Johnny So

Johnny So

PhD Candidate

Stony Brook University


I am currently a third-year Ph.D. candidate advised by Professor Nick Nikiforakis at the PragSec Lab in Stony Brook University. I investigate (the lack of) web integrity in various contexts (e.g., domain names and JavaScript) through large-scale experiments, and subsequently design and evaluate defenses that improve the integrity of the web.

  • Web Security
  • Distributed Systems
  • Network Security
  • Algorithms
  • PhD in Computer Science, 2020 - Present

    Stony Brook University

  • BSc in Computer Science, 2020

    Stony Brook University

  • BSc in Applied Math and Statistics, 2020

    Stony Brook University


Research Assistant
Aug 2020 – Present Stony Brook, New York


  • Designing an application-agnostic link management system that prevents access to external dependencies of websites if such links violate customizable integrity policies
  • Demonstrated that strict integrity verification of scripts cannot protect the web and provided insight for future methods through a large-scale, data-driven analysis (Things Change)
  • Profiled the behavior of bots that monitor Certificate Transparency logs, analyzing how bots of various intentions and origins react to new certificates within seconds (Uninvited Guests)
  • Illustrated the capability of adversaries to potentially affect millions of IP addresses in tens of thousands of autonomous systems by re-registering a few hundred domains (Domains Change)
  • Proposed and evaluated deceptive web authentication mechanisms that remove the integrity of a web application from the attacker’s arsenal, and instead place the lack of it in the defender’s arsenal (Click This, Not That)
Software Engineering Intern
Jun 2023 – Aug 2023 Remote
Analyzing API traffic to reduce attack surface, detect malicious bot activity, and identify anomalous server-side behavior
PhD Research Intern
May 2022 – Aug 2022 Remote
Analyzing the integrity of Android applications through dynamic analysis (ongoing)
Software Development Engineer Intern
Jun 2019 – Aug 2019 Seattle, Washington
Created an intent recommendation service for third-party Alexa skills using short utterance text data
Software Engineer Intern
Jun 2018 – Dec 2018 Stony Brook, New York
Built the prototype of a new state health exchange platform and established a preprocessing library used to build machine learning models


WSE 380 Rotation: Honeypots and Intrusion Detection
WSE 380 Rotation: Honeypots and Intrusion Detection
CSE 331: Computer Security Fundamentals
CSE 214: Data Structures


Quickly discover relevant content by filtering publications.
(2023). The More Things Change, the More They Stay the Same: Integrity of Modern JavaScript. In Proceedings of the ACM Web Conference (WWW), 2023.

PDF Cite Teaser

(2022). Uninvited Guests: Analyzing the Identity and Behavior of Certificate Transparency Bots. In Proceedings of the USENIX Security Symposium (USENIX Security), 2022.

PDF Cite Talk

(2021). Domains Do Change Their Spots: Quantifying Potential Abuse of Residual Trust. In Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P), 2022.

PDF Cite Teaser Talk

(2021). Click This, Not That: Extending Web Authentication with Deception. In ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2021.

PDF Cite


Artifact Evaluation Committee Member


  • josso [at] cs [dot] stonybrook [dot] edu
  • Computer Science Building, Engineering Dr, Stony Brook, NY 11794