Platon Kotzias, a former researcher at the IMDEA Software Institute, defended his thesis, “A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics”, in 2019, directed by Associate Professor Juan Caballero. Today he works at NortonLifeLock on a wide range of system security topics, including malware detection on Android and Windows, the application of AI to security topics, and network security.
This month the UPM has decided the two winners of the Extraordinary Award, and Platon’s thesis is one of them. In it, he investigates how Potentially Unwanted Programs (PUP) can pose significant risks to users’ security and privacy. In particular, he analyzed PUP abuse, prevalence, distribution, and economics in both breadth and depth.
His PhD shed light on various unknown facets of PUP that affected millions of Internet users. His work has been published in top-tier security conferences like Usenix Security, ACM CCS, IEEE Security & Privacy, and NDSS Symposium.
The four contributions of the thesis
Platon Kotzias performed a systematic study of the abuse of Windows Authenticode code signing by PUP and malware. He built an infrastructure that classifies potentially malicious samples as PUP or malware and used it to evaluate 356K samples. He also evaluated the efficacy of Certification Authority (CA) defenses such as identity checks and revocation. CA revocations were equally low for both malware and PUP, so he concludes that current CA defenses are largely ineffective for PUP.
He measured the prevalence of unwanted software on real consumer hosts using telemetry from 3.9 million hosts. He found PUP installed on 54% of the hosts in the dataset. He also analyzed the commercial pay-per-install (PPI) service ecosystem, showing that commercial PPI services play a major role in the distribution of PUP.
In his thesis, Platon performed an analysis of enterprise security and measured the prevalence of both malware and PUP on real enterprise hosts. He used AV telemetry collected from 28K enterprises and 67 industry sectors with over 82M client hosts. Almost all enterprises, despite their different security postures, encounter some malware or PUP in a three-year period.
Lastly, he performed an analysis of PUP economics. He proposed a novel technique for performing PUP attribution. He then used it to identify the entities behind three large Spanish-based PUP operations and to measure the profitability of the companies they operate. The analysis showed that in each operation a small number of people manages a large number of companies, and that the majority of them are shell companies. In the period 2013–2015, the three operations had a total revenue of 202.5M euros and a net income of 23M euros. Finally, he observed a sharp decrease in both revenue and income for all three operations starting mid-2014. He concludes that improved PUP defenses deployed by various software and security vendors had a significant impact on the PPI market.