Alumni Profiles Series: Chong Xu

 December 2, 2020

Chong Xu, Ph.D.

Chong Xu is a prominent technologist and leader in the area of network security. He received his Ph.D. in Computer Science from Duke University in 2000. Currently, he is the head of security research at the McAfee network security business unit. He leads McAfee vulnerability research, intrusion prevention, and cloud security.


Tell us about yourself. Why did you pursue a Ph.D. at Duke?

I am originally from Beijing, China. Towards the end of my undergrad, I decided to go for a master’s because I thought my knowledge was lacking in my particular areas of interest. I had done a senior thesis, but I felt like it wasn’t up to the mark. So I went to the Institute of Software, Chinese Academy of Sciences for my master’s. After finishing my master’s, I worked in industry for a year, but I didn’t feel satisfied. I had developed an interest in computer networking and I wanted to be part of the advancement of the internet. I decided to get a Ph.D. so that I could pursue research in networking. I applied to some of the research universities in the U.S. Duke was one of the institutions that awarded me a fellowship. Given Duke’s reputation, both in Computer Science and in general, I decided to go to Duke.

How did your Ph.D. go?

My research situation at Duke was a little complicated. I wanted to do computer networking, but at the time, there was no faculty member in the Computer Science department working in networking. So I had difficulty choosing my advisor. Ultimately, I connected with Professor Gershon Kedem and he became my advisor. Dr. Kedem had diverse interests. His Ph.D. was in scientific computing, and later he worked on computer architecture. He wanted to work in collaborative computing—cloud computing in today’s terms.  Collaborative computing at that time was as close as I could get to networking, where my true interest lay.

Fortunately, during my second year, I interned at Microelectronic Center of North Carolina (MCNC). There, I worked on a Defense Advanced Research Projects Agency (DARPA)-funded project related to network security. Because of this project, my Ph.D. pivoted towards network security. For the rest of my Ph.D., I was funded through MCNC. It was tough for me because the funding situation was complicated, and also because my research focus was different from my advisor’s. I struggled to find people at Duke who could provide technical guidance in my work. It is hard for a student to drive productive research in such a situation.

At the time, this experience was frustrating. But afterwards, since I had successfully handled such a difficult scenario, I felt like I could do anything, and solve any problem of my choosing. So it was very beneficial to me in the long run, and when I look back, it was extremely rewarding. My tough experience made me mentally stronger, and prepared me for whatever life would throw at me in the future.

What is the most valuable piece of guidance that you received at Duke?

In 1999, the dot-com bubble was raging, and a lot of IT companies were riding the wave. If you were part of such a company, and the company went public, you instantly became a millionaire. At that time, I got an offer from Cosine Communications, which was one of the hottest companies then. They said they were going public within a month’s time, so I was very tempted. I talked to Dr. Kedem about it. He suggested that I think about it carefully. If I finished my Ph.D., it would be with me for life. As for this opportunity, I might think it’s very lucrative right now, but opportunities will always come. I thought about it and I decided to finish my Ph.D. It took me six months to finish, and I joined Cosine afterwards. Fortunately, Cosine’s IPO was delayed, so I joined a week before the IPO. It was a successful IPO. The company’s worth instantly became 7 billion dollars. But the market crashed soon after and the company started struggling. Looking back, Dr. Kedem’s advice was really valuable to me. Because of his advice, I completed my Ph.D. instead of chasing an opportunity that didn’t work out well in the end.

So you did become a millionaire right out of grad school? That’s incredible!

On paper, yes. But I also lost all that money very soon afterwards [when the market crashed].

Did you consider a career in academia? How did you decide to go to industry?

I thought about it seriously. But I’m in the computer networks and security business. At the time I was finishing my Ph.D., Silicon Valley was blowing up. It was the holy land where we could join a company and lead the world in technology. It was a dream for everyone in the tech business back then. I decided to go for an industry position where I could help people by solving real problems through products.

Especially in computer science, there is a gap between industry and academia in research. Even at that time, the industry had started working on Gigabit ethernet switches and technology that was not really accessible to academia. Nowadays, if we talk about malware, academics have limited access to samples, but in industry we have a lot of different ways of collecting samples. Many large companies even share those samples. Industry has access to data, equipment, and infrastructure that is far ahead of what academia can obtain. That’s one of the reasons I decided to go into industry.

You have been at McAfee for 17 years now—that’s a long time. What has your experience been like?

I started at Cosine working on a firewall product. We had the first firewall on the market that implemented the virtualization concept. The IntruShield arm through which I joined McAfee was working on an Intrusion Prevention System, IPS. Intrusion prevention is a whole different beast from a firewall. There is deeper packet inspection, detecting different kinds of network behavior, exploits, threats, malware and its evolution. I have gradually moved up to lead different teams. Dealing with so many aspects of the attacks and countermeasures is challenging because we see new attacks daily and we have to think ahead. That makes our job interesting, and that’s the main reason I stayed this long.

The teams I have led over time support the research and security content development for different McAfee products, including network IPS, host IPS, McAfee Application Control, the enterprise firewall, next generation firewall, web gateway, and the unified cloud edge solution. We have to understand how the exploit and attack work, as well as the techniques used by the attackers to compromise the victims, such that we provide detection guidance and solutions. Then these detection and prevention solutions are implemented in different McAfee products, from detection signatures to advanced signatureless engines. Those satisfy my desire of solving real world problems through products.

My team used to be under McAfee Labs. About five years ago, we moved back to the network security business unit. We currently support mainly network IPS, but I also help with web gateway and DLP, which are now part of the unified cloud edge solution. Although I have to spend time on management duties, I still try my best to look into the threats and techniques so that I am still ahead of the game in this tug-of-war between the attackers and the defense. For example, I discuss new ideas with my team members and they continue to research and see whether we can end up with a successful PoC before we can integrate such innovations into products and release them. As a byproduct of work, some results of such advanced research are presented at conferences. We have, on average, about two such talks per year. I think we have done a good job in innovation and in sharing our work with the security community.

What parts of Ph.D. training matter most to your success in industry?

For an industry job, your publication record is not that important. Even for Ph.D.s, it means that you have a better starting point. But then after that, it’s all about performance.

The breadth of your knowledge is important. Whatever your area is, you should have a broad understanding and visibility into the relevant issues and how they are evolving. After that, depth is important. Combined together, those two will give you vision. After you’ve become senior in the industry, your vision is what will carry you. Say you’ve been around for twenty years, and there’s someone who’s fresh. The fresh person may have a better grip on a modern programming language, or understand certain new technology detail better than you do. But you should have the ability to foresee the future, and you should be able to see where the technology should go. Knowing where to go, and how to get there is the thing you bring to the table as a senior person.

What is your favorite part of your job?

It is two things. One is to innovate and to be able to solve real-world problems; that is one of the reasons I joined industry in the first place. I am always excited about going beyond the proof of concept and building an actual product. That product must be useful and solve pain points in order for us to sell and survive. That is my favorite part about my job.

Another thing is that I want to help people excel. I want to help my team members be more successful. If any of my team members is more successful than I am, then I did a good job.

What are you most proud of?

During my Ph.D., I did a lot of work on reverse analysis of security protocols used for authentication and key exchange in the secure communications. The objective was to try to find design flaws in the protocols. A lot of the exploits we see in industry are not targeting design flaws, but they’re targeting flaws in implementation. I found that work really interesting because design flaws are hard to find. At McAfee, we built engines for generic detection algorithms for malicious PDF, SQL injection, malicious Flash. I would say the engines we built were quite ahead of our competition. I don’t think our competitions have those engines even now. I really enjoyed working on such innovations at McAfee.

Some of the techniques being used by attackers such as heap spray and return-oriented programming are very good tricks. A lot of attack mechanisms were not actually designed for malicious purposes, but it is interesting to see attackers adapt them for their own attacks. This defend and attack is always like a cat-and-mouse game. The attacker may be ahead of you, so you have to start early to keep up with the attackers. We have to look ahead to really protect our customers before a threat or a technique becomes prevalent. That’s something I really like about this work.

Can you tell me about your future plans?

I think I’m at a place now where I can do a certain degree of research, and there’s a lot of management responsibility. The balance is right for me. I want to stay highly involved in technology, especially attack scenarios and techniques. I want to be the one who sees what’s going on and be the one who leads the future of this industry.

Nowadays, it is getting more and more difficult for smaller companies to compete because the breadth of a bigger company and the solutions they can provide together as a portfolio are hard to match for a smaller company. But that doesn’t mean there won’t be innovation. I have incorporated some of my ideas into the McAfee products, but sometimes it’s hard to incorporate new things into a big company. So I’m open to a startup as well.

What advice can you offer to graduate students on dealing with setbacks?

Industry has this saying, “Fail, but fail fast.” This means that it’s okay to fail, but you have to get up fast and find the right direction, reorient yourself. If you analyze them, and learn from your failures, you can never be defeated. Failure is fine, but you can’t just give up. Students like yourself who have gotten into Duke have already proven that you have the ability and knowledge. It is now a question of the right mentality.

You have to love what you do. Then, whatever the challenge or difficulty is, you can face it. Whether it is publishing a paper, or finishing your Ph.D. If you are passionate about it, you will find the courage to keep going. Otherwise, you’ll burn out very fast.

Things get easier if you have a mentor, in grad school and in industry. Your mentor can help you accelerate your growth. So, in school, work closely with your advisor, turn them into a good resource for yourself, and things can get easier for you.

What’s one of your favorite memories from your time at Duke?

I really enjoyed the whole five years. During the first two years, when we had to take classes and satisfy qualifier requirements, it was very busy. We worked very late into the night, and then we had to call the Duke van to drop us to our apartments. That is a very vivid memory, actually. I still remember that for the algorithms class, the problems were very difficult, and we stayed up very late working on the problem sets. We used to ping each other at 3 a.m. to see if our classmates were still up and working.

Duke basketball was the biggest part of it, though. With some of my friends, I camped out in the second year to get the graduate student season tickets. I didn’t get them, but I later got a game ticket for Duke vs. UNC. Elton Brand and company were playing for Duke at that time, and Duke was the top-ranked team in the country. During the game, it was so loud that I couldn’t hear the person next to me. They totally destroyed UNC. That game is still like yesterday in my memory.


Waqar Aqeel
Waqar Aqeel

Ph.D. candidate, Computer Science

Waqar Aqeel is a Ph.D. candidate in the Department of Computer Science at Duke University. Before coming to Duke, Waqar received his B.S. from National University of Science and Technology, Pakistan and worked as a software engineer. His research focuses on Internet performance, privacy, and security.