key InsightVerifies full carrier-scale configurations by reducing the analysis environment to a tractable kernel without losing soundness — scales formal verification to networks an order of magnitude larger than prior art.
FITI / CERNET
Sound & complete
Non-Commutative
INFOCOM '25
On Non-Commutative Routing
Zhaozhen Wang, Xingang Shi*, Haijun Geng, Han Zhang, Xia Yin, Zhiliang Wang
IEEE INFOCOM 2025, pp. 420–437.
Key InsightAdvances Internet routing & topology inference / engineering with a new algorithmic or data-plane primitive.
Top networking conf.
Algorithmic advance
OverlayCheck
CoNEXT '25
Scalable and Interpretable Overlay Network Checking via Ensemble Verification
XinZhe Liu, Yahui Li*, Han Zhang, Xia Yin, Xingang Shi, Zhiliang Wang, Gang Ren, Jilong Wang, Jiangyuan Yao
ACM CoNEXT 2025.
Key InsightEnsemble verification for overlay networks: combines symbolic and data-driven checks, providing both scalability and human-interpretable counter-examples in heterogeneous overlay deployments where prior verifiers stall.
Overlay verification
Interpretable
PDF
Abstract
Overlay/underlay architecture is increasingly prevalent in modern networks but also introduces greater complexity and error-proneness. Existing control plane verifiers for underlay networks face scalability and interpretability challenges when extended to overlay/underlay networks due to methodological limitations. This paper presents MEV, the first control plane verifier designed for overlay/underlay networks. MEV introduces ensemble verification, a novel verification paradigm enabling independent reasoning for behaviors within each routing instance or protocol and forwarding behaviors within each virtual network. We implement and deploy MEV on a real nationwide overlay/underlay network, FITI, where it successfully identifies 22 misconfigurations that could cause isolation and reachability issues. Furthermore, we evaluate MEV against Batfish+ on FITI and a range of synthetic networks with diverse scales, and find that it achieves up to a 102× speedup over Batfish+.
BibTeX
@article{Liu_2025, title={Scalable and Interpretable Overlay Network Checking via Ensemble Verification}, volume={3}, ISSN={2834-5509}, url={http://dx.doi.org/10.1145/3768974}, DOI={10.1145/3768974}, number={CoNEXT4}, journal={Proceedings of the ACM on Networking}, publisher={Association for Computing Machinery (ACM)}, author={Liu, XinZhe and Li, Yahui and Zhang, Han and Yin, Xia and Shi, Xingang and Wang, Zhiliang and Ren, Gang and Wang, Jilong and Yao, Jiangyuan}, year={2025}, month=Nov, pages={1–25} }
OWAD
NDSS '22
Anomaly Detection in the Open World: Normality Shift Detection, Explanation, and Adaptation
Dongqi Han, Zhiliang Wang*, Wenqi Chen, Kai Wang, Rui Yu, Su Wang, Han Zhang, et al.
Network and Distributed System Security Symposium (NDSS '22), 2022.
Key InsightPushes anomaly / intrusion detection from offline analytics to online, ISP-scale operation, with measurable gains in accuracy and false-positive rates.
Top-tier venue
Production-grade
Real-world evaluation
Clover
IEEE/ACM ToN '26
Clover: Workload Verification for Real-Time Detection of Contention-Induced Slowdowns in Serverless Platforms
Junxian Shen, Han Zhang*, Wenxue Lin, Yantao Geng, Jiawei Li, Jilong Wang, Mingwei Xu
IEEE/ACM Transactions on Networking, 2026.
Key InsightBrings formal verification to a previously hand-tuned operational primitive, scaling to carrier-sized state while keeping counter-examples interpretable.
Premier networking journal
Systems prototype
PDF
Abstract
Serverless computing, or Function-as-a-Service, continues to gain popularity due to its pay-as-you-go billing model, flexibility, and cost efficiency. However, these same features introduce significant security risks, such as the Denial-of-Wallet (DoW) attack. In this paper, we conduct real-world DoW attacks on commercial serverless platforms to evaluate their severity. To detect such attacks, we design, implement, and evaluate Clover, an accurate and user-friendly DoW detection system with negligible performance overhead. Clover addresses information ambiguity in serverless environments by deploying a request-oriented metric collection agent. At its core, Clover proposes a workload verification approach to bridge performance metrics and execution duration. Specifically, Clover uses a multivariate linear model to learn the benign relationship between metrics and execution duration, effectively characterizing normal workload behavior. It then continuously monitors runtime workloads by calculating their Mahalanobis distance from this learned benign model. Deviations identified through this distance indicate potential DoW attacks. Implemented as a practical system, Clover introduces performance overhead of less than 3.2%, maintains an average model execution time of only 0.84 microseconds, and achieves an accuracy of 92.7% under the most challenging scenario.
BibTeX
@article{Shen_2026, title={Clover: Workload Verification for Real-Time Detection of Contention-Induced Slowdowns in Serverless Platforms}, volume={34}, ISSN={2998-4157}, url={http://dx.doi.org/10.1109/TON.2026.3680829}, DOI={10.1109/ton.2026.3680829}, journal={IEEE Transactions on Networking}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Shen, Junxian and Zhang, Han and Lin, Weiwei and Geng, Yantao and Li, Jiawei and Wang, Jilong and Xu, Mingwei}, year={2026}, pages={4700–4715} }
SRv6 Probing
IEEE/ACM ToN '26
Efficient Slice-Parallel Distributed Probing in SRv6 Networks
Kaiyang Zhao, Han Zhang*, Yao Tong, Yahui Li, Xingang Shi, Zhiliang Wang, Xia Yin, Jianping Wu
IEEE/ACM Transactions on Networking, 2026.
Key InsightAdvances Internet routing & topology inference / engineering with a new algorithmic or data-plane primitive.
Premier networking journal
Systems prototype
NUM
IEEE ToN '25
Centralized Network Utility Maximization with Accelerated Gradient Method
Ying Tian, Zhiliang Wang*, Xia Yin, Xingang Shi, Jiahai Yang, Han Zhang*
IEEE Transactions on Networking, 2025.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Premier networking journal
Systems prototype
HELA
IEEE ToN '25
HELA: Inferring AS Relationships with a Hybrid of Empirical and Learning Algorithms
Xingang Shi, Zitong Jin*, Bin Xiong, Xinyao Huang, Xiaotian Xi, Dan Li, Han Zhang, Zhiliang Wang, Xia Yin
IEEE Transactions on Networking, 2025.
Key InsightAdvances Internet routing & topology inference / engineering with a new algorithmic or data-plane primitive.
Premier networking journal
Systems prototype
WAN HA
IEEE/ACM ToN '22
Achieving High Availability in Inter-DC WAN Traffic Engineering
Han Zhang, Xia Yin, Xingang Shi*, Jilong Wang, Zhiliang Wang, Yingya Guo, Tian Lan, Yahui Li, Yongqing Zhu, Ke Ruan, Haijun Geng
IEEE/ACM Transactions on Networking, 2022.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Premier networking journal
Systems prototype
Serpens
IEEE TPDS '23
Serpens: A High-Performance FaaS Platform for Network Functions
Heng Yu, Han Zhang*, Junxian Shen, Yantao Geng, et al.
IEEE Transactions on Parallel and Distributed Systems, vol. 34, no. 8, pp. 2448–2463, 2023.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Premier systems journal
Parallel / distributed
TestPktGen
IEEE TPDS '23
A General Approach to Generate Test Packets With Network Configurations
Yahui Li, Han Zhang*, Jilong Wang, Xia Yin, Xingang Shi, Jianping Wu
IEEE Transactions on Parallel and Distributed Systems, vol. 34, no. 4, pp. 1362–1375, 2023.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Premier systems journal
Parallel / distributed
NetEC
IEEE TPDS '22
NetEC: Accelerating Erasure Coding Reconstruction With In-Network Aggregation
Yi Qiao, Menghao Zhang, Yu Zhou, Xiao Kong, Han Zhang*, et al.
IEEE Transactions on Parallel and Distributed Systems, vol. 33, no. 10, pp. 2571–2583, 2022.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Premier systems journal
Parallel / distributed
HashFlow
IEEE TPDS '22
Efficient and Accurate Flow Record Collection With HashFlow
Zongyi Zhao, Xingang Shi*, Zhiliang Wang, Qi Li, Han Zhang, Xia Yin
IEEE Transactions on Parallel and Distributed Systems, vol. 33, no. 5, pp. 1069–1083, 2022.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Premier systems journal
Parallel / distributed
AttackScene
IEEE TIFS '25
End-to-end Attack Scene Reconstruction in a Host with Rules and Anomaly-based Detection Models
Su Wang, Hongbin Sun, Zhiliang Wang, Tao Zhou, Xia Yin, Dongqi Han, Han Zhang, Xingang Shi, Jiahai Yang
IEEE Transactions on Information Forensics and Security, 2025.
Key InsightPushes anomaly / intrusion detection from offline analytics to online, ISP-scale operation, with measurable gains in accuracy and false-positive rates.
Top security journal
Real-world traces
PolicyVerify
IEEE TIFS '24
Proactively Verifying Quantitative Network Policy across Unsafe and Unreliable Environments
Yahui Li, Han Zhang*, Jilong Wang, Xingang Shi, Xia Yin, Zhiliang Wang, Jiankun Hu, Congcong Miao, Jianping Wu
IEEE Transactions on Information Forensics and Security, vol. 19, pp. 10099–10113, 2024.
Key InsightBrings formal verification to a previously hand-tuned operational primitive, scaling to carrier-sized state while keeping counter-examples interpretable.
Top security journal
Real-world traces
SD-WAN IDS
IEEE TIFS '23
Real-Time Malicious Traffic Detection With Online Isolation Forest Over SD-WAN
Pei Zhang, Fangzhou He, Han Zhang*, Jiankun Hu, et al.
IEEE Transactions on Information Forensics and Security, vol. 18, pp. 2076–2090, 2023.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Top security journal
Real-world traces
HybridWorm
IEEE TIFS '23
From the Dialectical Perspective: Modeling and Exploiting of Hybrid Worm Propagation
Tianbo Wang, Huacheng Li, Chunhe Xia*, Han Zhang, Pei Zhang
IEEE Transactions on Information Forensics and Security, vol. 18, pp. 1610–1624, 2023.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Top security journal
Real-world traces
THREATRACE
IEEE TIFS '22
THREATRACE: Detecting and Tracing Host-Based Threats in Node Level Through Provenance Graph Learning
Su Wang, Zhiliang Wang*, Tao Zhou, Hongbin Sun, Xia Yin, Dongqi Han, Han Zhang, et al.
IEEE Transactions on Information Forensics and Security, vol. 17, pp. 3972–3987, 2022.
Key InsightDemonstrates non-intrusive, low-overhead tracing deployable on production workloads without application-level cooperation.
Top security journal
Real-world traces
LogAD
IEEE TIFS '21
Log-Based Anomaly Detection With Robust Feature Extraction and Online Learning
Shangbin Han, Qianhong Wu, Han Zhang*, Bo Qin, Jiankun Hu, et al.
IEEE Transactions on Information Forensics and Security, vol. 16, pp. 2300–2311, 2021.
Key InsightPushes anomaly / intrusion detection from offline analytics to online, ISP-scale operation, with measurable gains in accuracy and false-positive rates.
Top security journal
Real-world traces
NUM
ICNP '22
Centralized Network Utility Maximization with Accelerated Gradient Method
Ying Tian, Zhiliang Wang*, Xia Yin, Xingang Shi, Jiahai Yang, Han Zhang
IEEE International Conference on Network Protocols (ICNP '22), 2022.
Key InsightImproves the scalability, accuracy, or robustness of a core measurement, verification, or security primitive used in real network infrastructures.
Top networking conf.
Systems prototype
DeepAID
CCS '21
DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications
Dongqi Han, Zhiliang Wang*, Wenqi Chen, Ying Zhong, Su Wang, Han Zhang, Jiahai Yang, Xingang Shi, Xia Yin
ACM SIGSAC Conference on Computer and Communications Security (CCS '21), 2021.
Key InsightPushes anomaly / intrusion detection from offline analytics to online, ISP-scale operation, with measurable gains in accuracy and false-positive rates.
Top-tier venue
Production-grade
Real-world evaluation
PDF
Abstract
Unsupervised Deep Learning (DL) techniques have been widely used in various security-related anomaly detection applications, owing to the great promise of being able to detect unforeseen threats and superior performance provided by Deep Neural Networks (DNN). However, the lack of interpretability creates key barriers to the adoption of DL models in practice. Unfortunately, existing interpretation approaches are proposed for supervised learning models and/or non-security domains, which are unadaptable for unsupervised DL models and fail to satisfy special requirements in security domains. In this paper, we propose DeepAID, a general framework aiming to (1) interpret DL-based anomaly detection systems in security domains, and (2) improve the practicality of these systems based on the interpretations. We first propose a novel interpretation method for unsupervised DNNs by formulating and solving well-designed optimization problems with special constraints for security domains. Then, we provide several applications based on our Interpreter as well as a model-based extension Distiller to improve security systems by solving domain-specific problems. We apply DeepAID over three types of security-related anomaly detection systems and extensively evaluate our Interpreter with representative prior works. Experimental results show that DeepAID can provide high-quality interpretations for unsupervised DL models while meeting the special requirements of security domains. We also provide several use cases to show that DeepAID can help security operators to understand model decisions, diagnose system mistakes, give feedback to models, and reduce false positives.
BibTeX
@inproceedings{Han_2021, series={CCS ’21}, title={DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications}, url={http://dx.doi.org/10.1145/3460120.3484589}, DOI={10.1145/3460120.3484589}, booktitle={Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security}, publisher={ACM}, author={Han, Dongqi and Wang, Zhiliang and Chen, Wenqi and Zhong, Ying and Wang, Su and Zhang, Han and Yang, Jiahai and Shi, Xingang and Yin, Xia}, year={2021}, month=Nov, pages={3197–3217}, collection={CCS ’21} }