Application of GIS and Spatial Data Modeling to Archaeology: A Case Study in the American Southwest
One of the most important methodological advances in the archaeology of the past quarter century is the use of Geographic Information System (GIS) in archaeological research. Within this time frame, GIS has evolved from an emergent geospatial technology with limited mapmaking capabilities to a technology of choice for cultural resource managers, planners, and academic archaeologists alike. This dissertation examines the evolutionary trajectory and impact of GIS in the discipline since its introduction, and its potential to support new applications of GIS-driven innovation in archaeological research. As part of this project, two separate studies were conducted. The first study assessed adoption and diffusion trends for the technology based on the published literature from 1987-2010 using bibliometric and content analysis. These results suggest that despite adoption reaching a critical mass point in 2003-2006, GIS use is still maturing, and emphasis continues to be on methodological refinements rather than theoretical advances. Many of the technical developments coincide with larger changes within computing and in the convergence of technologies and platforms within the GIS industry. Recent publications, however, indicate the emergence of a possibly new direction for archaeological research which relies more on computationally intensive rather than empirical methods of investigation, in effect blurring traditional distinctions between method and theory. The second study conducted as part of this project explores the implications of this phenomenon by developing and implementing an application within a GIS environment for knowledge discovery in databases. The objective was to explore the feasibility and efficacy of geographic data mining using current technologies and archaeological data standards, identify barriers to its implementation, and demonstrate a new course for GIS-driven innovation in the field. 
Various archaeological and environmental datasets from the Fort Wingate Depot Activity in western New Mexico, USA, were selected, compiled, prepared, and analyzed as part of the case study. Logistic regression was combined with Weights-of-Evidence modeling to discover previously unknown but statistically significant relationships and patterns within the prehistoric and historic data. This study offers suggestions on both how to adapt old data to new technologies and how to adapt new technologies to new ways of thinking.
Mining structural and behavioral patterns in smart malware
International Doctorate Mention. Funcas, Enrique Fuentes Quintana Award 2016.

Smart devices equipped with powerful sensing, computing and networking capabilities have proliferated lately, ranging from popular smartphones and tablets to Internet appliances, smart TVs, and others that will soon appear (e.g., watches, glasses, and clothes). One key feature of such devices is their ability to incorporate third-party apps from a variety of markets. This poses serious security and privacy issues for users and infrastructure operators, particularly through software of malicious (or dubious) nature that can easily gain access to the services provided by the device and collect sensor data and personal information.

Malware in current smart devices, mostly smartphones and tablets, has rocketed in the last few years, supported by sophisticated techniques (e.g., advanced obfuscation and targeted infection and activation engines) purposely designed to overcome the security architectures currently in use by such devices. This phenomenon is known as the proliferation of smart malware. Even though important advances have been made in malware analysis and detection on traditional personal computers during the last decades, adopting and adapting those techniques to smart devices is a challenging problem. For example, power consumption is one major constraint that makes it unaffordable to run traditional detection engines on the device, while externalized (i.e., cloud-based) techniques raise many privacy concerns.

This thesis examines the problem of smart malware in such devices, aiming at designing and developing new approaches to assist security analysts and end users in analyzing the security nature of apps. We first present a comprehensive analysis of how malware has evolved over the last years, as well as recent progress made in analyzing and detecting malware. Additionally, we compile a suite of the most cutting-edge open source tools, and we design a versatile and multipurpose research laboratory for smart malware analysis and detection.

Second, we propose a number of methods and techniques aimed at better analyzing smart malware in scenarios with a constant and large stream of apps that require security inspection. More precisely, we introduce Dendroid, an effective system based on text mining and information retrieval techniques. Dendroid uses static analysis to measure the similarity between malware samples, which is then used to automatically classify them into families with remarkable accuracy. Then, we present Alterdroid, a novel dynamic analysis technique for automatically detecting hidden or obfuscated malware functionality. Alterdroid introduces the notion of differential fault analysis for effectively mining obfuscated malware components distributed as parts of an app package.
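A toy version of the text-mining approach, added here as an illustration (it is not Dendroid's code, and the tokens stand in for whatever code features a real static-analysis front end would extract): each sample is a bag of tokens weighted with TF-IDF, an unknown sample is compared with the labeled ones by cosine similarity and inherits the family of its nearest neighbour, and a similarity floor (0.3, an arbitrary assumption) keeps a sample that resembles nothing from being forced into a family. The corpus below is constructed.

```python
import math
from collections import Counter

# Constructed corpus (not Dendroid's data or feature set): each labeled sample is
# reduced by static analysis to a bag of tokens, here hand-written API names and
# Dalvik opcodes standing in for the real extracted code features.
LABELED = {
    "sms1": ("SmsSender", ["sendTextMessage", "getLine1Number", "startService",
                           "getDeviceId", "invoke-virtual", "const-string"]),
    "sms2": ("SmsSender", ["sendTextMessage", "getSubscriberId", "startService",
                           "invoke-virtual", "const-string", "abortBroadcast"]),
    "rat1": ("RemoteShell", ["Socket", "Runtime.exec", "DataOutputStream",
                             "getRuntime", "invoke-static", "new-instance"]),
    "rat2": ("RemoteShell", ["Socket", "Runtime.exec", "ServerSocket",
                             "getRuntime", "invoke-static", "move-result"]),
}


def fit_idf(docs):
    """Smoothed inverse document frequency over a corpus of token lists."""
    n = len(docs)
    df = Counter()
    for tokens in docs:
        df.update(set(tokens))
    idf = {t: math.log((1 + n) / (1 + d)) + 1.0 for t, d in df.items()}
    unseen = math.log(1 + n) + 1.0  # weight for a token absent from the corpus
    return idf, unseen


def vectorize(tokens, idf, unseen):
    """TF-IDF weights for one sample, as a sparse dict token -> weight."""
    tf = Counter(tokens)
    return {t: (c / len(tokens)) * idf.get(t, unseen) for t, c in tf.items()}


def cosine(u, v):
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    norm = math.sqrt(sum(w * w for w in u.values())) * math.sqrt(sum(w * w for w in v.values()))
    return dot / norm if norm else 0.0


def classify(tokens, labeled=LABELED, threshold=0.3):
    """Family of the most similar labeled sample, or 'unknown' below the floor.
    Returns (family, nearest sample id, similarity rounded to 3 decimals)."""
    idf, unseen = fit_idf([toks for _, toks in labeled.values()])
    vectors = {sid: vectorize(toks, idf, unseen) for sid, (_, toks) in labeled.items()}
    query = vectorize(tokens, idf, unseen)
    sims = {sid: cosine(query, vec) for sid, vec in vectors.items()}
    nearest = max(sims, key=sims.get)
    best = sims[nearest]
    family = labeled[nearest][0] if best >= threshold else "unknown"
    return family, nearest, round(best, 3)


if __name__ == "__main__":
    # A variant that shares most of its vocabulary with the SMS family ...
    print(classify(["sendTextMessage", "getLine1Number", "startService",
                    "invoke-virtual", "const-string"]))
    # ... and a sample whose tokens barely overlap with anything labeled.
    print(classify(["openCamera", "takePicture", "MediaRecorder", "new-instance"]))
```

In practice the floor matters as much as the metric: the identifier and string obfuscation that Alterdroid is designed to see through removes most of the shared vocabulary, so an obfuscated variant drifts towards "unknown" rather than being silently assigned to the wrong family.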
Next, we present an evaluation of the power-consumption trade-offs among different strategies for off-loading, or not, certain security tasks to the cloud. We develop a system for testing several functional tasks and metering their power consumption, called Meterdroid. Based on the results obtained in this analysis, we then propose a cloud-based system, called Targetdroid, that addresses the problem of detecting targeted malware by relying on stochastic models of usage and context events derived from real user traces. Based on these models, we build an efficient automatic testing system capable of triggering targeted malware.

Finally, based on the conclusions drawn from this thesis, we propose a number of open research problems and future directions where there is room for research.

Spanish-language abstract (translated):

Smart devices have in a few years become highly popular appliances with large computing, communication and sensing capabilities. They include devices such as smartphones, smart TVs and, more recently, smart watches, glasses and clothing. A key feature of this type of device is its ability to incorporate third-party applications from a wide variety of markets. This poses serious security and privacy problems for their users and for infrastructure operators, above all through software of a malicious nature (or malware), which can easily access the services provided by the device and collect sensitive sensor data and personal information.

In recent years a radical increase has been observed in malware attacking these smart devices, mainly smartphones, supported by sophisticated techniques designed to defeat the security systems deployed by the devices. This phenomenon has given rise to the proliferation of smart malware. Some examples of these smart techniques are the use of obfuscation methods, targeted infection strategies and context-based activation engines. Although important advances have been made in recent decades in malware analysis and detection on personal computers, adapting and porting these techniques to smart devices is a hard problem to solve. In particular, energy consumption is one of the main limitations to which these devices are exposed. This limitation makes the use of traditional detection engines unaffordable. Conversely, the use of externalized (that is, cloud-based) detection strategies poses a major threat to the privacy of their users.

This thesis analyzes the problem of smart malware afflicting these devices, with the aim of designing and developing new approaches that help security analysts and end users in the task of analyzing applications. First, an exhaustive analysis is presented of the evolution malware has followed in recent years, as well as the most recent advances aimed at analyzing apps and detecting malware. In addition, we integrate and extend the most advanced open source tools used by the community, and we design a laboratory that allows smart malware to be analyzed in a versatile and multipurpose way.

Second, a series of techniques is proposed aimed at improving the analysis of smart malware in scenarios where large numbers of samples need to be analyzed. Specifically, we propose Dendroid, a system based on text mining that allows sets of apps to be analyzed effectively. Dendroid uses static code analysis to extract a measure of the similarity between different malware samples. This distance subsequently allows each sample to be classified into its corresponding malware family automatically and with high precision. Separately, we propose a dynamic code analysis technique, called Alterdroid, that automatically detects hidden and/or obfuscated functionality. Alterdroid introduces a new analysis method based on fault injection and differential analysis of the associated behavior. Finally, we present an evaluation of the energy consumption associated with different externalization strategies used to move certain security tasks to the cloud. To that end, we develop a system called Meterdroid that allows different functionalities to be tested and their consumption measured. Based on the results of this analysis, we propose a system called Targetdroid that uses the cloud to address the problem of detecting targeted or specialized malware. This system uses stochastic models to model user behavior as well as the context that surrounds them. In this way, Targetdroid also allows targeted malware to be detected automatically by means of these models.

To conclude, from the conclusions drawn in this thesis, we identify a series of open lines of research and future work.

Doctoral programme: Programa Oficial de Doctorado en Ciencia y Tecnología Informática. Committee: Chair, Francisco Javier López Muñoz; Secretary, Jesús García Herrero; Member, Nadarajah Asoka
Euphony: Harmonious Unification of Cacophonous Anti-Virus Vendor Labels for Android Malware
Android malware is now pervasive and evolving rapidly. Thousands of malware samples are discovered every day with new attack models. The growth of these threats has come hand in hand with the proliferation of collective repositories sharing the latest specimens. Having access to a large number of samples opens new research directions aimed at efficiently vetting apps. However, automatically inferring a reference ground truth from those repositories is not straightforward and can inadvertently lead to unforeseen misconceptions. On the one hand, samples are often mislabeled because different parties use distinct naming schemes for the same sample. On the other hand, samples are frequently misclassified due to conceptual errors made during labeling processes. In this paper, we analyze the associations between all labels given by different vendors and we propose a system called EUPHONY to systematically unify common samples into family groups. The key novelty of our approach is that no a priori knowledge of malware families is needed. We evaluate our approach using reference datasets and more than 0.4 million additional samples outside of these datasets. Results show that EUPHONY provides competitive performance against the state of the art.
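To show what label unification can and cannot recover, here is an added Python example, not EUPHONY's algorithm: vendor labels for five constructed samples are tokenized, platform and type words and variant suffixes are discarded, tokens that co-occur across samples are merged under one canonical family name (the co-occurrence rule and the noise list are assumptions of this example), and each sample receives the canonical token with the most vendor votes.

```python
import re
from collections import Counter

# Constructed vendor labels for five hypothetical samples (not real detections):
# every vendor uses its own naming scheme for the same family.
REPORTS = {
    "s1": {"AV1": "Android.Trojan.DroidKungFu.A", "AV2": "Trojan:Android/KungFu.B", "AV3": "Andr/DKungFu-C"},
    "s2": {"AV1": "Android.Trojan.DroidKungFu.B", "AV2": "Trojan:Android/KungFu.A", "AV3": "Andr/Generic-S"},
    "s3": {"AV1": "Android.Trojan.Plankton.A", "AV2": "Trojan:Android/Plankton.C", "AV3": "Andr/Plankton-D"},
    "s4": {"AV1": "Android.Adware.Plankton.B", "AV2": "Adware:Android/Plankton.A", "AV3": "Andr/Generic-S"},
    "s5": {"AV1": "Android.Trojan.Geinimi.A", "AV2": "Trojan:Android/Geinimi.A"},
}

# Platform, type and placeholder words carry no family information (assumed list).
NOISE = {"android", "andr", "trojan", "trj", "adware", "riskware", "generic",
         "malware", "heur", "variant", "agent"}


def family_tokens(label):
    """Lower-case a vendor label, split on punctuation, drop noise words,
    variant suffixes (one or two characters) and pure numbers."""
    toks = re.split(r"[^a-z0-9]+", label.lower())
    return {t for t in toks if t and t not in NOISE and len(t) > 2 and not t.isdigit()}


def learn_aliases(reports):
    """Merge tokens that co-occur across samples: a token is an alias of a token
    that appears alongside it in at least half of its samples and is at least as
    common (assumed rule). Returns per-sample tokens, token frequency, alias map."""
    per_sample = {s: set().union(*(family_tokens(l) for l in vendors.values()))
                  for s, vendors in reports.items()}
    freq = Counter(t for toks in per_sample.values() for t in toks)
    co = Counter()
    for toks in per_sample.values():
        for t in toks:
            for u in toks:
                if t != u:
                    co[(t, u)] += 1
    canonical = {}
    for t in freq:
        cands = [u for u in freq
                 if u != t and co[(t, u)] * 2 >= freq[t] and freq[u] >= freq[t]]
        cands.append(t)
        # Prefer the commonest candidate, then the longest (most specific) name.
        canonical[t] = max(cands, key=lambda u: (freq[u], len(u)))

    def resolve(t):  # follow alias chains; the seen-set guards against ties forming a cycle
        seen = set()
        while canonical[t] != t and t not in seen:
            seen.add(t)
            t = canonical[t]
        return t

    return per_sample, freq, {t: resolve(t) for t in canonical}


def unify(reports):
    """Assign each sample the canonical family token with the most vendor votes."""
    per_sample, freq, canonical = learn_aliases(reports)
    families = {}
    for s, toks in per_sample.items():
        votes = Counter(canonical[t] for t in toks)
        families[s] = max(votes, key=lambda f: (votes[f], freq[f])) if votes else "unknown"
    return families


if __name__ == "__main__":
    for sample, family in sorted(unify(REPORTS).items()):
        print(sample, "->", family)
```

Note the two limits the abstract distinguishes. The merge rule fixes naming disagreements (KungFu versus DroidKungFu versus DKungFu) but cannot detect a conceptual misclassification that every vendor shares, because it only has the vendors' votes to work with. And dropping the type token deliberately puts the "Adware" and "Trojan" Plankton labels into one family, which is what a family ground truth needs and what a type ground truth must not do.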
Did Arroyo Formation Impact the Occupation of Snake Rock Village, a Fremont Dryland Agricultural Community in Central Utah, ca. AD 1000–1200?
Fremont farmers of the northern Colorado Plateau grew maize at the limits of cultivation in western North America between AD 300 and 1300. Like other Indigenous farmers throughout the American Southwest, Fremont farmers used bundled agricultural niches in which alluvial floodplains were the largest available site for cultivation. But dryland floodplains are a risk to the persistence of farming communities, because the development of steep-sided arroyos lowers floodplain surfaces and water tables, rendering them unusable for growing maize. This study tests the relationship between the occupational timing of Snake Rock Village between AD 970 and 1240 and the formation of a 4.5 m deep arroyo on Ivie Creek adjacent to the site. I present a high-precision AMS radiocarbon chronology of the village occupation paired with an AMS radiocarbon reconstruction of the Ivie Creek floodplain 400 m upstream from the site. The results of this study provide a direct test of arroyo formation as a cause for the abandonment of Fremont agriculture by AD 1300. The results indicate that the abandonment of Snake Rock Village does not correspond with an incision of the adjacent floodplain. Instead, the floodplain was still aggrading when Snake Rock Village was abandoned, and the incision did not happen until AD 1570 or AD 1725. Thus, while some evidence implicates arroyo formation as one factor contributing to the abandonment of early agricultural villages in other parts of the northern Colorado Plateau, arroyo formation does not appear to have constrained the persistence of floodplain farming on Ivie Creek.
Exploring undergraduate interactions with mobile privacy and security
Many studies have shown that digital natives are not as tech-savvy as previously thought, and are possibly vulnerable in terms of privacy and security. My focus was to characterise how this generation interacts with mobile privacy and security. We provide evidence from a cohort of South African students, using this to discuss areas in which they need to be protected. We employed a web-based survey of 77 students, supplemented by in-depth interviews with 10 additional students. In both cases, we enquired about knowledge of permissions, encryption and application installation practices. In the in-depth interviews we also observed students as they installed two applications, one of which over-requested permissions. Our findings showed that most students (80%) did not look for or understand permissions, did not understand or look for encryption, and used location-based services unsafely. Based on these results, we argue that digital natives lack the technical skills to properly engage with mobile privacy and security. Furthermore, digital natives do not understand mobile security and privacy features and therefore ignore them. Digital natives trust the authors of software and fail to act securely when security and privacy features are requested out of context. We further argue that this generation of digital natives has been so overexposed to mobile requests that violate their privacy and security that they have become desensitised to them. We further argue that digital natives' definition of privacy is different from that of previous generations. Lastly, we discuss the implications of our findings for Higher Education Institutions, Higher Education Policy and mobile application design.
Techniques for advanced Android malware triage
International Doctorate Mention.

Android is the leading operating system in smartphones by a wide margin. Statistics show that 88% of all smartphones sold to end users in the second quarter of 2018 were phones with the Android OS. Regardless of the operating system running on a smartphone, most of the functionality of these devices is offered through applications. There are currently over 2 million apps on the official Google store alone, known as Google Play. This huge market with billions of users is tempting for attackers to develop and distribute their malicious apps (or malware).

Mobile malware has risen explosively since 2009. Symantec reported an increase of 54% in new mobile malware variants in 2017 compared to the previous year. Additionally, the growth of black markets has provided more incentive for profit-driven malware. This rise has happened for Android malware as well, since only 20% of devices were running the newest major version of the Android OS according to the Symantec report of 2018. Android continued to be the most targeted platform with the largest number of attacks in 2015. After that year, attacks against the Android platform slowed for the first time as attackers were faced with improved security architectures, though Android is still the main appealing target OS for attackers. Moreover, advanced types of Android malware have been found which make use of extensive anti-analysis techniques to evade static or dynamic analysis.

To address the security and privacy concerns of complex Android malware, this dissertation focuses on three main objectives. First, we propose a lightweight yet efficient method to identify risky Android applications. Next, we present a precise approach to characterize Android malware based on their malicious behavior. Finally, we propose an adaptive learning system to address the security concerns of obfuscation in Android malware.

Identifying potentially dangerous and risky applications is an important step in Android malware analysis. To this end, we develop a triage system to rank applications based on their potential risk. Our approach, called TriFlow, relies on static features which are quick to obtain. TriFlow combines a probabilistic model to predict the existence of information flows with a metric of how significant a flow is in benign and malicious apps. Based on this, TriFlow provides a score for each application that can be used to prioritize analysis. It also provides analysts with an explanatory report of the associated risk. Our tool can also be used as a complement to computationally expensive static and dynamic analysis tools.
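As an added illustration of the two ingredients named above (an example written for this page, not TriFlow's code or model), the block below learns from a small constructed, labeled corpus (a) how likely a (source, sink) flow is to exist given that an app references both endpoints and (b) a log-odds significance of that flow in malware versus benign apps, then scores an unseen app from its API references alone and lists the flows that drive the score. The source and sink lists, the Laplace smoothing and the decision to ignore benign-leaning flows are this example's assumptions.

```python
import math
from itertools import product

# Constructed training corpus (not TriFlow's data): for each app, the sensitive
# source/sink APIs it references and the flows a full taint analysis found.
SOURCES = {"getDeviceId", "getLine1Number", "getLastKnownLocation"}
SINKS = {"openConnection", "sendTextMessage", "Log.d"}

TRAIN = [
    # (label, APIs referenced, flows observed by expensive analysis)
    ("benign", {"getLastKnownLocation", "openConnection", "getDeviceId", "Log.d"},
     {("getLastKnownLocation", "openConnection")}),
    ("benign", {"getDeviceId", "Log.d", "openConnection"}, {("getDeviceId", "Log.d")}),
    ("benign", {"getLastKnownLocation", "Log.d"}, {("getLastKnownLocation", "Log.d")}),
    ("malware", {"getDeviceId", "getLine1Number", "openConnection", "sendTextMessage"},
     {("getDeviceId", "openConnection"), ("getLine1Number", "sendTextMessage")}),
    ("malware", {"getDeviceId", "openConnection", "getLastKnownLocation"},
     {("getDeviceId", "openConnection"), ("getLastKnownLocation", "openConnection")}),
    ("malware", {"getLine1Number", "sendTextMessage", "getDeviceId", "openConnection"},
     {("getLine1Number", "sendTextMessage"), ("getDeviceId", "openConnection")}),
]


def fit(train):
    """Per (source, sink) pair: P(flow exists | both endpoints referenced), estimated
    with Laplace smoothing, and a log-odds significance of the flow in malware vs benign."""
    n_mal = sum(1 for lab, _, _ in train if lab == "malware")
    n_ben = len(train) - n_mal
    model = {}
    for flow in product(SOURCES, SINKS):
        src, snk = flow
        present = [flows for _, apis, flows in train if src in apis and snk in apis]
        observed = sum(1 for flows in present if flow in flows)
        p_exists = (observed + 1) / (len(present) + 2)
        in_mal = sum(1 for lab, _, flows in train if lab == "malware" and flow in flows)
        in_ben = sum(1 for lab, _, flows in train if lab == "benign" and flow in flows)
        significance = math.log(((in_mal + 1) / (n_mal + 2)) / ((in_ben + 1) / (n_ben + 2)))
        model[flow] = (p_exists, significance)
    return model


def triage(apis, model):
    """Risk score for an app from its API references alone, plus the explanatory
    list (contribution, flow, P(exists), significance) sorted by contribution."""
    contributions = []
    for flow, (p_exists, significance) in model.items():
        src, snk = flow
        # Only flows both plausible here and over-represented in malware add risk.
        if src in apis and snk in apis and significance > 0:
            contributions.append((p_exists * significance, flow, p_exists, significance))
    contributions.sort(reverse=True)
    return sum(c[0] for c in contributions), contributions


if __name__ == "__main__":
    model = fit(TRAIN)
    for apis in ({"getDeviceId", "getLine1Number", "openConnection", "sendTextMessage"},
                 {"getLastKnownLocation", "openConnection", "Log.d"}):
        score, report = triage(apis, model)
        print(f"score={score:.3f}")
        for contrib, flow, p, sig in report:
            print(f"  {flow[0]} -> {flow[1]}: P(exists)={p:.2f} significance={sig:.2f} adds {contrib:.3f}")
```

The report is the part analysts actually use: it says which predicted flows raised the score and how confident the model is that each one exists, so a reviewer can confirm or refute them with the expensive tools rather than starting from the whole app. The clipping of benign-leaning flows at zero is a triage choice, not a detection claim: an app with a zero score is unranked, not certified clean.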
Another important step towards Android malware analysis lies in their accurate characterization. Labeling Android malware is challenging yet crucially important, as it helps to identify upcoming malware samples and threats. A key challenge is that different researchers and anti-virus vendors assign labels using their own criteria, and it is not known to what extent these labels are aligned with the apps' real behavior. Based on this, we propose a new behavioral characterization method for Android apps based on their extracted information flows. As information flows can be used to track why and how apps use specific pieces of information, a flow-based characterization provides a relatively easy-to-interpret summary of the malware sample's behavior.

Not all Android malware is easy to analyze, due to the advanced and easy-to-apply anti-analysis techniques that are available nowadays. Obfuscation is the most common anti-analysis technique that Android malware uses to evade detection. Obfuscation techniques modify an app's source (or machine) code in order to make it more difficult to analyze. This is typically applied to protect intellectual property in benign apps, or to hinder the process of extracting actionable information in the case of malware. Since malware analysis often requires considerable resource investment, detecting the particular obfuscation technique used may help apply the right analysis tools, thus leading to some savings.

Therefore, we propose AndrODet, a mechanism to detect three popular types of obfuscation in Android applications, namely identifier renaming, string encryption, and control flow obfuscation. AndrODet leverages online learning techniques, thus being suitable for resource-limited environments that need to operate in a continuous manner. We compare our results with a batch learning algorithm using a dataset of 34,962 apps, both malware and benign. Experimental results show that online learning approaches are not only able to compete with batch learning methods in terms of accuracy, but they also save a significant amount of time and computational resources.
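The added example below (not AndrODet's code or feature set) shows the shape of such a detector for two of the three obfuscation types: cheap static features for identifier renaming and string encryption, and a mistake-driven online perceptron per type that is updated one app at a time and reports prequential accuracy (predict first, then learn), so there is never a stored training set to revisit. Apps are synthetic, generated by a seeded RNG; the base64 regex, the feature scaling and the clean/obfuscated vocabularies are assumptions. Control-flow obfuscation is omitted because its features need a bytecode control-flow graph, which this snippet does not build.

```python
import math
import random
import re

# Constructed generator of per-app static artifacts (not AndrODet's dataset): the
# identifier names and string constants an analyst would pull out of a DEX file.
CLEAN_IDS = ["onCreate", "sendMessage", "MainActivity", "loadConfig", "parseResponse",
             "NetworkClient", "getUserToken", "refreshToken", "handleIntent", "DatabaseHelper"]
PLAIN_STRINGS = ["OK", "Cancel", "Loading...", "Network error", "Settings", "Welcome back",
                 "Please sign in", "Retry", "Share", "http://example.com/api"]
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def make_app(rng, renamed, encrypted):
    """Return (identifiers, strings, labels) for one synthetic app."""
    if renamed:    # ProGuard-style names: one or two lower-case letters
        ids = ["".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=rng.randint(1, 2)))
               for _ in range(20)]
    else:
        ids = [rng.choice(CLEAN_IDS) for _ in range(20)]
    if encrypted:  # opaque blobs that the app decodes and decrypts at run time
        strs = ["".join(rng.choices(B64, k=32)) for _ in range(10)]
    else:
        strs = [rng.choice(PLAIN_STRINGS) for _ in range(10)]
    return ids, strs, {"renaming": renamed, "string_encryption": encrypted}


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


OPAQUE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # base64-looking, assumed heuristic


def features(ids, strs):
    """Cheap static features; every component lies in [0, 1]."""
    return [
        1.0,                                                   # bias
        sum(len(i) <= 2 for i in ids) / len(ids),              # share of tiny identifiers
        min(sum(map(len, ids)) / len(ids) / 16, 1.0),          # mean identifier length
        sum(bool(OPAQUE.match(s)) for s in strs) / len(strs),  # share of base64-looking strings
        min(sum(map(entropy, strs)) / len(strs) / 5, 1.0),     # mean string entropy
    ]


class OnlinePerceptron:
    """One weight vector per obfuscation type, updated sample by sample."""

    def __init__(self, kinds, dim):
        self.w = {k: [0.0] * dim for k in kinds}

    def predict(self, x):
        return {k: sum(wi * xi for wi, xi in zip(w, x)) > 0 for k, w in self.w.items()}

    def learn(self, x, labels):
        """Predict, then correct each weight vector that was wrong; return the prediction."""
        pred = self.predict(x)
        for k, y in labels.items():
            if pred[k] != y:
                sign = 1.0 if y else -1.0
                self.w[k] = [wi + sign * xi for wi, xi in zip(self.w[k], x)]
        return pred


def run_stream(n=120, seed=7):
    """Stream n synthetic apps through the learner; return prequential accuracy per type."""
    rng = random.Random(seed)
    model = OnlinePerceptron(["renaming", "string_encryption"], 5)
    correct = {"renaming": 0, "string_encryption": 0}
    for _ in range(n):
        ids, strs, labels = make_app(rng, rng.random() < 0.5, rng.random() < 0.5)
        pred = model.learn(features(ids, strs), labels)
        for k in correct:
            correct[k] += pred[k] == labels[k]
    return {k: c / n for k, c in correct.items()}, model


if __name__ == "__main__":
    accuracy, _ = run_stream()
    print(accuracy)
```

Because the two synthetic classes are linearly separable with a fixed margin, the perceptron mistake bound caps the number of wrong predictions over the whole stream regardless of its length, which is what makes a single pass enough here; real apps are not that clean, and the batch comparison in the thesis is the honest check of what that costs in accuracy.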
Finally, we present a number of open research directions based on the outcome of this thesis.

Spanish-language abstract (translated):

Android is the leading operating system in smartphones, by a wide margin over the rest of its competitors. Statistics show that 88% of all smartphones sold to end users in the second quarter of 2018 were phones with the Android operating system. Regardless of their operating system, most of the functionality of these devices is offered through applications. There are currently more than 2 million applications on Google's official store alone, known as Google Play. This enormous market with billions of users is tempting for attackers, who seek to distribute their malicious applications (or malware).

Malware for mobile devices has grown exponentially since 2009. Symantec detected a 54% increase in new mobile malware variants in 2017 compared to the previous year. In addition, the growth of the black market (that is, unofficial application download platforms) is an incentive for profit-driven malicious programs. This increase has also occurred in Android malware, exploiting the circumstance that only 20% of devices run the most recent version of the Android operating system, according to Symantec's 2018 report. In fact, Android has been the platform on which attackers have concentrated their efforts since 2015, although attacks declined slightly after that year owing to the security improvements incorporated into the operating system. In any case, advanced forms of Android malware exist that use sophisticated techniques to evade static or dynamic analysis.

To address the security and privacy problems caused by Android malware, this thesis focuses on three main objectives. First, a lightweight and efficient method is proposed for identifying Android applications that may pose a risk. Second, a mechanism is presented for characterizing malware according to its behavior. Finally, a mechanism based on adaptive learning is proposed for detecting some types of obfuscation commonly employed in malicious applications.

Identifying potentially dangerous and risky applications is an important step in Android malware analysis. To that end, this thesis develops a ranking mechanism (called TriFlow) that orders applications according to their potential risk. The approach is based on static features that are obtained quickly, information flows being of special interest. An information flow exists when a certain piece of data is received or produced by a certain function or system call and traverses the application's logic until it reaches another function. TriFlow thus combines a probabilistic model for predicting the existence of a flow with a metric of how common it is to find that flow in benign and malicious applications. With this, TriFlow provides a score for each application that can be used to prioritize its analysis. At the same time, it provides analysts with an explanatory report of the causes behind that assessment. The tool can thus be used as a complement to other static and dynamic analysis techniques that are far more expensive computationally.

Another important step towards Android malware analysis lies in characterizing its behavior. Labeling Android malware is a challenge of crucial importance, since it helps identify upcoming malware samples and threats. A relevant issue is that different researchers and antivirus vendors assign labels using their own criteria, so it is not known to what extent these labels are in line with the applications' real behavior. On this basis, this thesis proposes a new behavioral characterization method for Android applications based on their information flows. Since such flows can be used to study how an application uses each piece of data, they make it possible to provide a relatively simple summary of the behavior of a given malware sample.

Despite the usefulness of the analysis techniques described, not all Android malware is easy to analyze, owing to the anti-analysis techniques available today. Among them, obfuscation is the most common technique used in Android malware to evade detection. This technique modifies an application's code so that it is harder to understand and analyze. It is usually applied to protect intellectual property in benign applications, or to make it harder to obtain clues about how the malware works. Since malware analysis often requires a considerable investment of resources, detecting the obfuscation technique used in a particular case can help select suitable analysis tools, thereby saving some resources. This thesis therefore proposes AndrODet, a mechanism to detect three popular types of obfuscation, namely identifier renaming, string encryption and modification of the application's control flow. AndrODet is based on online machine learning techniques, which makes it suitable for resource-limited environments that need to operate continuously, without interruption. To measure its effectiveness against traditional machine learning techniques, the results are compared with a batch learning algorithm using a dataset of 34,962 malicious and benign applications. The experimental results show that the online learning approach is not only able to compete with the batch-based one in terms of accuracy, but also saves a large amount of time and computational resources.

After the exposition of the contributions mentioned above, this thesis concludes by identifying a series of open lines of research, in order to encourage the development of future work in this direction.

Omid Mirzaei is a Ph.D. candidate in the Computer Security Lab (COSEC) at the Department of Computer Science and Engineering of Universidad Carlos III de Madrid (UC3M). His Ph.D. is funded by the Community of Madrid and the European Union through the research project CIBERDINE (Ref. S2013/ICE-3095).

Doctoral programme: Programa Oficial de Doctorado en Ciencia y Tecnología Informática. Committee: Chair, Gregorio Martínez Pérez; Secretary, Pedro Peris López; Member, Pablo Picazo Sánche
Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers
Malware classifiers are subject to training-time exploitation due to the need to regularly retrain using samples collected from the wild. Recent work has demonstrated the feasibility of backdoor attacks against malware classifiers, yet the stealthiness of such attacks is not well understood. In this paper, we focus on Android malware classifiers and investigate backdoor attacks under the clean-label setting (i.e., attackers do not have complete control over the training process or the labeling of poisoned data). Empirically, we show that existing backdoor attacks against malware classifiers are still detectable by recent defenses such as MNTD. To improve stealthiness, we propose a new attack, Jigsaw Puzzle (JP), based on the key observation that malware authors have little to no incentive to protect any other authors' malware but their own. As such, Jigsaw Puzzle learns a trigger to complement the latent patterns of the malware author's samples, and activates the backdoor only when the trigger and the latent pattern are pieced together in a sample. We further focus on realizable triggers in the problem space (e.g., software code) using bytecode gadgets broadly harvested from benign software. Our evaluation confirms that Jigsaw Puzzle is effective as a backdoor, remains stealthy against state-of-the-art defenses, and is a threat in realistic settings that depart from reasoning about feature-space-only attacks. We conclude by exploring promising approaches to improve backdoor defenses.