278 research outputs found
Explaining labor productivity differentials on Italian regions
Labor productivity convergence is a key factor in the catching up process of less developed regions. For the regional economies as a whole labor productivity differentials can be traced back to three distinct determinants: - composition effects due to the peculiar structure of the regional economy; a lower than average productivity level could, for instance, be due to the fact that a greater share or the regional labor force is employed in sectors that are denoted by lower productivity at the aggregate level; - different regional endowments, within each given industry, of physical and human capital per worker; - differing levels of total factor productivity (TFP). The study aims at explaining substantial and persistent regional differentials in labor productivity in Italy providing: 1. an assessment of the role played by the three factors above outlined in the variuos regions; 2. an empirical evaluation of the role played by some of the relevant factors suggested in the related literature (e.g., public and social capital, R&D expenditure, international openness, financial markets development, agglomeration and diversification economies, geographic factors), in explaining regional TFP differentials. The empirical analysis makes use of a particularly rich data set including annual regional accounts and capital stock data for 17 industries covering the period 1970-1994. Estimates of human capital broken down by region and industry are produced by the authors pooling information from the Labor force survey and Bank of Italyâs Survey of households income and wealth. The analysis of structural composition effects is carried out by means of the shift-share technique proposed by Esteban (2000), while a cointegrated panel model is used to estimate total factor productivity by region and sector. In an attempt to assess the relevance of spatial externalities in explaining regional TFP levels the final regression analysis makes use of spatial econometric techniques.
Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks
Malware still constitutes a major threat in the cybersecurity landscape, also
due to the widespread use of infection vectors such as documents. These
infection vectors hide embedded malicious code to the victim users,
facilitating the use of social engineering techniques to infect their machines.
Research showed that machine-learning algorithms provide effective detection
mechanisms against such threats, but the existence of an arms race in
adversarial settings has recently challenged such systems. In this work, we
focus on malware embedded in PDF files as a representative case of such an arms
race. We start by providing a comprehensive taxonomy of the different
approaches used to generate PDF malware, and of the corresponding
learning-based detection systems. We then categorize threats specifically
targeted against learning-based PDF malware detectors, using a well-established
framework in the field of adversarial machine learning. This framework allows
us to categorize known vulnerabilities of learning-based PDF malware detectors
and to identify novel attacks that may threaten such systems, along with the
potential defense mechanisms that can mitigate the impact of such threats. We
conclude the paper by discussing how such findings highlight promising research
directions towards tackling the more general challenge of designing robust
malware detectors in adversarial settings
PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware
PowerShell is nowadays a widely-used technology to administrate and manage
Windows-based operating systems. However, it is also extensively used by
malware vectors to execute payloads or drop additional malicious contents.
Similarly to other scripting languages used by malware, PowerShell attacks are
challenging to analyze due to the extensive use of multiple obfuscation layers,
which make the real malicious code hard to be unveiled. To the best of our
knowledge, a comprehensive solution for properly de-obfuscating such attacks is
currently missing. In this paper, we present PowerDrive, an open-source, static
and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive
instruments the PowerShell code to progressively de-obfuscate it by showing the
analyst the employed obfuscation steps. We used PowerDrive to successfully
analyze thousands of PowerShell attacks extracted from various malware vectors
and executables. The attained results show interesting patterns used by
attackers to devise their malicious scripts. Moreover, we provide a taxonomy of
behavioral models adopted by the analyzed codes and a comprehensive list of the
malicious domains contacted during the analysis
Information fusion in content based image retrieval: A comprehensive overview
An ever increasing part of communication between persons involve the use of pictures, due to the cheap availability of powerful cameras on smartphones, and the cheap availability of storage space. The rising popularity of social networking applications such as Facebook, Twitter, Instagram, and of instant messaging applications, such as WhatsApp, WeChat, is the clear evidence of this phenomenon, due to the opportunity of sharing in real-time a pictorial representation of the context each individual is living in. The media rapidly exploited this phenomenon, using the same channel, either to publish their reports, or to gather additional information on an event through the community of users. While the real-time use of images is managed through metadata associated with the image (i.e., the timestamp, the geolocation, tags, etc.), their retrieval from an archive might be far from trivial, as an image bears a rich semantic content that goes beyond the description provided by its metadata. It turns out that after more than 20 years of research on Content-Based Image Retrieval (CBIR), the giant increase in the number and variety of images available in digital format is challenging the research community. It is quite easy to see that any approach aiming at facing such challenges must rely on different image representations that need to be conveniently fused in order to adapt to the subjectivity of image semantics. This paper offers a journey through the main information fusion ingredients that a recipe for the design of a CBIR system should include to meet the demanding needs of users
Adversarial Detection of Flash Malware: Limitations and Open Issues
During the past four years, Flash malware has become one of the most
insidious threats to detect, with almost 600 critical vulnerabilities targeting
Adobe Flash disclosed in the wild. Research has shown that machine learning can
be successfully used to detect Flash malware by leveraging static analysis to
extract information from the structure of the file or its bytecode. However,
the robustness of Flash malware detectors against well-crafted evasion attempts
- also known as adversarial examples - has never been investigated. In this
paper, we propose a security evaluation of a novel, representative Flash
detector that embeds a combination of the prominent, static features employed
by state-of-the-art tools. In particular, we discuss how to craft adversarial
Flash malware examples, showing that it suffices to manipulate the
corresponding source malware samples slightly to evade detection. We then
empirically demonstrate that popular defense techniques proposed to mitigate
evasion attempts, including re-training on adversarial examples, may not always
be sufficient to ensure robustness. We argue that this occurs when the feature
vectors extracted from adversarial examples become indistinguishable from those
of benign data, meaning that the given feature representation is intrinsically
vulnerable. In this respect, we are the first to formally define and
quantitatively characterize this vulnerability, highlighting when an attack can
be countered by solely improving the security of the learning algorithm, or
when it requires also considering additional features. We conclude the paper by
suggesting alternative research directions to improve the security of
learning-based Flash malware detectors
On the Feasibility of Adversarial Sample Creation Using the Android System API
Due to its popularity, the Android operating system is a critical target for malware attacks. Multiple security efforts have been made on the design of malware detection systems to identify potentially harmful applications. In this sense, machine learning-based systems, leveraging both static and dynamic analysis, have been increasingly adopted to discriminate between legitimate and malicious samples due to their capability of identifying novel variants of malware samples. At the same time, attackers have been developing several techniques to evade such systems, such as the generation of evasive apps, i.e., carefully-perturbed samples that can be classified as legitimate by the classifiers. Previous work has shown the vulnerability of detection systems to evasion attacks, including those designed for Android malware detection. However, most works neglected to bring the evasive attacks onto the so-called problem space, i.e., by generating concrete Android adversarial samples, which requires preserving the appâs semantics and being realistic for human expert analysis. In this work, we aim to understand the feasibility of generating adversarial samples specifically through the injection of system API calls, which are typical discriminating characteristics for malware detectors. We perform our analysis on a state-of-the-art ransomware detector that employs the occurrence of system API calls as features of its machine learning algorithm. In particular, we discuss the constraints that are necessary to generate real samples, and we use techniques inherited from interpretability to assess the impact of specific API calls to evasion. We assess the vulnerability of such a detector against mimicry and random noise attacks. Finally, we propose a basic implementation to generate concrete and working adversarial samples. The attained results suggest that injecting system API calls could be a viable strategy for attackers to generate concrete adversarial samples. However, we point out the low suitability of mimicry attacks and the necessity to build more sophisticated evasion attacks
Oblivion: an open-source system for large-scale analysis of macro-based office malware
Macro-based Office files have been extensively used as infection vectors to embed malware. In particular, VBA macros allow leveraging kernel functions and system routines to execute or remotely drop malicious payloads, and they are typically heavily obfuscated to make static analysis unfeasible. Current state-of-the-art approaches focus on discriminating between malicious and benign Office files by performing static and dynamic analysis directly on obfuscated macros, focusing mainly on detection rather than reversing. Namely, the proposed methods lack an in-depth analysis of the embedded macros, thus losing valuable information about the attack families, the embedded scripts, and the contacted external resources. In this paper, we propose Oblivion, an open-source framework for large-scale analysis of Office macros, to fill in this gap. Oblivion performs instrumentation of macros and executes them in a virtualized environment to de-obfuscate and reconstruct their behavior. Moreover, it can automatically and quickly interact with macros by extracting the embedded PowerShell and non-PowerShell attacks and reconstructing the whole macro behavior. This is the main scope of our analysis: we are more interested in retrieving specific behavioural patterns than detecting maliciousness per se. We performed a large-scale analysis of more than 30,000 files that constitute a representative corpus of attacks. Results show that Oblivion could efficiently de-obfuscate malicious macros by revealing a large corpus of PowerShell and non-PowerShell attacks. We measured that this efficiency can be quantified in an analysis time of less than 1 min per sample, on average. Moreover, we characterize such attacks by pointing out frequent attack patterns and employed obfuscation strategies. We finally release the information obtained from our dataset with our tool
- âŠ