Engin Kirda

Engin Kirda is a key researcher at SBA Research and Professor at Northeastern University, Boston.

  • Phone: +43 (1) 505 36 88
  • Fax: +43 (1) 505 88 88

Research Interests

His current research interests are in systems, software and network security (with a focus on Web security, binary analysis, and malware detection). Before that, he was mainly interested in distributed systems, software engineering and software architectures.

Bio

Currently, he is Professor at the College of Computer and Information Science and the Department of Electrical and Computer Engineering of Northeastern University in Boston. He is also Director of the Northeastern Information Assurance Institute.

Previously, he was tenured faculty at Institute Eurecom (Graduate School and Research Center) on the French Riviera and, before that, faculty at TU Wien, where he co-founded the Secure Systems Lab. The lab has now become international and is distributed over five institutions and geographical locations.

For more information please see http://www.iseclab.org/people/ek/.

Publications

  • Kaan Onarlioglu and Leyla Bilge and Andrea Lanzi and Davide Balzarotti and Engin Kirda, "G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries," in 26th Annual Computer Security Applications Conference (ACSAC), 2010. BibTeX
    @INPROCEEDINGS{Onarlioglu_G_Free_Defeating_Return_Orient_2010,
      Author = {Kaan Onarlioglu and Leyla Bilge and Andrea Lanzi and Davide Balzarotti and Engin Kirda},
      title = {G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries},
      booktitle = {26th Annual Computer Security Applications Conference (ACSAC)},
      year = {2010},
      month = {12},
      }
  • Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna, "Efficient Detection of Split Personalities in Malware," in 17th Annual Network and Distributed System Security Symposium (NDSS 2010), 2010. BibTeX
    @INPROCEEDINGS{Balzarotti_Efficient_Detection_of_Split_P_2010,
      Author = {Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna},
      title = {Efficient Detection of Split Personalities in Malware},
      booktitle = {17th Annual Network and Distributed System Security Symposium (NDSS 2010)},
      year = {2010},
      month = {2},
      }
  • Engin Kirda and Ulrich Bayer and Corrado Leita, "Exploiting diverse observation perspectives to get insights on the malware landscape," in Dependable Systems and Networks (DSN) 2010 IEEE IFIP International Conference on, 2010, pp. 393-402. BibTeX | PDF
    @INPROCEEDINGS{leita2010exploiting,
      Author = {Engin Kirda and Ulrich Bayer and Corrado Leita},
      title = {Exploiting diverse observation perspectives to get insights on the malware landscape},
      booktitle = {Dependable Systems and Networks (DSN) 2010 IEEE IFIP International Conference on},
      year = {2010},
      month = {1},
      pdf = {dsn2010.pdf},
      pages = {393--402},
      }
  • Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda, "AccessMiner: Using System-Centric Models for Malware Protection," in 17th ACM Conference on Computer and Communications Security (CCS), 2010. BibTeX
    @INPROCEEDINGS{Lanzi_AccessMiner_Using_System_Centr_2010,
      Author = {Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda},
      title = {AccessMiner: Using System-Centric Models for Malware Protection},
      booktitle = {17th ACM Conference on Computer and Communications Security (CCS)},
      year = {2010},
      month = {10},
      }
  • Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda, "Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries," in IEEE Security and Privacy 2010, 2010. BibTeX
    @INPROCEEDINGS{Kolbitsch_AutomatedExtraction_2010,
      Author = {Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda},
      title = {Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries},
      booktitle = {IEEE Security and Privacy 2010},
      year = {2010},
      month = {1},
      }
  • Ulrich Bayer and Engin Kirda and Christopher Kruegel, "Improving the Efficiency of Dynamic Malware Analysis," in 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010. BibTeX | PDF
    @INPROCEEDINGS{Bayer_ImprovingEfficiencyof_2010,
      Author = {Ulrich Bayer and Engin Kirda and Christopher Kruegel},
      title = {Improving the Efficiency of Dynamic Malware Analysis},
      booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
      year = {2010},
      month = {3},
      pdf = {Bayer_ImprovingEfficiencyof_2010.pdf},
      note = {Lausanne, Switzerland},
      }
  • Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel, "CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms," in 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010. BibTeX
    @INPROCEEDINGS{Egele_CAPTCHASmugglingHijacking_2010,
      Author = {Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel},
      title = {CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms},
      booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
      year = {2010},
      month = {3},
      }
  • Tobias Lauinger and Veikko Pankakoski and Davide Balzarotti and Engin Kirda, "Honeybot, Your Man in the Middle for Automated Social Engineering," in Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2010), 2010. BibTeX | PDF
    @INPROCEEDINGS{Lauinger_Honeybot2010,
      Author = {Tobias Lauinger and Veikko Pankakoski and Davide Balzarotti and Engin Kirda},
      title = {Honeybot, Your Man in the Middle for Automated Social Engineering},
      booktitle = {Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2010)},
      year = {2010},
      month = {4},
      pdf = {autosoc-leet2010.pdf},
      }
  • Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel, "Is the Internet for Porn? An Insight into the Online Adult Industry," in Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010), 2010. BibTeX | PDF
    @INPROCEEDINGS{Wondracek_InternetPorn2010,
      Author = {Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel},
      title = {Is the Internet for Porn? An Insight into the Online Adult Industry},
      booktitle = {Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010)},
      year = {2010},
      month = {6},
      pdf = {weis2010_wondracek.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel, "Automatically Generating Models for Botnet Detection," in 14th European Symposium on Research in Computer Security (ESORICS 2009), 2009. BibTeX | PDF
    @INPROCEEDINGS{Wurzinger_AutomaticallyGeneratingModels_2009,
      Author = {Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel},
      title = {Automatically Generating Models for Botnet Detection},
      booktitle = {14th European Symposium on Research in Computer Security (ESORICS 2009)},
      year = {2009},
      month = {9},
      pdf = {Wurzinger_AutomaticallyGeneratingModels_2009.pdf},
      note = {14th European Symposium on Research in Computer Security (ESORICS 2009), Saint Malo, Brittany, France},
      }
  • Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger, "SWAP: Mitigating XSS Attacks using a Reverse Proxy," in The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE, 2009. BibTeX | PDF
    @INPROCEEDINGS{Wurzinger_SWAPMitigatingXSS_2009,
      Author = {Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger},
      title = {SWAP: Mitigating XSS Attacks using a Reverse Proxy},
      booktitle = {The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE},
      year = {2009},
      month = {5},
      pdf = {Wurzinger_SWAPMitigatingXSS_2009.pdf},
      publisher = {IEEE Computer Society},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek, "Scalable, Behavior-Based Malware Clustering," in Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), 2009. BibTeX | PDF
    @INPROCEEDINGS{Bayer_ScalableBehaviorBasedMalware_2009,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek},
      title = {Scalable, Behavior-Based Malware Clustering},
      booktitle = {Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)},
      year = {2009},
      month = {1},
      pdf = {Bayer_ScalableBehaviorBasedMalware_2009.pdf},
      }
  • Engin Kirda and Davide Balzarotti and Leyla Bilge and Thorsten Strufe, "All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks," in 18th International World Wide Web Conference, 2009. BibTeX | PDF
    @INPROCEEDINGS{Bilge_AllYourContacts_2009,
      Author = {Engin Kirda and Davide Balzarotti and Leyla Bilge and Thorsten Strufe},
      title = {All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks},
      booktitle = {18th International World Wide Web Conference},
      year = {2009},
      month = {4},
      pdf = {Bilge_AllYourContacts_2009.pdf},
      publisher = {31st International Conference on Software Engineering IEEE Computer Society, Vancouver, Cana},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele, "Mitigating Drive-by Download Attacks: Challenges and Open Problems," in Open Research Problems in Network Security Workshop, 2009. BibTeX | PDF
    @INPROCEEDINGS{Egele_MitigatingDrivebyDownload_2009,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
      title = {Mitigating Drive-by Download Attacks: Challenges and Open Problems},
      booktitle = {Open Research Problems in Network Security Workshop},
      year = {2009},
      month = {4},
      pdf = {Egele_MitigatingDrivebyDownload_2009.pdf},
      publisher = {iNetSec 2009},
      note = {Zurich},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele, "Removing Web Spam Links from Search Engine Results," in 31st International Conference on Software Engineering (ICSE), 2009. BibTeX | PDF
    @INPROCEEDINGS{Egele_RemovingWebSpam_2009,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
      title = {Removing Web Spam Links from Search Engine Results},
      booktitle = {31st International Conference on Software Engineering (ICSE)},
      year = {2009},
      month = {5},
      pdf = {Egele_RemovingWebSpam_2009.pdf},
      publisher = {IEEE Computer Society},
      note = {Vancouver, Canada},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang, "Effective and Efficient Malware Detection at the End Host," in USENIX Security 09, 2009. BibTeX | PDF
    @INPROCEEDINGS{Kolbitsch_EffectiveandEfficient_2009,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang},
      title = {Effective and Efficient Malware Detection at the End Host},
      booktitle = {USENIX Security 09},
      year = {2009},
      month = {8},
      pdf = {Kolbitsch_EffectiveandEfficient_2009.pdf},
      note = {Canada, August 2009},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almeroth and Brett Stone-Gross, "FIRE: FInding Rogue nEtworks," in 25th Annual Computer Security Applications Conference (ACSAC), 2009. BibTeX | PDF
    @INPROCEEDINGS{StoneGross_FIREFIndingRogue_2009,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almeroth and Brett Stone-Gross},
      title = {FIRE: FInding Rogue nEtworks},
      booktitle = {25th Annual Computer Security Applications Conference (ACSAC)},
      year = {2009},
      month = {12},
      pdf = {StoneGross_FIREFIndingRogue_2009.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Guenther Starnberger, "Overbot – A botnet protocol based on Kademlia," in 4th International Conference on Security and Privacy in Communication Networks (SecureComm), 2008. BibTeX
    @INPROCEEDINGS{Starnberger_Overbotbotnet_2008,
      Author = {Christopher Kruegel and Engin Kirda and Guenther Starnberger},
      title = {Overbot - A botnet protocol based on Kademlia},
      booktitle = {4th International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2008},
      month = {9},
      publisher = {Istanbul, Turkey},
      }
  • Gilbert Wondracek and Paolo Milani Comparetti and Christopher Kruegel and Engin Kirda, "Automatic Network Protocol Analysis," in 15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008, 2008. BibTeX | PDF
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2008,
      Author = {Gilbert Wondracek and Paolo Milani Comparetti and Christopher Kruegel and Engin Kirda},
      title = {Automatic Network Protocol Analysis},
      booktitle = {15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008},
      year = {2008},
      month = {1},
      pdf = {ce-kirden-080215.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song, "Dynamic Spyware Analysis," in Proceedings of the USENIX Annual Technical Conference, 2007. BibTeX
    @INPROCEEDINGS{Egele_DynamicSpywareAnalysis_2007,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
      title = {Dynamic Spyware Analysis},
      booktitle = {Proceedings of the USENIX Annual Technical Conference},
      year = {2007},
      month = {6},
      }
  • Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi, "A Layout-Similarity-Based Approach for Detecting Phishing Pages," in Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2007. BibTeX
    @INPROCEEDINGS{Rosiello_LayoutSimilarityBasedApproachDetecting_2007,
      Author = {Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi},
      title = {A Layout-Similarity-Based Approach for Detecting Phishing Pages},
      booktitle = {Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2007},
      month = {1},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek, "Automatic Network Protocol Analysis," in Proceedings of the Network and Distributed System Security Symposium Conference (NDSS), San Diego 2007, 2007. BibTeX
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2007,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek},
      title = {Automatic {N}etwork {P}rotocol {A}nalysis},
      booktitle = {Proceedings of the {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium {C}onference ({NDSS}), {S}an {D}iego 2007},
      year = {2007},
      month = {1},
      }
  • Christopher Kruegel and Engin Kirda and Thomas Raffetseder, "Building Anti-Phishing Browser Plug-Ins: An Experience Report," in Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE), 2007. BibTeX
    @INPROCEEDINGS{Raffetseder_BuildingAntiPhishingBrowser_2007,
      Author = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
      title = {Building Anti-Phishing Browser Plug-Ins: An Experience Report},
      booktitle = {Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE)},
      year = {2007},
      month = {5},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song, "Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis," in Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007. BibTeX
    @INPROCEEDINGS{Yin_PanoramaCapturingSystemwide_2007,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
      title = {Panorama: {C}apturing {S}ystem-wide {I}nformation {F}low for {M}alware {D}etection and {A}nalysis},
      booktitle = {Proceedings of the 14th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity},
      year = {2007},
      month = {11},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser, "Exploring Multiple Execution Paths for Malware Analysis," in Proceedings of the IEEE Symposium on Security and Privacy 2007, 2007. BibTeX
    @INPROCEEDINGS{Moser_ExploringMultipleExecution_2007,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
      title = {Exploring Multiple Execution Paths for Malware Analysis},
      booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2007},
      year = {2007},
      month = {5},
      abstract = {Malicious code or malware is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked. The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser, "Limits of Static Analysis for Malware Detection," in Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007, 2007. BibTeX | PDF
    @INPROCEEDINGS{Moser_LimitsofStatic_2007,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
      title = {Limits of {S}tatic {A}nalysis for {M}alware {D}etection},
      booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
      year = {2007},
      month = {12},
      pdf = {Moser_LimitsofStatic_2007.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt, "Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis," in Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007), 2007. BibTeX
    @INPROCEEDINGS{Vogt_CrossSiteScripting_2007,
      Author = {Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt},
      title = {Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis},
      booktitle = {Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007)},
      year = {2007},
      month = {2},
      }
  • Christopher Kruegel and Engin Kirda and Martin Szydlowski, "Secure Input for Web Applications," in Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007, 2007. BibTeX
    @INPROCEEDINGS{Szydlowski_SecureInputWeb_2007,
      Author = {Christopher Kruegel and Engin Kirda and Martin Szydlowski},
      title = {Secure {I}nput for {W}eb {A}pplications},
      booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
      year = {2007},
      month = {12},
      }
  • Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks, "Behavior-Based Spyware Detection," in Proceedings of USENIX Security 06, 2006. BibTeX
    @INPROCEEDINGS{Kirda_BehaviorBasedSpywareDetection_2006,
      Author = {Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks},
      title = {Behavior-Based Spyware Detection},
      booktitle = {Proceedings of USENIX Security 06},
      year = {2006},
      month = {8},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)," in Proceedings of the IEEE Symposium on Security and Privacy 2006, 2006. BibTeX
    @INPROCEEDINGS{Jovanovic_PixyStaticAnalysis_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
      title = {Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)},
      booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2006},
      year = {2006},
      month = {5},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals, "SecuBat: A Web Vulnerability Scanner," in Proceedings of The 15th International World Wide Web Conference (WWW 2006), 2006. BibTeX
    @INPROCEEDINGS{Kals_SecuBatWebVulnerability_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals},
      title = {SecuBat: A Web Vulnerability Scanner},
      booktitle = {Proceedings of The 15th International World Wide Web Conference (WWW 2006)},
      year = {2006},
      month = {5},
      abstract = {As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic, "Preventing Cross Site Request Forgery Attacks," in Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006. BibTeX
    @INPROCEEDINGS{Jovanovic_PreventingCrossSite_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
      title = {Preventing Cross Site Request Forgery Attacks},
      booktitle = {Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2006},
      month = {8},
      abstract = {The web has become an indispensable part of our lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting web applications and web-based information systems. Previous work in the field of web application security has mainly focused on the mitigation of Cross Site Scripting (XSS) and SQL injection attacks. In contrast, Cross Site Request Forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by web application developers. As a result, there exist many web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source web applications, without negatively affecting their behavior.},
      }

  • Stevens Le Blond and Adina Uritesc and Cedric Gilbert and Zheng Leong Chua and Prateek Saxena and Engin Kirda, "A Look at Targeted Attacks through the Lense of an NGO," in USENIX Security Symposium, 2014. BibTeX | PDF
    @INPROCEEDINGS{LeBlond2014Look,
      Author = {Stevens {Le Blond} and Adina Uritesc and Cedric Gilbert and {Zheng Leong} Chua and Prateek Saxena and Engin Kirda},
      title = {A Look at Targeted Attacks through the Lense of an NGO},
      booktitle = {USENIX Security Symposium},
      year = {2014},
      month = {8},
      pdf = {https://www.mpi-sws.org/~stevens/pubs/sec14.pdf},
      }
  • Leyla Bilge and Sevil Sen and Davide Balzarotti and Engin Kirda and Christopher Kruegel, "EXPOSURE: A Passive DNS Analysis Service to Detect and Report Malicious Domains," ACM Transactions on Information and System Security, 2014. BibTeX | PDF
    @ARTICLE{Bilge2014EXPOSURE,
      Author = {Leyla Bilge and Sevil Sen and Davide Balzarotti and Engin Kirda and Christopher Kruegel},
      title = {EXPOSURE: A Passive DNS Analysis Service to Detect and Report Malicious Domains},
      journal = {ACM Transactions on Information and System Security},
      year = {2014},
      month = {4},
      pdf = {http://seclab.ccs.neu.edu/static/publications/tissec14_exposure.pdf},
      }
  • Sevtap Duman and Kaan Onarlioglu and Ali Osman Ulusoy and William Robertson and Engin Kirda, "TrueClick: Automatically Distinguishing Trick Banners from Genuine Download Links," in Annual Computer Security Applications Conference (ACSAC), 2014. BibTeX | PDF
    @INPROCEEDINGS{Duman2014TrueClick,
      Author = {Sevtap Duman and Kaan Onarlioglu and {Ali Osman} Ulusoy and William Robertson and Engin Kirda},
      title = {TrueClick: Automatically Distinguishing Trick Banners from Genuine Download Links},
      booktitle = {Annual Computer Security Applications Conference (ACSAC)},
      year = {2014},
      month = {12},
      pdf = {https://wkr.io/assets/publications/acsac2014trueclick.pdf},
      }
  • Amin Kharraz and Engin Kirda and William Robertson and Davide Balzarotti and Aurelien Francillon, "Optical Delusions: A Study of Malicious QR Codes in the Wild," in International Conference on Dependable Systems and Networks (DSN), 2014. BibTeX | PDF
    @INPROCEEDINGS{Kharraz2014Optical,
      Author = {Amin Kharraz and Engin Kirda and William Robertson and Davide Balzarotti and Aurelien Francillon},
      title = {Optical Delusions: A Study of Malicious QR Codes in the Wild},
      booktitle = {International Conference on Dependable Systems and Networks (DSN)},
      year = {2014},
      month = {6},
      pdf = {http://s3.eurecom.fr/docs/dsn14_amin.pdf},
      }
  • Collin Mulliner and William Robertson and Engin Kirda, "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces," in IEEE Symposium on Security and Privacy (S&P), 2014. BibTeX | PDF | Slides
    @INPROCEEDINGS{Mulliner2014Hidden,
      Author = {Collin Mulliner and William Robertson and Engin Kirda},
      title = {Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces},
      booktitle = {IEEE Symposium on Security and Privacy (S&P)},
      year = {2014},
      month = {5},
      pdf = {http://seclab.ccs.neu.edu/static/publications/sp2014gemminer.pdf},
      link_slides = {http://mulliner.org/collin/academic/publications/hiddengems.pdf},
      }
  • Collin Mulliner and William Robertson and Engin Kirda, "VirtualSwindle: An Automated Attack Against In-App Billing on Android," in ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2014. BibTeX | PDF
    @INPROCEEDINGS{Mulliner2014VirtualSwindle,
      Author = {Collin Mulliner and William Robertson and Engin Kirda},
      title = {VirtualSwindle: An Automated Attack Against In-App Billing on Android},
      booktitle = {ACM Symposium on Information, Computer and Communications Security (ASIACCS)},
      year = {2014},
      month = {6},
      pdf = {http://www.mulliner.org/collin/academic/publications/asia226-mulliner.pdf},
      }
  • Kaan Onarlioglu and Utku Ozan Yilmaz and Engin Kirda and Davide Balzarotti, "Insights into User Behavior in Dealing with Internet Attacks," in 19th Annual Network and Distributed System Security Symposium (NDSS 2012), 2012. BibTeX | PDF
    @INPROCEEDINGS{_Insights_into_User_Behavior_in_2012,
      Author = {Kaan Onarlioglu and Utku Ozan Yilmaz and Engin Kirda and Davide Balzarotti},
      title = {Insights into User Behavior in Dealing with Internet Attacks},
      booktitle = {19th Annual Network and Distributed System Security Symposium (NDSS 2012)},
      year = {2012},
      month = {2},
      pdf = {onarlioglu_ndss12.pdf},
      }
  • Theodoor Scholte and William K Robertson and Davide Balzarotti and Engin Kirda, "Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis," in 36th IEEE Conference on Computers, Software, and Applications (COMPSAC), 2012. BibTeX | PDF
    @INPROCEEDINGS{_Preventing_Input_Validation_Vu_2012,
      Author = {Theodoor Scholte and William K Robertson and Davide Balzarotti and Engin Kirda},
      title = {Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis},
      booktitle = {36th IEEE Conference on Computers, Software, and Applications (COMPSAC)},
      year = {2012},
      month = {7},
      pdf = {compsac-scholte.pdf},
      }
  • Marco Balduzzi and Jonas Zaddach and Davide Balzarotti and Engin Kirda and Sergio Loureiro, "A Security Analysis of Amazon's Elastic Compute Cloud Service," in 27th ACM Symposium On Applied Computing (SAC), 2012. BibTeX | PDF
    @INPROCEEDINGS{_A_Security_Analysis_of_Amazon__2012,
      Author = {Marco Balduzzi and Jonas Zaddach and Davide Balzarotti and Engin Kirda and Sergio Loureiro},
      title = {A Security Analysis of Amazon's Elastic Compute Cloud Service},
      booktitle = {27th ACM Symposium On Applied Computing (SAC)},
      year = {2012},
      month = {3},
      pdf = {securecloud.pdf},
      }
  • Theodoor Scholte and Davide Balzarotti and William K Robertson and Engin Kirda, "An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages," in 27th ACM Symposium On Applied Computing (SAC), 2012. BibTeX | PDF
    @INPROCEEDINGS{_An_Empirical_Analysis_of_Input_2012,
      Author = {Theodoor Scholte and Davide Balzarotti and William K Robertson and Engin Kirda},
      title = {An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages},
      booktitle = {27th ACM Symposium On Applied Computing (SAC)},
      year = {2012},
      month = {3},
      pdf = {paper_sac2012_theo.pdf},
      }
  • Gregoire Jacob and Engin Kirda and Christopher Kruegel and Giovanni Vigna, "PUBCRAWL: Protecting Users and Businesses from CRAWLers," in 21st Usenix Security Symposium, 2012. BibTeX | PDF
    @INPROCEEDINGS{_PUBCRAWL_Protecting_Users_and__2012,
      Author = {Gregoire Jacob and Engin Kirda and Christopher Kruegel and Giovanni Vigna},
      title = {PUBCRAWL: Protecting Users and Businesses from CRAWLers},
      booktitle = {21st Usenix Security Symposium},
      year = {2012},
      month = {8},
      pdf = {usenix12_pubcrawl.pdf},
      }
  • Leyla Bilge and Davide Balzarotti and William K Robertson and Christopher Kruegel and Engin Kirda, "Disclosure: Detecting Botnet Command and Control Servers Through Large Scale NetFlow Analysis," in Annual Computer Security Applications, 2012. BibTeX | PDF
    @INPROCEEDINGS{_Disclosure_Detecting_Botnet_Co_2012,
      Author = {Leyla Bilge and Davide Balzarotti and William K Robertson and Christopher Kruegel and Engin Kirda},
      title = {Disclosure: Detecting Botnet Command and Control Servers Through Large Scale NetFlow Analysis},
      booktitle = {Annual Computer Security Applications},
      year = {2012},
      month = {12},
      pdf = {acsac12_disclosure.pdf},
      }
  • Manuel Egele and Theodoor Scholte and Engin Kirda and Christopher Kruegel, "A Survey on Automated Dynamic Malware Analysis Techniques and Tools," ACM Computing Surveys Journal, vol. 44, iss. 2, 2012. BibTeX | PDF
    @ARTICLE{_A_Survey_on_Automated_Dynamic__2012,
      Author = {Manuel Egele and Theodoor Scholte and Engin Kirda and Christopher Kruegel},
      title = {A Survey on Automated Dynamic Malware Analysis Techniques and Tools},
      journal = {ACM Computing Surveys Journal},
      year = {2012},
      month = {2},
      pdf = {malware_survey.pdf},
      volume = {44},
      number = {2},
      }
  • Clemens Kolbitsch and Christopher Kruegel and Engin Kirda, "Extending Mondrian Memory Protection," in NATO RTO IST-091 Symposium, 2010. BibTeX
    @INPROCEEDINGS{Kolbitsch_Extending_Mondrian_Memory_Prot_2010,
      Author = {Clemens Kolbitsch and Christopher Kruegel and Engin Kirda},
      title = {Extending Mondrian Memory Protection},
      booktitle = {NATO RTO IST-091 Symposium},
      year = {2010},
      month = {4},
      }
  • Marco Balduzzi and Manuel Egele and Engin Kirda and Davide Balzarotti and Christopher Kruegel, "A Solution for the Automated Detection of Clickjacking Attacks," in ASIACCS, 2010. BibTeX
    @INPROCEEDINGS{Balduzzi_A_Solution_for_the_Automated_D_2010,
      Author = {Marco Balduzzi and Manuel Egele and Engin Kirda and Davide Balzarotti and Christopher Kruegel},
      title = {A Solution for the Automated Detection of Clickjacking Attacks},
      booktitle = {ASIACCS},
      year = {2010},
      month = {4},
      }
  • Kaan Onarlioglu and Leyla Bilge and Andrea Lanzi and Davide Balzarotti and Engin Kirda, "G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries," in 26th Annual Computer Security Applications Conference (ACSAC), 2010. BibTeX
    @INPROCEEDINGS{Onarlioglu_G_Free_Defeating_Return_Orient_2010,
      Author = {Kaan Onarlioglu and Leyla Bilge and Andrea Lanzi and Davide Balzarotti and Engin Kirda},
      title = {G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries},
      booktitle = {26th Annual Computer Security Applications Conference (ACSAC)},
      year = {2010},
      month = {12},
      }
  • Ulrich Bayer and Engin Kirda and Christopher Kruegel, "Improving the Efficiency of Dynamic Malware Analysis," in 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010. BibTeX | PDF
    @INPROCEEDINGS{Bayer_ImprovingEfficiencyof_2010,
      Author = {Ulrich Bayer and Engin Kirda and Christopher Kruegel},
      title = {Improving the Efficiency of Dynamic Malware Analysis},
      booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
      year = {2010},
      month = {3},
      pdf = {Bayer_ImprovingEfficiencyof_2010.pdf},
      note = {Lausanne, Switzerland},
      }
  • Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel, "CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms," in 25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010. BibTeX
    @INPROCEEDINGS{Egele_CAPTCHASmugglingHijacking_2010,
      Author = {Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel},
      title = {CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms},
      booktitle = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
      year = {2010},
      month = {3},
      }
  • Marco Balduzzi and Christian Platzer and Thorsten Holz and Engin Kirda and Davide Balzarotti and Christopher Kruegel, "Abusing Social Networks for Automated User Profiling," in International Symposium on Recent Advances in Intrusion Detection (RAID 2010), 2010. BibTeX
    @INPROCEEDINGS{Balduzzi_Abusing_Social_Networks_for_Au_2010,
      Author = {Marco Balduzzi and Christian Platzer and Thorsten Holz and Engin Kirda and Davide Balzarotti and Christopher Kruegel},
      title = {Abusing Social Networks for Automated User Profiling},
      booktitle = {International Symposium on Recent Advances in Intrusion Detection (RAID 2010)},
      year = {2010},
      month = {9},
      }
  • Tobias Lauinger and Veikko Pankakoski and Davide Balzarotti and Engin Kirda, "Honeybot, Your Man in the Middle for Automated Social Engineering," in Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2010), 2010. BibTeX | PDF
    @INPROCEEDINGS{Lauinger_Honeybot2010,
      Author = {Tobias Lauinger and Veikko Pankakoski and Davide Balzarotti and Engin Kirda},
      title = {Honeybot, Your Man in the Middle for Automated Social Engineering},
      booktitle = {Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2010)},
      year = {2010},
      month = {4},
      pdf = {autosoc-leet2010.pdf},
      }
  • Nenad Jovanovic and Christopher Kruegel and Engin Kirda, "Static analysis for detecting taint-style vulnerabilities in web applications," Journal of Computer Security, vol. 18, 2010. BibTeX
    @ARTICLE{Jovanovic_Static_analysis_for_detecting__2010,
      Author = {Nenad Jovanovic and Christopher Kruegel and Engin Kirda},
      title = {Static analysis for detecting taint-style vulnerabilities in web applications},
      journal = {Journal of Computer Security},
      year = {2010},
      month = {0},
      volume = {18},
      }
  • Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda, "Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries," in IEEE Security and Privacy 2010, 2010. BibTeX
    @INPROCEEDINGS{Kolbitsch_AutomatedExtraction_2010,
      Author = {Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda},
      title = {Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries},
      booktitle = {IEEE Security and Privacy 2010},
      year = {2010},
      month = {1},
      }
  • Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda, "AccessMiner: Using System-Centric Models for Malware Protection," in 17th ACM Conference on Computer and Communications Security (CCS), 2010. BibTeX
    @INPROCEEDINGS{Lanzi_AccessMiner_Using_System_Centr_2010,
      Author = {Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christodorescu and Engin Kirda},
      title = {AccessMiner: Using System-Centric Models for Malware Protection},
      booktitle = {17th ACM Conference on Computer and Communications Security (CCS)},
      year = {2010},
      month = {10},
      }
  • Engin Kirda and Ulrich Bayer and Corrado Leita, "Exploiting diverse observation perspectives to get insights on the malware landscape," in Dependable Systems and Networks (DSN) 2010 IEEE IFIP International Conference on, 2010, pp. 393-402. BibTeX | PDF
    @INPROCEEDINGS{leita2010exploiting,
      Author = {Engin Kirda and Ulrich Bayer and Corrado Leita},
      title = {Exploiting diverse observation perspectives to get insights on the malware landscape},
      booktitle = {Dependable Systems and Networks (DSN) 2010 IEEE IFIP International Conference on},
      year = {2010},
      month = {1},
      pdf = {dsn2010.pdf},
      pages = {393--402},
      }
  • Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel, "Is the Internet for Porn? An Insight into the Online Adult Industry," in Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010), 2010. BibTeX | PDF
    @INPROCEEDINGS{Wondracek_InternetPorn2010,
      Author = {Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel},
      title = {Is the Internet for Porn? An Insight into the Online Adult Industry},
      booktitle = {Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010)},
      year = {2010},
      month = {6},
      pdf = {weis2010_wondracek.pdf},
      }
  • Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna, "Efficient Detection of Split Personalities in Malware," in 17th Annual Network and Distributed System Security Symposium (NDSS 2010), 2010. BibTeX
    @INPROCEEDINGS{Balzarotti_Efficient_Detection_of_Split_P_2010,
      Author = {Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna},
      title = {Efficient Detection of Split Personalities in Malware},
      booktitle = {17th Annual Network and Distributed System Security Symposium (NDSS 2010)},
      year = {2010},
      month = {2},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang, "Effective and Efficient Malware Detection at the End Host," in USENIX Security 09, 2009. BibTeX | PDF
    @INPROCEEDINGS{Kolbitsch_EffectiveandEfficient_2009,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang},
      title = {Effective and Efficient Malware Detection at the End Host},
      booktitle = {USENIX Security 09},
      year = {2009},
      month = {8},
      pdf = {Kolbitsch_EffectiveandEfficient_2009.pdf},
      note = {Canada, August 2009},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek, "Scalable, Behavior-Based Malware Clustering," in Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), 2009. BibTeX | PDF
    @INPROCEEDINGS{Bayer_ScalableBehaviorBasedMalware_2009,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek},
      title = {Scalable, Behavior-Based Malware Clustering},
      booktitle = {Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)},
      year = {2009},
      month = {1},
      pdf = {Bayer_ScalableBehaviorBasedMalware_2009.pdf},
      }
  • Engin Kirda and Davide Balzarotti and Leyla Bilge and Thorsten Strufe, "All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks," in 18th International World Wide Web Conference, 2009. BibTeX | PDF
    @INPROCEEDINGS{Bilge_AllYourContacts_2009,
      Author = {Engin Kirda and Davide Balzarotti and Leyla Bilge and Thorsten Strufe},
      title = {All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks},
      booktitle = {18th International World Wide Web Conference},
      year = {2009},
      month = {4},
      pdf = {Bilge_AllYourContacts_2009.pdf},
      publisher = {31st International Conference on Software Engineering IEEE Computer Society, Vancouver, Cana},
      }
  • Christopher Kruegel and Engin Kirda and Ulrich Bayer and Davide Balzarotti and Imam Habibi, "A View on Current Malware Behaviors," in 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston, 2009. BibTeX | PDF
    @INPROCEEDINGS{Bayer_InsightsIntoCurrent_2009,
      Author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer and Davide Balzarotti and Imam Habibi},
      title = {A View on Current Malware Behaviors},
      booktitle = {2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston},
      year = {2009},
      month = {4},
      pdf = {Bayer_InsightsIntoCurrent_2009.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele, "Mitigating Drive-by Download Attacks: Challenges and Open Problems," in Open Research Problems in Network Security Workshop, 2009. BibTeX | PDF
    @INPROCEEDINGS{Egele_MitigatingDrivebyDownload_2009,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
      title = {Mitigating Drive-by Download Attacks: Challenges and Open Problems},
      booktitle = {Open Research Problems in Network Security Workshop},
      year = {2009},
      month = {4},
      pdf = {Egele_MitigatingDrivebyDownload_2009.pdf},
      publisher = {iNetSec 2009},
      note = {Zurich},
      }
  • Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger, "SWAP: Mitigating XSS Attacks using a Reverse Proxy," in The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE, 2009. BibTeX | PDF
    @INPROCEEDINGS{Wurzinger_SWAPMitigatingXSS_2009,
      Author = {Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger},
      title = {SWAP: Mitigating XSS Attacks using a Reverse Proxy},
      booktitle = {The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE},
      year = {2009},
      month = {5},
      pdf = {Wurzinger_SWAPMitigatingXSS_2009.pdf},
      publisher = {IEEE Computer Society},
      }
  • Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel, "Automatically Generating Models for Botnet Detection," in 14th European Symposium on Research in Computer Security (ESORICS 2009), 2009. BibTeX | PDF
    @INPROCEEDINGS{Wurzinger_AutomaticallyGeneratingModels_2009,
      Author = {Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel},
      title = {Automatically Generating Models for Botnet Detection},
      booktitle = {14th European Symposium on Research in Computer Security (ESORICS 2009)},
      year = {2009},
      month = {9},
      pdf = {Wurzinger_AutomaticallyGeneratingModels_2009.pdf},
      note = {14th European Symposium on Research in Computer Security (ESORICS 2009), Saint Malo, Brittany, France},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele, "Removing Web Spam Links from Search Engine Results," in 31st International Conference on Software Engineering (ICSE), 2009. BibTeX | PDF
    @INPROCEEDINGS{Egele_RemovingWebSpam_2009,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
      title = {Removing Web Spam Links from Search Engine Results},
      booktitle = {31st International Conference on Software Engineering (ICSE)},
      year = {2009},
      month = {5},
      pdf = {Egele_RemovingWebSpam_2009.pdf},
      publisher = {IEEE Computer Society},
      note = {Vancouver, Canada},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almeroth and Brett Stone-Gross, "FIRE: FInding Rogue nEtworks," in 25th Annual Computer Security Applications Conference (ACSAC), 2009. BibTeX | PDF
    @INPROCEEDINGS{StoneGross_FIREFIndingRogue_2009,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almeroth and Brett Stone-Gross},
      title = {FIRE: FInding Rogue nEtworks},
      booktitle = {25th Annual Computer Security Applications Conference (ACSAC)},
      year = {2009},
      month = {12},
      pdf = {StoneGross_FIREFIndingRogue_2009.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele, "Prospex: Protocol Specification Extraction," in 18th European Institute for Computer Antivirus Research, 2009. BibTeX | PDF
    @INPROCEEDINGS{Egele_ProspexProtocolSpecification_2009,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele},
      title = {Prospex: Protocol Specification Extraction},
      booktitle = {18th European Institute for Computer Antivirus Research},
      year = {2009},
      month = {5},
      pdf = {Egele_ProspexProtocolSpecification_2009.pdf},
      publisher = {EICAR 2009 Annual Conference},
      note = {Berlin},
      }
  • Christopher Kruegel and Engin Kirda and Davide Balzarotti and Giovanni Vigna and Marco Cova and Nenad Jovanovic and Viktoria Felmetsger, "Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications," in Security and Privacy, 2008, p. 15. BibTeX | PDF
    @INPROCEEDINGS{Cova_ComposingStaticand_2008,
      Author = {Christopher Kruegel and Engin Kirda and Davide Balzarotti and Giovanni Vigna and Marco Cova and Nenad Jovanovic and Viktoria Felmetsger},
      title = {Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications},
      booktitle = {Security and Privacy},
      year = {2008},
      month = {5},
      pdf = {Cova_ComposingStaticand_.pdf},
      pages = {15},
      publisher = {IEEE Security and Privacy},
      }
  • Gilbert Wondracek and Paolo Milani Comparetti and Christopher Kruegel and Engin Kirda, "Automatic Network Protocol Analysis," in 15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008, 2008. BibTeX | PDF
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2008,
      Author = {Gilbert Wondracek and Paolo Milani Comparetti and Christopher Kruegel and Engin Kirda},
      title = {Automatic Network Protocol Analysis},
      booktitle = {15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008},
      year = {2008},
      month = {1},
      pdf = {ce-kirden-080215.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Eric Medvet, "Visual-Similarity-Based Phishing Detection," in IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks, 2008. BibTeX
    @INPROCEEDINGS{Medvet_VisualSimilarityBasedPhishing_2008,
      Author = {Christopher Kruegel and Engin Kirda and Eric Medvet},
      title = {Visual-Similarity-Based Phishing Detection},
      booktitle = {IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks},
      year = {2008},
      month = {9},
      }
  • Engin Kirda and Corrado Leita and Marc Dacier and Olivier Thonnard and Fabian Pouget and Van Hau Pham and Eduardo Ramirez-Silva, "The Leurre.com Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet," in Proceedings of the 1st WOMBAT workshop, 2008. BibTeX
    @INPROCEEDINGS{Leita_LeurrecomProjectCollecting_2008,
      Author = {Engin Kirda and Corrado Leita and Marc Dacier and Olivier Thonnard and Fabian Pouget and {Van Hau} Pham and Eduardo Ramirez-Silva},
      title = {The Leurre.com Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet},
      booktitle = {Proceedings of the 1st WOMBAT workshop},
      year = {2008},
      month = {4},
      publisher = {IEEE Computer Society},
      }
  • Christopher Kruegel and Engin Kirda and Sean McAllister, "Leveraging User Interactions for In-Depth Testing of Web Applications," in Symposium on Recent Advances in Intrusion Detection, 2008. BibTeX
    @INPROCEEDINGS{Allister_SymposiumRecentAdvances_2008,
      Author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
      title = {Leveraging User Interactions for In-Depth Testing of Web Applications},
      booktitle = {Symposium on Recent Advances in Intrusion Detection},
      year = {2008},
      month = {1},
      }
  • Christopher Kruegel and Engin Kirda and Guenther Starnberger, "Overbot – A botnet protocol based on Kademlia," in 4th International Conference on Security and Privacy in Communication Networks (SecureComm), 2008. BibTeX
    @INPROCEEDINGS{Starnberger_Overbotbotnet_2008,
      Author = {Christopher Kruegel and Engin Kirda and Guenther Starnberger},
      title = {Overbot - A botnet protocol based on Kademlia},
      booktitle = {4th International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2008},
      month = {9},
      publisher = {Istanbul, Turkey},
      }
  • Christopher Kruegel and Engin Kirda and Sean McAllister, "Expanding Human Interactions for In-Depth Testing of Web Applications," in 11th Symposium on Recent Advances in Intrusion Detection (RAID), Boston, MA, 2008. BibTeX | PDF
    @INPROCEEDINGS{McAllister_ExpandingHumanInteractions_2008,
      Author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
      title = {Expanding Human Interactions for In-Depth Testing of Web Applications},
      booktitle = {11th Symposium on Recent Advances in Intrusion Detection (RAID), Boston, MA},
      year = {2008},
      month = {9},
      pdf = {McAllister_ExpandingHumanInteractions_2008.pdf},
      }
  • Engin Kirda and Corrado Leita and Julio Canto and Marc Dacier, "Large Scale Malware Collection: Lessons Learned," in IEEE SRDS Workshop on Sharing Field Data and Experiment Measurements on Resilience of Distributed Computing System, 2008. BibTeX | PDF
    @INPROCEEDINGS{Canto_LargeScaleMalware_2008,
      Author = {Engin Kirda and Corrado Leita and Julio Canto and Marc Dacier},
      title = {Large Scale Malware Collection: Lessons Learned},
      booktitle = {IEEE SRDS Workshop on Sharing Field Data and Experiment Measurements on Resilience of Distributed Computing System},
      year = {2008},
      month = {10},
      pdf = {Canto_LargeScaleMalware_200.pdf},
      note = {Naples, Italy},
      }
  • Christopher Kruegel and Engin Kirda and Sean McAllister, "Leveraging User Interactions for In-Depth Testing of Web Applications," RAID ’08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection, pp. 191-210, 2008. BibTeX
    @ARTICLE{1433021,
      Author = {Christopher Kruegel and Engin Kirda and Sean McAllister},
      title = {Leveraging User Interactions for In-Depth Testing of Web Applications},
      journal = {RAID '08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection},
      year = {2008},
      month = {1},
      pages = {191--210},
      publisher = {Springer-Verlag},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song, "Dynamic Spyware Analysis," in Proceedings of the USENIX Annual Technical Conference, 2007. BibTeX
    @INPROCEEDINGS{Egele_DynamicSpywareAnalysis_2007,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
      title = {Dynamic Spyware Analysis},
      booktitle = {Proceedings of the USENIX Annual Technical Conference},
      year = {2007},
      month = {6},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser, "Exploring Multiple Execution Paths for Malware Analysis," in Proceedings of the IEEE Symposium on Security and Privacy 2007, 2007. BibTeX
    @INPROCEEDINGS{Moser_ExploringMultipleExecution_2007,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
      title = {Exploring Multiple Execution Paths for Malware Analysis},
      booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2007},
      year = {2007},
      month = {5},
      abstract = {Malicious code or malware is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked. The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Thomas Raffetseder, "Detecting System Emulators," in Proceedings of the Information Security Conference (ISC), 2007. BibTeX
    @INPROCEEDINGS{Raffetseder_DetectingSystemEmulators_2007,
      Author = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
      title = {Detecting System Emulators},
      booktitle = {Proceedings of the Information Security Conference (ISC)},
      year = {2007},
      month = {10},
      }
  • Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi, "A Layout-Similarity-Based Approach for Detecting Phishing Pages," in Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2007. BibTeX
    @INPROCEEDINGS{Rosiello_LayoutSimilarityBasedApproachDetecting_2007,
      Author = {Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi},
      title = {A Layout-Similarity-Based Approach for Detecting Phishing Pages},
      booktitle = {Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2007},
      month = {1},
      }
  • Christopher Kruegel and Engin Kirda and Martin Szydlowski, "Secure Input for Web Applications," in Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007, 2007. BibTeX
    @INPROCEEDINGS{Szydlowski_SecureInputWeb_2007,
      Author = {Christopher Kruegel and Engin Kirda and Martin Szydlowski},
      title = {Secure {I}nput for {W}eb {A}pplications},
      booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
      year = {2007},
      month = {12},
      }
  • Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt, "Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis," in Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007), 2007. BibTeX
    @INPROCEEDINGS{Vogt_CrossSiteScripting_2007,
      Author = {Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt},
      title = {Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis},
      booktitle = {Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007)},
      year = {2007},
      month = {2},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song, "Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis," in Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007. BibTeX
    @INPROCEEDINGS{Yin_PanoramaCapturingSystemwide_2007,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
      title = {Panorama: {C}apturing {S}ystem-wide {I}nformation {F}low for {M}alware {D}etection and {A}nalysis},
      booktitle = {Proceedings of the 14th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity},
      year = {2007},
      month = {11},
      }
  • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek, "Automatic Network Protocol Analysis," in Proceedings of the Network and Distributed System Security Symposium Conference (NDSS), San Diego 2007, 2007. BibTeX
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2007,
      Author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek},
      title = {Automatic {N}etwork {P}rotocol {A}nalysis},
      booktitle = {Proceedings of the {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium {C}onference ({NDSS}), {S}an {D}iego 2007},
      year = {2007},
      month = {1},
      }
  • Christopher Kruegel and Engin Kirda and Thomas Raffetseder, "Building Anti-Phishing Browser Plug-Ins: An Experience Report," in Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE), 2007. BibTeX
    @INPROCEEDINGS{Raffetseder_BuildingAntiPhishingBrowser_2007,
      Author = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
      title = {Building Anti-Phishing Browser Plug-Ins: An Experience Report},
      booktitle = {Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE)},
      year = {2007},
      month = {5},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Andreas Moser, "Limits of Static Analysis for Malware Detection," in Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007, 2007. BibTeX | PDF
    @INPROCEEDINGS{Moser_LimitsofStatic_2007,
      Author = {Christopher Kruegel and Engin Kirda and Andreas Moser},
      title = {Limits of {S}tatic {A}nalysis for {M}alware {D}etection},
      booktitle = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
      year = {2007},
      month = {12},
      pdf = {Moser_LimitsofStatic_2007.pdf},
      }
  • Christopher Kruegel and Engin Kirda and Sean McAllister and Christian Ludl, "On the Effectiveness of Techniques to Detect Phishing Sites," in Proceedings of the Conference on the Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2007. BibTeX
    @INPROCEEDINGS{Ludl_EffectivenessofTechniques_2007,
      Author = {Christopher Kruegel and Engin Kirda and Sean McAllister and Christian Ludl},
      title = {On the Effectiveness of Techniques to Detect Phishing Sites},
      booktitle = {Proceedings of the Conference on the Detection of Intrusions and Malware \& Vulnerability Assessment (DIMVA).},
      year = {2007},
      month = {1},
      abstract = {Phishing is an electronic online identity theft in which the attackers use a combination of social engineering and web site spoofing techniques to trick a user into revealing confidential information. This information is typically used to make an illegal economic profit (e.g., by online banking transactions, purchase of goods using stolen credentials, etc.). Although simple, phishing attacks are remarkably effective. As a result, the numbers of successful phishing attacks have been continuously increasing and many anti-phishing solutions have been proposed. One popular and widely-deployed solution is the integration of blacklist-based anti-phishing techniques into browsers. However, it is currently unclear how effective such blacklisting approaches are in mitigating phishing attacks in real-life. In this paper, we report our findings on analyzing the effectiveness of two popular anti-phishing solutions. Over a period of three weeks, we automatically tested the effectiveness of the blacklists maintained by Google and Microsoft with 10,000 phishing URLs. Furthermore, by analyzing a large number of phishing pages, we explored the existence of page properties that can be used to identify phishing pages.},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals, "SecuBat: A Web Vulnerability Scanner," in Proceedings of The 15th International World Wide Web Conference (WWW 2006), 2006. BibTeX
    @INPROCEEDINGS{Kals_SecuBatWebVulnerability_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals},
      title = {SecuBat: A Web Vulnerability Scanner},
      booktitle = {Proceedings of The 15th International World Wide Web Conference (WWW 2006)},
      year = {2006},
      month = {5},
      abstract = {As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)," in Proceedings of the IEEE Symposium on Security and Privacy 2006, 2006. BibTeX
    @INPROCEEDINGS{Jovanovic_PixyStaticAnalysis_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
      title = {Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper).},
      booktitle = {Proceedings of the IEEE Symposium on Security and Privacy 2006},
      year = {2006},
      month = {5},
      publisher = {IEEE Computer Society Press},
      }
  • Christopher Kruegel and Engin Kirda and Nenad Jovanovic, "Preventing Cross Site Request Forgery Attacks," in Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006. BibTeX
    @INPROCEEDINGS{Jovanovic_PreventingCrossSite_2006,
      Author = {Christopher Kruegel and Engin Kirda and Nenad Jovanovic},
      title = {Preventing Cross Site Request Forgery Attacks},
      booktitle = {In Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm)},
      year = {2006},
      month = {8},
      abstract = {The web has become an indispensable part of our lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting web applications and web-based information systems. Previous work in the field of web application security has mainly focused on the mitigation of Cross Site Scripting (XSS) and SQL injection attacks. In contrast, Cross Site Request Forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by web application developers. As a result, there exist many web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source web applications, without negatively affecting their behavior.},
      }
  • Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks, "Behavior-Based Spyware Detection," in Proceedings of USENIX Security 06, 2006. BibTeX
    @INPROCEEDINGS{Kirda_BehaviorBasedSpywareDetection_2006,
      Author = {Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks},
      title = {Behavior-Based Spyware Detection},
      booktitle = {Proceedings of USENIX Security 06},
      year = {2006},
      month = {8},
      }
  • Christopher Kruegel and Engin Kirda and Giovanni Vigna and Patrick Klinkoff, "Extending .NET Security to Unmanaged Code," in Proceedings of the 9th Information Security Conference (ISC 2006), 2006. BibTeX
    @INPROCEEDINGS{Klinkoff_Extending.NETSecurity_2006,
      Author = {Christopher Kruegel and Engin Kirda and Giovanni Vigna and Patrick Klinkoff},
      title = {Extending .NET Security to Unmanaged Code},
      booktitle = {In Proceedings of the 9th Information Security Conference (ISC 2006)},
      year = {2006},
      month = {9},
      abstract = {The number of applications that are downloaded from the Internet and executed on-the-fly is increasing every day. Unfortunately, not all of these applications are benign, and, often, users are unsuspecting and unaware of the intentions of a program. To facilitate and secure this growing class of mobile code, Microsoft introduced the .NET framework, a new development and runtime environment where machine-independent byte-code is executed by a virtual machine. An important feature of this framework is that it allows access to native libraries to support legacy code or to directly invoke the Windows API. Such native code is called unmanaged (as opposed to managed code). Unfortunately, the execution of unmanaged native code is not restricted by the .NET security model, and, thus, provides the attacker with a mechanism to completely circumvent the framework's security mechanisms. The approach described in this paper uses a sandboxing mechanism to prevent an attacker from executing malicious, unmanaged code that is not permitted by the security policy. Our sandbox is implemented as two security layers, one on top of the Windows API and one in the kernel. Also, managed and unmanaged parts of an application are automatically separated and executed in two different processes. This ensures that potentially unsafe code can neither issue system calls not permitted by the .NET security policy nor tamper with the memory of the .NET runtime. Our proof-of-concept implementation is transparent to applications and secures unmanaged code with a generally acceptable performance penalty. To the best of our knowledge, the presented architecture and implementation is the first solution to secure unmanaged code in .NET.},
      }
  • Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser, "Dynamic Analysis of Malicious Code," Journal in Computer Virology, 2006. BibTeX
    @ARTICLE{Bayer_DynamicAnalysisof_2006,
      Author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser},
      title = {Dynamic Analysis of Malicious Code},
      journal = {Journal in Computer Virology},
      year = {2006},
      month = {1},
      abstract = {Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.},
      publisher = {Springer Computer Science},
      }
  • Christopher Kruegel and Engin Kirda and Manuel Egele and Martin Szydlowski, "Using Static Program Analysis to Aid Intrusion Detection," in Proceedings of Detection of Intrusions and Malware and Vulnerability Assessment, 2006. BibTeX
    @INPROCEEDINGS{Egele_UsingStaticProgram_2006,
      Author = {Christopher Kruegel and Engin Kirda and Manuel Egele and Martin Szydlowski},
      title = {Using Static Program Analysis to Aid Intrusion Detection},
      booktitle = {Proceedings of Detection of Intrusions and Malware and Vulnerability Assessment},
      year = {2006},
      month = {7},
      abstract = {The Internet, and in particular the world-wide web, have become part of the everyday life of millions of people. With the growth of the web, the demand for on-line services rapidly increased. Today, whole industry branches rely on the Internet to do business. Unfortunately, the success of the web has recently been overshadowed by frequent reports of security breaches. Attackers have discovered that poorly written web applications are the Achilles heel of many organizations. The reason is that these applications are directly available through firewalls and are often developed by programmers who focus on features and tight schedules instead of security. In previous work, we developed an anomaly-based intrusion detection system that uses learning techniques to identify attacks against web-based applications. That system focuses on the analysis of the request parameters in client queries, but does not take into account any information about the protected web applications themselves. The results are imprecise models that lead to more false positives and false negatives than necessary. In this paper, we describe a novel static source code analysis approach for PHP that allows us to incorporate information about a web application into the intrusion detection models. The goal is to obtain a more precise characterization of web request parameters by analyzing their usage by the program. This allows us to generate more precise intrusion detection models. In particular, our analysis allows us to determine the names of request parameters expected by a program and provides information about their types, structure, or even concrete value sets. Our experimental evaluation demonstrates that the information derived statically from web applications closely characterizes the parameter values observed in real-world traffic.},
      }
  • Christopher Kruegel and Engin Kirda and Ulrich Bayer, "TTAnalyze: A Tool for Analyzing Malware," in Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference, 2006. BibTeX
    @INPROCEEDINGS{Bayer_TTAnalyzeToolAnalyzing_2006,
      Author = {Christopher Kruegel and Engin Kirda and Ulrich Bayer},
      title = {TTAnalyze: A Tool for Analyzing Malware},
      booktitle = {Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference},
      year = {2006},
      month = {4},
      note = {Best Paper Award},
      }