Engin Kirda

Engin Kirda is a key researcher at SBA Research and Professor at Northeastern University, Boston.

  • Phone: +43 (1) 505 36 88
  • Fax: +43 (1) 505 88 88

Research Interests

His current research interests are in systems, software and network security (with a focus on Web security, binary analysis and malware detection). Before that, he was mainly interested in distributed systems, software engineering and software architectures.

Bio

Currently, he is Professor at the College of Computer and Information Science and the Department of Electrical and Computer Engineering of Northeastern University in Boston. He is also Director of the Northeastern Information Assurance Institute.

Previously, he was tenured faculty at Institute Eurecom (Graduate School and Research Center) on the French Riviera and, before that, faculty at TU Wien, where he co-founded the Secure Systems Lab. The lab has now become international and is distributed over five institutions and geographical locations.

For more information please see http://www.iseclab.org/people/ek/.

Top Publications:

  • Leveraging User Interactions for In-Depth Testing of Web Applications (2008)
    • ARTICLE
    • Christopher Kruegel and Engin Kirda and Sean McAllister
    • RAID '08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
    @ARTICLE{1433021,
       author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
       title = {Leveraging User Interactions for In-Depth Testing of Web Applications},
       journal = {RAID '08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection},
       year = {2008},
       month = {1},
       pages = {191--210},
       publisher = {Springer-Verlag},
    }
  • Leveraging User Interactions for In-Depth Testing of Web Applications (2008)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Sean McAllister
    • Symposium on Recent Advances in Intrusion Detection
    @INPROCEEDINGS{Allister_SymposiumRecentAdvances_2008,
       author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
       title = {Leveraging User Interactions for In-Depth Testing of Web Applications},
       booktitle = {Symposium on Recent Advances in Intrusion Detection},
       year = {2008},
       month = {1},
    }
  • Abusing Social Networks for Automated User Profiling (2010)
    • INPROCEEDINGS
    • Marco Balduzzi and Christian Platzer and Thorsten Holz and Engin Kirda and Davide Balzarotti and Christopher Kruegel
    • International Symposium on Recent Advances in Intrusion Detection (RAID 2010)
    @INPROCEEDINGS{Balduzzi_Abusing_Social_Networks_for_Au_2010,
       author = {Marco Balduzzi and Christian Platzer and Thorsten Holz and Engin Kirda and Davide Balzarotti and Christopher Kruegel},
       title = {Abusing Social Networks for Automated User Profiling},
       booktitle = {International Symposium on Recent Advances in Intrusion Detection (RAID 2010)},
       year = {2010},
       month = {9},
    }
  • A Solution for the Automated Detection of Clickjacking Attacks (2010)
    • INPROCEEDINGS
    • Marco Balduzzi and Manuel Egele and Engin Kirda and Davide Balzarotti and Christopher Kruegel
    • ASIACCS
    @INPROCEEDINGS{Balduzzi_A_Solution_for_the_Automated_D_2010,
       author = {Marco Balduzzi and Manuel Egele and Engin Kirda and Davide Balzarotti and Christopher Kruegel},
       title = {A Solution for the Automated Detection of Clickjacking Attacks},
       booktitle = {ASIACCS},
       year = {2010},
       month = {4},
    }
  • Efficient Detection of Split Personalities in Malware (2010)
    • INPROCEEDINGS
    • Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna
    • 17th Annual Network and Distributed System Security Symposium (NDSS 2010)
    @INPROCEEDINGS{Balzarotti_Efficient_Detection_of_Split_P_2010,
       author = {Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna},
       authorhotlist = {true},
       title = {Efficient Detection of Split Personalities in Malware},
       booktitle = {17th Annual Network and Distributed System Security Symposium (NDSS 2010)},
       year = {2010},
       month = {2},
    }
  • Dynamic Analysis of Malicious Code (2006)
    • ARTICLE
    • Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser
    • Journal in Computer Virology
    @ARTICLE{Bayer_DynamicAnalysisof_2006,
       author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser},
       title = {Dynamic Analysis of Malicious Code},
       journal = {Journal in Computer Virology},
       year = {2006},
       month = {1},
       abstract = {Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.},
       publisher = {Springer Computer Science},
    }
    Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.
  • Improving the Efficiency of Dynamic Malware Analysis (2010)
    • INPROCEEDINGS
    • Ulrich Bayer and Engin Kirda and Christopher Kruegel
    • 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications
    @INPROCEEDINGS{Bayer_ImprovingEfficiencyof_2010,
       author = {Ulrich Bayer and Engin Kirda and Christopher Kruegel},
       authorhotlist = {true},
       title = {Improving the Efficiency of Dynamic Malware Analysis},
       booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
       year = {2010},
       month = {3},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Bayer_ImprovingEfficiencyof_2010.pdf},
       note = {Lausanne, Switzerland},
    }
  • A View on Current Malware Behaviors (2009)
    • INPROCEEDINGS
    • Ulrich Bayer and Imam Habibi and Davide Balzarotti and Engin Kirda and Christopher Kruegel
    • 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston
    @INPROCEEDINGS{Bayer_InsightsIntoCurrent_2009,
       author = {Ulrich Bayer and Imam Habibi and Davide Balzarotti and Engin Kirda and Christopher Kruegel},
       authorhotlist = {true},
       title = {A View on Current Malware Behaviors},
       booktitle = {2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston},
       year = {2009},
       month = {4},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Bayer_InsightsIntoCurrent_2009.pdf},
    }
  • Scalable, Behavior-Based Malware Clustering (2009)
    • INPROCEEDINGS
    • Ulrich Bayer and Paolo Milani Comparetti and Clemens Hlauschek and Christopher Kruegel and Engin Kirda
    • Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)
    @INPROCEEDINGS{Bayer_ScalableBehaviorBasedMalware_2009,
       author = {Ulrich Bayer and Paolo Milani Comparetti and Clemens Hlauschek and Christopher Kruegel and Engin Kirda},
       authorhotlist = {true},
       title = {Scalable, Behavior-Based Malware Clustering},
       booktitle = {Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)},
       year = {2009},
       month = {1},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Bayer_ScalableBehaviorBasedMalware_2009.pdf},
    }
  • TTAnalyze: A Tool for Analyzing Malware (2006)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Ulrich Bayer
    • Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference
    @INPROCEEDINGS{Bayer_TTAnalyzeToolAnalyzing_2006,
       author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer},
       title = {TTAnalyze: A Tool for Analyzing Malware},
       booktitle = {Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference},
       year = {2006},
       month = {4},
       note = {Best Paper Award},
    }
  • EXPOSURE: A Passive DNS Analysis Service to Detect and Report Malicious Domains (2014)
    • ARTICLE
    • Leyla Bilge and Sevil Sen and Davide Balzarotti and Engin Kirda and Christopher Kruegel
    • ACM Transactions on Information and System Security
    @ARTICLE{Bilge2014EXPOSURE,
       author = {Leyla Bilge and Sevil Sen and Davide Balzarotti and Engin Kirda and Christopher Kruegel},
       title = {EXPOSURE: A Passive DNS Analysis Service to Detect and Report Malicious Domains},
       journal = {ACM Transactions on Information and System Security},
       year = {2014},
       month = {4},
       pdf = {http://seclab.ccs.neu.edu/static/publications/tissec14_exposure.pdf},
    }
  • All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks (2009)
    • INPROCEEDINGS
    • Engin Kirda and Davide Balzarotti and Leyla Bilge and Thorsten Strufe
    • 18th International World Wide Web Conference
    @INPROCEEDINGS{Bilge_AllYourContacts_2009,
       author = {Engin Kirda and Davide Balzarotti and Leyla Bilge and Thorsten Strufe},
       authorhotlist = {true},
       title = {All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks},
       booktitle = {18th International World Wide Web Conference},
       year = {2009},
       month = {4},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Bilge_AllYourContacts_2009.pdf},
       publisher = {31st International Conference on Software Engineering IEEE Computer Society, Vancouver, Cana},
    }
  • Large Scale Malware Collection: Lessons Learned (2008)
    • INPROCEEDINGS
    • Engin Kirda and Corrado Leita and Julio Canto and Marc Dacier
    • IEEE SRDS Workshop on Sharing Field Data and Experiment Measurements on Resilience of Distributed Computing System
    @INPROCEEDINGS{Canto_LargeScaleMalware_2008,
       author = {Engin Kirda and Corrado Leita and Julio Canto and Marc Dacier},
       title = {Large Scale Malware Collection: Lessons Learned},
       booktitle = {IEEE SRDS Workshop on Sharing Field Data and Experiment Measurements on Resilience of Distributed Computing System},
       year = {2008},
       month = {10},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Canto_LargeScaleMalware_200.pdf},
       note = {Naples, Italy},
    }
  • CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes (2016)
    • INPROCEEDINGS
    • Patrick Carter and Collin Mulliner and Martina Lindorfer and William Robertson and Engin Kirda
    • 20th International Conference on Financial Cryptography and Data Security (FC)
    @INPROCEEDINGS{Carter2016CuriousDroid,
       author = {Patrick Carter and Collin Mulliner and Martina Lindorfer and William Robertson and Engin Kirda},
       title = {CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes},
       booktitle = {20th International Conference on Financial Cryptography and Data Security (FC)},
       year = {2016},
       month = {2},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/curiousdroid_fc16.pdf},
    }
  • Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications (2008)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Davide Balzarotti and Giovanni Vigna and Marco Cova and Nenad Jovanovic and Viktoria Felmetsger
    • Security and Privacy
    @INPROCEEDINGS{Cova_ComposingStaticand_2008,
       author = {Christopher Kruegel and Engin Kirda and Davide Balzarotti and Giovanni Vigna and Marco Cova and Nenad Jovanovic and Viktoria Felmetsger},
       title = {Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications},
       booktitle = {Security and Privacy},
       year = {2008},
       month = {5},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Cova_ComposingStaticand_.pdf},
       pages = {15},
       publisher = {IEEE Security and Privacy},
    }
  • TrueClick: Automatically Distinguishing Trick Banners from Genuine Download Links (2014)
    • INPROCEEDINGS
    • Sevtap Duman and Kaan Onarlioglu and Ali Osman Ulusoy and William Robertson and Engin Kirda
    • Annual Computer Security Applications Conference (ACSAC)
    @INPROCEEDINGS{Duman2014TrueClick,
       author = {Sevtap Duman and Kaan Onarlioglu and {Ali Osman} Ulusoy and William Robertson and Engin Kirda},
       title = {TrueClick: Automatically Distinguishing Trick Banners from Genuine Download Links},
       booktitle = {Annual Computer Security Applications Conference (ACSAC)},
       year = {2014},
       month = {12},
       pdf = {https://wkr.io/assets/publications/acsac2014trueclick.pdf},
    }
  • CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms (2010)
    • INPROCEEDINGS
    • Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel
    • 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications
    @INPROCEEDINGS{Egele_CAPTCHASmugglingHijacking_2010,
       author = {Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel},
       authorhotlist = {true},
       title = {CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms},
       booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
       year = {2010},
       month = {3},
    }
  • Dynamic Spyware Analysis (2007)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song
    • Proceedings of the USENIX Annual Technical Conference
    @INPROCEEDINGS{Egele_DynamicSpywareAnalysis_2007,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
       authorhotlist = {true},
       title = {Dynamic Spyware Analysis},
       booktitle = {Proceedings of the USENIX Annual Technical Conference},
       year = {2007},
       month = {6},
    }
  • Mitigating Drive-by Download Attacks: Challenges and Open Problems (2009)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Manuel Egele
    • Open Research Problems in Network Security Workshop
    @INPROCEEDINGS{Egele_MitigatingDrivebyDownload_2009,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
       authorhotlist = {true},
       title = {Mitigating Drive-by Download Attacks: Challenges and Open Problems},
       booktitle = {Open Research Problems in Network Security Workshop},
       year = {2009},
       month = {4},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Egele_MitigatingDrivebyDownload_2009.pdf},
       publisher = {iNetSec 2009},
       note = {Zurich},
    }
  • Prospex: Protocol Specification Extraction (2009)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Manuel Egele
    • 18th European Institute for Computer Antivirus Research
    @INPROCEEDINGS{Egele_ProspexProtocolSpecification_2009,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
       title = {Prospex: Protocol Specification Extraction},
       booktitle = {18th European Institute for Computer Antivirus Research},
       year = {2009},
       month = {5},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Egele_ProspexProtocolSpecification_2009.pdf},
       publisher = {EICAR 2009 Annual Conference},
       note = {Berlin},
    }
  • Removing Web Spam Links from Search Engine Results (2009)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Manuel Egele
    • 31st International Conference on Software Engineering (ICSE)
    @INPROCEEDINGS{Egele_RemovingWebSpam_2009,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
       authorhotlist = {true},
       title = {Removing Web Spam Links from Search Engine Results},
       booktitle = {31st International Conference on Software Engineering (ICSE)},
       year = {2009},
       month = {5},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Egele_RemovingWebSpam_2009.pdf},
       publisher = {IEEE Computer Society},
       note = {Vancouver, Canada},
    }
  • Using Static Program Analysis to Aid Intrusion Detection (2006)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Manuel Egele and Martin Szydlowski
    • Proceedings of Detection of Intrusions and Malware and Vulnerability Assessment
    @INPROCEEDINGS{Egele_UsingStaticProgram_2006,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Martin Szydlowski},
       title = {Using Static Program Analysis to Aid Intrusion Detection},
       booktitle = {Proceedings of Detection of Intrusions and Malware and Vulnerability Assessment},
       year = {2006},
       month = {7},
       abstract = {The Internet, and in particular the world-wide web, have become part of the everyday life of millions of people. With the growth of the web, the demand for on-line services rapidly increased. Today, whole industry branches rely on the Internet to do business. Unfortunately, the success of the web has recently been overshadowed by frequent reports of security breaches. Attackers have discovered that poorly written web applications are the Achilles heel of many organizations. The reason is that these applications are directly available through firewalls and are often developed by programmers who focus on features and tight schedules instead of security. In previous work, we developed an anomaly-based intrusion detection system that uses learning techniques to identify attacks against web-based applications. That system focuses on the analysis of the request parameters in client queries, but does not take into account any information about the protected web applications themselves. The result are imprecise models that lead to more false positives and false negatives than necessary. In this paper, we describe a novel static source code analysis approach for PHP that allows us to incorporate information about a web application into the intrusion detection models. The goal is to obtain a more precise characterization of web request parameters by analyzing their usage by the program. This allows us to generate more precise intrusion detection models. In particular, our analysis allows us to determine the names of request parameters expected by a program and provides information about their types, structure, or even concrete value sets. Our experimental evaluation demonstrates that the information derived statically from web applications closely characterizes the parameter values observed in real-world traffic.},
    }
    The Internet, and in particular the world-wide web, have become part of the everyday life of millions of people. With the growth of the web, the demand for on-line services rapidly increased. Today, whole industry branches rely on the Internet to do business. Unfortunately, the success of the web has recently been overshadowed by frequent reports of security breaches. Attackers have discovered that poorly written web applications are the Achilles heel of many organizations. The reason is that these applications are directly available through firewalls and are often developed by programmers who focus on features and tight schedules instead of security. In previous work, we developed an anomaly-based intrusion detection system that uses learning techniques to identify attacks against web-based applications. That system focuses on the analysis of the request parameters in client queries, but does not take into account any information about the protected web applications themselves. The result are imprecise models that lead to more false positives and false negatives than necessary. In this paper, we describe a novel static source code analysis approach for PHP that allows us to incorporate information about a web application into the intrusion detection models. The goal is to obtain a more precise characterization of web request parameters by analyzing their usage by the program. This allows us to generate more precise intrusion detection models. In particular, our analysis allows us to determine the names of request parameters expected by a program and provides information about their types, structure, or even concrete value sets. Our experimental evaluation demonstrates that the information derived statically from web applications closely characterizes the parameter values observed in real-world traffic.
  • On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users (2015)
    • INPROCEEDINGS
    • Yanick Fratantonio and Antonio Bianchi and William Robertson and Manuel Egele and Christopher Kruegel and Engin Kirda and Giovanni Vigna
    • 12th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)
    @INPROCEEDINGS{Fratantonio2015Security,
       author = {Yanick Fratantonio and Antonio Bianchi and William Robertson and Manuel Egele and Christopher Kruegel and Engin Kirda and Giovanni Vigna},
       title = {On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users},
       booktitle = {12th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)},
       year = {2015},
       month = {7},
       pdf = {http://seclab.ccs.neu.edu/static/publications/dimva2015android.pdf},
    }
  • Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). (2006)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Nenad Jovanovic
    • Proceedings of the IEEE Symposium on Security and Privacy 2006
    @INPROCEEDINGS{Jovanovic_PixyStaticAnalysis_2006,
       author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
       authorhotlist = {true},
       title = {Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper).},
       booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2006},
       year = {2006},
       month = {5},
       publisher = {IEEE Computer Society Press},
    }
  • Preventing Cross Site Request Forgery Attacks (2006)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Nenad Jovanovic
    • In Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)
    @INPROCEEDINGS{Jovanovic_PreventingCrossSite_2006,
       author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
       authorhotlist = {true},
       title = {Preventing Cross Site Request Forgery Attacks},
       booktitle = {In Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)},
       year = {2006},
       month = {8},
       abstract = {The web has become an indispensable part of our lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting web applications and web-based information systems. Previous work in the field of web application security has mainly focused on the mitigation of Cross Site Scripting (XSS) and SQL injection attacks. In contrast, Cross Site Request Forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by web application developers. As a result, there exist many web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source web applications, without negatively affecting their behavior.},
    }
    The web has become an indispensable part of our lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting web applications and web-based information systems. Previous work in the field of web application security has mainly focused on the mitigation of Cross Site Scripting (XSS) and SQL injection attacks. In contrast, Cross Site Request Forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by web application developers. As a result, there exist many web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source web applications, without negatively affecting their behavior.
  • Static analysis for detecting taint-style vulnerabilities in web applications (2010)
    • ARTICLE
    • Nenad Jovanovic and Christopher Kruegel and Engin Kirda
    • Journal of Computer Security
    @ARTICLE{Jovanovic_Static_analysis_for_detecting__2010,
       author = {Nenad Jovanovic and Christopher Kruegel and Engin Kirda},
       title = {Static analysis for detecting taint-style vulnerabilities in web applications},
       journal = {Journal of Computer Security},
       year = {2010},
       volume = {18},
    }
  • SecuBat: A Web Vulnerability Scanner (2006)
    • INPROCEEDINGS
    • Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals
    • Proceedings of The 15th International World Wide Web Conference (WWW 2006)
    @INPROCEEDINGS{Kals_SecuBatWebVulnerability_2006,
       author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals},
       authorhotlist = {true},
       title = {SecuBat: A Web Vulnerability Scanner},
       booktitle = {Proceedings of The 15th International World Wide Web Conference (WWW 2006)},
       year = {2006},
       month = {5},
       abstract = {As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.},
    }
    As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.
  • Optical Delusions: A Study of Malicious QR Codes in the Wild (2014)
    • INPROCEEDINGS--
    • Amin Kharraz and Engin Kirda and William Robertson and Davide Balzarotti and Aurelien Francillon
    • International Conference on Dependable Systems and Networks (DSN)
    @INPROCEEDINGS{Kharraz2014Optical,
       author = {Amin Kharraz and Engin Kirda and William Robertson and Davide Balzarotti and Aurelien Francillon},
       title = {Optical Delusions: A Study of Malicious QR Codes in the Wild},
       booktitle = {International Conference on Dependable Systems and Networks (DSN)},
       year = {2014},
       month = {6},
       pdf = {http://s3.eurecom.fr/docs/dsn14_amin.pdf},
    }
  • Behavior-Based Spyware Detection (2006)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks
    • Proceedings of USENIX Security 06
    @INPROCEEDINGS{Kirda_BehaviorBasedSpywareDetection_2006,
       author = {Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks},
       authorhotlist = {true},
       title = {Behavior-Based Spyware Detection},
       booktitle = {Proceedings of USENIX Security 06},
       year = {2006},
       month = {8},
    }
  • Extending .NET Security to Unmanaged Code (2006)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Giovanni Vigna and Patrick Klinkoff
    • In Proceedings of the 9th Information Security Conference (ISC 2006)
    @INPROCEEDINGS{Klinkoff_Extending_NETSecurity_2006,
       author = {Christopher Kruegel and Engin Kirda and Giovanni Vigna and Patrick Klinkoff},
       title = {Extending .NET Security to Unmanaged Code},
       booktitle = {In Proceedings of the 9th Information Security Conference (ISC 2006)},
       year = {2006},
       month = {9},
    }
  • Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries (2010)
    • INPROCEEDINGS-true
    • Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda
    • IEEE Security and Privacy 2010
    @INPROCEEDINGS{Kolbitsch_AutomatedExtraction_2010,
       author = {Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda},
       authorhotlist = {true},
       title = {Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries},
       booktitle = {IEEE Security and Privacy 2010},
       year = {2010},
       month = {1},
    }
  • Effective and Efficient Malware Detection at the End Host (2009)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang
    • in USENIX Security 09
    @INPROCEEDINGS{Kolbitsch_EffectiveandEfficient_2009,
       author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang},
       authorhotlist = {true},
       title = {Effective and Efficient Malware Detection at the End Host},
       booktitle = {in USENIX Security 09},
       year = {2009},
       month = {8},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Kolbitsch_EffectiveandEfficient_2009.pdf},
       note = {Canada, August 2009},
    }
  • Extending Mondrian Memory Protection (2010)
    • INPROCEEDINGS--
    • Clemens Kolbitsch and Christopher Kruegel and Engin Kirda
    • NATO RTO IST-091 Symposium
    @INPROCEEDINGS{Kolbitsch_Extending_Mondrian_Memory_Prot_2010,
       author = {Clemens Kolbitsch and Christopher Kruegel and Engin Kirda},
       title = {Extending Mondrian Memory Protection},
       booktitle = {NATO RTO IST-091 Symposium},
       year = {2010},
       month = {4},
    }
  • AccessMiner: Using System-Centric Models for Malware Protection (2010)
    • INPROCEEDINGS-true
    • Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda
    • 17th ACM Conference on Computer and Communications Security (CCS)
    @INPROCEEDINGS{Lanzi_AccessMiner_Using_System_Centr_2010,
       author = {Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda},
       authorhotlist = {true},
       title = {AccessMiner: Using System-Centric Models for Malware Protection},
       booktitle = {17th ACM Conference on Computer and Communications Security (CCS)},
       year = {2010},
       month = {10},
    }
  • Honeybot, Your Man in the Middle for Automated Social Engineering (2010)
    • INPROCEEDINGS-true
    • Tobias Lauinger and Veikko Pankakoski and Davide Balzarotti and Engin Kirda
    • Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2010)
    @INPROCEEDINGS{Lauinger_Honeybot2010,
       author = {Tobias Lauinger and Veikko Pankakoski and Davide Balzarotti and Engin Kirda},
       authorhotlist = {true},
       title = {Honeybot, Your Man in the Middle for Automated Social Engineering},
       booktitle = {Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2010)},
       year = {2010},
       month = {4},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/autosoc-leet2010.pdf},
    }
  • A Look at Targeted Attacks through the Lense of an NGO (2014)
    • INPROCEEDINGS--
    • Stevens Le Blond and Adina Uritesc and Cedric Gilbert and Zheng Leong Chua and Prateek Saxena and Engin Kirda
    • USENIX Security Symposium
    @INPROCEEDINGS{LeBlond2014Look,
       author = {Stevens {Le Blond} and Adina Uritesc and Cedric Gilbert and {Zheng Leong} Chua and Prateek Saxena and Engin Kirda},
       title = {A Look at Targeted Attacks through the Lense of an NGO},
       booktitle = {USENIX Security Symposium},
       year = {2014},
       month = {8},
       pdf = {https://www.mpi-sws.org/~stevens/pubs/sec14.pdf},
    }
  • Exploiting diverse observation perspectives to get insights on the malware landscape (2010)
    • INPROCEEDINGS-true
    • Engin Kirda and Ulrich Bayer and Corrado Leita
    • Dependable Systems and Networks (DSN) 2010 IEEE IFIP International Conference on
    @INPROCEEDINGS{leita2010exploiting,
       author = {Engin Kirda and Ulrich Bayer and Corrado Leita},
       authorhotlist = {true},
       title = {Exploiting diverse observation perspectives to get insights on the malware landscape},
       booktitle = {Dependable Systems and Networks (DSN) 2010 IEEE IFIP International Conference on},
       year = {2010},
       month = {1},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/dsn2010.pdf},
       pages = {393--402},
    }
  • The Leurre.com Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet (2008)
    • INPROCEEDINGS--
    • Engin Kirda and Corrado Leita and Marc Dacier and Olivier Thonnard and Fabian Pouget and Van Hau Pham and Eduardo Ramirez-Silva
    • In Proceedings of the 1st WOMBAT workshop
    @INPROCEEDINGS{Leita_LeurrecomProjectCollecting_2008,
       author = {Engin Kirda and Corrado Leita and Marc Dacier and Olivier Thonnard and Fabian Pouget and {Van Hau} Pham and Eduardo Ramirez-Silva},
       title = {The Leurre.com Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet},
       booktitle = {In Proceedings of the 1st WOMBAT workshop},
       year = {2008},
       month = {4},
       publisher = {IEEE Computer Society},
    }
  • On the Effectiveness of Techniques to Detect Phishing Sites (2007)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Sean McAllister and Christian Ludl
    • Proceedings of the Conference on the Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA).
    @INPROCEEDINGS{Ludl_EffectivenessofTechniques_2007,
       author = {Christopher Kruegel and Engin Kirda and Sean McAllister and Christian Ludl},
       title = {On the Effectiveness of Techniques to Detect Phishing Sites},
       booktitle = {Proceedings of the Conference on the Detection of Intrusions and Malware \& Vulnerability Assessment (DIMVA).},
       year = {2007},
       month = {1},
       abstract = {Phishing is an electronic online identity theft in which the attackers use a combination of social engineering and web site spoofing techniques to trick a user into revealing confidential information. This information is typically used to make an illegal economic profit (e.g., by online banking transactions, purchase of goods using stolen credentials, etc.). Although simple, phishing attacks are remarkably effective. As a result, the numbers of successful phishing attacks have been continuously increasing and many anti-phishing solutions have been proposed. One popular and widely-deployed solution is the integration of blacklist-based anti-phishing techniques into browsers. However, it is currently unclear how effective such blacklisting approaches are in mitigating phishing attacks in real-life. In this paper, we report our findings on analyzing the effectiveness of two popular anti-phishing solutions. Over a period of three weeks, we automatically tested the effectiveness of the blacklists maintained by Google and Microsoft with 10,000 phishing URLs. Furthermore, by analyzing a large number of phishing pages, we explored the existence of page properties that can be used to identify phishing pages.},
    }
    Phishing is an electronic online identity theft in which the attackers use a combination of social engineering and web site spoofing techniques to trick a user into revealing confidential information. This information is typically used to make an illegal economic profit (e.g., by online banking transactions, purchase of goods using stolen credentials, etc.). Although simple, phishing attacks are remarkably effective. As a result, the numbers of successful phishing attacks have been continuously increasing and many anti-phishing solutions have been proposed. One popular and widely-deployed solution is the integration of blacklist-based anti-phishing techniques into browsers. However, it is currently unclear how effective such blacklisting approaches are in mitigating phishing attacks in real-life. In this paper, we report our findings on analyzing the effectiveness of two popular anti-phishing solutions. Over a period of three weeks, we automatically tested the effectiveness of the blacklists maintained by Google and Microsoft with 10,000 phishing URLs. Furthermore, by analyzing a large number of phishing pages, we explored the existence of page properties that can be used to identify phishing pages.
  • Expanding Human Interactions for In-Depth Testing of Web Applications (2008)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Sean McAllister
    • 11th Symposium on Recent Advances in Intrusion Detection (RAID), Boston, MA
    @INPROCEEDINGS{McAllister_ExpandingHumanInteractions_2008,
       author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
       title = {Expanding Human Interactions for In-Depth Testing of Web Applications},
       booktitle = {11th Symposium on Recent Advances in Intrusion Detection (RAID), Boston, MA},
       year = {2008},
       month = {9},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/McAllister_ExpandingHumanInteractions_2008.pdf},
    }
  • Visual-Similarity-Based Phishing Detection (2008)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Eric Medvet
    • IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks
    @INPROCEEDINGS{Medvet_VisualSimilarityBasedPhishing_2008,
       author = {Christopher Kruegel and Engin Kirda and Eric Medvet},
       title = {Visual-Similarity-Based Phishing Detection},
       booktitle = {IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks},
       year = {2008},
       month = {9},
    }
  • Exploring Multiple Execution Paths for Malware Analysis (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Andreas Moser
    • Proceedings of the IEEE Symposium on Security and Privacy 2007
    @INPROCEEDINGS{Moser_ExploringMultipleExecution_2007,
       author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
       authorhotlist = {true},
       title = {Exploring Multiple Execution Paths for Malware Analysis},
       booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2007},
       year = {2007},
       month = {5},
       abstract = {Malicious code or malware is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked. The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.},
       publisher = {IEEE Computer Society Press},
    }
    Malicious code or malware is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked. The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.
  • Limits of Static Analysis for Malware Detection (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Andreas Moser
    • Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007
    @INPROCEEDINGS{Moser_LimitsofStatic_2007,
       author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
       authorhotlist = {true},
       title = {Limits of {S}tatic {A}nalysis for {M}alware {D}etection},
       booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
       year = {2007},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Moser_LimitsofStatic_2007.pdf},
    }
  • Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces (2014)
    • INPROCEEDINGS--
    • Collin Mulliner and William Robertson and Engin Kirda
    • IEEE Symposium on Security and Privacy (S&P)
    @INPROCEEDINGS{Mulliner2014Hidden,
       author = {Collin Mulliner and William Robertson and Engin Kirda},
       title = {Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces},
       booktitle = {IEEE Symposium on Security and Privacy (S\&P)},
       year = {2014},
       month = {5},
       pdf = {http://seclab.ccs.neu.edu/static/publications/sp2014gemminer.pdf},
       link_slides = {http://mulliner.org/collin/academic/publications/hiddengems.pdf},
    }
  • VirtualSwindle: An Automated Attack Against In-App Billing on Android (2014)
    • INPROCEEDINGS--
    • Collin Mulliner and William Robertson and Engin Kirda
    • ACM Symposium on Information, Computer and Communications Security (ASIACCS)
    @INPROCEEDINGS{Mulliner2014VirtualSwindle,
       author = {Collin Mulliner and William Robertson and Engin Kirda},
       title = {VirtualSwindle: An Automated Attack Against In-App Billing on Android},
       booktitle = {ACM Symposium on Information, Computer and Communications Security (ASIACCS)},
       year = {2014},
       month = {6},
       pdf = {http://www.mulliner.org/collin/academic/publications/asia226-mulliner.pdf},
    }
  • G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries (2010)
    • INPROCEEDINGS-true
    • Kaan Onarlioglu and Leyla Bilge and Andrea Lanzi and Davide Balzarotti and Engin Kirda
    • 26th Annual Computer Security Applications Conference (ACSAC)
    @INPROCEEDINGS{Onarlioglu_G_Free_Defeating_Return_Orient_2010,
       author = {Kaan Onarlioglu and Leyla Bilge and Andrea Lanzi and Davide Balzarotti and Engin Kirda},
       authorhotlist = {true},
       title = {G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries},
       booktitle = {26th Annual Computer Security Applications Conference (ACSAC)},
       year = {2010},
       month = {12},
    }
  • Building Anti-Phishing Browser Plug-Ins: An Experience Report (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Thomas Raffetseder
    • Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE)
    @INPROCEEDINGS{Raffetseder_BuildingAntiPhishingBrowser_2007,
       author = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
       authorhotlist = {true},
       title = {Building Anti-Phishing Browser Plug-Ins: An Experience Report},
       booktitle = {Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE)},
       year = {2007},
       month = {5},
       publisher = {IEEE Computer Society Press},
    }
  • Detecting System Emulators (2007)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Thomas Raffetseder
    • Proceedings of the Information Security Conference (ISC)
    @INPROCEEDINGS{Raffetseder_DetectingSystemEmulators_2007,
       author = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
       title = {Detecting System Emulators},
       booktitle = {Proceedings of the Information Security Conference (ISC)},
       year = {2007},
       month = {10},
    }
  • A Layout-Similarity-Based Approach for Detecting Phishing Pages (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi
    • Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm).
    @INPROCEEDINGS{Rosiello_LayoutSimilarityBasedApproachDetecting_2007,
       author = {Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi},
       authorhotlist = {true},
       title = {A Layout-Similarity-Based Approach for Detecting Phishing Pages},
       booktitle = {Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm).},
       year = {2007},
       month = {1},
    }
  • Overbot - A botnet protocol based on Kademlia (2008)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Guenther Starnberger
    • 4th International Conference on Security and Privacy in Communication Networks (SecureComm)
    @INPROCEEDINGS{Starnberger_Overbotbotnet_2008,
       author = {Christopher Kruegel and Engin Kirda and Guenther Starnberger},
       authorhotlist = {true},
       title = {Overbot - A botnet protocol based on Kademlia},
       booktitle = {4th International Conference on Security and Privacy in Communication Networks (SecureComm)},
       year = {2008},
       month = {9},
       publisher = {Istanbul, Turkey},
    }
  • FIRE: FInding Rogue nEtworks (2009)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almaroth and Brett Stone-Gross
    • 25th Annual Computer Security Applications Conference (ACSAC)
    @INPROCEEDINGS{StoneGross_FIREFIndingRogue_2009,
       author = {Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almaroth and Brett Stone-Gross},
       authorhotlist = {true},
       title = {FIRE: FInding Rogue nEtworks},
       booktitle = {25th Annual Computer Security Applications Conference (ACSAC)},
       year = {2009},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/StoneGross_FIREFIndingRogue_2009.pdf},
    }
  • Secure Input for Web Applications (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Martin Szydlowski
    • Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007
    @INPROCEEDINGS{Szydlowski_SecureInputWeb_2007,
       author = {Christopher Kruegel and Engin Kirda and Martin Szydlowski},
       authorhotlist = {true},
       title = {Secure {I}nput for {W}eb {A}pplications},
       booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
       year = {2007},
       month = {12},
    }
  • Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt
    • In Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007)
    @INPROCEEDINGS{Vogt_CrossSiteScripting_2007,
       author = {Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt},
       authorhotlist = {true},
       title = {Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis},
       booktitle = {In Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007)},
       year = {2007},
       month = {2},
    }
  • ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities (2015)
    • INPROCEEDINGS--
    • Michael Weissbacher and William Robertson and Engin Kirda and Christopher Kruegel and Giovanni Vigna
    • 24th Usenix Security Symposium
    @INPROCEEDINGS{Weissbacher2015ZigZag,
       author = {Michael Weissbacher and William Robertson and Engin Kirda and Christopher Kruegel and Giovanni Vigna},
       title = {ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities},
       booktitle = {24th Usenix Security Symposium},
       year = {2015},
       month = {8},
       pdf = {http://seclab.ccs.neu.edu/static/publications/sec2015zigzag.pdf},
    }
  • Automatic Network Protocol Analysis (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek
    • Proceedings of the Network and Distributed System Security Symposium Conference (NDSS), San Diego 2007
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2007,
       author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek},
       authorhotlist = {true},
       title = {Automatic {N}etwork {P}rotocol {A}nalysis},
       booktitle = {Proceedings of the {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium {C}onference ({NDSS}), {S}an {D}iego 2007},
       year = {2007},
       month = {1},
    }
  • Automatic Network Protocol Analysis (2008)
    • INPROCEEDINGS-true
    • Gilbert Wondracek and Paolo Milani Comparetti and Christopher Kruegel and Engin Kirda
    • 15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2008,
       author = {Gilbert Wondracek and Paolo Milani Comparetti and Christopher Kruegel and Engin Kirda},
       authorhotlist = {true},
       title = {Automatic Network Protocol Analysis},
       booktitle = {15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008},
       year = {2008},
       month = {1},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/ce-kirden-080215.pdf},
    }
  • Is the Internet for Porn? An Insight into the Online Adult Industry (2010)
    • INPROCEEDINGS-true
    • Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel
    • Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010)
    @INPROCEEDINGS{Wondracek_InternetPorn2010,
       author = {Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel},
       authorhotlist = {true},
       title = {Is the Internet for Porn? An Insight into the Online Adult Industry},
       booktitle = {Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010)},
       year = {2010},
       month = {6},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/weis2010_wondracek.pdf},
    }
  • Automatically Generating Models for Botnet Detection (2009)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel
    • 14th European Symposium on Research in Computer Security (ESORICS 2009)
    @INPROCEEDINGS{Wurzinger_AutomaticallyGeneratingModels_2009,
       author = {Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel},
       authorhotlist = {true},
       title = {Automatically Generating Models for Botnet Detection},
       booktitle = {14th European Symposium on Research in Computer Security (ESORICS 2009)},
       year = {2009},
       month = {9},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Wurzinger_AutomaticallyGeneratingModels_2009.pdf},
       note = {14th European Symposium on Research in Computer Security (ESORICS 2009), Saint Malo, Brittany, France},
    }
  • SWAP: Mitigating XSS Attacks using a Reverse Proxy (2009)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger
    • The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE
    @INPROCEEDINGS{Wurzinger_SWAPMitigatingXSS_2009,
       author = {Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger},
       authorhotlist = {true},
       title = {SWAP: Mitigating XSS Attacks using a Reverse Proxy},
       booktitle = {The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE},
       year = {2009},
       month = {5},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/Wurzinger_SWAPMitigatingXSS_2009.pdf},
       publisher = {IEEE Computer Society},
    }
  • Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis (2007)
    • INPROCEEDINGS-true
    • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song
    • Proceedings of the 14th ACM Conference on Computer and Communications Security
    @INPROCEEDINGS{Yin_PanoramaCapturingSystemwide_2007,
       author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
       authorhotlist = {true},
       title = {Panorama: {C}apturing {S}ystem-wide {I}nformation {F}low for {M}alware {D}etection and {A}nalysis},
       booktitle = {Proceedings of the 14th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity},
       year = {2007},
       month = {11},
    }
  • An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages (2012)
    • INPROCEEDINGS--
    • Theodoor Scholte and Davide Balzarotti and William K Robertson and Engin Kirda
    • 27th ACM Symposium On Applied Computing (SAC)
    @INPROCEEDINGS{_An_Empirical_Analysis_of_Input_2012,
       author = {Theodoor Scholte and Davide Balzarotti and William K Robertson and Engin Kirda},
       title = {An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages},
       booktitle = {27th ACM Symposium On Applied Computing (SAC)},
       year = {2012},
       month = {3},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/paper_sac2012_theo.pdf},
    }
  • A Security Analysis of Amazon's Elastic Compute Cloud Service (2012)
    • INPROCEEDINGS--
    • Marco Balduzzi and Jonnas Zaddach and Davide Balzarotti and Engin Kirda and Sergio Loureiro
    • 27th ACM Symposium On Applied Computing (SAC)
    @INPROCEEDINGS{_A_Security_Analysis_of_Amazon__2012,
       author = {Marco Balduzzi and Jonnas Zaddach and Davide Balzarotti and Engin Kirda and Sergio Loureiro},
       title = {A Security Analysis of Amazon's Elastic Compute Cloud Service},
       booktitle = {27th ACM Symposium On Applied Computing (SAC)},
       year = {2012},
       month = {3},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/securecloud.pdf},
    }
  • A Survey on Automated Dynamic Malware Analysis Techniques and Tools (2012)
    • ARTICLE--
    • Manuel Egele and Theodoor Scholte and Engin Kirda and Christopher Kruegel
    • ACM Computing Surveys Journal
    @ARTICLE{_A_Survey_on_Automated_Dynamic__2012,
       author = {Manuel Egele and Theodoor Scholte and Engin Kirda and Christopher Kruegel},
       title = {A Survey on Automated Dynamic Malware Analysis Techniques and Tools},
       journal = {ACM Computing Surveys Journal},
       year = {2012},
       month = {2},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/malware_survey.pdf},
       volume = {44},
       number = {2},
    }
  • Disclosure: Detecting Botnet Command and Control Servers Through Large Scale NetFlow Analysis (2012)
    • INPROCEEDINGS--
    • Leyla Bilge and Davide Balzarotti and William K Robertson and Christopher Kruegel and Engin Kirda
    • Annual Computer Security Applications
    @INPROCEEDINGS{_Disclosure_Detecting_Botnet_Co_2012,
       author = {Leyla Bilge and Davide Balzarotti and William K Robertson and Christopher Kruegel and Engin Kirda},
       title = {Disclosure: Detecting Botnet Command and Control Servers Through Large Scale NetFlow Analysis},
       booktitle = {Annual Computer Security Applications},
       year = {2012},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/acsac12_disclosure.pdf},
    }
  • Insights into User Behavior in Dealing with Internet Attacks (2012)
    • INPROCEEDINGS--
    • Kaan Onarlioglu and Utku Ozan Yilmaz and Engin Kirda and Davide Balzarotti
    • 19th Annual Network and Distributed System Security Symposium (NDSS 2012)
    @INPROCEEDINGS{_Insights_into_User_Behavior_in_2012,
       author = {Kaan Onarlioglu and Utku Ozan Yilmaz and Engin Kirda and Davide Balzarotti},
       title = {Insights into User Behavior in Dealing with Internet Attacks},
       booktitle = {19th Annual Network and Distributed System Security Symposium (NDSS 2012)},
       year = {2012},
       month = {2},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/onarlioglu_ndss12.pdf},
    }
  • Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis (2012)
    • INPROCEEDINGS--
    • Theodoor Scholte and William K Robertson and Davide Balzarotti and Engin Kirda
    • 36th IEEE Conference on Computers, Software, and Applications (COMPSAC)
    @INPROCEEDINGS{_Preventing_Input_Validation_Vu_2012,
       author = {Theodoor Scholte and William K Robertson and Davide Balzarotti and Engin Kirda},
       title = {Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis},
       booktitle = {36th IEEE Conference on Computers, Software, and Applications (COMPSAC)},
       year = {2012},
       month = {7},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/compsac-scholte.pdf},
    }
  • PUBCRAWL: Protecting Users and Businesses from CRAWLers (2012)
    • INPROCEEDINGS--
    • Gregoire Jacob and Engin Kirda and Christopher Kruegel and Giovanni Vigna
    • 21st Usenix Security Symposium
    @INPROCEEDINGS{_PUBCRAWL_Protecting_Users_and__2012,
       author = {Gregoire Jacob and Engin Kirda and Christopher Kruegel and Giovanni Vigna},
       title = {PUBCRAWL: Protecting Users and Businesses from CRAWLers},
       booktitle = {21st Usenix Security Symposium},
       year = {2012},
       month = {8},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/usenix12_pubcrawl.pdf},
    }
