Research Projects:

Reverse Engineering Mobile Applications:

Designed effective solutions to solve a series of reverse engineering challenges (e.g., packing, code obfuscation, anti-debug, anti-emulator, etc.) on mobile platforms.

  • Trace-based Function Similarity Mapping for Reversing Mobile Binaries: Detecting code similarity at the binary level has been applied to a broad range of software security applications and reverse engineering tasks, including patch analysis, vulnerability assessment, code plagiarism detection, and malware analysis. In this work, we designed a trace-based function mapping system that detects function similarity at the binary level across different optimization options and obfuscation levels on mobile platforms.

    Our trace-based approach captures various runtime behavior features (e.g., memory accesses, library calls, system calls, etc.) through multi-layer monitoring via enhanced dynamic instrumentation and symbolic execution, then characterizes functions with the collected behaviors and performs function matching via different machine learning models. We conducted experiments on real-world examples, ranging from popular mobile frameworks to top-ranked mobile applications.

  • Android Packer Analysis: Android packing is a novel technique that implements complex code hiding approaches against reverse engineering. In this project, we designed an automatic analysis platform that provides a comprehensive view of packed Android applications' behavior by conducting multi-level monitoring and information flow tracking. The main analysis part is based on Android source code instrumentation, and we have released the complete source code at [GitHub].

    • Bytecode level analysis: instruments both the Android Runtime (ART) and the Dalvik Virtual Machine (DVM) to extract the hidden class information during the app's execution, and then reassembles the original DEX files that were hidden by the packer.

    • Native code level analysis: monitors the execution of native components in packed Android apps. This monitoring can be used to reveal the behavior of a packer. The frameworks include system call monitoring, Native-to-Java communication monitoring through JNI tracing, library call monitoring (libc tracing), and IPC transaction monitoring through binder.

  • Publications:

    • Liao, Yibin, Ruoyan Cai, Guodong Zhu, Yue Yin and Kang Li. "MobileFindr: Function Similarity Identification for Reversing Mobile Binaries." ESORICS (2018). [Paper] [Slides]

    • Liao, Yibin, Jiakuan Li, Bo Li, Guodong Zhu, Yue Yin and Ruoyan Cai. "Automated Detection and Classification for Packed Android Applications." 2016 IEEE International Conference on Mobile Services (MS) (2016). [Paper] [Slides]

Detecting Virtualization Bugs:

This project is to design software tools that can automatically detect flaws in virtual device implementations such as QEMU. We investigated how to systematically test a virtual hardware implementation in QEMU, and extended the symbolic execution software package (KLEE) so that it automatically generates test case inputs, each of which covers a unique execution path of the virtual hardware devices.

  • Publication: Guodong Zhu, Kang Li, and Yibin Liao. "Toward Automatically Deducing Key Device States for the Live Migration of Virtual Machines". IEEE International Conference on Cloud Computing, 2015. [Paper]

Virtual Appliance Detection:

A virtual appliance is a virtual machine built to run a specific application. The project is about how to detect virtual appliance environments with scripts and binaries.

  • The purpose of the detection is to evade those defense methods that are based on virtual machines. In this project, we covered the techniques that detect different virtualization models, from popular virtual machines such as KVM/QEMU, VMware, and XEN, to lightweight bare-metal hypervisors, such as ESX.

  • We also covered different detection techniques, from using native code such as WebGL, JavaScript, and ActiveX to device fingerprinting.

PE-Header-Based Antivirus Tool:

In this project, I have developed a PE-Header-based antivirus tool for malware detection. This tool contains a web crawler, a downloader, a PE header parser, and an Icon parser, which are all written in Python.
[Report][Presentation Slides][Code]

  • In this project, I have evaluated this tool on a large dataset which contains 5598 malware samples and 1237 legitimate samples. The result shows that the PE-Header-based antivirus tool achieves a detection rate of more than 99% with a false positive rate of less than 0.2% for distinguishing between benign and malicious executables, in less than 20 minutes.
  • I have also found the 3 most prevalent icons from malware that are seldom seen in legitimate PE files, and 8 types of misleading icons used by malware.
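As an added illustration of the kind of PE header parsing such a tool relies on (example code written for this page, not the project's own parser), the block below reads the DOS header, COFF file header, optional header and section table with the standard library only, and derives a few header-based indicators of packing. The indicator set and the sample image are assumptions constructed for the demo, not the feature set the evaluation above used.

```python
import struct

# Section characteristic bits from the PE specification.
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe_header(data: bytes) -> dict:
    """Parse DOS header, COFF header, optional header and section table of a PE file."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):                                      # 40-byte section headers
        name, vsize, vaddr, rsize, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "flags": flags})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "entry_point": entry, "sections": sections}

def header_features(pe: dict) -> dict:
    """Header-derived packing indicators (assumed examples, not the tool's feature set)."""
    ep = pe["entry_point"]
    ep_sec = next((s["name"] for s in pe["sections"]
                   if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    wx = SCN_MEM_EXECUTE | SCN_MEM_WRITE
    return {
        "entry_section": ep_sec,
        # An entry point outside .text/CODE is common in packed or patched binaries.
        "entry_outside_code": ep_sec not in (".text", "CODE"),
        # Writable and executable sections are where unpacking stubs decompress code.
        "has_wx_section": any(s["flags"] & wx == wx for s in pe["sections"]),
        # A section with no bytes on disk but space in memory is filled at runtime.
        "has_empty_raw_section": any(s["rsize"] == 0 and s["vsize"] > 0 for s in pe["sections"]),
    }

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (headers only, not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                     # entry point in second section
    sec = lambda n, vs, va, rs, fl: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0x400, 0, 0, 0, 0, fl)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x100, 0x1000, 0x200, 0x60000020)   # read + execute code
            + sec(b".packed", 0x1000, 0x2000, 0, 0xE0000040))   # read + write + execute, no raw data
```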

Pre-computed Clustering for Movie Recommendation System in Real Time:

In this project, we presented a novel idea that applies machine learning techniques to cluster movies using a distance matrix computed from movie features, and then makes movie recommendations in real time. We implemented several clustering methods and evaluated their performance on a real movie forum website owned by one of our authors. This idea can also be used in other types of recommendation systems, such as music, news, and articles.

  • Publication: Bo Li, Yibin Liao, and Zheng Qin. "Precomputed Clustering for Movie Recommendation System in Real Time". Journal of Applied Mathematics, 2014. [Paper]

Google Earth Plugin Projects:

The following projects were focused on developing web-based applications using Google Earth Plug-in, JavaScript, HTML, and KML files. The Google Earth Plug-in and its JavaScript API let you embed Google Earth, a true 3D digital globe, into your web pages. Using the API you can draw markers and lines, drape images over the terrain, add 3D models, or load KML files, allowing you to build sophisticated 3D map applications.

HydroViz:

HydroViz is a web-based, student-centered, highly visual educational tool designed to support active learning in the field of Engineering Hydrology. The development of HydroViz is informed by recent advances in hydrologic data, numerical simulations and visualization and web-based technologies. It is based on integration of field data, remote sensing observations and computer simulations of hydrologic variables and processes.

The Main HydroViz Site was developed for the Isaac-Verot Watershed near the campus of the University of Louisiana (UL) at Lafayette.

The Adapted HydroViz Site was developed later. The HydroViz team at the University of Louisiana at Lafayette is working with researchers at Tennessee Tech University, Dr. Faisal Hossain and Mr. Wondmagegn Yigzaw, to adapt the HydroViz project to a local watershed in Cookeville, TN.

ULL Google Earth:

ULL Google Earth is a web-based, highly visual tool designed for current and prospective students. You can easily locate your department, find university information, take an overall look through campus, and view 3D models of some famous buildings in Louisiana.

HydroNile:

The main focus of this research is on (1) satellite-based rainfall estimation over the domain of the Nile basin using infrared and microwave satellite observations, and (2) validation of available satellite-rainfall products from a variety of existing algorithms, and assessment of their performance over the Nile Basin. Our research also covers application-driven assessment of the satellite-rainfall products for hydrologic studies over the basin.