Computer Sciences Dept.

Kevin Alejandro Roundy

Graduated with Ph.D. in May 2012
After graduating I joined Symantec Research Labs in the Los Angeles area, where I am currently a Technical Director.

Contact Information:
Email: (I've graduated but still read mail sent to this account)

Research Interests:

I have a background in machine learning and database research, but my Ph.D. research focused on building tools that make challenging malware analysis tasks easier to solve. Suppose you were a security analyst at a big firm and someone dropped a nasty virus on you. Your task would be to quickly understand that piece of malware: to find out how it got into your system and what it did to you. I have extended the Dyninst Application Programming Interface so that you can take a program in its final binary form, without needing source code, even if it is evasive, defensive malware like the virus in our example, and find its code, analyze it, modify it, and control its execution. Dyninst is a well-stocked toolbox that makes it easy for software engineers and security analysts to quickly build customized test suites and analysis tools. The most important tools in the box are control- and data-flow analyses and binary instrumentation.

If you were the security analyst in my example and needed to understand a nasty virus, you could build up an understanding of it from first principles, but this is not an easy task, since most malware strongly resists analysis. To find the code in the .exe file, you would have to separate the code bytes from a mixture of junk and data bytes. To understand the code, you would have to see through all of the obfuscations that malware authors use to hide its meaning. To monitor the malware's execution, you would have to circumvent its evasive techniques. And to observe its nasty hidden behaviors, you would need mechanisms that let you control and manipulate the program's execution.

Today, security analysts do not have tools at their disposal that help them accomplish all of these tasks, so they often end up working out solutions from first principles, which is why companies must hire expert analysts. But Dyninst has long been able to find code in uncooperative binaries, analyze and modify that code, and control its execution. My primary research contribution has been to extend Dyninst so that its full capabilities are available on malware, even when it is highly defensive and evasive.

Now, if analyzing a single nasty virus is a daunting task, consider what it is like for analysts at security companies. One of their biggest challenges is understanding and categorizing the literally thousands of new malware samples that are created each day. Dyninst provides the tools needed to build malware analysis factories that automate this process. The analyst tells Dyninst which analyses to run, which behaviors to log, and how to control the programs. The analysis factory then executes the malware samples in an isolated environment and produces the desired report for each sample. These factories are easy to build, and we have implemented an example factory that security analysts can customize as a starting point.

Publications:

Kevin A. Roundy, Matteo Dell'Amico, Michael Hart, Daniel Kats, Robert Scott, Michael Spertus, Acar Tamersoy. Smoke Detector: Cross-Product Intrusion Detection With Weak Indicators. Annual Computer Security Applications Conference (ACSAC), December 4-8, 2017.

Shang-Tse Chen, Yufei Han, Duen Horng Chau, Christopher Gates, Michael Hart, Kevin A. Roundy. Predicting Cyber Threats with Virtual Security Products. Annual Computer Security Applications Conference (ACSAC), December 4-8, 2017.

Robert Pienta, Fred Hohman, Alex Endert, Acar Tamersoy, Kevin Roundy, Chris Gates, Shamkant Navathe, Duen Horng (Polo) Chau. VIGOR: Interactive Visual Exploration of Graph Query Results. IEEE Transactions on Visualization and Computer Graphics (VAST), October 1-6, 2017.

Kyle Soska, Chris Gates, Kevin A. Roundy, and Nicolas Christin. Automatic Application Identification from Billions of Files. ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD). Halifax, Nova Scotia. August 13-17, 2017. [PDF]

Bo Li, Kevin Roundy, Chris Gates, Yevgeniy Vorobeychik. Large-Scale Identification of Malicious Singleton Files. Full Paper. 7th ACM Conference on Data and Application Security and Privacy (CODASPY), Acceptance Rate 16%. Scottsdale, AZ. March 22-24, 2017. [PDF]

Sucheta Soundarajan, Acar Tamersoy, Elias Khalil, Tina Eliassi-Rad, Duen Horng Chau, Brian Gallagher, and Kevin Roundy. Generating Graph Snapshots from Streaming Edge Data. 25th International World Wide Web Conference (WWW). Montreal, Canada. April 11-15, 2016. [PDF]

Acar Tamersoy, Kevin A. Roundy, and Duen Horng (Polo) Chau. Guilt By Association: Large Scale Malware Detection by Mining File-Relation Graphs. ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD). New York City, NY. August 24-27, 2014. [PDF]

Kevin A. Roundy and Barton P. Miller. Binary-Code Obfuscations in Prevalent Packer Tools. ACM Computing Surveys (CSUR), Volume 46, Issue 1, October 2013. [PDF]
This work was partially funded by a grant from PC Antivirus Reviews.

Kevin A. Roundy. Hybrid Analysis and Control of Malicious Code. Ph.D. Dissertation, deposited on May 2, 2012. [PDF]

Andrew R. Bernat, Kevin A. Roundy, and Barton P. Miller. Efficient, Sensitivity Resistant Binary Instrumentation. International Symposium on Software Testing and Analysis (ISSTA), Toronto, Canada, July 2011. [PDF]

Kevin A. Roundy and Barton P. Miller. Hybrid Analysis and Control of Malware Binaries. Recent Advances in Intrusion Detection (RAID), Ottawa, Canada, September 2010. [PDF]
