Publications

In this UX research we identify the key cybersecurity challenges faced by political campaigns as they face increasing threats from well-funded, sophisticated attackers, especially nation-states.

This large-scale study demonstrates, by surveying 17280 participants, that existing toxicity classifiers fail to generalize to the diverse concerns of Internet users.

We propose a comprehensive online hate and harassment taxonomy derived from analyzing over 150 interdisciplinary research papers that cover disparate threats ranging from intimate partner violence to coordinated mobs.

We present Spotlight, a large-scale malware lead-generation framework that uses deep-learning to clusters malware famillies to isolate potentially-undiscovered ones and prioritizes them for further investigation

We analyze over 1.2 billion email-based phishing and malware attacks against Gmail users to understand which factors place a person at heightened risk of being targeted.

We conducted a retrospective measurement study of 3.2 million URLs that were requested for delisting from Google Search over five years.

In this paper, we propose a privacy-preserving protocol whereby a client can query a centralized breach repository to determine whether a specific username and password combination is publicly exposed, but without revealing the information queried.

In order to scale CSAI protections moving forward, we discuss techniques for automating detection and response by using recent advancements in machine learning.

To better understand the gendered risks and coping practices online in South Asia, we present a qualitative study of the online abuse experiences and coping practices of 199 people who identified as women and 6 NGO staff from India, Pakistan, and Bangladesh, using a feminist analysis.

This paper investigates users sentiment on how companies should respond to data breaches and what are the acceptable usage of leaked data.

In this paper, we present a measurement framework that we used to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators.

We present the 1st longitudinal study of the underground ecosystem fueling credential theft based on the 788,000 potential victims of keyloggers; the 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches that we identified in 2017

In this paper, we demonstrate that SHA-1 collision attacks have finally become practical by providing the first known instance of a collision.

In this paper, we provide a seven-month retrospective analysis of Mirai’s growth to a peak of 600k infections and a history of its DDoS victims.

In this paper, we investigate a new form of blackhat search engine optimization that targets local listing services like Google Maps.

In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception.

In this work we present Picasso: a lightweight device class fingerprinting protocol that allows a server to verify the software and hardware stack of a mobile or desktop client.

This paper demonstrates how to apply machine learning to Hearthstone to predict opponent future plays and game outcome.

In this work, we investigate the potential benefit of global reputation tracking and the pitfalls therein. We develop our findings from a snapshot of 45 million IP addresses abusing six Google services including Gmail, YouTube, and ReCaptcha between April 7–April 21, 2015.

Research on how the  the ecosystem of commercial pay-per-install (PPI) is structured and the role it plays in the proliferation of unwanted software

This paper study the blackhat cloaking techniques used by deceptive websites to hide bad content from search engine crawler and security scanners.

This paper study how effective the Google's notifications sent to webmasters of hacked web sites are based of over 760000 hacking incidents from July 2014 and June 2015.

In this research paper we investigate if people do plug random USB drives and found out that 45-98% do. We analyze the factors that affect opening rate and people motivation for plug-in in their computers those insecure drives.

Multi-year study that measure how email security has evolved from 2013 to 2015. Highlight progress made on deployment of email security technologies and uncover attacks against SMTP happening in the wild.

In this paper we summarize how the Internet blackmarket is structured and what anti-abuse strategies has been found effective against it.

Research about the security and memorability of secret questions based of their deployment at Google. Best student paper award at WWW'15.

Research study on how malicious and unwanted actors tamper directly with browser sessions for their own profit. Based of measurement done at Google this study also illuminate the scope and negative impact of ads injection.

Study of how manual account hijacking is performed based of Google data. Research include an analysis of the hijacking workflow and the best defense strategies to defend against such adversaries.

Longitudinal study of the underlying technical and financial capabilities of criminals who register phone verified accounts (PVA) and how to curb this type of abuse based on our experience at Google.

Paper about a novel generic approach to solving captchas using a single step that uses machine learning to attack the segmentation and the recognition problems simultaneously. Our tests show that this approac is able solve all the real world captcha schemes evaluated including Yahoo (5.33%) and ReCaptcha (33.34%), without any adjustments to the algorithm or its...

First  paper on how to use behavioral data to determine content sensitivity, via the clues that users give as to what information they consider private or sensitive through their use of Quora privacy enhancing product features. We show that data sensitivity is a nuanced measure that should be viewed on a continuum rather than as a binary concept, and advance the...

Case study about how to use microsurveys to conduct user experience research with a focus Google Consumer Surveys (GCS).

This paper we describe how we designed a new CAPTCHA schemes for Google that focus on maximizing usability. Our new scheme which is now an integral part of Google sign-up and is served to millions of users, achieved a 95.3% human accuracy, a 6.7% improvement compared to the old one.

Session Juggler allows to log into any websites on an untrusted terminal on any modern browser by using a simple bookmarklet and a smartphone. The site credentials are never transmited to the untrusted. With Session Juggler users never enter their long term credential on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then...

Research showing how to attack text-based captchas and provide guidelines on how to design secure ones. These insights are based on sucessfull attacks againt 13 of the most popular captchas schemes we show how to

TalkBack is a new blog Linkback protocol that use a lightweight PKI and a rate limiting system to fight blog SPAM

WebDroid the first framework specifically dedicated to build secure embedded WebApp. This framework is build on the insights we gleaned from the security analysis of 30 embedded devices web interfaces for which we found over than 50 vulnerabilities.

We show how using a generic approach, based on advanced audio processing and machine learning algorithm, our captcha breaker Decaptcha is able to break all the popular audio CAPTCHA schemes, including Microsoft and Yahoo.

We show how to perform memory based attack against real-strategy games using our tool Kartograph to create map-hack. To defend against theses attacks we develop secure protocols for distributing game state among players so that each client only has the data he is allowed to see.

Kamouflage is a new kind of password manager that use plausible decoys to prevent offline attacks when the master password is weak.

Webseclab is a teaching framework designed to teach students web security through various exercises, project and quizzes. Webseclab combines a cloud-base service to aggregate class results and a student lab in form of a virtual machine that contains more than 80 exercises.

We show that phone features makes Tap-jacking easier. We explain how to exploit router web interface to steal WiFi network WPA key and location. Finally we demonstrate how to exploit the frame scrolling attack to attack Facebook frame busting defense and leak private information from Yahoo mobile webmail.

Based on our reverse-engineering we show how DPAPI, the Windows API for safe data storage on disk work. Our analysis reveals that it is possible to recover all previous passwords used by any user on a system. We have implemented DPAPI data decryption and previous password extraction in a free and open-source tool called DPAPIck.

We analyze how each of the major browser implements the private browsing mode and show their limitations and describe attacks against them. We also measure on which kind of website people use the private browsing mode.

We reveal a series of attacks against embedded devices based on a new type of vulnerability that we call cross channel scripting (XCS). XCS is a sophisticated form of cross site scripting (XSS) in which the attack injection and execution are carried out via different protocols.

We study frame busting defense for the Alexa Top-500 sites and show that all can be broken. Some attacks are browser-specific, other exploit code mistakes. We conclude with practical recommendations how to implement a secure frame busting defense.

Black-box web application vulnerability scanners are automated tools that probe web applications for security vulnerabilities. In order to assess the current state of the art, we obtained access to eight leading tools and carried out a study of: (i) the class of vulnerabilities tested by these scanners, (ii) their effectiveness against target vulnerabilities, and...

We perform a mass-scale user study on how people react to the 21 most popular captcha schemes (13 images, 8 audios). This study reveals that even the most popular captchas scheme are often difficult for humans, with audio captchas being particularly problematic.

We introduce the notion of strategy objectives that mixes logical constraints and numerical one. Using strategy objectives allows to perform a new range of analysis, such as evaluate what is the least costly defense, that traditional attacks graphs system are unable to perform. Strategy objectives are implemented in NetQi.

We reveal a series of attacks against embedded devices based on a new type of vulnerability that we call cross channel scripting (XCS). XCS is a sophisticated form of cross site scripting (XSS) in which the attack injection and execution are carried out via different protocols.

We conducted a longitudinal study of TrackBack spam, collecting and analyzing almost 10 million samples from a massive spam campaign over a 1 period. We report our finding including where the spam campaign leads and why blog spammers are different than email spammers.

This paper shows how Decaptcha is able to break eBay captchas with 75% accuracy. We show that using a custom breaker (75%) greatly out-perform state of art speech recognition system (1%)

NetQi is a free and open-source model-checker that implements the anticipation game logic framework, a variant of timed game. NetQi was designed to analyze all kind of network evolutions. In particular it is well suited to analyze network attacks and intrusions.

We present a three-fold extension to the anticipation-game framework designed to model network cooperation, the cost of attacks based on its duration and the introduction of new vector of attacks over time.

We show that NetAnalyzer is able to detect obfuscated protocols (i.e Bit torrent) by combining a payload analysis with a classifier based on several discriminators, including packet entropy and size. We also detail how netAnalyzer deals with tunneled session and covert channel.

The anticipation-games are a logic-based framework designed to evaluate the resilience of networks against attacks. What set anticipation-games from standard attack graphs is that it allows to model the dynamic nature of the attack and to take into account how the administrator respond to attacks.

We present a new technique to count the number of host behind a NAT. This technique based on TCP timestamp option, works with Linux and OSX system which make it complementary to the previous one based on IPID that only works against Windows hosts.