Leyla Bilge

Leyla Bilge is technical director and leads the branch of the research team that is based in Europe. She obtained her Ph.D. in December 2011 from Eurecom, which is based in the south of France. Her research interests embrace most computer security problems, with a special focus on DNS-based malware detection systems, malware analysis, reverse engineering, big data analysis and cyber risk predictive analytics. She conducts large-scale data analysis on security data feeds to find novel malware detection systems and discover unrevealed facts about cyber threats. She worked on the development of a malicious domain detection system which performs passive DNS analysis on big collections of DNS data produced by real users. In addition, she was involved in the World Wide Intelligence Network Environment (WINE) project. Currently, she is focusing on developing risk assessment and risk prediction methodologies that could be useful for enhancing the security of organizations and individuals by introducing proactive security elements to the ecosystem.

Selected Academic Papers

  • Can I Opt Out Yet? GDPR and the Global Illusion of Cookie Control
    Iskander Sanchez-Rola, Matteo Dell'Amico, Platon Kotzias, Davide Balzarotti, Leyla Bilge, Pierre-Antoine Vervier
    To appear at the 14th ACM Asia Conference on Computer and Communications Security (ACM ASIACCS 2019)

    We evaluate both the information presented to users and the actual tracking implemented through cookies; we find that the GDPR has impacted website behavior in a truly global way, both directly and indirectly. On the other hand, we find that tracking remains ubiquitous.

  • Spearphishing Malware: Do we really know the unknown?
    Yanko Baychev and Leyla Bilge
    In Proceedings of the 15th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2018)

  • RiskTeller: Predicting the Risk of Cyber Incidents
    Leyla Bilge, Yufei Han, Matteo Dell'Amico
    In Proceedings of the 24th ACM Conference on Computer and Communications Security (ACM SIGSAC 2017)

    We present a system, RiskTeller, that can predict to-be-infected machines in an enterprise environment.

  • Lean On Me: Mining Internet Service Dependencies From Large-Scale DNS Data
    Matteo Dell'Amico, Leyla Bilge, Ashwin Kayyoor, Petros Efstathopoulos, Pierre-Antoine Vervier
    In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017)

    To assess the security risk for a given entity, and motivated by the effects of recent service disruptions, we perform a large-scale analysis of passive and active DNS datasets including more than 2.5 trillion queries in order to discover the dependencies between websites and Internet services.

  • Measuring PUP Prevalence and PUP Distribution through Pay-Per-Install Services
    Platon Kotzias, Leyla Bilge, Juan Caballero
    In Proceedings of the 25th USENIX Security Symposium (USENIX Security 2019)

    We perform the first systematic study of PUP prevalence and its distribution through pay-per-install (PPI) services, which link advertisers that want to promote their programs with affiliate publishers willing to bundle their programs with offers for other software.

  • Are You at Risk? Profiling Organizations and Individuals Subject to Targeted Attacks
    Olivier Thonnard, Leyla Bilge, Anand Kashyap, Martin Lee
    In Proceedings of the 19th International Conference on Financial Cryptography and Data Security (FC 2015)

    Considering the taxonomy of Standard Industry Classification (SIC) codes, the organization sizes and the public profiles of individuals as potential risk factors, we design case-control studies to calculate odds ratios reflecting the degree of association between the identified risk factors and the receipt of a targeted attack.

  • Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks
    Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, Engin Kirda
    In Proceedings of the 12th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2015)

    We present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014.

  • Needles in a haystack: mining information from public dynamic analysis sandboxes for malware intelligence
    Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi, Davide Balzarotti
    In Proceedings of the 24th USENIX Security Symposium (USENIX Security 2015)

    We propose a novel methodology to automatically identify malware development cases.

  • The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching
    Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, Tudor Dumitras
    In Proceedings of the 36th IEEE Symposium on Security and Privacy (SP '15)

    We present the first systematic study of patch deployment in client-side vulnerabilities.

  • The Dropper Effect: Insights into Malware Distribution with Downloader Graph Analytics
    Bum Jun Kwon, Jayanta Mondal, Jiyong Jang, Leyla Bilge, Tudor Dumitras
    In Proceedings of the 22nd ACM Conference on Computer and Communications Security (ACM SIGSAC 2015)

    We introduce the downloader-graph abstraction, which captures the download activity on end hosts, and we explore the growth patterns of benign and malicious graphs.