Prof. Dr. Thorsten Holz

  • Chair - Chair Systems Security
  • Member - Institute Horst Görtz Institute for IT-Security
Holz, Thorsten

Address

Ruhr-Uni­ver­si­ty Bo­chum
Chair for Systems Security
Uni­ver­si­täts­stras­se 150
44780 Bo­chum / Germany

room
ID 2/441
phone:
(+49)(0)234 / 32 - 25199
Fax:
(+49)(0)234 / 32 - 14956
Email:
thorsten.holz@rub.de
Website:
https://syssec.rub.de/~tho

Vita

Thorsten Holz is a professor in the Faculty of Electrical Engineering and Information Technology at Ruhr-University Bochum, Germany. His research interests include systems-oriented aspects of secure systems, with a specific focus on applied computer security. Currently, his work concentrates on bots/botnets, automated analysis of malicious software, and studying latest attack vectors. He received the Dipl.-Inform. degree in Computer Science from RWTH Aachen, Germany (2005), and the Ph.D. degree from University of Mannheim (2009). Prior to joining Ruhr-University Bochum in April 2010, he was a postdoctoral researcher in the Automation Systems Group at the Technical University of Vienna, Austria. In 2011, Thorsten received the Heinz Maier-Leibnitz Prize from the German Research Foundation (DFG).

Recent Professional Activities

  • 22nd USENIX Security Symposium, PC Member
  • 34rd IEEE Symposium on Security and Privacy (Oakland 2013), PC Member
  • 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2013), PC Member
  • 19th ACM Conference on Computer and Communications Security (CCS 2012), PC Member
  • 11th Workshop on the Economics of Information Security (WEIS 2012), PC Member
  • 2012 European Workshop on System Security (EuroSec 2012), PC Co-Chair
  • 18th Annual Network & Distributed System Security Symposium (NDSS '11), PC Member

Research

  • Studying current attack vectors with the help of honeypots and honeynets
  • Automated analysis of malicious software
  • Detection of infected machines (especially bots) on the network- and host-level
  • Security aspects of embedded systems, with a focus on smartphones
  • Security and privacy aspects of social networks

projects

More information about current projects can be found in the list of projects.

Courses

additional courses

Publications

2013
Preventing Backdoors In Server Applications With A Separated Software Architecture (Short Paper)

Felix Schuster, Stefan Rüster, Thorsten Holz - Con­fe­rence on De­tec­tion of In­tru­si­ons and Mal­wa­re & Vul­nerabi­li­ty As­sess­ment (DIMVA), Berlin, July 2013

Practical Timing Side Channel Attacks Against Kernel Space ASLR

Ralf Hund, Carsten Willems, Thorsten Holz - IEEE Symposium on Security and Privacy ("Oakland"), San Francisco, CA, May 2013

PSiOS: Bring Your Own Privacy & Security to iOS Devices

Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz - ACM Symposium on Information, Computer and Communications Security (ASIACCS), Hangzhou, China, May 2013 - **Distinguished Paper Award**

A Security Layer for Smartphone-to-Vehicle Communication over Bluetooth

Andrea Dardanelli, Federico Maggi, Mara Tanelli, Stefano Zanero, Sergio M. Savaresi, Roman Kochanek, Thorsten Holz - Embedded Systems Letters

Slicing Droids: Program Slicing for Smali Code

Johannes Hoffmann, Martin Ussath, Michael Spreitzenbarth, Thorsten Holz - 28th In­ter­na­tio­nal ACM Sym­po­si­um on Ap­p­lied Com­pu­ting (SAC), Coimbra, Portugal, March 2013

Predentifier: Detecting Botnet C&C Domains From Passive DNS Data

Tilman Frosch, Marc Kührer, Thorsten Holz - Advances in IT Early Warning, Fraunhofer Verlag, February 2013. ISBN: 978-3-8396-0474-8

2012
Down to the Bare Metal: Using Processor Features for Binary Analysis

Carsten Willems, Ralf Hund, Amit Vasudevan, Andreas Fobian, Dennis Felsch, Thorsten Holz - Annual Computer Security Applications Conference (ACSAC), Orlando, FL, December 2012

Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis

Carsten Willems, Felix C. Freiling, Thorsten Holz - Annual Computer Security Applications Conference (ACSAC), Orlando, FL, December 2012

CXPInspector: Hypervisor-Based, Hardware-Assisted System Monitoring

Carsten Willems, Ralf Hund, Thorsten Holz - TR-HGI-2012-002, Ruhr-Uni­ver­si­tät Bo­chum, Horst Görtz In­sti­tut für IT-Si­cher­heit (HGI), November 2012

Down to the Bare Metal: Using Processor Features for Binary Analysis

Carsten Willems, Ralf Hund, Dennis Felsch, Andreas Fobian, Thorsten Holz - TR-HGI-2012-001, Ruhr-Universität Bochum, Horst Görtz Institut für IT-Sicherheit (HGI), November 2012

Scriptless Attacks – Stealing the Pie Without Touching the Sill

Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, Jörg Schwenk - 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, October 2012

B@bel: Leveraging Email Delivery for Spam Mitigation

Gianluca Stringhini, Manuel Egele, Apostolis Zarras, Thorsten Holz, Christopher Kruegel, Giovanni Vigna - 21st USENIX Security Symposium, Bellevue, WA, USA, August 2012

On the Fragility and Limitations of Current Browser-provided Clickjacking Protection Schemes

Sebastian Lekies, Mario Heiderich, Dennis Appelt, Thorsten Holz, Martin Johns - 6th USENIX Workshop on Offensive Technologies (WOOT), Bellevue, WA, August 2012

SmartProxy: Secure Smartphone-Assisted Login on Compromised Machines

Johannes Hoffmann, Sebastian Uellenbeck, Thorsten Holz - 9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Heraklion, Greece, July 2012

Don’t Trust Satellite Phones: A Security Analysis of Two Satphone Standards

Benedikt Driessen, Ralf Hund, Carsten Willems, Chris­tof Paar, Thorsten Holz - IEEE Symposium on Security and Privacy ("Oakland"), San Francisco, CA, May 2012 - **Best Paper Award**

Tracking DDoS Attacks: Insights into the Business of Disrupting the Web

Armin Büscher, Thorsten Holz - 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Jose, CA, April 2012

An Empirical Analysis of Malware Blacklists

Marc Kührer, Thorsten Holz - PIK - Praxis der Informationsverarbeitung und Kommunikation. Volume 35, Issue 1, Pages 11–16, April 2012

MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones

Lucas Davi, Alexandra Dmitrienko, Manuel Egele, Thomas Fischer, Thorsten Holz, Ralf Hund, Stefan Nürnberger, Ahmad-Reza Sadeghi - Annual Network & Distributed System Security Symposium (NDSS), San Diego, February 2012

2011
Crouching Tiger - Hidden Payload: Security Risks of Scalable Vectors Graphics

Mario Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz - 18th ACM Conference on Computer and Communications Security (CCS), Chicago, IL, October 2011

POSTER: Control-Flow Integrity for Smartphones.

Lucas Davi, Alexandra Dmitrienko, Manuel Egele, Thorsten Holz, Ralf Hund, Stefan Nürnberger, Ahmad-Reza Sadeghi, Thomas Fischer - 18th ACM Conference on Computer and Communications Security (CCS'11)

TrumanBox: Improving Dynamic Malware Analysis by Emulating the Internet

Christian Gorecki, Felix C. Freiling, Marc Kührer, Thorsten Holz - 13th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS), Grenoble, France, October 2011

Automated Identification of Cryptographic Primitives in Binary Programs

Felix Gröbert, Carsten Willems, Thorsten Holz - 14th International Symposium on Recent Advances in Intrusion Detection (RAID), Menlo Park, CA, September 2011

IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM

Mario Heiderich, Tilman Frosch, Thorsten Holz - 14th International Symposium on Recent Advances in Intrusion Detection (RAID), Menlo Park, CA, September 2011

BotMagnifier: Locating Spambots on the Internet

Gianluca Stringhini, Thorsten Holz, Brett Stone-Gross, Christopher Kruegel, Giovanni Vigna - USENIX Security Symposium, San Francisco, CA, August 2011

Jackstraws: Picking Command and Control Connections from Bot Traffic

Gregoire Jacob, Ralf Hund, Christopher Kruegel, Thorsten Holz - USENIX Security Symposium, San Francisco, CA, August 2011

Proceedings of 8th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)

Thorsten Holz, Herbert Bos - 8th Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), Amsterdam, Netherlands, July 2011

Automatic Analysis of Malware Behavior using Machine Learning

Konrad Rieck, Philipp Trinius, Carsten Willems, Thorsten Holz - Journal of Computer Security, Vol. 19, No. 4, pages 639-668, 2011

Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices

Michael Becher , Felix C. Freiling, Johannes Hoffmann, Thorsten Holz, Sebastian Uellenbeck, Christopher Wolf - IEEE Symposium on Security and Privacy ("Oakland"), Berkeley, CA, May 2011

Das Internet-Malware-Analyse-System (InMAS)

Markus Engelberth, Felix C. Freiling, Jan Goebel, Christian Gorecki, Thorsten Holz, Ralf Hund, Philipp Trinius, Carsten Willems - Datenschutz und Datensicherheit (DuD), Volume 35, Number 4, pp. 247-252

The Underground Economy of Spam: A Botmaster's Perspective of Coordinating Large-Scale Spam Campaigns

Brett Stone-Gross, Thorsten Holz, Gianluca Stringhini, Giovanni Vigna - USE­NIX Work­shop on Lar­ge-Sca­le Ex­ploits and Emer­gent Thre­ats (LEET), Boston, MA, March 2011

2010
A Malware Instruction Set for Behavior-Based Analysis

Philipp Trinius, Carsten Willems, Thorsten Holz, Konrad Rieck - GI Si­cher­heit - Schutz und Zu­ver­läs­sig­keit, Jah­res­ta­gung des Fach­be­reichs Si­cher­heit der Ge­sell­schaft für In­for­ma­tik, Ber­lin, Ger­ma­ny, Oc­to­ber 2010

Towards secure deletion on smartphones

Michael Spreitzenbarth, Thorsten Holz - GI Si­cher­heit - Schutz und Zu­ver­läs­sig­keit, Jah­res­ta­gung des Fach­be­reichs Si­cher­heit der Ge­sell­schaft für In­for­ma­tik, Berlin, Germany, October 2010

Abusing Social Networks for Automated User Profiling

Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, Christopher Kruegel - 13th International Symposium on Recent Advances in Intrusion Detection (RAID), Ottawa, Canada, September 2010

Is the Internet for Porn? An Insight Into the Online Adult Industry

Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda, Christopher Kruegel - Workshop on the Economics of Information Security (WEIS), Harvard University, USA, June 2010

A Practical Attack to De-Anonymize Social Network Users

Gilbert Wondracek, Thorsten Holz, Engin Kirda, Christopher Kruegel - IEEE Symposium on Security and Privacy ("Oakland"), Berkeley, CA, May 2010

Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries

Clemens Kolbitsch, Thorsten Holz, Christopher Kruegel, Engin Kirda - IEEE Symposium on Security and Privacy ("Oakland"), Berkeley, CA, May 2010

Verfolgen und Abschwächen von Malicious Remote Control Networks

Thorsten Holz - Ausgezeichnete Informatikdissertationen 2009. LNI D-10, pages 101-110, May 2010

ADSandbox: Sandboxing JavaScript to Fight Malicious Websites

Andreas Dewald, Thorsten Holz, Felix C. Freiling - ACM Symposium on Applied Computing (SAC), Sierre, Switzerland, March 2010

Botzilla: Detecting the "Phoning Home" of Malicious Software

Konrad Rieck, Guido Schwenk, Tobias Limmer, Thorsten Holz, Pavel Laskov - ACM Symposium on Applied Computing (SAC), Sierre, Switzerland, March 2010

The InMAS Approach

Markus Engelberth, Felix Freiling, Jan Goebel, Christian Gorecki, Thorsten Holz, Ralf Hund, Philipp Trinius, Carsten Willems - 1st European Workshop on Internet Early Warning and Network Intelligence (EWNI'10)

2009
A Malware Instruction Set for Behavior-Based Analysis

Philipp Trinius, Carsten Willems, Thorsten Holz, Konrad Rieck - Technical Report TR-2009-007, University of Mannheim, December 2009

Automatic Analysis of Malware Behavior using Machine Learning

Philipp Trinius, Carsten Willems, Thorsten Holz, Konrad Rieck - Berlin Institute of Technology, Technical Report 18-2009

Walowdac - Analysis of a Peer-to-Peer Botnet

Ben Stock, Jan Göbel, Markus Engelberth, Felix Freiling, Thorsten Holz - European Conference on Computer Network Defense (EC2ND), Milan, Italy, November 2009

Visual Analysis of Malware Behavior (Short paper)

Philipp Trinius, Thorsten Holz, Jan Göbel, Felix Freiling - Workshop on Visualization for Cyber Security (VizSec), Atlantic City, NJ, USA, October 2009

Automatically Generating Models for Botnet Detection

Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Göbel, Christopher Kruegel, Engin Kirda - Eu­ropean Sym­po­si­um on Re­se­arch in Com­pu­ter Se­cu­ri­ty (ESO­RICS), Saint Malo, France, September 2009

Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones

Thorsten Holz, Markus Engelberth, Felix Freiling - Eu­ropean Sym­po­si­um on Re­se­arch in Com­pu­ter Se­cu­ri­ty (ESO­RICS), Saint Malo, France, September 2009

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

Ralf Hund, Thorsten Holz, Felix Freiling - USENIX Security Symposium, Montreal, Canada, August 2009

Towards Proactive Spam Filtering (Extended Abstract)

Jan Göbel, Thorsten Holz, Philipp Trinius - Con­fe­rence on De­tec­tion of In­tru­si­ons and Mal­wa­re & Vul­nerabi­li­ty As­sess­ment (DIMVA), Milan, Italy, July 2009

Frühe Warnung durch Beobachten und Verfolgen von bösartiger Software im Deutschen Internet: Das Internet-Malware-Analyse System (InMAS)

Markus Engelberth, Felix Freiling, Jan Goebel, Christian Gorecki, Thorsten Holz, Philipp Trinius, Carsten Willems - 11. Deutscher IT-Sicherheitskongress des Bundesamtes für Sicherheit in der Informationstechnik (BSI), Bonn, May 2009

Tracking and Mitigation of Malicious Remote Control Networks

Thorsten Holz - Universität Mannheim, pages 1-138, URN urn:nbn:de:bsz:180-madoc-23306, April 2009

MalOffice - Detecting malicious documents with combined static and dynamic analysis

Markus Engelberth, Carsten Willems, Thorsten Holz - Virus Bulletin Conference, Geneva, Switzerland, September 2009

2008
Towards Next-Generation Botnets

Ralf Hund, Matthias Hamann, Thorsten Holz - European Conference on Computer Network Defense (EC2ND), Dublin, Ireland, December 2008

As the Net Churns: Fast-Flux Botnet Observations

Jose Nazario, Thorsten Holz - International Conference on Malicious and Unwanted Software, October 2008

Reconstructing Peoples Lives: A Case Study in Teaching Forensic Computing

Felix Freiling, Thorsten Holz, Martin Mink - In­ter­na­tio­nal Con­fe­rence on IT Se­cu­ri­ty In­ci­dent Ma­nage­ment & IT Fo­ren­sics (IMF), Mannheim, Ger­ma­ny, September 2008

Learning and Classification of Malware Behavior

Konrad Rieck, Thorsten Holz, Carsten Willems, Patrick Düssel, Pavel Laskov - Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Paris, France, July 2008

Studying Malicious Websites and the Underground Economy on the Chinese Web

Jianwei Zhuge, Thorsten Holz, Chengyu Song, Jinpeng Guo, Xinhui Han, Wei Zou - Work­shop on the Eco­no­mics of In­for­ma­ti­on Se­cu­ri­ty (WEIS), Hanover, NH, USA, June 2008

Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm

Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix C. Freiling - USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, CA, April 2008

Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients

Ali Ikinci, Thorsten Holz, Felix Freiling - GI Si­cher­heit - Schutz und Zu­ver­läs­sig­keit, Jah­res­ta­gung des Fach­be­reichs Si­cher­heit der Ge­sell­schaft für In­for­ma­tik, Saarbrücken, April 2008 - **Best Paper Award**

Rishi: Identifizierung von Bots durch Auswerten der IRC Nicknamen

Jan Göbel, Thorsten Holz - DFN-CERT Work­shop "Si­cher­heit in ver­netz­ten Sys­te­men", Ham­burg, February 2008

Measuring and Detecting Fast-Flux Service Networks

Thorsten Holz, Christian Gorecki, Konrad Rieck, Felix Freiling - Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2008

2007
Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

Jianwei Zhuge, Thorsten Holz, Xinhui Han, Chengyu Song, Wei Zou - International Conference on Information and Communications Security (ICICS), LNCS 4861, Zhengzhou, China, December 2007

Virtual Honeypots - From Botnet Tracking to Intrusion Detection

Niels Provos, Thorsten Holz - Addison-Wesley Professional; 1. edition, 440 pages

Measurement and Analysis of Autonomous Spreading Malware in a University Environment

Thorsten Holz, Jan Goebel, Carsten Willems - Con­fe­rence on De­tec­tion of In­tru­si­ons and Mal­wa­re & Vul­nerabi­li­ty As­sess­ment (DIMVA), Lucerne, Switzerland, July 2007

Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation

Jan Göbel, Thorsten Holz - USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, April 2007

Toward Automated Dynamic Malware Analysis Using CWSandbox

Carsten Willems, Thorsten Holz, Felix C. Freiling - IEEE Security & Privacy, Volume 5, Number 2, Pages 32-39, March/April 2007

2006
Advanced Honeypot-based Intrusion Detection

Jan Göbel, Jens Hektor, Thorsten Holz - USE­NIX ;login:, Vo­lu­me 31, Issue 6, Pages 18-23, De­cem­ber 2006

A Comparative Study of Teaching Forensics at a University Degree Level

Philip Anderson, Maximillian Dornseif, Felix Freiling, Thorsten Holz, Alastair Irons, Christopher Laing, Martin Mink - International Conference on IT Security Incident Management & IT Forensics (IMF), Stuttgart, Germany, October 2006

The Nepenthes Platform: An Efficient Approach to Collect Malware

Paul Baecher, Markus Koetter, Thorsten Holz, Maximillian Dornseif, Felix Freiling - 9th International Symposium on Recent Advances in Intrusion Detection (RAID), Hamburg, Germany, September 2006

The Effect of Stock Spam on Financial Markets

Rainer Böhme, Thorsten Holz - Workshop on the Economics of Information Security (WEIS), University of Cambridge, June 2006

Design and Implementation of the Honey-DVD

Maximillian Dornseif, Felix Freiling, Nils Gedicke, Thorsten Holz - IEEE In­for­ma­ti­on As­suran­ce Work­shop (IAW), West Point, NY, June 2006

Safety, Liveness, and Information Flow: Dependability Revisited

Zinaida Benenson, Felix Freiling, Thorsten Holz, Dogan Kesdogan, Lucia Draque Penso - ARCS Workshop on Dependability and Fault-Tolerance, Frankfurt am Main, Germany, March 2006

Effektives Sammeln von Malware mit Honeypots

Thorsten Holz, Georg Wicherski - DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, March 2006

New Threats and Attacks on the World Wide Web

Thorsten Holz, Simon Marechal, Frédéric Raynal - IEEE Security & Privacy Volume 4, Issue 2, Pages 72-75, March 2006

Learning More About Attack Patterns With Honeypots

Thorsten Holz - GI Sicherheit - Schutz und Zuverlässigkeit, Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik, Magdeburg, February 2006

2005
Spying With Bots

Thorsten Holz - USENIX ;login:, Volume 30, Issue 6, Pages 18-23, December 2005

Security Measurements and Metrics for Networks

Thorsten Holz - Dependability Metrics (Lecture Notes in Computer Science 4909, Advanced Lectures), pages 157-165, 2005

Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Felix Freiling, Thorsten Holz, Georg Wicherski - European Symposium on Research in Computer Security (ESORICS), Milan, Italy, September 2005

A Pointillist Approach for Comparing Honeypots

Fabien Pouget, Thorsten Holz - Con­fe­rence on De­tec­tion of In­tru­si­ons and Mal­wa­re & Vul­nerabi­li­ty As­sess­ment (DIMVA), Vienna, Austria, July 2005

Detecting Honeypots and Other Suspicious Environments

Thorsten Holz, Frederic Raynal - IEEE In­for­ma­ti­on As­suran­ce Work­shop (IAW), West Point, NY, June 2005

A Short Visit to the Bot Zoo

Thorsten Holz - IEEE Security & Privacy, Volume 3, Issue 3, Pages 76-79, May 2005

2004
Vulnerability Assessment using Honeypots

Maximillian Dornseif, Felix C. Gärtner, Thorsten Holz - PIK - Praxis der Informationsverarbeitung und Kommunikation, Volume 27, Issue 4, Pages 195-201, December 2004

NoSEBrEaK - Attacking Honeynets

Maximillian Dornseif, Thorsten Holz, Christian N. Klein - IEEE Information Assurance Workshop (IAW), West Point, NY, June 2004

Ermittlung von Verwundbarkeiten mit elektronischen Ködern

Maximillian Dornseif, Felix C. Gärtner, Thorsten Holz - Con­fe­rence on De­tec­tion of In­tru­si­ons and Mal­wa­re & Vul­nerabi­li­ty As­sess­ment (DIMVA), Dortmund, Germany, July 2004