Malware comes in many different forms and offers an attacker utility at multiple stages of the cyber kill chain, whether it’s stealing data, remote exploitation, or establishing persistence on a machine. With the advent of mobile computing, malware distribution has become an even more efficient, scalable, profit-generating mechanism. Mobile apps can collect sensitive data, generate fraudulent ad revenue, or commandeer the device’s compute power for use in a botnet.

Unlike some threats that can be sporadic and ephemeral, such as network intrusion, the prevalence of malware enables us to harvest examples over time and use them as a case study to evaluate how malicious actions evolve and how we can design automated systems to detect and classify them in spite of their dynamic, evasive properties.

To do this, we need to better understand current trends in malware and how to represent them in more effective abstractions, which often requires developing scalable program analysis techniques that can be embedded in large-scale analysis pipelines. Crafting suitable representations of malicious behaviour, both statically and dynamically, allows us to employ statistical techniques such as machine learning that can generalise to new, previously unseen, samples.

Related Publications

Are Machine Learning Models for Malware Detection Ready for Prime Time?
Lorenzo Cavallaro and Johannes Kinder and Feargus Pendlebury and Fabio Pierazzi
IEEE S&P Magazine · IEEE Security & Privacy Magazine, 2023
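@article{CavKinPen23,
  author  = {Cavallaro, Lorenzo and Kinder, Johannes and Pendlebury, Feargus and Pierazzi, Fabio},
  title   = {Are Machine Learning Models for Malware Detection Ready for Prime Time?},
  journal = {{IEEE} Security \& Privacy Magazine},
  year    = {2023},
  volume  = {21},
  number  = {2},
  pages   = {53--56},
  doi     = {10.1109/MSEC.2023.3236543},
}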
Drift Forensics of Malware Classifiers
Theo Chow and Zeliang Kan and Lorenz Linhardt and Lorenzo Cavallaro and Daniel Arp and Fabio Pierazzi
AISec · In Proc. of the ACM Workshop on Artificial Intelligence and Security, 2023
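@inproceedings{chow2023driftforensics,
  author    = {Chow, Theo and Kan, Zeliang and Linhardt, Lorenz and Cavallaro, Lorenzo and Arp, Daniel and Pierazzi, Fabio},
  title     = {Drift Forensics of Malware Classifiers},
  booktitle = {Proc. of the {ACM} Workshop on Artificial Intelligence and Security ({AISec})},
  year      = {2023},
}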
Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers
Limin Yang, Zhi Chen, Jacopo Cortellazzi, Feargus Pendlebury, Kevin Tu, Fabio Pierazzi, Lorenzo Cavallaro, Gang Wang
IEEE S&P · 44th IEEE Symposium on Security and Privacy, 2023
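@inproceedings{yang2022jigsaw,
  author        = {Yang, Limin and Chen, Zhi and Cortellazzi, Jacopo and Pendlebury, Feargus and Tu, Kevin and Pierazzi, Fabio and Cavallaro, Lorenzo and Wang, Gang},
  title         = {{Jigsaw Puzzle}: Selective Backdoor Attack to Subvert Malware Classifiers},
  booktitle     = {{IEEE} Symposium on Security and Privacy},
  year          = {2023},
  url           = {https://arxiv.org/abs/2202.05470},
  eprint        = {2202.05470},
  archivePrefix = {arXiv},
}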
Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors
Zhi Chen and Zhenning Zhang and Zeliang Kan and Limin Yang and Jacopo Cortellazzi and Feargus Pendlebury and Fabio Pierazzi and Lorenzo Cavallaro and Gang Wang
DLSP · 6th IEEE Workshop on Deep Learning Security and Privacy, 2023
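@inproceedings{chen23dlsp,
  author    = {Chen, Zhi and Zhang, Zhenning and Kan, Zeliang and Yang, Limin and Cortellazzi, Jacopo and Pendlebury, Feargus and Pierazzi, Fabio and Cavallaro, Lorenzo and Wang, Gang},
  title     = {Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors},
  booktitle = {{IEEE} Workshop on Deep Learning Security and Privacy ({DLSP})},
  year      = {2023},
}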
Dos and Don'ts of Machine Learning in Computer Security
Daniel Arp, Erwin Quiring, Feargus Pendlebury, Alexander Warnecke, Fabio Pierazzi, Christian Wressnegger, Lorenzo Cavallaro, Konrad Rieck
USENIX Sec | Distinguished Paper Award · 31st USENIX Security Symposium, 2022
@inproceedings{arp2022dodo,
  title     = {Dos and Don'ts of Machine Learning in Computer Security},
  author    = {Arp, Daniel and Quiring, Erwin and Pendlebury, Feargus and Warnecke, Alexander and Pierazzi, Fabio and Wressnegger, Christian and Cavallaro, Lorenzo and Rieck, Konrad},
  booktitle = {31st USENIX Security Symposium},
  year      = {2022},
}
Transcending Transcend: Revisiting Malware Classification in the Presence of Concept Drift
Federico Barbero, Feargus Pendlebury, Fabio Pierazzi, and Lorenzo Cavallaro
IEEE S&P · 43rd IEEE Symposium on Security and Privacy, 2022
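@inproceedings{barbero2022transcendent,
  author    = {Barbero, Federico and Pendlebury, Feargus and Pierazzi, Fabio and Cavallaro, Lorenzo},
  title     = {Transcending {Transcend}: Revisiting Malware Classification in the Presence of Concept Drift},
  booktitle = {{IEEE} Symposium on Security and Privacy},
  year      = {2022},
}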
Realizable Universal Adversarial Perturbations for Malware
Raphael Labaca-Castro, Luis Muñoz-González, Feargus Pendlebury, Gabi Dreo Rodosek, Fabio Pierazzi, Lorenzo Cavallaro
CoRR · arXiv CoRR, 2022
@article{labacacastro2022uaps,
  title         = {Realizable Universal Adversarial Perturbations for Malware},
  author        = {Raphael Labaca-Castro and Luis Muñoz-González and Feargus Pendlebury and Gabi Dreo Rodosek and Fabio Pierazzi and Lorenzo Cavallaro},
  journal       = {CoRR},
  volume        = {abs/2102.06747},
  year          = {2022},
  eprint        = {2102.06747},
  archivePrefix = {arXiv},
  url           = {https://arxiv.org/abs/2102.06747},
}
Investigating Labelless Drift Adaptation for Malware Detection
Zeliang Kan and Feargus Pendlebury and Fabio Pierazzi and Lorenzo Cavallaro
AISec · 14th ACM Workshop on Artificial Intelligence and Security, 2021
@inproceedings{kan2021adaptation,
  title     = {Investigating Labelless Drift Adaptation for Malware Detection},
  author    = {Kan, Zeliang and Pendlebury, Feargus and Pierazzi, Fabio and Cavallaro, Lorenzo},
  booktitle = {{ACM} Workshop on Artificial Intelligence and Security ({AISec})},
  year      = {2021},
}
INSOMNIA: Towards Concept-Drift Robustness in Network Intrusion Detection
Giuseppina Andresini and Feargus Pendlebury and Fabio Pierazzi and Corrado Loglisci and Annalisa Appice and Lorenzo Cavallaro
AISec · 14th ACM Workshop on Artificial Intelligence and Security, 2021
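@inproceedings{andresini2021insomnia,
  author    = {Andresini, Giuseppina and Pendlebury, Feargus and Pierazzi, Fabio and Loglisci, Corrado and Appice, Annalisa and Cavallaro, Lorenzo},
  title     = {{INSOMNIA}: Towards Concept-Drift Robustness in Network Intrusion Detection},
  booktitle = {{ACM} Workshop on Artificial Intelligence and Security ({AISec})},
  year      = {2021},
}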
Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets
Jason Gray, Daniele Sgandurra, Lorenzo Cavallaro
CoRR · arXiv CoRR, 2021
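@article{gray2021aptclass,
  author        = {Gray, Jason and Sgandurra, Daniele and Cavallaro, Lorenzo},
  title         = {Identifying Authorship Style in Malicious Binaries: Techniques, Challenges \& Datasets},
  journal       = {CoRR},
  volume        = {abs/2101.06124},
  year          = {2021},
  url           = {http://arxiv.org/abs/2101.06124},
  eprint        = {2101.06124},
  archivePrefix = {arXiv},
}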
Intriguing Properties of Adversarial ML Attacks in the Problem Space
Fabio Pierazzi*, Feargus Pendlebury*, Jacopo Cortellazzi, Lorenzo Cavallaro
IEEE S&P · 41st IEEE Symposium on Security and Privacy, 2020
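@inproceedings{pierazzi2020problemspace,
  author    = {Pierazzi, Fabio and Pendlebury, Feargus and Cortellazzi, Jacopo and Cavallaro, Lorenzo},
  title     = {Intriguing Properties of Adversarial {ML} Attacks in the Problem Space},
  booktitle = {2020 {IEEE} Symposium on Security and Privacy ({SP})},
  year      = {2020},
  pages     = {1308--1325},
  publisher = {IEEE Computer Society},
  issn      = {2375-1207},
  doi       = {10.1109/SP40000.2020.00073},
  url       = {https://doi.ieeecomputersociety.org/10.1109/SP40000.2020.00073},
}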
On the Dissection of Evasive Malware
Daniele Cono D'Elia, Emilio Coppa, Federico Palmaro, and Lorenzo Cavallaro
IEEE T-IFS · IEEE Trans. Information Forensics and Security, 2020
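@article{DBLP:journals/tifs/delia,
  author    = {Daniele Cono D'Elia and Emilio Coppa and Federico Palmaro and Lorenzo Cavallaro},
  title     = {On the Dissection of Evasive Malware},
  journal   = {{IEEE} Trans. Information Forensics and Security},
  volume    = {15},
  pages     = {2750--2765},
  year      = {2020},
  url       = {https://doi.org/10.1109/TIFS.2020.2976559},
  doi       = {10.1109/TIFS.2020.2976559},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  note      = {IEEE TIFS},
}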
TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time
Feargus Pendlebury*, Fabio Pierazzi*, Roberto Jordaney, Johannes Kinder, and Lorenzo Cavallaro
USENIX Sec · 28th USENIX Security Symposium, 2019
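@inproceedings{pendlebury2019tesseract,
  author    = {Pendlebury, Feargus and Pierazzi, Fabio and Jordaney, Roberto and Kinder, Johannes and Cavallaro, Lorenzo},
  title     = {{TESSERACT}: Eliminating Experimental Bias in Malware Classification across Space and Time},
  booktitle = {28th {USENIX} Security Symposium},
  year      = {2019},
  address   = {Santa Clara, CA},
  publisher = {USENIX Association},
  note      = {USENIX Sec},
}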
BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews
Claudio Rizzo, Lorenzo Cavallaro, and Johannes Kinder
RAID · 21st International Symposium on Research in Attacks, Intrusions and Defenses, 2018
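@inproceedings{DBLP:conf/raid/RizzoCK18,
  author    = {Rizzo, Claudio and Cavallaro, Lorenzo and Kinder, Johannes},
  title     = {{BabelView}: Evaluating the Impact of Code Injection Attacks in Mobile Webviews},
  booktitle = {21st International Symposium on Research in Attacks, Intrusions and Defenses ({RAID})},
  series    = {Lecture Notes in Computer Science},
  volume    = {11050},
  pages     = {25--46},
  publisher = {Springer},
  year      = {2018},
}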
Transcend: Detecting Concept Drift in Malware Classification Models
Roberto Jordaney, Kumar Sharad, Santanu K. Dash, Zhi Wang, Davide Papini, Ilia Nouretdinov, and Lorenzo Cavallaro
USENIX Sec · 26th USENIX Security Symposium, 2017
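@inproceedings{jordaney2017,
  author    = {Roberto Jordaney and Kumar Sharad and Santanu K. Dash and Zhi Wang and Davide Papini and Ilia Nouretdinov and Lorenzo Cavallaro},
  title     = {{Transcend}: Detecting Concept Drift in Malware Classification Models},
  booktitle = {26th {USENIX} Security Symposium},
  year      = {2017},
  address   = {Vancouver, BC},
  url       = {https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/jordaney},
  publisher = {USENIX Association},
  note      = {USENIX Sec},
}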
Understanding Android App Piggybacking: A Systematic Study of Malicious Code Grafting
Li Li, Daoyuan Li, Tegawende F. Bissyande, Jacques Klein, Yves Le Traon, David Lo, and Lorenzo Cavallaro
IEEE T-IFS · IEEE Trans. Information Forensics and Security, 2017
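@article{DBLP:journals/tifs/0029LBKTLC17,
  author    = {Li, Li and Li, Daoyuan and Bissyande, Tegawende F. and Klein, Jacques and Le Traon, Yves and Lo, David and Cavallaro, Lorenzo},
  title     = {Understanding {Android} App Piggybacking: A Systematic Study of Malicious Code Grafting},
  journal   = {{IEEE} Trans. Information Forensics and Security},
  volume    = {12},
  number    = {6},
  pages     = {1269--1284},
  year      = {2017},
  url       = {https://doi.org/10.1109/TIFS.2017.2656460},
  doi       = {10.1109/TIFS.2017.2656460},
  timestamp = {Sun, 28 May 2017 13:17:25 +0200},
  biburl    = {http://dblp.uni-trier.de/rec/bib/journals/tifs/0029LBKTLC17},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  note      = {IEEE TIFS},
}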
Euphony: Harmonious Unification of Cacophonous Anti-Virus Vendor Labels for Android Malware
Mederic Hurier, Guillermo Suarez-Tangil, Santanu Kumar Dash, Tegawende F. Bissyande, Yves Le Traon, Jacques Klein, and Lorenzo Cavallaro
MSR · 14th International Conference on Mining Software Repositories, 2017
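@inproceedings{DBLP:conf/msr/HurierSDBTKC17,
  author    = {Hurier, Mederic and Suarez-Tangil, Guillermo and Dash, Santanu Kumar and Bissyande, Tegawende F. and Le Traon, Yves and Klein, Jacques and Cavallaro, Lorenzo},
  title     = {{Euphony}: Harmonious Unification of Cacophonous Anti-Virus Vendor Labels for {Android} Malware},
  booktitle = {Proceedings of the 14th International Conference on Mining Software Repositories, {MSR} 2017, Buenos Aires, Argentina, May 20--28},
  pages     = {425--435},
  year      = {2017},
  doi       = {10.1109/MSR.2017.57},
  timestamp = {Fri, 07 Jul 2017 14:06:35 +0200},
  biburl    = {http://dblp.uni-trier.de/rec/bib/conf/msr/HurierSDBTKC17},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  note      = {MSR},
}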
The Evolution of Android Malware and Android Analysis Techniques
Kimberly Tam, Ali Feizollah, Badrul Nor Anuar, Rosli Salleh, and Lorenzo Cavallaro
ACM CSUR · ACM Computing Surveys, 2017
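@article{Tam:2017:EAM:3022634.3017427,
  author     = {Kimberly Tam and Ali Feizollah and Badrul Nor Anuar and Rosli Salleh and Lorenzo Cavallaro},
  title      = {The Evolution of {Android} Malware and {Android} Analysis Techniques},
  journal    = {{ACM} Computing Surveys},
  issue_date = {February 2017},
  volume     = {49},
  number     = {4},
  month      = jan,
  year       = {2017},
  issn       = {0360-0300},
  pages      = {76:1--76:41},
  articleno  = {76},
  numpages   = {41},
  url        = {http://doi.acm.org/10.1145/3017427},
  doi        = {10.1145/3017427},
  acmid      = {3017427},
  publisher  = {ACM},
  address    = {New York, NY, USA},
  keywords   = {Android, classification, detection, dynamic analysis, malware, static analysis},
  note       = {ACM CSUR},
}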
DroidSieve: Fast and Accurate Classification of Obfuscated Android Malware
Guillermo Suarez-Tangil, Santanu Kumar Dash, Mansour Ahmadi, Johannes Kinder, Giorgio Giacinto, and Lorenzo Cavallaro
ACM CODASPY · 7th ACM Conference on Data and Application Security and Privacy, 2017
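@inproceedings{codaspy17,
  author    = {Suarez-Tangil, Guillermo and Dash, Santanu Kumar and Ahmadi, Mansour and Kinder, Johannes and Giacinto, Giorgio and Cavallaro, Lorenzo},
  title     = {{DroidSieve}: Fast and Accurate Classification of Obfuscated {Android} Malware},
  booktitle = {Proceedings of the Seventh {ACM} Conference on Data and Application Security and Privacy},
  year      = {2017},
  month     = mar,
  url       = {http://dx.doi.org/10.1145/3029806.3029825},
  doi       = {10.1145/3029806.3029825},
  note      = {ACM CODASPY},
}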
Misleading Metrics: On Evaluating Machine Learning for Malware with Confidence
Roberto Jordaney, Zhi Wang, Davide Papini, Ilia Nouretdinov, and Lorenzo Cavallaro
TR@RHUL · Technical Report, 2016
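@techreport{RHUL2016,
  author      = {Jordaney, Roberto and Wang, Zhi and Papini, Davide and Nouretdinov, Ilia and Cavallaro, Lorenzo},
  title       = {Misleading Metrics: On Evaluating Machine Learning for Malware with Confidence},
  institution = {Royal Holloway, University of London},
  year        = {2016},
  number      = {2016-1},
  note        = {TR@RHUL},
}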
DroidScribe: Classifying Android Malware Based on Runtime Behavior
Santanu Kumar Dash, Guillermo Suarez-Tangil, Salahuddin Khan, Kimberly Tam, Mansour Ahmadi, Johannes Kinder, and Lorenzo Cavallaro
IEEE S&P-MoST · IEEE Security and Privacy Workshops: Mobile Security Technologies, 2016
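@inproceedings{most16-droidscribe,
  author    = {Dash, Santanu Kumar and Suarez-Tangil, Guillermo and Khan, Salahuddin and Tam, Kimberly and Ahmadi, Mansour and Kinder, Johannes and Cavallaro, Lorenzo},
  title     = {{DroidScribe}: Classifying {Android} Malware Based on Runtime Behavior},
  booktitle = {{IEEE} Security and Privacy Workshops: Mobile Security Technologies},
  year      = 2016,
  month     = may,
  note      = {IEEE S\&P-MoST},
}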
You Can't Touch This: Consumer-centric Android Application Repackaging Detection
Iakovos Gurulian, Konstantinos Markantonakis, Lorenzo Cavallaro, and Keith Mayes
FGCS · Future Generation Computer Systems, 2016
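@article{gurulian16:_you_cant_touch_this,
  author  = {Gurulian, Iakovos and Markantonakis, Konstantinos and Cavallaro, Lorenzo and Mayes, Keith},
  title   = {You Can't Touch This: Consumer-centric {Android} Application Repackaging Detection},
  journal = {Future Generation Computer Systems},
  year    = 2016,
  volume  = 65,
  pages   = {1--9},
  month   = dec,
  note    = {FGCS},
}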
Prescience: Probabilistic Guidance on the Retraining Conundrum for Malware Detection
Amit Deo, Santanu Kumar Dash, Guillermo Suarez-Tangil, Volodya Vovk, and Lorenzo Cavallaro
ACM CCS-AISec · 9th ACM CCS Workshop on Artificial Intelligence and Security, 2016
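@inproceedings{aisec16,
  author    = {Deo, Amit and Dash, Santanu Kumar and Suarez-Tangil, Guillermo and Vovk, Volodya and Cavallaro, Lorenzo},
  title     = {{Prescience}: Probabilistic Guidance on the Retraining Conundrum for Malware Detection},
  booktitle = {9th {ACM} {CCS} Workshop on Artificial Intelligence and Security},
  year      = {2016},
  note      = {ACM CCS-AISec},
}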
Conformal Clustering and Its Application to Botnet Traffic
Giovanni Cherubin, Ilia Nouretdinov, Alexander Gammerman, Roberto Jordaney, Zhi Wang, Davide Papini, and Lorenzo Cavallaro
SLDS · 3rd International Symposium of Statistical Learning and Data Science, 2015
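@inproceedings{cherubin,
  author    = {Cherubin, Giovanni and Nouretdinov, Ilia and Gammerman, Alexander and Jordaney, Roberto and Wang, Zhi and Papini, Davide and Cavallaro, Lorenzo},
  title     = {Conformal Clustering and Its Application to Botnet Traffic},
  booktitle = {Statistical Learning and Data Sciences, 3rd International Symposium},
  year      = {2015},
  note      = {SLDS},
}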
CopperDroid: Automatic Reconstruction of Android Malware Behaviors
Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, and Lorenzo Cavallaro
NDSS · 22nd Annual Network and Distributed System Security Symposium, 2015
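@inproceedings{copperdroid-ndss2015,
  author    = {Tam, Kimberly and Khan, Salahuddin J. and Fattori, Aristide and Cavallaro, Lorenzo},
  title     = {{CopperDroid}: Automatic Reconstruction of {Android} Malware Behaviors},
  booktitle = {22nd Annual Network and Distributed System Security Symposium, San Diego, California, USA},
  year      = 2015,
  month     = feb,
  note      = {NDSS},
}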