V.N. Venkatakrishnan

Home

Publications

Refereed Journal Publications

  1. PeerShark: flow-clustering and conversation-generation for malicious peer-to-peer traffic identification ( with Pratik Narang, Chittaranjan Hota), EURASIP Journal on Information Security Vol 15, 2014. Link
  2. Between Worlds: Securing Mixed JavaScript/ActionScript Multi-party Web Content (with Phu H. Phung, Maliheh Monshizadeh, Meera Sridhar and Kevin Hamlen), IEEE Transactions on Dependable and Secure Computing, Accepted for publication. 2014.
  3. Automatic Detection of Parameter Tampering Opportunities and Vulnerabilities in Web Applications (with Prithvi Bisht, Timothy Hinrichs and Nazari Skrupsky), Journal of Computer Security . Volume 22. pp415-465. 2014.
  4. WAVES: Automatic Synthesis of Client-side Validation Code for Web Applications. (with Nazari Skrupsky, Maliheh Monshizadeh, Prithvi Bisht, Timothy Hinrichs and Lenore Zuck.) ASE Science Journal . Vol. 1, Issue 3, pp. 121-136, December 2012.
  5. CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations (with Prithvi Bisht and P. Madhusudan). ACM Transactions on Information and Systems Security (TISSEC) . Volume 13, Issue 2, February 2010.
  6. Alcatraz: An Isolation Environment for Experimenting with Untrusted Software (with Zhenkai Liang, Weiqin Sun and R. Sekar). ACM Transactions on Information and Systems Security (TISSEC) . Volume 12, Issue 3, January 2009. ISSN: 1094-9224. Link.
  7. Enhancing web browser security against malware extensions (with Mike Ter Louw and Jin Soon Lim ). Journal in Computer Virology Volume 4, Number 3, August 2008. ISSN: 1772-9890. Springer Paris. Link.

Refereed Conference and Workshop Publications

  1. Scaling JavaScript Abstract Interpretation to Detect and Exploit Node.js Taint-style Vulnerability (with Mingqing Kang, Yichao Xu, Song Li, Rigel Gjomemo, Jianwei Hou and Yinzhi Cao ), in IEEE Symposium on Security and Privacy (Oakland'23) , San Francisco, May 2023.
  2. Ostinato: Cross-host Attack Correlation Through Attack Activity Similarity Detection (with Sutanu Kumar Ghosh, Kiavash Satvat and Rigel Gjomemo ), 18th International Conference on Information Systems Security , Tripati, India, Dec 2022. Best Paper Award!!
  3. Extractor: Extracting Attack Behavior from Threat Reports (with Kiavash Satvat and Rigel Gjomemo , 6th IEEE European Symposium on Security and Privacy (Euro S&P'21), Nov 2021.
  4. Poirot: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting (with Sadegh M. Milajerdi, Birhanu Eshete and Rigel Gjomemo ), 26th ACM Symposium on Computer and Communications Security (CCS'19), London, UK, Nov 2019.
  5. HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows (with Sadegh M. Milajerdi, Rigel Gjomemo, Birhanu Eshete, R. Sekar ), 40th IEEE Symposium on Security and Privacy (Oakland'19), San Francisco, CA, May 2019.
  6. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications (with Abeer Alhuzali, Rigel Gjomemo, Birhanu Eshete), 27th USENIX Security Symposium (SEC'18), Baltimore, MD. Distinguished Paper Award!!
  7. SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data (with Md Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R. Sekar and Scott Stoller ) 26th USENIX Security Symposium (SEC'17), Vancouver, BC, Canada. (85 out of 522 submissions, 17%).
  8. DynaMiner: Leveraging Offline Infection Analytics for On-the-Wire Malware Detection (with Birhanu Eshete) 47th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'17), Denver, Colorado, July 2016. (49 out of 220 submissions, 22%).
  9. Chainsaw: Chained Automated Workflow-based Exploit Generation (with Abeer Alhuzhali, Birhanu Eshete and Rigel Gjomemo ) ACM Conference on Computer and Communications Security (CCS), Vienna, Austria 2016. (Acceptance Rate: 16%).
  10. Leveraging Static Analysis Tools for Improving Usability of Memory Error Sanitization Compilers, (with Rigel Gjomemo, Phu H. Phung, Ted Ballou, Kedar Namjoshi, V.N. Venkatakrishnan and Lenore Zuck), IEEE Conference on Quality, Reliability and Security (QRS), Vienna, Austria August 2016. (Acceptance Rate 29%) Best Paper Award!!
  11. Patching Logic Vulnerabilities for Web Applications using LogicPatcher (with M. Monshizadeh and P. Naldurg), 6th ACM Conference on Data and Applications Security (CODASPY'16).
  12. Vetting SSL Usage in Applications with SSLINT (with R. He, V. Rastogi, Y. Cao, Y. Chen, R. Yang and Z. Zhang ) 36th IEEE Symposium on Security and Privacy (Oakland'15) , San Jose, CA, May 2015. (55 papers accepted out of 407, 13.5%)
  13. Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications (with D. Gallingani, R. Gjomemo and S. Zanero), Mobile Security Technologies (MoST'15), May 2015.
  14. EkHunter: A Counter-Offensive Toolkit for Exploit Kit Infiltration (with Birhanu Eshete, Abeer Alhuzhali, Maliheh Monshizadeh, Philip Porras and Vinod Yegneswaran) Network and Distributed Systems Security (NDSS'15) , San Diegeo, CA, February 2015. (50 publications accepted out of 313, 15.9%)
  15. From Verifications to Optimizations (with Rigel Gjomemo, Kedar Namjoshi, Phu H. Phung and Lenore Zuck) Verification, Model Checking and and Abstract Interpretation (VMCAI) Mumbai, India, January 2015.
  16. MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications (with Maliheh Monshizadeh and Prasad Naldurg). 21st ACM Conference on Computer and Communications Security (CCS), Scottsdale, Arizona, November 2014. (115 papers accepted out of 585, 19.6%)
  17. DEICS: Data Erasure in Concurrent Software. (with Kalpana Gondi, and A. Prasad Sistla ). 19th Nordic Conference on Secure IT Systems (NordSec) , Tromso, Norway. October 2014. PDF
  18. PeerShark: Detecting Peer-to-Peer Botnets. (with Pratik Narang, Subhajit Ray and Chittaranjan Hota) International Workshop on Cyber Crime (IWCC) . San Jose. May 2014. PDF
  19. Digital Check Forgery Attacks on Client Check Truncation Systems. (with Rigel Gjomemo, Hafiz Malik, Nilesh Sumb, and Rashid Ansari ). Financial Cryptography and Data Security (FC'14) Barbados. March 2014. (31 papers accepted out of 165 submissions, 18.8%).
  20. WebWinnow: Leveraging Exploit Kit Workflows to Detect Malicious URLs. (with Birhanu Eshete) 4th ACM Conference on Data and Application Security and Privacy (CODASPY'14) San Antonio, TX, March 2014. (Acceptance rate: 19/119, 15.9%). PDF
  21. Sensitive Information Disclosure in Amazon Reviews. (with Federica Fornaciari and C. Ranganathan ) Eighth International Conference on Digital Society (ICDS'14) , Barcelona, Spain, March 2014. (Acceptance Rate: 28%.)
  22. A Threat Table based Approach to Telemedicine Secuirity. (with John C. Pendergrass, Karen Heart and C. Ranganathan ) International Conference on Health Information Technology Advancement. (HIM'13). Kalamazoo, Michigan, October 2013.
  23. SafeScript: JavaScript transformation for policy enforcement. (with Mike Ter Louw, Phu H. Phung, and Rohini Krishnamurti). 18th Nordic Conference on Secure IT Systems (NordSec) , Illulisat, Greenland. October 2013.
  24. CAVEAT: Facilitating Interactive and Secure Client-Side Validators for Ruby on Rails applications (with Timothy Hinrichs, Michael Cueno, Daniel Ruiz, and Lenore Zuck). Seventh International Conference on Emerging Security Information, Systems and Technologies (SECUREWARE) , Barcelona, Spain, August 2013.
  25. Weblog: A Declarative Language for Secure Web Development. (with Timothy Hinrichs, Daniele Rosetti, Gabriel Petronella, A. Prasad Sistla and Lenore Zuck). . Eighth ACM SIGPLAN Workshop on Programming Languages and Security (PLAS) , Seattle, WA. June 2013.
  26. TamperProof: A Server-Agnostic Defense for Parameter Tampering Attacks on Web Applications. (with Nazari Skrupsky, Prithvi Bisht, Timothy Hinrichs and Lenore Zuck ) 3rd ACM Conference on Data and Application Security and Privacy (CODASPY'13) San Antonio, TX, February 2013.
  27. WAVES: Automatic Synthesis of Client-side Validation Code for Web Applications. (with Nazari Skrupsky, Maliheh Monshizadeh, Prithvi Bisht, Timothy Hinrichs and Lenore Zuck.) ASE International Conference on CyberSecurity (ASE'12) . Washington D.C., December 2012.
  28. Don't Repeat Yourself: Automatically Synthesizing Client-side Validation (with Nazari Skrupsky, Maliheh Monshizadeh, Prithvi Bisht, Timothy Hinrichs, and Lenore Zuck.) The Third USENIX Conference on Web Application Development (WebApps'12), Boston, MA. June, 2012.
  29. SWIPE: Eager Erasure of Sensitive Data in Large Scale Systems Software (with Kalpana Gondi, Prithvi Bisht, Praveen Venkatachari and A. Prasad Sistla). 2nd ACM Conference on Data and Application Security and Privacy (CODASPY'12) San Antonio, TX. (21 out of 113 papers, 18.5%). PDF
  30. WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction (with Prithvi Bisht, Tim Hinrichs and Nazari Skrupsky). 18th ACM Conference on Computer and Communications Security (CCS'11) Chicago, IL, 2011. (60 papers accepted out of 429 submissions, 14%). PDF
  31. Strengthening XSRF Defenses for Legacy Web Applications Using White-box Analysis and Transformation (with Michelle Zhou and Prithvi Bisht). 6th International Conference on Information Systems Security (ICISS'10) Gandhinagar, India. December 2010. (14 papers accepted out of 51 submissions, 27%).
  32. WebAppArmor: A Framework for Robust Prevention of Attacks on Web Applications. (with V.N. Venkatakrishnan, Prithvi Bisht, Mike Ter Louw, Michelle Zhou,Kalpana Gondi and Karthik Thotta Ganesh). 6th International Conference on Information Systems Security (ICISS'10) Gandhinagar, India. December 2010. (Invited Paper and Keynote Presentation).
  33. NoTamper: Automatically Detecting Parameter Tampering Vulnerabilities in Web Applications (with Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, and Radoslaw Bobrowicz), ACM Conference on Computer and Communications Security (CCS'10), Chicago, IL, Oct 2010. PDF. (55 papers accepted out of 320, 17.6%). Among the 10 nationwide finalists for the 2010 ATT Award for Best Applied Security Research paper.
  34. AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements (with Mike Ter Louw and Karthik Thotta Ganesh). USENIX Security Symposium (SECURITY'10) , Washington D.C. Aug 2010. PDF. (30 papers accepted out of 202, 14.8%).
  35. Automatically Preparing Safe SQL Queries (with Prithvi Bisht and A. Prasad Sistla). Financial Cryptography and Data Security (FC'10), Tenerife, Spain. Jan 2010. PDF. (19 papers accepted out of 130, 14.6%).
  36. BluePrint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers (with Mike Ter Louw). IEEE Symposium on Security and Privacy (Oakland'09), Oakland, CA, May 2009.PDF. (26 out of 254 papers, 10.2%). Award for the 2009 ATT Award for Best Applied Security Research paper.
  37. Preventing Information Leaks Through Shadow Executions (with Roberto Capizzi, Antonio Longo and A. Prasad Sistla). Accepted for 24th ACSA Computer Applications Security Conference (ACSAC'08) , Anaheim, CA, December 2008. PDF (42 out of 185 submissions accepted, 22.7%).
  38. XSS-Guard: Precise Dynamic Prevention of Cross-Site Scripting Attacks (with Prithvi Bisht ). Fifth GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA'08), Paris, France, July 2008. PDF. (Acceptance 13 out of 42 papers, 31%).
  39. Expanding Malware Defense by Securing Software Installations (with Weiqing Sun, R. Sekar and Zhenkai Liang ). Fifth GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA'08), Paris, France, July 2008. (Acceptance 13 out of 42 papers, 31%).
  40. Analysis of Hypertext Isolation Techniques for XSS Prevention (with Mike Ter Louw and Prithvi Bisht). Workshop on Web 2.0 Security and Privacy (W2SP), Oakland, California, May 2008. PDF. (Acceptance rate: 14 out of 45 submissions, 31%).
  41. CMV: Automatic Verification of Complete Mediation for Java Virtual Machines (with A. Prasad Sistla, Michelle Zhou and Hilary Branske). 3rd ACM Symposium on Information, Computer and Communications Security (ASIACCS'08). Tokyo, Japan. March 2008. PDF(Acceptance rate: 32 out of 181 regular submissions, 18%).
  42. CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations (with Sruthi Bandhakavi, Prithvi Bisht and P. Madhusudan). 14th ACM Conference on Computer and Communications Security (CCS) Alexandria, Virginia, November 2007. PDF (Acceptance rate: 55 out of 303 Submissions, 18%).
  43. Extensible Web Browser Security (with Mike Ter Louw and Jin Soon Lim). Fourth GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA'07), Luzerne, Switzerland, July 2007. PDF (Acceptance rate: 14 out of 57 submissions, 24.5%).
  44. A Comparative Study of Three Random Password Generators (with Michael Leonhard ). IEEE Conference on Information Technology (EIT'07), Chicago, IL, May 2007.
  45. Data Sandboxing: A Technique for Enforcing Confidentiality Policies (with T. Khatiwala and R. Swaminathan). (22nd Annual ACSA Computer Applications Security Conference (ACSAC)) , Miami, FL, December 2006. PDF. (Acceptance rate: 32 out of 135 submissions, 26.5%).
  46. Provably Correct Runtime Enforcement of Non-interference Policies (with W. Xu, D.C. DuVarney and R. Sekar). (8th International Conference on Information and Communications Security (ICICS)) , Raleigh, NC, Decemeber 2006.PDF. (Acceptance rate: 40 out of 122 submissions, 32%).
  47. SUEZ: A Distributed Safe Execution Environment for System Administration Trials (with D. Sim). (20th USENIX System Administration Conference (LISA '06)), Washington D.C., December 2006. PDF.
  48. On Supporting Active User Feedback in P3P (with W. Xu and R. Sharda). 2nd Workshop on Secure Knowledge Management (SKM '06) , New York, September 2006. PDF.
  49. A framework for Privacy-concious Composite Web-based Services (with W. Xu, R. Sekar and I.V. Ramakrishnan). International Conference on Web Services (ICWS '06) (Application Services track), Chicago, IL, September 2006. PDF. (Acceptance rate: 17%).
  50. Programming language based analysis for lifting to an operating system's access control model (with Jon. Solworth). 2nd ECOOP Workshop on Programming Languages and Operating Systems (PLOS '05), Glasgow, UK, July 2005. PDF.
  51. An approach for realizing privacy preserving web-based services (with Wei Xu and R. Sekar and I.V. Ramakrishnan ). 14th international conference on World Wide Web, (WWW '05), (Special interest tracks and posters) Chiba, Japan, May 2005. PDF.
  52. A Secure Composition Framework for Trustworthy Personal Information Assistants (with Wei Xu and I.V. Ramakrishnan and R. Sekar ). IEEE conference on Integration of Knowledge Intensive Multi-Agent Systems (KIMAS '05) Waltham, April 2005 . PDF.
  53. One-way Isolation: An efficient approach for realizing safe execution environments (with Weiqin Sun and Zhenkai Liang and R. Sekar). 12th Network and Distributed Systems Security (NDSS '05) , San Diego, February 2005. PDF. (Acceptance rate: 13%).
  54. Enforcement techniques for expressive security policies. Ph.D Thesis. Department of Computer Science, Stony Brook University. December 2004.
  55. Isolated Program Execution: An application transparent approach for executing untrusted programs (with Zhenkai Liang and R. Sekar). 19th Annual Computer Application Security Conference (ACSAC 03), Las Vegas, December 2003. PDF Best Paper Award!!
  56. Model Carrying Code: A practical approach for safe execution of untrusted applications (with R. Sekar, Samik Basu, Sandeep Bhatkar and Daniel C. DuVarney). 19th ACM Symposium on Operating System Principles (SOSP 03), Bolton Landing, New York, October 2003. PDF. (Acceptance rate: 17%).
  57. SELF: A transparent security extension for ELF binaries (with Sandeep Bhatkar, Daniel C. DuVarney). 12th New Security Paradigms Workshop (NSPW 03), Ascona, Switzerland, August 2003. PDF. (Acceptance rate: 13 out of 43 submissions: 30%).
  58. An approach for secure software installation (with R.Sekar, Tapan Kamat, Sophia Tsipa and Zhenkai Liang). 16th USENIX System Administration Conference (LISA 02), Philadelphia, November 2002. PDF.
  59. Empowering mobile code using expressive security policies (with Ram Peri and R. Sekar). 11th ACM New Security Paradigms Workshop (NSPW 02), Virginia beach, 2002. PDF.
  60. XMC: A logic programming-based verification toolset (with C.R. Ramakrishnan, I.V. Ramakrishnan, Scott A. Smolka, Yifei Dong, Xiaoqun Du and Abhik Roychoudhury). 12th International conference on Computer Aided Verification (CAV 00), Chicago, Illinois, June 2000. PDF.
  61. QoS tradeoffs using partially reliable application-oriented transport protocol for multimedia applications over IP (with Songbin Wei and Vassillis Tsaoussidis). 3rd IEEE Conference in Computational Intelligence and Multimedia Applications (ICCIMA 99), New Delhi, India, September 1999. PDF.

Other publications

  1. A program analysis/transformation approach for enforcing information flow properties. Technical report. Department of Computer Science, SUNY at Stony Brook, May 2004.
  2. Recent approaches to ensure safe execution of untrusted code. Technical report. Department of Computer Science, SUNY at Stony Brook, August 2001.
  3. Java Stack Inspection: Eager evaluation revisited (with D. Dhurjati , R. Peri and G. Srikumar . . Technical Report. Department of Computer Scince, SUNY at Stony Brook, December 2001. Available on request.

News

Chicago has a lot of nice restaurants. See where I have eaten lately!

Resources for biking in Chicago.

Content
©Copyright
V.N. Venkatakrishnan