Research Focus
In FIU SecLab, we do empricial research. That is, we focus on building systems to facilitate a data-driven approach to security. The primary goal of our research is to apply this methodology to rigorously analyze the behavior of online attacks and facilitate developing platforms to discover and mitigate emerging threats in a scalable and reliable manner. The problems that we tackle often involve the intersection of society, technology, and security. We seek to create solutions to evaluate the security and privacy implications of new technologies, identify associated threats, and improve the agility of defenders in responding to those threats.
Web and Browser Security
Web browsers have played a key in enabling many of the facinitating services we have over the Web. Over the last 20 years, the Web has changed a lot. The evolved from a set of static web pages to a very dynamic ecosystem that has changed our life and how we interc One of the defining elements of the Web is the ability to link third-party web content. Using third-party content can be viewed as an assertion of trust that the content is benign. This assertion can be violated in several ways, however, due to the dynamic nature of the Web. A common theme of today’s online attacks, which include web-based scams or malicious code distribution, is that adversaries exploit the dynamicity of the Web ecosystem and perform operations that tend to be almost indistinguishable from legitimate behavior. A major thrust of my recent work focuses on improving the security and privacy of online users and restoring their confidence in transactions over the internet. Four recent projects stand out in this thrust as significant examples of my research style.
Malicious Code Research
Automated malware analysis systems (or sandboxes) are one of the most sophisticated tools in the malware research arsenal. These systems execute unknown binaries in an instrumented environment and monitor their execution. An important question is how to build the analysis environment so that the tool reveals the actual behavior of malicious code while resisting evasive attacks that try to fingerprint the analysis environment. As part of an NSF project, I developed an analysis environment, called Unveil, that generates semantically rich traces of malware activity by instrumenting different areas of Windows kernel, making the approach resistant to common anti-analysis fingerprinting techniques. The tool also incorporated a multi-class machine learning model to automatically label different classes of malware families, including 26 different ransomware families. Unveil quickly gained popularity among security professionals and researchers, and had been used as a malware sample repository by security researchers. Unveil analyzed over two million samples for 27 months and created a dataset of more than 280,000 ransomware samples from 26 different families and 132,000 trojans. We shared over 10 TB of data, which was used in 20+ academic papers in the malware research domain. The paper entitled “UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware” appeared in the proceedings of USENIX 2016.