My public contributions


My public contributions
On this page, you can view my published papers as well as some of my major projects. Alternatively, you can just visit my google scholar profile and check out my Gitlab or Github code repositories.


Why You Should Start with the Offense:
How to Best Teach Cybersecurity’s Core Concepts

Michael Kranch, in The 23rd Colloquium for Information Systems Security Education (CISSE 23), Las Vegas, NV, USA, Jun 2019.

This paper uses a comprehensive approach to demonstrate why offensive (hacking) techniques are the best method for teaching cybersecurity’s core competencies, even when the purpose of the program is to build defensive cybersecurity professionals. I analyze the concepts taught by both offensive and defensive techniques and evaluate these through several established curricular frameworks. These results demonstrate that both techniques teach the same core cybersecurity competencies. I then discuss the importance of the security mindset and lifelong learning in building successful cybersecurity practitioners, particularly due to the rapid evolution of the field, and analyze the psychological impacts of both teaching techniques. Ultimately, this analysis shows that offensive techniques, which teach the same core concepts as defensive techniques, are the best for developing the security mindset and lifelong learners - crucial outcomes from any effective cybersecurity education program.

  author = { Kranch, Michael},
  title = {Why You Should Start with the Offense: How to Best Teach Cybersecurity’s Core Concepts},
  booktitle = {23rd Colloquium for Information Systems Security Education (CISSE 23)},
  series = {CISSE '23},
  month= {June},
  year = {2019},
  location = {Las Vegas, NV, USA},
  keywords = {Cybersecurity Education, Offensive Techniques, Gamification, Lifelong Learning, CTFs, CDXs, Core Concepts},

Crafting a Foundation for Computing Majors

David Harvie, Tanya Estes, and Michael Kranch, in ACM’s Special Interest Group on Information Technology Education (SIGITE’18), Fort Lauderdale, FL, USA, Oct 2018.

This paper describes and evaluates a sophomore level survey course in the computing disciplines of computer science and information technology. This course is novel among ABET accredited computer science and information technology programs in the breadth of topics covered and that it serves as a common foundation to both computing disciplines. In addition, students are introduced to advanced computing topics that they may later choose to pursue further in upper-level electives. This paper discusses the motivation of a course for both programs and concludes with the results, challenges, and opportunities for future iterations. This single computing survey course helps students to ensure they selected the correct major early in their academic career. Additionally, it introduces advanced computing topics that students may choose later to pursue in electives.

  author = {Harvie, David and Estes, Tanya and Kranch, Michael},
  title = {Crafting a Foundation for Computing Majors},
  booktitle = {Proceedings of the 19th Annual SIG Conference on Information Technology Education},
  series = {SIGITE '18},
  month= {October},
  year = {2018},
  url = {},
  location = {Fort Lauderdale, Florida, USA},
  isbn = {978-1-4503-5954-2},
  pages = {13–17},
  numpages = {5},
  publisher = {ACM},
  address = {New York, NY, USA},
  keywords = {foundational course, survey course},

Identifying HTTPS-Protected Netflix Videos in Real-Time

Andrew Reed and Michael Kranch, in ACM’s Conference on Data and Application Security and Privacy (CODAPSY’17), Scottsdale, Arizona, USA. Mar 2017.

After more than a year of research and development, Netflix recently upgraded their infrastructure to provide HTTPS encryption of video streams in order to protect the privacy of their viewers. Despite this upgrade, we demonstrate that it is possible to accurately identify Netflix videos from passive traffic capture in real-time with very limited hardware requirements. Specifically, we developed a system that can report the Netflix video being delivered by a TCP connection using only the information provided by TCP/IP headers.

To support our analysis, we created a fingerprint database comprised of 42,027 Netflix videos. Given this collection of fingerprints, we show that our system can differentiate between videos with greater than 99.99% accuracy. Moreover, when tested against 200 random 20-minute video streams, our system identified 99.5% of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream.

  author = {Reed, Andrew and Kranch, Michael},
  title = {Identifying HTTPS-Protected Netflix Videos in Real-Time},
  booktitle = {Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy},
  series = {CODASPY '17},
  year = {2017},
  month = {March},
  location = {Scottsdale, Arizona, USA},
  url = {},
  isbn = {978-1-4503-4523-1},
  pages = {361–368},
  numpages = {8},
  publisher = {ACM},
  address = {New York, NY, USA},
  keywords = {Netflix, dynamic adaptive streaming over HTTP, privacy, traffic analysis},

Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning

Michael Kranch and Joseph Bonneau, in The Network and Distributed System Security Symposium (NDSS’15), San Diego, California, USA, Feb 2015.

We have conducted the first in-depth empirical study of two important new web security features: strict transport security (HSTS) and public-key pinning. Both have been added to the web platform to harden HTTPS, the prevailing standard for secure web browsing. While HSTS is further along, both features still have very limited deployment at a few large websites and a long tail of small, security-conscious sites. We find evidence that many developers do not completely understand these features, with a substantial portion using them in invalid or illogical ways. The majority of sites we observed trying to set an HSTS header did so with basic errors that significantly undermine the security this feature is meant to provide. We also identify several subtle but important new pitfalls in deploying these features in practice. For example, the majority of pinned domains undermined the security benefits by loading non-pinned resources with the ability to hijack the page. A substantial portion of HSTS domains and nearly all pinned domains leaked cookie values, including login cookies, due to the poorly-understood interaction between HTTP cookies and the same-origin policy. Our findings highlight that the web platform, as well as modern web sites, are large and complicated enough to make even conceptually simple security upgrades challenging to deploy in practice.

   author = {Kranch, Michael and Bonneau, Joseph},
   title = {Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning},
   booktitle = {The 2015 Network and Distributed System Security Symposium},
   series = {NDSS '15},
   month = {February},
   year = {2015},
   location = {San Diego, CA, USA},
   url = {},
   keywords = {HTTPS, HSTS, HPKP},

Undetectable Monitoring in a Virtualized Environment - A Continuation of the HAL Keystroke Logger

Michael Kranch and Roy Ragsdale, in the 42st Hawaii International Conference on Systems Science (HICSS’09), Waikoloa, Hawaii, USA, Jan 2009.

Virtualization is ever an expanding research field and, as many predict, the way of the future for large scale business and server solutions. Originally designed as a method of centralizing physical resources and maintenance, recent research has developed methods of also utilizing virtualization for centralizing machine monitoring. Recently, there have been substantial advances in centralized monitoring in a virtualized environment[1]. Specifically, researchers at the Georgia Tech have developed XenAccess, a system for monitoring memory in a paravirtualized environment [2]. This paper highlights the differences between two popular virtualization methods, paravirtualization and full-system virtualization. A comparison between techniques used by XenAccess to those implemented in our undetectable Hardware Abstraction Layer (HAL) Keystroke Logger is then presented before expanding the original HAL template and finally discussing in detail methods to monitor disk access and memory management.

  author = {Kranch, Michael and Ragsdale, Roy},
  title = {Undetectable Monitoring in a Fully-Virtualized Environment - A Continuation of the HAL Keystroke Logger},
  booktitle = {2009 42nd Hawaii International Conference on System Sciences},
  series = {HICSS '09},
  month = {January},
  year = {2009},
  location = {Big Island, HI, USA},
  url = {},
  issn = {1530-1605},
  keywords = {system monitoring, Xen, paravirtualization, Hardware Abstraction Layer},


  • The Resource Collection and Analysis System behind “Upgrading HTTPS in Mid-Air”
    • Description: This is the collection and analysis system for the paper which tests the top 1 million websites for HSTS and HKPK security issues. The system includes the collection of static web content, the collection of dynamic web content via a custom Firefox Extension, and the analysis of both these resources to identify flaws.
    • Languages: Python2, JavaScript, TeX
  • Custom Static Site Generator featuring an Auto-updating Scoreboard for CS485
    • Description: This is a custom static site generator I developed to update my Ethical Hacking course website that included several auto-updating scoreboards without using dynamic code due to university server restrictions.
    • Languages & Frameworks: Hugo, JavaScript, Python3, CSS, HTML
  • Kingdoms Board Game
    • Description: This is an object-oriented (model-view-controller UI) implementation of the Kingdoms Board Game with computer-played strategies created for West Point’s CS403 (Object-oriented Concepts).
    • Languages: Java
  • Facebook Capture-the-Flag Platform (FBCTF) Feature Updates
    • Description: I fixed several issues and implemented a new multiple-choice feature in the Facebook CTF platform.
    • Languages: Hack, JavaScript
  • Intro CTF Platform
    • Description: I used this code to host an introductory CTF competition as part of a cybersecurity (hacking) club I created for my peers while attending the Army’s Command and General Staff College.
    • Languages & Frameworks: Django, JavaScript, Python3, CSS, HTML
  • RunCode Cybersecurity Programming Challenge Platform
    • Description: RunCode is a programming platform that focuses on cybersecurity challenges like scraping websites, parsing network captures, interacting with sockets, and image encoding. I have solved over 100 challenges and am in the top 10 of over 1700 users. NOTE: You will need to solve the challenge first before you can see my code.
    • Languages & Frameworks: Python, Bash, C

(Last modified on Thu, Jun 20, 2019)