AMIN KHARRAZ

Postdoctoral Researcher
kharraz[AT]illinois[DOT]edu

CONTACT

445 Coordinated Science Laboratory (CSL)
1308 W Main St
University of Illinois
Urbana, IL, 61801
United States

ABOUT ME

I am currently a post-doc researcher at the University of Illinois at Urbana-Champaign. I am very fortunate to collaborate with top researchers of the field at UIUC. I am interested in all sorts of hands-on security research. The topics that I have been more active in are understanding cyber-crime, evaluating the trustworthiness of online systems, and enhancing client-side security against web and malware attacks.

I received my Ph.D. from Northeastern University in 2017. I am originally from Bushehr, in southwest Iran, along the shores of the Persian Gulf.


NEWS

05/29/2019 Our paper on detecting malicious transient devices got accepted at RAID'19
05/17/2019 Outguard won the best paper award at WWW'19
04/17/2019 Some of our team members attended Midwest Security Workshop (MSW'19)
02/20/2019 Our paper got accepted at WWW'19


PUBLICATIONS

    Amin Kharraz, Brandon Daley, Graham Baker, Wil Robertson, Engin Kirda, USBeSafe: An End-Point Solution to Protect Against USB-Based Attacks, The 22nd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID), Beijing, China, September 2019

    Targeted attacks via transient devices are not new. However, the introduction of BadUSB attacks has shifted the attack paradigm tremendously. Such attacks embed malicious code in device firmware and exploit the lack of access control in the USB protocol. In this paper, we propose USBESAFE as a mediator of the USB communication mechanism. By leveraging the insights from millions of USB packets, we propose techniques to generate a protection model that can identify covert USB attacks by distinguishing BadUSB devices as a set of novel observations. Our results show that USBESAFE works well in practice by achieving a true positive [TP] rate of 95.7% with 0.21% false positives [FP] with latency as low as three malicious USB packets on USB traffic. We tested USBESAFE by deploying the model at several end-points for 20 days and running multiple types of BadUSB-style attacks with different levels of sophistication. Our analysis shows that USBESAFE can detect a large number of mimicry attacks without introducing any significant changes to the standard USB protocol or the underlying systems. The performance evaluation also shows that USBESAFE is transparent to the operating system, and imposes no discernible performance overhead during the enumeration phase or USB communication compared to the unmodified Linux USB subsystem.

    Amin Kharraz, Zane Ma, Paul Murley, Charles Lever, Joshua Mason, Andrew Miller, Nikita Borisov, Manos Antonakakis, Michael Bailey, OUTGUARD: Detecting In-Browser Covert Cryptocurrency Mining in the Wild, In the Proceeding of The Web Conference (WWW), San Francisco CA, May 2019.

    In-browser cryptojacking is a form of resource abuse that leverages end-users’ machines to mine cryptocurrency without obtaining the users’ consent. In this paper, we design, implement, and evaluate Outguard, an automated cryptojacking detection system. We construct a large ground-truth dataset, extract several features using an instrumented web browser, and ultimately select seven distinctive features that are used to build an SVM classification model. Outguard achieves a 97.9% TPR and 1.1% FPR and is reasonably tolerant to adversarial evasions. We utilized Outguard in the wild by deploying it across the Alexa Top 1M websites and found 6,302 cryptojacking sites, of which 3,600 are new detections that were absent from the training data. These cryptojacking sites paint a broad picture of the cryptojacking ecosystem, with particular emphasis on the prevalence of cryptojacking websites and the shared infrastructure that provides clues to the operators behind the cryptojacking phenomenon.

    Amin Kharraz, Wil Robertson, Engin Kirda, Surveylance: Automatically Detecting Online Survey Scams, In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), San Francisco, CA, May 2018.

    Online surveys are a popular mechanism for performing market research in exchange for monetary compensation. Unfortunately, fraudulent survey websites are similarly rising in popularity among cyber-criminals as a means for executing social engineering attacks. In addition to the sizable population of users that participate in online surveys as a secondary revenue stream, unsuspecting users who search the web for free content or access codes to commercial software can also be exposed to survey scams. This occurs through redirection to websites that ask the user to complete a survey in order to receive the promised content or a reward. In this paper, we present SURVEYLANCE, the first system that automatically identifies survey scams using machine learning techniques. Our evaluation demonstrates that SURVEYLANCE works well in practice by identifying 8,623 unique websites involved in online survey attacks. We show that SURVEYLANCE is suitable for assisting human analysts in survey scam detection at scale. Our work also provides the first systematic analysis of the survey scam ecosystem by investigating the capabilities of these services, mapping all the parties involved in the ecosystem, and quantifying the consequences to users that are exposed to these services. Our analysis reveals that a large number of survey scams are easily reachable through the Alexa top 30K websites, and expose users to a wide range of security issues including identity fraud, deceptive advertisements, potentially unwanted programs (PUPs), malicious extensions, and malware.

    Amin Kharraz, Wil Robertson, Engin Kirda, Protecting Against Ransomware: A New Line of Research or Restating Classic Ideas?, IEEE Security and Privacy Magazine, 2018

    Amin Kharraz, Engin Kirda, Redemption: Real-time Protection Against Ransomware at End-Hosts, The 20th International Symposium on Research on Attacks, Intrusions and Defenses (RAID 2017). Atlanta, Georgia, September 2017.

    Ransomware is a form of extortion-based attack that locks the victim's digital resources and requests money to release them. The recent resurgence of high-profile ransomware attacks, particularly in critical sectors such as the health care industry, has highlighted the pressing need for effective defenses. While users are always advised to have a reliable backup strategy, the growing number of paying victims in recent years suggests that an endpoint defense that is able to stop and recover from ransomware's destructive behavior is needed. In this paper, we introduce Redemption, a novel defense that makes the operating system more resilient to ransomware attacks. Our approach requires minimal modification of the operating system to maintain a transparent buffer for all storage I/O. At the same time, our system monitors the I/O request patterns of applications on a per-process basis for signs of ransomware-like behavior. If I/O request patterns are observed that indicate possible ransomware activity, the offending processes can be terminated and the data restored. Our evaluation demonstrates that Redemption can ensure zero data loss against current ransomware families without detracting from the user experience or inducing alarm fatigue. In addition, we show that Redemption incurs modest overhead, averaging 2.6% for realistic workloads.

    If you need a ransomware dataset for your research, please send me an email at mkharraz[at]ccs[dot]neu[dot]edu using your organization's email address.

    Amin Kharraz, Engin Kirda, Book Chapter: Root Cause Analysis for Cybersecurity, To appear in Big Data Analytics in Cybersecurity and IT Management, New York, NY: CRC Press, Taylor & Francis 2016.

    Recent years have seen the rise of many classes of cyber attacks ranging from ransomware to Advanced Persistent Threats (APTs) which pose severe risks to companies and enterprises. While static detection and signature-based tools are still useful in detecting already observed threats, they lag behind in detecting such sophisticated attacks where adversaries are adaptable and can evade defenses. This book chapter intends to explain how to analyze the nature of current multi-dimensional attacks, and how to identify the root causes of such security incidents. The chapter also elaborates on how to incorporate the acquired intelligence to minimize the impact of complex threats, and perform rapid incident response.

    Although the concept of ransomware is not new (i.e., such attacks date back at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity. In fact, in 2014 and 2015, a number of high-profile ransomware attacks were reported, such as the large-scale attack against Sony that prompted the company to delay the release of the film "The Interview". Ransomware typically operates by locking the desktop of the victim to render the system inaccessible to the user, or by encrypting, overwriting, or deleting the user's files. However, while many generic malware detection systems have been proposed, none of these systems have attempted to specifically address the ransomware detection problem. In this paper, we present a novel dynamic analysis system called UNVEIL that is specifically designed to detect ransomware. The key insight of the analysis is that in order to mount a successful attack, ransomware must tamper with a user's files or desktop. UNVEIL automatically generates an artificial user environment, and detects when ransomware interacts with user data. In parallel, the approach tracks changes to the system's desktop that indicate ransomware-like behavior. Our evaluation shows that UNVEIL significantly improves the state of the art, and is able to identify previously unknown evasive ransomware that was not detected by the anti-malware industry.

    If you need a ransomware dataset for your research, please send me an email at mkharraz[at]ccs[dot]neu[dot]edu using your organization's email address.

    Sajjad Arshad, Amin Kharraz, William Robertson, Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance, The 19th International Symposium on Research on Attacks, Intrusions and Defenses (RAID 2016). Paris, France, September 2016.

    Extensions provide useful additional functionality for web browsers, but are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware. Users are often unaware of such practices, believing the modifications to the page originate from publishers. Additionally, automated identification of unwanted third-party modifications is fundamentally difficult, as users are the ultimate arbiters of whether content is undesired in the absence of outright malice. To resolve this dilemma, we present a fine-grained approach to tracking the provenance of web content at the level of individual DOM elements. In conjunction with visual indicators, provenance information can be used to reliably determine the source of content modifications, distinguishing publisher content from content that originates from third parties such as extensions. We describe a prototype implementation of the approach called OriginTracer for Chromium, and evaluate its effectiveness, usability, and performance overhead through a user study and automated experiments. The results demonstrate a statistically significant improvement in the ability of users to identify unwanted third-party content such as injected ads with modest performance overhead.

    Sajjad Arshad, Amin Kharraz, William Robertson, Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions, The 20th International Conference on Financial Cryptography and Data Security (FC). Barbados, February 2016.

    Modern websites include various types of third-party content such as JavaScript, images, stylesheets, and Flash objects in order to create interactive user interfaces. In addition to explicit inclusion of third-party content by website publishers, ISPs and browser extensions are hijacking web browsing sessions with increasing frequency to inject third-party content (e.g., ads). However, third-party content can also introduce security risks to users of these websites, unbeknownst to both website operators and users. Because of the often highly dynamic nature of these inclusions as well as the use of advanced cloaking techniques in contemporary malware, it is exceedingly difficult to preemptively recognize and block inclusions of malicious third-party content before it has the chance to attack the user’s system. In this paper, we propose a novel approach to achieving the goal of preemptive blocking of malicious third-party content inclusion through an analysis of inclusion sequences on the Web. We implemented our approach, called Excision, as a set of modifications to the Chromium browser that protects users from malicious inclusions while web pages load. Our analysis suggests that by adopting our in-browser approach, users can avoid a significant portion of malicious third-party content on the Web. Our evaluation shows that Excision effectively identifies malicious content while introducing a low false positive rate. Our experiments also demonstrate that our approach does not negatively impact a user’s browsing experience when browsing popular websites drawn from the Alexa Top 500.

    In this paper, we present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014. We also provide a holistic view on how ransomware attacks have evolved during this period by analyzing 1,359 samples that belong to 15 different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim's computer desktop or attempts to encrypt or delete the victim's files using only superficial techniques. Our analysis also suggests that defending against ransomware attacks is not as complex as it has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination on the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.
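The two ransomware abstracts above (Redemption, and the long-term study) both rest on the same observation: a process that encrypts a user's files produces a recognizable per-process I/O pattern, namely many distinct files rewritten with high-entropy content and renamed to a new extension. The following is an added, simplified illustration of that idea; it is not code from either paper and makes no claim about how Redemption or UNVEIL are implemented. The event format, thresholds, process names and file payloads are all constructed for the example.

```python
"""Toy per-process file I/O monitor that scores ransomware-like write patterns.

Added illustration only; the event stream, thresholds and the heuristic itself
are assumptions for this example, not the Redemption or UNVEIL design.
"""
import hashlib
import math
import os
from collections import defaultdict
from dataclasses import dataclass, field


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~7.8+ for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class ProcStats:
    files_written: set = field(default_factory=set)
    writes: int = 0
    high_entropy_writes: int = 0
    extension_changes: int = 0


class RansomwareHeuristic:
    """Consumes (pid, op, path, arg) events.

    op is "write" (arg = payload bytes) or "rename" (arg = new path).
    A process is flagged once it has rewritten at least `min_files` distinct
    files, most of its writes look encrypted, and it has changed several
    file extensions. Thresholds are illustrative, not tuned values.
    """

    def __init__(self, min_files=5, entropy_threshold=6.5,
                 high_entropy_ratio=0.8, min_ext_changes=3):
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self.high_entropy_ratio = high_entropy_ratio
        self.min_ext_changes = min_ext_changes
        self.stats = defaultdict(ProcStats)
        self.flagged = {}

    def observe(self, pid, op, path, arg=None):
        """Record one event; return a reason string if pid is (now) flagged."""
        s = self.stats[pid]
        if op == "write":
            s.writes += 1
            s.files_written.add(path)
            if shannon_entropy(arg) >= self.entropy_threshold:
                s.high_entropy_writes += 1
        elif op == "rename":
            if os.path.splitext(path)[1] != os.path.splitext(arg)[1]:
                s.extension_changes += 1
        return self._evaluate(pid)

    def _evaluate(self, pid):
        if pid in self.flagged:
            return self.flagged[pid]
        s = self.stats[pid]
        ratio = s.high_entropy_writes / s.writes if s.writes else 0.0
        if (len(s.files_written) >= self.min_files
                and ratio >= self.high_entropy_ratio
                and s.extension_changes >= self.min_ext_changes):
            self.flagged[pid] = (f"{len(s.files_written)} files rewritten, "
                                 f"{ratio:.0%} high-entropy writes, "
                                 f"{s.extension_changes} extension changes")
            return self.flagged[pid]
        return None


def fake_ciphertext(i: int, size: int = 1024) -> bytes:
    """Constructed stand-in for encrypted file content (hash chain, not real crypto)."""
    out = b""
    k = 0
    while len(out) < size:
        out += hashlib.sha256(f"{i}:{k}".encode()).digest()
        k += 1
    return out[:size]


def sample_events():
    """Constructed event stream: a benign editor and a file-encrypting process."""
    events = []
    for i in range(6):
        events.append(("editor", "write", f"/home/u/notes{i}.txt",
                       b"Meeting notes: discuss budget and timeline. " * 20))
    for i in range(6):
        path = f"/home/u/docs/report{i}.docx"
        events.append(("cryptor", "write", path, fake_ciphertext(i)))
        events.append(("cryptor", "rename", path, path + ".locked"))
    return events


def run_monitor(events):
    """Feed events through the heuristic; return {pid: reason} for flagged pids."""
    mon = RansomwareHeuristic()
    alerts = {}
    for pid, op, path, arg in events:
        verdict = mon.observe(pid, op, path, arg)
        if verdict and pid not in alerts:
            alerts[pid] = verdict
    return alerts


if __name__ == "__main__":
    for pid, reason in run_monitor(sample_events()).items():
        print(f"ALERT {pid}: {reason}")
```

The combination of conditions matters: an archiver or a legitimate encryption tool also writes high-entropy data, and a bulk renamer also changes extensions, so requiring both across many distinct files is what keeps the false-positive rate down in this toy version. A real endpoint defense would additionally buffer the writes so the data can be restored when a process is flagged, which is the point of Redemption's transparent I/O buffer.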

    QR codes, a form of 2D barcode, allow easy interaction between mobile devices and websites or printed material by removing the burden of manually typing a URL or contact information. QR codes are increasingly popular and are likely to be adopted by malware authors and cyber-criminals as well. In fact, while a link can look suspicious, malicious and benign QR codes cannot be distinguished by simply looking at them. However, despite public discussions about increasing use of QR codes for malicious purposes, the prevalence of malicious QR codes and the kinds of threats they pose are still unclear.

    In this paper, we examine attacks on the Internet that rely on QR codes. Using a crawler, we performed a large-scale experiment by analyzing QR codes across 14 million unique web pages over a nine-month period. Our results show that QR code technology is already used by attackers, for example to distribute malware or to lead users to phishing sites. However, the relatively few malicious QR codes we found in our experiments suggest that, on a global scale, the frequency of these attacks is not alarmingly high and users are rarely exposed to the threats distributed via QR codes while surfing the web.


    Amin Kharraz, Hamid Sarbazi-Azad, Albert Y. Zomaya, On-demand Multicast Routing Protocol with Efficient Route Discovery, Elsevier Journal of Network and Computer Applications 35(3): 942-950 (2012)

    In this paper, we introduce an efficient route discovery mechanism to enhance the performance and multicast efficiency of the On-Demand Multicast Routing Protocol (ODMRP). Our framework, called limited flooding ODMRP, improves the multicasting mechanism by efficiently managing flooding based on the delay characteristics of the contributing nodes. In our model, only the nodes that satisfy the delay requirements can flood the Join-Query messages. We model the contributing nodes as M/M/1 queuing systems. Our framework considers the significant parameters in delay analysis, including random packet arrival, the service process, and random channel access in the relaying nodes, and exhibits its best performance results under high traffic load. Simulation results reveal that limited flooding ODMRP drastically reduces the packet overhead under various simulation scenarios as compared to the original ODMRP.

Research

My current research interests are mainly in application and system security with special focus on malware analysis, file systems and operating system security.


Blog

There are always exciting things to discuss in our field of research. My goal is to post interesting things in systems security on a regular basis.
