Saastha Vasan

Saastha Vasan

AI Security Researcher

University of California, Santa Barbara

Biography

I am a PhD candidate at University of California, Santa Barbara, advised by Prof. Giovanni Vigna and Prof. Christopher Kruegel (expected graduation July 2026). My research sits at the intersection of machine learning and computer security, with a focus on malware analysis, reverse engineering, and ML-driven threat detection. I build systems that translate security research into practical tools for malware investigation, cyber threat intelligence, and vulnerability analysis.

Interests
  • Malware Analysis
  • Machine Learning
  • Artificial Intelligence (AI)
  • Program Analysis
  • Threat Intelligence
  • Vulnerability Assessment
Education

  • Doctor of Philosophy(Ph.D), Computer Science, 2021 - present

    University of California, Santa Barbara

  • Bachelor of Technology, Computer Science, 2016 - 2020

    Amrita Vishwa Vidyapeetham, Kerala, India

Publications

MalwarePT: A Binary-Level Foundation Model for Malware Analysis
MalwarePT is a binary-level foundation model for malware analysis built on a ModernBERT-style encoder pretrained with masked language modeling on Windows PE code-section bytes. It transfers across malware-analysis tasks at different granularities — API call prediction, functionality classification, and malware detection under temporal drift — outperforming neural baselines and complementing feature-engineering approaches.
Saastha Vasan, Yuzhou Nie, Kaie Chen, Yigitcan Kaya, Hojjat Aghakhani, Roman Vasilenko, Wenbo Guo, Christopher Kruegel, Giovanni Vigna
PDF Cite
SoK: Challenges and Opportunities for AI in Converting Attack Evidence to Shareable Intelligence
A systematization-of-knowledge study combining a literature review and practitioner survey to define a Cyber Threat Intelligence (CTI) generation pipeline, evaluating the feasibility of LLMs for converting attack evidence into shareable intelligence.
Saastha Vasan, Christopher Kruegel, Giovanni Vigna
DeepCapa: Identifying Malicious Capabilities in Windows Malware
DeepCapa is an automated post-detection framework that identifies and maps potentially malicious capabilities in malware to the code that implements these capabilities. It proposes a novel feature engineering approach that statically extracts API-call sequences from multiple memory snapshots taken during a sample’s dynamic execution. This approach allows for more comprehensive code coverage and effectively counters anti-sandbox techniques. Deepcapa also proposes a neural network architecture to not only accurately detects capabilities but also provide interpretable detections.
Saastha Vasan, Hojjat Aghakhani, Stefano Ortolani, Roman Vasilenko, Ilya Grishchenko, Christopher Kruegel, Giovanni Vigna
PDF Cite
Invisible Image Watermarks Are Provably Removable Using Generative AI
Image watermarks embed hidden messages that are only detectable by the owners, preventing misuse of images, especially those generated by AI models. In this paper we introduce a family of regeneration attacks to remove these invisible watermarks. By adding random noise to an image and then reconstructing it, this approach effectively eliminates watermarks. The study highlights the vulnerability of all invisible watermarks to this proposed attack, emphasizing the need for a shift toward semantically similar watermarking methods.
Xuandong Zhao, Kexun Zhang, Zihao Su, Saastha Vasan, Ilya Grishchenko, Christopher Kruegel, Giovanni Vigna, Yu-Xiang Wang, Lei Li
PDF Cite Source Document
Columbus: Android App Testing Through Systematic Callback Exploration
Android apps are event-driven, and generating various types of events through app interfaces for testing purposes can be challenging. To address this, in this paper we introduce COLUMBUS, a callback-driven testing technique. COLUMBUS automatically identifies callbacks, uses symbolic execution and dynamic heap introspection to generate valid inputs, and incorporates feedback mechanisms to enhance crash detection and coverage. In evaluations, COLUMBUS outperforms existing testing tools in terms of both crashes and coverage.
Priyanka Bose, Dipanjan Das, Saastha Vasan, Sebastiano Mariani, Ilya Grishchenko, Andrea Continella, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna
PDF Cite
See all publications

Experience

 
 
 
 
 
Ph.D. Intern
Cisco Systems, Inc. (Talos Group)
July 2025 – September 2025 Irvine, California
* Developed a large-scale .NET malware detection pipeline over 5M+ malicious and benign samples, achieving a 10% relative F1 improvement over prior academic baselines.
* Designed cross-platform XDR anomaly detection using Markov-chain process models and ancestry trees to identify anomalous execution patterns across macOS and Windows.
 
 
 
 
 
University of California Santa Barbara
Graduate Researcher
University of California Santa Barbara
October 2021 – Present Santa Barbara, California
* Led research on MalwarePT, a binary-level foundation model for malware analysis, covering pretraining, downstream evaluation, and robustness analysis.
* Built ML/LLM pipelines that map malware behavior to malicious capabilities, convert attack evidence into CTI, and support automated vulnerability root-cause analysis.
* Participating in Capture The Flag (CTF) competitions as a member of team Shellphish.
 
 
 
 
 
Aspirify Enterprises Pvt
Infosec Engineer
Aspirify Enterprises Pvt
December 2020 – July 2021 New Delhi, India
* Built red-team assessment modules for RCE, lateral movement, and N-day vulnerability simulation using C, C++, C#, and Python.
* Built modular exploit payloads and post-exploitation scripts that expanded the red-team framework's coverage for enterprise assessments.
 
 
 
 
 
University of California Santa Barbara
Research Intern
University of California Santa Barbara
March 2020 – September 2020 Santa Barbara, California
* Designed and developed a novel malware post-detection framework that identifies potentially malicious capabilities in Windows malware, outperforming existing solutions by 20% in precision and 80% in recall.
* Reverse-engineered malware executables and mapped their attack implementations to the MITRE ATT&CK Framework.
 
 
 
 
 
Amrita Vishwa Vidyapeetham
Student Researcher
Amrita Vishwa Vidyapeetham
December 2016 – February 2020 Kerala, India
* Conducted malware analysis, documented results, and developed proof-of-concept attack methods.
* Fostered collaborative learning by teaching reverse engineering and malware analysis, promoting ongoing education.
* Participated actively in Capture The Flag (CTF) competitions as part of team bi0s

Achievements

DARPA AI Cyber Challenge (AIxCC) — Team Shellphish, Top-7 Semi-Final Finish, $2M Award
DARPA Jan 2023 – Dec 2025
Core member of Team Shellphish during the DARPA AIxCC effort; contributed to automated root-cause analysis and vulnerability patching systems. The team secured a top-7 semi-final finish, won $2 million, and advanced to the finals.
Co-Chair, NSF-funded ACTION Institute Student Executive Council
NSF ACTION Institute Jan 2023
Lead internship recruitment, coordinate guest speaker sessions, foster research collaborations across 11 universities, and drive outreach programs introducing AI and security to high school students.
Uiversity of California, Santa Barbara
Academic Excellence Fellowship
Uiversity of California, Santa Barbara Oct 2021
Amrita Vishwa Vidyapeetham
Magna Cum Laude: Bachelors Degree in Computer Science with first class distinction
Amrita Vishwa Vidyapeetham Aug 2020
Amrita Vishwa Vidyapeetham
Student Excellence Award for achievements in computer science
Amrita Vishwa Vidyapeetham Dec 2019
Amrita Vishwa Vidyapeetham
Student Excellence Award for achievements in computer science
Amrita Vishwa Vidyapeetham Dec 2018

Recent Posts

Malware Analysis 5: Sepsis Ransomware
Basic Information Name: Sepsis Ransomware SHA256: 3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a SHA-1 518d5a0a8025147b9e29821bccdaf3b42c0d01db MD5 1221ac9d607af73c65fd6c62bec3d249 File Type Win32 EXE Detection: According to the analysis report by Virus Total the detection rate of the sample is 57/70.
Nov 10, 2019 7 min read
Malware Analysis 5: Sepsis Ransomware
Malware Analysis4: APT_MalDoc_SharpShooter_Lazarus
Basic Information: Name: PT_MalDoc_SharpShooter_Lazarus sha256: dd38e5378f0de8489c9d015758d8ad390ecdf9599b8a4b90b218f6de6d1c1e16 FileType: Composite Document File FileExtension: Microsoft Office File Introduction: The sample is a Composite Document, having Colgate class action lawsuit as the subject. Compound Document file is also known as Compound File Binary Format.
Aug 19, 2019 4 min read
Malware Analysis4: APT_MalDoc_SharpShooter_Lazarus
Malware Analysis 3: Mydoom
Basic Information Name: Mydoom SHA256: fff0ccf5feaf5d46b295f770ad398b6d572909b00e2b8bcd1b1c286c70cd9151 SHA-1 f91a4d7ac276b8e8b7ae41c22587c89a39ddcea5 MD5 53df39092394741514bc050f3d6a06a9 File Type Win32 EXE The malware sample is a PE32 bit executable packed using UPX packer. We found out that the executable is packed using UPX packer (version ranging from 0.
Aug 1, 2019 5 min read
Malware Analysis 3: Mydoom
Malware Analysis 2: Mirage Fox
History: The APT15 (Aka Mirage, Royal APT, Playful Dragon .. ) group has been active since at least 2010, They conducted cyber espionage campaigns against targets in defense, high tech, energy, government, aerospace, manufacturing industries worldwide.
Jul 26, 2019 3 min read
Malware Analysis 2: Mirage Fox
Malware Analysis 1: Jigsaw Ransomware
Basic Properties: Name: Jigsaw Ransomware SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7 SHA-1 27d99fbca067f478bb91cdbcb92f13a828b00859 MD5 2773e3dc59472296cb0024ba7715a64e File Type 64Bit .Net EXE After performing initial static analysis we found out that the sample is a 64bit PE .
Jul 19, 2019 6 min read
Malware Analysis 1: Jigsaw Ransomware

Contact