Archive for category Publications

[NDSS 2016] It’s Free for a Reason: Exploring the Ecosystem of Free Live Streaming Services


Abstract: Recent years have seen extensive growth of services enabling free broadcasts of live streams on the Web. Free live streaming (FLIS) services attract millions of viewers and make heavy use of deceptive advertisements. Despite the immense popularity of these services, little is known about the parties that facilitate it and maintain webpages to index links for free viewership.

Coverage: WashingtonTimes, BBC, Fortune, Wired, ITProPorta, TechWeekEurope, BoxCryptor, Anonymous, Trusted Reviews, Advanced Television, After Dawn, Dream Team FC, Anonymous Headquarter, KU-Leuven

Clarification on media quoting me:

“[To watch the stream] users are typically asked (or lured) to install the browser extensions, and once the user installs the extension, it can potentially change any website inside the computer browser (e.g., through ad injection etc.).

So, if a person installs an extension while watching a stream, and then visits a site like (or any other site), these extensions can potentially change the contents of *in the user browser* and can include malicious links.”


[ACSAC 2014] Network Dialog Minimization and Network Dialog Diffing: Two Novel Primitives for Network Security Applications

In this work, we present two fundamental primitives for network security: network dialog minimization and network dialog diffing. Network dialog minimization (NDM) simplifies an original dialog with respect to a goal, so that the minimized dialog when replayed still achieves the goal, but requires minimal network communication, achieving significant time and bandwidth savings. We present network delta debugging, the first technique to solve NDM. Network dialog diffing compares two dialogs, aligns them, and identifies their common and different parts. We propose a novel dialog diffing technique that aligns two dialogs by finding a mapping that maximizes similarity.
We have applied our techniques to 5 applications. We apply our dialog minimization approach for: building drive-by download milkers for 9 exploit kits, integrating them in an infrastructure that has collected over 14,000 malware samples running from a single machine; efficiently measuring the percentage of popular sites that allow cookie replay, finding that 31% do not destroy the server-side state when a user logs out and that 17% provide cookies that live over a month; simplifying a cumbersome user interface, saving our institution 3 hours of time per year and employee; and finding a new vulnerability in a SIP server. We apply our dialog diffing approach for clustering benign (F-Measure = 100%) and malicious (F-Measure = 87.6%) dialogs.

BibTeX:

author = {M. Zubair Rafique and Juan Caballero and Christophe Huygens and Wouter Joosen},
title = {{Network Dialog Minimization and Network Dialog Diffing: Two Novel Primitives for Network Security Applications}},
booktitle = {Proceedings of the 2014 Annual Computer Security Applications Conference},
address = {New Orleans, LA},
month = {December},
year = {2014},


[GECCO 2014] Evolutionary Algorithms for Classification of Malware Families through Different Network Behaviors


[RAID 2013] FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors.


The ever-increasing number of malware families and polymorphic variants creates a pressing need for automatic tools to cluster the collected malware into families and generate behavioral signatures for their detection. Among these, network traffic is a powerful behavioral signature and network signatures are widely used by network administrators. In this paper we present FIRMA, a tool that given a large pool of network traffic obtained by executing unlabeled malware binaries, generates a clustering of the malware binaries into families and a set of network signatures for each family. Compared with prior tools, FIRMA produces network signatures for each of the network behaviors of a family, regardless of the type of traffic the malware uses (e.g., HTTP, IRC, SMTP, TCP, UDP). We have implemented FIRMA and evaluated it on two recent datasets comprising nearly 16,000 unique malware binaries. Our results show that FIRMA’s clustering has very high precision (100% on a labeled dataset) and recall (97.7%). We compare FIRMA’s signatures with manually generated ones, showing that they are as good (often better), while generated in a fraction of the time.

Some Reviews: ICT-Networks
