132 Nightingale Hall (NI)
105-107 Forsyth St
College of Information and Computer Science
Northeastern University
Boston, MA, 02115
United States


I am a PhD student at Boston SecLab, College of Computer & Information Science, under the supervision of Engin Kirda and William Robertson. I am very fortunate to collaborate with the top researchers of the field in our group. My current research interests span a wide range of topics in systems security, with a special focus on operating systems, binary analysis, and malware and botnet detection.

Before joining SecLab, I was a research assistant at HPCAN lab, Sharif University of Technology, Tehran, Iran. I was mainly working on Network Optimization and Protocol Development.

I am originally from Bushehr, in southwest Iran, along the shores of the Persian Gulf.


Attack Detection
    Redemption: A Real-Time Protection Tool Against Ransomware Attacks
    An Anomaly-Based Approach to Detecting USB Attacks
    An Automated Approach to Identify Web-based Social Engineering Attacks

Malware Research
    UNVEIL: A Dynamic Analysis System for Detecting Ransomware
    Malicious QR Codes in the Wild

Browser Security
    Protecting End-Users from Ad-Injection Extensions
    In-Browser Detection of Malicious Third-Party Content Inclusions

Routing Protocols
    Multicast Routing in Wireless Networks
    Video Streaming over Ad-Hoc Networks


    QoS Multicast Routing in Wireless Mesh Networks, Jan 2010.
    Supervisor: Prof. Hamid Sarbazi-Azad



    Amin Kharraz, Engin Kirda, Redemption: Real-time Protection Against Ransomware at End-Hosts, The 20th International Symposium on Research on Attacks, Intrusions and Defenses (RAID 2017). Atlanta, Georgia, September 2017.

    Ransomware is a form of extortion-based attack that locks the victim's digital resources and requests money to release them. The recent resurgence of high-profile ransomware attacks, particularly in critical sectors such as the health care industry, has highlighted the pressing need for effective defenses. While users are always advised to have a reliable backup strategy, the growing number of paying victims in recent years suggests that an endpoint defense that is able to stop and recover from ransomware's destructive behavior is needed. In this paper, we introduce Redemption, a novel defense that makes the operating system more resilient to ransomware attacks. Our approach requires minimal modification of the operating system to maintain a transparent buffer for all storage I/O. At the same time, our system monitors the I/O request patterns of applications on a per-process basis for signs of ransomware-like behavior. If I/O request patterns are observed that indicate possible ransomware activity, the offending processes can be terminated and the data restored. Our evaluation demonstrates that Redemption can ensure zero data loss against current ransomware families without detracting from the user experience or inducing alarm fatigue. In addition, we show that Redemption incurs modest overhead, averaging 2.6% for realistic workloads.

    If you need a ransomware dataset for your research, please send me an email at mkharraz[at]ccs[dot]neu[dot]edu from your organization's email address.

    Amin Kharraz, Engin Kirda, Book Chapter: Root Cause Analysis for Cybersecurity, To appear in Big Data Analytics in Cybersecurity and IT Management, New York, NY: CRC Press, Taylor & Francis 2016.

    Recent years have seen the rise of many classes of cyber attacks ranging from ransomware to Advanced Persistent Threats (APTs) which pose severe risks to companies and enterprises. While static detection and signature-based tools are still useful in detecting already observed threats, they lag behind in detecting such sophisticated attacks where adversaries are adaptable and can evade defenses. This book chapter intends to explain how to analyze the nature of current multi-dimensional attacks, and how to identify the root causes of such security incidents. The chapter also elaborates on how to incorporate the acquired intelligence to minimize the impact of complex threats, and perform rapid incident response.

    Although the concept of ransomware is not new (i.e., such attacks date back at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity. In fact, in 2014 and 2015, a number of high-profile ransomware attacks were reported, such as the large-scale attack against Sony that prompted the company to delay the release of the film "The Interview". Ransomware typically operates by locking the desktop of the victim to render the system inaccessible to the user, or by encrypting, overwriting, or deleting the user's files. However, while many generic malware detection systems have been proposed, none of these systems have attempted to specifically address the ransomware detection problem. In this paper, we present a novel dynamic analysis system called UNVEIL that is specifically designed to detect ransomware. The key insight of the analysis is that in order to mount a successful attack, ransomware must tamper with a user's files or desktop. UNVEIL automatically generates an artificial user environment, and detects when ransomware interacts with user data. In parallel, the approach tracks changes to the system's desktop that indicate ransomware-like behavior. Our evaluation shows that UNVEIL significantly improves the state of the art, and is able to identify previously unknown evasive ransomware that was not detected by the anti-malware industry.

    If you need a ransomware dataset for your research, please send me an email at mkharraz[at]ccs[dot]neu[dot]edu from your organization's email address.

    Sajjad Arshad, Amin Kharraz, William Robertson, Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance, The 19th International Symposium on Research on Attacks, Intrusions and Defenses (RAID 2016). Paris, France, September 2016.

    Extensions provide useful additional functionality for web browsers, but are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware. Users are often unaware of such practices, believing the modifications to the page originate from publishers. Additionally, automated identification of unwanted third-party modifications is fundamentally difficult, as users are the ultimate arbiters of whether content is undesired in the absence of outright malice. To resolve this dilemma, we present a fine-grained approach to tracking the provenance of web content at the level of individual DOM elements. In conjunction with visual indicators, provenance information can be used to reliably determine the source of content modifications, distinguishing publisher content from content that originates from third parties such as extensions. We describe a prototype implementation of the approach called OriginTracer for Chromium, and evaluate its effectiveness, usability, and performance overhead through a user study and automated experiments. The results demonstrate a statistically significant improvement in the ability of users to identify unwanted third-party content such as injected ads with modest performance overhead.

    Sajjad Arshad, Amin Kharraz, William Robertson, Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions, The 20th International Conference on Financial Cryptography and Data Security (FC). Barbados, February 2016.

    Modern websites include various types of third-party content such as JavaScript, images, stylesheets, and Flash objects in order to create interactive user interfaces. In addition to explicit inclusion of third-party content by website publishers, ISPs and browser extensions are hijacking web browsing sessions with increasing frequency to inject third-party content (e.g., ads). However, third-party content can also introduce security risks to users of these websites, unbeknownst to both website operators and users. Because of the often highly dynamic nature of these inclusions as well as the use of advanced cloaking techniques in contemporary malware, it is exceedingly difficult to preemptively recognize and block inclusions of malicious third-party content before it has the chance to attack the user’s system. In this paper, we propose a novel approach to achieving the goal of preemptive blocking of malicious third-party content inclusion through an analysis of inclusion sequences on the Web. We implemented our approach, called Excision, as a set of modifications to the Chromium browser that protects users from malicious inclusions while web pages load. Our analysis suggests that by adopting our in-browser approach, users can avoid a significant portion of malicious third-party content on the Web. Our evaluation shows that Excision effectively identifies malicious content while introducing a low false positive rate. Our experiments also demonstrate that our approach does not negatively impact a user’s browsing experience when browsing popular websites drawn from the Alexa Top 500.

    In this paper, we present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014. We also provide a holistic view on how ransomware attacks have evolved during this period by analyzing 1,359 samples that belong to 15 different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim's computer desktop or attempts to encrypt or delete the victim's files using only superficial techniques. Our analysis also suggests that defending against ransomware attacks is not as complex as it has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.
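    The Redemption abstract and the long-term study above describe the same defensive idea at a high level: hold each process's storage writes in a transparent buffer, watch the per-process I/O request pattern for ransomware-like behavior (in-place overwrites of user files with high-entropy data, tampering with file-system metadata such as the MFT), and on detection terminate the process and restore the data. The Python sketch below is an added illustration of that idea, not code from Redemption, UNVEIL or the authors; the in-memory "disk", the `$MFT` placeholder path, the entropy threshold, the file-count threshold and every sample write are constructed for the example.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Placeholder for file-system metadata that no ordinary process should rewrite
# (the study mentions protecting the NTFS Master File Table). Constructed value.
SENSITIVE_PATHS = {"$MFT"}


@dataclass(frozen=True)
class WriteRequest:
    pid: int
    path: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class IOMonitor:
    """Per-process write buffer plus a simple request-pattern heuristic.

    Writes never reach the disk directly; they are buffered per process and only
    flushed by commit(). A process is terminated, and its buffer discarded, when it
    touches protected metadata or overwrites more than `max_suspicious_files`
    existing files with content whose entropy jumps by at least `entropy_delta`.
    Discarding the buffer is what "restores" the data here: nothing was lost yet.
    """

    def __init__(self, disk: dict, entropy_delta: float = 3.0, max_suspicious_files: int = 2):
        self.disk = disk                               # constructed in-memory disk: path -> bytes
        self.entropy_delta = entropy_delta
        self.max_suspicious_files = max_suspicious_files
        self.buffers = defaultdict(list)               # pid -> pending WriteRequests
        self.suspicious_files = defaultdict(set)       # pid -> paths overwritten with an entropy jump
        self.terminated = set()

    def request(self, req: WriteRequest) -> str:
        if req.pid in self.terminated:
            return "denied"
        if req.path in SENSITIVE_PATHS:
            return self._terminate(req.pid)
        old = self.disk.get(req.path)
        # Creating a new file destroys nothing; only overwrites of existing content are scored.
        if old is not None and shannon_entropy(req.data) - shannon_entropy(old) >= self.entropy_delta:
            self.suspicious_files[req.pid].add(req.path)
        if len(self.suspicious_files[req.pid]) > self.max_suspicious_files:
            return self._terminate(req.pid)
        self.buffers[req.pid].append(req)              # hold the write; the disk is untouched
        return "buffered"

    def _terminate(self, pid: int) -> str:
        self.terminated.add(pid)
        self.buffers.pop(pid, None)                    # drop pending writes: original data survives
        return "terminated"

    def commit(self, pid: int) -> None:
        """Flush a well-behaved process's buffered writes to the disk (e.g. when it exits)."""
        for req in self.buffers.pop(pid, []):
            self.disk[req.path] = req.data


def run_demo():
    """Constructed scenario: a benign editor (pid 100) and an encrypting process (pid 200)."""
    disk = {
        "docs/report.txt": b"quarterly report: revenue grew, costs flat",
        "docs/notes.txt": b"meeting notes: budget review on monday",
        "docs/todo.txt": b"todo: renew certificates, rotate keys",
    }
    monitor = IOMonitor(disk)
    ciphertext = bytes(range(256))   # stand-in for encrypted output: exactly 8.0 bits/byte
    results = {
        "editor": [
            monitor.request(WriteRequest(100, "docs/notes.txt",
                                         b"meeting notes: budget review on monday, room 4")),
            monitor.request(WriteRequest(100, "docs/new.txt", b"fresh file")),
        ],
        "encryptor": [
            monitor.request(WriteRequest(200, path, ciphertext))
            for path in ("docs/report.txt", "docs/notes.txt", "docs/todo.txt")
        ],
    }
    monitor.commit(100)              # the editor's writes land; the encryptor's never did
    return disk, results, monitor


if __name__ == "__main__":
    disk, results, _ = run_demo()
    print(results)
    print({path: shannon_entropy(content) for path, content in disk.items()})
```

The entropy-jump feature alone is deliberately narrow: a process that writes encrypted copies to new files and then deletes the originals would not be scored by it, which is why the abstracts speak of monitoring I/O request patterns, including deletions, rather than a single feature. The point the sketch makes is structural: because writes are buffered per process before they reach storage, detection at the third suspicious overwrite still leaves the first two files intact.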

    QR codes, a form of 2D barcode, allow easy interaction between mobile devices and websites or printed material by removing the burden of manually typing a URL or contact information. QR codes are increasingly popular and are likely to be adopted by malware authors and cyber-criminals as well. In fact, while a link can look suspicious, malicious and benign QR codes cannot be distinguished by simply looking at them. However, despite public discussions about increasing use of QR codes for malicious purposes, the prevalence of malicious QR codes and the kinds of threats they pose are still unclear.

    In this paper, we examine attacks on the Internet that rely on QR codes. Using a crawler, we performed a large-scale experiment by analyzing QR codes across 14 million unique web pages over a nine-month period. Our results show that QR code technology is already used by attackers, for example to distribute malware or to lead users to phishing sites. However, the relatively few malicious QR codes we found in our experiments suggest that, on a global scale, the frequency of these attacks is not alarmingly high and users are rarely exposed to the threats distributed via QR codes while surfing the web.

    Amin Kharraz, Hamid Sarbazi-Azad, Albert Y. Zomaya, On-demand Multicast Routing Protocol with Efficient Route Discovery, Elsevier Journal of Network and Computer Applications 35(3): 942-950 (2012)

    In this paper, we introduce an efficient route discovery mechanism to enhance the performance and multicast efficiency of the On-Demand Multicast Routing Protocol (ODMRP). Our framework, called limited flooding ODMRP, improves the multicasting mechanism by efficiently managing the flooding mechanism based on the delay characteristics of the contributing nodes. In our model, only the nodes that satisfy the delay requirements can flood the Join-Query messages. We model the contributing nodes as M/M/1 queuing systems. Our framework considers the significant parameters in delay analysis, including random packet arrival, the service process, and random channel access in the relaying nodes, and exhibits its best performance results under high traffic load. Simulation results reveal that limited flooding ODMRP drastically reduces the packet overhead under various simulation scenarios as compared to the original ODMRP.



I presented our USENIX paper at the Seminar on Practical Security at Boston University.


Our paper got accepted at USENIX 2016.


Our paper will be presented at Black Hat 2015.


Our research on ransomware attacks received media attention particularly at DarkReading and ComputerWorld.


Our paper got accepted at DIMVA 2015.


Our paper got accepted at DSN 2014.


My current research interests are mainly in application and system security with special focus on malware analysis, file systems and operating system security.



There are always exciting things to discuss in our field of research. My goal is to post interesting things in systems security on a regular basis.
