Christopher Kruegel

  • Phone: +43 (1) 505 36 88
  • Fax: +43 (1) 505 88 88

Bio
Christopher Kruegel is an Assistant Professor and holder of the Eugene Aas Chair in Computer Science in the Computer Science Department at the University of California, Santa Barbara and closely cooperates with Secure Business Austria (Pathfinder project, PhD seminars, etc.).

Before that, he was working as a research post-doc for the Reliable Software Group at the University of California, Santa Barbara. He received his Ph.D. with honors in computer science from the Technical University Vienna while working as a research assistant for the Distributed Systems Group.

Christopher Kruegel has coauthored more than 50 peer-reviewed publications related to applied computer security and regularly serves on program committees of international security conferences. In 2005, he was the conference chair of the Conference on the Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA). In 2006, he will be the program chair of the Symposium on Recent Advances in Intrusion Detection (RAID). His research interests include most aspects of computer security, with an emphasis on network security, intrusion detection and vulnerability analysis.

Publications

  • Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel, "CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms," in 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010. BibTeX
    @INPROCEEDINGS{Egele_CAPTCHASmugglingHijacking_2010,
      Author = {Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel},
      title = {CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms},
      booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
      year = {2010},
      month = {3},
      }
  • Ulrich Bayer and Engin Kirda and Christopher Kruegel, "Improving the Efficiency of Dynamic Malware Analysis," in 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010. BibTeX | PDF
    @INPROCEEDINGS{Bayer_ImprovingEfficiencyof_2010,
      Author = {Ulrich Bayer and Engin Kirda and Christopher Kruegel},
      title = {Improving the Efficiency of Dynamic Malware Analysis},
      booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
      year = {2010},
      month = {3},
      pdf = {Bayer_ImprovingEfficiencyof_2010.pdf},
      note = {Lausanne, Switzerland},
      }
  • Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda, "Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries," in IEEE Security and Privacy 2010, 2010. BibTeX
    @INPROCEEDINGS{Kolbitsch_AutomatedExtraction_2010,
      Author = {Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda},
      sbahotlist = {true},
      title = {Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries},
      booktitle = {IEEE Security and Privacy 2010},
      year = {2010},
      month = {1},
      }
  • William Robertson and Federico Maggi and Christopher Kruegel and Giovanni Vigna, "Effective Anomaly Detection with Scarce Training Data," in Network and Distributed System Security Symposium (NDSS 2010), 2010. BibTeX
    @INPROCEEDINGS{Robertson_Effective_Anomaly_Detection_wi_2010,
      Author = {William Robertson and Federico Maggi and Christopher Kruegel and Giovanni Vigna},
      sbahotlist = {true},
      title = {Effective Anomaly Detection with Scarce Training Data},
      booktitle = {Network and Distributed System Security Symposium (NDSS 2010)},
      year = {2010},
      month = {2},
      }
  • Paolo Milani Comparetti and Guido Salvaneschi and Engin Kirda and Clemens Kolbitsch and Christopher Kruegel and Stefano Zanero, "Identifying Dormant Functionality in Malware Programs," in IEEE Security and Privacy 2010, 2010. BibTeX
    @INPROCEEDINGS{Milani_IdentifyingDormantFunctionalityMalware_2010,
      Author = {Paolo Milani Comparetti and Guido Salvaneschi and Engin Kirda and Clemens Kolbitsch and Christopher Kruegel and Stefano Zanero},
      title = {Identifying Dormant Functionality in Malware Programs},
      booktitle = {IEEE Security and Privacy 2010},
      year = {2010},
      month = {1},
      }
  • Gianluca Stringhini and Christopher Kruegel and Giovanni Vigna, "Detecting Spammers On Social Networks," in 26th Annual Computer Security Applications Conference (ACSAC), 2010. BibTeX
    @INPROCEEDINGS{Stringhini_Detecting_Spammers_On_Social_N_2010,
      Author = {Gianluca Stringhini and Christopher Kruegel and Giovanni Vigna},
      sbahotlist = {true},
      title = {Detecting Spammers On Social Networks},
      booktitle = {26th Annual Computer Security Applications Conference (ACSAC)},
      year = {2010},
      month = {12},
      }
  • Viktoria Felmetsger and Ludovico Cavedon and Christopher Kruegel and Giovanni Vigna, "Toward Automated Detection of Logic Vulnerabilities in Web Applications," in 19th Usenix Security Symposium, 2010. BibTeX
    @INPROCEEDINGS{Felmetsger_Toward_Automated_Detection_of__2010,
      Author = {Viktoria Felmetsger and Ludovico Cavedon and Christopher Kruegel and Giovanni Vigna},
      sbahotlist = {true},
      title = {Toward Automated Detection of Logic Vulnerabilities in Web Applications},
      booktitle = {19th Usenix Security Symposium},
      year = {2010},
      month = {8},
      }
  • Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna, "Efficient Detection of Split Personalities in Malware," in 17th Annual Network and Distributed System Security Symposium (NDSS 2010), 2010. BibTeX
    @INPROCEEDINGS{Balzarotti_Efficient_Detection_of_Split_P_2010,
      Author = {Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna},
      sbahotlist = {true},
      title = {Efficient Detection of Split Personalities in Malware},
      booktitle = {17th Annual Network and Distributed System Security Symposium (NDSS 2010)},
      year = {2010},
      month = {2},
      }
  • Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda, "AccessMiner: Using System-Centric Models for Malware Protection," in 17th ACM Conference on Computer and Communications Security (CCS), 2010. BibTeX
    @INPROCEEDINGS{Lanzi_AccessMiner_Using_System_Centr_2010,
      Author = {Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda},
      sbahotlist = {true},
      title = {AccessMiner: Using System-Centric Models for Malware Protection},
      booktitle = {17th ACM Conference on Computer and Communications Security (CCS)},
      year = {2010},
      month = {10},
      }
  • Marco Cova and Christopher Kruegel and Giovanni Vigna, "Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code," in International World Wide Web Conference (WWW), 2010. BibTeX
    @INPROCEEDINGS{Cova_Detection_and_Analysis_of_Driv_2010,
      Author = {Marco Cova and Christopher Kruegel and Giovanni Vigna},
      sbahotlist = {true},
      title = {Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code},
      booktitle = {International World Wide Web Conference (WWW)},
      year = {2010},
      month = {4},
      }
  • Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel, "Is the Internet for Porn? An Insight into the Online Adult Industry," in Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010), 2010. BibTeX | PDF
    @INPROCEEDINGS{Wondracek_InternetPorn2010,
      Author = {Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel},
      title = {Is the Internet for Porn? An Insight into the Online Adult Industry},
      booktitle = {Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010)},
      year = {2010},
      month = {6},
      pdf = {weis2010_wondracek.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek, "Scalable, Behavior-Based Malware Clustering," in Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), 2009. BibTeX | PDF
    @INPROCEEDINGS{Bayer_ScalableBehaviorBasedMalware_2009,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek},
      sbahotlist = {true},
      title = {Scalable, Behavior-Based Malware Clustering},
      booktitle = {Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)},
      year = {2009},
      month = {1},
      pdf = {Bayer_ScalableBehaviorBasedMalware_2009.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang, "Effective and Efficient Malware Detection at the End Host," in USENIX Security 09, 2009. BibTeX | PDF
    @INPROCEEDINGS{Kolbitsch_EffectiveandEfficient_2009,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang},
      sbahotlist = {true},
      title = {Effective and Efficient Malware Detection at the End Host},
      booktitle = {USENIX Security 09},
      year = {2009},
      month = {8},
      pdf = {Kolbitsch_EffectiveandEfficient_2009.pdf},
      note = {Canada, August 2009},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele, "Removing Web Spam Links from Search Engine Results," in 31st International Conference on Software Engineering (ICSE), 2009. BibTeX | PDF
    @INPROCEEDINGS{Egele_RemovingWebSpam_2009,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
      sbahotlist = {true},
      title = {Removing Web Spam Links from Search Engine Results},
      booktitle = {31st International Conference on Software Engineering (ICSE)},
      year = {2009},
      month = {5},
      pdf = {Egele_RemovingWebSpam_2009.pdf},
      publisher = {IEEE Computer Society},
      note = {Vancouver, Canada},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almeroth and Brett Stone-Gross, "FIRE: FInding Rogue nEtworks," in 25th Annual Computer Security Applications Conference (ACSAC), 2009. BibTeX | PDF
    @INPROCEEDINGS{StoneGross_FIREFIndingRogue_2009,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almeroth and Brett Stone-Gross},
      sbahotlist = {true},
      title = {FIRE: FInding Rogue nEtworks},
      booktitle = {25th Annual Computer Security Applications Conference (ACSAC)},
      year = {2009},
      month = {12},
      pdf = {StoneGross_FIREFIndingRogue_2009.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel, "Automatically Generating Models for Botnet Detection," in 14th European Symposium on Research in Computer Security (ESORICS 2009), 2009. BibTeX | PDF
    @INPROCEEDINGS{Wurzinger_AutomaticallyGeneratingModels_2009,
      Author = {Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel},
      sbahotlist = {true},
      title = {Automatically Generating Models for Botnet Detection},
      booktitle = {14th European Symposium on Research in Computer Security (ESORICS 2009)},
      year = {2009},
      month = {9},
      pdf = {Wurzinger_AutomaticallyGeneratingModels_2009.pdf},
      note = {14th European Symposium on Research in Computer Security (ESORICS 2009), Saint Malo, Brittany, France},
      }
  • Christopher Kruegel and Engin Kirda and Ulrich Bayer and Davide Balzarotti and Imam Habibi, "Insights Into Current Malware Behavior," in 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston, 2009. BibTeX | PDF
    @INPROCEEDINGS{Bayer_InsightsIntoCurrent_2009,
      Author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer and Davide Balzarotti and Imam Habibi},
      title = {Insights Into Current Malware Behavior},
      booktitle = {2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston},
      year = {2009},
      month = {4},
      pdf = {Bayer_InsightsIntoCurrent_2009.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger, "SWAP: Mitigating XSS Attacks using a Reverse Proxy," in The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE, 2009. BibTeX | PDF
    @INPROCEEDINGS{Wurzinger_SWAPMitigatingXSS_2009,
      Author = {Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger},
      sbahotlist = {true},
      title = {SWAP: Mitigating XSS Attacks using a Reverse Proxy},
      booktitle = {The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE},
      year = {2009},
      month = {5},
      pdf = {Wurzinger_SWAPMitigatingXSS_2009.pdf},
      publisher = {IEEE Computer Society},
      }
  • Christopher Kruegel and Engin Kirda and Guenther Starnberger, "A botnet protocol based on Kademlia," in International Conference on Security and Privacy in Communication Networks (SecureComm), 2008. BibTeX | PDF
    @INPROCEEDINGS{Starnberger_botnetprotocolbased_2008,
      Author = {Christopher Kruegel and Engin Kirda and Guenther Starnberger},
      sbahotlist = {true},
      title = {A botnet protocol based on Kademlia},
      booktitle = {International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2008},
      month = {9},
      pdf = {Starnberger_botnetprotocolbased_2008.pdf},
      note = {Istanbul, Turkey},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek, "Automatic Network Protocol Analysis," in 15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008, 2008. BibTeX | PDF
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2008,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek},
      sbahotlist = {true},
      title = {Automatic Network Protocol Analysis},
      booktitle = {15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008},
      year = {2008},
      month = {1},
      pdf = {Wondracek_AutomaticNetworkProtocol_2008.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Guenther Starnberger, "Overbot – A botnet protocol based on Kademlia," in 4th International Conference on Security and Privacy in Communication Networks (SecureComm), 2008. BibTeX | PDF
    @INPROCEEDINGS{Starnberger_Overbotbotnet_2008,
      Author = {Christopher Kruegel and Engin Kirda and Guenther Starnberger},
      sbahotlist = {true},
      title = {Overbot - A botnet protocol based on Kademlia},
      booktitle = {4th International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2008},
      month = {9},
      pdf = {Starnberger_Overbotbotnet_2008.pdf},
      publisher = {Istanbul, Turkey},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song, "Dynamic Spyware Analysis," in Proceedings of the USENIX Annual Technical Conference, 2007. BibTeX
    @INPROCEEDINGS{Egele_DynamicSpywareAnalysis_2007,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
      sbahotlist = {true},
      title = {Dynamic Spyware Analysis},
      booktitle = {Proceedings of the USENIX Annual Technical Conference},
      year = {2007},
      month = {6},
      }
  • Christopher Kruegel and Davide Balzarotti and William Robertson and Giovanni Vigna, "Improving Signature Testing Through Dynamic Data Flow Analysis," in Proceedings of the 23rd Annual Computer Security Applications Conference ACSAC 2007, 2007. BibTeX
    @INPROCEEDINGS{Balzarotti_ImprovingSignatureTesting_2007,
      Author = {Christopher Kruegel and Davide Balzarotti and William Robertson and Giovanni Vigna},
      sbahotlist = {true},
      title = {Improving Signature Testing Through Dynamic Data Flow Analysis},
      booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ACSAC 2007},
      year = {2007},
      month = {12},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser, "Exploring Multiple Execution Paths for Malware Analysis," in Proceedings of the IEEE Symposium on Security and Privacy 2007, 2007. BibTeX
    @INPROCEEDINGS{Moser_ExploringMultipleExecution_2007,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
      sbahotlist = {true},
      title = {Exploring Multiple Execution Paths for Malware Analysis},
      booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2007},
      year = {2007},
      month = {5},
      abstract = {Malicious code or malware is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked. The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Martin Szydlowski, "Secure Input for Web Applications," in Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007, 2007. BibTeX
    @INPROCEEDINGS{Szydlowski_SecureInputWeb_2007,
      Author = {Christopher Kruegel and Engin Kirda and Martin Szydlowski},
      sbahotlist = {true},
      title = {Secure {I}nput for {W}eb {A}pplications},
      booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
      year = {2007},
      month = {12},
      }
  • Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt, "Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis," in Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007), 2007. BibTeX
    @INPROCEEDINGS{Vogt_CrossSiteScripting_2007,
      Author = {Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt},
      sbahotlist = {true},
      title = {Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis},
      booktitle = {Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007)},
      year = {2007},
      month = {2},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek, "Automatic Network Protocol Analysis," in Proceedings of the Network and Distributed System Security Symposium Conference (NDSS), San Diego 2007, 2007. BibTeX
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2007,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek},
      sbahotlist = {true},
      title = {Automatic {N}etwork {P}rotocol {A}nalysis},
      booktitle = {Proceedings of the {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium {C}onference ({NDSS}), {S}an {D}iego 2007},
      year = {2007},
      month = {1},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song, "Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis," in Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007. BibTeX
    @INPROCEEDINGS{Yin_PanoramaCapturingSystemwide_2007,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
      sbahotlist = {true},
      title = {Panorama: {C}apturing {S}ystem-wide {I}nformation {F}low for {M}alware {D}etection and {A}nalysis},
      booktitle = {Proceedings of the 14th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity},
      year = {2007},
      month = {11},
      }
  • Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi, "A Layout-Similarity-Based Approach for Detecting Phishing Pages," in Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2007. BibTeX
    @INPROCEEDINGS{Rosiello_LayoutSimilarityBasedApproachDetecting_2007,
      Author = {Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi},
      sbahotlist = {true},
      title = {A Layout-Similarity-Based Approach for Detecting Phishing Pages},
      booktitle = {Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2007},
      month = {1},
      }
  • Christopher Kruegel and Engin Kirda and Thomas Raffetseder, "Building Anti-Phishing Browser Plug-Ins: An Experience Report," in Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE), 2007. BibTeX
    @INPROCEEDINGS{Raffetseder_BuildingAntiPhishingBrowser_2007,
      Author = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
      sbahotlist = {true},
      title = {Building Anti-Phishing Browser Plug-Ins: An Experience Report},
      booktitle = {Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE)},
      year = {2007},
      month = {5},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser, "Limits of Static Analysis for Malware Detection," in Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007, 2007. BibTeX | PDF
    @INPROCEEDINGS{Moser_LimitsofStatic_2007,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
      sbahotlist = {true},
      title = {Limits of {S}tatic {A}nalysis for {M}alware {D}etection},
      booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
      year = {2007},
      month = {12},
      pdf = {Moser_LimitsofStatic_2007.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)," in Proceedings of the IEEE Symposium on Security and Privacy 2006, 2006. BibTeX
    @INPROCEEDINGS{Jovanovic_PixyStaticAnalysis_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
      sbahotlist = {true},
      title = {Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)},
      booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2006},
      year = {2006},
      month = {5},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals, "SecuBat: A Web Vulnerability Scanner," in Proceedings of The 15th International World Wide Web Conference (WWW 2006), 2006. BibTeX
    @INPROCEEDINGS{Kals_SecuBatWebVulnerability_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals},
      sbahotlist = {true},
      title = {SecuBat: A Web Vulnerability Scanner},
      booktitle = {Proceedings of The 15th International World Wide Web Conference (WWW 2006)},
      year = {2006},
      month = {5},
      abstract = {As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.},
      }
  • Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks, "Behavior-Based Spyware Detection," in Proceedings of USENIX Security 06, 2006. BibTeX
    @INPROCEEDINGS{Kirda_BehaviorBasedSpywareDetection_2006,
      Author = {Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks},
      sbahotlist = {true},
      title = {Behavior-Based Spyware Detection},
      booktitle = {Proceedings of USENIX Security 06},
      year = {2006},
      month = {8},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic, "Preventing Cross Site Request Forgery Attacks," in Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006. BibTeX
    @INPROCEEDINGS{Jovanovic_PreventingCrossSite_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
      sbahotlist = {true},
      title = {Preventing Cross Site Request Forgery Attacks},
      booktitle = {Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2006},
      month = {8},
      abstract = {The web has become an indispensable part of our lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting web applications and web-based information systems. Previous work in the field of web application security has mainly focused on the mitigation of Cross Site Scripting (XSS) and SQL injection attacks. In contrast, Cross Site Request Forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by web application developers. As a result, there exist many web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source web applications, without negatively affecting their behavior.},
      }
