105–107 Forsyth Street
132E Nightingale Hall
Boston, MA 02115
Sajjad Arshad is a PhD student in the Information Assurance program at Northeastern University’s College of Computer and Information Science, advised by Professors William Robertson and Engin Kirda. Sajjad’s research involves computer system security through applications of secure design principles and defensive techniques in areas such as web and systems security, privacy in online advertising, and malware detection.
At Northeastern, Sajjad works as a research assistant in the Systems Security Lab and has contributed to published research on topics such as cyberspace safety and security, web security, and malware detection. He is interested in security engineering and in how cyber security affects industry, as well as in web-based malware: how to remedy vulnerabilities in browsers and how to detect websites that distribute malware.
Before joining the PhD program at Northeastern, Sajjad earned his Bachelor of Science degree in Software Engineering at the University of Tehran as well as his Master of Science degree in Software Engineering at Shahid Beheshti University.
- MS, Shahid Beheshti University – Iran
- BS, University of Tehran – Iran
- Hometown: Yazd, Iran
- Field of Study: Information Assurance
- PhD Advisors: William Robertson and Engin Kirda
What are the specifics of your graduate education (thus far)?
Our Information Assurance program prepares us with a variety of backgrounds in reliability and security to address global threats to cyberspace.
What are your research interests?
My research is concerned with improving the security of computer systems through application of secure design principles and integration of defensive techniques such as attack detection, prevention, and recovery. Some particular domains that I am active in include Web and browser security, privacy in online advertising, and malware detection. Specifically, my research focuses on large-scale measurement and detection of web malware, primarily using browser instrumentation and distributed crawling. I also contributed to multiple web security measurement studies.
What’s one problem you’d like to solve with your research/work?
Nowadays, web browsers play an important role on the Internet since most applications are web-based. Therefore, maintaining browser security is critical. Web-based malware is very prevalent today and thousands of users are victims of this malware every day, so I am trying to address these two problems by fixing vulnerabilities in browsers and detecting websites that distribute malware.
What aspect of what you do is most interesting?
The fact that even today, many Internet users are exposed to malware without being aware of it.
What are your research or career goals, going forward?
I think that cyber security research in academia has a direct impact on industry as well. In other words, whatever research you are doing in security will be helpful in the industry, so my goal is to work in the industry as a security engineer.
Where did you grow up or spend your most defining years?
I was born in Yazd, Iran and I was there until the end of high school. After that, I moved to Tehran to go to undergrad and grad schools.
Where did you study for your undergraduate degree?
I went to the University of Tehran, a prestigious university in Iran, for my undergrad degree. In high school I was very passionate about computer programming, and the University of Tehran has one of the best software engineering programs in the country.
Arshad, Sajjad, Kharraz, Amin, and Robertson, William. Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance. International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Paris, France, September 2016.
Extensions provide useful additional functionality for web browsers, but are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, extensions have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware. Users are often unaware of such practices, believing the modifications to the page originate from publishers. Additionally, automated identification of unwanted third-party modifications is fundamentally difficult, as users are the ultimate arbiters of whether content is undesired in the absence of outright malice. To resolve this dilemma, we present a fine-grained approach to tracking the provenance of web content at the level of individual DOM elements. In conjunction with visual indicators, provenance information can be used to reliably determine the source of content modifications, distinguishing publisher content from content that originates from third parties such as extensions. We describe a prototype implementation of the approach called ORIGINTRACER for Chromium, and evaluate its effectiveness, usability, and performance overhead through a user study and automated experiments. The results demonstrate a statistically significant improvement in the ability of users to identify unwanted third-party content such as injected ads with modest performance overhead.
Bashir, Muhammad Ahmad, Arshad, Sajjad, and Wilson, Christo. "Recommended For You": A First Look at Content Recommendation Networks. ACM Internet Measurement Conference (IMC), Santa Monica, CA, USA, November 2016.
One advertising format that has grown significantly in recent years is known as Content Recommendation Networks (CRNs). CRNs are responsible for the widgets full of links that appear under headlines like “Recommended For You” and “Things You Might Like”. Although CRNs have become quite popular with publishers, users complain about the low quality of content promoted by CRNs, while regulators in the US and Europe have faulted CRNs for failing to label sponsored links as advertisements. In this study, we present a first look at five of the largest CRNs, including their footprint on the web, how their recommendations are labeled, and who their advertisers are. Our findings reveal that CRNs still fail to prominently disclose the paid nature of their sponsored content. This suggests that additional intervention is necessary to promote accepted best practices in the nascent CRN marketplace, and ultimately to protect online users.
Reza Mirzazade Farkhani, Sajjad Arshad, Saman Jafari. IEEE Secure Development Conference (SecDev) Poster Session, Boston, MA, USA, September 2017.
The lack of automatic memory management in unsafe programming languages such as C/C++ has been a significant source of threats to applications. As a result, there has been a continuous arms race between the development of attacks and countermeasures. Generally speaking, memory corruption attacks fall into two types: code injection and code reuse. The most prevalent and practical defense mechanisms against these attacks are non-executable memory (W⊕X) and Address Space Layout Randomization (ASLR). However, it has been shown that such defenses can be bypassed by motivated attackers. Therefore, researchers have introduced new protections such as Control Flow Integrity (CFI). CFI enforces that the application’s control flow adheres to a statically generated Control Flow Graph (CFG). The effectiveness of CFI depends on the ability to construct an accurate CFG. Creating a CFG requires precise static analysis and points-to analysis. Precise points-to analysis is undecidable, which leads to over-approximation in the program’s CFG. These over-approximations let the adversary perform attacks despite the presence of CFI. Recently, a type matching method has been proposed to solve the aforementioned problems in a practical way. Type checking only allows control transfers if the types of the caller and the callee match. Similar to CFI, type matching attempts to enforce at runtime that the program’s control flow sticks to the branches recognized in the statically generated CFG, using a label-based control-flow approach. In other words, the type of the function pointer used to make an indirect call and the type of the called function are compared at runtime before jumping to the function. The control flow transfer is disallowed if the types do not match. It is very common in real-world applications for different functions and function pointers to have the same type. This leads to type collisions for type matching.
In this study, we find that runtime type checking indeed faces numerous practical challenges for deployment. For example, some types, such as void *, can be matched with any other type; restricting transfers based on type is therefore not effective, because the caller and callee can have different types. There are also variadic functions and function pointers for which the type of the caller is not known beforehand, so deciding based on the number and type of arguments is not possible statically. In C++, the return types of virtual methods can be covariant, which is another challenge for type checking. To prevent type collisions, a type diversification technique is required. Resolving collisions requires global type diversification, which complicates dynamic loading of libraries and separate compilation. Our preliminary investigation of popular web servers such as Nginx, Apache and Lighttpd shows that a substantial number of functions and function pointers have the same type, which produces type collisions and consequently over-approximation. If shared libraries are added to this list, the number of collisions rises significantly. Diversifying all of these collisions requires having all the source code available at the same time to preserve functionality; in addition to being performance-heavy, this prevents separate compilation. During this research, we have studied the implications of creating a restrictive CFI with type matching and propose some solutions to improve the accuracy of the CFG. Previous efforts have shown that even context-sensitive points-to analysis is not accurate enough to create the CFG. Combining the results of points-to analysis and type checking can yield a more precise CFG: by pruning the CFG with type matching, a more precise CFG becomes available. This pruning decreases the chance of a practical attack on CFI, but it faces numerous practical deployment challenges.
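The abstract above argues that type matching over-approximates indirect-call targets when many functions share a signature (type collisions), that `void *` makes the rule even looser, and that intersecting the type-based target set with a points-to set prunes the CFG. The following toy model, added here as an illustration and not code from the poster or from any CFI implementation, makes those three effects concrete. The function names, signatures, call sites and the points-to results are all constructed; a real tool would derive them from the compiler's IR.

```python
"""Toy model of indirect-call target sets under type-matching CFI.

Constructed example: models (1) type collisions, where several functions
share one signature, (2) the wildcard effect of void* parameters, and
(3) pruning the CFG by intersecting type-based and points-to-based targets.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Func:
    name: str
    signature: tuple  # (return type, (param type, ...))


# Constructed address-taken functions of a hypothetical web server.
FUNCS = [
    Func("on_read", ("int", ("conn*", "void*"))),
    Func("on_write", ("int", ("conn*", "void*"))),
    Func("on_close", ("int", ("conn*", "void*"))),
    Func("log_line", ("void", ("const char*",))),
    Func("parse_header", ("int", ("conn*", "char*"))),
    Func("free_ctx", ("void", ("void*",))),
]

# Constructed indirect call sites: the declared type of the function pointer
# and the targets a (hypothetical) points-to analysis reports for that site.
CALL_SITES = {
    "dispatch_event": {"type": ("int", ("conn*", "void*")),
                       "points_to": {"on_read", "on_write"}},
    "cleanup": {"type": ("void", ("void*",)),
                "points_to": {"free_ctx"}},
}


def types_compatible(declared, actual, void_ptr_wildcard=True):
    """Type-matching rule: same return type and arity, each parameter type
    identical, except that void* on either side is accepted when the
    wildcard is enabled (the leniency the abstract points out)."""
    if declared[0] != actual[0] or len(declared[1]) != len(actual[1]):
        return False
    for d, a in zip(declared[1], actual[1]):
        if d == a:
            continue
        if void_ptr_wildcard and (d == "void*" or a == "void*"):
            continue
        return False
    return True


def type_targets(site_type, funcs=FUNCS, void_ptr_wildcard=True):
    """All functions a type-matching policy would allow at this call site."""
    return {f.name for f in funcs
            if types_compatible(site_type, f.signature, void_ptr_wildcard)}


def collisions(funcs=FUNCS):
    """Signatures shared by more than one function: each is a type collision
    that a type-only policy cannot separate."""
    by_sig = defaultdict(list)
    for f in funcs:
        by_sig[f.signature].append(f.name)
    return {sig: names for sig, names in by_sig.items() if len(names) > 1}


def pruned_targets(site, funcs=FUNCS):
    """Intersection of the type-based and points-to-based target sets: the
    CFG pruning the abstract describes."""
    return type_targets(site["type"], funcs) & site["points_to"]


if __name__ == "__main__":
    for name, site in CALL_SITES.items():
        print(name, "type-only:", sorted(type_targets(site["type"])),
              "pruned:", sorted(pruned_targets(site)))
    print("collisions:", collisions())
```

Running it shows that `dispatch_event` is allowed four targets by type alone (including `parse_header`, reachable only through the `void*` wildcard), three with the wildcard disabled, and two after intersecting with the points-to set; the three event handlers form one collision group.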
Sajjad Arshad, Seyed Ali Mirheidari, Tobias Lauinger, Bruno Crispo, Engin Kirda, William Robertson. The Web Conference (WWW), Lyon, France, April 2018.
Relative Path Overwrite (RPO) is a recent technique to inject style directives into sites even when no style sink or markup injection vulnerability is present. It exploits differences in how browsers and web servers interpret relative paths (i.e., path confusion) to make an HTML page reference itself as a stylesheet; a simple text injection vulnerability along with browsers’ leniency in parsing CSS resources results in an attacker’s ability to inject style directives that will be interpreted by the browser. Even though style injection may appear a less serious threat than script injection, it has been shown that it enables a range of attacks, including secret exfiltration. In this paper, we present the first large-scale study of the Web to measure the prevalence and significance of style injection using RPO. Our work shows that around 9% of the sites in the Alexa Top 10,000 contain at least one vulnerable page, out of which more than one third can be exploited. We analyze in detail various impediments to successful exploitation, and make recommendations for remediation. In contrast to script injection, relatively simple countermeasures exist to mitigate style injection. However, there appears to be little awareness of this attack vector, as evidenced by a range of popular Content Management Systems (CMSes) that we found to be exploitable.
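The path confusion at the heart of RPO is easiest to see by resolving a relative stylesheet reference the way a browser does and then routing the resulting URL the way a lenient server does. The script below is an added illustration, not code from the paper; the `article` router, the page URLs and the `/static/style.css` path are constructed. It also shows the two simple countermeasures the abstract alludes to: rejecting requests that carry extra path segments, and referencing stylesheets by absolute path so the page URL no longer influences resolution.

```python
"""Path confusion behind Relative Path Overwrite, with two mitigations.

Constructed example: a browser resolves a relative href against the page
URL (RFC 3986), while a lenient router maps /article/<id>/<anything> back
to the article handler, so the resolved stylesheet URL is the page itself.
"""
from urllib.parse import urljoin, urlsplit


def browser_resolve(page_url, href):
    """URL the browser requests for an href found on page_url."""
    return urljoin(page_url, href)


def lenient_route(path):
    """Hypothetical CMS router that ignores trailing path info: both
    /article/42 and /article/42/anything reach the same handler."""
    parts = path.strip("/").split("/")
    if parts[0] == "article" and len(parts) >= 2:
        return ("article", parts[1])
    return ("not_found", None)


def strict_route(path):
    """Remediated router: a request with extra path segments is not served,
    so a self-referencing stylesheet URL cannot be produced."""
    parts = path.strip("/").split("/")
    if parts[0] == "article" and len(parts) == 2:
        return ("article", parts[1])
    return ("not_found", None)


def stylesheet_is_self_reference(page_url, href, route):
    """True when the page is served and its stylesheet URL resolves to the
    very same handler and resource, i.e. the HTML is loaded as its own CSS."""
    page = route(urlsplit(page_url).path)
    css = route(urlsplit(browser_resolve(page_url, href)).path)
    return page[0] != "not_found" and page == css


if __name__ == "__main__":
    normal = "https://example.test/article/42"
    confused = "https://example.test/article/42/extra"
    for url in (normal, confused):
        print(url, "->", browser_resolve(url, "style.css"),
              "self-reference:", stylesheet_is_self_reference(url, "style.css", lenient_route))
    print("strict router:", stylesheet_is_self_reference(confused, "style.css", strict_route))
    print("absolute href:", stylesheet_is_self_reference(confused, "/static/style.css", lenient_route))
```

Under the normal URL the stylesheet resolves to `/article/style.css` and a different resource, but once a trailing segment is present the browser asks for `/article/42/style.css`, which the lenient router serves as the article itself. The strict router and the absolute `href` each break that loop independently; in practice a site would also serve stylesheets with a correct `Content-Type` so the browser has no reason to parse HTML as CSS.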
Arshad, Sajjad, Kharraz, Amin, Robertson, William. Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions. Financial Cryptography and Data Security (FC), 2016.
Kharraz, Amin, Arshad, Sajjad, Mulliner, Collin, Robertson, William, and Kirda, Engin. UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware. USENIX Security Symposium, Austin, TX, August 2016.
Although the concept of ransomware is not new (i.e., such attacks date back at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity. In fact, in the last few years, a number of high-profile ransomware attacks were reported, such as the large-scale attack against Sony that prompted the company to delay the release of the film “The Interview.” Ransomware typically operates by locking the desktop of the victim to render the system inaccessible to the user, or by encrypting, overwriting, or deleting the user’s files. However, while many generic malware detection systems have been proposed, none of these systems have attempted to specifically address the ransomware detection problem. In this paper, we present a novel dynamic analysis system called UNVEIL that is specifically designed to detect ransomware. The key insight of the analysis is that in order to mount a successful attack, ransomware must tamper with a user’s files or desktop. UNVEIL automatically generates an artificial user environment, and detects when ransomware interacts with user data. In parallel, the approach tracks changes to the system’s desktop that indicate ransomware-like behavior. Our evaluation shows that UNVEIL significantly improves the state of the art, and is able to identify previously unknown evasive ransomware that was not detected by the antimalware industry.
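The key insight of the abstract, that ransomware has to touch user files, suggests a detection strategy built on planted decoy documents: record their state, then look for deletion, modification, or overwriting with high-entropy (encryption-like) content. The monitor below is an added example written to illustrate that idea; it is not UNVEIL's code and makes no claim about UNVEIL's internals. The decoy file names, the entropy threshold of 7.0 bits per byte and the tampering simulation in `demo()` (random bytes written to the monitor's own temporary files) are all constructed.

```python
"""Decoy-file tampering monitor, illustrating detection of ransomware-like
file activity in an artificial user environment.

Constructed example: plants low-entropy decoy documents, records their
hashes, then classifies each decoy as intact, deleted, modified, or
overwritten with high-entropy content.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 for ciphertext, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_decoys(root: Path, n: int = 5) -> dict:
    """Create plausible-looking, low-entropy documents and return a baseline
    mapping file name -> SHA-256 of its content."""
    baseline = {}
    for i in range(n):
        p = root / f"report_{i}.txt"  # constructed decoy name
        p.write_bytes(f"Quarterly report {i}: revenue and costs\n".encode() * 50)
        baseline[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def scan(root: Path, baseline: dict, entropy_threshold: float = 7.0) -> dict:
    """Compare each decoy against the baseline and classify what happened."""
    findings = {}
    for name, digest in baseline.items():
        p = root / name
        if not p.exists():
            findings[name] = "deleted"
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            findings[name] = "intact"
        elif entropy(data) >= entropy_threshold:
            findings[name] = "overwritten_high_entropy"
        else:
            findings[name] = "modified"
    return findings


def verdict(findings: dict, min_tampered: int = 2) -> bool:
    """Flag ransomware-like behaviour once several decoys were tampered with;
    a single touched file could be a legitimate application."""
    tampered = sum(1 for v in findings.values() if v != "intact")
    return tampered >= min_tampered


def demo() -> dict:
    """Simulate a process that overwrites two decoys with random bytes and
    deletes a third (constructed tampering inside a temporary directory)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_decoys(root)
        (root / "report_0.txt").write_bytes(os.urandom(4096))
        (root / "report_1.txt").write_bytes(os.urandom(4096))
        (root / "report_2.txt").unlink()
        findings = scan(root, baseline)
        return {"findings": findings, "ransomware_like": verdict(findings)}


if __name__ == "__main__":
    print(demo())
```

The entropy check is what separates "the user edited a document" from "something replaced the document with ciphertext"; the `min_tampered` threshold in `verdict` is the usual false-positive control, since backup or indexing software may legitimately touch one decoy but rarely rewrites several with random-looking content.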
Bashir, Muhammad Ahmad, Arshad, Sajjad, Robertson, William, and Wilson, Christo. Tracing Information Flows Between Ad Exchanges Using Retargeted Ads. USENIX Security Symposium, Austin, TX, USA, August 2016.
Numerous surveys have shown that Web users are concerned about the loss of privacy associated with online tracking. Alarmingly, these surveys also reveal that people are also unaware of the amount of data sharing that occurs between ad exchanges, and thus underestimate the privacy risks associated with online tracking. In reality, the modern ad ecosystem is fueled by a flow of user data between trackers and ad exchanges. Although recent work has shown that ad exchanges routinely perform cookie matching with other exchanges, these studies are based on brittle heuristics that cannot detect all forms of information sharing, especially under adversarial conditions. In this study, we develop a methodology that is able to detect client- and server-side flows of information between arbitrary ad exchanges. Our key insight is to leverage retargeted ads as a tool for identifying information flows. Intuitively, our methodology works because it relies on the semantics of how exchanges serve ads, rather than focusing on specific cookie matching mechanisms. Using crawled data on 35,448 ad impressions, we show that our methodology can successfully categorize four different kinds of information sharing behavior between ad exchanges, including cases where existing heuristic methods fail. We conclude with a discussion of how our findings and methodologies can be leveraged to give users more control over what kind of ads they see and how their information is shared between ad exchanges.
Mirheidari, Seyed Ali, Arshad, Sajjad, Jalili, Rasool. Alert Correlation Algorithms: A Survey and Taxonomy. Cyberspace Safety and Security (CSS), 2013.
Alert correlation is a system that receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high-level attack patterns, adds meaning to the incidents that have occurred, predicts future attack states, and detects the root cause of attacks. To reach these goals, many algorithms have been introduced, each with its own advantages and disadvantages. In this paper, we present a comprehensive survey of previously proposed alert correlation algorithms. The survey focuses mainly on algorithms in correlation engines that can work in enterprise and practical networks. With this aim in mind, many features related to accuracy, functionality, and computational cost are introduced, and all algorithm categories are assessed against these features. The result of this survey shows that each category of algorithms has its own strengths, and an ideal correlation framework should carry the strengths of each category.
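Two of the goals listed above, reducing duplicate or false alerts and detecting higher-level attack patterns, can be shown end to end on a handful of alerts. The engine below is an added example, not code from the survey or from any of the algorithms it covers: it aggregates identical alerts reported by different sensors within a short window, then chains alerts into a multi-stage scenario (scan, exploit attempt, outbound C2) per attacker/victim pair. The alert line format, the sensor names, the addresses and the stage order are all constructed.

```python
"""Minimal alert-correlation engine over constructed IDS alerts.

Constructed example: (1) aggregation collapses identical alerts from
different sensors within a window, (2) scenario correlation chains stages
for an attacker/victim pair, noting that after compromise the victim
becomes the source of C2 traffic.
"""
from datetime import datetime, timedelta

# Constructed alerts: "<ISO time> <sensor> <src> <dst> <signature>"
ALERT_LINES = [
    "2013-05-01T10:00:00 snort 10.0.0.5 192.168.1.20 PORTSCAN",
    "2013-05-01T10:00:01 snort 10.0.0.5 192.168.1.20 PORTSCAN",
    "2013-05-01T10:00:02 suricata 10.0.0.5 192.168.1.20 PORTSCAN",
    "2013-05-01T10:03:10 snort 10.0.0.5 192.168.1.20 EXPLOIT_ATTEMPT",
    "2013-05-01T10:05:40 hids 192.168.1.20 203.0.113.9 OUTBOUND_C2",
    "2013-05-01T11:30:00 snort 10.0.0.7 192.168.1.21 PORTSCAN",
]

# Constructed attack-stage order used for scenario correlation.
STAGES = ["PORTSCAN", "EXPLOIT_ATTEMPT", "OUTBOUND_C2"]


def parse(lines):
    """Parse alert lines into dicts, sorted by time."""
    alerts = []
    for line in lines:
        ts, sensor, src, dst, sig = line.split()
        alerts.append({"time": datetime.fromisoformat(ts), "sensor": sensor,
                       "src": src, "dst": dst, "sig": sig, "count": 1})
    return sorted(alerts, key=lambda a: a["time"])


def aggregate(alerts, window=timedelta(seconds=60)):
    """Merge alerts with the same (src, dst, signature) seen within `window`
    of the first one, whichever sensor raised them."""
    merged = []
    for a in alerts:
        for m in merged:
            same_key = (m["src"], m["dst"], m["sig"]) == (a["src"], a["dst"], a["sig"])
            if same_key and a["time"] - m["time"] <= window:
                m["count"] += 1
                m["sensors"].add(a["sensor"])
                break
        else:
            merged.append({**a, "sensors": {a["sensor"]}})
    return merged


def correlate(alerts, window=timedelta(minutes=10)):
    """Chain stages per attacker/victim pair. Each successive stage must
    follow the previous one within `window`."""
    scenarios = []
    for scan in (a for a in alerts if a["sig"] == STAGES[0]):
        attacker, victim = scan["src"], scan["dst"]
        chain, last = [scan], scan
        for stage in STAGES[1:]:
            # After compromise the victim host originates the C2 traffic.
            expect_src = victim if stage == "OUTBOUND_C2" else attacker
            nxt = next((a for a in alerts
                        if a["sig"] == stage and a["src"] == expect_src
                        and (stage == "OUTBOUND_C2" or a["dst"] == victim)
                        and timedelta(0) <= a["time"] - last["time"] <= window),
                       None)
            if nxt is None:
                break
            chain.append(nxt)
            last = nxt
        scenarios.append({"attacker": attacker, "victim": victim,
                          "stages": [a["sig"] for a in chain],
                          "raw_alerts": sum(a["count"] for a in chain)})
    return scenarios


if __name__ == "__main__":
    merged = aggregate(parse(ALERT_LINES))
    print(f"{len(ALERT_LINES)} raw alerts -> {len(merged)} after aggregation")
    for s in correlate(merged):
        print(s)
```

On the constructed input, six raw alerts become four aggregated ones (three portscan alerts from two sensors collapse into one with a count of 3), and correlation yields a complete three-stage scenario for 10.0.0.5 against 192.168.1.20 plus a lone scan from 10.0.0.7, which is exactly the kind of prioritisation signal an analyst wants from a correlation engine.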
Mirheidari, Seyed Ali, Arshad, Sajjad, Khoshkdahan, Saeidreza, Jalili, Rasool. A Comprehensive Approach to Abusing Locality in Shared Web Hosting Servers. Trust, Security and Privacy in Computing and Communications (TrustCom), 2013.
With the growth of network technology and the human need for social interaction, websites have become critically important, which leads to an increasing number of websites and servers. One popular solution for managing these large numbers of websites is shared web hosting, which decreases the overall cost of server maintenance. Despite its affordability, this solution is insecure and risky, as evidenced by the large number of defacements and attacks reported in recent years. In this paper, we introduce the ten most common attacks on shared web hosting servers, which occur because of the nature of these servers and their misconfiguration. Moreover, we present several simple scenarios that are capable of penetrating these kinds of servers even in the presence of several security mechanisms. Finally, we provide a comprehensive secure configuration for confronting these attacks.
Arshad, Sajjad, Naderi, Abbas. Comparison of Routing Protocols in Mobile Ad-Hoc Wireless Networks. Journal of AWERProcedia Information Technology and Computer Science, 2013.
Routing protocols for Mobile Ad-Hoc Wireless Networks face challenges such as continual topology variation, low transmission power and asymmetric connections. It has been shown that both proactive and reactive protocols are non-functional under these conditions. Zone Routing Protocol (ZRP) blends the benefits of proactive and reactive protocols, and each node keeps its zone topology up to date. In this work, the zone routing protocol is implemented and compared with proactive and reactive protocols, and the experimental results are presented.
Mirheidari, Seyed Ali, Arshad, Sajjad, Khoshkdahan, Saeidreza, Jalili, Rasool. Two Novel Server-Side Attacks against Log File in Shared Web Hosting Servers. International Conference on Internet Technology and Secured Transactions (ICITST), 2012.
Shared web hosting enables hosting a multitude of websites on a single powerful server. It is a well-known solution because many customers share the overall cost of server maintenance and website owners do not need to deal with administration issues. In this paper, we illustrate how shared web hosting works and demonstrate the security weaknesses that arise from the lack of proper isolation between different websites hosted on the same server. We exhibit two new server-side attacks against the log file whose objectives are revealing information about other hosted websites that is considered private and arranging other complex attacks. In the absence of isolated log files among websites, an attacker controlling one website can inspect and manipulate the contents of the log file. These attacks enable an attacker to disclose the file and directory structure of other websites and launch other sorts of attacks. Finally, we propose several countermeasures to secure shared web hosting servers against the two attacks.
Mirheidari, Seyed Ali, Arshad, Sajjad, Khoshkdahan, Saeidreza. Performance Evaluation of Shared Hosting Security Methods. Trust, Security and Privacy in Computing and Communications (TrustCom), 2012.
Shared hosting is a kind of web hosting in which multiple websites reside on one web server. It is cost-effective and makes administration easier for website owners. However, shared hosting has some performance and security issues. In the default shared hosting configuration, all websites’ scripts are executed under the web server’s user account regardless of their owners; therefore, a website is able to access other websites’ resources. This security problem arises from the lack of proper isolation between different websites hosted on the same web server. In this survey, we have examined different methods for handling this security issue, and we evaluated the performance of these methods under various configurations.
Arshad, Sajjad, Abbaspour, Maghsoud, Kharrazi, Mehdi, Sanatkar, Hooman. An Anomaly-based Botnet Detection Approach for Identifying Stealthy Botnets. International Conference on Computer Applications and Industrial Electronics (ICCAIE), 2011.
Botnets (networks of compromised computers) are often used for malicious activities such as spam, click fraud, identity theft, phishing, and distributed denial of service (DDoS) attacks. Most previous research has introduced fully or partially signature-based botnet detection approaches. In this paper, we propose a fully anomaly-based approach that requires no a priori knowledge of bot signatures, botnet C&C protocols, or C&C server addresses. We start from the inherent characteristics of botnets: bots connect to the C&C channel and execute the received commands, and bots belonging to the same botnet receive the same commands, which causes them to have similar netflow characteristics and to perform the same attacks. Our method clusters bots with similar netflows and attacks in different time windows and performs correlation to identify bot-infected hosts. We have developed a prototype system and evaluated it with real-world traces including normal traffic and several real-world botnet traces. The results show that our approach has high detection accuracy and a low false-positive rate.
Rahmani, Hossein, Arshad, Sajjad, Moghaddam, Mohsen Ebrahimi. A Disk Scheduling Algorithm Based on ANT Colony Optimization. ISCA Conference on Parallel and Distributed Computing and Communication Systems (PDCCS), 2009.
Audio, animations and video belong to a class of data known as delay-sensitive because they are sensitive to delays in presentation to users. Also, because such items involve huge amounts of data, the disk is an important device in managing them. To achieve acceptable presentation, disk request deadlines must be met, and a real-time scheduling approach should be used to guarantee the timing requirements of such environments. Several disk scheduling algorithms have been proposed so far to optimize the scheduling of real-time disk requests, but improving the results remains a challenge. In this paper, we propose a new disk scheduling method based on the Ant Colony Optimization (ACO) approach. In this approach, ACO models the tasks and finds the best sequence to minimize the number of missed tasks and maximize throughput. Experimental results showed that the proposed method worked very well and outperformed related methods in terms of miss ratio and throughput in most cases.