Publications Papers from the NEU SecLab
SHiFT: Semi-hosted Fuzz Testing for Embedded Applications
33rd USENIX Security Symposium
August 2024, Philadelphia, PA
Untangle: Multi-Layer Web Server Fingerprinting
The Network and Distributed System Security Symposium (NDSS)
February 2024, San Diego
MacOS versus Microsoft Windows: A Study on the Cybersecurity and Privacy User Perception of Two Popular Operating Systems
Symposium on Usable Security and Privacy (USEC)
February 2024, San Diego, CA
Assessing the Feasibility of the Virtual Smartphone Paradigm in Countering Zero-Click Attacks
HICSS-57 Hawaii International Conference on System Sciences
January 2024, appear.
OAuth 2.0 Redirect URI Validation Falls Short, Literally
9th Applied Computer Security Applications Conference (ACSAC2023)
2023, appear.
PellucidAttachment: Protecting Users from Attacks via E-mail Attachments
IEEE Transactions on Dependable and Secure Computing
2023, to appear.
On the Complexity of the Web’s PKI: Evaluating Certificate Validation of Mobile Browsers
IEEE Transactions on Dependable and Secure Computing
2023, to appear.
Solder: Retrofitting Legacy Code with Cross-Language Patches
30th IEEE International Conference on
Software Analysis, Evolution and Reengineering (SANER)
Macao, China, March 2023
A Study of Multi-Factor and Risk-Based Authentication Availability
32nd USENIX Security Symposium
Anaheim, California, August 2023
A Recent Year On the Internet: Measuring and Understanding the Threats to Everyday Internet Devices
Annual Computer Security Applications Conference (ACSAC)
Austin, Texas, December 2022
FRAMESHIFTER: Security Implications of HTTP/2-to-HTTP/1 Conversion Anomalies
31st USENIX Security Symposium
Boston, MA, August 2022
Who's Controlling My Device? Multi-User Multi-Device-Aware Access Control System for Shared Smart Home Environment
ACM Transactions on Internet of Things
2022, to appear.
HotFuzz: Discovering Temporal and Spatial Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
ACM Transactions on Privacy and Security
25(4): 33:1-33:35 (2022)
SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward
7th IEEE European Symposium on Security and Privacy (EuroS&P 2022)
June 2022, Genoa, Italy
D-Box: DMA-enabled compartmentalization for embedded applications
29th Network and Distributed System Security Symposium
February 2022
T-Reqs: HTTP Request Smuggling with Differential Fuzzing
In ACM Conference on Computer and Communications Security (CCS)
November, 2021
Game of FAME: Automatic Detection of FAke MEmes
In Conference for Truth and Trust Online (TTO) 2021
October 2021
Browserprint: An Analysis of the Impact of Browser Features on Fingerprintability and Web Privacy
Information Security Conference (ISC)
November, 2021
In-Browser Cryptomining for Good: An Untold Story
3rd IEEE International Conference on Decentralized Applications and Infrastructures
August, 2021
FADE: Detecting Fake News Articles on the Web
16th International Conference on Availability, Reliability, and Security (ARES)
August, 2021
SCRUTINIZER: Detecting Code Reuse in Malware via Decompilation and Machine Learning
In 18th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
July 2021
You’ve Got (a Reset) Mail: A Security Analysis of Email-Based Password Reset Procedures
In 18th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
July 2021
SoK: Cryptojacking Malware
6th IEEE European Symposium on Security and Privacy, Vienna, Austria
September 2021
Bypassing memory safety mechanisms through speculative control flow hijacks
6th IEEE European Symposium on Security and Privacy, Vienna, Austria
September 2021
SoK: Enabling Security Analyses of Embedded Systems via Rehosting
Proceedings of the ACM Asia Conference on Computer and Communications Security (ASIACCS)
June 2021
GhostBuster: understanding and overcoming the pitfalls of transient execution vulnerability checkers
In 28th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2021)
March 2021
KUBO: Precise and Scalable Detection of User-triggerable Undefined Behavior Bugs in OS Kernel
In 2021 NDSS Symposium
Feb 2021
Finding Bugs Using Your Own Code: Detecting Functionally-similar yet Inconsistent Code
In 30th USENIX Security Symposium
Aug 2021
PTAuth: Temporal Memory Safety via Robust Points-to Authentication
In 30th USENIX Security Symposium
Aug 2021
Preventing Server-Side Request Forgery Attacks
In 36th ACM Symposium on Applied Computing (SAC 2021)
Gwangju, Korea, May 2021
DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis
In IEEE Symposium on Security and Privacy (S&P)
May 2021
What’s in an Exploit? An Empirical Analysis of Reflected Server XSS Exploitation Techniques
In 23rd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID)
San Sebastian, Spain, October 2020
KRATOS: Multi-User Multi-Device-Aware Access Control System for the Smart Home
In 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '20)
Linz, Austria, Jul 2020
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA, Feb 2020
Cached and Confused: Web Cache Deception in the Wild
In USENIX Security Symposium
Boston, MA, USA, Aug 2020
Speculator: A Tool to Analyze SpeculativeExecution Attacks and Mitigations
In Annual Computer Security Applications Conference (ACSAC)
San Juan, Puerto Rico, Dec 2019
USBeSafe: An End-Point Solution to Protect Against USB-Based Attacks
In 22nd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID)
Beijing, China, Sep 2019
Getting Under Alexa`s Umbrella: Infiltration Attacks Against Internet Top Domain Lists
In 22nd Information Security Conference (ISC)
New York City, NY, Sep 2019
An Analysis of Malware Trends in Enterprise Networks
In 22nd Information Security Conference (ISC)
New York City, NY, Sep 2019
A Longitudinal Analysis of the ads.txt Standard
In ACM Internet Measurement Conference (IMC)
Amsterdam, Netherlands, Oct 2019
It`s Not What It Looks Like: Measuring Attacks and Defensive Registrations of Homograph Domains
In Conference on Communications and Network Security (CNS)
Washington D.C., Jun 2019
Clustering and the Weekend Effect: Recommendations for the Use of Top Domain Lists in Security Research
In Passive and Active Measurement Conference (PAM 2019)
Puerto Varas, Chile, Mar 2019
On the Effectiveness of Type-based Control Flow Integrity
In Annual Computer Security Applications Conference (ACSAC)
San Juan, Puerto Rico, USA, Dec 2018
From Deletion to Re-Registration in Zero Seconds: Domain Registrar Behaviour During the Drop
In ACM Internet Measurement Conference (IMC)
Boston, MA, Nov 2018
How Tracking Companies Circumvented Ad Blockers Using WebSockets
In ACM Internet Measurement Conference (IMC)
Boston, MA, Nov 2018
Large-Scale Analysis of Style Injection by Relative Path Overwrite
In World Wide Web Conference (WWW)
Lyon, France, Apr 2018
Eraser: Your Data Won't Be Back
In IEEE European Symposium on Security and Privacy (EuroS&P)
London, GB, Apr 2018
Surveylance: Automatically Detecting Online Survey Scams
In IEEE Symposium on Security and Privacy (S&P)
San Francisco, CA, May 2018
Ex-Ray: Detection of History-Leaking Browser Extensions
In Annual Computer Security Applications Conference (ACSAC)
Orlando, Florida, Dec 2017
Semi-automated Discovery of Server-Based Information Oversharing Vulnerabilities in Android Applications
In International Symposium on Software Testing and Analysis (ISSTA)
Santa Barbara, California, Jul 2017
Lens on the endpoint: Hunting for malicious software through endpoint data analysis
In International Symposium on Research in Attacks, Intrusions, and Defenses (RAID)
Atlanta, Georgia, Sep 2017
Redemption: Real-time In Protection Against Ransomware at End-Hosts
In International Symposium on Research in Attacks, Intrusions, and Defenses (RAID)
Atlanta, Georgia, Sep 2017
Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers
In USENIX Security Symposium
Vancouver, BC; Canada, Aug 2017
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web [updated in September 2017]
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2017
WHOIS Lost in Translation: (Mis)Understanding Domain Name Expiration and Re-Registration
In ACM Internet Measurement Conference (IMC)
Santa Monica, CA US, Nov 2016
"Recommended For You": A First Look at Content Recommendation Networks
In ACM Internet Measurement Conference (IMC)
Santa Monica, CA US, Nov 2016
Trellis: Privilege Separation for Multi-User Applications Made Easy
In International Symposium on Research in Attacks, Intrusions, and Defenses (RAID)
Paris, FR, Sep 2016
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
In International Symposium on Research in Attacks, Intrusions, and Defenses (RAID)
Paris, FR, Sep 2016
Runtime Integrity Checking for Exploit Mitigation on Lightweight Embedded Devices
In International Conference on Trust & Trustworthy Computing (TRUST)
Vienna, AT, Aug 2016
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
In USENIX Security Symposium
Austin, TX US, Aug 2016
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
In USENIX Security Symposium
Austin, TX US, Aug 2016
Overhaul: Input-Driven Access Control for Better Privacy on Traditional Operating Systems
In IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Toulouse, FR, Jun 2016
EmailProfiler: Spearphishing Filtering with Header and Stylometric Features of Emails
In IEEE Computer Society International Conference on Computers, Software & Applications (COMPSAC)
Atlanta, GA US, Jun 2016
LAVA: Large-scale Automated Vulnerability Addition
In IEEE Symposium on Security and Privacy (S&P)
San Jose, CA US, May 2016
TriggerScope: Towards Detecting Logic Bombs in Android Apps
In IEEE Symposium on Security and Privacy (S&P)
San Jose, CA US, May 2016
CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes
In Financial Cryptography and Data Security (FC)
Barbados, Feb 2016
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
In Financial Cryptography and Data Security (FC)
Barbados, Feb 2016
CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2016
ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities
In USENIX Security Symposium
Washington DC, US, Aug 2015
On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users
In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Milan, IT, Jul 2015
Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks
In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Milan, IT, Jul 2015
BabelCrypt: The Universal Encryption Layer for Mobile Messaging Applications
In Financial Cryptography and Data Security (FC)
Isla Verde, PR, Jan 2015
TrueClick: Automatically Distinguishing Trick Banners from Genuine Download Links
In Annual Computer Security Applications Conference (ACSAC)
New Orleans, LA US, Dec 2014
Toward Robust Hidden Volumes using Write-Only Oblivious RAM
In ACM Conference on Computer and Communications Security (CCS)
Scottsdale, AZ US, Nov 2014
Why is CSP Failing? Trends and Challenges in CSP Adoption
In International Symposium on Research in Attacks, Intrusions, and Defenses (RAID)
Gothenburg, SE, Sep 2014
A Look at Targeted Attacks through the Lense of an NGO
In USENIX Security Symposium
San Diego, CA US, Aug 2014
Optical Delusions: A Study of Malicious QR Codes in the Wild
In IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Atlanta, GA US, Jun 2014
EXPOSURE: A Passive DNS Analysis Service to Detect and Report Malicious Domains
In ACM Transactions on Information and System Security (TISSEC), 16(4), 2014
ACM
VirtualSwindle: An Automated Attack Against In-App Billing on Android
In ACM Symposium on Information, Computer and Communications Security (ASIACCS)
Kyoto, JP, Jun 2014
Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces
In IEEE Symposium on Security and Privacy (S&P)
San Jose, CA US, May 2014
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks
In Annual Computer Security Applications Conference (ACSAC)
New Orleans, LA US, Dec 2013
PatchDroid: Scalable Third-Party Patches for Android Devices
In Annual Computer Security Applications Conference (ACSAC)
New Orleans, LA US, Dec 2013
Holiday Pictures or Blockbuster Movies? Insights into Copyright Infringement in User Uploads to One-Click File Hosters
In International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
St. Lucia, LC, Oct 2013
Securing Legacy Firefox Extensions with Sentinel
In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Berlin, DE, Jul 2013
PrivExec: Private Execution as an Operating System Service
In IEEE Symposium on Security and Privacy (S&P)
San Francisco, CA US, May 2013
A Practical, Targeted, and Stealthy Attack Against WPA Enterprise Authentication
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2013
Clickonomics: Determining the Effect of Anti-Piracy Measures for One-Click Hosting
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2013
DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis
In Annual Computer Security Applications Conference (ACSAC)
Orlando, FL US, Dec 2012
Paying for Piracy? An Analysis of One-Click Hosters' Controversial Reward Schemes
In International Symposium on Research in Attacks, Intrusions, and Defenses (RAID)
Amsterdam, NL, Sep 2012
A Quantitative Study of Accuracy in System Call-Based Malware Detection
In International Symposium on Software Testing and Analysis (ISSTA)
Minneapolis, MN US, Aug 2012
PoX: Protecting Users from Malicious Facebook Applications
In Computer Communications Journal, 0(0), 2012
Elsevier
Protecting Users and Businesses from CRAWLers
In USENIX Security Symposium
Bellevue, WA US, Aug 2012
Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis
In IEEE Computer Software and Applications Conference
Izmir, TR, Jul 2012
A Security Analysis of Amazon's Elastic Compute Cloud Service
In ACM Symposium on Applied Computing (SAC)
Trento, IT, Mar 2012
An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages
In ACM Symposium on Applied Computing (SAC)
Trento, IT, Mar 2012
Insights into User Behavior in Dealing with Internet Attacks
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2012
A Survey on Automated Dynamic Malware Analysis Techniques and Tools
In ACM Computing Surveys, 44(2), 2012
ACM
Have Things Changed Now? An Empirical Study on Input Validation Vulnerabilities in Web Applications
In Computers & Security, 31(3), 2012
Elsevier
The Power of Procrastination: Detection and Mitigation of Execution-Stalling Malicious Code
In ACM Conference on Computer and Communications Security (CCS)
Chicago, IL US, Oct 2011
BTLab: A System-Centric, Data-Driven Analysis and Measurement Platform for BitTorrent Clients
In International Conference on Computer Communication Networks (ICCCN)
Maui, HI US, Aug 2011
Reverse Social Engineering Attacks in Online Social Networks
In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Amsterdam, NL, Jul 2011
PoX: Protecting Users from Malicious Facebook Applications
In IEEE International Workshop on Security and Social Networking (SESOC)
Seattle, WA US, Mar 2011
Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2011
PiOS: Detecting Privacy Leaks in iOS Applications
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2011
EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2011
Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications
In International Conference on Financial Cryptography and Data Security
St. Lucia, LC, Feb 2011
G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries
In Annual Computer Security Applications Conference (ACSAC)
Austin, TX US, Dec 2010
Static Analysis for Detecting Taint-Style Vulnerabilities in Web Applications
In Journal of Computer Security, 18(0), 2010
IOS Press
AccessMiner: Using System-Centric Models for Malware Protection
In ACM Conference on Computer and Communications Security (CCS)
Chicago, IL US, Oct 2010
Abusing Social Networks for Automated User Profiling
In International Symposium on Recent Advances in Intrusion Detection (RAID)
Ottawa, ON CA, Sep 2010
An Experience in Testing the Security of a Real-World Electronic Voting System
In IEEE Transactions on Software Engineering, 36(4), 2010
IEEE Computer Society
Is the Internet for Porn? An Insight into the Online Adult Industry
In Workshop on the Economics of Information Security (WEIS)
Boston, MA US, Jun 2010
Identifying Dormant Functionality in Malware Programs
In IEEE Symposium on Security and Privacy
Oakland, CA US, May 2010
Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries
In IEEE Symposium on Security and Privacy
Oakland, CA US, May 2010
A Practical Attack to De-Anonymize Social Network Users
In IEEE Symposium on Security and Privacy
Oakland, CA US, May 2010
A Solution for the Automated Detection of Clickjacking Attacks
In ACM Symposium on Information, Computer, and Communications Security (ASIACCS)
Beijing, CN, Apr 2010
Honeybot: Your Man in the Middle for Automated Social Engineering
In USENIX Workshp on Large-Scale Exploits and Emergent Threats
San Jose, CA US, Apr 2010
Improving the Efficiency of Dynamic Malware Analysis
In ACM Symposium on Applied Computing (SAC)
Lausanne, CH, Mar 2010
CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms
In ACM Symposium on Applied Computing (SAC)
Lausanne, CH, Mar 2010
Efficient Detection of Split Personalities in Malware
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2010
FIRE: FInding Rogue nEtworks
In Annual Computer Security Applications Conference (ACSAC)
Honolulu, HI US, Dec 2009
Automated Spyware Collection and Analysis
In Information Security Conference (ISC)
Pisa, IT, Sep 2009
Automatically Generating Models for Botnet Detection
In European Symposium on Research in Computer Security (ESORICS)
Saint-Malo, FR, Sep 2009
Effective and Efficient Malware Detection at the End Host
In USENIX Security Symposium
Montreal, QC CA, Aug 2009
Defending Browsers Against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks
In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Milan, IT, Jun 2009
All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks
In International World Wide Web Conference (WWW)
Madrid, ES, May 2009
Server-side Bot Detection in Massively Multiplayer Online Games
In IEEE Security & Privacy Magazine, 0(0), 2009
IEEE Computer Society
Prospex: Protocol Specification Extraction
In IEEE Symposium on Security and Privacy
Oakland, CA US, May 2009
SWAP: Mitigating XSS Attacks Using a Reverse Proxy
In Internation Workshop on Software Engineering for Secure Systems
Vancouver, BC CA, May 2009
Removing Web Spam Links from Search Engine Results
In European Institute for Computer Antivirus Research Conference (EICAR)
Berlin, DE, May 2009
Reducing Errors in the Anomaly-based Detection of Web-based Attacks Through the Combined Analysis of Web Requests and SQL Queries
In Journal of Computer Security, 17(3), 2009
IOS Press
Insights into Current Malware Behavior
In USENIX Workshop on Large-Scale Exploits and Emergent Threats
Boston, MA US, Apr 2009
Mitigating Drive-by Download Attacks: Challenges and Open Problems
In Open Research Problems in Network Security Workshop (iNetSec)
Zurich, CH, Apr 2009
Scalable, Behavior-Based Malware Clustering
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2009
Large-Scale Malware Collection: Lessons Learned
In IEEE SRDS Workshop on Sharing Field Data and Experiment Measurements on Resilience of Distributed Computing Systems
Naples, IT, Oct 2008
Visual-Similarity-Based Phishing Detection
In International Conference on Security and Privacy in Communication Networks (SECURECOMM)
Istanbul, TR, Sep 2008
Expanding Human Interactions for In-Depth Testing of Web Applications
In International Symposium on Recent Advances in Intrusion Detection (RAID)
Boston, MA US, Sep 2008
Overbot - A Botnet Protocol Based on Kademlia
In International Conference on Security and Privacy in Communication Networks (SECURECOMM)
Istanbul, TR, Sep 2008
Are Your Votes Really Counted? Testing the Security of Real-world Voting Systems
In International Symposium on Software Testing and Analysis (ISSTA)
Seattle, WA US, Jul 2008
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
In IEEE Symposium on Security and Privacy
Oakland, CA US, May 2008
The Leurre.com Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet
In WOMBAT Workshop
Amsterdam, NL, Apr 2008
Automatic Network Protocol Analysis
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2008
Secure Input for Web Applications
In Annual Computer Security Applications Conference (ACSAC)
Miami Beach, FL US, Dec 2007
Limits of Static Analysis for Malware Detection
In Annual Computer Security Applications Conference (ACSAC)
Miami Beach, FL US, Dec 2007
Improving Signature Testing Through Dynamic Data Flow Analysis
In Annual Computer Security Applications Conference (ACSAC)
Miami Beach, FL US, Dec 2007
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis
In ACM Conference on Computer and Communications Security (CCS)
Alexandria, VA US, Nov 2007
A Layout-Similarity-Based Approach for Detecting Phishing Pages
In International Conference on Security and Privacy in Communication Networks (SECURECOMM)
Nice, FR, Sep 2007
Exploiting Execution Context for the Detection of Anomalous System Calls
In International Symposium on Recent Advances in Intrusion Detection (RAID)
Gold Coast, QLD AU, Sep 2007
Exploiting Redundancy in Natural Language to Penetrate Bayesian Spam Filters
In USENIX Workshop on Offensive Technologies (WOOT)
Boston, MA US, Aug 2007
On the Effectiveness of Techniques to Detect Phishing Sites
In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Lucerne, CH, Jul 2007
Building Anti-Phishing Browser Plug-Ins: An Experience Report
In Internation Workshop on Software Engineering for Secure Systems
Minneapolis, MN US, May 2007
Exploring Multiple Execution Paths for Malware Analysis
In IEEE Symposium on Security and Privacy
Oakland, CA US, May 2007
Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis
In Network and Distributed Systems Security Symposium (NDSS)
San Diego, CA US, Feb 2007
Extending .NET Security to Unmanaged Code
In Information Security Conference (ISC)
Samos, GR, Sep 2006
Preventing Cross-Site Request Forgery Attacks
In International Conference on Security and Privacy in Communication Networks (SECURECOMM)
Baltimore, MD US, Aug 2006
Using Static Program Analysis to Aid Intrusion Detection
In Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Berlin, DE, Jul 2006
Precise Alias Analysis for Syntactic Detection of Web Application Vulnerabilities
In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
Ottawa, ON CA, Jun 2006
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
In IEEE Symposium on Security and Privacy
Oakland, CA US, May 2006
SecuBat: A Web Vulnerability Scanner
In International World Wide Web Conference (WWW)
Edingurgh, GB, May 2006
Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks
In ACM Symposium on Applied Computing (SAC)
Dijon, FR, Apr 2006
An Anomaly-Driven Reverse Proxy for Web Applications
In ACM Symposium on Applied Computing (SAC)
Dijon, FR, Apr 2006
Protecting Users Against Phishing Attacks
In The Computer Journal, 0(0), 2006
Oxford University Press
TTAnalyze: A Tool for Analyzing Malware
In European Institute for Computer Antivirus Research Conference (EICAR)
Hamburg, DE, Apr 2006
Polymorphic Worm Detection Using Structural Information of Executables
In International Symposium on Recent Advances in Intrusion Detection (RAID)
Seattle, WA US, Sep 2005
Protecting Users Against Phishing Attacks with AntiPhish
In International Computer Software and Applications Conference
Edinburgh, GB, Jul 2005
Automating Mimicry Attacks Using Static Binary Analysis
In USENIX Security Symposium
Baltimore, MD US, Jul 2005