Research Interests

In the past ten years, the Internet has evolved in terms of both the type of services and applications being deployed and the kind of malicious activity being carried out. Web applications have become tremendously popular, and, nowadays, they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. In addition, the hosts that are compromised by means of vulnerable web applications often become part of large-scale botnets and are used to spread malware (e.g., through drive-by downloads) or to host scam and phishing sites, as black-hat hackers move from "hacking-for-fun to" to "hacking-for-profit."

My research focuses on a number of different topics: how to protect web applications (by finding vulnerabilities before they are deployed and also by detecting web-based attacks), how to detect and block malicious software, and how to develop, test, and evaluate intrusion detection systems.

In addition, my expertise in vulnerability analysis and penetration testing got me involved in two large-scale efforts to evaluate the security of the voting systems in use in California and Ohio.

Below, a description of the current active projects is included.


Malware Analysis

Wepawet: Detection of Web-based Malware

Wepawet combines anomaly detection with emulation to automatically identify malicious JavaScript code and support its analysis. Wepawet uses a number of features and machine-learning techniques to establish the characteristics of normal JavaScript code. Then, during detection, the Wepawet is able to identify anomalous JavaScript code by emulating its behavior and comparing it to the established profiles. In addition to identifying malicious code, the system is able to support the analysis of obfuscated code and generate detection signatures for signature-based systems. The Wepawet system has recently been extended to analyze also Flash files.

Wepawet is available online at

Botnet Analysis

We developed an approach that aims to detect bot-infected hosts, which is independent on the underlying botnet structure, is able to detect individually infected hosts, deals with encrypted communication, does not rely on the presence of noisy malicious activities and can thus detect legitimate-resembling communication patterns, and has a low false positive rate.

Our approach applies clustering techniques on the network flows generated by bot samples to identify periodic behaviors. Our analysis automatically produces a network behavior model of the bot that is deployed on a Bro NIDS sensor, and can operate on real-world networks in real-time.

Web Vulnerability Analysis

WALER: Detection of Logic Vulnerabilities in Web Applications

WALER is a tool to identify application logic vulnerabilities in web applications. These vulnerabilities are specific to the functionality of particular programs, and thus, they are difficult to characterize and identify. WALER infers specifications that capture the intended logic of the program. Then, it performs program analysis to identify code paths that likely violate these specifications, and, thus, indicate the presence of application logic flaws.

MiMoSa: Identification of Multi-step Attacks in Web Applications

MiMoSa is a vulnerability analysis tool for web applications. MiMoSa characterizes both the extended state and the intended workflow of a web application. By doing this, our analysis is able to take into account inter-module relationships as well as the interaction of an application's modules with back-end databases. As a result, it is possible to identify sophisticated multi-step attacks against the application's workflow.

Saner: Analysis of Sanitization Procedures in Web Applications

Saner is a novel approach to the analysis of the sanitization process. Most research on vulnerability analysis has focused on identifying cases in which a web application directly uses external unsanitized input in critical operations. However, little research has been performed to analyze the correctness of the sanitization process itself.

Saner is a tool that combines static and dynamic analysis techniques to identify faulty custom sanitization procedures that can be bypassed by an attacker.

Detection of Web-based Attacks


WebAnomaly is an anomaly-based web application firewall. WebAnomaly uses a number of different statistical models to characterize the normal usage patterns associated with a web application.

More precisely, in a first phase, the models' parameters are learned by observing the users' interactions with the monitored web applications. Then, in a second phase, the models are used to detect anomalous requests. By using machine-learning and anomaly detection techniques WebAnomaly does not need to rely on signature and can detect previously unseen attacks against custom applications.

Swaddler: Anomaly-based Detection of Web State Violations

Swaddler is an approach that characterizes the internal state of an application and learn its relationships with critical points in the application's execution. More precisely, the internal state of the application is monitored during a learning phase. During this phase, the approach derives the profiles that describe the normal values for the application's state variables at specific points in the application's lifetime. Then, during the detection phase, the application's execution is monitored to identify anomalous states.


For a list of current and past students please check out the "People" page of the Seclab site.