Publications
BinHunt: Automatically Finding Semantic Differences in Binary Programs
TLDR: We introduce BinHunt, a novel technique for finding semantic differences in binary programs using a new graph isomorphism technique, symbolic execution and theorem proving.
Gray-box extraction of execution graphs for anomaly detection
TLDR: In this paper we introduce a new model of system call behavior, called an execution graph.
On Challenges in Evaluating Malware Clustering
TLDR: In this paper, we report the results of our attempt to confirm our conjecture that the method of selecting ground-truth data in prior evaluations biases their results toward high accuracy.
On Gray-Box Program Tracking for Anomaly Detection
TLDR: We show that prior approaches can be organized along three axes, revealing new possibilities for system-call-based program tracking, including some that outperform previous approaches.
Behavioral Distance for Intrusion Detection
TLDR: We introduce a notion, behavioral distance, for evaluating the extent to which processes—potentially running different programs and executing on different platforms—behave similarly in response to a common input.
I can be You: Questioning the use of Keystroke Dynamics as Biometrics
TLDR: We show that even for targets whose typing patterns are only partially known, training with Mimesis allows attackers to defeat one of the best anomaly detection engines using keystroke biometrics.
Behavioral Distance Measurement Using Hidden Markov Models
TLDR: We propose a new approach to behavioral distance calculation using a new type of Hidden Markov Model that detects intrusions with substantially greater accuracy and with performance overhead comparable to that of prior proposals.
MobiPot: Understanding Mobile Telephony Threats with Honeycards
TLDR: In this paper, we introduce and deploy the first mobile phone honeypot, called MobiPot, that allows us to collect fraudulent calls and SMS messages.
Software Watermarking using Return-Oriented Programming
TLDR: We propose a novel dynamic software watermarking design based on Return-Oriented Programming (ROP), a well-known software exploit technique that works surprisingly well.
Beyond Output Voting: Detecting Compromised Replicas Using HMM-Based Behavioral Distance
TLDR: In this paper, we present a novel approach to behavioral distance measurement using a new type of hidden Markov model, and present an architecture realizing this new approach.