Ulrich Bayer

is senior researcher at SBA Research.

  • Phone: +43 (1) 505 36 88
  • Fax: +43 (1) 505 88 88

Research Interest

His research interests include systems security with a special focus on secure coding practices. He frequently conducts security assessments and penetration tests of new systems.

Bio

Ulrich completed his Ph.D. at the beginning of 2010 under the guidance of Engin Kirda and Christopher Kruegel at the Vienna University of Technology. During this time Ulrich performed research in the field of malware analysis and created and led the development of Anubis, a tool for the automated dynamic analysis of malware. He spent 1.5 years as a visiting scientist at the research center Eurecom in France. Ulrich is a CISSP and CEH. He regularly gives courses and talks on secure application development and penetration testing. He is an accredited auditor for ÖNORM A 7700, the official standard for web application security in Austria.

Publications

  • Ulrich Bayer and Engin Kirda and Christopher Kruegel, "Improving the Efficiency of Dynamic Malware Analysis," in 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010.
    @INPROCEEDINGS{Bayer_ImprovingEfficiencyof_2010,
      Author = {Ulrich Bayer and Engin Kirda and Christopher Kruegel},
      title = {Improving the Efficiency of Dynamic Malware Analysis},
      booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
      year = {2010},
      month = {3},
      pdf = {Bayer_ImprovingEfficiencyof_2010.pdf},
      note = {Lausanne, Switzerland},
      }
  • Matthias Neugschwandtner and Christian Platzer and Paolo Milani Comparetti and Ulrich Bayer, "dAnubis (Dynamic Device Driver Analysis Based on Virtual Machine Introspection)," in Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2010.
    @INPROCEEDINGS{Neugschwandtner_dAnubis_Dynamic_Device_Driver__null,
      Author = {Matthias Neugschwandtner and Christian Platzer and Paolo Milani Comparetti and Ulrich Bayer},
      title = {dAnubis (Dynamic Device Driver Analysis Based on Virtual Machine Introspection)},
      booktitle = {Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment DIMVA},
      year = {2010},
      month = {7},
      abstract = {In the escalating arms race between malicious code and security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard to detect backdoors, provide stealth by hiding files, processes or other resources and in general tamper with operating system code and data in arbitrary ways. Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver's behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.},
      pdf = {dimva2010-dAnubis.pdf},
      }
  • Engin Kirda and Ulrich Bayer and Corrado Leita, "Exploiting diverse observation perspectives to get insights on the malware landscape," in 2010 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2010, pp. 393-402.
    @INPROCEEDINGS{leita2010exploiting,
      Author = {Engin Kirda and Ulrich Bayer and Corrado Leita},
      title = {Exploiting diverse observation perspectives to get insights on the malware landscape},
      booktitle = {2010 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)},
      year = {2010},
      month = {1},
      pdf = {dsn2010.pdf},
      pages = {393--402},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek, "Scalable, Behavior-Based Malware Clustering," in Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), 2009.
    @INPROCEEDINGS{Bayer_ScalableBehaviorBasedMalware_2009,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek},
      title = {Scalable, Behavior-Based Malware Clustering},
      booktitle = {Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)},
      year = {2009},
      month = {1},
      pdf = {Bayer_ScalableBehaviorBasedMalware_2009.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Ulrich Bayer and Davide Balzarotti and Imam Habibi, "A View on Current Malware Behaviors," in 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston, 2009.
    @INPROCEEDINGS{Bayer_InsightsIntoCurrent_2009,
      Author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer and Davide Balzarotti and Imam Habibi},
      title = {A View on Current Malware Behaviors},
      booktitle = {2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston},
      year = {2009},
      month = {4},
      pdf = {Bayer_InsightsIntoCurrent_2009.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Ulrich Bayer, "TTAnalyze: A Tool for Analyzing Malware," in Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference, 2006.
    @INPROCEEDINGS{Bayer_TTAnalyzeToolAnalyzing_2006,
      Author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer},
      title = {TTAnalyze: A Tool for Analyzing Malware},
      booktitle = {Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference},
      year = {2006},
      month = {4},
      note = {Best Paper Award},
      }
  • Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser, "Dynamic Analysis of Malicious Code," Journal in Computer Virology, 2006.
    @ARTICLE{Bayer_DynamicAnalysisof_2006,
      Author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser},
      title = {Dynamic Analysis of Malicious Code},
      journal = {Journal in Computer Virology},
      year = {2006},
      month = {1},
      abstract = {Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.},
      publisher = {Springer Computer Science},
      }
