Malware comes in many different forms and offers an attacker utility at multiple stages of the cyber kill chain, whether it’s stealing data, remote exploitation, or establishing persistence on a machine. With the advent of mobile computing, malware distribution has become an even more efficient, scalable, profit-generating mechanism. Mobile apps can collect sensitive data, generate fraudulent ad revenue, or commandeer the device’s compute power for use in a botnet.

Unlike sporadic and ephemeral threats such as network intrusions, malware is prevalent enough that we can harvest examples over time and use them as a case study to evaluate how malicious actions evolve and how we can design automated systems to detect and classify them in spite of their dynamic, evasive properties.

To do this, we need to better understand current trends in malware and how to represent them in more effective abstractions, which often requires developing scalable program analysis techniques that can be embedded in large-scale analysis pipelines. Crafting suitable representations of malicious behaviour, both statically and dynamically, allows us to employ statistical techniques such as machine learning that can generalise to new, previously unseen samples.

Related Publications

Intriguing Properties of Adversarial ML Attacks in the Problem Space
Fabio Pierazzi*, Feargus Pendlebury*, Jacopo Cortellazzi, Lorenzo Cavallaro
IEEE S&P · 41st IEEE Symposium on Security and Privacy, 2020
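@inproceedings{pierazzi2020problemspace,
  author        = {Pierazzi, Fabio and Pendlebury, Feargus and Cortellazzi, Jacopo and Cavallaro, Lorenzo},
  title         = {Intriguing Properties of Adversarial {ML} Attacks in the Problem Space},
  booktitle     = {2020 {IEEE} Symposium on Security and Privacy ({SP})},
  year          = {2020},
  pages         = {1308--1325},
  issn          = {2375-1207},
  doi           = {10.1109/SP40000.2020.00073},
  publisher     = {IEEE Computer Society},
  internal-note = {Pierazzi and Pendlebury carry a * on the source page (presumably joint first authors); full given names taken from the page byline},
}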
TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time
Feargus Pendlebury*, Fabio Pierazzi*, Roberto Jordaney, Johannes Kinder, and Lorenzo Cavallaro
USENIX Sec · 28th USENIX Security Symposium, 2019
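@inproceedings{pendlebury2019tesseract,
  author        = {Pendlebury, Feargus and Pierazzi, Fabio and Jordaney, Roberto and Kinder, Johannes and Cavallaro, Lorenzo},
  title         = {{TESSERACT}: Eliminating Experimental Bias in Malware Classification across Space and Time},
  booktitle     = {28th {USENIX} Security Symposium},
  year          = {2019},
  address       = {Santa Clara, CA},
  publisher     = {USENIX Association},
  note          = {USENIX Sec},
  internal-note = {Pendlebury and Pierazzi carry a * on the source page (presumably joint first authors); names were comma-separated and could not be parsed by BibTeX},
}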
BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews
Claudio Rizzo, Lorenzo Cavallaro, and Johannes Kinder
RAID · 21st International Symposium on Research in Attacks, Intrusions and Defenses, 2018
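@inproceedings{DBLP:conf/raid/RizzoCK18,
  author    = {Rizzo, Claudio and Cavallaro, Lorenzo and Kinder, Johannes},
  title     = {{BabelView}: Evaluating the Impact of Code Injection Attacks in Mobile Webviews},
  booktitle = {21st International Symposium on Research in Attacks, Intrusions and Defenses ({RAID})},
  series    = {Lecture Notes in Computer Science},
  volume    = {11050},
  pages     = {25--46},
  publisher = {Springer},
  year      = {2018},
}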
Transcend: Detecting Concept Drift in Malware Classification Models
Roberto Jordaney, Kumar Sharad, Santanu K. Dash, Zhi Wang, Davide Papini, Ilia Nouretdinov, and Lorenzo Cavallaro
USENIX Sec · 26th USENIX Security Symposium, 2017
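@inproceedings{jordaney2017,
  author    = {Jordaney, Roberto and Sharad, Kumar and Dash, Santanu K. and Wang, Zhi and Papini, Davide and Nouretdinov, Ilia and Cavallaro, Lorenzo},
  title     = {{Transcend}: Detecting Concept Drift in Malware Classification Models},
  booktitle = {26th {USENIX} Security Symposium},
  year      = {2017},
  address   = {Vancouver, BC},
  publisher = {USENIX Association},
  url       = {https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/jordaney},
  note      = {USENIX Sec},
}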
Understanding Android App Piggybacking: A Systematic Study of Malicious Code Grafting
Li Li, Daoyuan Li, Tegawende F. Bissyande, Jacques Klein, Yves Le Traon, David Lo, and Lorenzo Cavallaro
IEEE T-IFS · IEEE Trans. Information Forensics and Security, 2017
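@article{DBLP:journals/tifs/0029LBKTLC17,
  author    = {Li, Li and Li, Daoyuan and Bissyande, Tegawende F. and Klein, Jacques and Le Traon, Yves and Lo, David and Cavallaro, Lorenzo},
  title     = {Understanding {Android} App Piggybacking: A Systematic Study of Malicious Code Grafting},
  journal   = {{IEEE} Transactions on Information Forensics and Security},
  volume    = {12},
  number    = {6},
  pages     = {1269--1284},
  year      = {2017},
  doi       = {10.1109/TIFS.2017.2656460},
  note      = {IEEE TIFS},
  biburl    = {http://dblp.uni-trier.de/rec/bib/journals/tifs/0029LBKTLC17},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  timestamp = {Sun, 28 May 2017 13:17:25 +0200},
}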
Euphony: Harmonious Unification of Cacophonous Anti-Virus Vendor Labels for Android Malware
Mederic Hurier, Guillermo Suarez-Tangil, Santanu Kumar Dash, Tegawende F. Bissyande, Yves Le Traon, Jacques Klein, and Lorenzo Cavallaro
MSR · 14th International Conference on Mining Software Repositories, 2017
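@inproceedings{DBLP:conf/msr/HurierSDBTKC17,
  author    = {Hurier, Mederic and Suarez-Tangil, Guillermo and Dash, Santanu Kumar and Bissyande, Tegawende F. and Le Traon, Yves and Klein, Jacques and Cavallaro, Lorenzo},
  title     = {{Euphony}: Harmonious Unification of Cacophonous {Anti-Virus} Vendor Labels for {Android} Malware},
  booktitle = {Proceedings of the 14th International Conference on Mining Software Repositories, {MSR} 2017, Buenos Aires, Argentina, May 20--28},
  pages     = {425--435},
  year      = {2017},
  doi       = {10.1109/MSR.2017.57},
  note      = {MSR},
  biburl    = {http://dblp.uni-trier.de/rec/bib/conf/msr/HurierSDBTKC17},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  timestamp = {Fri, 07 Jul 2017 14:06:35 +0200},
}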
The Evolution of Android Malware and Android Analysis Techniques
Kimberly Tam, Ali Feizollah, Badrul Nor Anuar, Rosli Salleh, and Lorenzo Cavallaro
ACM CSUR · ACM Computing Surveys, 2017
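@article{Tam:2017:EAM:3022634.3017427,
  author     = {Tam, Kimberly and Feizollah, Ali and Anuar, Badrul Nor and Salleh, Rosli and Cavallaro, Lorenzo},
  title      = {The Evolution of {Android} Malware and {Android} Analysis Techniques},
  journal    = {{ACM} Computing Surveys},
  volume     = {49},
  number     = {4},
  month      = jan,
  year       = {2017},
  issn       = {0360-0300},
  pages      = {76:1--76:41},
  articleno  = {76},
  numpages   = {41},
  doi        = {10.1145/3017427},
  acmid      = {3017427},
  issue_date = {February 2017},
  publisher  = {ACM},
  address    = {New York, NY, USA},
  keywords   = {Android, classification, detection, dynamic analysis, malware, static analysis},
  note       = {ACM CSUR},
}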
DroidSieve: Fast and Accurate Classification of Obfuscated Android Malware
Guillermo Suarez-Tangil, Santanu Kumar Dash, Mansour Ahmadi, Johannes Kinder, Giorgio Giacinto, and Lorenzo Cavallaro
ACM CODASPY · 7th ACM Conference on Data and Application Security and Privacy, 2017
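@inproceedings{codaspy17,
  author    = {Suarez-Tangil, Guillermo and Dash, Santanu Kumar and Ahmadi, Mansour and Kinder, Johannes and Giacinto, Giorgio and Cavallaro, Lorenzo},
  title     = {{DroidSieve}: Fast and Accurate Classification of Obfuscated {Android} Malware},
  booktitle = {Proceedings of the Seventh {ACM} Conference on Data and Application Security and Privacy},
  year      = {2017},
  month     = mar,
  doi       = {10.1145/3029806.3029825},
  publisher = {ACM},
  note      = {ACM CODASPY},
}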
Misleading Metrics: On Evaluating Machine Learning for Malware with Confidence
Roberto Jordaney, Zhi Wang, Davide Papini, Ilia Nouretdinov, and Lorenzo Cavallaro
TR@RHUL · Technical Report, 2016
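@techreport{RHUL2016,
  author      = {Jordaney, Roberto and Wang, Zhi and Papini, Davide and Nouretdinov, Ilia and Cavallaro, Lorenzo},
  title       = {Misleading Metrics: On Evaluating Machine Learning for Malware with Confidence},
  institution = {Royal Holloway, University of London},
  type        = {Technical Report},
  number      = {2016-1},
  year        = {2016},
  note        = {TR@RHUL},
}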
DroidScribe: Classifying Android Malware Based on Runtime Behavior
Santanu Kumar Dash, Guillermo Suarez-Tangil, Salahuddin Khan, Kimberly Tam, Mansour Ahmadi, Johannes Kinder, and Lorenzo Cavallaro
IEEE S&P-MoST · IEEE Security and Privacy Workshops: Mobile Security Technologies, 2016
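@inproceedings{most16-droidscribe,
  author    = {Dash, Santanu Kumar and Suarez-Tangil, Guillermo and Khan, Salahuddin and Tam, Kimberly and Ahmadi, Mansour and Kinder, Johannes and Cavallaro, Lorenzo},
  title     = {{DroidScribe}: Classifying {Android} Malware Based on Runtime Behavior},
  booktitle = {{IEEE} Security and Privacy Workshops: Mobile Security Technologies},
  year      = {2016},
  month     = may,
  note      = {IEEE S\&P-MoST},
}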
You Can't Touch This: Consumer-centric Android Application Repackaging Detection
Iakovos Gurulian, Konstantinos Markantonakis, Lorenzo Cavallaro, and Keith Mayes
FGCS · Future Generation Computer Systems, 2016
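@article{gurulian16:_you_cant_touch_this,
  author  = {Gurulian, Iakovos and Markantonakis, Konstantinos and Cavallaro, Lorenzo and Mayes, Keith},
  title   = {You Can't Touch This: Consumer-centric {Android} Application Repackaging Detection},
  journal = {Future Generation Computer Systems},
  volume  = {65},
  pages   = {1--9},
  month   = dec,
  year    = {2016},
  note    = {FGCS},
}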
Prescience: Probabilistic Guidance on the Retraining Conundrum for Malware Detection
Amit Deo, Santanu Kumar Dash, Guillermo Suarez-Tangil, Volodya Vovk, and Lorenzo Cavallaro
ACM CCS-AISec · 9th ACM CCS Workshop on Artificial Intelligence and Security, 2016
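@inproceedings{aisec16,
  author    = {Deo, Amit and Dash, Santanu Kumar and Suarez-Tangil, Guillermo and Vovk, Volodya and Cavallaro, Lorenzo},
  title     = {{Prescience}: Probabilistic Guidance on the Retraining Conundrum for Malware Detection},
  booktitle = {9th {ACM} {CCS} Workshop on Artificial Intelligence and Security},
  year      = {2016},
  publisher = {ACM},
  note      = {ACM CCS-AISec},
}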
Conformal Clustering and Its Application to Botnet Traffic
Giovanni Cherubin, Ilia Nouretdinov, Alexander Gammerman, Roberto Jordaney, Zhi Wang, Davide Papini, and Lorenzo Cavallaro
SLDS · 3rd International Symposium of Statistical Learning and Data Science, 2015
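@inproceedings{cherubin,
  author    = {Cherubin, Giovanni and Nouretdinov, Ilia and Gammerman, Alexander and Jordaney, Roberto and Wang, Zhi and Papini, Davide and Cavallaro, Lorenzo},
  title     = {Conformal Clustering and Its Application to Botnet Traffic},
  booktitle = {Statistical Learning and Data Sciences, 3rd International Symposium ({SLDS})},
  year      = {2015},
  note      = {SLDS},
}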
CopperDroid: Automatic Reconstruction of Android Malware Behaviors
Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, and Lorenzo Cavallaro
NDSS · 22nd Annual Network and Distributed System Security Symposium, 2015
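@inproceedings{copperdroid-ndss2015,
  author        = {Tam, Kimberly and Khan, Salahuddin J. and Fattori, Aristide and Cavallaro, Lorenzo},
  title         = {{CopperDroid}: Automatic Reconstruction of {Android} Malware Behaviors},
  booktitle     = {22nd Annual Network and Distributed System Security Symposium ({NDSS}), San Diego, California, USA},
  year          = {2015},
  month         = feb,
  note          = {NDSS},
  internal-note = {author list was comma-separated in the original and would not parse as four names},
}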