Application of GIS and Spatial Data Modeling to Archaeology: A Case Study in the American Southwest

One of the most important methodological advances in the archaeology of the past quarter century is the use of Geographic Information System (GIS) in archaeological research. Within this time frame, GIS has evolved from an emergent geospatial technology with limited mapmaking capabilities to a technology of choice for cultural resource managers, planners, and academic archaeologists alike. This dissertation examines the evolutionary trajectory and impact of GIS in the discipline since its introduction, and its potential to support new applications of GIS-driven innovation in archaeological research. As part of this project, two separate studies were conducted. The first study assessed adoption and diffusion trends for the technology based on the published literature from 1987-2010 using bibliometric and content analysis. These results suggest that despite adoption reaching a critical mass point in 2003-2006, GIS use is still maturing, and emphasis continues to be on methodological refinements rather than theoretical advances. Many of the technical developments coincide with larger changes within computing and in the convergence of technologies and platforms within the GIS industry. Recent publications, however, indicate the emergence of a possibly new direction for archaeological research which relies more on computationally intensive rather than empirical methods of investigation, in effect blurring traditional distinctions between method and theory. The second study conducted as part of this project explores the implications of this phenomenon by developing and implementing an application within a GIS environment for knowledge discovery in databases. The objective was to explore the feasibility and efficacy of geographic data mining using current technologies and archaeological data standards, identify barriers to its implementation, and demonstrate a new course for GIS-driven innovation in the field. Various archaeological and environmental datasets from the Fort Wingate Depot Activity in western New Mexico, USA were selected, compiled, prepared, and analyzed as part of the case study. Logistic regression was combined with Weights-of-Evidence modeling to discover previously unknown but statistically significant relationships and patterns within the prehistoric and historic data. This study offers suggestions on both how to adapt old data to new technologies and how to adapt new technologies to new ways of thinking

Mining structural and behavioral patterns in smart malware

Mención Internacional en el título de doctorFuncas. Premio Enrique Fuentes Quintana 2016.Smart devices equipped with powerful sensing, computing and networking capabilities have proliferated lately, ranging from popular smartphones and tablets to Internet appliances, smart TVs, and others that will soon appear (e.g., watches, glasses, and clothes). One key feature of such devices is their ability to incorporate third-party apps from a variety of markets. This poses strong security and privacy issues to users and infrastructure operators, particularly through software of malicious (or dubious) nature that can easily get access to the services provided by the device and collect sensory data and personal information. Malware in current smart devices—mostly smartphones and tablets—has rocketed in the last few years, supported by sophisticated techniques (e.g., advanced obfuscation and targeted infection and activation engines) purposely designed to overcome security architectures currently in use by such devices. This phenomenon is known as the proliferation of smart malware. Even though important advances have been made on malware analysis and detection in traditional personal computers during the last decades, adopting and adapting those techniques to smart devices is a challenging problem. For example, power consumption is one major constraint that makes unaffordable to run traditional detection engines on the device, while externalized (i.e., cloud-based) techniques raise many privacy concerns. This Thesis examines the problem of smart malware in such devices, aiming at designing and developing new approaches to assist security analysts and end users in the analysis of the security nature of apps. We first present a comprehensive analysis on how malware has evolved over the last years, as well as recent progress made to analyze and detect malware. Additionally, we compile a suit of the most cutting-edge open source tools, and we design a versatile and multipurpose research laboratory for smart malware analysis and detection. Second, we propose a number of methods and techniques aiming at better analyzing smart malware in scenarios with a constant and large stream of apps that require security inspection. More precisely, we introduce Dendroid, an effective system based on text mining and information retrieval techniques. Dendroid uses static analysis to measures the similarity between malware samples, which is then used to automatically classify them into families with remarkably accuracy. Then, we present Alterdroid, a novel dynamic analysis technique for automatically detecting hidden or obfuscated malware functionality. Alterdroid introduces the notion of differential fault analysis for effectively mining obfuscated malware components distributed as parts of an app package. Next, we present an evaluation of the power-consumption trade-offs among different strategies for off-loading, or not, certain security tasks to the cloud. We develop a system for testing several functional tasks and metering their power consumption called Meterdroid. Based on the results obtained in this analysis, we then propose a cloud-based system, called Targetdroid, that addresses the problem of detecting targeted malware by relying on stochastic models of usage and context events derived from real user traces. Based on these models, we build an efficient automatic testing system capable of triggering targeted malware. Finally, based on the conclusions extracted from this Thesis, we propose a number of open research problems and future directions where there is room for researchLos dispositivos inteligentes se han posicionado en pocos años como aparatos altamente populares con grandes capacidades de cómputo, comunicación y sensorización. Entre ellos se encuentran dispositivos como los teléfonos móviles inteligentes (o smartphones), las televisiones inteligentes, o más recientemente, los relojes, las gafas y la ropa inteligente. Una característica clave de este tipo de dispositivos es su capacidad para incorporar aplicaciones de terceros desde una gran variedad de mercados. Esto plantea fuertes problemas de seguridad y privacidad para sus usuarios y para los operadores de infraestructuras, sobre todo a través de software de naturaleza maliciosa (o malware), el cual es capaz de acceder fácilmente a los servicios proporcionados por el dispositivo y recoger datos sensibles de los sensores e información personal. En los últimos años se ha observado un incremento radical del malware atacando a estos dispositivos inteligentes—principalmente a smartphones—y apoyado por sofisticadas técnicas diseñadas para vencer los sistemas de seguridad implantados por los dispositivos. Este fenómeno ha dado pie a la proliferación de malware inteligente. Algunos ejemplos de estas técnicas inteligentes son el uso de métodos de ofuscación, de estrategias de infección dirigidas y de motores de activación basados en el contexto. A pesar de que en las últimos décadas se han realizado avances importantes en el análisis y la detección de malware en los ordenadores personales, adaptar y portar estas técnicas a los dispositivos inteligentes es un problema difícil de resolver. En concreto, el consumo de energía es una de las principales limitaciones a las que están expuestos estos dispositivos. Dicha limitación hace inasequible el uso de motores tradicionales de detección. Por el contrario, el uso de estrategias de detección externalizadas (es decir, basadas en la nube) suponen una gran amenaza para la privacidad de sus usuarios. Esta tesis analiza el problema del malware inteligente que adolece a estos dispositivos, con el objetivo de diseñar y desarrollar nuevos enfoques que permitan ayudar a los analistas de seguridad y los usuarios finales en la tarea de analizar aplicaciones. En primer lugar, se presenta un análisis exhaustivo sobre la evolución que el malware ha seguido en los últimos años, así como los avances más recientes enfocados a analizar apps y detectar malware. Además, integramos y extendemos las herramientas de código abierto más avanzadas utilizadas por la comunidad, y diseñamos un laboratorio que permite analizar malware inteligente de forma versátil y polivalente. En segundo lugar, se proponen una serie de técnicas dirigida a mejorar el análisis de malware inteligente en escenarios dónde se requiere analizar importantes cantidad de muestras. En concreto, se propone Dendroid, un sistema basado en minería de textos que permite analizar conjuntos de apps de forma eficaz. Dendroid hace uso de análisis estático de código para extraer una medida de la similitud entre distintas las muestras de malware. Dicha distancia permitirá posteriormente clasificar cada muestra en su correspondiente familia de malware de forma automática y con gran precisión. Por otro lado, se propone una técnica de análisis dinámico de código, llamada Alterdroid, que permite detectar automáticamente funcionalidad oculta y/o ofuscada. Alterdroid introduce la un nuevo método de análisis basado en la inyección de fallos y el análisis diferencial del comportamiento asociado. Por último, presentamos una evaluación del consumo energético asociado a diferentes estrategias de externalización usadas para trasladar a la nube determinadas tareas de seguridad. Para ello, desarrollamos un sistema llamado Meterdroid que permite probar distintas funcionalidades y medir su consumo. Basados en los resultados de este análisis, proponemos un sistema llamado Targetdroid que hace uso de la nube para abordar el problema de la detección de malware dirigido o especializado. Dicho sistema hace uso de modelos estocásticos para modelar el comportamiento del usuario así como el contexto que les rodea. De esta forma, Targetdroid permite, además, detectar de forma automática malware dirigido por medio de estos modelos. Para finalizar, a partir de las conclusiones extraídas en esta Tesis, identificamos una serie de líneas de investigación abiertas y trabajos futuros basados.Programa Oficial de Doctorado en Ciencia y Tecnología InformáticaPresidente: Francisco Javier López Muñoz.- Secretario: Jesús García Herrero.- Vocal: Nadarajah Asoka

Euphony:Harmonious Unification of Cacophonous Anti-Virus Vendor Labels for Android Malware

Android malware is now pervasive and evolving rapidly. Thousands of malware samples are discovered every day with new models of attacks. The growth of these threats has come hand in hand with the proliferation of collective repositories sharing the latest specimens. Having access to a large number of samples opens new research directions aiming at efficiently vetting apps. However, automatically inferring a reference ground-truth from those repositories is not straightforward and can inadvertently lead to unforeseen misconceptions. On the one hand, samples are often mis-labeled as different parties use distinct naming schemes for the same sample. On the other hand, samples are frequently mis-classified due to conceptual errors made during labeling processes. In this paper, we analyze the associations between all labels given by different vendors and we propose a system called EUPHONY to systematically unify common samples into family groups. The key novelty of our approach is that no a-priori knowledge on malware families is needed. We evaluate our approach using reference datasets and more than 0.4 million additional samples outside of these datasets. Results show that EUPHONY provides competitive performance against the state-of-the-art

Did Arroyo Formation Impact the Occupation of Snake Rock Village, a Fremont Dryland Agricultural Community in Central Utah, ca. AD 1000–1200?

Fremont farmers of the northern Colorado Plateau grew maize at the limits for cultivation in western North America between AD 300–1300. Like other Indigenous farmers throughout the American Southwest, Fremont farmers used bundled agricultural niches where alluvial floodplains were the largest available site for cultivation. But dryland floodplains are a risk to the persistence of farming communities because the development of steep-sided arroyos lowers floodplain surfaces and water tables, rendering them unusable for growing maize. This study tests the relationship between the occupational timing of Snake Rock Village between AD 970–1240 and the formation of a 4.5m deep arroyo on Ivie Creek adjacent to the site. I present a high-precision AMS radiocarbon chronology of the village occupation paired with an AMS radiocarbon reconstruction of the Ivie Creek floodplain 400m upstream from the site. The results of this study provide a direct test of arroyo formation as a cause for the abandonment of Fremont agriculture by AD 1300. The results indicated that the abandonment of Snake Rock Village does not correspond with an incision of the adjacent floodplain. Instead, the floodplain was still aggrading when Snake Rock Village was abandoned, and the incision did not happen until AD 1570 or AD 1725. Thus, while some evidence implicates arroyo formation as one factor contributing to the abandonment of early agricultural villages in other parts of the northern Colorado Plateau, arroyo formation did not appear to constrain the persistence of floodplain farming on Ivie Creek

Exploring undergraduate interactions with mobile privacy and security

Many studies have proven that digital natives are not as tech-savvy as previously thought, and possibly vulnerable in terms of privacy and security. My focus was to characterise how this generation interacted with mobile privacy and security. We provide evidence from a cohort of South African students, using this to discuss areas in which they need to be protected. We employed a web-based survey of 77 students, supplemented by in-depth interviews with 10 additional students. In both cases, we enquired about knowledge of permissions, encryption and application installation practices. With the in-depth interviews we also observed students as they installed two applications, one of which over-requested permissions. Our findings showed that most students (80%) did not look for- or understand permissions, did not understand or look for encryption, and used location-based services unsafely. Based on these results, we argue that digital natives lack the technical skills to properly engage with mobile privacy and security. Furthermore, digital natives do not understand mobile security and privacy features and therefore ignore them. Digital natives trust the authors of software and fail to act securely when security and privacy features are requested out of context. We further argue that this generation of digital natives has been so overexposed to mobile requests that violate their privacy and security that they have become desensitised to them. We further argue that digital natives’ definition of privacy is different from that of previous generations. Lastly, we discuss the implications of our findings for Higher Education Institutions, Higher Education Policy and mobile application design

Techniques for advanced android malware triage

Mención Internacional en el título de doctorAndroid is the leading operating system in smartphones with a big difference. Statistics show that 88% of all smartphones sold to end users in the second quarter of 2018 were phones with the Android OS. Regardless of the operating systems which are running on smartphones, most of the functionalities of these devices are offered through applications. There are currently over 2 million apps only on the official Google store, known as Google Play. This huge market with billions of users is tempting for attackers to develop and distribute their malicious apps (or malware). Mobile malware has raised explosively since 2009. Symantec reported an increase of 54% in the new mobile malware variants in 2017 as compared to the previous year. Additionally, more incentive has been provided for profit-driven malware by the growth of black markets. This rise has happened for Android malware as well since only 20% of devices are running the newest major version of Android OS based on Symantec report in 2018. Android continued to be the most targeted platform with the biggest number of attacks in 2015. After that year, attacks against the Android platform slowed for the first time as attackers were faced with improved security architectures though Android is still the main appealing target OS for attackers. Moreover, advanced types of Android malware are found which make use of extensive anit-analysis techniques to evade static or dynamic analysis. To address the security and privacy concerns of complex Android malware, this dissertation focuses on three main objectives. First of all, we propose a light-weight yet efficient method to identify risky Android applications. Next, we present a precise approach to characterize Android malware based on their malicious behavior. Finally, we propose an adaptive learning system to address the security concerns of obfuscation in Android malware. Identifying potentially dangerous and risky applications is an important step in Android malware analysis. To this end, we develop a triage system to rank applications based on their potential risk. Our approach, called TriFlow, relies on static features which are quick to obtain. TriFlow combines a probabilistic model to predict the existence of information flows with a metric of how significant a flow is in benign and malicious apps. Based on this, TriFlow provides a score for each application that can be used to prioritize analysis. It also provides the analysts with an explanatory report of the associated risk. Our tool can also be used as a complement with computationally expensive static and dynamic analysis tools. Another important step towards Android malware analysis lies in their accurate characterization. Labeling Android malware is challenging yet crucially important, as it helps to identify upcoming malware samples and threats. A key challenge is that different researchers and anti-virus vendors assign labels using their own criteria, and it is not known to what extent these labels are aligned with the apps’ real behavior. Based on this, we propose a new behavioral characterization method for Android apps based on their extracted information flows. As information flows can be used to track why and how apps use specific pieces of information, a flowbased characterization provides a relatively easy-to-interpret summary of the malware sample’s behavior. Not all Android malware are easy to analyze due to advanced and easyto-apply anti-analysis techniques that are available nowadays. Obfuscation is the most common anti-analysis technique that Android malware use to evade detection. Obfuscation techniques modify an app’s source (or machine) code in order to make it more difficult to analyze. This is typically applied to protect intellectual property in benign apps, or to hinder the process of extracting actionable information in the case of malware. Since malware analysis often requires considerable resource investment, detecting the particular obfuscation technique used may contribute to apply the right analysis tools, thus leading to some savings. Therefore, we propose AndrODet, a mechanism to detect three popular types of obfuscation in Android applications, namely identifier renaming, string encryption, and control flow obfuscation. AndrODet leverages online learning techniques, thus being suitable for resource-limited environments that need to operate in a continuous manner. We compare our results with a batch learning algorithm using a dataset of 34,962 apps from both malware and benign apps. Experimental results show that online learning approaches are not only able to compete with batch learning methods in terms of accuracy, but they also save significant amount of time and computational resources. Finally, we present a number of open research directions based on the outcome of this thesis.Android es el sistema operativo líder en teléfonos inteligentes (también denominados con la palabra inglesa smartphones), con una gran diferencia con respecto al resto de competidores. Las estadísticas muestran que el 88% de todos los smartphones vendidos a usuarios finales en el segundo trimestre de 2018 fueron teléfonos con sistema operativo Android. Independientemente de su sistema operativo, la mayoría de las funcionalidades de estos dispositivos se ofrecen a través de aplicaciones. Actualmente hay más de 2 millones de aplicaciones solo en la tienda oficial de Google, conocida como Google Play. Este enorme mercado con miles de millones de usuarios es tentador para los atacantes, que buscan distribuir sus aplicaciones malintencionadas (o malware). El malware para dispositivos móviles ha aumentado de forma exponencial desde 2009. Symantec ha detectado un aumento del 54% en las nuevas variantes de malware para dispositivos móviles en 2017 en comparación con el año anterior. Además, el crecimiento del mercado negro (es decir, plataformas no oficiales de descargas de aplicaciones) supone un incentivo para los programas maliciosos con fines lucrativos. Este aumento también ha ocurrido en el malware de Android, aprovechando la circunstancia de que solo el 20% de los dispositivos ejecutan la versión mas reciente del sistema operativo Android, de acuerdo con el informe de Symantec en 2018. De hecho, Android ha sido la plataforma que ha centrado los esfuerzos de los atacantes desde 2015, aunque los ataques decayeron ligeramente tras ese año debido a las mejoras de seguridad incorporadas en el sistema operativo. En todo caso, existen formas avanzadas de malware para Android que hacen uso de técnicas sofisticadas para evadir el análisis estático o dinámico. Para abordar los problemas de seguridad y privacidad que causa el malware en Android, esta Tesis se centra en tres objetivos principales. En primer lugar, se propone un método ligero y eficiente para identificar aplicaciones de Android que pueden suponer un riesgo. Por otra parte, se presenta un mecanismo para la caracterización del malware atendiendo a su comportamiento. Finalmente, se propone un mecanismo basado en aprendizaje adaptativo para la detección de algunos tipos de ofuscación que son empleados habitualmente en las aplicaciones maliciosas. Identificar aplicaciones potencialmente peligrosas y riesgosas es un paso importante en el análisis de malware de Android. Con este fin, en esta Tesis se desarrolla un mecanismo de clasificación (llamado TriFlow) que ordena las aplicaciones según su riesgo potencial. La aproximación se basa en características estáticas que se obtienen rápidamente, siendo de especial interés los flujos de información. Un flujo de información existe cuando un cierto dato es recibido o producido mediante una cierta función o llamada al sistema, y atraviesa la lógica de la aplicación hasta que llega a otra función. Así, TriFlow combina un modelo probabilístico para predecir la existencia de un flujo con una métrica de lo habitual que es encontrarlo en aplicaciones benignas y maliciosas. Con ello, TriFlow proporciona una puntuación para cada aplicación que puede utilizarse para priorizar su análisis. Al mismo tiempo, proporciona a los analistas un informe explicativo de las causas que motivan dicha valoración. Así, esta herramienta se puede utilizar como complemento a otras técnicas de análisis estático y dinámico que son mucho más costosas desde el punto de vista computacional. Otro paso importante hacia el análisis de malware de Android radica en caracterizar su comportamiento. Etiquetar el malware de Android es un desafío de crucial importancia, ya que ayuda a identificar las próximas muestras y amenazas de malware. Una cuestión relevante es que los diferentes investigadores y proveedores de antivirus asignan etiquetas utilizando sus propios criterios, de modo no se sabe en qué medida estas etiquetas están en línea con el comportamiento real de las aplicaciones. Sobre esta base, en esta Tesis se propone un nuevo método de caracterización de comportamiento para las aplicaciones de Android en función de sus flujos de información. Como dichos flujos se pueden usar para estudiar el uso de cada dato por parte de una aplicación, permiten proporcionar un resumen relativamente sencillo del comportamiento de una determinada muestra de malware. A pesar de la utilidad de las técnicas de análisis descritas, no todos los programas maliciosos de Android son fáciles de analizar debido al uso de técnicas anti-análisis que están disponibles en la actualidad. Entre ellas, la ofuscación es la técnica más común que se utiliza en el malware de Android para evadir la detección. Dicha técnica modifica el código de una aplicación para que sea más difícil de entender y analizar. Esto se suele aplicar para proteger la propiedad intelectual en aplicaciones benignas o para dificultar la obtención de pistas sobre su funcionamiento en el caso del malware. Dado que el análisis de malware a menudo requiere una inversión considerable de recursos, detectar la técnica de ofuscación que se ha utilizado en un caso particular puede contribuir a utilizar herramientas de análisis adecuadas, contribuyendo así a un cierto ahorro de recursos. Así, en esta Tesis se propone AndrODet, un mecanismo para detectar tres tipos populares de ofuscación, a saber, el renombrado de identificadores, cifrado de cadenas de texto y la modificación del flujo de control de la aplicación. AndrODet se basa en técnicas de aprendizaje automático en línea (online machine learning), por lo que es adecuado para entornos con recursos limitados que necesitan operar de forma continua, sin interrupción. Para medir su eficacia respecto de las técnicas de aprendizaje automático tradicionales, se comparan los resultados con un algoritmo de aprendizaje por lotes (batch learning) utilizando un dataset de 34.962 aplicaciones de malware y benignas. Los resultados experimentales muestran que el enfoque de aprendizaje en línea no solo es capaz de competir con el basado en lotes en términos de precisión, sino que también ahorra una gran cantidad de tiempo y recursos computacionales. Tras la exposición de las contribuciones anteriormente mencionadas, esta Tesis concluye con la identificación de una serie de líneas abiertas de investigación con el fin de alentar el desarrollo de trabajos futuros en esta dirección.Omid Mirzaei is a Ph.D. candidate in the Computer Security Lab (COSEC) at the Department of Computer Science and Engineering of Universidad Carlos III de Madrid (UC3M). His Ph.D. is funded by the Community of Madrid and the European Union through the research project CIBERDINE (Ref. S2013/ICE-3095).Programa Oficial de Doctorado en Ciencia y Tecnología InformáticaPresidente: Gregorio Martínez Pérez.- Secretario: Pedro Peris López.- Vocal: Pablo Picazo Sánche

Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers

Malware classifiers are subject to training-time exploitation due to the need to regularly retrain using samples collected from the wild. Recent work has demonstrated the feasibility of backdoor attacks against malware classifiers, and yet the stealthiness of such attacks is not well understood. In this paper, we focus on Android malware classifiers and investigate backdoor attacks under the clean-label setting (i.e., attackers do not have complete control over the training process or the labeling of poisoned data). Empirically, we show that existing backdoor attacks against malware classifiers are still detectable by recent defenses such as MNTD. To improve stealthiness, we propose a new attack, Jigsaw Puzzle (JP), based on the key observation that malware authors have little to no incentive to protect any other authors' malware but their own. As such, Jigsaw Puzzle learns a trigger to complement the latent patterns of the malware author's samples, and activates the backdoor only when the trigger and the latent pattern are pieced together in a sample. We further focus on realizable triggers in the problem space (e.g., software code) using bytecode gadgets broadly harvested from benign software. Our evaluation confirms that Jigsaw Puzzle is effective as a backdoor, remains stealthy against state-of-the-art defenses, and is a threat in realistic settings that depart from reasoning about feature-space-only attacks. We conclude by exploring promising approaches to improve backdoor defenses