Karthika Subramani

I am a research scientist at the Georgia Institute of Technology, affiliated with the Astrolavos Lab. I earned my PhD in Computer Science from the University of Georgia, where I had the privilege of collaborating with Roberto Perdisci in his Network and Security Intelligence lab.

As a security researcher, I focus on investigating the security postures of Web and Network Technologies. In my doctoral and postdoctoral work at UGA and GTech, I have designed, built and evaluated systems that measure and detect large-scale abuse of well-established as well as newly developed web and network technologies. This often entails a holistic approach that integrates security expertise, data mining techniques, browser instrumentation, customized crawlers, and cutting-edge machine learning and deep learning methodologies.

news

May 21, 2024	Our paper titled “Characterizing and measuring in-the-wild CAPTCHA attacks” will be presented at IEEES&P’24.
May 16, 2024	Presenting our paper “Discovering and Measuring CDNs prone to Domain Fronting” at TheWebConf’24 in Singapore.
Jun 1, 2023	Program Committee Member for Annual Computer Security Applications Conference (ACSAC 2023)
Mar 17, 2023	Served as Judge of Poster Competition in Women in Cyber Security 2023(WiCyS 2023)
Feb 1, 2023	Program Committee Member for 4th Workshop of Designing Security for the Web(SecWeb 2023)

selected publications

IMC
When Push Comes to Ads: Measuring the Rise of (Malicious) Push Advertising

Karthika Subramani, Xingzi Yuan, Omid Setayeshfar, and 3 more authors

In Proceedings of the ACM Internet Measurement Conference, 2020

Abs Bib PDF

The rapid growth of online advertising has fueled the growth of ad-blocking software, such as new ad-blocking and privacy-oriented browsers or browser extensions. In response, both ad publishers and ad networks are constantly trying to pursue new strategies to keep up their revenues. To this end, ad networks have started to leverage the Web Push technology enabled by modern web browsers. As web push notifications (WPNs) are relatively new, their role in ad delivery has not yet been studied in depth. Furthermore, it is unclear to what extent WPN ads are being abused for malvertising (i.e., to deliver malicious ads). In this paper, we aim to fill this gap. Specifically, we propose a system called PushAdMiner that is dedicated to (1) automatically registering for and collecting a large number of web-based push notifications from publisher websites, (2) finding WPN-based ads among these notifications, and (3) discovering malicious WPN-based ad campaigns.Using PushAdMiner, we collected and analyzed 21,541 WPN messages by visiting thousands of different websites. Among these, our system identified 572 WPN ad campaigns, for a total of 5,143 WPN-based ads that were pushed by a variety of ad networks. Furthermore, we found that 51% of all WPN ads we collected are malicious, and that traditional ad-blockers and URL filters were mostly unable to block them, thus leaving a significant abuse vector unchecked.
@inproceedings{10.1145/3419394.3423631, author = {Subramani, Karthika and Yuan, Xingzi and Setayeshfar, Omid and Vadrevu, Phani and Lee, Kyu Hyung and Perdisci, Roberto}, title = {When Push Comes to Ads: Measuring the Rise of (Malicious) Push Advertising}, year = {2020}, isbn = {9781450381383}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3419394.3423631}, doi = {10.1145/3419394.3423631}, booktitle = {Proceedings of the ACM Internet Measurement Conference}, pages = {724–737}, numpages = {14}, location = {Virtual Event, USA}, series = {IMC '20}, }
IMC
PhishInPatterns: Measuring Elicited User Interactions at Scale on Phishing Websites

Karthika Subramani, William Melicher, Oleksii Starov, and 2 more authors

In Proceedings of the 22nd ACM Internet Measurement Conference, 2022

Abs Bib PDF

Despite phishing attacks and detection systems being extensively studied, phishing is still on the rise and has recently reached an all-time high. Attacks are becoming increasingly sophisticated, leveraging new web design patterns to add perceived legitimacy and, at the same time, evade state-of-the-art detectors and web security crawlers.In this paper, we study phishing attacks from a new angle, focusing on how modern phishing websites are designed. Specifically, we aim to better understand what type of user interactions are elicited by phishing websites and how their user experience (UX) and interface (UI) design patterns can help them accomplish two main goals: i) lend a sense of professionalism and legitimacy to the phishing website, and ii) contribute to evading phishing detectors and web security crawlers. To study phishing at scale, we built an intelligent crawler that combines browser automation with machine learning methods to simulate user interactions with phishing pages and explore their UX and UI characteristics. Using our novel methodology, we explore more than 50,000 phishing websites and make the following new observations: i) modern phishing sites often impersonate a brand (e.g., Microsoft Office), but surprisingly, without necessarily cloning or closely mimicking the design of the corresponding legitimate website; ii) they often elicit personal information using a multi-step (or multi-page) process, to mimic users’ experience on legitimate sites; iii) they embed modern user verification systems (including CAPTCHAs); and ironically, iv) they sometimes conclude the phishing experience by reassuring the user that their private data was not stolen. We believe our findings can help the community gain a more in-depth understanding of how web-based phishing attacks work from a users’ perspective and can be used to inform the development of more accurate and robust phishing detectors.
@inproceedings{10.1145/3517745.3561467, author = {Subramani, Karthika and Melicher, William and Starov, Oleksii and Vadrevu, Phani and Perdisci, Roberto}, title = {PhishInPatterns: Measuring Elicited User Interactions at Scale on Phishing Websites}, year = {2022}, isbn = {9781450392594}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3517745.3561467}, doi = {10.1145/3517745.3561467}, booktitle = {Proceedings of the 22nd ACM Internet Measurement Conference}, pages = {589–604}, numpages = {16}, keywords = {neural networks, captcha, user experience, phishing, crawler}, location = {Nice, France}, series = {IMC '22}, }
DIMVA
Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs

Karthika Subramani, Roberto Perdisci, and Maria Konte

In Detection of Intrusions and Malware, and Vulnerability Assessment: 18th International Conference, DIMVA 2021, Virtual Event, July 14–16, 2021, Proceedings, 2021

Abs Bib PDF

Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3 Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3 Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated.In this paper, we measure in-the-wild DRDoS attacks as observed from a large Internet exchange point (IXP) and provide a number of security-relevant insights. To enable our measurements, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that provides both peering and upstream Internet connectivity services to more than 20 research and education (R&E) networks in the South-East United States. In a period of about 21 months, IXmon detected more than 900 DRDoS attacks towards 31 different victim ASes. An analysis of the real-world DRDoS attacks detected by our system shows that most DRDoS attacks are short lived, lasting only a few minutes, but that large-volume, long-lasting, and highly-distributed attacks against R&E networks are not uncommon. We then use the results of our analysis to discuss possible attack mitigation approaches that can be deployed at the IXP level, before the attack traffic overwhelms the victim’s network bandwidth.
@inproceedings{10.1007/978-3-030-80825-9_3, author = {Subramani, Karthika and Perdisci, Roberto and Konte, Maria}, title = {Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs}, year = {2021}, isbn = {978-3-030-80824-2}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, url = {https://doi.org/10.1007/978-3-030-80825-9_3}, doi = {10.1007/978-3-030-80825-9_3}, booktitle = {Detection of Intrusions and Malware, and Vulnerability Assessment: 18th International Conference, DIMVA 2021, Virtual Event, July 14–16, 2021, Proceedings}, pages = {42–67}, numpages = {26}, keywords = {IXP, DDoS attack, Traffic analysis, DRDoS attack}, }

EUROSP

SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations

Karthika Subramani, Jordan Jueckstock, Alexandros Kapravelos, and 1 more author

In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), 2022

Bib PDF

@inproceedings{9797352,
  author = {Subramani, Karthika and Jueckstock, Jordan and Kapravelos, Alexandros and Perdisci, Roberto},
  booktitle = {2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)},
  title = {SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations},
  year = {2022},
  volume = {},
  number = {},
  pages = {555-571},
  doi = {10.1109/EuroSP53844.2022.00041},
}