Sergio Maffeis
- Senior Lecturer (Associate Professor) in Computer Security
- Research interests: web security, machine learning, formal methods.
- For a complete, but not up to date list of publications, see my DBLP page.
- Contact:
- Email: maffeis at doc ic ac uk
- Tel: +44 (0)2075948390
- Office: 441 Huxley
- Address:
Dr. Sergio Maffeis,
Department of Computing,
Imperial College London, SW7 2AZ, United Kingdom.
- IEEE Computer Security Foundations Symposium:CSF'25 (PC Member).
- [PDF] Mateen: Adaptive Ensemble Learning for Network Anomaly Detection, with F. Alotaibi. RAID 2024.
- [PDF] Rasd: Semantic Shift Detection and Adaptation for Multi-Classification NIDS, with F. Alotaibi. IFIPSEC 2024.
- [arXiv] Differentially Private and Adversarially Robust Machine Learning: An Empirical Evaluation, with J. Thakkar, G. Zizzo. PPAI@AAAI 2024.
- [arXiv] Elevating Defenses: Bridging Adversarial Training and Watermarking for Model Resilience, with J. Thakkar, G. Zizzo. DAI@AAAI 2024.
- [PDF] SQIRL: Grey-Box Detection of SQL Injection Vulnerabilities Using Reinforcement Learning, with S. Al Wahaibi, M. Foley. USENIX Security 2023.
- [PDF] Adaptive Experimental Design for Intrusion Data Collection, with K. Highnam, Z. Hanif, E. Van Vogt, S. Parbhoo, N. Jennings. CAMLIS 2023.
- [PDF] EarlyCrow: Detecting APT Malware Command and Control Over HTTP(S) Using Contextual Summaries, with A. Alageel. ISC 2022.
- [PDF] HAXSS: Hierarchical Reinforcement Learning for XSS Payload Generation, with M. Foley. IEEE TrustCom 2022.
- [PDF] VulBERTa: Simplified Source Code Pre-Training for Vulnerability Detections, with H. Hanif. IEEE IJCNN 2022.
- [PDF] A Hybrid Graph Neural Network Approach for Detecting PHP Vulnerabilities, with R. Rabheru, H. Hanif. IEEE DSC 2022.
- [PDF] Certified Federated Adversarial Training, with G. Zizzo, A. Rawat, M. Sinn, C. Hankin. NFFL@NeurIPS 2021.
- [PDF] Hawk-Eye: Holistic Detection of APT Command and Control Domains, with A. Alageel. ACM SAC 2021, (Security Track).
-
60015:70082 Network and Web Security (aka "331")
This course provides an overview of current cybersecurity issues, attacks and defenses; an introduction to secure software development, threat modelling and pentesting; and an in-depth look at server- and client-side security for web applications. In-class lectures are complemented by practical sessions in the lab.
More details can be found on the course web page.
-
70085 Software Systems Engineering
This module covers the fundamental technologies for designing and building modern software systems. These include networking and distributed systems, databases, web services, cloud computing and continuous delivery methods. All of these are illustrated via practical exercises and projects.
More details can be found on the course web page.
I teach only the first part of the course, introducing the web, web applications, and APIs.
- [PDF] SQIRL: Grey-Box Detection of SQL Injection Vulnerabilities Using Reinforcement Learning, with S. Al Wahaibi, M. Foley. USENIX Security 2023.
In this paper we develop SQIRL, a novel approach to detecting SQL injection vulnerabilities based on deep reinforcement learning. Our approach generates a more varied set of payloads than existing scanners, leading to the discovery of more vulnerabilities with fewer requests. SQIRL discovered 22 novel vulnerabilities, grouped in 6 CVEs, in production grade web applications.
- [PDF] EarlyCrow: Detecting APT Malware Command and Control Over HTTP(S) Using Contextual Summaries, with A. Alageel. ISC 2022.
In this paper, we present an approach to detect APT malware command and control over HTTP(S) contextual summaries, informed by a novel threat model focused on TTPs present in traffic generated by tools recently used as part of APT campaigns.
- [PDF] HAXSS: Hierarchical Reinforcement Learning for XSS Payload Generation, with M. Foley. IEEE TrustCom 2022.
In order to increase the diversity of payloads that can be automatically generated to exploit web applications in a black-box fashion, we develop a hierarchical reinforcement learning approach where agents focus separately on the tasks of escaping the current context, and evading sanitisation. Our approach improves on the state of the art of automated web scanners, and discovers 5 new CVEs in 3 production-grade web applications.
- [PDF] VulBERTa: Simplified Source Code Pre-Training for Vulnerability Detections, with H. Hanif. IEEE IJCNN 2022.
This paper presents a deep learning model pre-trained to learn a deep knowledge representation of C/C++ syntax and semantics, and then fine-tuned to obtain vulnerability detection classifiers. The evaluation results show that our classifiers outperform existing approaches across different datasets, despite their relative simplicity, and limited cost in terms of size of training data and number of model parameters.
- [PDF] A Hybrid Graph Neural Network Approach for Detecting PHP Vulnerabilities, with R. Rabheru, H. Hanif. IEEE DSC 2022.
We present DeepTective, a deep learning approach to detect vulnerabilities in PHP source code, leveraging both syntactic and semantic information.
Experimental results show that our model outperformed related solutions on both synthetic and realistic datasets, and was able to discover 4 novel vulnerabilities in established WordPress plugins.
- [PDF] Certified Federated Adversarial Training, with G. Zizzo, A. Rawat, M. Sinn, C. Hankin. NFFL@NeurIPS 2021.
We tackle the scenario of securing FL systems conducting adversarial training when a quorum of workers could be completely malicious. We model an attacker who poisons the model to insert a weakness into the adversarial training such that the model displays apparent adversarial robustness, while the attacker can exploit the inserted weakness to bypass the adversarial training and force the model to misclassify adversarial examples. We use abstract interpretation techniques to detect such stealthy attacks and block the corrupted model updates. We show that this defence can preserve adversarial robustness even against an adaptive attacker.
- [PDF] Hawk-Eye: Holistic Detection of APT Command and Control Domains, with A. Alageel. ACM SAC 2021, (Security Track).
We study the usage of domains in the context of the Command and Control infrastructure of APTs, focusing in particular on evasion techniques,
and we build a machine learning classifier that leverages novel sematic and structural features of malicious domains to detect APTs.
- [PDF] Adversarial Attacks on Time-Series Intrusion Detection for Industrial Control Systems, with G. Zizzo, C. Hankin, K. Jones. IEEE TrustCom 2020.
In this work we investigate the use of neural networks for intrusion detection on industrial control systems. We demonstrate their vulnerability to adversarial attacks and identify potential over-estimation of performance arising from data leakage artefacts.
- [arXiv] Deep Latent Defence, with G. Zizzo, C. Hankin, K. Jones. CoRR 2019.
This work introduces deep latent defence, a technique that makes neural-network based classifiers more resistant against adversarially-crafted attacks.
- [PDF] Adversarial Machine Learning Beyond the Image Domain, with G. Zizzo, C. Hankin, K. Jones. DAC 2019.
This work gives a brief overview of adversarial machine learning, suggests key differences with the use of machine learning in the cyber domain, and shows an adversarial attack on an industrial control system.
- [PDF] Abstract Domains for Type Juggling, with V. Arceri. NSAD 2016. We provide a formal semantics for the core of PHP with type juggling, and propose a precise type analysis based on abstract interpretation.
- [PDF] BrowserAudit: Automated Testing of Browser Security Features, with C. Hothersall-Thomas and C. Novakovic. ISSTA 2015. A web application and testing framework comprising more than 400 security test for web browsers. Try it: browseraudit.com.
- [PDF] Defensive JavaScript: Building and Verifying Secure Web Components, with
K. Bhargavan, A. Delignat-Lavaud. FOSAD VII Lecture Notes LNCS 8604, 2014. This is an introductory tutorial based on our USENIX Security 2013 paper Language-based Defenses Against Untrusted Browser Origins [PDF].
- [PDF] An Executable Formal Semantics of PHP, with D. Filaretti. ECOOP 2014. The K semantics of PHP, together with our interpreter/model-checker for PHP is available on phpsemantics.org.
- [PDF] A Trusted Mechanised JavaScript Specification, with M. Bodin, A. Chargueraud, D. Filaretti, P. Gardner, D. Naudziuniene, A. Schmitt, G. Smith. POPL 2014.
The COQ formalization and our JavaScript interpreter are available on jscert.org.
-
[PDF] Discovering Concrete Attacks on Website Authorization by Formal Analysis,
with C. Bansal, K. Bhargavan, A. Delignat-Lavaud. Journal of Computer Security, 2014.
The WebSPI library and related web applicaiton models are available here.
- 2023 - MEng Computing: Luqman Liaquat, Automated Diagnostics of Vulnerabilities in Browser-Based Security Mechanisms
- 2023 - MSc Computing: Congyun Guo, Deep Natural Language Processing Model for Phishing Detection and Target Identification
- 2022 - MSc Computing: Salim Al-Wahaibi, Reinforcement Learning For Web Security
- 2021 - MEng Computing: Alexander Nielsen, Creating a honeypot for detecting malicious web requests
- 2020 - MEng Computing: Rishi Rabheru,
Discovering security vulnerabilities in source code using Machine Learning
- 2020 - BEng Computing: James Williams,
Identification of IP addresses using fraudulent geolocation data [YouTube]
- 2019 - MSc Computing: Olivier Roques,
Detecting Malware in TLS Traffic
- 2019 - MEng Computing: Thomas Bower,
Identifying JavaScript skimmers on high-value websites
- 2018 - MEng Compting: Thomas Szyszko,
Phishing Website Classification through Behavioural Analysis
- 2018 - MEng Computing: Hongtao Li,
AMJ - An Analyzer for Malicious JavaScript
- 2017 - MSc Computing: Yuen Choo,
Cross-Device Tracking of Employees with Social Networks
- 2016 - MSc Computing: Dimos Raptis,
Monitorito: Real-time visualisation of high-dimensional web traffic
- 2015 - BEng Computing: Sher Ali Khan,
A Comparative Study of PHP Dialects
- 2015 - MEng EEE: Lin Xin Koh,
Stealthy host monitoring capabilities in a Honeypot
- 2014 - BEng Computing: Charlie Hothersall-Thomas
BrowserAudit, A web application that tests the security of browser implementations
Current:
- Abdullah Aldaihan: Large Language Models For Cyber Threat Detection. Started October 2023.
- Fahad Alotaibi: Concept drift in Deep Learning-based security applications. Started October 2021.
- Myles Foley: Reinforcement Learning for IoT Security. Started October 2020.
- Kate Highnam (co-supervision with Nick Jennings): Real-Time Self-Adaptation for Black-Box Intrusion Detection Systems. Started October 2019.
Past:
- Almuthanna Alageel: Adversarial Network Intrusion Detection Against Advanced Persistent Threats. Graduated 2024.
- Mohamad Hazim Md Hanif: Software Vulnerability Detection using Machine Learning. Graduated 2023.
- Giulio Zizzo (co-supervision with Chris Hankin): Cyber Security for Industrial Control Systems. Graduated 2021.
- Daniele Filaretti: An Executable Formal Semantics of PHP with applications to Program Analysis. Graduated 2015.
- I'm always looking for outstanding PhD candidates with a strong background in formal methods and a keen interest to work in security. Previous peer-reviewed publications are a definite plus.
- The minimum admission criteria for PhD students at Imperial are quite strict, and can be found here.
- Funding opportunities are listed here.
-
Certified Verification of Client-Side Web Programs. (CO-I) EPSRC/GCHQ Business Continuity Case, 2017.
-
Web Security and Privacy. (PI) GCHQ Academic Cyber Funding Small Grant, 2016.
This project provided practical support for research in web security and privacy, including the operation of ScanMyBrowser.
-
Cybersecurity lab starter. (PI) GCHQ Academic Cyber Funding Small grant, 2015.
This project set up a small lab for cybersecurity experiments, and partially supports the operation of BrowserAudit.
-
Certified Verification of Client-Side Web Programs. (CO-I) EPSRC grant EP/K032089/1, 2013-2016.
This project includes the joint development between Imperial College and INRIA of JsCert, a formal semantics of JavaScript in the Coq proof assistant.
(The original small-step operational semantics of JavaScript is available here.)
-
Foundations of Secure Web Programming (PI) EPSRC grant EP/I004246/1, 2010-2015.
-
Programming Abstractions and Static Analyses for the Web 2.0 and Beyond. (PI) EPSRC grant EP/E044956/1, 2007-2010.
-
Dynamic Net Data: Theory and Experiment. (Named RA) UK National E-Science Grant, 2004-2007.
- IEEE Computer Security Foundations Symposium (CSF) 2014, 2024, 2025.
- IEEE Security and Privacy (Oakland) 2010, 2011, 2017, 2019, 2020, 2021, 2023.
- World Wide Web - Security Track (WWW) 2018.
- Principles of Security and Trust (POST) 2015, 2018.
- ACM Symposium on Applied Computing - Security Track (SEC@SAC) 2015 (PC Chair), 2016 (PC Chair) .
- Program Protection and Reverse Engineering (PPREW) 2013, 2014, 2016.
- Hot Issues on Security Principles and Trust (HotSpot) 2015.
- Joint Program Protection and Reverse Engineering & Software Security and Protection: PPREW/SSP'15.
- International Conference on Web Engineering: ICWE'15.
- ACM Dynamic Languages Symposium (DLS) 2014.
- IEEE International Congress on Big Data (BigData) 2014.
- IEEE International Conference on Big Data (BigData) 2013.
- ACM SIGPLAN Programming Languages and Analysis for Security (PLAS) 2010, 2011, 2012 (PC Chair).
- Engineering Secure Software and Systems (ESSoS) 2012, 2013.
- Trustworthy Global Computing (TGC) 2013,2014.
- OWASP AppSec Research 2010.
- Analysis and Programming Languages For Web Applications and Cloud Applications (APLWACA) 2010.
- Expressiveness in Concurrency (Express) 2008, 2010, 2011.