Gateway courses play a key role in student success. These courses often control access to advanced coursework and can delay gradua- tion if students struggle to pass them. Identifying such courses is important for curriculum design and student support. However, ex- isting methods rely on heuristics or past grades and often overlook complex patterns in student enrollment data. In this paper, we propose a tensor decomposition-based method to identify gateway courses in a systematic way. We model student- course-semester interactions as a three-dimensional tensor. This captures relationships between students, courses, and time. Using PARAFAC tensor decomposition, we extract latent factors that represent course importance based on their structure in the data. Our analysis shows that this method highlights courses that are central, or distinctive in the curriculum. Courses with high latent factor magnitudes are likely to represent gateway courses or critical prerequisites. As future work, we plan to combine tensor decomposition with learning techniques. This could enable predictive models and pro- vide insights for curriculum design. Our goal is to develop a com- plete framework to analyze educational data, and support institu- tions in improving student outcomes.

    @inproceedings{diagne2025decomposing,
  title={Decomposing the Student Journey: A Tensor-Based Approach to Identifying Gateway Courses},
  author={Amssatou Diagne, Prateek Gupta, Aamir Ibrahim, Chris Wirgler, Wenying Wu, Maria Konte and David Joyner},
  booktitle={In Proceedings of the Twelfth ACM Conference on Learning @ Scale (L@S ’25)},
  year={2025}}
  }

Research opportunities offer students at the master's level a chance to apply their knowledge, create projects for their portfolio, and to gain an understanding of the research process in preparation for potential doctoral studies. The traditional structure of these opportunities, however, is not trivial to translate to online programs with asynchronous delivery. As online programs grow, it is important to examine ways that the traditional benefits of these opportunities can be extended to a broader range of students. In this poster, we discuss our experience building the infrastructure and running early efforts at reaching this goal. We discuss several dedicated courses and seminars developed to offer larger scale opportunities for students to pursue research. We also discuss efforts in active development to provide better infrastructure support to reduce the friction and complexity of pursuing research at scale.

    @inproceedings{eicher2025broadening,
  title={Broadening CS Research Opportunities for Online Graduate Students},
  author={Eicher, Bobbie L and Duncan, Alex S and Ciolfi, Dante and Konte, Maria and Lytle, Nicholas},
  booktitle={Proceedings of the 56th ACM Technical Symposium on Computer Science Education V. 2},
  pages={1445--1446},
  year={2025}}
}

The research focuses in academia are typically determined from the top down, with professors focusing on projects that align with their existing lab or can be readily supported by grants. This approach is pragmatic, but this focus may not align with the bottom-up interests of the available student body. As part of a broader effort to expand the available research opportunities in a graduate program in computer science, this work focuses on collecting data on what is motivating student interest in research and what specific fields students desire to study with the intention of using the results for decision-making about how to allocate resources to best match student interests. This work reports on the responses of 143 graduate students in computer science at a major research institution in the United States in a course-based program where access to research opportunities is not guaranteed. It examines both the fields of particular interest and the self-reported motivations leading these students to attempt to seek out research opportunities.

    @inproceedings{eicher2025examining,
  title={Examining Student Interest and Motivations in Graduate Computer Science Research},
  author={Eicher, Bobbie L and Duncan, Alex S and Ciolfi, Dante and Konte, Maria and Lytle, Nicholas},
  booktitle={Proceedings of the 56th ACM Technical Symposium on Computer Science Education V. 2},
  pages={1447--1448},
  year={2025}}
}

Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated.
In this paper, we measure in-the-wild DRDoS attacks as observed from a large Internet exchange point (IXP) and provide a number of security-relevant insights. To enable our measurements, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that provides both peering and upstream Internet connectivity services to more than 20 research and education (R&E) networks in the South-East United States. In a period of about 21 months, IXmon detected more than 900 DRDoS attacks towards 31 different victim ASes. An analysis of the real-world DRDoS attacks detected by our system shows that most DRDoS attacks are short lived, lasting only a few minutes, but that large-volume, long-lasting, and highly-distributed attacks against R&E networks are not uncommon. We then use the results of our analysis to discuss possible attack mitigation approaches that can be deployed at the IXP level, before the attack traffic overwhelms the victim's network bandwidth.

  @inproceedings{subramani2021detecting,
  title={Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs},
  author={Subramani, Karthika and Perdisci, Roberto and Konte, Maria},
  booktitle={International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},
  pages={42--67},
  year={2021},
  organization={DIMVA}
}

Bulletproof hosting Autonomous Systems (ASes)—maliciousASes fully dedicated to supporting cybercrime—provide free-dom and resources for a cyber-criminal to operate. Theirservices include hosting a wide range of illegal content, bot-net C&C servers, and other malicious resources. Thousandsof new ASes are registered every year, many of which areoften used exclusively to facilitate cybercrime. A natural ap-proach to squelching bulletproof hosting ASes is to develop areputation system that can identify them for takedown by lawenforcement and as input to other attack detection systems(e.g., spam filters, botnet detection systems). Unfortunately,current AS reputation systems rely primarily on data-planemonitoring of malicious activity from IP addresses (and thuscan only detect malicious ASes after attacks are underway),and are not able to distinguish betweenmaliciousandlegiti-mate but abusedASes.
As a complement to these systems, in this paper, we ex-plore a fundamentally different approach to establishing ASreputation. We presentASwatch, a system that identifies mali-cious ASes using exclusively thecontrol-plane(i.e., routing)behavior of ASes.ASwatch’s design is based on the intuitionthat, in an attempt to evade possible detection and remediationefforts, malicious ASes exhibit “agile” control plane behavior(e.g., short-lived routes, aggressive re-wiring). We evaluateour system on known malicious ASes; our results show thatASwatchdetects up to 93% of malicious ASes with a 5% falsepositive rate, which is reasonable to effectively complementexisting defense systems.

  @inproceedings{konte2015aswatch,
  title={Aswatch: An as reputation system to expose bulletproof hosting ases},
  author={Konte, Maria and Perdisci, Roberto and Feamster, Nick},
  booktitle={Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication},
  pages={625--638},
  year={2015}
}

This paper studies the AS-levelre-wiring dynamics(changes in theconnectivity) of malicious networks. Anecdotal evidence suggests that some ma-licious ASes that are primarily involved in nefarious activities on the Internet,were sequentially de-peered by providers before their final cut-off (as occurredin the well-publicized cases of Atrivo/Intercage). We present the first systematicstudy of the re-wiring dynamics of malicious ASes. We tracked the ASes thatwere listed by Hostexploit over the last two years and compared their AS-levelre-wiring dynamics with non-reported ASes. Using a publicly available dataset ofCustomer-Provider (CP) relations in the Internet’s AS graph, we studied how in-terconnection between autonomous systems evolves, both for ASes that provideconnectivity for attackers and ASes that were not reported as malicious. We findthat malicious networks are more aggressive both in forming links with providersand changing their upstream connectivity than other ASes. Our results indicatethat the re-wiring dynamics of the networks that host attacks are stable over time,despite the evolving nature of the attacks themselves, which suggests that existingdefense mechanisms could benefit from incorporating these features.

  @inproceedings{konte2012re,
  title={Re-wiring activity of malicious networks},
  author={Konte, Maria and Feamster, Nick},
  booktitle={International Conference on Passive and Active Network Measurement},
  pages={116--125},
  year={2012},
  organization={PAM}}
}

This paper studies the dynamics of scam hosting infrastructure, withan emphasis on the role of fast-flux service networks. By monitoring changes inDNS records of over 350 distinct spam-advertised domains collected from URLsin 115,000 spam emails received at a large spam sinkhole, we measure the ratesand locations of remapping DNS records, and the rates at which “fresh” IP ad-dresses are used. We find that, unlike the short-lived nature of the scams them-selves, the infrastructure that hosts these scams has relatively persistent featuresthat may ultimately assist detection.

  @inproceedings{konte2009dynamics,
  title={Dynamics of online scam hosting infrastructure},
  author={Konte, Maria and Feamster, Nick and Jung, Jaeyeon},
  booktitle={International conference on passive and active network measurement},
  pages={219--228},
  year={2009},
  organization={PAM}
}
}