HBKU - QCRI
Our Contibutions to Cyber Research Community

2025

  • D. Popovic, A. Sadeghi, T. Yu, S. Chawla, and I. Khalil, Debackdoor: a deductive framework for detecting backdoor attacks on deep models with limited data, 2025.
    [BibTeX] [Download PDF]
    @misc{popovic2025debackdoor,
    title = {DeBackdoor: A Deductive Framework for Detecting Backdoor Attacks on Deep Models with Limited Data},
    author = {Popovic, Dorde and Sadeghi, Amin and Yu, Ting and Chawla, Sanjay and Khalil, Issa},
    year = 2025,
    url = {https://arxiv.org/abs/2503.21305},
    eprint = {2503.21305},
    archiveprefix = {arXiv},
    primaryclass = {cs.CR}
    }
  • F. Deniz, M. Nabeel, T. Yu, and I. Khalil, Mantis: detection of zero-day malicious domains leveraging low reputed hosting infrastructure, 2025.
    [BibTeX] [Download PDF]
    @misc{deniz2025mantis,
    title = {MANTIS: Detection of Zero-Day Malicious Domains Leveraging Low Reputed Hosting Infrastructure},
    author = {Deniz, Fatih and Nabeel, Mohamed and Yu, Ting and Khalil, Issa},
    year = 2025,
    url = {https://arxiv.org/abs/2502.09788},
    eprint = {2502.09788},
    archiveprefix = {arXiv},
    primaryclass = {cs.CR}
    }
  • P. Lai, G. Liu, N. Phan, I. Khalil, A. Khreishah, and X. Wu, A client-level assessment of collaborative backdoor poisoning in non-iid federated learning, 2025.
    [BibTeX] [Download PDF]
    @misc{lai2025clientlevel,
    title = {A Client-level Assessment of Collaborative Backdoor Poisoning in Non-IID Federated Learning},
    author = {Lai, Phung and Liu, Guanxiong and Phan, NhatHai and Khalil, Issa and Khreishah, Abdallah and Wu, Xintao},
    year = 2025,
    url = {https://arxiv.org/abs/2504.12875},
    eprint = {2504.12875},
    archiveprefix = {arXiv},
    primaryclass = {cs.LG}
    }
  • K. Tran, F. Fioretto, I. Khalil, M. T. Thai, L. T. X. Phan, and N. Phan, Fairdp: certified fairness with differential privacy, 2025.
    [BibTeX] [Download PDF]
    @misc{tran2025fairdp,
    title = {FairDP: Certified Fairness with Differential Privacy},
    author = {Tran, Khang and Fioretto, Ferdinando and Khalil, Issa and Thai, My T. and Phan, Linh Thi Xuan and Phan, NhatHai},
    year = 2025,
    url = {https://arxiv.org/abs/2305.16474},
    eprint = {2305.16474},
    archiveprefix = {arXiv},
    primaryclass = {cs.LG}
    }
  • S. Yoosuf, T. Ali, A. Lekssays, M. AlSabah, and I. Khalil, Structtransform: a scalable attack surface for safety-aligned large language models, 2025.
    [BibTeX] [Download PDF]
    @misc{yoosuf2025structtransform,
    title = {StructTransform: A Scalable Attack Surface for Safety-Aligned Large Language Models},
    author = {Yoosuf, Shehel and Ali, Temoor and Lekssays, Ahmed and AlSabah, Mashael and Khalil, Issa},
    year = 2025,
    url = {https://arxiv.org/abs/2502.11853},
    eprint = {2502.11853},
    archiveprefix = {arXiv},
    primaryclass = {cs.LG}
    }

2024

  • S. Thirumuruganathan, F. Deniz, I. Khalil, T. Yu, M. Nabeel, and M. Ouzzani, “Detecting and mitigating sampling bias in cybersecurity with unlabeled data,” in 33rd usenix security symposium (usenix security 24), Philadelphia, PA, 2024, p. 1741–1758.
    [BibTeX] [Download PDF]
    @inproceedings{thirumuruganathan2024detecting,
    title = {Detecting and Mitigating Sampling Bias in Cybersecurity with Unlabeled Data},
    author = {Thirumuruganathan, Saravanan and Deniz, Fatih and Khalil, Issa and Yu, Ting and Nabeel, Mohamed and Ouzzani, Mourad},
    year = 2024,
    month = {aug},
    booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
    publisher = {USENIX Association},
    address = {Philadelphia, PA},
    pages = {1741--1758},
    isbn = {978-1-939133-44-1},
    url = {https://www.usenix.org/conference/usenixsecurity24/presentation/thirumuruganathan}
    }
  • E. Choo, M. Nabeel, D. Kim, R. De Silva, T. Yu, and I. Khalil, “A large scale study and classification of virustotal reports on phishing and malware urls,” Sigmetrics perform. eval. rev., vol. 52, iss. 1, p. 55–56, 2024. doi:10.1145/3673660.3655042
    [BibTeX] [Download PDF]
    @article{choo2024large,
    title = {A Large Scale Study and Classification of VirusTotal Reports on Phishing and Malware URLs},
    author = {Choo, Euijin and Nabeel, Mohamed and Kim, Doowon and De Silva, Ravindu and Yu, Ting and Khalil, Issa},
    year = 2024,
    month = {jun},
    journal = {SIGMETRICS Perform. Eval. Rev.},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    volume = 52,
    number = 1,
    pages = {55--56},
    doi = {10.1145/3673660.3655042},
    issn = {0163-5999},
    url = {https://doi.org/10.1145/3673660.3655042},
    issue_date = {June 2024},
    numpages = 2,
    keywords = {attack type classifier, malicious urls, virustotal measurement}
    }
  • K. Ton, N. Nguyen, M. Nazzal, A. Khreishah, C. Borcea, N. Phan, R. Jin, I. Khalil, and Y. Shen, “Demo: sgcode: a flexible prompt-optimizing system for secure generation of code,” in Proceedings of the 2024 on acm sigsac conference on computer and communications security, New York, NY, USA, 2024, p. 5078–5080. doi:10.1145/3658644.3691367
    [BibTeX] [Download PDF]
    @inproceedings{ton2024sgcode,
    title = {Demo: SGCode: A Flexible Prompt-Optimizing System for Secure Generation of Code},
    author = {Ton, Khiem and Nguyen, Nhi and Nazzal, Mahmoud and Khreishah, Abdallah and Borcea, Cristian and Phan, NhatHai and Jin, Ruoming and Khalil, Issa and Shen, Yelong},
    year = 2024,
    booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security},
    location = {Salt Lake City, UT, USA},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    series = {CCS '24},
    pages = {5078--5080},
    doi = {10.1145/3658644.3691367},
    isbn = 9798400706363,
    url = {https://doi.org/10.1145/3658644.3691367},
    numpages = 3,
    keywords = {demonstration system, llms, prompt optimization, secure code}
    }
  • M. Nazzal, I. Khalil, A. Khreishah, and N. Phan, “Promsec: prompt optimization for secure generation of functional source code with large language models (llms),” in Proceedings of the 2024 on acm sigsac conference on computer and communications security, New York, NY, USA, 2024, p. 2266–2280. doi:10.1145/3658644.3690298
    [BibTeX] [Download PDF]
    @inproceedings{nazzal2024promsec,
    title = {PromSec: Prompt Optimization for Secure Generation of Functional Source Code with Large Language Models (LLMs)},
    author = {Nazzal, Mahmoud and Khalil, Issa and Khreishah, Abdallah and Phan, NhatHai},
    year = 2024,
    booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security},
    location = {Salt Lake City, UT, USA},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    series = {CCS '24},
    pages = {2266--2280},
    doi = {10.1145/3658644.3690298},
    isbn = 9798400706363,
    url = {https://doi.org/10.1145/3658644.3690298},
    numpages = 15,
    keywords = {LLMs, code generation, graph generative adversarial networks, secure and functioning codes}
    }
  • N. Khan, K. Ahmad, A. Al Tamimi, M. M. Alani, A. Bermak, and I. Khalil, Explainable ai-based intrusion detection system for industry 5.0: an overview of the literature, associated challenges, the existing solutions, and potential research directions, 2024.
    [BibTeX] [Download PDF]
    @misc{khan2024explainable,
    title = {Explainable AI-based Intrusion Detection System for Industry 5.0: An Overview of the Literature, associated Challenges, the existing Solutions, and Potential Research Directions},
    author = {Khan, Naseem and Ahmad, Kashif and Al Tamimi, Aref and Alani, Mohammed M. and Bermak, Amine and Khalil, Issa},
    year = 2024,
    url = {https://arxiv.org/abs/2408.03335},
    eprint = {2408.03335},
    archiveprefix = {arXiv},
    primaryclass = {cs.CR}
    }
  • M. Nazzal, I. Khalil, A. Khreishah, N. Phan, and Y. Ma, “Multi-instance adversarial attack on gnn-based malicious domain detection,” in 2024 ieee symposium on security and privacy (sp), 2024, p. 1236–1254. doi:10.1109/SP54263.2024.00006
    [BibTeX]
    @inproceedings{nazzal2024multi,
    title = {Multi-Instance Adversarial Attack on GNN-Based Malicious Domain Detection},
    author = {Nazzal, Mahmoud and Khalil, Issa and Khreishah, Abdallah and Phan, NhatHai and Ma, Yao},
    year = 2024,
    booktitle = {2024 IEEE Symposium on Security and Privacy (SP)},
    pages = {1236--1254},
    doi = {10.1109/SP54263.2024.00006},
    keywords = {Threat modeling, Privacy, Costs, Purification, Perturbation methods, Image edge detection, Graph neural networks, Adversarial attack, malicious domain detection, DNS logs, inference time attack}
    }
  • G. Liu, A. Khreishah, F. Sharadgah, and I. Khalil, “An adaptive black-box defense against trojan attacks (trojdef),” Ieee transactions on neural networks and learning systems, vol. 35, iss. 4, p. 5367–5381, 2024. doi:10.1109/TNNLS.2022.3204283
    [BibTeX]
    @article{liu2024adaptive,
    title = {An Adaptive Black-Box Defense Against Trojan Attacks (TrojDef)},
    author = {Liu, Guanxiong and Khreishah, Abdallah and Sharadgah, Fatima and Khalil, Issa},
    year = 2024,
    journal = {IEEE Transactions on Neural Networks and Learning Systems},
    volume = 35,
    number = 4,
    pages = {5367--5381},
    doi = {10.1109/TNNLS.2022.3204283},
    keywords = {Trojan horses, Training, Predictive models, Closed box, Strips, Artificial neural networks, Feature extraction, Black-box defense, neural network (NN), poisoning attack, Trojan backdoor}
    }

2023

  • E. Choo, M. Nabeel, D. Kim, R. De Silva, T. Yu, and I. Khalil, “A large scale study and classification of virustotal reports on phishing and malware urls,” Proc. acm meas. anal. comput. syst., vol. 7, iss. 3, 2023. doi:10.1145/3626790
    [BibTeX] [Download PDF]
    @article{choo2023large,
    title = {A Large Scale Study and Classification of VirusTotal Reports on Phishing and Malware URLs},
    author = {Choo, Euijin and Nabeel, Mohamed and Kim, Doowon and De Silva, Ravindu and Yu, Ting and Khalil, Issa},
    year = 2023,
    month = {dec},
    journal = {Proc. ACM Meas. Anal. Comput. Syst.},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    volume = 7,
    number = 3,
    doi = {10.1145/3626790},
    url = {https://doi.org/10.1145/3626790},
    issue_date = {December 2023},
    articleno = 59,
    numpages = 26,
    keywords = {malicious URLs, attack type classifier, VirusTotal measurement}
    }
  • E. Choo, M. Nabeel, M. Alsabah, I. Khalil, T. Yu, and W. Wang, “Devicewatch: a data-driven network analysis approach to identifying compromised mobile devices with graph-inference,” Acm transactions on privacy and security, vol. 26, iss. 1, p. 1–32, 2023. doi:10.1145/3558767
    [BibTeX] [Download PDF]
    @article{choo2023devicewatch,
    title = {DeviceWatch: A Data-Driven Network Analysis Approach to Identifying Compromised Mobile Devices with Graph-Inference},
    author = {Choo, Euijin and Nabeel, Mohamed and Alsabah, Mashael and Khalil, Issa and Yu, Ting and Wang, Wei},
    year = 2023,
    month = {feb},
    journal = {ACM Transactions on Privacy and Security},
    volume = 26,
    number = 1,
    pages = {1--32},
    doi = {10.1145/3558767},
    issn = {2471-2566, 2471-2574},
    url = {https://dl.acm.org/doi/10.1145/3558767}
    }
  • E. Altinisik, F. Deniz, and H. T. Sencar, “ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search,” in Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, Copenhagen Denmark, 2023, p. 2247–2261. doi:10.1145/3576915.3623187
    [BibTeX] [Download PDF]
    @inproceedings{altinisik_provg-searcher:_2023,
    address = {Copenhagen Denmark},
    title = {{ProvG}-{Searcher}: {A} {Graph} {Representation} {Learning} {Approach} for {Efficient} {Provenance} {Graph} {Search}},
    isbn = {9798400700507},
    shorttitle = {{ProvG}-{Searcher}},
    url = {https://dl.acm.org/doi/10.1145/3576915.3623187},
    doi = {10.1145/3576915.3623187},
    language = {en},
    urldate = {2025-04-24},
    booktitle = {Proceedings of the 2023 {ACM} {SIGSAC} {Conference} on {Computer} and {Communications} {Security}},
    publisher = {ACM},
    author = {Altinisik, Enes and Deniz, Fatih and Sencar, Hüsrev Taha},
    month = nov,
    year = {2023},
    pages = {2247--2261},
    }
  • Y. Boshmaf, I. Perera, U. Kumarasinghe, S. Liyanage, and H. Al Jawaheri, “Dizzy: Large-Scale Crawling and Analysis of Onion Services,” in Proceedings of the 18th International Conference on Availability, Reliability and Security, Benevento Italy, 2023, p. 1–11. doi:10.1145/3600160.3600167
    [BibTeX] [Download PDF]
    @inproceedings{boshmaf_dizzy:_2023,
    address = {Benevento Italy},
    title = {Dizzy: {Large}-{Scale} {Crawling} and {Analysis} of {Onion} {Services}},
    isbn = {9798400707728},
    shorttitle = {Dizzy},
    url = {https://dl.acm.org/doi/10.1145/3600160.3600167},
    doi = {10.1145/3600160.3600167},
    language = {en},
    urldate = {2025-04-24},
    booktitle = {Proceedings of the 18th {International} {Conference} on {Availability}, {Reliability} and {Security}},
    publisher = {ACM},
    author = {Boshmaf, Yazan and Perera, Isuranga and Kumarasinghe, Udesh and Liyanage, Sajitha and Al Jawaheri, Husam},
    month = aug,
    year = {2023},
    pages = {1--11},
    }
  • P. Lai, N. Phan, I. Khalil, A. Khreishah, and X. Wu, How to backdoor hypernetwork in personalized federated learning?, 2023.
    [BibTeX] [Download PDF]
    @misc{lai2023backdoor,
    title = {How to Backdoor HyperNetwork in Personalized Federated Learning?},
    author = {Lai, Phung and Phan, NhatHai and Khalil, Issa and Khreishah, Abdallah and Wu, Xintao},
    year = 2023,
    url = {https://arxiv.org/abs/2201.07063},
    eprint = {2201.07063},
    archiveprefix = {arXiv},
    primaryclass = {cs.LG}
    }

2022

  • M. AlSabah, M. Nabeel, Y. Boshmaf, and E. Choo, “Content-agnostic detection of phishing domains using certificate transparency and passive dns,” in 25th international symposium on research in attacks, intrusions and defenses, Limassol, Cyprus, 2022, p. 446–459. doi:10.1145/3545948.3545958
    [BibTeX] [Download PDF]
    @inproceedings{alsabah2022content,
    title = {Content-Agnostic Detection of Phishing Domains using Certificate Transparency and Passive DNS},
    author = {AlSabah, Mashael and Nabeel, Mohamed and Boshmaf, Yazan and Choo, Euijin},
    year = 2022,
    month = {oct},
    booktitle = {25th International Symposium on Research in Attacks, Intrusions and Defenses},
    publisher = {ACM},
    address = {Limassol, Cyprus},
    pages = {446--459},
    doi = {10.1145/3545948.3545958},
    isbn = 9781450397049,
    url = {https://dl.acm.org/doi/10.1145/3545948.3545958}
    }
  • E. Altinisik, H. T. Sencar, and D. Tabaa, Video source characterization using encoding and encapsulation characteristicsArxiv, 2022.
    [BibTeX] [Download PDF]
    @misc{altinisik2022video,
    title = {Video Source Characterization Using Encoding and Encapsulation Characteristics},
    author = {Altinisik, Enes and Sencar, Husrev Taha and Tabaa, Diram},
    year = 2022,
    month = {aug},
    publisher = {arXiv},
    url = {http://arxiv.org/abs/2201.02949},
    note = {arXiv:2201.02949 [cs]},
    keywords = {Computer Science - Cryptography and Security, Computer Science - Multimedia}
    }
  • M. Abdallah, D. Woods, P. Naghizadeh, I. Khalil, T. Cason, S. Sundaram, and S. Bagchi, “Tasharok: using mechanism design for enhancing security resource allocation in interdependent systems,” in 2022 ieee symposium on security and privacy (sp), San Francisco, CA, USA, 2022, p. 249–266. doi:10.1109/SP46214.2022.9833591
    [BibTeX] [Download PDF]
    @inproceedings{abdallah2022tasharok,
    title = {TASHAROK: Using Mechanism Design for Enhancing Security Resource Allocation in Interdependent Systems},
    author = {Abdallah, Mustafa and Woods, Daniel and Naghizadeh, Parinaz and Khalil, Issa and Cason, Timothy and Sundaram, Shreyas and Bagchi, Saurabh},
    year = 2022,
    month = {may},
    booktitle = {2022 IEEE Symposium on Security and Privacy (SP)},
    publisher = {IEEE},
    address = {San Francisco, CA, USA},
    pages = {249--266},
    doi = {10.1109/SP46214.2022.9833591},
    isbn = 9781665413169,
    url = {https://ieeexplore.ieee.org/document/9833591/}
    }
  • S. Thirumuruganathan, M. Nabeel, E. Choo, I. Khalil, and T. Yu, “Siraj: a unified framework for aggregation of malicious entity detectors,” in 2022 ieee symposium on security and privacy (sp), San Francisco, CA, USA, 2022, p. 507–521. doi:10.1109/SP46214.2022.9833725
    [BibTeX] [Download PDF]
    @inproceedings{thirumuruganathan2022siraj,
    title = {SIRAJ: A Unified Framework for Aggregation of Malicious Entity Detectors},
    author = {Thirumuruganathan, Saravanan and Nabeel, Mohamed and Choo, Euijin and Khalil, Issa and Yu, Ting},
    year = 2022,
    month = {may},
    booktitle = {2022 IEEE Symposium on Security and Privacy (SP)},
    publisher = {IEEE},
    address = {San Francisco, CA, USA},
    pages = {507--521},
    doi = {10.1109/SP46214.2022.9833725},
    isbn = 9781665413169,
    url = {https://ieeexplore.ieee.org/document/9833725/}
    }
  • S. Vidyakeerthi, M. Nabeel, C. Elvitigala, and C. Keppitiyagama, “Demo: phishchain: a decentralized and transparent system to blacklist phishing urls,” in Companion proceedings of the web conference 2022, Virtual Event, Lyon, France, 2022, p. 286–289. doi:10.1145/3487553.3524235
    [BibTeX] [Download PDF]
    @inproceedings{vidyakeerthi2022demo,
    title = {Demo: PhishChain: A Decentralized and Transparent System to Blacklist Phishing URLs},
    author = {Vidyakeerthi, Shehan and Nabeel, Mohamed and Elvitigala, Charith and Keppitiyagama, Chamath},
    year = 2022,
    month = {apr},
    booktitle = {Companion Proceedings of the Web Conference 2022},
    publisher = {ACM},
    address = {Virtual Event, Lyon, France},
    pages = {286--289},
    doi = {10.1145/3487553.3524235},
    isbn = 9781450391306,
    url = {https://dl.acm.org/doi/10.1145/3487553.3524235}
    }
  • P. Dodia, M. AlSabah, O. Alrawi, and T. Wang, “Exposing the rat in the tunnel: using traffic analysis for tor-based malware detection,” in Proceedings of the 2022 acm sigsac conference on computer and communications security, New York, NY, USA, 2022, p. 875–889. doi:10.1145/3548606.3560604
    [BibTeX] [Abstract] [Download PDF]
    Tor~citetor is the most widely used anonymous communication network with millions of daily users~citetormetrics. Since Tor provides server and client anonymity, hundreds of malware binaries found in the wild rely on it to hide their presence and hinder Command & Control (C&C) takedown operations. We believe Tor is a paramount tool enabling online freedom and privacy, and blocking it to defend against such malware is infeasible for both users and organizations. In this work, we present effective traffic analysis approaches that can accurately identify Tor-based malware communication. We collect hundreds of Tor-based malware binaries, execute and examine more than 47,000 active encrypted malware connections and compare them with benign browsing traffic. In addition to traditional traffic analysis features (which work at the connection level), we propose global host-level network features to capture peculiar malware communication fingerprints across host logs. Our experiments confirm that our models are able to detect “zero-day” malware connections with 0.7\% FPR even when malware connections constitute less than 5\% of Tor traces in the test set. Using multi-labeling approaches, we are able to accurately detect the malware behavior-based classes (grayware, ransomware, etc). Finally, we evaluate the robustness of our models on real-world enterprise logs and show that the classifiers can identify infected hosts even with missing features.
    @inproceedings{10.1145/3548606.3560604,
    author = {Dodia, Priyanka and AlSabah, Mashael and Alrawi, Omar and Wang, Tao},
    title = {Exposing the Rat in the Tunnel: Using Traffic Analysis for Tor-based Malware Detection},
    year = {2022},
    isbn = {9781450394505},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3548606.3560604},
    doi = {10.1145/3548606.3560604},
    abstract = {Tor~citetor is the most widely used anonymous communication network with millions of daily users~citetormetrics. Since Tor provides server and client anonymity, hundreds of malware binaries found in the wild rely on it to hide their presence and hinder Command \& Control (C&C) takedown operations. We believe Tor is a paramount tool enabling online freedom and privacy, and blocking it to defend against such malware is infeasible for both users and organizations. In this work, we present effective traffic analysis approaches that can accurately identify Tor-based malware communication. We collect hundreds of Tor-based malware binaries, execute and examine more than 47,000 active encrypted malware connections and compare them with benign browsing traffic. In addition to traditional traffic analysis features (which work at the connection level), we propose global host-level network features to capture peculiar malware communication fingerprints across host logs. Our experiments confirm that our models are able to detect "zero-day'' malware connections with 0.7\% FPR even when malware connections constitute less than 5\% of Tor traces in the test set. Using multi-labeling approaches, we are able to accurately detect the malware behavior-based classes (grayware, ransomware, etc). Finally, we evaluate the robustness of our models on real-world enterprise logs and show that the classifiers can identify infected hosts even with missing features.},
    booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
    pages = {875–889},
    numpages = {15},
    keywords = {traffic analysis, tor, malware},
    location = {Los Angeles, CA, USA},
    series = {CCS '22}
    }
  • M. AlSabah, M. Nabeel, Y. Boshmaf, and E. Choo, “Content-agnostic detection of phishing domains using certificate transparency and passive dns,” in Proceedings of the 25th international symposium on research in attacks, intrusions and defenses, New York, NY, USA, 2022, p. 446–459. doi:10.1145/3545948.3545958
    [BibTeX] [Abstract] [Download PDF]
    Existing phishing detection techniques mainly rely on blacklists or content-based analysis, which are not only evadable, but also exhibit considerable detection delays as they are reactive in nature. We observe through our deep dive analysis that artifacts of phishing are manifested in various sources of intelligence related to a domain even before its contents are online. In particular, we study various novel patterns and characteristics computed from viable sources of data including Certificate Transparency Logs, and passive DNS records. To compare benign and phishing domains, we construct thoroughly-verified realistic benign and phishing datasets. Our analysis shows clear differences between benign and phishing domains that can pave the way for content-agnostic approaches to predict phishing domains even before the contents of these webpages are up and running. To demonstrate the usefulness of our analysis, we train a classifier with distinctive features, and we show that we can (1) perform content-agnostic predictions with a very low FPR of 0.3\%, and high precision (98\%) and recall (90\%), and (2) predict phishing domains days before they are discovered by state-of-the-art content-based tools such as VirusTotal.
    @inproceedings{10.1145/3545948.3545958,
    title = {Content-Agnostic Detection of Phishing Domains using Certificate Transparency and Passive DNS},
    author = {AlSabah, Mashael and Nabeel, Mohamed and Boshmaf, Yazan and Choo, Euijin},
    year = 2022,
    booktitle = {Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses},
    location = {Limassol, Cyprus},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    series = {RAID '22},
    pages = {446–459},
    doi = {10.1145/3545948.3545958},
    isbn = 9781450397049,
    url = {https://doi.org/10.1145/3545948.3545958},
    abstract = {Existing phishing detection techniques mainly rely on blacklists or content-based analysis, which are not only evadable, but also exhibit considerable detection delays as they are reactive in nature. We observe through our deep dive analysis that artifacts of phishing are manifested in various sources of intelligence related to a domain even before its contents are online. In particular, we study various novel patterns and characteristics computed from viable sources of data including Certificate Transparency Logs, and passive DNS records. To compare benign and phishing domains, we construct thoroughly-verified realistic benign and phishing datasets. Our analysis shows clear differences between benign and phishing domains that can pave the way for content-agnostic approaches to predict phishing domains even before the contents of these webpages are up and running. To demonstrate the usefulness of our analysis, we train a classifier with distinctive features, and we show that we can (1) perform content-agnostic predictions with a very low FPR of 0.3\%, and high precision (98\%) and recall (90\%), and (2) predict phishing domains days before they are discovered by state-of-the-art content-based tools such as VirusTotal.},
    numpages = 14,
    keywords = {phishing domains detection, passive DNS, machine learning, certificate transparency}
    }
  • K. Tran, P. Lai, N. Phan, I. Khalil, Y. Ma, A. Khreishah, M. T. Thai, and X. Wu, “Heterogeneous randomized response for differential privacy in graph neural networks,” in 2022 ieee international conference on big data (big data), 2022, p. 1582–1587. doi:10.1109/BigData55660.2022.10020501
    [BibTeX]
    @inproceedings{tran2022heterogeneous,
    title = {Heterogeneous Randomized Response for Differential Privacy in Graph Neural Networks},
    author = {Tran, Khang and Lai, Phung and Phan, NhatHai and Khalil, Issa and Ma, Yao and Khreishah, Abdallah and Thai, My T. and Wu, Xintao},
    year = 2022,
    booktitle = {2022 IEEE International Conference on Big Data (Big Data)},
    pages = {1582--1587},
    doi = {10.1109/BigData55660.2022.10020501},
    keywords = {Training, Resistance, Differential privacy, Privacy, Sensitivity, Image edge detection, Big Data, differential privacy, GNNs, privacy inference}
    }

2021

  • M. Nabeel, E. Altinisik, H. Sun, I. Khalil, H. Wang, and T. Yu, “Cadue: content-agnostic detection of unwanted emails for enterprise security,” in 24th international symposium on research in attacks, intrusions and defenses, San Sebastian, Spain, 2021, p. 205–219. doi:10.1145/3471621.3471862
    [BibTeX] [Download PDF]
    @inproceedings{nabeel2021cadue,
    title = {CADUE: Content-Agnostic Detection of Unwanted Emails for Enterprise Security},
    author = {Nabeel, Mohamed and Altinisik, Enes and Sun, Haipei and Khalil, Issa and Wang, Hui and Yu, Ting},
    year = 2021,
    month = {oct},
    booktitle = {24th International Symposium on Research in Attacks, Intrusions and Defenses},
    publisher = {ACM},
    address = {San Sebastian, Spain},
    pages = {205--219},
    doi = {10.1145/3471621.3471862},
    isbn = 9781450390583,
    url = {https://dl.acm.org/doi/10.1145/3471621.3471862}
    }
  • L. Yuan, E. Choo, T. Yu, I. Khalil, and S. Zhu, “Time-window based group-behavior supported method for accurate detection of anomalous users,” in 2021 51st annual ieee/ifip international conference on dependable systems and networks (dsn), Taipei, Taiwan, 2021, p. 250–262. doi:10.1109/DSN48987.2021.00038
    [BibTeX] [Download PDF]
    @inproceedings{yuan2021time,
    title = {Time-Window Based Group-Behavior Supported Method for Accurate Detection of Anomalous Users},
    author = {Yuan, Lun-Pin and Choo, Euijin and Yu, Ting and Khalil, Issa and Zhu, Sencun},
    year = 2021,
    month = {jun},
    booktitle = {2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)},
    publisher = {IEEE},
    address = {Taipei, Taiwan},
    pages = {250--262},
    doi = {10.1109/DSN48987.2021.00038},
    isbn = 9781665435727,
    url = {https://ieeexplore.ieee.org/document/9505123/}
    }
  • M. Abdallah, D. Woods, P. Naghizadeh, I. Khalil, T. Cason, S. Sundaram, and S. Bagchi, “Morshed: guiding behavioral decision-makers towards better security investment in interdependent systems,” in Proceedings of the 2021 acm asia conference on computer and communications security, Virtual Event, Hong Kong, 2021, p. 378–392. doi:10.1145/3433210.3437534
    [BibTeX] [Download PDF]
    @inproceedings{abdallah2021morshed,
    title = {Morshed: Guiding Behavioral Decision-Makers towards Better Security Investment in Interdependent Systems},
    author = {Abdallah, Mustafa and Woods, Daniel and Naghizadeh, Parinaz and Khalil, Issa and Cason, Timothy and Sundaram, Shreyas and Bagchi, Saurabh},
    year = 2021,
    month = {may},
    booktitle = {Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security},
    publisher = {ACM},
    address = {Virtual Event, Hong Kong},
    pages = {378--392},
    doi = {10.1145/3433210.3437534},
    isbn = 9781450382878,
    url = {https://dl.acm.org/doi/10.1145/3433210.3437534}
    }
  • P. Xia, M. Nabeel, I. Khalil, H. Wang, and T. Yu, “Identifying and characterizing covid-19 themed malicious domain campaigns,” in Proceedings of the eleventh acm conference on data and application security and privacy, Virtual Event, USA, 2021, p. 209–220. doi:10.1145/3422337.3447840
    [BibTeX] [Download PDF]
    @inproceedings{xia2021identifying,
    title = {Identifying and Characterizing COVID-19 Themed Malicious Domain Campaigns},
    author = {Xia, Pengcheng and Nabeel, Mohamed and Khalil, Issa and Wang, Haoyu and Yu, Ting},
    year = 2021,
    month = {apr},
    booktitle = {Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy},
    publisher = {ACM},
    address = {Virtual Event, USA},
    pages = {209--220},
    doi = {10.1145/3422337.3447840},
    isbn = 9781450381437,
    url = {https://dl.acm.org/doi/10.1145/3422337.3447840}
    }
  • E. Altinisik, K. Tasdemir, and H. T. Sencar, “Prnu estimation from encoded videos using block-based weighting,” Electronic imaging, vol. 33, iss. 4, p. 338–1–338–7, 2021. doi:10.2352/ISSN.2470-1173.2021.4.MWSF-338
    [BibTeX] [Download PDF]
    @article{altinisik2021prnu,
    title = {PRNU Estimation from Encoded Videos Using Block-Based Weighting},
    author = {Altinisik, Enes and Tasdemir, Kasim and Sencar, H{\"u}srev Taha},
    year = 2021,
    month = {jan},
    journal = {Electronic Imaging},
    volume = 33,
    number = 4,
    pages = {338--1--338--7},
    doi = {10.2352/ISSN.2470-1173.2021.4.MWSF-338},
    issn = {2470-1173},
    url = {https://library.imaging.org/ei/articles/33/4/art00014}
    }
  • N. He, R. Zhang, H. Wang, L. Wu, X. Luo, Y. Guo, T. Yu, and X. Jiang, “Eosafe: security analysis of eosio smart contracts,” in 30th usenix security symposium (usenix security 21), 2021, p. 1271–1288.
    [BibTeX] [Download PDF]
    @inproceedings{he2021eosafe,
    title = {EOSAFE: Security Analysis of EOSIO Smart Contracts},
    author = {He, Ningyu and Zhang, Ruiyi and Wang, Haoyu and Wu, Lei and Luo, Xiapu and Guo, Yao and Yu, Ting and Jiang, Xuxian},
    year = 2021,
    booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
    pages = {1271--1288},
    isbn = 9781939133243,
    url = {https://www.usenix.org/conference/usenixsecurity21/presentation/he-ningyu}
    }
  • E. Altinisik and H. T. Sencar, “Source camera verification for strongly stabilized videos,” Ieee transactions on information forensics and security, vol. 16, p. 643–657, 2021. doi:10.1109/TIFS.2020.3016830
    [BibTeX] [Download PDF]
    @article{altinisik2021source,
    title = {Source Camera Verification for Strongly Stabilized Videos},
    author = {Altinisik, Enes and Sencar, Husrev Taha},
    year = 2021,
    journal = {IEEE Transactions on Information Forensics and Security},
    volume = 16,
    pages = {643--657},
    doi = {10.1109/TIFS.2020.3016830},
    issn = {1556-6013, 1556-6021},
    url = {https://ieeexplore.ieee.org/document/9169924/}
    }
  • E. Altinisik and H. T. Sencar, “Automatic generation of h.264 parameter sets to recover video file fragments,” Ieee transactions on information forensics and security, vol. 16, p. 4857–4868, 2021. doi:10.1109/TIFS.2021.3118876
    [BibTeX] [Download PDF]
    @article{altinisik2021automatic,
    title = {Automatic Generation of H.264 Parameter Sets to Recover Video File Fragments},
    author = {Altinisik, Enes and Sencar, Husrev Taha},
    year = 2021,
    journal = {IEEE Transactions on Information Forensics and Security},
    volume = 16,
    pages = {4857--4868},
    doi = {10.1109/TIFS.2021.3118876},
    issn = {1556-6013, 1556-6021},
    url = {https://ieeexplore.ieee.org/document/9568891/}
    }

2020

  • M. Nabeel, I. M. Khalil, B. Guan, and T. Yu, “Following passive dns traces to detect stealthy malicious domains via graph inference,” Acm transactions on privacy and security, vol. 23, iss. 4, p. 1–36, 2020. doi:10.1145/3401897
    [BibTeX] [Download PDF]
    @article{nabeel2020following,
    title = {Following Passive DNS Traces to Detect Stealthy Malicious Domains Via Graph Inference},
    author = {Nabeel, Mohamed and Khalil, Issa M. and Guan, Bei and Yu, Ting},
    year = 2020,
    month = {nov},
    journal = {ACM Transactions on Privacy and Security},
    volume = 23,
    number = 4,
    pages = {1--36},
    doi = {10.1145/3401897},
    issn = {2471-2566, 2471-2574},
    url = {https://dl.acm.org/doi/10.1145/3401897}
    }
  • Y. Boshmaf, C. Elvitigala, H. Al Jawaheri, P. Wijesekera, and M. Al Sabah, “Investigating mmm ponzi scheme on bitcoin,” in Proceedings of the 15th acm asia conference on computer and communications security, Taipei, Taiwan, 2020, p. 519–530. doi:10.1145/3320269.3384719
    [BibTeX] [Download PDF]
    @inproceedings{boshmaf2020investigating,
    title = {Investigating MMM Ponzi Scheme on Bitcoin},
    author = {Boshmaf, Yazan and Elvitigala, Charitha and Al Jawaheri, Husam and Wijesekera, Primal and Al Sabah, Mashael},
    year = 2020,
    month = {oct},
    booktitle = {Proceedings of the 15th ACM Asia Conference on Computer and Communications Security},
    publisher = {ACM},
    address = {Taipei, Taiwan},
    pages = {519--530},
    doi = {10.1145/3320269.3384719},
    isbn = 9781450367509,
    url = {https://dl.acm.org/doi/10.1145/3320269.3384719}
    }
  • H. A. Jawaheri, M. A. Sabah, Y. Boshmaf, and A. Erbad, “Deanonymizing tor hidden service users through bitcoin transactions analysis,” Computers & security, vol. 89, p. 101684, 2020. doi:10.1016/j.cose.2019.101684
    [BibTeX] [Download PDF]
    @article{jawaheri2020deanonymizing,
    title = {Deanonymizing Tor hidden service users through Bitcoin transactions analysis},
    author = {Jawaheri, Husam Al and Sabah, Mashael Al and Boshmaf, Yazan and Erbad, Aiman},
    year = 2020,
    month = {feb},
    journal = {Computers \& Security},
    volume = 89,
    pages = 101684,
    doi = {10.1016/j.cose.2019.101684},
    issn = {01674048},
    url = {https://linkinghub.elsevier.com/retrieve/pii/S0167404818309908}
    }
  • H. A. Jawaheri, M. A. Sabah, Y. Boshmaf, and A. Erbad, “Deanonymizing tor hidden service users through bitcoin transactions analysis,” Computers & security, vol. 89, p. 101684, 2020. doi:https://doi.org/10.1016/j.cose.2019.101684
    [BibTeX] [Abstract] [Download PDF]
    With the rapid increase of threats on the Internet, people are continuously seeking privacy and anonymity. Services such as Bitcoin and Tor were introduced to provide anonymity for online transactions and Web browsing. Due to its pseudonymity model, Bitcoin lacks retroactive operational security, which means historical pieces of information could be used to identify a certain user. By exploiting publicly available information, we show how relying on Bitcoin for payments on Tor hidden services could lead to deanonymization of these services’ users. Such linking is possible by finding at least one past transaction in the Blockchain that involves their publicly declared Bitcoin addresses. To demonstrate the consequences of this deanonymization approach, we carried out a real-world experiment simulating a passive, limited adversary. We crawled 1.5K hidden services and collected 88 unique and active Bitcoin addresses. We then crawled 5B tweets and 1M BitcoinTalk forum pages and collected 4.2K and 41K unique Bitcoin addresses, respectively. Each user address was associated with an online identity along with its public profile information. By analyzing the transactions in the Blockchain, we were able to link 125 unique users to 20 hidden services, including sensitive ones, such as The Pirate Bay and Silk Road. We also analyzed two case studies in detail to demonstrate the implications of the information leakage on users anonymity. In particular, we confirm that Bitcoin addresses should be considered exploitable, as they can be used to deanonymize users retroactively. This is especially important for Tor hidden service users who actively seek and expect privacy and anonymity.
    @article{JAWAHERI2020101684,
    title = {Deanonymizing Tor hidden service users through Bitcoin transactions analysis},
    author = {Husam Al Jawaheri and Mashael Al Sabah and Yazan Boshmaf and Aiman Erbad},
    year = 2020,
    journal = {Computers & Security},
    volume = 89,
    pages = 101684,
    doi = {https://doi.org/10.1016/j.cose.2019.101684},
    issn = {0167-4048},
    url = {https://www.sciencedirect.com/science/article/pii/S0167404818309908},
    keywords = {Bitcoin, Tor hidden services, Privacy, Deanonymization, Attack},
    abstract = {With the rapid increase of threats on the Internet, people are continuously seeking privacy and anonymity. Services such as Bitcoin and Tor were introduced to provide anonymity for online transactions and Web browsing. Due to its pseudonymity model, Bitcoin lacks retroactive operational security, which means historical pieces of information could be used to identify a certain user. By exploiting publicly available information, we show how relying on Bitcoin for payments on Tor hidden services could lead to deanonymization of these services’ users. Such linking is possible by finding at least one past transaction in the Blockchain that involves their publicly declared Bitcoin addresses. To demonstrate the consequences of this deanonymization approach, we carried out a real-world experiment simulating a passive, limited adversary. We crawled 1.5K hidden services and collected 88 unique and active Bitcoin addresses. We then crawled 5B tweets and 1M BitcoinTalk forum pages and collected 4.2K and 41K unique Bitcoin addresses, respectively. Each user address was associated with an online identity along with its public profile information. By analyzing the transactions in the Blockchain, we were able to link 125 unique users to 20 hidden services, including sensitive ones, such as The Pirate Bay and Silk Road. We also analyzed two case studies in detail to demonstrate the implications of the information leakage on users anonymity. In particular, we confirm that Bitcoin addresses should be considered exploitable, as they can be used to deanonymize users retroactively. This is especially important for Tor hidden service users who actively seek and expect privacy and anonymity.}
    }
  • E. Altinisik, K. Tasdemir, and H. T. Sencar, “Mitigation of h.264 and h.265 video compression for reliable prnu estimation,” Ieee transactions on information forensics and security, vol. 15, p. 1557–1571, 2020. doi:10.1109/TIFS.2019.2945190
    [BibTeX] [Download PDF]
    @article{altinisik2020mitigation,
    title = {Mitigation of H.264 and H.265 Video Compression for Reliable PRNU Estimation},
    author = {Altinisik, Enes and Tasdemir, Kasim and Sencar, Husrev Taha},
    year = 2020,
    journal = {IEEE Transactions on Information Forensics and Security},
    volume = 15,
    pages = {1557--1571},
    doi = {10.1109/TIFS.2019.2945190},
    issn = {1556-6013, 1556-6021},
    url = {https://ieeexplore.ieee.org/document/8854840/}
    }
  • E. Uzun and H. T. Sencar, “Jpgscraper: an advanced carver for jpeg files,” Ieee transactions on information forensics and security, vol. 15, p. 1846–1857, 2020. doi:10.1109/TIFS.2019.2953382
    [BibTeX] [Download PDF]
    @article{uzun2020jpgscraper,
    title = {JPGScraper: An Advanced Carver for JPEG Files},
    author = {Uzun, Erkam and Sencar, Husrev Taha},
    year = 2020,
    journal = {IEEE Transactions on Information Forensics and Security},
    volume = 15,
    pages = {1846--1857},
    doi = {10.1109/TIFS.2019.2953382},
    issn = {1556-6013, 1556-6021},
    url = {https://ieeexplore.ieee.org/document/8897606/}
    }

2019

  • Y. Zhauniarovich, I. Khalil, T. Yu, and M. Dacier, “A survey on malicious domains detection through dns data analysis,” Acm computing surveys, vol. 51, iss. 4, p. 1–36, 2019. doi:10.1145/3191329
    [BibTeX] [Download PDF]
    @article{zhauniarovich2019survey,
    title = {A Survey on Malicious Domains Detection through DNS Data Analysis},
    author = {Zhauniarovich, Yury and Khalil, Issa and Yu, Ting and Dacier, Marc},
    year = 2019,
    month = {jul},
    journal = {ACM Computing Surveys},
    volume = 51,
    number = 4,
    pages = {1--36},
    doi = {10.1145/3191329},
    issn = {0360-0300, 1557-7341},
    url = {https://dl.acm.org/doi/10.1145/3191329}
    }
  • Y. Boshmaf, H. A. Jawaheri, and M. A. Sabah, Blocktag: design and applications of a tagging system for blockchain analysisArxiv, 2019.
    [BibTeX] [Download PDF]
    @misc{boshmaf2019blocktag,
    title = {BlockTag: Design and applications of a tagging system for blockchain analysis},
    author = {Boshmaf, Yazan and Jawaheri, Husam Al and Sabah, Mashael Al},
    year = 2019,
    month = {jul},
    publisher = {arXiv},
    url = {http://arxiv.org/abs/1809.06044},
    note = {arXiv:1809.06044 [cs]},
    keywords = {Computer Science - Cryptography and Security}
    }

2018

  • I. M. Khalil, B. Guan, M. Nabeel, and T. Yu, “A domain is only as good as its buddies: detecting stealthy malicious domains via graph inference,” in Proceedings of the eighth acm conference on data and application security and privacy, Tempe, AZ, USA, 2018, p. 330–341. doi:10.1145/3176258.3176329
    [BibTeX] [Download PDF]
    @inproceedings{khalil2018domain,
    title = {A Domain is only as Good as its Buddies: Detecting Stealthy Malicious Domains via Graph Inference},
    author = {Khalil, Issa M. and Guan, Bei and Nabeel, Mohamed and Yu, Ting},
    year = 2018,
    month = {mar},
    booktitle = {Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy},
    publisher = {ACM},
    address = {Tempe, AZ, USA},
    pages = {330--341},
    doi = {10.1145/3176258.3176329},
    isbn = 9781450356329,
    url = {https://dl.acm.org/doi/10.1145/3176258.3176329}
    }

2016

  • I. Khalil, T. Yu, and B. Guan, “Discovering malicious domains through passive dns data graph analysis,” in Proceedings of the 11th acm on asia conference on computer and communications security, Xi’an, China, 2016, p. 663–674. doi:10.1145/2897845.2897877
    [BibTeX] [Download PDF]
    @inproceedings{khalil2016discovering,
    title = {Discovering Malicious Domains through Passive DNS Data Graph Analysis},
    author = {Khalil, Issa and Yu, Ting and Guan, Bei},
    year = 2016,
    month = {may},
    booktitle = {Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security},
    publisher = {ACM},
    address = {Xi'an, China},
    pages = {663--674},
    doi = {10.1145/2897845.2897877},
    isbn = 9781450342339,
    url = {https://dl.acm.org/doi/10.1145/2897845.2897877}
    }