Leyla Bilge

Head of NRG Europe

Leyla Bilge is technical director and leads the branch of the research team that resides in Europe.

She obtained her Ph.D. in December 2011 from Eurecom, which is based in the south of France. Her research interests embrace most computer security problems, with a special focus on DNS-based malware detection systems, malware analysis, reverse engineering, big data analysis and cyber risk predictive analytics. She conducts large-scale data analysis on security data feeds to find novel malware detection systems and discover unrevealed facts about cyber threats.

She worked on the development of a malicious domain detection system that performs passive DNS analysis on large collections of DNS data produced by real users. In addition, she was involved in the World Wide Intelligence Network Environment (WINE) project. Currently, she is focusing on developing risk assessment and risk prediction methodologies that could be useful for enhancing the security of organizations and individuals by introducing proactive security elements to the ecosystem.

Selected Academic Papers

When Sally Met Trackers: Web Tracking From the Users' Perspective

In Proceedings of the 31st USENIX Security Symposium (USENIX Security 2022).

SoK: Cyber Insurance - Technical Challenges and a System Security Roadmap

In Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P 2020)
This paper looks at past research conducted in the area of cyber insurance and classifies previous studies into four different areas. Then it identifies a group of practical research problems where security experts could help the cyber insurance domain.

How Did That Get In My Phone? Unwanted App Distribution on Android Devices

In Proceedings of the 42nd IEEE Symposium on Security and Privacy (S&P 2021)

The Tangled Genealogy of IoT Malware

In Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC 2020)

Journey to the Center of the Cookie Ecosystem: Unraveling Actors' Roles and Relationships

In Proceedings of the 42nd IEEE Symposium on Security and Privacy (S&P 2021)
Our analysis lets us paint a highly detailed picture of the cookie ecosystem, discovering an intricate network of connections between players that reciprocally exchange information and include each other's content in web pages whose owners may not even be aware.

Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World

In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ‘12)
We describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world.

Spearphishing Malware: Do we really know the unknown?

In Proceedings of the 15th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2018)

DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis

In Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC ’12)
We present Disclosure, a large-scale, wide-area botnet detection system that incorporates a combination of novel techniques analysing netflow data.

The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching

In Proceedings of the 36th IEEE Symposium on Security and Privacy (SP ‘15)

On the Effectiveness of Risk Prediction Based on Users Browsing Behavior

In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS '14)
We present a comprehensive study on the effectiveness of risk prediction based only on the web browsing behavior of users.

Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks

In Proceedings of the 12th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2015)
We present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014.

Needles in a haystack: mining information from public dynamic analysis sandboxes for malware intelligence

In Proceedings of the 24th USENIX Security Symposium (USENIX Security 2015)
We propose a novel methodology to automatically identify malware development cases.

Industrial Espionage and Targeted Attacks: Understanding the Characteristics of an Escalating Threat

In Proceedings of the 15th International Workshop on Recent Advances in Intrusion Detection (RAID 2012)
We provide an in-depth analysis of a large corpus of targeted attacks identified by Symantec during the year 2011.

RiskTeller: Predicting the Risk of Cyber Incidents

In Proceedings of the 24th ACM Conference on Computer and Communications Security (ACM SIGSAC 2017)

Are You at Risk? Profiling Organizations and Individuals Subject to Targeted Attacks

In Proceedings of the 19th International Conference on Financial Cryptography and Data Security (FC 2015)
Considering the taxonomy of Standard Industry Classification (SIC) codes, the organization sizes and the public profiles of individuals as potential risk factors, we design case-control studies to calculate odds ratios reflecting the degree of association between the identified risk factors and the receipt of targeted attack.

The Dropper Effect: Insights into Malware Distribution with Downloader Graph Analytics

In Proceedings of the 22nd ACM Conference on Computer and Communications Security (ACM SIGSAC 2015)
We introduce the downloader-graph abstraction, which captures the download activity on end hosts, and we explore the growth patterns of benign and malicious graphs.

Measuring PUP Prevalence and PUP Distribution through Pay-Per-Install Services

In Proceedings of the 25th USENIX Security Symposium (USENIX Security 2019)
We perform the first systematic study of PUP prevalence and its distribution through pay-per-install (PPI) services, which link advertisers that want to promote their programs with affiliate publishers willing to bundle their programs with offers for other software.

Lean On Me: Mining Internet Service Dependencies From Large-Scale DNS Data

In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017)
To assess the security risk for a given entity, and motivated by the effects of recent service disruptions, we perform a large-scale analysis of passive and active DNS datasets including more than 2.5 trillion queries in order to discover the dependencies between websites and Internet services.

EXPOSURE: a Passive DNS Analysis Service to Detect and Report Malicious Domains

ACM Transactions on Information and System Security (TISSEC) (Volume 16 Issue 4, April 2014)
We present an extended version of Exposure and the experimental results on 17 months of its deployment on real data.