I’m a research scientist at Georgia Institute of Technology, where I am affiliated with Astrolavos Lab. My research interests lie at the intersection of usable web security, web attacks and defenses, network attacks and defenses, and machine learning. I hold a PhD in Computer Science from the University of Georgia, where I had the opportunity to work with Roberto Perdisci in his lab, Network and Security Intelligence. My goal is to drive my passion for this field to make cybersecurity more accessible and user-friendly.
The rapid growth of online advertising has fueled the growth of ad-blocking software, such as new ad-blocking and privacy-oriented browsers or browser extensions. In response, both ad publishers and ad networks are constantly trying to pursue new strategies to keep up their revenues. To this end, ad networks have started to leverage the Web Push technology enabled by modern web browsers. As web push notifications (WPNs) are relatively new, their role in ad delivery has not yet been studied in depth. Furthermore, it is unclear to what extent WPN ads are being abused for malvertising (i.e., to deliver malicious ads). In this paper, we aim to fill this gap. Specifically, we propose a system called PushAdMiner that is dedicated to (1) automatically registering for and collecting a large number of web-based push notifications from publisher websites, (2) finding WPN-based ads among these notifications, and (3) discovering malicious WPN-based ad campaigns. Using PushAdMiner, we collected and analyzed 21,541 WPN messages by visiting thousands of different websites. Among these, our system identified 572 WPN ad campaigns, for a total of 5,143 WPN-based ads that were pushed by a variety of ad networks. Furthermore, we found that 51% of all WPN ads we collected are malicious, and that traditional ad-blockers and URL filters were mostly unable to block them, thus leaving a significant abuse vector unchecked.
@inproceedings{10.1145/3419394.3423631,
  author    = {Subramani, Karthika and Yuan, Xingzi and Setayeshfar, Omid and Vadrevu, Phani and Lee, Kyu Hyung and Perdisci, Roberto},
  title     = {When Push Comes to Ads: Measuring the Rise of (Malicious) Push Advertising},
  year      = {2020},
  isbn      = {9781450381383},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  url       = {https://doi.org/10.1145/3419394.3423631},
  doi       = {10.1145/3419394.3423631},
  booktitle = {Proceedings of the ACM Internet Measurement Conference},
  pages     = {724–737},
  numpages  = {14},
  location  = {Virtual Event, USA},
  series    = {IMC '20},
}
IMC
PhishInPatterns: Measuring Elicited User Interactions at Scale on Phishing Websites
Karthika Subramani, William Melicher, Oleksii Starov, and 2 more authors
In Proceedings of the 22nd ACM Internet Measurement Conference, 2022
Despite phishing attacks and detection systems being extensively studied, phishing is still on the rise and has recently reached an all-time high. Attacks are becoming increasingly sophisticated, leveraging new web design patterns to add perceived legitimacy and, at the same time, evade state-of-the-art detectors and web security crawlers. In this paper, we study phishing attacks from a new angle, focusing on how modern phishing websites are designed. Specifically, we aim to better understand what type of user interactions are elicited by phishing websites and how their user experience (UX) and interface (UI) design patterns can help them accomplish two main goals: i) lend a sense of professionalism and legitimacy to the phishing website, and ii) contribute to evading phishing detectors and web security crawlers. To study phishing at scale, we built an intelligent crawler that combines browser automation with machine learning methods to simulate user interactions with phishing pages and explore their UX and UI characteristics. Using our novel methodology, we explore more than 50,000 phishing websites and make the following new observations: i) modern phishing sites often impersonate a brand (e.g., Microsoft Office), but surprisingly, without necessarily cloning or closely mimicking the design of the corresponding legitimate website; ii) they often elicit personal information using a multi-step (or multi-page) process, to mimic users’ experience on legitimate sites; iii) they embed modern user verification systems (including CAPTCHAs); and ironically, iv) they sometimes conclude the phishing experience by reassuring the user that their private data was not stolen. We believe our findings can help the community gain a more in-depth understanding of how web-based phishing attacks work from a user’s perspective and can be used to inform the development of more accurate and robust phishing detectors.
@inproceedings{10.1145/3517745.3561467,
  author    = {Subramani, Karthika and Melicher, William and Starov, Oleksii and Vadrevu, Phani and Perdisci, Roberto},
  title     = {PhishInPatterns: Measuring Elicited User Interactions at Scale on Phishing Websites},
  year      = {2022},
  isbn      = {9781450392594},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  url       = {https://doi.org/10.1145/3517745.3561467},
  doi       = {10.1145/3517745.3561467},
  booktitle = {Proceedings of the 22nd ACM Internet Measurement Conference},
  pages     = {589–604},
  numpages  = {16},
  keywords  = {neural networks, captcha, user experience, phishing, crawler},
  location  = {Nice, France},
  series    = {IMC '22},
}
DIMVA
Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs
Karthika Subramani, Roberto Perdisci, and Maria Konte
In Detection of Intrusions and Malware, and Vulnerability Assessment: 18th International Conference, DIMVA 2021, Virtual Event, July 14–16, 2021, Proceedings, 2021
Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3 Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3 Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated. In this paper, we measure in-the-wild DRDoS attacks as observed from a large Internet exchange point (IXP) and provide a number of security-relevant insights. To enable our measurements, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that provides both peering and upstream Internet connectivity services to more than 20 research and education (R&E) networks in the South-East United States. In a period of about 21 months, IXmon detected more than 900 DRDoS attacks towards 31 different victim ASes. An analysis of the real-world DRDoS attacks detected by our system shows that most DRDoS attacks are short-lived, lasting only a few minutes, but that large-volume, long-lasting, and highly-distributed attacks against R&E networks are not uncommon. We then use the results of our analysis to discuss possible attack mitigation approaches that can be deployed at the IXP level, before the attack traffic overwhelms the victim’s network bandwidth.
@inproceedings{10.1007/978-3-030-80825-9_3,
  author    = {Subramani, Karthika and Perdisci, Roberto and Konte, Maria},
  title     = {Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs},
  year      = {2021},
  isbn      = {978-3-030-80824-2},
  publisher = {Springer-Verlag},
  address   = {Berlin, Heidelberg},
  url       = {https://doi.org/10.1007/978-3-030-80825-9_3},
  doi       = {10.1007/978-3-030-80825-9_3},
  booktitle = {Detection of Intrusions and Malware, and Vulnerability Assessment: 18th International Conference, DIMVA 2021, Virtual Event, July 14–16, 2021, Proceedings},
  pages     = {42–67},
  numpages  = {26},
  keywords  = {IXP, DDoS attack, Traffic analysis, DRDoS attack},
}
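As an added illustration of the flow-level detection the abstract describes (this is not IXmon's code), the following Python sketch groups UDP flows that arrive from well-known reflector source ports by victim and flags fan-in from many distinct reflectors with a large byte volume. The flow records, the thresholds, and the reflector ports other than memcached (11211) and CLDAP (389) are constructed assumptions.

```python
from collections import defaultdict

# Reflector services keyed by their UDP port. memcached and CLDAP are the two
# the abstract names; the rest are assumed common amplifiers for illustration.
REFLECTOR_PORTS = {11211: "memcached", 389: "cldap", 53: "dns", 123: "ntp", 1900: "ssdp"}

# Assumed detection thresholds per aggregation window.
MIN_REFLECTORS = 5        # distinct reflector sources hitting one victim
MIN_BYTES = 1_000_000     # total reflected bytes toward that victim


def detect_drdos(flows, min_reflectors=MIN_REFLECTORS, min_bytes=MIN_BYTES):
    """Group UDP flows by (victim, reflector service); alert when a group fans
    in from many reflectors and carries a large volume. Returns alerts sorted
    by bytes, largest first."""
    groups = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        # Only reflected traffic: UDP with a well-known amplifier source port.
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        g = groups[(f["dst"], REFLECTOR_PORTS[f["sport"]])]
        g["reflectors"].add(f["src"])
        g["bytes"] += f["bytes"]
        g["packets"] += f["packets"]
    alerts = []
    for (victim, service), g in groups.items():
        if len(g["reflectors"]) >= min_reflectors and g["bytes"] >= min_bytes:
            alerts.append({"victim": victim, "service": service,
                           "reflectors": len(g["reflectors"]), "bytes": g["bytes"],
                           # Large average packet size is typical of amplified replies.
                           "avg_pkt_size": g["bytes"] // max(g["packets"], 1)})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


def sample_flows():
    """Constructed sample: eight memcached reflectors flood 203.0.113.10,
    plus one benign DNS reply to a different host (documentation IP ranges)."""
    flows = [{"src": f"198.51.100.{i}", "sport": 11211, "dst": "203.0.113.10",
              "dport": 40000 + i, "proto": "udp", "bytes": 1_400_000, "packets": 1000}
             for i in range(1, 9)]
    flows.append({"src": "192.0.2.53", "sport": 53, "dst": "203.0.113.20",
                  "dport": 51234, "proto": "udp", "bytes": 512, "packets": 2})
    return flows


if __name__ == "__main__":
    for alert in detect_drdos(sample_flows()):
        print(alert)
```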
EUROSP
SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations
Karthika Subramani, Jordan Jueckstock, Alexandros Kapravelos, and 1 more author
In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), 2022
@inproceedings{9797352,
  author    = {Subramani, Karthika and Jueckstock, Jordan and Kapravelos, Alexandros and Perdisci, Roberto},
  booktitle = {2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)},
  title     = {SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations},
  year      = {2022},
  volume    = {},
  number    = {},
  pages     = {555-571},
  doi       = {10.1109/EuroSP53844.2022.00041},
}