Dr Steven J. Murdoch

I am an Associate Professor and Royal Society University Research Fellow in the Information Security Research Group of the Department of Computer Science at University College London. I am also a bye-fellow of Christ’s College, Innovation Security Architect at the OneSpan, Cambridge, a member of the Tor Project, and a Fellow of the IET and BCS.

Open positions

I am always interested in recruiting talented researchers to join my team at UCL, both as PhD students and for post-doctoral positions. Interested candidates should email me their curriculum vitae and a short research proposal.

Tweets for @sjmurdoch

Dr Steven J. Murdoch
Photo by James Tye

Recent publications

For more details see my full list of publications or my Google Scholar page. I also write articles on information security for the UCL Information Security Group blog – Bentham’s Gaze.

  • Waves of Malice: A Longitudinal Measurement of the Malicious File Delivery Ecosystem on the Web
    Colin C. Ife, Yun Shen, Steven J. Murdoch, Gianluca Stringhini
    We present a longitudinal measurement of malicious file distribution on the Web. Following a data-driven approach, we identify network infrastructures and the files that they download. We then study their characteristics over a short period (one day), over a medium period (daily, over one month) as well as in the long term (weekly, over one year). This analysis offers us an unprecedented view of the malicious file delivery ecosystem and its dynamics. We find that the malicious file delivery landscape can be divided into two distinct ecosystems: a much larger, tightly connected set of networks that is mostly responsible for the delivery of potentially unwanted programs (PUP), and a number of disjoint network infrastructures that are responsible for delivering malware on victim computers. We find that these two ecosystems are mostly disjoint, but it is not uncommon to see malware downloaded from the PUP Ecosystem, and vice versa. We estimate the proportions of PUP-to-malware in the wild to be heavily skewed towards PUP (17:2) and compare their distribution patterns. We observe periodicity in the activity of malicious network infrastructures, and we find that although malicious file operations present a high degree of volatility, 75% of the observed malicious networks remain active for more than six weeks, with 26% surviving for an entire year. We then reason on how our findings can help the research and law enforcement communities in developing better takedown techniques.
    ACM ASIA Conference on Computer and Communications Security (ASIACCS), Auckland, New Zealand, 09–12 July 2019. [ paper ]
  • Scanning the Internet for Liveness
    Shehar Bano, Philipp Richter, Mobin Javed, Srikanth Sundaresan, Zakir Durumeric, Steven J. Murdoch, Richard Mortier, Vern Paxson
    Internet-wide scanning depends on a notion of liveness: does a target IP address respond to a probe packet? However, the interpretation of such responses, or lack of them, is nuanced and depends on multiple factors, including: how we probed, how different protocols in the network stack interact, the presence of filtering policies near the target, and temporal churn in IP responsiveness. Although often neglected, these factors can significantly affect the results of active measurement studies. We develop a taxonomy of liveness which we employ to develop a method to perform concurrent IPv4 scans using ICMP, five TCP-based, and two UDP-based protocols, comprehensively capturing all responses to our probes, including negative and cross-layer responses. Leveraging our methodology, we present a systematic analysis of liveness and how it manifests in active scanning campaigns, yielding practical insights and methodological improvements for the design and the execution of active Internet measurement studies.
    ACM SIGCOMM Computer Communication Review, Volume 48, Issue 2, Pages 2–9, ACM, April 2018. Awarded IRTF Applied Networking Research Prize 2019. [ paper | DOI 10.1145/3213232.3213234 | code | data ]
  • Incentives in Security Protocols
    Alexander Hicks, Sarah Azouvi, Steven J. Murdoch
    Real world protocols often involve human choices that depend on incentives, including when they fail and require fail-safe or fail-deadly mechanisms. We look at three example systems (the EMV protocol, consensus in cryptocurrencies, and Tor) in this context, paying particular attention to the role that incentives play in fail-safe and fail-deadly situations. We argue that incentives should explicitly be taken into account in the design of security protocols, and discuss general challenges in doing so.
    International Workshop on Security Protocols, Cambridge, UK, 19–21 March 2018. Published in LNCS 11286, Springer-Verlag. [ paper | slides ]

Recent talks

For more detail see my full list of talks

  • Context and decontextualization as a cause of payment fraud
    Steven J. Murdoch
    Although 2FA is increasingly widespread, payment fraud remains commonplace. I will discuss a root cause for such failures – that transactions are losing the context previously associated with traditional in-branch payments and this lack of context is being taken advantage by criminals. I will propose some methods to identify such failures to help avoid the mistakes of the past.
    2FA WTF? What‘s the Future of CX/UX Digital Authentication, London, 30 October 2018. [ slides ]
  • Payment Security: Attacks & Defences
    Steven J. Murdoch
    This lecture provides an introduction to payment card and online banking security mechanisms and the fraud techniques which are designed to break or bypass these measures. An overview of the EMV protocol is given, along with an illustration of how skimming attacks and the no-PIN attack exploit protocol weaknesses. The man-in-the-browser attack is outlined, and how transaction authentication is intended to defend against this.
    Guest lecture as part of COMPGA03 - Introduction to Cryptography, University College London, 13 December 2016. [ slides ]
  • Decentralising Data Collection and Anonymisation
    Steven J. Murdoch
    A frequent approach for anonymising datasets is for individuals to submit sensitive data records to a central authority. The central authority then is responsible for safely storing and sharing the data, for example by aggregating or perturbing records. However, this approach introduces the risk that the central authority may be compromised, whether this from an externally originated hacking attempt or as a result of an insider attack. As a result, central authorities responsible for handling sensitive data records must be well protected, often at great expense, and even then the risk of compromise will not be eliminated. In this talk I will discuss an alternative anonymisation approach, where sensitive data records have identifiable information removed before being submitted to the central authority. In order for this approach to work, not only must this first-stage anonymisation prevent the data from disclosing the identity of the submitter, but also the data records must be submitted in such a way as to prevent the central authority from being able to establish the identity of the submitter from submission metadata. I will show how advances in network metadata anonymisation can be applied to facilitate this approach, including techniques to preserve validity of data despite not knowing the identity of contributors.
    New Developments in Data Privacy, Isaac Newton Institute, 09 December 2016. [ slides | video ]

Professional activities

Research supervision

Killian Davitt (PhD student, 2018–): understanding, measuring and improving the security of collaboration tools.

Alexander Hicks (PhD student, 2017–): privacy preserving continuous authentication.

Andreas Gutmann (PhD student, 2016–): privacy-preserving transaction authentication for mobile devices.

Shehar Bano (Research Assistant & PhD student, 2013–2016): measurement of censorship and censorship resistance systems.

Kumar Sharad (PhD student, 2012–2016): security in social networks – anonymisation and fraud prevention.

Program chair

14th Privacy Enhancing Technologies Symposium, 16–18 July, 2014, Amsterdam, Netherlands.

15th Privacy Enhancing Technologies Symposium, 30 June–2 July 2015, Philadelphia, PA, USA.

General chair

Financial Cryptography and Data Security 2011, 15th International Conference, 28 February–4 March 2011, St. Lucia.

Programme committee membership

  • IEEE European Symposium on Security and Privacy 2019
  • IFIP Summer School 2016, 2017, 2018
  • Financial Cryptography and Data Security (FC): 2010, 2016, 2018
  • Privacy Enhancing Technologies Symposium (PETS): 2007, 2008, 2009, 2011, 2017, 2018
  • Network and Distributed System Security Symposium (NDSS): 2017
  • ACM Conference on Computer and Communications Security (CCS): 2007, 2008, 2010, 2011, 2016
  • Annual Privacy Forum 2014
  • Free and Open Communications on the Internet (FOCI) 2013
  • USENIX Security 2012
  • European Symposium on Research in Computer Security (ESORICS) 2011
  • Workshop on Foundations of Security and Privacy (FCS-PrivMod): 2010
  • Workshop on Privacy in the Electronic Society (WPES): 2006, 2007, 2009
  • FIDIS/IFIP Internet Security & Privacy Summer School: 2008
  • ACM Symposium on Applied Computing (Computer Security track): 2007

Journal reviewing

Includes Proceedings on Privacy Enhancing Technologies (2017, 2018, 2019), ACM Transactions on Internet Technology (TOIT) (2017), International Journal of Computer Security (2016), IEEE Transactions on Dependable and Secure Computing (2009), ACM Transactions on Information and System Security (2008), IEEE Transactions on Software Engineering (2008), IEEE/ACM Transactions on Networking (2007), IEEE Security & Privacy (2007), The Triple Helix (2008), Identity in the Information Society (2008).

Contact Details

email (preferred):

s.murdoch at ucl.ac.uk


Dr Steven J. Murdoch
Computer Science Department
University College London
Gower Street
United Kingdom


+44 20 3108 1629 (internal x51629)

mobile and Signal:

+44 7866 807 628