Christopher Kruegel

Christopher Kruegel is a key researcher at SBA Research and Professor at the University of California, Santa Barbara.

  • Phone: +43 (1) 505 36 88
  • Fax: +43 (1) 505 88 88

Research Interest

His research interests include most aspects of computer security, with an emphasis on network security, intrusion detection and vulnerability analysis.

Bio

Christopher is a Professor and holder of the Eugene Aas Chair in Computer Science in the Computer Science Department at the University of California, Santa Barbara and closely cooperates with SBA Research (Pathfinder project, Ph.D. seminars, etc.).

Before that, he was working as a research post-doc for the Reliable Software Group at the University of California, Santa Barbara. He received his Ph.D. with honors in computer science from the Technical University Vienna while working as a research assistant for the Distributed Systems Group.

Christopher has coauthored more than 50 peer-reviewed publications related to applied computer security and regularly serves on program committees of international security conferences. In 2005, he was the conference chair of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA). In 2006, he will be the program chair of the Symposium on Recent Advances in Intrusion Detection (RAID).

For more information please see https://www.cs.ucsb.edu/people/faculty/kruegel

Top Publications:

  • Leveraging User Interactions for In-Depth Testing of Web Applications (2008)
    • Christopher Kruegel and Engin Kirda and Sean McAllister
    • RAID '08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
    @ARTICLE{1433021,
       author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
       title = {Leveraging User Interactions for In-Depth Testing of Web Applications},
       journal = {RAID '08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection},
       year = {2008},
       month = {1},
       pages = {191--210},
       publisher = {Springer-Verlag},
    }
  • Leveraging User Interactions for In-Depth Testing of Web Applications (2008)
    • Christopher Kruegel and Engin Kirda and Sean McAllister
    • Symposium on Recent Advances in Intrusion Detection
    @INPROCEEDINGS{Allister_SymposiumRecentAdvances_2008,
       author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
       title = {Leveraging User Interactions for In-Depth Testing of Web Applications},
       booktitle = {Symposium on Recent Advances in Intrusion Detection},
       year = {2008},
       month = {1},
    }
  • Abusing Social Networks for Automated User Profiling (2010)
    • Marco Balduzzi and Christian Platzer and Thorsten Holz and Engin Kirda and Davide Balzarotti and Christopher Kruegel
    • International Symposium on Recent Advances in Intrusion Detection (RAID 2010)
    @INPROCEEDINGS{Balduzzi_Abusing_Social_Networks_for_Au_2010,
       author = {Marco Balduzzi and Christian Platzer and Thorsten Holz and Engin Kirda and Davide Balzarotti and Christopher Kruegel},
       title = {Abusing Social Networks for Automated User Profiling},
       booktitle = {International Symposium on Recent Advances in Intrusion Detection (RAID 2010)},
       year = {2010},
       month = {9},
    }
  • A Solution for the Automated Detection of Clickjacking Attacks (2010)
    • Marco Balduzzi and Manuel Egele and Engin Kirda and Davide Balzarotti and Christopher Kruegel
    • ASIACCS
    @INPROCEEDINGS{Balduzzi_A_Solution_for_the_Automated_D_2010,
       author = {Marco Balduzzi and Manuel Egele and Engin Kirda and Davide Balzarotti and Christopher Kruegel},
       title = {A Solution for the Automated Detection of Clickjacking Attacks},
       booktitle = {ASIACCS},
       year = {2010},
       month = {4},
    }
  • Efficient Detection of Split Personalities in Malware (2010)
    • Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna
    • 17th Annual Network and Distributed System Security Symposium (NDSS 2010)
    @INPROCEEDINGS{Balzarotti_Efficient_Detection_of_Split_P_2010,
       author = {Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna},
       authorhotlist = {true},
       title = {Efficient Detection of Split Personalities in Malware},
       booktitle = {17th Annual Network and Distributed System Security Symposium (NDSS 2010)},
       year = {2010},
       month = {2},
    }
  • Improving Signature Testing Through Dynamic Data Flow Analysis (2007)
    • Christopher Kruegel and Davide Balzarotti and William K Robertson and Giovanni Vigna
    • Proceedings of the 23rd Annual Computer Security Applications Conference ACSAC 2007
    @INPROCEEDINGS{Balzarotti_ImprovingSignatureTesting_2007,
       author = {Christopher Kruegel and Davide Balzarotti and William K Robertson and Giovanni Vigna},
       authorhotlist = {true},
       title = {Improving Signature Testing Through Dynamic Data Flow Analysis},
       booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ACSAC 2007},
       year = {2007},
       month = {12},
    }
  • Dynamic Analysis of Malicious Code (2006)
    • Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser
    • Journal in Computer Virology
    @ARTICLE{Bayer_DynamicAnalysisof_2006,
       author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser},
       title = {Dynamic Analysis of Malicious Code},
       journal = {Journal in Computer Virology},
       year = {2006},
       month = {1},
       abstract = {Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.},
       publisher = {Springer Computer Science},
    }
  • Improving the Efficiency of Dynamic Malware Analysis (2010)
    • Ulrich Bayer and Engin Kirda and Christopher Kruegel
    • 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications
    @INPROCEEDINGS{Bayer_ImprovingEfficiencyof_2010,
       author = {Ulrich Bayer and Engin Kirda and Christopher Kruegel},
       authorhotlist = {true},
       title = {Improving the Efficiency of Dynamic Malware Analysis},
       booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
       year = {2010},
       month = {3},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Bayer_ImprovingEfficiencyof_2010.pdf},
       note = {Lausanne, Switzerland},
    }
  • A View on Current Malware Behaviors (2009)
    • Ulrich Bayer and Imam Habibi and Davide Balzarotti and Engin Kirda and Christopher Kruegel
    • 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston
    @INPROCEEDINGS{Bayer_InsightsIntoCurrent_2009,
       author = {Ulrich Bayer and Imam Habibi and Davide Balzarotti and Engin Kirda and Christopher Kruegel},
       title = {A View on Current Malware Behaviors},
       booktitle = {2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston},
       year = {2009},
       month = {4},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Bayer_InsightsIntoCurrent_2009.pdf},
    }
  • Scalable, Behavior-Based Malware Clustering (2009)
    • Ulrich Bayer and Paolo Milani Comparetti and Clemens Hlauschek and Christopher Kruegel and Engin Kirda
    • Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)
    @INPROCEEDINGS{Bayer_ScalableBehaviorBasedMalware_2009,
       author = {Ulrich Bayer and Paolo Milani Comparetti and Clemens Hlauschek and Christopher Kruegel and Engin Kirda},
       authorhotlist = {true},
       title = {Scalable, Behavior-Based Malware Clustering},
       booktitle = {Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)},
       year = {2009},
       month = {1},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Bayer_ScalableBehaviorBasedMalware_2009.pdf},
    }
  • TTAnalyze: A Tool for Analyzing Malware (2006)
    • Christopher Kruegel and Engin Kirda and Ulrich Bayer
    • Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference
    @INPROCEEDINGS{Bayer_TTAnalyzeToolAnalyzing_2006,
       author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer},
       title = {TTAnalyze: A Tool for Analyzing Malware},
       booktitle = {Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference},
       year = {2006},
       month = {4},
       note = {Best Paper Award},
    }
  • What the App is That? Deception and Countermeasures in the Android User Interface (2015)
    • Antonio Bianchi and Jacopo Corbetta and Luca Invernizzi and Yanick Fratantonio and Christopher Kruegel and Giovanni Vigna
    • IEEE Symposium on Security and Privacy
    @INPROCEEDINGS{Bianchi2015What,
       author = {Antonio Bianchi and Jacopo Corbetta and Luca Invernizzi and Yanick Fratantonio and Christopher Kruegel and Giovanni Vigna},
       title = {What the App is That? Deception and Countermeasures in the Android User Interface},
       booktitle = {IEEE Symposium on Security and Privacy},
       year = {2015},
       month = {5},
       pdf = {https://www.cs.ucsb.edu/~chris/research/doc/oakland15_uideception.pdf},
    }
  • EXPOSURE: A Passive DNS Analysis Service to Detect and Report Malicious Domains (2014)
    • Leyla Bilge and Sevil Sen and Davide Balzarotti and Engin Kirda and Christopher Kruegel
    • ACM Transactions on Information and System Security
    @ARTICLE{Bilge2014EXPOSURE,
       author = {Leyla Bilge and Sevil Sen and Davide Balzarotti and Engin Kirda and Christopher Kruegel},
       title = {EXPOSURE: A Passive DNS Analysis Service to Detect and Report Malicious Domains},
       journal = {ACM Transactions on Information and System Security},
       year = {2014},
       month = {4},
       pdf = {http://seclab.ccs.neu.edu/static/publications/tissec14_exposure.pdf},
    }
  • Meerkat: Detecting Website Defacements through Image-based Object Recognition (2015)
    • Kevin Borgolte and Christopher Kruegel and Giovanni Vigna
    • 24th Usenix Security Symposium
    @INPROCEEDINGS{Borgolte2015Meerkat,
       author = {Kevin Borgolte and Christopher Kruegel and Giovanni Vigna},
       title = {Meerkat: Detecting Website Defacements through Image-based Object Recognition},
       booktitle = {24th Usenix Security Symposium},
       year = {2015},
       month = {8},
       pdf = {https://seclab.cs.ucsb.edu/media/uploads/papers/sec2015-meerkat.pdf},
    }
  • Protecting Web-based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel (2014)
    • Yinzhi Cao and Yan Shoshitaishvili and Kevin Borgolte and Christopher Kruegel and Giovanni Vigna and Yan Chen
    • 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
    @INPROCEEDINGS{Cao2014Protecting,
       author = {Yinzhi Cao and Yan Shoshitaishvili and Kevin Borgolte and Christopher Kruegel and Giovanni Vigna and Yan Chen},
       title = {Protecting Web-based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel},
       booktitle = {17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)},
       year = {2014},
       month = {9},
       pdf = {http://link.springer.com/chapter/10.1007/978-3-319-11379-1_14},
    }
  • Mining Specifications of Malicious Behavior (2007)
    • Christopher Kruegel and Mihai Christodorescu and Somesh Jha
    • Proceedings of the European Software Engineering Conference and the ACM Symposium on the Foundations of Software Engineering (ESEC FSE).
    @INPROCEEDINGS{Christodorescu_MiningSpecificationsof_2007,
       author = {Christopher Kruegel and Mihai Christodorescu and Somesh Jha},
       title = {Mining Specifications of Malicious Behavior},
       booktitle = {Proceedings of the European Software Engineering Conference and the ACM Symposium on the Foundations of Software Engineering (ESEC FSE).},
       year = {2007},
       month = {9},
    }
  • Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection (2014)
    • Jacopo Corbetta and Luca Invernizzi and Christopher Kruegel and Giovanni Vigna
    • 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
    @INPROCEEDINGS{Corbetta201417th,
       author = {Jacopo Corbetta and Luca Invernizzi and Christopher Kruegel and Giovanni Vigna},
       title = {Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection},
       booktitle = {17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)},
       year = {2014},
       month = {9},
       pdf = {https://www.cs.ucsb.edu/~vigna/publications/2014_RAID_EagleEye.pdf},
    }
  • Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection (2014)
    • Jacopo Corbetta and Luca Invernizzi and Christopher Kruegel and Giovanni Vigna
    • 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
    @INPROCEEDINGS{Corbetta2014Eyes,
       author = {Jacopo Corbetta and Luca Invernizzi and Christopher Kruegel and Giovanni Vigna},
       title = {Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection},
       booktitle = {17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)},
       year = {2014},
       month = {9},
       pdf = {https://www.cs.ucsb.edu/~vigna/publications/2014_RAID_EagleEye.pdf},
    }
  • Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications (2008)
    • Christopher Kruegel and Engin Kirda and Davide Balzarotti and Giovanni Vigna and Marco Cova and Nenad Jovanovic and Viktoria Felmetsger
    • Security and Privacy
    @INPROCEEDINGS{Cova_ComposingStaticand_2008,
       author = {Christopher Kruegel and Engin Kirda and Davide Balzarotti and Giovanni Vigna and Marco Cova and Nenad Jovanovic and Viktoria Felmetsger},
       title = {Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications},
       booktitle = {Security and Privacy},
       year = {2008},
       month = {5},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Cova_ComposingStaticand_.pdf},
       pages = {15},
       publisher = {IEEE Security and Privacy},
    }
  • Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code (2010)
    • Marco Cova and Christopher Kruegel and Giovanni Vigna
    • International World Wide Web Conference (WWW)
    @INPROCEEDINGS{Cova_Detection_and_Analysis_of_Driv_2010,
       author = {Marco Cova and Christopher Kruegel and Giovanni Vigna},
       authorhotlist = {true},
       title = {Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code},
       booktitle = {International World Wide Web Conference (WWW)},
       year = {2010},
       month = {4},
    }
  • PExy: The other side of Exploit Kits (2014)
    • Giancarlo De Maio and Alexandros Kapravelos and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna
    • Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)
    @INPROCEEDINGS{DeMaio2014PExy,
       author = {Giancarlo {De Maio} and Alexandros Kapravelos and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna},
       title = {PExy: The other side of Exploit Kits},
       booktitle = {Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)},
       year = {2014},
       month = {7},
       pdf = {http://cs.ucsb.edu/~kapravel/publications/dimva14_pexy.pdf},
    }
  • CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms (2010)
    • Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel
    • 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications
    @INPROCEEDINGS{Egele_CAPTCHASmugglingHijacking_2010,
       author = {Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel},
       authorhotlist = {true},
       title = {CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms},
       booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
       year = {2010},
       month = {3},
    }
  • Dynamic Spyware Analysis (2007)
    • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song
    • Proceedings of the USENIX Annual Technical Conference
    @INPROCEEDINGS{Egele_DynamicSpywareAnalysis_2007,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
       authorhotlist = {true},
       title = {Dynamic Spyware Analysis},
       booktitle = {Proceedings of the USENIX Annual Technical Conference},
       year = {2007},
       month = {6},
    }
  • Mitigating Drive-by Download Attacks: Challenges and Open Problems (2009)
    • Christopher Kruegel and Engin Kirda and Manuel Egele
    • Open Research Problems in Network Security Workshop
    @INPROCEEDINGS{Egele_MitigatingDrivebyDownload_2009,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
       title = {Mitigating Drive-by Download Attacks: Challenges and Open Problems},
       booktitle = {Open Research Problems in Network Security Workshop},
       year = {2009},
       month = {4},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Egele_MitigatingDrivebyDownload_2009.pdf},
       publisher = {iNetSec 2009},
       note = {Zurich},
    }
  • Prospex: Protocol Specification Extraction (2009)
    • Christopher Kruegel and Engin Kirda and Manuel Egele
    • 18th European Institute for Computer Antivirus Research
    @INPROCEEDINGS{Egele_ProspexProtocolSpecification_2009,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
       title = {Prospex: Protocol Specification Extraction},
       booktitle = {18th European Institute for Computer Antivirus Research},
       year = {2009},
       month = {5},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Egele_ProspexProtocolSpecification_2009.pdf},
       publisher = {EICAR 2009 Annual Conference},
       note = {Berlin},
    }
  • Removing Web Spam Links from Search Engine Results (2009)
    • Christopher Kruegel and Engin Kirda and Manuel Egele
    • 31st International Conference on Software Engineering (ICSE)
    @INPROCEEDINGS{Egele_RemovingWebSpam_2009,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
       authorhotlist = {true},
       title = {Removing Web Spam Links from Search Engine Results},
       booktitle = {31st International Conference on Software Engineering (ICSE)},
       year = {2009},
       month = {5},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Egele_RemovingWebSpam_2009.pdf},
       publisher = {IEEE Computer Society},
       note = {Vancouver, Canada},
    }
  • Using Static Program Analysis to Aid Intrusion Detection (2006)
    • Christopher Kruegel and Engin Kirda and Manuel Egele and Martin Szydlowski
    • Proceedings of Detection of Intrusions and Malware and Vulnerability Assessment
    @INPROCEEDINGS{Egele_UsingStaticProgram_2006,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Martin Szydlowski},
       title = {Using Static Program Analysis to Aid Intrusion Detection},
       booktitle = {Proceedings of Detection of Intrusions and Malware and Vulnerability Assessment},
       year = {2006},
       month = {7},
       abstract = {The Internet, and in particular the world-wide web, have become part of the everyday life of millions of people. With the growth of the web, the demand for on-line services rapidly increased. Today, whole industry branches rely on the Internet to do business. Unfortunately, the success of the web has recently been overshadowed by frequent reports of security breaches. Attackers have discovered that poorly written web applications are the Achilles heel of many organizations. The reason is that these applications are directly available through firewalls and are often developed by programmers who focus on features and tight schedules instead of security. In previous work, we developed an anomaly-based intrusion detection system that uses learning techniques to identify attacks against web-based applications. That system focuses on the analysis of the request parameters in client queries, but does not take into account any information about the protected web applications themselves. The result are imprecise models that lead to more false positives and false negatives than necessary. In this paper, we describe a novel static source code analysis approach for PHP that allows us to incorporate information about a web application into the intrusion detection models. The goal is to obtain a more precise characterization of web request parameters by analyzing their usage by the program. This allows us to generate more precise intrusion detection models. In particular, our analysis allows us to determine the names of request parameters expected by a program and provides information about their types, structure, or even concrete value sets. Our experimental evaluation demonstrates that the information derived statically from web applications closely characterizes the parameter values observed in real-world traffic.},
    }
  • Toward Automated Detection of Logic Vulnerabilities in Web Applications (2010)
    • Viktoria Felmetsger and Ludovico Cavedon and Christopher Kruegel and Giovanni Vigna
    • 19th Usenix Security Symposium
    @INPROCEEDINGS{Felmetsger_Toward_Automated_Detection_of__2010,
       author = {Viktoria Felmetsger and Ludovico Cavedon and Christopher Kruegel and Giovanni Vigna},
       authorhotlist = {true},
       title = {Toward Automated Detection of Logic Vulnerabilities in Web Applications},
       booktitle = {19th Usenix Security Symposium},
       year = {2010},
       month = {8},
    }
  • A Parallel Architecture for Stateful, High-Speed Intrusion Detection (2008)
    • Christopher Kruegel and Giovanni Vigna and Luca Foschini and Ashish Thypliyal and Lorenzo Cavallaro
    • International Conference on Information Systems Security (ICISS), Lecture Notes in Computer Science
    @INPROCEEDINGS{Foschini_ParallelArchitectureStateful_2008,
       author = {Christopher Kruegel and Giovanni Vigna and Luca Foschini and Ashish Thypliyal and Lorenzo Cavallaro},
       title = {A Parallel Architecture for Stateful, High-Speed Intrusion Detection},
       booktitle = {International Conference on Information Systems Security (ICISS), Lecture Notes in Computer Science},
       year = {2008},
       month = {12},
       publisher = {Springer Verlag},
    }
  • CLAPP: Characterizing Loops in Android Applications (2015)
    • Yanick Fratantonio and Aravind Machiry and Antonio Bianchi and Christopher Kruegel and Giovanni Vigna
    • 10th Joint Meeting of the European Software Engineering Conference and the ACM Symposium on the Foundations of Software Engineering (ESEC FSE)
    @INPROCEEDINGS{Fratantonio2015CLAPP,
       author = {Yanick Fratantonio and Aravind Machiry and Antonio Bianchi and Christopher Kruegel and Giovanni Vigna},
       title = {CLAPP: Characterizing Loops in Android Applications},
       booktitle = {10th Joint Meeting of the European Software Engineering Conference and the ACM Symposium on the Foundations of Software Engineering (ESEC FSE)},
       year = {2015},
       month = {8},
       pdf = {http://cs.ucsb.edu/~yanick/publications/2015_fse_clapp.pdf},
    }
  • On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users (2015)
    • Yanick Fratantonio and Antonio Bianchi and William Robertson and Manuel Egele and Christopher Kruegel and Engin Kirda and Giovanni Vigna
    • 12th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)
    @INPROCEEDINGS{Fratantonio2015Security,
       author = {Yanick Fratantonio and Antonio Bianchi and William Robertson and Manuel Egele and Christopher Kruegel and Engin Kirda and Giovanni Vigna},
       title = {On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users},
       booktitle = {12th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)},
       year = {2015},
       month = {7},
       pdf = {http://seclab.ccs.neu.edu/static/publications/dimva2015android.pdf},
    }
  • The Tricks of the Trade: What Makes Spam Campaigns Successful? (2014)
    • Jane Iedemska and Gianluca Stringhini and Richard Kemmerer and Christopher Kruegel and Giovanni Vigna
    • International Workshop on Cyber Crime (IWCC)
    @INPROCEEDINGS{Iedemska2014Tricks,
       author = {Jane Iedemska and Gianluca Stringhini and Richard Kemmerer and Christopher Kruegel and Giovanni Vigna},
       title = {The Tricks of the Trade: What Makes Spam Campaigns Successful?},
       booktitle = {International Workshop on Cyber Crime (IWCC)},
       year = {2014},
       month = {5},
       pdf = {http://www0.cs.ucl.ac.uk/staff/G.Stringhini/papers/cutwail-iwcc.pdf},
       link_slides = {http://de.slideshare.net/gianlucastringhini/iwcc-2014},
    }
  • Nazca: Detecting Malware Distribution in Large-Scale Networks (2014)
    • Luca Invernizzi and Stanislav Miskovic and Ruben Torres and Sabyasachi Saha and Sung-Ju Lee and Marco Mellia and Christopher Kruegel and Giovanni Vigna
    • Usenix Network and Distributed System Security Symposium (NDSS)
    @INPROCEEDINGS{Invernizzi2014Nazca,
       author = {Luca Invernizzi and Stanislav Miskovic and Ruben Torres and Sabyasachi Saha and Sung-Ju Lee and Marco Mellia and Christopher Kruegel and Giovanni Vigna},
       title = {Nazca: Detecting Malware Distribution in Large-Scale Networks},
       booktitle = {Usenix Network and Distributed System Security Symposium (NDSS)},
       year = {2014},
       month = {2},
    }
  • Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). (2006)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Nenad Jovanovic
    • Proceedings of the IEEE Symposium on Security and Privacy 2006
    @INPROCEEDINGS{Jovanovic_PixyStaticAnalysis_2006,
       author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
       authorhotlist = {true},
       title = {Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper).},
       booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2006},
       year = {2006},
       month = {5},
       publisher = {IEEE Computer Society Press},
    }
  • Preventing Cross Site Request Forgery Attacks (2006)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Nenad Jovanovic
    • In Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)
    @INPROCEEDINGS{Jovanovic_PreventingCrossSite_2006,
       author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
       authorhotlist = {true},
       title = {Preventing Cross Site Request Forgery Attacks},
       booktitle = {In Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)},
       year = {2006},
       month = {8},
       abstract = {The web has become an indispensable part of our lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting web applications and web-based information systems. Previous work in the field of web application security has mainly focused on the mitigation of Cross Site Scripting (XSS) and SQL injection attacks. In contrast, Cross Site Request Forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by web application developers. As a result, there exist many web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source web applications, without negatively affecting their behavior.},
    }
  • Static analysis for detecting taint-style vulnerabilities in web applications (2010)
    • ARTICLE--
    • Nenad Jovanovic and Christopher Kruegel and Engin Kirda
    • Journal of Computer Security
    @ARTICLE{Jovanovic_Static_analysis_for_detecting__2010,
       author = {Nenad Jovanovic and Christopher Kruegel and Engin Kirda},
       title = {Static analysis for detecting taint-style vulnerabilities in web applications},
       journal = {Journal of Computer Security},
       year = {2010},
       month = {0},
       volume = {18},
    }
  • SecuBat: A Web Vulnerability Scanner (2006)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals
    • Proceedings of The 15th International World Wide Web Conference (WWW 2006)
    @INPROCEEDINGS{Kals_SecuBatWebVulnerability_2006,
       author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals},
       authorhotlist = {true},
       title = {SecuBat: A Web Vulnerability Scanner},
       booktitle = {Proceedings of The 15th International World Wide Web Conference (WWW 2006)},
       year = {2006},
       month = {5},
       abstract = {As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.},
    }
  • Hulk: Eliciting Malicious Behavior in Browser Extensions (2014)
    • INPROCEEDINGS--
    • Alexandros Kapravelos and Chris Grier and Neha Chachra and Christopher Kruegel and Giovanni Vigna and Vern Paxson
    • 23rd Usenix Security Symposium
    @INPROCEEDINGS{Kapravelos2014Hulk,
       author = {Alexandros Kapravelos and Chris Grier and Neha Chachra and Christopher Kruegel and Giovanni Vigna and Vern Paxson},
       title = {Hulk: Eliciting Malicious Behavior in Browser Extensions},
       booktitle = {23rd Usenix Security Symposium},
       year = {2014},
       month = {8},
       pdf = {http://www.icir.org/vern/papers/hulk-usesec14.pdf},
    }
  • Behavior-Based Spyware Detection (2006)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks
    • Proceedings of USENIX Security 06
    @INPROCEEDINGS{Kirda_BehaviorBasedSpywareDetection_2006,
       author = {Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks},
       authorhotlist = {true},
       title = {Behavior-Based Spyware Detection},
       booktitle = {Proceedings of USENIX Security 06},
       year = {2006},
       month = {8},
    }
  • Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries (2010)
    • INPROCEEDINGS-true
    • Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda
    • IEEE Security and Privacy 2010
    @INPROCEEDINGS{Kolbitsch_AutomatedExtraction_2010,
       author = {Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda},
       authorhotlist = {true},
       title = {Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries},
       booktitle = {IEEE Security and Privacy 2010},
       year = {2010},
       month = {1},
    }
  • Effective and Efficient Malware Detection at the End Host (2009)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang
    • in USENIX Security 09
    @INPROCEEDINGS{Kolbitsch_EffectiveandEfficient_2009,
       author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang},
       authorhotlist = {true},
       title = {Effective and Efficient Malware Detection at the End Host},
       booktitle = {in USENIX Security 09},
       year = {2009},
       month = {8},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Kolbitsch_EffectiveandEfficient_2009.pdf},
       note = {Canada, August 2009},
    }
  • Extending Mondrian Memory Protection (2010)
    • INPROCEEDINGS--
    • Clemens Kolbitsch and Christopher Kruegel and Engin Kirda
    • NATO RTO IST-091 Symposium
    @INPROCEEDINGS{Kolbitsch_Extending_Mondrian_Memory_Prot_2010,
       author = {Clemens Kolbitsch and Christopher Kruegel and Engin Kirda},
       title = {Extending Mondrian Memory Protection},
       booktitle = {NATO RTO IST-091 Symposium},
       year = {2010},
       month = {4},
    }
  • AccessMiner: Using System-Centric Models for Malware Protection (2010)
    • INPROCEEDINGS-true
    • Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda
    • 17th ACM Conference on Computer and Communications Security (CCS)
    @INPROCEEDINGS{Lanzi_AccessMiner_Using_System_Centr_2010,
       author = {Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda},
       authorhotlist = {true},
       title = {AccessMiner: Using System-Centric Models for Malware Protection},
       booktitle = {17th ACM Conference on Computer and Communications Security (CCS)},
       year = {2010},
       month = {10},
    }
  • On the Effectiveness of Techniques to Detect Phishing Sites (2007)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Sean McAllister and Christian Ludl
    • Proceedings of the Conference on the Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA).
    @INPROCEEDINGS{Ludl_EffectivenessofTechniques_2007,
       author = {Christopher Kruegel and Engin Kirda and Sean McAllister and Christian Ludl},
       title = {On the Effectiveness of Techniques to Detect Phishing Sites},
       booktitle = {Proceedings of the Conference on the Detection of Intrusions and Malware \& Vulnerability Assessment (DIMVA).},
       year = {2007},
       month = {1},
       abstract = {Phishing is an electronic online identity theft in which the attackers use a combination of social engineering and web site spoofing techniques to trick a user into revealing confidential information. This information is typically used to make an illegal economic profit (e.g., by online banking transactions, purchase of goods using stolen credentials, etc.). Although simple, phishing attacks are remarkably effective. As a result, the numbers of successful phishing attacks have been continuously increasing and many anti-phishing solutions have been proposed. One popular and widely-deployed solution is the integration of blacklist-based anti-phishing techniques into browsers. However, it is currently unclear how effective such blacklisting approaches are in mitigating phishing attacks in real-life. In this paper, we report our findings on analyzing the effectiveness of two popular anti-phishing solutions. Over a period of three weeks, we automatically tested the effectiveness of the blacklists maintained by Google and Microsoft with 10,000 phishing URLs. Furthermore, by analyzing a large number of phishing pages, we explored the existence of page properties that can be used to identify phishing pages.},
    }
  • There Is No Free Phish: An Analysis of free and live phishing kits (2008)
    • INPROCEEDINGS--
    • Christopher Kruegel and Giovanni Vigna and Marco Cova
    • Usenix Workshop on Offensive Technologies (WOOT)
    @INPROCEEDINGS{MarcoCova_ThereIsNo_2008,
       author = {Christopher Kruegel and Giovanni Vigna and Marco Cova},
       title = {There Is No Free Phish: An Analysis of free and live phishing kits},
       booktitle = {Usenix Workshop on Offensive Technologies (WOOT)},
       year = {2008},
       month = {7},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/MarcoCova_ThereIsNo_2008.pdf},
       pages = {8},
       note = {Usenix Workshop on Offensive Technologies (WOOT),},
    }
  • Expanding Human Interactions for In-Depth Testing of Web Applications (2008)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Sean McAllister
    • 11th Symposium on Recent Advances in Intrusion Detection (RAID), Boston, MA
    @INPROCEEDINGS{McAllister_ExpandingHumanInteractions_2008,
       author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
       title = {Expanding Human Interactions for In-Depth Testing of Web Applications},
       booktitle = {11th Symposium on Recent Advances in Intrusion Detection (RAID), Boston, MA},
       year = {2008},
       month = {9},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/McAllister_ExpandingHumanInteractions_2008.pdf},
    }
  • Visual-Similarity-Based Phishing Detection (2008)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Eric Medvet
    • IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks
    @INPROCEEDINGS{Medvet_VisualSimilarityBasedPhishing_2008,
       author = {Christopher Kruegel and Engin Kirda and Eric Medvet},
       title = {Visual-Similarity-Based Phishing Detection},
       booktitle = {IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks},
       year = {2008},
       month = {9},
    }
  • Exploring Multiple Execution Paths for Malware Analysis (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Andreas Moser
    • Proceedings of the IEEE Symposium on Security and Privacy 2007
    @INPROCEEDINGS{Moser_ExploringMultipleExecution_2007,
       author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
       authorhotlist = {true},
       title = {Exploring Multiple Execution Paths for Malware Analysis},
       booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2007},
       year = {2007},
       month = {5},
       abstract = {Malicious code or malware is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked. The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.},
       publisher = {IEEE Computer Society Press},
    }
  • Limits of Static Analysis for Malware Detection (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Andreas Moser
    • Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007
    @INPROCEEDINGS{Moser_LimitsofStatic_2007,
       author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
       authorhotlist = {true},
       title = {Limits of {S}tatic {A}nalysis for {M}alware {D}etection},
       booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
       year = {2007},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Moser_LimitsofStatic_2007.pdf},
    }
  • A Large-Scale Study of Mobile Web App Security (2015)
    • INPROCEEDINGS--
    • Patrick Mutchler and Adam Doupé and John Mitchell and Christopher Kruegel and Giovanni Vigna
    • Mobile Security Technologies Workshop (MoST)
    @INPROCEEDINGS{Mutchler2015LargeScale,
       author = {Patrick Mutchler and Adam Doupé and John Mitchell and Christopher Kruegel and Giovanni Vigna},
       title = {A Large-Scale Study of Mobile Web App Security},
       booktitle = {Mobile Security Technologies Workshop (MoST)},
       year = {2015},
       month = {5},
       pdf = {http://ieee-security.org/TC/SPW2015/MoST/papers/s2p3.pdf},
    }
  • Stranger Danger: Exploring the Ecosystem of Ad-based URL Shortening Services (2014)
    • INPROCEEDINGS--
    • Nick Nikiforakis and Federico Maggi and Gianluca Stringhini and M. Zubair Rafique and Wouter Joosen and Christopher Kruegel and Frank Piessens and Giovanni Vigna and Stefano Zanero
    • International World Wide Web Conference (WWW)
    @INPROCEEDINGS{Nikiforakis2014Stranger,
       author = {Nick Nikiforakis and Federico Maggi and Gianluca Stringhini and {M. Zubair} Rafique and Wouter Joosen and Christopher Kruegel and Frank Piessens and Giovanni Vigna and Stefano Zanero},
       title = {Stranger Danger: Exploring the Ecosystem of Ad-based URL Shortening Services},
       booktitle = {International World Wide Web Conference (WWW)},
       year = {2014},
       month = {4},
    }
  • Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications (2014)
    • INPROCEEDINGS--
    • Sebastian Poeplau and Yanick Fratantonio and Antonio Bianchi and Christopher Kruegel and Giovanni Vigna
    • Usenix Network and Distributed System Security Symposium (NDSS)
    @INPROCEEDINGS{Poeplau2014Execute,
       author = {Sebastian Poeplau and Yanick Fratantonio and Antonio Bianchi and Christopher Kruegel and Giovanni Vigna},
       title = {Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications},
       booktitle = {Usenix Network and Distributed System Security Symposium (NDSS)},
       year = {2014},
       month = {2},
    }
  • Building Anti-Phishing Browser Plug-Ins: An Experience Report (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Thomas Raffetseder
    • Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE)
    @INPROCEEDINGS{Raffetseder_BuildingAntiPhishingBrowser_2007,
       author = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
       authorhotlist = {true},
       title = {Building Anti-Phishing Browser Plug-Ins: An Experience Report},
       booktitle = {Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE)},
       year = {2007},
       month = {5},
       publisher = {IEEE Computer Society Press},
    }
  • Detecting System Emulators (2007)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Thomas Raffetseder
    • Proceedings of the Information Security Conference (ISC)
    @INPROCEEDINGS{Raffetseder_DetectingSystemEmulators_2007,
       author = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
       title = {Detecting System Emulators},
       booktitle = {Proceedings of the Information Security Conference (ISC)},
       year = {2007},
       month = {10},
    }
  • Effective Anomaly Detection with Scarce Training Data (2010)
    • INPROCEEDINGS-true
    • William K Robertson and Federico Maggi and Christopher Kruegel and Giovanni Vigna
    • Network and Distributed System Security Symposium (NDSS 2010)
    @INPROCEEDINGS{Robertson_Effective_Anomaly_Detection_wi_2010,
       author = {William K Robertson and Federico Maggi and Christopher Kruegel and Giovanni Vigna},
       authorhotlist = {true},
       title = {Effective Anomaly Detection with Scarce Training Data},
       booktitle = {Network and Distributed System Security Symposium (NDSS 2010)},
       year = {2010},
       month = {2},
    }
  • A Layout-Similarity-Based Approach for Detecting Phishing Pages (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi
    • Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm).
    @INPROCEEDINGS{Rosiello_LayoutSimilarityBasedApproachDetecting_2007,
       author = {Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi},
       authorhotlist = {true},
       title = {A Layout-Similarity-Based Approach for Detecting Phishing Pages},
       booktitle = {Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm).},
       year = {2007},
       month = {1},
    }
  • Portrait of a Privacy Invasion - Detecting Relationships Through Large-scale Photo Analysis (2015)
    • INPROCEEDINGS--
    • Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna
    • 15th Privacy Enhancing Technologies Symposium (PETS)
    @INPROCEEDINGS{Shoshitaishvili2015Portrait,
       author = {Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna},
       title = {Portrait of a Privacy Invasion - Detecting Relationships Through Large-scale Photo Analysis},
       booktitle = {15th Privacy Enhancing Technologies Symposium (PETS)},
       year = {2015},
       month = {6},
       pdf = {https://www.cs.ucsb.edu/~chris/research/doc/pets15_creepic.pdf},
    }
  • Overbot - A botnet protocol based on Kademlia (2008)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Guenther Starnberger
    • 4th International Conference on Security and Privacy in Communication Networks (SecureComm)
    @INPROCEEDINGS{Starnberger_Overbotbotnet_2008,
       author = {Christopher Kruegel and Engin Kirda and Guenther Starnberger},
       authorhotlist = {true},
       title = {Overbot - A botnet protocol based on Kademlia},
       booktitle = {4th International Conference on Security and Privacy in Communication Networks (SecureComm)},
       year = {2008},
       month = {9},
       publisher = {Istanbul, Turkey},
    }
  • FIRE: FInding Rogue nEtworks (2009)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almaroth and Brett Stone-Gross
    • 25th Annual Computer Security Applications Conference (ACSAC)
    @INPROCEEDINGS{StoneGross_FIREFIndingRogue_2009,
       author = {Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almaroth and Brett Stone-Gross},
       authorhotlist = {true},
       title = {FIRE: FInding Rogue nEtworks},
       booktitle = {25th Annual Computer Security Applications Conference (ACSAC)},
       year = {2009},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/StoneGross_FIREFIndingRogue_2009.pdf},
    }
  • The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape (2014)
    • INPROCEEDINGS--
    • Gianluca Stringhini and Oliver Hohlfeld and Christopher Kruegel and Giovanni Vigna
    • ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS)
    @INPROCEEDINGS{Stringhini2014Harvester,
       author = {Gianluca Stringhini and Oliver Hohlfeld and Christopher Kruegel and Giovanni Vigna},
       title = {The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape},
       booktitle = {ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS)},
       year = {2014},
       month = {6},
       pdf = {http://cs.ucsb.edu/~gianluca/papers/harvesters-asiaccs2014.pdf},
    }
  • EvilCohort: Detecting Communities of Malicious Accounts on Online Services (2015)
    • INPROCEEDINGS--
    • Gianluca Stringhini and Pierre Mourlanne and Gregoire Jacob and Manuel Egele and Christopher Kruegel and Giovanni Vigna
    • 24th Usenix Security Symposium
    @INPROCEEDINGS{Stringhini2015EvilCohort,
       author = {Gianluca Stringhini and Pierre Mourlanne and Gregoire Jacob and Manuel Egele and Christopher Kruegel and Giovanni Vigna},
       title = {EvilCohort: Detecting Communities of Malicious Accounts on Online Services},
       booktitle = {24th Usenix Security Symposium},
       year = {2015},
       month = {8},
       pdf = {http://www0.cs.ucl.ac.uk/staff/G.Stringhini/papers/evilcohort-usenix2015.pdf},
    }
  • Detecting Spammers On Social Networks (2010)
    • INPROCEEDINGS-true
    • Gianluca Stringhini and Christopher Kruegel and Giovanni Vigna
    • 26th Annual Computer Security Applications Conference (ACSAC)
    @INPROCEEDINGS{Stringhini_Detecting_Spammers_On_Social_N_2010,
       author = {Gianluca Stringhini and Christopher Kruegel and Giovanni Vigna},
       authorhotlist = {true},
       title = {Detecting Spammers On Social Networks},
       booktitle = {26th Annual Computer Security Applications Conference (ACSAC)},
       year = {2010},
       month = {12},
    }
  • Secure Input for Web Applications (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Martin Szydlowski
    • Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007
    @INPROCEEDINGS{Szydlowski_SecureInputWeb_2007,
       author = {Christopher Kruegel and Engin Kirda and Martin Szydlowski},
       authorhotlist = {true},
       title = {Secure {I}nput for {W}eb {A}pplications},
       booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
       year = {2007},
       month = {12},
    }
  • Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt
    • In Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007)
    @INPROCEEDINGS{Vogt_CrossSiteScripting_2007,
       author = {Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt},
       authorhotlist = {true},
       title = {Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis},
       booktitle = {In Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007)},
       year = {2007},
       month = {2},
    }
  • ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities (2015)
    • INPROCEEDINGS--
    • Michael Weissbacher and William Robertson and Engin Kirda and Christopher Kruegel and Giovanni Vigna
    • 24th Usenix Security Symposium
    @INPROCEEDINGS{Weissbacher2015ZigZag,
       author = {Michael Weissbacher and William Robertson and Engin Kirda and Christopher Kruegel and Giovanni Vigna},
       title = {ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities},
       booktitle = {24th Usenix Security Symposium},
       year = {2015},
       month = {8},
       pdf = {http://seclab.ccs.neu.edu/static/publications/sec2015zigzag.pdf},
    }
  • Automatic Network Protocol Analysis (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek
    • Proceedings of the Network and Distributed System Security Symposium Conference (NDSS), San Diego 2007
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2007,
       author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek},
       authorhotlist = {true},
       title = {Automatic {N}etwork {P}rotocol {A}nalysis},
       booktitle = {Proceedings of the {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium {C}onference ({NDSS}), {S}an {D}iego 2007},
       year = {2007},
       month = {1},
    }
  • Automatic Network Protocol Analysis (2008)
    • INPROCEEDINGS-true
    • Gilbert Wondracek and Paolo Milani Comparetti and Christopher Kruegel and Engin Kirda
    • 15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2008,
       author = {Gilbert Wondracek and Paolo Milani Comparetti and Christopher Kruegel and Engin Kirda},
       authorhotlist = {true},
       title = {Automatic Network Protocol Analysis},
       booktitle = {15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008},
       year = {2008},
       month = {1},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/ce-kirden-080215.pdf},
    }
  • Is the Internet for Porn? An Insight into the Online Adult Industry (2010)
    • INPROCEEDINGS-true
    • Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel
    • Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010)
    @INPROCEEDINGS{Wondracek_InternetPorn2010,
       author = {Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel},
       authorhotlist = {true},
       title = {Is the Internet for Porn? An Insight into the Online Adult Industry},
       booktitle = {Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010)},
       year = {2010},
       month = {6},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/weis2010_wondracek.pdf},
    }
  • Automatically Generating Models for Botnet Detection (2009)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel
    • 14th European Symposium on Research in Computer Security (ESORICS 2009)
    @INPROCEEDINGS{Wurzinger_AutomaticallyGeneratingModels_2009,
       author = {Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel},
       authorhotlist = {true},
       title = {Automatically Generating Models for Botnet Detection},
       booktitle = {14th European Symposium on Research in Computer Security (ESORICS 2009)},
       year = {2009},
       month = {9},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Wurzinger_AutomaticallyGeneratingModels_2009.pdf},
       note = {14th European Symposium on Research in Computer Security (ESORICS 2009), Saint Malo, Brittany, France},
    }
  • SWAP: Mitigating XSS Attacks using a Reverse Proxy (2009)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger
    • The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE
    @INPROCEEDINGS{Wurzinger_SWAPMitigatingXSS_2009,
       author = {Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger},
       authorhotlist = {true},
       title = {SWAP: Mitigating XSS Attacks using a Reverse Proxy},
       booktitle = {The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE},
       year = {2009},
       month = {5},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Wurzinger_SWAPMitigatingXSS_2009.pdf},
       publisher = {IEEE Computer Society},
    }
  • Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song
    • Proceedings of the 14th ACM Conference on Computer and Communications Security
    @INPROCEEDINGS{Yin_PanoramaCapturingSystemwide_2007,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
       authorhotlist = {true},
       title = {Panorama: {C}apturing {S}ystem-wide {I}nformation {F}low for {M}alware {D}etection and {A}nalysis},
       booktitle = {Proceedings of the 14th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity},
       year = {2007},
       month = {11},
    }
  • Extracting Probable Command and Control Signatures for Detecting Botnets (2014)
    • INPROCEEDINGS--
    • Ali Zand and Giovanni Vigna and Xifeng Yan and Christopher Kruegel
    • ACM Symposium on Applied Computing (SAC)
    @INPROCEEDINGS{Zand2014Extracting,
       author = {Ali Zand and Giovanni Vigna and Xifeng Yan and Christopher Kruegel},
       title = {Extracting Probable Command and Control Signatures for Detecting Botnets},
       booktitle = {ACM Symposium on Applied Computing (SAC)},
       year = {2014},
       month = {3},
    }
  • Rippler: Delay Injection for Service Dependency Detection (2014)
    • INPROCEEDINGS--
    • Ali Zand and Giovanni Vigna and Richard Kemmerer and Christopher Kruegel
    • IEEE International Conference on Computer Communications (INFOCOM)
    @INPROCEEDINGS{Zand2014Rippler,
       author = {Ali Zand and Giovanni Vigna and Richard Kemmerer and Christopher Kruegel},
       title = {Rippler: Delay Injection for Service Dependency Detection},
       booktitle = {IEEE International Conference on Computer Communications (INFOCOM)},
       year = {2014},
       month = {4},
    }
  • A Survey on Automated Dynamic Malware Analysis Techniques and Tools (2012)
    • ARTICLE--
    • Manuel Egele and Theodoor Scholte and Engin Kirda and Christopher Kruegel
    • ACM Computing Surveys Journal
    @ARTICLE{_A_Survey_on_Automated_Dynamic__2012,
       author = {Manuel Egele and Theodoor Scholte and Engin Kirda and Christopher Kruegel},
       title = {A Survey on Automated Dynamic Malware Analysis Techniques and Tools},
       journal = {ACM Computing Surveys Journal},
       year = {2012},
       month = {2},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/malware_survey.pdf},
       volume = {44},
       number = {2},
    }
  • Babel: Leveraging Email Delivery for Spam Mitigation (2012)
    • INPROCEEDINGS--
    • Gianluca Stringhini and Manuel Egele and Apostolis Zarras and Thorsten Holz and Christopher Kruegel and Giovanni Vigna
    • 21st Usenix Security Symposium
    @INPROCEEDINGS{_Babel_Leveraging_Email_Deliver_2012,
       author = {Gianluca Stringhini and Manuel Egele and Apostolis Zarras and Thorsten Holz and Christopher Kruegel and Giovanni Vigna},
       title = {Babel: Leveraging Email Delivery for Spam Mitigation},
       booktitle = {21st Usenix Security Symposium},
       year = {2012},
       month = {8},
       abstract = {usenix12_babel.pdf},
    }
  • Blacksheep: Detecting Compromised Hosts in Homogeneous Crowds (2012)
    • INPROCEEDINGS--
    • Antonio Bianchi and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna
    • ACM Conference on Computer and Communications Security (CCS)
    @INPROCEEDINGS{_Blacksheep_Detecting_Compromis_2012,
       author = {Antonio Bianchi and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna},
       title = {Blacksheep: Detecting Compromised Hosts in Homogeneous Crowds},
       booktitle = {ACM Conference on Computer and Communications Security (CCS)},
       year = {2012},
       month = {10},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/ccs12_blacksheep.pdf},
    }
  • BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection (2012)
    • INPROCEEDINGS--
    • Florian Tegeler and Xiaoming Fu and Christopher Kruegel and Giovanni Vigna
    • International Conference on emerging Networking EXperiments and Technologies
    @INPROCEEDINGS{_BotFinder_Finding_Bots_in_Netw_2012,
       author = {Florian Tegeler and Xiaoming Fu and Christopher Kruegel and Giovanni Vigna},
       title = {BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection},
       booktitle = {International Conference on emerging Networking EXperiments and Technologies},
       year = {2012},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/conext12_botfinder.pdf},
    }
  • Disclosure: Detecting Botnet Command and Control Servers Through Large Scale NetFlow Analysis (2012)
    • INPROCEEDINGS--
    • Leyla Bilge and Davide Balzarotti and William K Robertson and Christopher Kruegel and Engin Kirda
    • Annual Computer Security Applications
    @INPROCEEDINGS{_Disclosure_Detecting_Botnet_Co_2012,
       author = {Leyla Bilge and Davide Balzarotti and William K Robertson and Christopher Kruegel and Engin Kirda},
       title = {Disclosure: Detecting Botnet Command and Control Servers Through Large Scale NetFlow Analysis},
       booktitle = {Annual Computer Security Applications},
       year = {2012},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/acsac12_disclosure.pdf},
    }
  • Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner (2012)
    • INPROCEEDINGS--
    • Adam Doupe and Ludovico Cavedon and Christopher Kruegel and Giovanni Vigna
    • 21st Usenix Security Symposium
    @INPROCEEDINGS{_Enemy_of_the_State_A_State_Awa_2012,
       author = {Adam Doupe and Ludovico Cavedon and Christopher Kruegel and Giovanni Vigna},
       title = {Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner},
       booktitle = {21st Usenix Security Symposium},
       year = {2012},
       month = {8},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/usenix12_statecrawl.pdf},
    }
  • Jarhead: Analysis and Detection of Malicious Java Applets (2012)
    • INPROCEEDINGS--
    • Johannes Schlumberger and Christopher Kruegel and Giovanni Vigna
    • Annual Computer Security Applications
    @INPROCEEDINGS{_Jarhead_Analysis_and_Detection_2012,
       author = {Johannes Schlumberger and Christopher Kruegel and Giovanni Vigna},
       title = {Jarhead: Analysis and Detection of Malicious Java Applets},
       booktitle = {Annual Computer Security Applications},
       year = {2012},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/acsac12_jarhead.pdf},
    }
  • PUBCRAWL: Protecting Users and Businesses from CRAWLers (2012)
    • INPROCEEDINGS--
    • Gregoire Jacob and Engin Kirda and Christopher Kruegel and Giovanni Vigna
    • 21st Usenix Security Symposium
    @INPROCEEDINGS{_PUBCRAWL_Protecting_Users_and__2012,
       author = {Gregoire Jacob and Engin Kirda and Christopher Kruegel and Giovanni Vigna},
       title = {PUBCRAWL: Protecting Users and Businesses from CRAWLers},
       booktitle = {21st Usenix Security Symposium},
       year = {2012},
       month = {8},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/usenix12_pubcrawl.pdf},
    }
