publications
Check Google Scholar for latest publications.
2025
- Exploiting Inaccurate Branch History in Side-Channel Attacks. Yuhui Zhu and Alessandro Biondi. In 34th USENIX Security Symposium 2025, 2025
Modern out-of-order CPUs heavily rely on speculative execution for performance optimization, with branch prediction serving as a cornerstone to minimize stalls and maximize efficiency. Whenever shared branch prediction resources lack proper isolation and sanitization methods, they may originate security vulnerabilities that expose sensitive data across different software contexts. This paper examines the fundamental components of modern Branch Prediction Units (BPUs) and investigates how resource sharing and contention affect two widely implemented but underdocumented features: Bias-Free Branch Prediction and Branch History Speculation. Our analysis demonstrates that these BPU features, while designed to enhance speculative execution efficiency through more accurate branch histories, can also introduce significant security risks. We show that these features can inadvertently modify the Branch History Buffer (BHB) update behavior and create new primitives that trigger malicious mis-speculations. This discovery exposes previously unknown cross-privilege attack surfaces for Branch History Injection (BHI). Based on these findings, we present three novel attack primitives: two Spectre attacks, namely Spectre-BSE and Spectre-BHS, and a cross-privilege control flow side-channel attack called BiasScope. Our research identifies corresponding patterns of vulnerable control flows and demonstrates exploitation on multiple processors. Finally, Chimera is presented: an attack demonstrator based on eBPF for a variant of Spectre-BHS that is capable of leaking kernel memory contents at 24,628 bit/s.
- Cybersecurity Education Showdown: A Comparative Analysis of K-12 Education Systems in the United States, the European Union and China. Berenice Fernández Nieto, Daisy Romanini, and Yuhui Zhu. In ITASEC - Italian Conference on CyberSecurity 2025, 2025
Cybersecurity has become a critical aspect of modern life, essential for safeguarding infrastructure, maintaining data integrity, and addressing a growing array of threats. As cyberhygiene and cybersecurity literacy emerge as indispensable skills, K-12 education plays a pivotal role in cultivating a cybersecurity culture while simultaneously preparing the next generation of professionals. To delve into this role, our study conducts a comparative analysis of K-12 cybersecurity education in the United States, the European Union (with a focus on Germany, Estonia, France, and especially Italy), and the People’s Republic of China, highlighting their legal frameworks, funding mechanisms, and initiatives aimed at raising public awareness. The findings provide insights into the strengths and gaps in global efforts to integrate cybersecurity into education, offering guidance for policymakers and educators seeking to advance this crucial field. In particular, this work underscores the importance of balancing centralized policies with localized flexibility to create inclusive, adaptative, and dynamic cybersecurity education ecosystems.
2023
- Devils in the Clouds: An Evolutionary Study of Telnet Bot Loaders. Yuhui Zhu, Zhenxiang Chen, Qiben Yan, Shanshan Wang, Alberto Giaretta, Enlong Li, Lizhi Peng, Chuan Zhao, and Mauro Conti. In ICC 2023 - IEEE International Conference on Communications, 2023
One of the innovations brought by Mirai and its derived malware is the adoption of self-contained loaders for infecting IoT devices and recruiting them in botnets. Functionally decoupled from other botnet components and not embedded in the payload, loaders cannot be analysed using conventional approaches that rely on honeypots for capturing samples. Different approaches are necessary for studying the loaders’ evolution and defining a genealogy. To address the insufficient knowledge about loaders’ lineage in existing studies, in this paper, we propose a semantic-aware method to measure, categorize, and compare different loader servers, with the goal of highlighting their evolution, independent from the payload evolution. Leveraging behavior-based metrics, we cluster the discovered loaders and define eight families to determine the genealogy and draw a homology map. Our study shows that the source code of Mirai is evolving and spawning new botnets with new capabilities, both on the client side and the server side. In turn, shedding light on the infection loaders can help the cybersecurity community to improve detection and prevention tools.
2022
- IoT Botnet Detection framework from Network Behavior based on Extreme Learning Machine. Nasimul Hasan, Zhenxiang Chen, Chuan Zhao, Yuhui Zhu, and Cong Liu. In IEEE INFOCOM 2022 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2022
IoT devices have been affected by fundamental security flaws in recent years, rendering them exposed to various threats and viruses, particularly IoT botnets. In contrast to conventional malware on desktop computers and Android, heterogeneous processor architecture constraints on IoT devices pose various challenges to researchers. Traditional methodologies are challenging to apply because of the IoT’s unique properties, such as resource-constrained devices, enormous volumes of data, and the requirement of real-time detection. This paper then proposes a lightweight framework to detect IoT botnets and botnet families. The framework operates with bot behavior data over a simple yet effective learning-based method named Extreme Learning Machine. For IoT botnet detection, the experimental results demonstrate that the suggested technique achieves accuracy, precision, and recall of 97.7%, 97.1%, and 97.1%, respectively. The detection performance of botnet families is inspiring. Furthermore, a comparison of our framework to other current approaches reveals that it produces better results, particularly in terms of the training time, which gives it a considerable edge over other learning-based methods.
2021
- AndroCreme: Unseen Android Malware Detection Based on Inductive Conformal Learning. Gang Zhang, Hao Li, Zhenxiang Chen, Lizhi Peng, Yuhui Zhu, and Chuan Zhao. In 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2021
The Android platform is facing serious malware threats due to its popularity, as evidenced by the drastic increase in the number of mobile malware families and variants in recent years. Detecting malware variants and zero-day malware is a critical challenge that must be addressed to protect mobile devices against malware attacks. In this study, we present AndroCreme, a novel network intrusion detection system (NIDS) that can identify unseen malware by analyzing the network behavior of Android malware. To address the temporal bias issue in NIDS, we propose a method for rapid iterative update of the model based on data selection and data size limitation. The selection of effective data is carried out by induction and conformal technology, and the data scale is controlled by the method of time window and data cycle selection. To further achieve fast training speed and high efficiency, we leverage a gradient boosting framework that uses a tree-based learning algorithm, namely, LightGBM, as the meta predictor. We evaluate the performance of AndroCreme over 400K real-world network flows, which are collected from over 30K Android benignware and 21K malware applications. The experimental results show that, compared with the retraining method using all data, AndroCreme requires only a small amount of data (a reduction of more than 3x) to obtain better detection performance, which effectively solves the temporal bias.
2018
- DroidDetector: a traffic-based platform to detect android malware using machine learning. Jingya Shen, Zhenxiang Chen, Shanshan Wang, Yuhui Zhu, and Muhammad Umair Hassan. In Third International Workshop on Pattern Recognition, 2018
With the rapid development of the mobile Internet, more and more people are using smart phones to access the Internet, especially Android devices, which have become the most popular devices of the moment. Although today’s mobile operating systems do their best to provide users with a secure Internet environment, due to the open source nature of Android, it is still unable to completely stop the outbreak of Android malware. Although existing source-based static detection and behavior-based dynamic detection can identify mobile malware, many problems still exist, such as low detection efficiency and difficulty in deployment. In order to solve these problems, we propose DroidDetector, a detection engine that can automatically detect whether an app is malware or not by using off-line trained machine learning models for network traffic analysis. DroidDetector uses the VPNService class provided by the Android SDK to intercept network traffic (it does not require root permission). All data analysis is performed on the server, which consumes minimum cache and resources on mobile devices. We extract the length of the first 8 packets of network traffic as features and use the Support Vector Machine (SVM) classification algorithm to train the model. In an evaluation experiment of 53107 TCP packet length feature tuple samples, DroidDetector can achieve 95.68% detection confidence.