Prof. Dr. Konrad Rieck
Institute of Computer Science
University of Göttingen
Goldschmidtstraße 7
37077 Göttingen, Germany
Konrad Rieck
Phone: +49 551 39-172000
Email: (PGP key)

About me

I am a junior professor at the University of Göttingen, where I am heading the Computer Security Group. Prior to taking this position, I have been working at Technische Universität Berlin and Fraunhofer Institute FIRST. I am a recipient of the CAST/GI Dissertation Award for Computer Security and received a Google Faculty Research Award in 2014.

My research interests revolve around computer security and machine learning. This includes the detection of computer attacks, the analysis of malicious software, and the discovery of vulnerabilities. I am also interested in efficient algorithms for analyzing structured data, such as sequences, trees and graphs

I am very happy to work with a group of bright and passionate PhD students: Fabian Yamaguchi, Daniel Arp, Christian Wressnegger, and Hugo Gascon.

My Erdős number is 3 (Müller → Jagota → Erdős). My Bacon number is ∞, though

Selected Publications

  • Modeling and Discovering Vulnerabilities with Code Property Graphs.

    Fabian Yamaguchi, Nico Golde, Daniel Arp, and Konrad Rieck.

    Proc. of 35th IEEE Symposium on Security and Privacy (S&P), May 2014.
    abstract abstractpdf pdf

    The vast majority of security breaches encountered today are a direct result of insecure code. Consequently, the protection of computer systems critically depends on the rigorous identification of vulnerabilities in software, a tedious and error-prone process requiring significant expertise. Unfortunately, a single flaw suffices to undermine the security of a system and thus the sheer amount of code to audit plays into the attacker's cards. In this paper, we present a method for effectively mining large amounts of source code for vulnerabilities. To this end, we introduce a novel representation of source code called a code property graph that merges concepts of classic program analysis, namely abstract syntax trees, control flow graphs and program dependence graphs, into a joint data structure. This comprehensive representation enables us to elegantly model templates for common vulnerabilities with graph traversals that, for instance, can identify buffer overflows, integer overflows, format string vulnerabilities, or memory disclosures. We implement our approach using a popular graph database and demonstrate its efficacy by identifying 18 previously unknown vulnerabilities in the source code of the Linux kernel.

  • Drebin: Efficient and Explainable Detection of Android Malware in Your Pocket.

    Daniel Arp, Michael Spreitzenbarth, Malte Hübner, Hugo Gascon, and Konrad Rieck.

    Proc. of 17th Network and Distributed System Security Symposium (NDSS), February 2014.
    abstract abstractpdf pdf

    Malicious applications pose a threat to the security of the Android platform. The growing amount and diversity of these applications render conventional defenses largely ineffective and Android smartphones often remain unprotected from novel malware. In this paper, we propose Drebin, a lightweight method for detection of Android malware that enables identifying malicious applications directly on the smartphone. As the limited resources impede monitoring applications at run-time, Drebin performs a broad static analysis, gathering as many features of an application as possible. These features are embedded in a joint vector space, such that typical patterns indicative for malware can be automatically identified and used for explaining the decisions of our method. In an evaluation with 123,453 applications and 5,560 malware samples Drebin outperforms several related approaches and detects 94% of the malware with few false alarms, where the explanations provided for each detection reveal relevant properties of the detected malware. On five popular smartphones, the method requires 10 seconds for an analysis on average, rendering it suitable for checking downloaded applications directly on the device.

  • Structural Detection of Android Malware using Embedded Call Graphs.

    Hugo Gascon, Fabian Yamaguchi, Daniel Arp, and Konrad Rieck.

    Proc. of 5th ACM Workshop on Artificial Intelligence and Security (AISEC), 45–54, November 2013.
    abstract abstractpdf pdf

    The number of malicious applications targeting the Android system has literally exploded in recent years. While the security community, well aware of this fact, has proposed several methods for detection of Android malware, most of these are based on permission and API usage or the identification of expert features. Unfortunately, many of these approaches are susceptible to instruction level obfuscation techniques. Previous research on classic desktop malware has shown that certain high level characteristics of the code, such as function call graphs, can be used to find similarities between samples while being more robust against certain obfuscation strategies. However, the identification of similarities in graphs is a non-trivial problem whose complexity hinders the use of these features for malware detection. In this paper, we explore how recent developments in machine learning classification of graphs can be efficiently applied to this problem. We propose a method for malware detection based on efficient embeddings of function call graphs with an explicit feature map inspired by a linear-time graph kernel. In an evaluation with 12,158 malware samples our method, purely based on structural features, outperforms several related approaches and detects 89% of the malware with few false alarms, while also allowing to pin-point malicious code structures within Android applications.

  • Deobfuscating Embedded Malware using Probable-Plaintext Attacks.

    Christian Wressnegger, Frank Boldewin, and Konrad Rieck.

    Proc. of 15th Symposium on Research in Attacks, Intrusions, and Defenses (RAID), 164–183, October 2013.
    abstract abstractpdf pdf

    Malware embedded in documents is regularly used as part of targeted attacks. To hinder a detection by anti-virus scanners, the embedded code is usually obfuscated, often with simple Vigenere ciphers based on XOR, ADD and additional ROL instructions. While for short keys these ciphers can be easily cracked, breaking obfuscations with longer keys requires manually reverse engineering the code or dynamically analyzing the documents in a sandbox. In this paper, we present KANDI, a method capable of efficiently decrypting embedded malware obfuscated using Vignere ciphers. To this end, our method performs a probable-plaintext attack from classic cryptography using strings likely contained in malware binaries, such as header signatures, library names and code fragments. We demonstrate the efficacy of this approach in different experiments. In a controlled setting, KANDI breaks obfuscations using XOR, ADD and ROL instructions with keys up to 13 bytes in less than a second per file. On a collection of real-world malware in Word, Powerpoint and RTF files, KANDI is able to deobfuscate every fourth document and exposes the contained malware binary.

See all publications.

Professional Activities

Editorial board of the Journal of Machine Learning Research (JMLR)
Guest editor of the special issue "Threat Detection, Analysis and Defense" in JISA
Steering committee of the GI SIG Intrusion Detection and Response (SIDAR)
Steering committee of the Conference on Detection of Intrusions and Malware (DIMVA)
Associate Member of the EU Network of Excellence SYSSEC

Conference and Workshop Organization
Program chair of the 10th Conference on Detection of Intrusions and Malware (DIMVA 2013)
General chair of the 6th European Conference on Computer Network Defense (EC2ND 2010)
Local organization of GI Graduate Workshop on Reactive Security (SPRING 2006)

Recent PC Memberships

Reviewing for Journals

Whenever Possible
I am a member of "Verband der krawattenlosen Wissensträger" (VDKW)

See all community services.