Stefan Savage (born 1969) is an American computer science researcher, currently a Professor in the Systems and Networking Group at the University of California, San Diego. There, he holds the Irwin and Joan Jacobs Chair in Information and Computer Science. Savage is widely cited in computer security, particularly in the areas of email spam, network worms and malware propagation, distributed denial of service (DDOS) mitigation and traceback, automotive hacking and wireless security. He received his undergraduate degree at Carnegie Mellon and his Ph.D. from the University of Washington.
In 1999, Savage's research team published TCP Congestion Control with a Misbehaving Receiver, which uncovered protocol flaws in the TCP protocol that carries most Internet traffic. By exploiting these flaws, Savage proposed means for attackers to evade congestion control, allowing attackers to monopolize crowded network connections that would otherwise be shared by multiple users. This was the first paper to address congestion control evasion as a vulnerability, rather than as a theoretical design implication. That same year, Savage published "Sting", a paper and software tool that presented a mechanism to abuse quirks in the TCP protocol to allow a single party to infer bidirectional packet loss, a valuable contribution to traffic measurement.
In 2000, Savage's team published Practical Network Support for IP Traceback, which proposed a simple stochastic extension to internet routers that would enable them to trace floods of traffic back to their origin. IP traceback is a major open networking research question, with significant implications towards DDOS mitigation: if IP traffic can be traced, Internet Service Providers can track down and halt DDOS floods. Savage later co-founded Asta Networks, which offered a product that addressed these problems.
In 2001, Savage, with colleagues at UCSD and CAIDA, published Inferring Internet Denial-of-Service Activity, which introduced the idea of the network telescope and provided major empirical results regarding DDOS attacks. Follow-on work has provided insight into the spread of network worms, including Code Red II and SQL Slammer.
In 2003, John Bellardo and Savage published 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, which introduced practical attacks on 802.11 wireless protocol flaws that would allow attackers to force legitimate clients off wireless networks. The paper is also a notable example of applied reverse engineering in an academic setting; Bellardo and Savage reverse engineered the Intersil wireless chipset, finding an undocumented diagnostic mode that allowed them to directly inject malicious wireless packets onto a network.
In 2004, Savage and George Varghese led a research team that published Automated Worm Fingerprinting, which introduced a novel hashing technique that allowed network operators to monitor network traffic and uncover data patterns that were "propagating", spreading across the network at an unusual rate. Propagating traffic is a strong indicator for network worm outbreaks, a key unsolved problem in network security. Varghese later co-founded Netsift to capitalize on this research; Cisco purchased Netsift in 2005.
In 2005, Ishwar Ramani and Stefan Savage developed Syncscan algorithm that cuts the time needed to switch between Wi-Fi access points.
In 2010 he was named a Fellow of the Association for Computing Machinery.
In 2013, Savage received the ACM SIGOPS Mark Weiser Award.
In 2015, he received the ACM Prize in Computing for "innovative research in network security, privacy, and reliability that has taught us to view attacks and attackers as elements of an integrated technological, societal, and economic system."
In 2017, he was named a MacArthur Foundation Fellow (the "genius grant") for his body of work.