- Senior Lecturer (Associate Professor) in Computer Security
- Research interests: web security, machine learning, formal methods.
- Publications: see my DBLP page.
- Email: maffeis at doc ic ac uk
- Tel: +44 (0)2075948390
- Office: 441 Huxley
Dr. Sergio Maffeis,
Department of Computing,
Imperial College London, SW7 2AZ, United Kingdom.
- IEEE Symposium on Security & Privacy (Oakland): S&P'23 (PC Member).
331 Network and Web Security
This course provides an overview of current cybersecurity issues, attacks and defenses; an introduction to secure software development, threat modelling and pentesting; and an in-depth look at server- and client-side security for web applications. In-class lectures are complemented by practical sessions in the lab.
More details can be found on the course web page.
446H Applied Network Security
This is a practical, project-based course to explore advanced topics in network security. This year it is offered as an ISO to MSc students.
More details can be found on the course web page.
- [PDF] Certified Federated Adversarial Training, with G. Zizzo, A. Rawat, M. Sinn, C. Hankin. NFFL@NeurIPS 2021.
We tackle the scenario of securing FL systems conducting adversarial training when a quorum of workers could be completely malicious. We model an attacker who poisons the model to insert a weakness into the adversarial training such that the model displays apparent adversarial robustness, while the attacker can exploit the inserted weakness to bypass the adversarial training and force the model to misclassify adversarial examples. We use abstract interpretation techniques to detect such stealthy attacks and block the corrupted model updates. We show that this defence can preserve adversarial robustness even against an adaptive attacker.
- [PDF] Hawk-Eye: Holistic Detection of APT Command and Control Domains, with A. Alageel. ACM SAC 2021, (Security Track).
We study the usage of domains in the context of the Command and Control infrastructure of APTs, focusing in particular on evasion techniques,
and we build a machine learning classifier that leverages novel sematic and structural features of malicious domains to detect APTs.
- [PDF] A Hybrid Graph Neural Network Approach for Detecting PHP Vulnerabilities, with R. Rabheru, H. Hanif. ArXiv 2020.
We presents DeepTective, a deep learning approach to detect vulnerabilities in PHP source code, leveraging both syntactic and semantic information.
Experimental results show that our model outperformed related solutions on both synthetic and realistic datasets, and was able to discover 4 novel vulnerabilities in established WordPress plugins.
- [PDF] Adversarial Attacks on Time-Series Intrusion Detection for Industrial Control Systems, with G. Zizzo, C. Hankin, K. Jones. TrustCom 2020. In this work we investigate the use of neural networks for intrusion detection on industrial control systems. We demonstrate their vulnerability to adversarial attacks and identify potential over-estimation of performance arising from data leakage artefacts.
- [PDF] Deep Latent Defence, with G. Zizzo, C. Hankin, K. Jones. CoRR 2019. This work introduces deep latent defence, a technique that makes neural-network based classifiers more resistant against adversarially-crafted attacks.
- [PDF] Adversarial Machine Learning Beyond the Image Domain, with G. Zizzo, C. Hankin, K. Jones. DAC 2019. This work gives a brief overview of adversarial machine learning, suggests key differences with the use of machine learning in the cyber domain, and shows an adversarial attack on an industrial control system.
- [PDF] Abstract Domains for Type Juggling, with V. Arceri. NSAD 2016. We provide a formal semantics for the core of PHP with type juggling, and propose a precise type analysis based on abstract interpretation.
- [PDF] BrowserAudit: Automated Testing of Browser Security Features, with C. Hothersall-Thomas and C. Novakovic. ISSTA 2015. A web application and testing framework comprising more than 400 security test for web browsers. Try it: browseraudit.com.
K. Bhargavan, A. Delignat-Lavaud. FOSAD VII Lecture Notes LNCS 8604, 2014. This is an introductory tutorial based on our USENIX Security 2013 paper Language-based Defenses Against Untrusted Browser Origins [PDF].
- [PDF] An Executable Formal Semantics of PHP, with D. Filaretti. ECOOP 2014. The K semantics of PHP, together with our interpreter/model-checker for PHP is available on phpsemantics.org.
[PDF] Discovering Concrete Attacks on Website Authorization by Formal Analysis,
with C. Bansal, K. Bhargavan, A. Delignat-Lavaud. Journal of Computer Security, 2014.
The WebSPI library and related web applicaiton models are available here.
- 2020 - MEng Computing: Rishi Rabheru,
Discovering security vulnerabilities in source code using Machine Learning
- 2020 - BEng Computing: James Williams,
Identification of IP addresses using fraudulent geolocation data [YouTube]
- 2019 - MSc Computing (Specialism): Olivier Roques,
Detecting Malware in TLS Traffic
- 2019 - MEng Computing: Thomas Bower,
- 2018 - MEng Compting: Thomas Szyszko,
Phishing Website Classification through Behavioural Analysis
- 2018 - MEng Computing: Hongtao Li,
- 2017 - MSc Computing (Specialism): Yuen Choo,
Cross-Device Tracking of Employees with Social Networks
- 2016 - MSc Computing (Specialism): Dimos Raptis,
Monitorito: Real-time visualisation of high-dimensional web traffic
- 2015 - BEng Computing: Sher Ali Khan,
A Comparative Study of PHP Dialects
- 2015 - MEng EEE: Lin Xin Koh,
Stealthy host monitoring capabilities in a Honeypot
- 2014 - BEng Computing: Charlie Hothersall-Thomas
BrowserAudit, A web application that tests the security of browser implementations
- Myles Foley: Reinforcement Learning for IoT Security. Starting October 2020.
- Mohamad Hazim Md Hanif: Software Vulnerability Detection using Machine Learning. Started October 2019.
- Almuthanna Alageel: Adversarial Network Intrusion Detection Against Advanced Persistent Threats. Started October 2018.
- Giulio Zizzo (2nd supervisor): Cyber Security for Industrial Control Systems. Started October 2017.
- Abdulrahman Alsaleh: Automatic analysis and enforcement of Security and Privacy properties of Web applications and Protocols. Started October 2016.
- Christopher Lidbury (2nd supervisor): Dynamic Analysis for Modern Concurrent C/C++ Applications. Ended 2019.
- Rabih Mohsen (2nd supervisor): Code Obfuscation Security. Ended 2016.
- Daniele Filaretti: An Executable Formal Semantics of PHP with applications to Program Analysis. Ended 2015.
- I'm always looking for outstanding PhD candidates with a strong background in formal methods and a keen interest to work in security. Previous peer-reviewed publications are a definite plus.
- The admission criteria for PhD students at Imperial are quite strict, and can be found here.
- Funding opportunities are listed here.
Certified Verification of Client-Side Web Programs. (CO-I) EPSRC/GCHQ Business Continuity Case, 2017.
Web Security and Privacy. (PI) GCHQ Academic Cyber Funding Small Grant, 2016.
This project provided practical support for research in web security and privacy, including the operation of ScanMyBrowser.
Cybersecurity lab starter. (PI) GCHQ Academic Cyber Funding Small grant, 2015.
This project set up a small lab for cybersecurity experiments, and partially supports the operation of BrowserAudit.
Certified Verification of Client-Side Web Programs. (CO-I) EPSRC grant EP/K032089/1, 2013-2016.
Foundations of Secure Web Programming (PI) EPSRC grant EP/I004246/1, 2010-2015.
Programming Abstractions and Static Analyses for the Web 2.0 and Beyond. (PI) EPSRC grant EP/E044956/1, 2007-2010.
Dynamic Net Data: Theory and Experiment. (Named RA) UK National E-Science Grant, 2004-2007.
- IEEE Security and Privacy (Oakland) 2010, 2011, 2017, 2019, 2020, 2021, 2023.
- World Wide Web - Security Track (WWW) 2018.
- Principles of Security and Trust (POST) 2015, 2018.
- ACM Symposium on Applied Computing - Security Track (SEC@SAC) 2015 (PC Chair), 2016 (PC Chair) .
- Program Protection and Reverse Engineering (PPREW) 2013, 2014, 2016.
- Hot Issues on Security Principles and Trust (HotSpot) 2015.
- Joint Program Protection and Reverse Engineering & Software Security and Protection: PPREW/SSP'15.
- International Conference on Web Engineering: ICWE'15.
- IEEE Computer Security Foundations Symposium (CSF) 2014.
- ACM Dynamic Languages Symposium (DLS) 2014.
- IEEE International Congress on Big Data (BigData) 2014.
- IEEE International Conference on Big Data (BigData) 2013.
- ACM SIGPLAN Programming Languages and Analysis for Security (PLAS) 2010, 2011, 2012 (PC Chair).
- Engineering Secure Software and Systems (ESSoS) 2012, 2013.
- Trustworthy Global Computing (TGC) 2013,2014.
- OWASP AppSec Research 2010.
- Analysis and Programming Languages For Web Applications and Cloud Applications (APLWACA) 2010.
- Expressiveness in Concurrency (Express) 2008, 2010, 2011.