My cybersecurity journey started with my penetration testing work at Cyberwise, one of the largest cybersecurity firms in Istanbul, where I worked for about three years. In addition to gaining "white-hat hacking" skills (which eventually got me an OSCP certificate), I designed and taught "offensive web and network security" training as a service offered to customer companies.

This period ended with my coming to Boston for my PhD. My thesis work that earned me the cybersecurity PhD degree is about parsing differences between HTTP servers. The first work brought James Kettle's HTTP Desync attack research "into the lab" and not only found fundamental conditions for the success of the attack, but also provided a systematic search technique for the new vectors of this attack and eventually revealed previously hidden parts of the iceberg. The product of this work, T-Reqs, has been adopted by many software and security teams around the world. The second work discovered how parsing differences create enhanced fingerprinting capabilities for attackers. The third (ongoing) work found how parsing differences serve as a completely new (and very effective) way of bypassing WAFs.

The two most prominent software projects of mine are the T-Reqs and Frameshifter tools, both of which have been developed for searching for new attack vectors in the parsing layer of HTTP servers (as a part of the research projects). Faced with the challenges of automation of the experiment tasks and the automated analysis of the vast experiment data, I also mastered scripting with bash and awk.

At Facebook, I developed code with the Online Safety team to expand an investigation tool for terrorism to also enable the investigation of child abuse and human trafficking cases. And recently at Google, I extended my research in the lab and developed a set of tools for differential fuzzing of HTTP servers in Google Cloud.  

My ML knowledge comes primarily from two classes I took with Virgil Pavlu and Predrag Radivojac at Northeastern and the book titled "Natural Language Processing in Action". These sources gave me an opportunity to get hands-on experience with various ML techniques such as classification, clustering and topic modeling.

I used these ML techniques in various "online safety" research projects. In the FADE paper, I developed a fully-automated detection pipeline for fake news articles where each article is searched in a search engine and the reputation of the relevant search results are fed into an ML model for the classification. In the FAME paper, I built an ML model for the detection of fabricated or misattributed quote memes and used image-specific techniques such as OCR and facial recognition to extract features. Finally, in another project, I used a topic modeling technique on Snopes fact-check reports to understand manual fact-checking techniques and how online fake news is created.

I have taken the leadership role in several teams in various settings usually with the size of 4-6 people for projects that took several months with one of them still going on. For example, in the Frameshifter project, I decided to build a team to get the paper ready by the deadline. I invited my labmates and built a team of four students. Following the principles I learned from the book titled "HBR Guide to Leading Teams", I split the project into four parts and assigned them to the team members based on their strengths. In addition to doing my own part, I helped them overcome difficulties in theirs. In a period as short as two months, we finished the project and had our paper accepted at USENIX Security in the first attempt.

At the beginning of my PhD career, my advisor advised me to read the book titled "Writing Science", and it prepared me for the rest of the papers I was going to write during my academic career. All of my papers have received positive comments on writing such as "very pleasant to read", "well-written", "fun to read", "really enjoyed reading this paper" from reviewers.

I have also spent a lot of time working on my verbal communication skills as I presented many papers and gave many talks during my academic career. I usually receive positive comments from the people in the audience after the talk about the delivery and the talk itself. For example, after seeing me giving a talk, Sergey Bratus recently invited me to give an invited talk to a bigger audience at the "LangSec" workshop at IEEE Security and Privacy Symposium.