Graduated with Ph.D. in May 2012
After graduating I joined
Symantec Research Labs, where
I am currently a Technical Director, in the Los Angeles area.
(I've graduated but still read mail sent to this account)
I have a background in machine learning and database research,
but my Ph.D. research focuses on building tools that make
challenging malware analysis tasks easier to solve. Suppose you were
a security analyst at a big firm and someone dropped a nasty virus on
you. Your task would be to quickly understand that piece of malware,
to find out how it got into your system and what it did to you.
I have extended the Dyninst Application Programming Interface
so that you can take a program in its final binary version, without
needing source code, even if it's evasive, defensive malware like the
virus in our example, and: find its code, analyze it, modify it, and
control its execution.
Dyninst is a well-stocked toolbox that makes it easy for people like
software engineers and security analysts to quickly build customized
test suites and analysis tools. The most important tools in our
box are control- and data-flow analyses, and
If you were the security analyst in my example and needed to
understand a nasty virus, you could build up an understanding of it
from first principles, but this is not an easy task, since most malware
strongly resists analysis. To find the code in the .exe file, you'd
have to separate out the code bytes from a mixture of junk and data
bytes. To understand the code, you have to clarify all
of the obfuscations that malware authors use to hide its meaning. To
monitor the malware's execution you have to circumvent its evasive
techniques. And to observe its nasty hidden behaviors, you need
mechanisms to help you control and manipulate the program's execution.
Today, security analysts really don't have the tools at their disposal
that can help them accomplish all of these tasks, so they often do end
up working out solutions from first principles, which requires them to
hire expert analysts. But Dyninst has long been able to find code in
uncooperative binaries, analyze and modify their code, and control
their execution. My primary research contribution has been to extend
Dyninst to make its full capabilities available on malware, even if
it's highly defensive and evasive.
Now, if analyzing a single nasty virus is a daunting task, consider
what it's like for analysts at security companies. One of their
biggest challenges is understanding and categorizing, literally
thousands of new malware samples that get created each day. Dyninst
provides the tools needed to build malware analysis factories that
automate this process. The analyst tells Dyninst what analyses it
wants to run, what behaviors to log, and how to control the
programs. The analysis factory then executes the malware samples in an
isolated environment and produces the desired reports for each
sample. These factories are really easy to build, and we've
implemented an example factory to serve as a starting point, that
security analysts can easily customize.
Kevin A. Roundy, Matteo Dell'Amico, Michael Hart, Daniel Kats, Robert Scott, Michael Spertus, Acar Tamersoy. Smoke Detector: Cross-Product Intrusion Detection With Weak Indicators Annual Computer Security Applications Conference (ACSAC), December 4-8 2017. [PDF]
Shang-Tse Chen, Yufei Han, Duen Horng Chau, Christopher Gates, Michael Hart, Kevin A. Roundy. Predicting Cyber Threats with Virtual Security Products. Annual Computer Security Applications Conference (ACSAC), December 4-8 2017. [PDF]
Robert Pienta, Fred Hohman, Alex Endert, Acar Tamersoy, Kevin Roundy, Chris Gates, Shamkant Navathe, Duen Horng (Polo) Chau. VIGOR: Interactive Visual Exploration of Graph Query Results. IEEE Transactions on Visualization and Computer Graphics (VAST), 1-6 October, 2017. [PDF]
Kyle Soska, Chris Gates, Kevin A. Roundy, and Nicolas Christin. Automatic Application Identification from Billions of Files ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD). Halifax, Nova Scotia. August 13-17, 2017. [PDF]
Bo Li, Kevin Roundy, Chris Gates, Yevgeniy Vorobeychik. Large-Scale Identification of Malicious Singleton Files. Full Paper. 7th ACM Conference on Data and Application Security and Privacy (CODASPY), Acceptance Rate 16%. Scottsdale, AZ. March 22-24, 2017. [PDF]
Sucheta Soundarajan, Acar Tamersoy, Elias Khalil, Tina Eliassi-Rad, Duen Horng Chau, Brian Gallagher and Kevin Roundy. Generating Graph Snapshots from Streaming Edge Data. 25th International World Wide Web Conference (WWW). Montreal, Canada. Apr 11-15, 2016. [PDF].
Acar Tamersoy, Kevin A. Roundy, and Duen Horng (Polo) Chau. Guilt By Association: Large Scale Malware Detection by Mining File-Relation Graphs ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD). New York City, NY. August 24-27, 2014.[PDF]
Kevin A. Roundy and Barton P. Miller.
Binary-Code Obfuscations in Prevalent Packer Tools,
ACM Computing Surveys (CSUR) Volume 46 Issue 1, October 2013. [PDF]
This work was partially funded by a grant
from PC Antivirus
Kevin A. Roundy
Hybrid Analysis and Control of Malicious Code,
Ph.D. Dissertation, deposited on May 2nd, 2012. [PDF]
Andrew R. Bernat, Kevin A. Roundy, and Barton P. Miller.
Efficient, Sensitivity Resistant Binary Instrumentation,
International Symposium on Software Testing and Analysis (ISSTA),
Toronto, Canada, July 2011.
Kevin A. Roundy and Barton P. Miller.
Hybrid Analysis and Control of Malware Binaries,
Recent Advances in Intrusion Detection (RAID),
Ottawa, Canada, September 2010.